WO2007108627A1 - System and method for curing malicious code and virus - Google Patents

System and method for curing malicious code and virus

Publication number
WO2007108627A1
Authority
WO
WIPO (PCT)
Prior art keywords
operating system
user information
windows
virus
user
Prior art date
Application number
PCT/KR2007/001331
Other languages
French (fr)
Inventor
Ju Ryeong Yun
Original Assignee
Bizet Inc.
Application filed by Bizet Inc.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • A HUMAN NECESSITIES
    • A47 FURNITURE; DOMESTIC ARTICLES OR APPLIANCES; COFFEE MILLS; SPICE MILLS; SUCTION CLEANERS IN GENERAL
    • A47J KITCHEN EQUIPMENT; COFFEE MILLS; SPICE MILLS; APPARATUS FOR MAKING BEVERAGES
    • A47J41/00 Thermally-insulated vessels, e.g. flasks, jugs, jars
    • A47J41/0083 Accessories
    • A HUMAN NECESSITIES
    • A47 FURNITURE; DOMESTIC ARTICLES OR APPLIANCES; COFFEE MILLS; SPICE MILLS; SUCTION CLEANERS IN GENERAL
    • A47J KITCHEN EQUIPMENT; COFFEE MILLS; SPICE MILLS; APPARATUS FOR MAKING BEVERAGES
    • A47J45/00 Devices for fastening or gripping kitchen utensils or crockery
    • A47J45/06 Handles for hollow-ware articles
    • A47J45/063 Knobs, e.g. for lids

Definitions

  • the present invention relates generally to a system and a method for curing any malicious code and virus. More particularly, the present invention relates to a system and a method for curing any malicious code and virus, in which a vaccine program capable of curing the malicious code and virus is executed with top priority, thereby removing the malicious code and virus before the malicious code and virus are activated.
  • the computer is the aggregate of all technologies, and serves also as the basis of all technologies. This computer is applied throughout almost all the fields.
  • the application of the computer becomes wide, which is also accompanied with evils, for example, malicious codes and viruses that copy information of another user computer without agreement or that execute any program, which is designated by a specific user, on another user computer without agreement.
  • vaccine technologies for preventing damages from the malicious codes and viruses show a tendency toward high-speed development.
  • the vaccine technologies of curing the viruses are grown faster than any other information telecommunication technology due to increase of intelligent viruses. Nevertheless, the existing vaccine services are impossible to prevent the damages from all the malicious codes and viruses.
  • the malicious codes and viruses which are recorded on user information of the computer and are activated as soon as the computer is executed, provide trouble in that they must be looked up and removed by any vaccine program and then the computer must be re-booted.
  • the present invention has been made to solve the above problem occurring in the prior art, and an object of the present invention is to provide a system and method for curing any malicious code and virus, in which the malicious code and virus are looked up and removed before logon based on user information is carried out, thereby eliminating inconvenience of a user caused by re-booting of a computer.
  • a system for curing any malicious code and virus includes a power supply supplying power to a terminal, an operating system executed after the terminal supplied with the power is booted, and an input unit inputting signals for controlling the booting and the operating system.
  • the operating system executes a vaccine program for curing the malicious code and virus before logon based on user information is processed.
  • overall user information may include a list of user's application programs from which the malicious code and virus are removed.
  • the operating system may include a Windows-series operating system.
  • the Windows-series operating system may include at least one of a Windows 2000 operating system, a Windows 2003 operating system, a Windows NT operating system, and a Windows XP operating system.
  • a method for curing any malicious code and virus comprises a first step of supplying power to a terminal, a second step of booting the terminal, a third step of activating an operating system, and taking over process processing authority from the operating system to execute a vaccine program, a fourth step of collecting user information and overall user information relating to the user information, a fifth step of verifying validity of the user information and the overall user information, a sixth step of processing logon of a user, and a seventh step of initializing the overall user information.
  • the system and method for curing any malicious code and virus in accordance with an embodiment of the present invention looks up and removes the malicious code and virus before the logon is carried out based on the user information, so that they can eliminate inconvenience of the user caused by re-booting of the computer.
  • the system and method for curing any malicious code and virus in accordance with another embodiment of the present invention inactivate and remove the malicious code and virus before the malicious code and virus is activated, so that they can shorten a time to activate the resources and programs of the computer and thereby improve satisfaction of the user.
  • the system and method for curing any malicious code and virus in accordance with another embodiment of the present invention inactivate and remove the malicious code and virus before the Window logon, so that they can minimize leakage of the user information.
  • FIG. 1 illustrates the configuration of a system for curing any malicious code and virus in accordance with an embodiment of the present invention
  • FIG. 2 illustrates a schematic configuration of the vaccine pre-processing section of FIG. 1.
  • FIG. 3 illustrates a schematic configuration of the user information processing section of FIG. 1 ;
  • FIG. 4 is a flowchart illustrating the operation of a system for curing any malicious code and virus in accordance with an embodiment of the present invention.
  • FIG. 5 is a detailed flowchart illustrating the operation of a system for curing any malicious code and virus in accordance with an embodiment of the present invention.
  • FIG. 1 illustrates a system for curing any malicious code and virus in accordance with an embodiment of the present invention.
  • the system for curing any malicious code and virus in accordance with an embodiment of the present invention includes a power supply 110 supplying power, a booting system 120, a display unit 130, an input unit 140, and an operating system 210 curing the virus prior to logon, and may further include at least one application program 240 executed on the operating system 210.
  • the inventive system for curing any malicious code and virus includes a first memory 200 in which the operating system 210 and the application program 240 are stored, and a second memory 150 that calls and activates the operating system 210 out of the first memory 200.
  • the first memory 200 may include a hard disk
  • the second memory 150 may include a random access memory (RAM).
  • the power supply 110 supplies power to a terminal such as a computer, thereby activating main and peripheral devices of the computer.
  • the booting system 120 functions to start the computer after the computer is supplied with power from the power supply 110.
  • a basic program such as a basic input/output system (BIOS) is operated first.
  • This basic program is recorded in a read only memory (ROM) such that it can be stored although the power is turned off.
  • ROM read only memory
  • POST power on self test
  • the summary information includes information on the type of a currently installed microprocessor, information on the installation of a coprocessor, information on a clock speed, information on a floppy disk drive, information on a hard disk drive, information on a compact disk (CD)-ROM drive, information on the capacity of a basic memory, information on the capacity of an extended memory, and so on.
  • the display unit 130 displays operational processes of the computer after the power is supplied by the power supply 110.
  • the display unit 130 may include a variety of display devices such as a cathode ray tube (CRT) monitor, a liquid crystal display (LCD), a plasma display panel (PDP), and so on.
  • CRT cathode ray tube
  • LCD liquid crystal display
  • PDP plasma display panel
  • the input unit 140 functions to generate signals, which are input to control the booting system 120, the operating system 210, etc.
  • the input unit 140 may include a keyboard, a mouse, an external device connected through a universal serial bus (USB), a touch panel, and so on. In the case in which the computer is connected on-line, the signals can be input through remote control.
  • USB universal serial bus
  • the operating system 210 is interposed between computer hardware and the user application program 240, and is a program for managing software and hardware resources so as to allow the application program 240 to easily use the hardware as well as to maximize the efficiency of an overall system.
  • the operating system 210 generally takes charge of process management, memory management, and output service, and is classified, according to a use method, as a batch system, a real-time processing system, a time-sharing system, etc., as well as, according to a user environment, as a single- user system and a multi-user system.
  • the operating system 210 is divided, according to a manufacturer, into Solaris of SUN Microsystems, Ultrix of Digital Equipment, Mach of Carnegie Mellon University, PowerOpen of IBM and Apple, System 7.0 of Apple, OS/2 of IBM, DOS and Windows of Microsoft, UnixWare of Novell, NextStep of NeXT, and so on.
  • the operating system 210 of the present invention will be described on the basis of the Windows environment that is most widely distributed to personal computers.
  • the operating system 210 of the present invention drives a vaccine pre-processing section 220 in order to execute a vaccine program, when logon or winlogon (hereinafter, referred to as winlogon) service is provided before a user logs on, to thereby remove the malicious code and virus, and then activates a user information processing section 230 that collects user information ID_Pass input by the user and overall user information User_Info relating to the user information ID_Pass after the removal of the malicious code and virus is completed, and initializes the program on the basis of the collected information.
  • winlogon logon or winlogon
  • the operating system 210 is recorded and activated in the memory, such as RAM, by inputting a "Ctrl- Alt-Del" key combination that is a secure attention sequence (SAS), and performs a winlogon desktop step in response to the SAS in the step of supplying the power.
  • the operating system 210 activates the vaccine pre-processing section 220 to remove the malicious codes and viruses when it is converted into the winlogon desktop and provides the winlogon service, and then activates the user information processing section 230 for initializing the input user information ID_Pass and the overall user information User_Info relating to the user information ID_Pass.
  • the vaccine pre-processing section 220 includes a process assigning part 222 that is preferentially assigned process processing authority, for instance a token, from the operating system 210 in the winlogon desktop step, and a vaccine program executing part 224.
  • the process assigning part 222 is assigned the process processing authority from the operating system 210 with top priority, when the operating system 210 is driven by the input of the SAS and thereby enters the winlogon desktop step.
  • the process assigning part 222 can register a processing sequence with a scheduler of the operating system 210 with top priority, or can interrupt and be assigned the process processing authority from the operating system 210. Thereafter, the process assigning part 222 delivers the assigned process processing authority, the token, to the vaccine program executing part 224.
  • the vaccine program executing part 224 executes the vaccine program to look up the malicious code and virus when the process processing authority, the token, is transferred from the process processing part 222.
  • the vaccine program executing part 224 can be stored in the memory such as hard disk, ROM, RAM, flash memory, CD-ROM, or the like according to designated conditions of the user, and looks up the files stored in the memory such as hard disk, ROM, RAM, flash memory, CD-ROM, or the like in whole or in part using specific codes determined as previously registered malicious codes and viruses. These specific codes are stored as a lookup table in the memory designated by the vaccine program executing part 224, and are compared with the files to be looked up when the malicious code and virus are looked up.
  • the vaccine program executing part 224 cures or deletes files infected with the specific code.
  • the lookup table can be updated on-line or off-line.
  • the vaccine program executing part 224 can look up each memory, executable file, etc. at a time interval, which is designated by the user or the vaccine program executing part 224, in a user desktop step, after the process processing authority, the token, is transferred from the process assigning part 222, as well as after the winlogon desktop step while continuing to be executed by a Demon and the like.
  • the user information processing section 230 includes graphical identification and authentication (GINA) 232, local security authority (LSA) 234 verifying validity of the collected user information ID_Pass and the overall user information User_Info relating to the user information ID_Pass, and a logon processing part 236, and a user initializing part 238.
  • GINA graphical identification and authentication
  • LSA local security authority
  • the GINA 232 displays an information dialogue box for inputting the user information ID_Pass.
  • ID_Pass e.g. identifier (ID) and password
  • the GINA 232 puts the input ID and password, the overall user information User_Info relating to the ID and password, etc. into a data package, and then sends the data package to the LSA 234.
  • the GINA 232 can be employed as MSGINA supported by Microsoft, and load the resulting MSGINA.DLL.
  • the GINA 232 collects and pigeonholes part of the information relating to the user, i.e. the information from which the files infected with the malicious code and virus are removed by the vaccine program executing part 224.
  • the overall user information User_Info includes lists of application programs relating to the input user information ID_Pass.
  • the LSA 234 verifies whether or not values of the user information ID_Pass and the overall user information User_Info are valid.
  • the LSA 234 creates tokens that have subsystem user information taking charge of local security policy and user authentication in the windows-based local system as well as information about the security authority, and creates and records audit messages.
  • the LSA 234 can be used in the operating system of the Windows-series, such as Windows dotnet server family, Windows XP, Windows 2000, Windows NT, and so on.
  • the logon processing part 236 processes user logon when the LSA 234 determines that the values of the user information ID_Pass and the overall user information User_Info are valid.
  • the user initializing part 238 initializes programs listed in the overall user information User_Info and registry values of the listed programs on the basis of the user information ID_Pass and the overall user information User_Info, the values of which the LSA 234 determines to be valid.
  • the listed programs can include application programs included in the overall user information.
  • the application program 240 is a program that is designated and activated in the user desktop step by means of the user, and is activated by the designation of the user, for example by the control based on the input of the input unit 140 such as keyboard control, mouse control, or so on.
  • FIG. 4 is a flowchart illustrating an operation method according to an embodiment of the present invention
  • FIG. 5 is a detailed flowchart illustrating steps of an operation method according to an embodiment of the present invention.
  • the method of operating the system for curing any malicious code and virus in accordance with an embodiment of the present invention is roughly divided into a power supply step, a winlogon desktop step, and a user desktop step.
  • the power supply step includes step S101 of supplying power to the booting system 120 to carry out system booting, and step S102 of receiving an input signal, a SAS signal, for recording the operating system 210 on the memory such as RAM after the booting is completed.
  • in step S101, the power supply 110 supplies power to activate each peripheral device of a terminal such as a computer, and the system booting is carried out by the booting system 120.
  • the booting system 120 checks whether or not each peripheral device of the computer is correctly connected, and prepares summary information relating to each peripheral device.
  • in step S102, when the SAS input is received from the input unit 140 after the booting is completed, the operating system 210 is recorded and executed on the RAM.
  • the operating system 210 executed in the embodiment of the present invention can employ various operating systems, and preferably the operating systems for Windows series such as Windows 2000, Windows NT, Windows XP, and so on.
  • the winlogon desktop step includes step S103 of initiating winlogon services according to the SAS input, step S104 of assigning processing authority relating to processes, for example token, step S105 of delivering the assigned token to the vaccine program executing part 224, looking up malicious codes and viruses, and curing the discovered malicious codes and viruses, step S106 of activating the GINA 232 for collecting user information ID_Pass, step S107 of collecting the user information ID_Pass input from the input unit 140 and the overall user information User_Info relating to the user information ID_Pass, and verifying validity of the collected user information ID_Pass and overall user information User_Info, step S109 of processing user logon, and step S110 of carrying out initialization based on the user information ID_Pass and the overall user information User_Info.
  • in step S103, as the operating system 210 is activated, the winlogon services relating to the user logon are initiated.
  • in step S104, as the winlogon services are initiated, the process assigning part 222 is assigned the token relating to the processing authority such that it can be first assigned the process processing authority from the operating system 210 in order to be able to first execute the vaccine program executing part 224.
  • the system and method for curing any malicious code and virus in accordance with an embodiment of the present invention have been described that the program assigned the token, the process processing authority, has been first processed, but they can first obtain the process processing authority by pre-occupying process scheduler priority of the operating system 210 using interrupt and the like.
  • in step S105, the vaccine program executing part 224 executes a vaccine program by taking over the process processing authority from the process assigning part 222.
  • the vaccine program executing part 224 drives the vaccine program, looks up at least one of the various files stored in the memory of the computer, such as hard disk, ROM, RAM, flash memory, CD-ROM, external memory connected through an external connector, or the like, discovers any malicious code and virus, and removes the discovered malicious code and virus.
  • in step S106, the GINA 232 for collecting the user information ID_Pass is activated, and thereby an information dialogue box capable of inputting the user information ID_Pass is created.
  • in step S107, when the user inputs the user information ID_Pass into the information dialogue box created by the GINA 232 using the input unit 140, the input user information ID_Pass is collected together with the overall user information User_Info relating to the user information ID_Pass.
  • the overall user information User_Info may include a list of the application programs used by the user, and the like.
  • in step S108, it is verified whether or not the values of the user information ID_Pass and the overall user information User_Info that are collected by the GINA 232 are substantially valid. To this end, the user information ID_Pass and the overall user information User_Info are sent to the LSA 234, and then the LSA 234 verifies whether or not the values thereof are valid.
  • in step S109, when the values of the user information ID_Pass and the overall user information User_Info are verified to be valid, the user logon for authenticating the user is processed.
  • in step S110, when the user is authenticated by the user logon, the programs and the registry values of the programs are initialized on the basis of a list of the application programs included in the overall user information User_Info.
  • the user desktop step includes step S111 in which the user designates and executes the application program 240.
  • in step S111, after the user logon and the user initialization are completed in the winlogon desktop step, the application program 240 is activated by the user.
  • the system and method for curing any malicious code and virus in accordance with an embodiment of the present invention executes the vaccine program before the logon based on the user information is processed, and removes any malicious code and virus before the malicious code and virus are activated, so that they can not only remove unnecessary use of the terminal's resources, but also minimize information loss.
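The lookup-table comparison performed by the vaccine program executing part 224, and the removal of infected entries from the User_Info program list before the user initializing part 238 runs, can be sketched as follows. This is an added example, not code from the patent or from Bizet Inc.; the signature names and byte patterns, the function names, the quarantine step (standing in for "cures or deletes") and the sample files are constructed assumptions.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed lookup table of "specific codes": signature name -> byte pattern.
# These are harmless made-up markers, not real malware signatures.
LOOKUP_TABLE = {
    "Constructed.TestSig.A": b"\xde\xad\xbe\xefDEMO-SIGNATURE-A",
    "Constructed.TestSig.B": b"DEMO-SIGNATURE-B\x00\x01",
}
CHUNK_SIZE = 64 * 1024


def scan_file(path, table=LOOKUP_TABLE, chunk_size=CHUNK_SIZE):
    """Return the sorted names of all table signatures found in the file.

    The file is read in chunks. The last (longest_pattern - 1) bytes of each
    window are carried over so that a signature split across a chunk
    boundary is still matched.
    """
    if not table:
        return []
    overlap = max(len(p) for p in table.values()) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            for name, pattern in table.items():
                if name not in found and pattern in window:
                    found.add(name)
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def pre_logon_scan(program_list, quarantine_dir, table=LOOKUP_TABLE,
                   chunk_size=CHUNK_SIZE):
    """Scan every program listed in User_Info before it is initialized.

    Returns (clean_list, report). Infected files are moved to quarantine_dir
    and dropped from the list. Entries that cannot be read are also dropped
    (fail closed), so nothing unscanned is started at logon.
    """
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    clean, report = [], {}
    for entry in program_list:
        path = Path(entry)
        try:
            hits = scan_file(path, table, chunk_size)
        except OSError as exc:
            report[str(path)] = "unreadable: " + exc.__class__.__name__
            continue
        if hits:
            shutil.move(str(path), str(quarantine_dir / (path.name + ".quarantined")))
            report[str(path)] = "quarantined: " + ", ".join(hits)
        else:
            clean.append(str(path))
    return clean, report


def run_demo():
    """Scan constructed sample files using 16-byte chunks.

    Returns (clean file names, report keyed by file name, quarantine listing).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "clean_app.bin": b"A" * 100,
            "infected_a.bin": b"B" * 37 + LOOKUP_TABLE["Constructed.TestSig.A"] + b"B" * 50,
            # Signature B starts at offset 10 and crosses the 16-byte boundary.
            "infected_b.bin": b"C" * 10 + LOOKUP_TABLE["Constructed.TestSig.B"] + b"C" * 5,
        }
        for name, data in samples.items():
            (root / name).write_bytes(data)
        user_info = [str(root / n) for n in samples] + [str(root / "missing.bin")]
        clean, report = pre_logon_scan(user_info, root / "quarantine", chunk_size=16)
        quarantined = sorted(p.name for p in (root / "quarantine").iterdir())
        return ([Path(p).name for p in clean],
                {Path(k).name: v for k, v in report.items()},
                quarantined)


if __name__ == "__main__":
    clean, report, quarantined = run_demo()
    print("programs left to initialize:", clean)
    for name, status in report.items():
        print(name, "->", status)
    print("quarantine:", quarantined)
```

Only the entries in the returned clean list would be handed on for initialization; a scanner that matched each chunk in isolation would miss the second sample.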

Abstract

Disclosed are a system and a method for curing any malicious code and virus. The system for curing any malicious code and virus includes a power supply supplying power to a terminal, an operating system executed after the terminal supplied with the power is booted, and an input unit inputting signals for controlling the booting and the operating system. The operating system executes a vaccine program for curing the malicious code and virus before logon based on user information is processed.

Description

SYSTEM AND METHOD FOR CURING MALICIOUS CODE AND VIRUS
Technical Field
[1] The present invention relates generally to a system and a method for curing any malicious code and virus. More particularly, the present invention relates to a system and a method for curing any malicious code and virus, in which a vaccine program capable of curing the malicious code and virus is executed with top priority, thereby removing the malicious code and virus before the malicious code and virus are activated.
[2]
Background Art
[3] Recently, high-tech electronic products have undergone integration and precision higher than ever before. According to this tendency, elements constituting such a high-tech electronic product are also subjected to higher integration and precision. In particular, the computer is the aggregate of all technologies, and serves also as the basis of all technologies. This computer is applied throughout almost all the fields.
[4] Meanwhile, the application of the computer becomes wide, which is also accompanied with evils, for example, malicious codes and viruses that copy information of another user computer without agreement or that execute any program, which is designated by a specific user, on another user computer without agreement. As such, vaccine technologies for preventing damages from the malicious codes and viruses show a tendency toward high-speed development. The vaccine technologies of curing the viruses are grown faster than any other information telecommunication technology due to increase of intelligent viruses. Nevertheless, the existing vaccine services are impossible to prevent the damages from all the malicious codes and viruses. Especially, the malicious codes and viruses, which are recorded on user information of the computer and are activated as soon as the computer is executed, provide trouble in that they must be looked up and removed by any vaccine program and then the computer must be re-booted. In addition, the malicious codes and viruses, which are activated prior to the vaccine program, frequently cause a problem in that they considerably delay activating the vaccine program and other application programs. For these reasons, studies on effective removal of the malicious codes and viruses activated when the computer is logged on are keenly required.
[5]
Disclosure of Invention
Technical Problem
[6] The present invention has been made to solve the above problem occurring in the prior art, and an object of the present invention is to provide a system and method for curing any malicious code and virus, in which the malicious code and virus are looked up and removed before logon based on user information is carried out, thereby eliminating inconvenience of a user caused by re-booting of a computer.
[7] It is another object of the present invention to provide a system and method for curing any malicious code and virus, in which the malicious code and virus are inactivated and removed before the malicious code and virus is activated, thereby shortening a time to activate resources and programs of a computer as well as improving satisfaction of a user.
[8] It is yet another object of the present invention to provide a system and method for curing any malicious code and virus, in which the malicious code and virus are inactivated and removed before window logon, thereby minimizing leakage of user information.
[9]
Technical Solution
[10] In order to accomplish the above objects, according to one aspect of the present invention, there is provided a system for curing any malicious code and virus that includes a power supply supplying power to a terminal, an operating system executed after the terminal supplied with the power is booted, and an input unit inputting signals for controlling the booting and the operating system. Here, the operating system executes a vaccine program for curing the malicious code and virus before logon based on user information is processed.
[11] Meanwhile, overall user information may include a list of user's application programs from which the malicious code and virus are removed.
[12] Further, the operating system may include a Windows-series operating system.
Furthermore, the Windows-series operating system may include at least one of a Windows 2000 operating system, a Windows 2003 operating system, a Windows NT operating system, and a Windows XP operating system.
[13] According to another aspect of the present invention, there is provided a method for curing any malicious code and virus. The method comprises a first step of supplying power to a terminal, a second step of booting the terminal, a third step of activating an operating system, and taking over process processing authority from the operating system to execute a vaccine program, a fourth step of collecting user information and overall user information relating to the user information, a fifth step of verifying validity of the user information and the overall user information, a sixth step of processing logon of a user, and a seventh step of initializing the overall user information.
[14]
Advantageous Effects
[15] As described above, the system and method for curing any malicious code and virus in accordance with an embodiment of the present invention looks up and removes the malicious code and virus before the logon is carried out based on the user information, so that they can eliminate inconvenience of the user caused by re-booting of the computer.
[16] The system and method for curing any malicious code and virus in accordance with another embodiment of the present invention inactivate and remove the malicious code and virus before the malicious code and virus is activated, so that they can shorten a time to activate the resources and programs of the computer and thereby improve satisfaction of the user.
[17] Finally, the system and method for curing any malicious code and virus in accordance with another embodiment of the present invention inactivate and remove the malicious code and virus before the Window logon, so that they can minimize leakage of the user information.
[18] Although exemplary embodiments of the present invention have been described for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the invention as disclosed in the accompanying claims.
[19]
Brief Description of the Drawings
[20] FIG. 1 illustrates the configuration of a system for curing any malicious code and virus in accordance with an embodiment of the present invention;
[21] FIG. 2 illustrates a schematic configuration of the vaccine pre-processing section of FIG. 1;
[22] FIG. 3 illustrates a schematic configuration of the user information processing section of FIG. 1 ;
[23] FIG. 4 is a flowchart illustrating the operation of a system for curing any malicious code and virus in accordance with an embodiment of the present invention; and
[24] FIG. 5 is a detailed flowchart illustrating the operation of a system for curing any malicious code and virus in accordance with an embodiment of the present invention.
[25]
Mode for the Invention
[26] Hereinafter, exemplary embodiments according to the present invention will be described with reference to the accompanying drawings. The terms or words used in the present invention may not be limited to the meanings defined in the dictionary, but can be variously defined by the inventors of this application matching with the scope of the present invention.
[27] FIG. 1 illustrates a system for curing any malicious code and virus in accordance with an embodiment of the present invention.
[28] Referring to FIG. 1, the system for curing any malicious code and virus in accordance with an embodiment of the present invention includes a power supply 110 supplying power, a booting system 120, a display unit 130, an input unit 140, and an operating system 210 curing the virus prior to logon, and may further include at least one application program 240 executed on the operating system 210. Further, the inventive system for curing any malicious code and virus includes a first memory 200 in which the operating system 210 and the application program 240 are stored, and a second memory 150 that calls and activates the operating system 210 out of the first memory 200. Here, the first memory 200 may include a hard disk, and the second memory 150 may include a random access memory (RAM).
[29] The power supply 110 supplies power to a terminal such as a computer, thereby activating main and peripheral devices of the computer.
[30] The booting system 120 functions to start the computer after the computer is supplied with power from the power supply 110. As the booting system 120 is operated, a basic program such as a basic input/output system (BIOS) is operated first. This basic program is recorded in a read only memory (ROM) such that it can be stored although the power is turned off. Taking the booting of a compatible IBM personal computer by way of example of the booting executed by the booting system 120, a checking operation called power on self test (POST) is executed. In this checking operation, a RAM used as a main memory, a keyboard, a hard disk, etc. are checked. In this checking operation, summary information about a configuration of the system is represented together. The summary information includes information on the type of a currently installed microprocessor, information on the installation of a coprocessor, information on a clock speed, information on a floppy disk drive, information on a hard disk drive, information on a compact disk (CD)-ROM drive, information on the capacity of a basic memory, information on the capacity of an extended memory, and so on.
[31] The display unit 130 displays operational processes of the computer after the power is supplied by the power supply 110. The display unit 130 may include a variety of display devices such as a cathode ray tube (CRT) monitor, a liquid crystal display (LCD), a plasma display panel (PDP), and so on.
[32] The input unit 140 functions to generate signals, which are input to control the booting system 120, the operating system 210, etc. The input unit 140 may include a keyboard, a mouse, an external device connected through a universal serial bus (USB), a touch panel, and so on. In the case in which the computer is connected on-line, the signals can be input through remote control.
[33] The operating system 210 is interposed between computer hardware and the user application program 240, and is a program for managing software and hardware resources so as to allow the application program 240 to easily use the hardware as well as to maximize the efficiency of an overall system. The operating system 210 generally takes charge of process management, memory management, and output service, and is classified, according to a use method, as a batch system, a real-time processing system, a time-sharing system, etc., as well as, according to a user environment, as a single-user system and a multi-user system. Further, the operating system 210 is divided, according to a manufacturer, into Solaris of SUN Microsystems, Ultrix of Digital Equipment, Mach of Carnegie Mellon University, PowerOpen of IBM and Apple, System 7.0 of Apple, OS/2 of IBM, DOS and Windows of Microsoft, UnixWare of Novell, NextStep of NeXT, and so on. The operating system 210 of the present invention will be described on the basis of the Windows environment that is most widely distributed to personal computers. Meanwhile, the operating system 210 of the present invention drives a vaccine pre-processing section 220 in order to execute a vaccine program, when logon or winlogon (hereinafter, referred to as winlogon) service is provided before a user logs on, to thereby remove the malicious code and virus, and then activates a user information processing section 230 that collects user information ID_Pass input by the user and overall user information User_Info relating to the user information ID_Pass after the removal of the malicious code and virus is completed, and initializes the program on the basis of the collected information.
In other words, after the booting is completed by the booting system, the operating system 210 is recorded and activated in the memory, such as RAM, by inputting a "Ctrl-Alt-Del" key combination that is a secure attention sequence (SAS), and performs a winlogon desktop step in response to the SAS in the step of supplying the power. The operating system 210 activates the vaccine pre-processing section 220 to remove the malicious codes and viruses when it is converted into the winlogon desktop and provides the winlogon service, and then activates the user information processing section 230 for initializing the input user information ID_Pass and the overall user information User_Info relating to the user information ID_Pass.
[34] As illustrated in FIG. 2, the vaccine pre-processing section 220 includes a process assigning part 222 that is preferentially assigned process processing authority, for instance a token, from the operating system 210 in the winlogon desktop step, and a vaccine program executing part 224.
[35] The process assigning part 222 is assigned the process processing authority from the operating system 210 with top priority, when the operating system 210 is driven by the input of the SAS and thereby enters the winlogon desktop step. When entering the winlogon desktop step, the process assigning part 222 can register a processing sequence with a scheduler of the operating system 210 with top priority, or can interrupt and be assigned the process processing authority from the operating system 210. Thereafter, the process assigning part 222 delivers the assigned process processing authority, the token, to the vaccine program executing part 224.
[36] The vaccine program executing part 224 executes the vaccine program to look up the malicious code and virus when the process processing authority, the token, is transferred from the process assigning part 222. At this time, the vaccine program executing part 224 can be stored in the memory such as hard disk, ROM, RAM, flash memory, CD-ROM, or the like according to designated conditions of the user, and looks up the files stored in the memory such as hard disk, ROM, RAM, flash memory, CD-ROM, or the like in whole or in part using specific codes determined as previously registered malicious codes and viruses. These specific codes are stored as a lookup table in the memory designated by the vaccine program executing part 224, and are compared with the files to be looked up when the malicious code and virus are looked up. At this time, when any specific code is discovered, the vaccine program executing part 224 cures or deletes files infected with the specific code. Here, the lookup table can be updated on-line or off-line. The vaccine program executing part 224 can look up each memory, executable file, etc. at a time interval, which is designated by the user or the vaccine program executing part 224, in a user desktop step, after the process processing authority, the token, is transferred from the process assigning part 222, as well as after the winlogon desktop step while continuing to be executed by a daemon and the like.
[37] As illustrated in FIG. 3, the user information processing section 230 includes graphical identification and authentication (GINA) 232, local security authority (LSA) 234 verifying validity of the collected user information ID_Pass and the overall user information User_Info relating to the user information ID_Pass, a logon processing part 236, and a user initializing part 238.
[38] After the lookup of the malicious code and virus is completed by the vaccine program executing part 224, the GINA 232 displays an information dialogue box for inputting the user information ID_Pass. When the user inputs the user information ID_Pass, e.g. identifier (ID) and password, through the information dialogue box, the GINA 232 puts the input ID and password, the overall user information User_Info relating to the ID and password, etc. into a data package, and then sends the data package to the LSA 234. In the case in which the operating system 210 is a Microsoft Windows operating system, the GINA 232 can be employed as MSGINA supported by Microsoft, and load the resulting MSGINA.DLL. The GINA 232 collects and pigeonholes part of the information relating to the user, i.e. the information from which the files infected with the malicious code and virus are removed by the vaccine program executing part 224. The overall user information User_Info includes lists of application programs relating to the input user information ID_Pass.
[39] The LSA 234 verifies whether or not values of the user information ID_Pass and the overall user information User_Info are valid. The LSA 234 creates tokens that have subsystem user information taking charge of local security policy and user authentication in the windows-based local system as well as information about the security authority, and creates and records audit messages. The LSA 234 can be used in the operating system of the Windows-series, such as Windows dotnet server family, Windows XP, Windows 2000, Windows NT, and so on.
[40] The logon processing part 236 processes user logon when the LSA 234 determines that the values of the user information ID_Pass and the overall user information User_Info are valid.
[41] The user initializing part 238 initializes programs listed in the overall user information User_Info and registry values of the listed programs on the basis of the user information ID_Pass and the overall user information User_Info, the values of which the LSA 234 determines to be valid. Here, the listed programs can include application programs included in the overall user information. When the user initialization is completed by the user initializing part 238, the next step enters the user desktop step in which the window capable of designating and activating the application program 240 is provided.
[42] The application program 240 is a program that is designated and activated in the user desktop step by means of the user, and is activated by the designation of the user, for example by the control based on the input of the input unit 140 such as keyboard control, mouse control, or so on.
[43] A method of operating the system for curing any malicious code and virus, having this configuration, in accordance with an embodiment of the present invention will be described in detail with reference to FIGS. 4 and 5.
[44] FIG. 4 is a flowchart illustrating an operation method according to an embodiment of the present invention, and FIG. 5 is a detailed flowchart illustrating steps of an operation method according to an embodiment of the present invention.
[45] Referring to FIGS. 4 and 5, the method of operating the system for curing any malicious code and virus in accordance with an embodiment of the present invention is roughly divided into a power supply step, a winlogon desktop step, and a user desktop step.
[46] The power supply step includes step S101 of supplying power to the booting system 120 to carry out system booting, and step S102 of receiving an input signal, a SAS signal, for recording the operating system 210 on the memory such as RAM after the booting is completed.
[47] In step S101, the power supply 110 supplies power to activate each peripheral device of a terminal such as a computer, and the system booting is carried out by the booting system 120. At this time, the booting system 120 checks whether or not each peripheral device of the computer is correctly connected, and prepares summary information relating to each peripheral device.
[48] In step S102, when the SAS input is received from the input unit 140 after the booting is completed, the operating system 210 is recorded and executed on the RAM. At this time, the operating system 210 executed in the embodiment of the present invention can employ various operating systems, and preferably the operating systems for Windows series such as Windows 2000, Windows NT, Windows XP, and so on.
[49] The winlogon desktop step includes step S103 of initiating winlogon services according to the SAS input, step S104 of assigning processing authority relating to processes, for example a token, step S105 of delivering the assigned token to the vaccine program executing part 224, looking up malicious codes and viruses, and curing the discovered malicious codes and viruses, step S106 of activating the GINA 232 for collecting user information ID_Pass, step S107 of collecting the user information ID_Pass input from the input unit 140 and the overall user information User_Info relating to the user information ID_Pass, and verifying validity of the collected user information ID_Pass and overall user information User_Info, step S109 of processing user logon, and step S110 of carrying out initialization based on the user information ID_Pass and the overall user information User_Info.
[50] In step S103, as the operating system 210 is activated, the winlogon services relating to the user logon are initiated.
[51] In step S104, as the winlogon services are initiated, the process assigning part 222 is assigned the token relating to the processing authority such that it can be first assigned the process processing authority from the operating system 210 in order to be able to first execute the vaccine program executing part 224. Here, the embodiment has been described such that the program assigned the token, i.e. the process processing authority, is processed first; alternatively, the process processing authority can be obtained first by pre-occupying the process scheduler priority of the operating system 210 using an interrupt and the like.
[52] In step S105, the vaccine program executing part 224 executes a vaccine program by taking over the process processing authority from the process assigning part 222. Here, the vaccine program executing part 224 drives the vaccine program, looks up at least one of the various files stored in the memory of the computer, such as hard disk, ROM, RAM, flash memory, CD-ROM, external memory connected through an external connector, or the like, discovers any malicious code and virus, and removes the discovered malicious code and virus.
[53] In step S106, the GINA 232 for collecting the user information ID_Pass is activated, and thereby an information dialogue box capable of inputting the user information ID_Pass is created.
[54] In step S107, when the user inputs the user information ID_Pass into the information dialogue box created by the GINA 232 using the input unit 140, the input user information ID_Pass is collected together with the overall user information User_Info relating to the user information ID_Pass. Here, the overall user information User_Info may include a list of the application programs used by the user, and the like.
[55] In step S108, it is verified whether or not the values of the user information ID_Pass and the overall user information User_Info that are collected by the GINA 232 are substantially valid. To this end, the user information ID_Pass and the overall user information User_Info are sent to the LSA 234, and then the LSA 234 verifies whether or not the values thereof are valid.
[56] In step S109, when the values of the user information ID_Pass and the overall user information User_Info are verified to be valid, the user logon for authenticating the user is processed.
[57] In step S110, when the user is authenticated by the user logon, the programs and the registry values of the programs are initialized on the basis of a list of the application programs included in the overall user information User_Info.
[58] The user desktop step includes step S111 of, by the user, designating and executing the application program 240.
[59] In step S111, once the user logon and the user initialization are completed in the winlogon desktop step, the application program 240 is activated by the user.
[60] In this way, the system and method for curing any malicious code and virus in accordance with an embodiment of the present invention executes the vaccine program before the logon based on the user information is processed, and removes any malicious code and virus before the malicious code and virus are activated, so that they can not only remove unnecessary use of the terminal's resources, but also minimize information loss.
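The ordering of steps S105 to S110 can be modelled as follows. This is an added illustration, not code from the patent or the applicant: it is a Python model rather than Winlogon/GINA code, and the signature strings, file names, credentials, the quarantine directory and the names scan_file and PreLogonSession are constructed assumptions.

```python
import hmac
import tempfile
from pathlib import Path

# Constructed lookup table of "specific codes" (harmless placeholder byte strings).
SIGNATURES = {
    "Constructed.TestSig.A": b"CONSTRUCTED-TEST-SIGNATURE-A",
    "Constructed.TestSig.B": b"CONSTRUCTED-TEST-SIGNATURE-B",
}
CHUNK = 64 * 1024


def scan_file(path, signatures=SIGNATURES):
    """Return the name of the first signature found in the file, else None."""
    # Carry the last (longest pattern - 1) bytes forward so a pattern that
    # straddles a chunk boundary is still matched.
    overlap = max(len(p) for p in signatures.values()) - 1
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            window = tail + chunk
            for name, pattern in signatures.items():
                if pattern in window:
                    return name
            tail = window[-overlap:] if overlap else b""
    return None


class PreLogonSession:
    """Model of the winlogon desktop step: S105 must finish before S106-S110."""

    def __init__(self, root, quarantine):
        self.root, self.quarantine = Path(root), Path(quarantine)
        self.scan_done = False
        self.infected = {}

    def run_vaccine(self):
        """S105: scan every file under root and move matches out of the way."""
        self.quarantine.mkdir(exist_ok=True)
        for path in sorted(p for p in self.root.rglob("*") if p.is_file()):
            hit = scan_file(path)
            if hit:
                rel = path.relative_to(self.root).as_posix()
                self.infected[rel] = hit
                # Quarantine stands in for the patent's "cures or deletes".
                path.rename(self.quarantine / rel.replace("/", "__"))
        self.scan_done = True
        return self.infected

    def logon(self, user_id, password, user_info, verify):
        """S106-S110: refuse to collect credentials until the scan is done."""
        if not self.scan_done:
            raise RuntimeError("logon requested before pre-logon scan finished")
        if not verify(user_id, password):  # stand-in for the LSA check (S108)
            return None
        # S110: initialize only listed programs that survived the scan.
        return [prog for prog in user_info if (self.root / prog).is_file()]


def demo():
    def verify(user_id, password):  # constructed credential check
        return user_id == "alice" and hmac.compare_digest(password, "constructed-pass")

    with tempfile.TemporaryDirectory() as tmp:
        apps = Path(tmp, "apps")
        apps.mkdir()
        (apps / "editor.exe").write_bytes(b"MZ" + b"\x00" * 100)
        # Signature placed so it straddles the 64 KiB chunk boundary.
        (apps / "helper.exe").write_bytes(b"A" * (CHUNK - 6) + SIGNATURES["Constructed.TestSig.B"])
        session = PreLogonSession(apps, Path(tmp, "quarantine"))
        user_info = ["editor.exe", "helper.exe"]
        try:
            session.logon("alice", "constructed-pass", user_info, verify)
            early = "allowed"
        except RuntimeError:
            early = "blocked"
        infected = session.run_vaccine()
        rejected = session.logon("alice", "wrong", user_info, verify)
        programs = session.logon("alice", "constructed-pass", user_info, verify)
        return early, infected, rejected, programs


if __name__ == "__main__":
    print(demo())
```

The quarantine directory is kept outside the scanned root so that a later scan does not re-match files that were already moved.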

Claims

[1] A system for curing any malicious code and virus, the system comprising: a power supply supplying power to a terminal; an operating system executed after the terminal supplied with the power is booted; and an input unit inputting signals for controlling the booting and the operating system, wherein the operating system executes a vaccine program for curing the malicious code and virus before logon based on user information is processed.
[2] The system as claimed in claim 1, wherein the operating system includes: a vaccine pre-processing section that takes over process processing authority from the operating system to execute the vaccine program; and a user information processing section that processes the user information input from the input unit and overall user information relating to the user information.
[3] The system as claimed in claim 2, wherein the overall user information includes a list of user's application programs from which the malicious code and virus are removed.
[4] The system as claimed in claim 2, wherein the vaccine pre-processing section includes: a process assigning part that obtains the process processing authority from the operating system; and a vaccine program executing part that takes over the process processing authority from the process assigning part and executes the vaccine program.
[5] The system as claimed in claim 4, wherein the vaccine program executing part looks up at least one of a hard disk, a read only memory (ROM), a random access memory (RAM), a flash memory, and a compact disk (CD)-ROM in whole or in part.
[6] The system as claimed in claim 2, wherein the user information processing section includes: graphical identification and authentication (GINA) collecting the user information and the overall user information; local security authority (LSA) verifying validity of the user information and the overall user information; a logon processing part processing the user logon based on the validity; and a user initializing part initializing information included in the overall user information.
[7] The system as claimed in claim 1, wherein the vaccine program is continuously executed at designated time intervals while the operating system is activated.
[8] The system as claimed in claim 1, wherein the operating system includes a Windows-series operating system.
[9] The system as claimed in claim 8, wherein the Windows-series operating system includes at least one of a Windows 2000 operating system, a Windows 2003 operating system, a Windows NT operating system, and a Windows XP operating system.
[10] The system as claimed in claim 1, wherein the operating system is activated in response to a secure attention sequence (SAS) signal input from the input unit after the booting is completed.
[11] The system as claimed in claim 1, further comprising at least one of: a display unit displaying processes of the booting and the execution of the operating system; a first memory in which the operating system is stored; and a second memory that loads the operating system stored in the first memory.
[12] The system as claimed in claim 1, wherein the vaccine program is stored in at least one of a hard disk, a read only memory (ROM), a flash memory, a mobile storage of an external connection type, and a compact disk (CD)-ROM.
[13] A method for curing any malicious code and virus, the method comprising: a first step of supplying power to a terminal; a second step of booting the terminal; a third step of activating an operating system, and taking over process processing authority from the operating system to execute a vaccine program; a fourth step of collecting user information and overall user information relating to the user information; a fifth step of verifying validity of the user information and the overall user information; a sixth step of processing logon of a user; and a seventh step of initializing the overall user information.
[14] The method as claimed in claim 13, wherein the vaccine program looks up at least one of a hard disk, a read only memory (ROM), a random access memory (RAM), a flash memory, and a compact disk (CD)-ROM in whole or in part.
[15] The method as claimed in claim 13, wherein the overall user information includes a list of user's application programs from which the malicious code and virus are removed.
[16] The method as claimed in claim 13, wherein the operating system includes a Windows-series operating system.
[17] The method as claimed in claim 16, wherein the Windows-series operating system includes at least one of a Windows 2000 operating system, a Windows 2003 operating system, a Windows NT operating system, and a Windows XP operating system.
[18] The method as claimed in claim 13, wherein the vaccine program is stored in at least one of a hard disk, a read only memory (ROM), a flash memory, a mobile storage of an external connection type, and a compact disk (CD)-ROM.
PCT/KR2007/001331 2006-03-22 2007-03-19 System and method for curing malicious code and virus WO2007108627A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020060026100A KR100648604B1 (en) 2006-03-22 2006-03-22 Malignant code and virus cure system and method thereof
KR10-2006-0026100 2006-03-22

Publications (1)

Publication Number Publication Date
WO2007108627A1 (en) 2007-09-27

Family

ID=37713194

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2007/001331 WO2007108627A1 (en) 2006-03-22 2007-03-19 System and method for curing malicious code and virus

Country Status (2)

Country Link
KR (1) KR100648604B1 (en)
WO (1) WO2007108627A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101380908B1 (en) * 2010-07-26 2014-04-02 김기용 Hacker Virus Security Aggregation Management Apparatus
KR101412202B1 (en) 2012-12-27 2014-06-27 주식회사 안랩 Device and method for adaptive malicious diagnosing and curing

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5511184A (en) * 1991-04-22 1996-04-23 Acer Incorporated Method and apparatus for protecting a computer system from computer viruses
JPH09190347A (en) * 1996-01-11 1997-07-22 Oki Electric Ind Co Ltd Microcomputer system
US6802028B1 (en) * 1996-11-11 2004-10-05 Powerquest Corporation Computer virus detection and removal
KR20050118443A (en) * 2004-06-14 2005-12-19 삼성전자주식회사 Method and apparatus for vaccine program update

Also Published As

Publication number Publication date
KR100648604B1 (en) 2006-11-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07715709; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07715709; Country of ref document: EP; Kind code of ref document: A1)