A form of cyber attack that has recently been increasing against companies is the targeted attack, which infects with malware a target computer used or owned by a specific employee of a company and steals information from the company.
Conventional antivirus software relies on a virus definition file, which is a black list method. However, the number of types of malware, including computer viruses, is increasing by tens of thousands a day. It is therefore impossible to keep up with the abrupt increase in the number of malware types by updating the virus definition file. Hence, it is difficult to cope with a targeted attack using conventional antivirus software.
On the other hand, there exists a measure against a targeted attack using a so-called white list type control method that allows execution of known programs and restricts execution of the remaining programs. When updating a program in a computer using the white list type control method, an updater program used for updating is registered in the white list.
However, in many cases the updater generates a plurality of other execution files. Hence, even when the updater is registered in the white list, the execution files generated by the updater are not. As a result, when the execution files generated by the updater are installed in the computer and the update is completed, it may be impossible to start those execution files and to operate the updated program normally.
There also exists a measure against a targeted attack using a so-called white list type network access control that allows network access by known programs and restricts network access by the remaining programs.
When starting white list type network access control, a program to be permitted is registered in the white list. However, if an update is performed by, for example, applying a security patch, the program previously registered as permitted in the white list is changed and no longer matches its registration, so the updated program needs to be re-registered in the white list. In addition, if a program is newly generated by an updater, it is necessary to register the newly generated program as well.
Conventionally, a system administrator or the like performs, every time an update is performed, an operation of extracting an execution file generated by an updater and registering it in a white list, or an operation of registering an updated program or a program generated by an updater in a white list. These methods require burdensome operations: not only determining whether an updater is reliable, but also registering an updated or generated program in a white list, and extracting an execution file and updating the white list.
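The failure mode described above (execution files generated by a registered updater are not themselves registered, and an updated program no longer matches its registration) can be reproduced with a small simulation. This is an added example, not part of the original text; it assumes the white list registers programs by SHA-256 content hash, and the file names, the `Allowlist` class and `run_updater` are hypothetical stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 of the file contents (assumed registration key)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


class Allowlist:
    """White list of permitted programs, keyed by content hash (assumption)."""

    def __init__(self) -> None:
        self._hashes = set()

    def register(self, path: Path) -> None:
        self._hashes.add(digest(path))

    def may_execute(self, path: Path) -> bool:
        return digest(path) in self._hashes


def run_updater(install_dir: Path) -> None:
    """Constructed stand-in for an updater: patches app.exe, generates helper.exe."""
    (install_dir / "app.exe").write_bytes(b"app v2 (security patch applied)")
    (install_dir / "helper.exe").write_bytes(b"helper generated by updater")


def simulate() -> dict:
    """Register app and updater, run the update, report what the white list now blocks."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "app.exe").write_bytes(b"app v1")        # constructed sample files
        (d / "updater.exe").write_bytes(b"updater")
        wl = Allowlist()
        wl.register(d / "app.exe")
        wl.register(d / "updater.exe")
        before = {p.name: wl.may_execute(p) for p in sorted(d.iterdir())}
        run_updater(d)
        after = {p.name: wl.may_execute(p) for p in sorted(d.iterdir())}
        # Files the administrator would have to re-register by hand after the update.
        pending = sorted(name for name, ok in after.items() if not ok)
        return {"before": before, "after": after, "pending": pending}


if __name__ == "__main__":
    print(simulate())
```

The `pending` list is the manual re-registration work the administrator faces after every update, even though the updater itself remained permitted.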