Conventionally, there is known a technique of identifying, when malware is discovered on a computer, the intrusion route of the malware (see PTL 1). If the intrusion route can be identified, it is possible to take measures such as blockage of a point of intrusion. However, even if the point of intrusion is blocked, malware which has already entered does not disappear automatically. In an organization such as a company or school, a number of computers are connected via a network, and malware which has entered may be widely spread via the network. As a technique of grasping the spread range of malware, there is known a technique disclosed in PTL 2. According to PTL 2, a PC which has accessed a file detected as malware (virus) is identified, and then a procedure of cutting off the PC from the network is performed.