In the related art, malicious code in the file system of a computer system is typically diagnosed by searching for files directory by directory and diagnosing each file found.
According to this conventional method, because all files are searched for and diagnosed directory by directory, an infection may be diagnosed only after a long period of time, depending on where the infection is located. Furthermore, since a file system contains a large number of files, a malicious code diagnosing operation takes a significant amount of time, e.g., dozens of minutes to several hours.
To overcome this time-consuming problem, it is conceivable to perform the diagnosing operation only on some designated directories (e.g., Windows, System, etc.). Although this approach may reduce the diagnosing time, it cannot detect a malicious code infection at any location outside those designated directories. Thus, the reliability of the malicious code diagnosing operation deteriorates.
Incidentally, when a file in a file system is modified, for example when the file is generated/stored, when its name or content is changed, or when it is deleted, information regarding the modification is recorded as file change log information.
In view of the above, the present disclosure proposes performing the malicious code diagnosing operation only on files that are likely to be infected by malicious code, by utilizing the file change log information recorded in the file system. This overcomes both the time consumption of the conventional diagnosing method and the low reliability of its quick diagnosis, providing a malicious code diagnosing operation that is both quick and reliable.
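The selection step described above can be sketched as follows. This is an added example, not code from the disclosure: the record layout (`seq`, `op`, `path`, `new_path`), the sample log, and the choice to follow renames and drop deleted files are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Change:
    """One file change log record (hypothetical layout, not a real journal format)."""
    seq: int                        # monotonically increasing log sequence number
    op: str                         # "create", "modify", "rename" or "delete"
    path: str
    new_path: Optional[str] = None  # set only for "rename"

def scan_candidates(log, last_scanned_seq):
    """Return (paths to diagnose, new checkpoint) for records after last_scanned_seq."""
    pending = set()
    checkpoint = last_scanned_seq
    for rec in sorted(log, key=lambda r: r.seq):
        if rec.seq <= last_scanned_seq:
            continue                      # already covered by an earlier diagnosis
        checkpoint = rec.seq
        if rec.op in ("create", "modify"):
            pending.add(rec.path)
        elif rec.op == "rename":
            pending.discard(rec.path)     # old name no longer exists
            pending.add(rec.new_path)     # diagnose under the current name
        elif rec.op == "delete":
            pending.discard(rec.path)     # nothing left on disk to diagnose
        else:
            raise ValueError(f"unknown change type: {rec.op!r}")
    return sorted(pending), checkpoint

# Constructed sample log; paths and sequence numbers are invented for the example.
SAMPLE_LOG = [
    Change(101, "modify", r"C:\Windows\System32\drivers\etc\hosts"),
    Change(102, "create", r"C:\Users\alice\Downloads\setup.tmp"),
    Change(103, "rename", r"C:\Users\alice\Downloads\setup.tmp",
           r"C:\Users\alice\Downloads\setup.exe"),
    Change(104, "create", r"C:\Temp\a.dat"),
    Change(105, "delete", r"C:\Temp\a.dat"),
    Change(106, "modify", r"D:\Projects\report.docm"),
]

if __name__ == "__main__":
    targets, checkpoint = scan_candidates(SAMPLE_LOG, last_scanned_seq=101)
    for path in targets:
        print("diagnose:", path)
    print("next checkpoint:", checkpoint)
```

The changed file on `D:` is selected even though it lies outside the designated system directories, and a run whose checkpoint already equals the newest record selects nothing.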