JP2023156423A - Risk checking system, risk level checking method, and program - Google Patents

Abstract

To check whether or not an attachment file has risk without troubling a user even when an encrypted attachment file is contained in an electronic message.SOLUTION: A system includes: a mail server 20 which determines whether or not an encrypted attachment file is attached to a received electronic message, and extracts a password candidate for decoding the encrypted attachment file from a text or header of the electronic message attached with the attachment file when the encrypted attachment file is determined to be attached to the electronic message; a virtual computer, which is generated by a test server 30 for receiving the attachment file and the password candidate that are sent from the mail server 20, and decodes the encrypted attachment file using the extracted password candidate; and a virus check server 40 which checks whether or not the encrypted attachment file has risk.SELECTED DRAWING: Figure 1

Description

The present invention relates to a risk check system, a risk check method, and a program for checking the risk of attached files attached to electronic messages such as e-mail, chat, SNS (Social Networking Service), and various messages, and particularly relates to Regarding technology when is encrypted.

With the recent development of information and communication technology, it has become common to use e-mail and the like to exchange information. While e-mail and the like have advantages such as immediacy and the ability to attach files, they also have the problem of fraudulent e-mails such as virus e-mails and phishing e-mails.

In the past, in order to deal with such problems, software was installed on computers and other terminals to check for fraudulent emails such as virus emails and phishing emails, and the emails received on the terminal were checked. . They also installed software on their mail servers to check for fraudulent emails such as virus emails and phishing emails, and the mail servers checked emails sent to and received from email addresses they managed. Further, dangers such as virus emails and phishing emails may also be contained in attached files attached to emails. Even in that case, if you use software that checks for viruses, etc., you can check whether the attached file is dangerous.

However, if the attached file is encrypted, it is not possible to check whether the attached file is dangerous or not. Therefore, when a received e-mail contains an encrypted attachment, the information necessary for decryption is requested from the e-mail recipient, and the encrypted file is encrypted using the information notified from the e-mail recipient. Patent Document 1 discloses a mechanism for decrypting the attached file and checking whether the e-mail including the attached file contains a virus. By using the mechanism disclosed in Patent Document 1, even if an attached file attached to an e-mail is encrypted, it is possible to check whether there is a risk of a virus or the like in the attached file.

Japanese Patent Application Publication No. 2011-4132

However, in the mechanism disclosed in Patent Document 1, when a received e-mail includes an encrypted attachment, information necessary to decrypt the encrypted attachment is transferred to the electronic mail. Since a request is made to the recipient of the e-mail, there is a problem in that it is troublesome for the user who receives the e-mail.

The present invention has been made in view of the problems of the conventional techniques as described above, and even if an electronic message such as an e-mail contains an encrypted attachment, the user can An object of the present invention is to provide a risk checking system, a risk checking method, and a program that can check whether an attached file is dangerous without bothering the operator.

In order to achieve the above object, the present invention has the following features:
A risk checking system for checking whether an attachment attached to an electronic message is dangerous, the system comprising:
a file presence/absence determination means for determining whether an encrypted attachment is attached to a received electronic message;
If it is determined that an encrypted attachment is attached to an electronic message, a password for decrypting the encrypted attachment from the body or header of the electronic message to which the attachment is attached. a password extraction means for extracting candidates;
a virtual computer that is generated by a test server that receives the attached file and the password candidate sent from the mail server, and decrypts the encrypted attached file using the extracted password candidate; and,
and a virus check server that checks whether the decrypted attached file is dangerous.

According to the present invention, even if an electronic message includes an encrypted attached file, it is possible to check whether the attached file is dangerous without bothering the user.

1 is a diagram showing an embodiment of a risk check system of the present invention. 2 is a block diagram showing the configuration of the mail server shown in FIG. 1. FIG. FIG. 2 is a block diagram showing the configuration of the test server shown in FIG. 1. FIG. 4 is a block diagram showing the configuration of a virtual computer generated by the virtual computer generation unit shown in FIG. 3. FIG. FIG. 2 is a block diagram showing the configuration of the virus check server shown in FIG. 1. FIG. 6 is a flowchart for explaining a process when a user who uses the risk check system shown in FIGS. 1 to 5 registers optional service content. FIG. 3 is a diagram showing a part of an optional service content setting screen sent from a mail server and displayed on a user terminal. FIG. 3 is a diagram showing a part of an optional service content confirmation screen sent from a mail server and displayed on a user terminal. FIG. 2 is a diagram showing a part of the user database shown in FIG. 1; 6 is a flowchart illustrating a process when checking the danger of an e-mail in the danger check system shown in FIGS. 1 to 5. FIG.

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 is a diagram showing an embodiment of the risk checking system of the present invention.

As shown in FIG. 1, the risk checking system in this embodiment is configured such that user terminals 10-1 to 10-n and a mail server 20 are connectable via the Internet 60, and the mail server 20 and the test A server 30, a virus check server 40, and a user database 50 are configured to be connectable via a local network 61. Note that the electronic message for checking the degree of risk in the present invention may be not only e-mail but also various messages using chat, SNS, and messenger. For example, the mail server may refer to a chat server, an SNS server, or a messenger server depending on the format to be handled, but in this embodiment, an example using e-mail will be described to simplify the explanation. Further, the mail server 20, the test server 30, the virus check server 40, and the user database 50 that constitute the risk check system of the present invention may not be one each, but may be plural, or each may be a separate one. Instead of devices, two or more types of servers may be configured in one device, or may be realized by cloud computing.

There is one or more user terminals 10, and they are shown as user terminals 10-1 to 10-n (n is an integer). The user terminal 10 is, for example, a personal computer, a smartphone, a mobile phone, or the like. The user terminals 10-1 to 10-n are operated by each user who uses this system, and each user uses the user terminal 10 that he/she owns among the user terminals 10-1 to 10-n. send and receive e-mail. Note that one user may own multiple user terminals 10.

The mail server 20 is a server device that manages email addresses of contracted users and provides a mail service that relays the sending and receiving of emails corresponding to the email addresses. In this embodiment, each user of the user terminals 10-1 to 10-n has a contract for the mail service provided by the mail server 20, so that the mail server 20 can provide the mail service to the user terminals 10-1 to 10-n. It manages each e-mail address of 10-n and relays e-mails sent and received to user terminals 10-1 to 10-n, which are made compatible with each e-mail address through authentication processing using ID and password. It turns out. Note that in the case of a messenger or the like, an account name, ID, phone number, etc. may be used instead of the email address.

FIG. 2 is a block diagram showing the configuration of the mail server 20 shown in FIG. 1.

As shown in FIG. 2, the mail server 20 shown in FIG. It has a receiving section 26 and a mail storage section 27.

The user management section 21 serves as a membership determination means in the present invention. The user management unit 21 manages the email addresses of users who have subscribed to the email service provided by the company that manages the email server 20, as well as the contents of optional services subscribed to by the users who have subscribed to the email service. are registered in the user database 50 and managed.

The mail sending/receiving section 22 receives e-mails addressed to the e-mail addresses managed by the user management section 21, and also transmits e-mails sent from the e-mail addresses managed by the user management section 21 onto the Internet 60.

The file presence/absence determination section 23 determines whether an encrypted attached file is attached to the e-mail received by the mail transmission/reception section 22 .

When the file presence/absence determination unit 23 determines that an encrypted attachment file is attached to the email received by the email sending/receiving unit 22, the password extraction unit 24 extracts the following information from the body of a specific email: Extract a string as a password candidate to decrypt an encrypted attachment. Note that if the extended header that starts with X contains characters indicating a password (for example, X-password, In this explanation, it is assumed that the password is written in the main text). The password candidate is, for example, a 1-byte character string, and conditions for making it a password candidate and conditions for excluding it from the password candidates are stored in advance in a storage unit (not shown) of the mail server 20. At this time, the password extraction unit 24 may select the e-mail with the attached file as a specific e-mail for extracting password candidates, or may use the e-mail with the attached file as an e-mail with the same destination as the e-mail with the attached file. An e-mail received within a predetermined time from the time when the e-mail with the attached file was received may be used as the specific e-mail for extracting password candidates. Furthermore, an e-mail that has a reply or forwarding relationship with the e-mail to which the attached file is attached may be used as a specific e-mail for extracting password candidates.

The virtual computer generation instruction unit 25 instructs the test server 30 to generate a virtual computer when the password extraction unit 24 extracts a password candidate. At this time, the virtual computer generation instruction section 25 refers to the optional service contents for each user managed by the user management section 21 in the user database 50, and generates a virtual computer according to the optional service contents to the test server 30. Instruct to generate. Further, the virtual computer generation instruction unit 25 attaches the password candidates extracted by the password extraction unit 24 and the e-mail that has been determined to have an encrypted attached file attached by the file presence/absence determination unit 23. The attached file is sent to the test server 30.

The result receiving unit 26 receives the results of the virus check performed by the virus check server 40.

The mail storage unit 27 serves as message storage means in the present invention. The mail storage section 27 stores the e-mail received by the mail transmission/reception section 22 in a storage area according to the result received by the result reception section 26 .

The test server 30 is a server device that generates a virtual computer according to instructions from the mail server 20, and uses the generated virtual computer to decrypt an attached file attached to an email received by the mail server 20.

FIG. 3 is a block diagram showing the configuration of the test server 30 shown in FIG. 1.

The test server 30 shown in FIG. 1 includes an instruction receiving section 31, a virtual computer generating section 32, and an attached file transmitting section 33, as shown in FIG.

The instruction receiving unit 31 receives an instruction to generate a virtual computer sent from the virtual computer generation instruction unit 25 of the mail server 20.

The virtual computer generation unit 32 generates a virtual computer based on the instructions received by the instruction reception unit 31. The virtual computer generation instruction unit 25 instructs the user management unit 21 to generate a virtual computer according to the optional service content for each user managed in the user database 50. The details of the optional service contents for each user managed in the user database 50 will be described later, but a virtual computer is generated in which the applications included in the optional service contents are installed.

The attached file transmitter 33 transmits the attached file decrypted by the virtual computer generated by the virtual computer generator 32.

FIG. 4 is a block diagram showing the configuration of a virtual computer generated by the virtual computer generation unit 32 shown in FIG. 3. As shown in FIG. Note that the virtual computer generated by the virtual computer generation unit 32 shown in FIG. For configurations that do not exist, there is no need to generate them. The configurations directly related to the operation of the present invention will be illustrated and explained, and other configurations will be omitted from the description.

As shown in FIG. 4, the virtual computer generated by the virtual computer generation section 32 shown in FIG. 3 includes an attached file reception section 32a, a password reception section 32b, and a decryption section 32c.

The attached file receiving unit 32a receives an attached file sent from the virtual computer generation instruction unit 25 of the mail server 20 to the test server 30.

The password accepting unit 32b accepts password candidates sent from the virtual computer generation instruction unit 25 of the mail server 20 to the test server 30.

The decryption unit 32c decrypts the attached file received by the attached file reception unit 32a using the password candidate received by the password reception unit 32b.

The virus check server 40 is a server device that performs a virus check on the attached file decrypted by the virtual computer generated by the test server 30 to see if it is dangerous.

FIG. 5 is a block diagram showing the configuration of the virus check server 40 shown in FIG. 1. As shown in FIG.

The virus check server 40 shown in FIG. 1 includes an attached file receiving section 41, a virus checking section 42, and a result transmitting section 43, as shown in FIG.

The attached file receiving unit 41 receives the decrypted attached file transmitted from the test server 30.

The virus check section 42 serves as a risk checking means in the present invention. The virus checking unit 42 performs a virus check on the decrypted attached file received by the attached file receiving unit 41 to check whether it is dangerous.

The result transmitter 43 transmits the result of the virus check performed by the virus checker 42 to the mail server 20. In the present invention, the virus check server 40 receives the decrypted attached file, checks whether it is dangerous, and sends the check result to the mail server 20, but the test server 30 Then, a virus check application is installed on the generated virtual computer, and the installed virus check application checks the decrypted attachment file on the virtual computer to see if it is dangerous, and sends the check result to the mail server 20. You may. In that case, the virus check server 40 provides the virtual computer with the latest virus check application and the latest virus definition file necessary for virus checking.

The user database 50 is a database device in which optional service contents desired by users registered in this system are registered in association with IDs that are identifiers for identifying users. The details will be described later. Additionally, email addresses, passwords, etc. are also registered in association with each user's ID. The user database 50 may be, for example, a server device in which database software is stored in an executable manner, a storage device connected to a network such as a NAS, or a storage device built into or externally attached to another server device.

A method of checking the danger of electronic mail in the danger checking system configured as described above will be explained below.

First, the process when a user registers optional service content will be explained.

FIG. 6 is a flowchart for explaining the process when a user who uses the risk check system shown in FIGS. 1 to 5 registers optional service content.

A user who uses the risk check system shown in FIGS. 1 to 5 uses a mail server, for example, one of the user terminals 10-1 to 10-n, to register optional service contents. 20 (step S1), the mail server 20 sends an authentication screen for entering an ID and password (other authentication methods such as biometric authentication may also be used) to perform user authentication (step S2). ) is received and displayed on the user terminal 10-1 (step S3).

On the authentication screen displayed on the user terminal 10-1, the ID and password given and set in advance by the user are entered and sent (step S4), and when received by the mail server 20 (step S5) The user management section 21 of the mail server 20 refers to the user database 50 and performs user authentication using the received ID and password (step S6). In the user database 50, information such as e-mail addresses of contracted users is registered in association with IDs and passwords given and set to the users in advance. Therefore, the user management section 21 of the mail server 20 can perform user authentication using the received ID and password by referring to the user database 50, and if the authentication is successful, the user management section 21 can authenticate the user using the received ID and password. If the user terminal 10 that sent the message is the user terminal 10 owned by the user whose email address corresponds to the ID and password, the correspondence can be established.

As a result of user authentication, if the verification is successful, the user management unit 21 determines that the user is a subscribed user, and the mail server 20 sends a service content setting screen for setting and registering optional service content (step S7), is received and displayed on the user terminal 10-1 (step S8).

FIG. 7 is a diagram showing a part of the optional service content setting screen transmitted from the mail server 20 and displayed on the user terminals 10-1 to 10-n.

As shown in FIG. 7(a), the optional service content setting screen sent from the mail server 20 and displayed on the user terminal 10-1 includes standard settings for received e-mails as optional services related to the e-mail service. Check for spam emails (e.g. check for viruses on unencrypted attachments, see if there are links to phishing sites, check whether they are spam emails, etc.) and check for viruses on encrypted attachments (for links to phishing sites). An optional service selection area 71 is provided for selecting an optional service (which may include the presence or absence of a service) using a check box. Further, a next button 72 that is pressed after selection in the optional service selection area 71 is displayed.

When the user terminal 10-1 selects an optional service in the optional service selection area 71 and presses the next button 72 on the screen shown in FIG. The contents of the selected optional service are sent to the mail server 20 (step S9). The mail server 20 receives the content of the optional service selected in the optional service selection area 71 (step S10), and the user management unit 21 performs a virus check on the encrypted attached file in the optional service selection area 71. To determine whether the file has been selected or not, and if it has been selected, to select the type of file extension or application name to be decrypted (decrypted) and checked for viruses, as shown in Figure 7(b). a type selection area 73, a reception method selection area 74 for selecting a method for receiving virus-checked attached files, and a next button 75 that is pressed after selection in the type selection area 73 and reception method selection area 74. The provided screen may be transmitted to the user terminal 10-1. The received screen is displayed on the user terminal 10-1. For example, in the case of an encrypted compressed file, as shown in FIG. The extension is ".zip", the application name is "compressed file software", and if the file is encrypted using the unique function of the document creation software, the extension is ".docx", and the application name is the specific product. Names are written, and check boxes that can be selected are provided corresponding to each description. As shown in Figure 7(b), there are two ways to receive virus-checked attachments: one is to receive virus-checked attachments encrypted, and the other is to decrypt virus-checked attachments. There are descriptions for saving the virus-checked attached file in a predetermined network folder and for saving the virus-checked attached file in a predetermined network folder.Selectable checkboxes are provided corresponding to each description. Note that the number of items that can be selected may be limited depending on the selection content.

When the method for receiving the virus-checked attached file is selected on the screen shown in FIG. 7(b) and the next button 75 displayed on the screen is pressed on the user terminal 10-1, the type The contents of the optional service selected in the selection area 73 and the receiving method selection area 74 are transmitted to the mail server 20. In this way, depending on the type and hierarchy of the selected optional service, the process from transmitting the optional service content setting screen (step S7) to receiving the selected content (step S10) may be performed multiple times.

If the next button 72 is pressed on the screen shown in FIG. 7(a) without selecting the virus check for encrypted attached files, or when the screen shown in FIG. 7(b) On the other hand, select the type of file extension or application name to be decrypted (decrypted) and checked for viruses, the method for receiving the virus-checked attachment is selected, and the Next button 75 is selected. When is pressed, the user management unit 21 of the mail server 20 writes the contents of the selected optional service in the optional service selection area 71, type selection area 73, and reception method selection area 74, and confirms the selection. A confirmation screen with buttons is sent to the user terminal 10-1.

FIG. 8 is a diagram showing a part of the optional service content confirmation screen transmitted from the mail server 20 and displayed on the user terminals 10-1 to 10-n.

If the next button 72 is pressed on the screen shown in FIG. 7(a) without selecting the virus check for encrypted attached files, or when the screen shown in FIG. 7(b) On the other hand, select the type of file extension or application name to be decrypted (decrypted) and checked for viruses, the method for receiving the virus-checked attachment is selected, and the Next button 75 is selected. When is pressed, as shown in FIG. 8, the user displays a confirmation screen in which the details of the selected optional service are listed in the optional service selection area 71, type selection area 73, and receipt method selection area 74. It is transmitted to the terminal 10-1 and displayed on the user terminal 10-1. The confirmation screen displayed on the user terminal 10-1 is provided with a decision button 76 as shown in FIG. The content of optional services is determined. In addition, in FIG. 8, "Standard spam check" and "Virus check for encrypted attachment files" are selected for the screen shown in FIG. 7(a), and the screen shown in FIG. On the screen shown in b), select the type of file extension or application name to be decrypted (decrypted) and checked for viruses, and select the option to receive the virus-checked attachment. , shows an example when "Receive the attached file in a decrypted state" is selected.

When the enter button 76 is pressed, the contents of the optional service received in step S10 are set in the user management section 21 of the mail server 20 and registered in the user database 50 (step S11).

FIG. 9 is a diagram showing a part of the user database 50 shown in FIG. 1.

FIG. 9 shows the correspondence between users and optional service contents desired by the users. As shown in FIG. 9, the user database 50 includes the optional services to which the user has subscribed as a result of selection in the optional service selection area 71 shown in FIG. 7(a), and the optional services shown in FIG. The type of file to be decrypted and virus-checked selected in the type selection area 73 shown and the method of receiving the attached file selected in the reception method selection area 74 shown in FIG. 7(b) are determined by the user. It is registered in association with the ID. Although each piece of data is described in text for the sake of explanation, it is also possible to define an identifier corresponding to each piece of data and manage the data using the identifier.

On the other hand, if the user cannot be verified as a result of user authentication, the user management unit 21 determines that the user is not a contracted user, and the mail server 20 notifies the user that user authentication was not possible (step S12). , are received and displayed on the user terminal 10-1 that sent the ID and password (step S13).

Next, a description will be given of processing when checking the danger of e-mail in the danger check system shown in FIGS. 1 to 5.

FIG. 10 is a flowchart for explaining the process when checking the danger of e-mail in the danger check system shown in FIGS. 1 to 5.

When the mail server 20 receives an e-mail addressed to the e-mail address managed by the user management section 21 from another mail server via the Internet 60 in the mail transmission/reception section 22 (step S21), first, in the user management section 21, The user database 50 is searched to determine whether the user corresponding to the e-mail address to which the received e-mail is sent has subscribed to this optional service (step S22). As shown in FIG. 8, in the user database 50, optional services such as decrypting encrypted attached files and virus checking for received e-mails are set and registered in association with user IDs. Since the user ID is separately managed in association with the e-mail address, the user management unit 21 can check which service the user corresponding to the e-mail address that is the destination of the received e-mail has subscribed to. can be judged. In the description of this embodiment, decrypting an encrypted attached file and checking for viruses is treated as this optional service, and the explanation will be based on the processing of this optional service, and the explanation of the processing of other optional services will be omitted. Note that when the mail server 20 receives an e-mail addressed to the e-mail address managed by the user management section 21, a message ID is assigned to the received e-mail if no message ID has been assigned yet. Normally, a message ID is assigned by the email software when sending an email on a user terminal, and if it is not assigned by the email software at the time of sending, the message ID is assigned by the email server on the sending side, and the message ID is assigned by the email server on the sending side. If not, they will be added to the email in the order in which they are added by the mail server on the receiving side.

This optional service, which performs a virus check on encrypted attached files, is registered in the user database 50 as an optional service subscribed to by the user corresponding to the email address that is the destination of the received email. If so, the file presence/absence determining section 23 determines whether an encrypted attached file is attached to the e-mail received by the mail transmitting/receiving section 22 (step S23). Here, encrypted attachments include not only files in compressed file format that require a password to decompress (uncompress), but also files owned by application software such as word processing software and spreadsheet software. This also includes files that use encryption functions that require a password to open.

If the file presence/absence determining unit 23 determines that an encrypted attachment file is attached to the e-mail received by the e-mail sending/receiving unit 22, the password extraction unit 24 extracts an encrypted file from the body of the specific e-mail. Extract a string as a password candidate for decrypting an encrypted attachment. For example, if an e-mail with an encrypted attachment is specified as a specific e-mail, a 1-byte character string is extracted from the body of the e-mail, and a password is used to decrypt the encrypted attachment. It is extracted as a candidate (step S24). Therefore, there may be multiple password candidates to be extracted. At this time, the probability of being a password candidate is calculated using the condition information for extracting password candidates stored in the storage unit of the mail server 20, and character strings with higher probability than the default value are extracted. Good too. For example, in addition to the 1-byte character string mentioned above, the condition information may include a word or phrase indicating a password such as "password" or "PW" nearby, or a string of 10 or more consecutive characters. It is possible that the format of the character string to be excluded from password candidates, such as a half-width date, email address, or telephone number, has been registered. Further, the password extraction unit 24 extracts an e-mail for a predetermined period of time, such as within 30 minutes, from the time when the e-mail with the attached file is received and has the same destination as the e-mail with the attached file. The e-mail received within the specified period may be used as a specific e-mail for extracting password candidates. Furthermore, the message ID assigned to the received e-mail is used to identify attached e-mails, such as e-mails that have been replied or forwarded from the same sender, or e-mails that contain References or In-Reply-To headers. An e-mail that has a reply or forwarding relationship with the e-mail to which the file is attached may be used as a specific e-mail for extracting password candidates. The password extraction unit 24 also provides a method for extracting password candidates from an e-mail with an attached file as a specific e-mail, and a method for extracting password candidates from an e-mail with an attached file within a predetermined time from the time when the e-mail with the attached file is received. A method for extracting password candidates for a received e-mail as a specific e-mail, and a method for extracting password candidates for an e-mail that has a reply or forwarding relationship with an e-mail with an attached file as a specific e-mail. You can try extracting password candidates using one of these methods, and if you cannot extract password candidates, you can try extracting password candidates using other methods, or you can use all of these methods to extract password candidates. You may try extracting it.

When the password extraction unit 24 extracts a password candidate, the virtual computer generation instruction unit 25 instructs the test server 30 to generate a virtual computer on the test server 30 (step S25). Since the virtual computer generated on the test server 30 is for decrypting encrypted attached files, as will be described later, the virtual computer generation instruction section 25 refers to the storage section and generates the virtual computer on the test server 30. In addition to instructing the test server 30 to generate a virtual computer, the test server 30 is notified of the application required to decrypt the encrypted attachment file corresponding to the extension of the encrypted attachment file, and the application is sent to the generated virtual computer. It also instructs you to install. At this time, the mail server 20 generates an association ID that is an identifier for associating the attached file to be decrypted with the e-mail to which the attached file is attached, and notifies the test server 30 with an instruction to generate a virtual computer. . Note that the association ID may be a message ID given to an e-mail to which the attached file to be decrypted is attached.

On the other hand, if the password extraction unit 24 is unable to extract a password candidate, the email storage unit 27 saves the email with the encrypted attachment received by the email sending/receiving unit 22 to the destination email. Save the email in the Unsecure Mailbox, which is a third mailbox that corresponds to the address and is different from the Incoming Mailbox and Spam Mailbox, and send an email that states that you have received an email with unknown security. in the receiving mailbox corresponding to the email address.

Further, the virtual computer generation instruction unit 25 sends the encrypted attached file determined to be attached to the e-mail by the file existence determination unit 23 and the password candidate extracted by the password extraction unit 24 to the test server. Send to 30. (Step S26).

On the other hand, if the user corresponding to the e-mail address that is the destination of the e-mail received by the e-mail sending and receiving unit 22 does not subscribe to this optional service, or if the e-mail received by the e-mail sending and receiving unit 22 is not encrypted. If the attached file is not attached, the mail storage section 27 stores the e-mail received by the e-mail sending/receiving section 22 in the reception mailbox corresponding to the e-mail address to which the e-mail is sent (step S27). At that time, if the user of the e-mail address to which the e-mail received by the e-mail sending/receiving unit 22 is directed has subscribed to an optional service that performs a standard spam check on received e-mails, the encrypted e-mail will not be encrypted. Although it does not check attached files, it does check for viruses, phishing, spam mail, etc. depending on the optional service you subscribe to.

When the instruction reception unit 31 of the test server 30 receives the virtual computer generation instruction from the virtual computer generation instruction unit 25 (step S28), the test server 30 causes the virtual computer generation unit 32 to change the extension notified from the virtual computer generation instruction unit 25. A virtual computer is created on the test server 30, in which the application corresponding to the attached file to which the .

Then, the attached file sent from the virtual computer generation instruction section 25 is accepted by the attached file acceptance section 32a of the virtual computer, and the password candidate sent from the virtual computer generation instruction section 25 is sent to the password acceptance section 32b of the virtual computer. When the password candidate is accepted (step S30), the decryption unit 32c of the virtual computer decrypts the encrypted attached file using the password candidate (step S31). For example, when an encrypted attached file is executed, a password input field is displayed and the decryption unit 32c inputs a password candidate into the password input field. At this time, encrypted attachments may be in compressed file format and require a password to decompress (uncompress), or may be encrypted using a password owned by application software such as document processing software or spreadsheet software. Since the file may be a file using a function, decompression software compatible with compressed files and application software compatible with the file are required to decrypt the file, but the virtual computer is notified from the virtual computer generation instruction unit 25. Since the application corresponding to the attached file with the extension is installed, the decryption unit 32c can decrypt the encrypted attached file using the password candidate. Note that the fee for the optional service that checks encrypted attachments may vary depending on the application installed on the virtual computer.

Here, the virtual computer generation instruction unit 25 may instruct the test server 30 to generate a virtual computer and send the attached file and password candidates at the same time, or the virtual computer generation instruction unit 25 may After the test server 30 generates a virtual computer in response to the instruction to generate a virtual computer, the test server 30 notifies the mail server 20 of this fact, and after the mail server 20 receives the notification, attached files and Password candidates may be sent to the test server 30.

The password extraction unit 24 also describes a method for extracting password candidates from an e-mail with an attached file as a specific e-mail, and within a predetermined time from the time when the e-mail with the attached file is received. A method for extracting password candidates for a received e-mail as a specific e-mail, and a method for extracting password candidates for an e-mail that has a reply or forwarding relationship with an e-mail with an attached file as a specific e-mail. If password candidates are extracted using any of the methods described above, and the attached file cannot be decrypted using the password candidates sent from the virtual computer generation instruction unit 25, the test server 30 will notify you of this fact. The mail server 20 may be notified, and the password extraction unit 24 of the mail server 20 may try extracting password candidates using another method among the three methods described above.

In the case of a compressed file, the file is decompressed; in the case of an encryption function using a password of the application software, the file is opened; and if the virtual computer is able to decrypt the attached file, the attached file sending unit 33 of the test server 30 sends the decrypted attached file to the virus check server 40 together with the attached file and the association ID received from the mail server 20 (step S32). Note that when a compressed file is decrypted, the unzipped file appears, but if the application software has a password encryption function, the encrypted file remains when the file is closed. Set the file so that the software's password encryption function is not used before storing the decrypted file.

On the other hand, if the attached file cannot be decrypted in the decryption unit 32c of the virtual computer, the mail server 20 is notified of this together with the attached file and the association ID received from the mail server 20. The email storage unit 27 of the email server 20 stores the email with the encrypted attachment corresponding to the received association ID in the security unknown mailbox corresponding to the destination email address, and also An e-mail stating that an unknown e-mail has been received is saved in the reception mailbox corresponding to the destination e-mail address.

When the attached file receiving unit 41 of the virus check server 40 receives the decrypted attached file transmitted from the attached file transmitting unit 33 of the test server 30 (step S33), the virus checking unit 42 sends the attached file to the attached file receiving unit 41. The decrypted attached file received is checked to see if there is a risk of a virus, phishing, or spam mail (step S34). Note that the header and body of the e-mail other than the attached file of the e-mail to which the encrypted attached file corresponding to the association ID was attached is also checked to see if there is any danger.

When the virus check unit 42 checks the risk of the decrypted attached file, the result transmission unit 43 of the virus check server 40 sends the check result along with the association ID of the decrypted attached file. It is sent to the mail server 20 (step S35).

If the result receiving unit 26 of the mail server 20 receives the check result sent from the result transmitting unit 43 of the virus check server 40 (step S36) and there is no risk (step S37), the mail storage unit 27 stores the Refer to the user database 50 via the management unit 21, call up the method of receiving the attached file registered corresponding to the user ID of the e-mail corresponding to the association ID received with the check result, and select the method of receiving the attached file. Based on the determination and the receiving method registered in the user database 50, an e-mail corresponding to the association ID is provided (step S38). For example, if a method for receiving attached files in an encrypted state is registered as a method for receiving attached files, the mail storage unit 27 stores the e-mail corresponding to the association ID received with the check result and the attached file. Attach it to the e-mail in its encrypted state, save it in the recipient's mailbox, and send an e-mail to the recipient's e-mail address stating that you have received a non-threatening e-mail. to the corresponding receiving mailbox. Further, if a method of receiving the attached file in a decrypted state is registered as the method of receiving the attached file, the email storage unit 27 obtains the decrypted attached file from the test server 30 and stores the attached file corresponding to the association ID. Removed encrypted attachments from an email, attached decrypted attachments to that email, saved them in the email's recipient's mailbox, and decrypted the encrypted attachments. An e-mail stating that the file has been exchanged is saved in the receiving mailbox corresponding to the destination's e-mail address. Further, if a method of saving the attached file in a specific folder is registered as a method of receiving the attached file, the mail storage unit 27 deletes the attached file from the e-mail corresponding to the association ID, and also deletes the attached file. Save the encrypted file or the decrypted file obtained from the test server 30 in a specific folder that is a predetermined storage area, and save it to the mailbox of the email destination to which the attached file was attached. In addition to saving the e-mail, send an e-mail to the recipient's e-mail address that states that you have received a non-threatening e-mail and includes a link to access the folder where the attached file is saved. Save to inbox. At this time, the virus check server 40 has notified the association ID assigned to the attached file that has been virus checked, so the mail server 20 can check the check results received from the virus check server 40 when sending or receiving emails. It is possible to determine which of the e-mails received by the section 22 has an attached file attached to the e-mail. In addition, if you want to save an attached file in a decrypted state to an e-mail and save it in the mailbox of the e-mail destination, or to save an attached file in a decrypted state to a specific folder, Server 20 will receive the decrypted attachment from test server 30. In addition, when an attached file is decrypted and attached to an e-mail or saved in a specific folder, the original encrypted attached file is transferred from the user terminal 10 to a storage folder that is a predetermined storage area for a predetermined period of time. It may be saved in an accessible state.

On the other hand, if there is a risk, the e-mail storage unit 27 sends the e-mail with the encrypted attachment corresponding to the association ID received along with the check result to the spam mailbox corresponding to the destination e-mail address. (step S39), and also saves the e-mail containing the fact that a potentially dangerous e-mail has been received in the reception mailbox corresponding to the destination e-mail address.

Thereafter, the test server 30 deletes the virtual computer and attached file generated on the test server 30 according to instructions from the virtual computer generation instruction section 25 of the mail server 20.

In this way, when you receive an email with an encrypted attachment, you can get password suggestions to decrypt the encrypted attachment from the specific email related to that email. Extract encrypted attachments to emails, use the extracted password candidates to decrypt the encrypted attachments, and check whether the decrypted attachments are dangerous or not. It is possible to check whether an attached file is dangerous without any user intervention, even if it contains an attached file.

Note that the method performed by the risk checking system of the present invention may be applied to a program to be executed by a computer. Further, the program can be stored in a storage medium, and can also be provided externally via a network.

10-1 to 10-n User terminal 20 Mail server 21 User management section 22 Mail sending/receiving section 23 File presence/absence judgment section 24 Password extraction section 25 Virtual computer generation instruction section 26 Result receiving section 27 Mail storage section 30 Test server 31 Instruction reception section 32 Virtual computer generation section 32a Attachment file reception section 32b Password reception section 32c Decryption section 33 Attachment file transmission section 40 Virus check server 41 Attachment file reception section 42 Virus check section 43 Result transmission section 50 User database 60 Internet 61 Local network 71 Optional service selection area 72, 75 Next button 73 Type selection area 74 Receipt method selection area 76 Confirm button

Claims (5)

A risk checking system for checking whether an attachment attached to an electronic message is dangerous, the system comprising:
a file presence/absence determination means for determining whether an encrypted attachment is attached to a received electronic message;
If it is determined that an encrypted attachment is attached to an electronic message, a password for decrypting the encrypted attachment from the body or header of the electronic message to which the attachment is attached. a password extraction means for extracting candidates;
a virtual computer that is generated by a test server that receives the attached file and the password candidate sent from the mail server, and decrypts the encrypted attached file using the extracted password candidate; and,
and a virus check server that checks whether the decrypted attached file is dangerous. A risk checking system for checking whether an attachment attached to an electronic message is dangerous, the system comprising:
a file presence/absence determination means for determining whether an encrypted attachment is attached to a received electronic message;
If it is determined that an encrypted attachment is attached to an electronic message, a password for decrypting the encrypted attachment from the body or header of the electronic message to which the attachment is attached. a password extraction means for extracting candidates;
a decryption unit that decrypts the encrypted attached file using the extracted password candidate;
Risk checking means for checking whether the decrypted attachment file is dangerous;
When a password candidate is extracted by the password extraction means, an application selected and registered in advance for each user in association with the destination of the electronic message to which the attached file is attached is installed as the decryption means. and a virtual computer generation means for generating a virtual computer. A risk checking method in which a virus check server checks whether an attachment file attached to an electronic message received by a mail server is dangerous, the method comprising:
a file presence/absence determination step in which the mail server determines whether an encrypted attachment is attached to the received electronic message;
If the mail server determines that an encrypted attachment is attached to an electronic message, the mail server decrypts the encrypted attachment from the body or header of the electronic message to which the attachment is attached. a password extraction step for extracting password candidates for
A virtual computer generated by a test server that receives the attached file and the password candidate sent from the mail server decrypts the encrypted attached file using the extracted password candidate. a decoding step to
A risk checking method, wherein the virus check server performs a risk checking step of checking whether or not the decrypted attached file is dangerous. A risk checking method in which a virus check server checks whether an attachment file attached to an electronic message received by a mail server is dangerous, the method comprising:
a file presence/absence determination step in which the mail server determines whether an encrypted attachment is attached to the received electronic message;
If the mail server determines that an encrypted attachment is attached to an electronic message, the mail server decrypts the encrypted attachment from the body or header of the electronic message to which the attachment is attached. a password extraction step for extracting password candidates for
When a password candidate is extracted in the password extraction step, the test server that receives the encrypted attachment file and the password candidate sent from the mail server determines whether the attachment file is attached or not. a virtual computer generation step of generating a virtual computer on which an application selected and registered in advance for each user is installed in association with the destination of the electronic message;
a decryption step in which the virtual computer decrypts the encrypted attachment file using the extracted password candidate;
A risk checking method, wherein the virus check server performs a risk checking step of checking whether or not the decrypted attached file is dangerous. A program that runs a computer to check whether attachments attached to electronic messages are potentially dangerous, the program comprising:
to the computer;
a file presence/absence determination procedure for determining whether an encrypted attachment is attached to a received electronic message;
If it is determined that an encrypted attachment is attached to an electronic message, a password for decrypting the encrypted attachment from the body or header of the electronic message to which the attachment is attached. a password extraction procedure for extracting candidates;
When a password candidate is extracted in the password extraction step, a virtual computer is created in which an application selected and registered for each user is installed in association with the destination of the electronic message to which the attached file is attached. a virtual computer generation procedure,
a decryption step of causing the virtual computer to decrypt the encrypted attached file using the extracted password candidate;
and a program for executing a risk checking procedure for checking whether or not the decrypted attachment file is dangerous.

Images