Abstract
PURPOSE: A malicious program blocking device and a method thereof are provided to protect a system from malicious programs forcibly terminating a protection target process by interrupting a call of a hooking handler for preventing the forced termination.

CONSTITUTION: When termination of a running process is requested, a termination permission determining unit (211) checks whether the process is a protection target process. If the process is a protection target process, the termination permission determining unit determines whether the termination request is permitted. If the request is permitted, the termination permission determining unit registers the process in a termination permission list. A termination monitoring thread generating unit (212) generates a termination monitoring thread for the process. When the OS (Operating System) calls a termination notice for the thread, an attack detection unit (213) identifies the thread for which the notice was called.

[Reference numerals] (211) Termination permission determining unit; (212) Termination monitoring thread generating unit; (213) Attack detection unit; (214) Termination blocking unit; (215) Scheduling stopping unit; (216) APC removal unit; (217) Hooking information removal unit