KR100468372B1 - Apparatus and method for intercepting and detecting network virus using monitoring SMB/CIFS - Google Patents

Abstract

The present invention relates to a network transitive virus firewall device and a method through sharing through monitoring and analyzing the SMB / CIFS protocol on a network.

According to the invention, the packet collecting unit for collecting the network packet; An SMB / CIFS protocol analysis unit configured to receive a collected packet and analyze a SMB (Server Message Block) command in which file input / output (File I / O) is performed; An internal file path / stack storage unit for receiving and storing the analyzed data; A virus inspection unit that receives the analyzed data and determines whether a virus is infected; And a packet blocking unit for storing the remote information that infected the virus if it is determined that the virus has been infected, and blocking the packet transmission if the packet sender corresponds to the virus; Provided is a network transitive virus detection / blocking apparatus using SMB / CIFS monitoring, comprising: a.

Description

Apparatus and method for intercepting and detecting network virus using monitoring SMB / CIFS}

The present invention relates to a network transitive virus detection / blocking apparatus using SMB / CIFS monitoring and a method thereof, and more particularly, to provide a network transitive virus firewall apparatus and method through sharing.

Conventional virus real-time monitoring technology monitors the file system's input / output (I / O) using a file system filer driver. Detects infections At this time, if the virus is infected, the virus is repaired and the execution of the file is blocked by blocking the execution of the virus. In addition, a virus introduced through a network uses a method of detecting an infection of a file by examining an I / O message generated when the handle of a file is closed.

The file system filter driver is manufactured as a device driver in Kernel Mode of Microsoft Windows, and the IoAttachDevice () API (Application Programming Interface) is applied to the file system device. Interface is applied as a filter driver. Then, the filter driver intercepts all I / O of the file system device, and then I / O request such as IRP_MJ_CREATE related to file generation that occurs when the application calls the CreateFile () API during the hidden I / O. When calling CloseHandle () API, I / O request such as IRP_MJ_CLOSE related to file close is detected.

Since the method described above can detect the access to the created and closed file in real time, most antivirus software uses this technique to check whether the file is infected with a virus.

In the anti-virus software industry, such a technology is called a virus real-time monitoring technology, and the software equipped with such a technology is called a virus real-time monitor. In addition, in the case of a virus that is infected through the network to detect whether the virus is infected in the same way.

However, since the virus real-time monitoring device described above is based on the file system, the virus that is infected through the network always detects the presence or absence of the virus at the time when the I / O of the file system ends. In addition, the virus real-time monitor can detect a virus that is infected through the network, but has a limitation of detection after infection. In addition, since it is file system based above all, a virus spreading through a share on a network has a limitation in that information such as a MAC address, an IP address, or a NetBIOS name of a remote computer that has infected the virus is unknown.

Due to the limitations of the prior art as described above, when a virus attacking a shared folder continuously attacks, even if there is a virus real-time monitor, infection and treatment are continuously repeated. Moreover, viruses such as ChiHack can infect Microsoft's Word files (* .doc) and Excel files (* .xls) in shared folders on the network and corrupt the header of the file. This makes it difficult to recover from infection.

Also, in recent years, the number of viruses spreading through the network is rapidly increasing, and if the file / print sharing function itself is not used, the infection of the virus spreading through the network can be prevented. Convenience will not be available.

On the other hand, in Personal Firewall, by using file / print sharing blocking policy, policy can be used so that only specific users can use file / print sharing, but even in this case, Since blocking the virus is impossible, there is a problem of repeating infection and treatment.

An object of the present invention for solving the problems of the prior art as described above is to provide a technique using SMB / CIFS monitoring to detect / block network transitive virus through sharing.

1 is a mode classification block diagram of a Microsoft Windows operating system used in the present invention,

2 is a conceptual diagram schematically illustrating a method of transmitting the SMB / CIFS protocol used in the present invention,

3 is a block diagram showing the overall structure of a network transitive virus detection and blocking system according to an embodiment of the present invention,

4 is a flowchart illustrating an operation of the packet blocking unit 310 illustrated in FIG. 3.

5 is a conceptual diagram illustrating a file transmission and reception process by the SMB / CIFS protocol analyzer 335 shown in FIG. 3,

6 is a flowchart illustrating an operation procedure of the SMB / CIFS protocol analyzer 335 illustrated in FIG. 3.

7 is a flowchart illustrating a process performed by the virus checker 340 shown in FIG. 3.

According to the present invention to achieve the above object, a packet collecting unit for collecting a network packet; An SMB / CIFS protocol analyzer configured to receive a packet collected from the packet collector and analyze a SMB (Server Message Block) command in which file input / output (File I / O) is performed; An internal file path / stack storage unit for receiving and storing data analyzed by the SMB / CIFS protocol analyzer; A virus inspection unit that receives data analyzed by the SMB / CIFS protocol analyzer and data stored in the internal file path / stack storage unit to determine whether a virus is infected; And a packet blocking unit for storing the remote information that infected the virus if it is determined that the virus has been infected, and blocking the packet transmission if the packet sender corresponds to the determined result from the virus inspection unit. Provided is a network transitive virus detection / blocking apparatus using SMB / CIFS monitoring, comprising: a.

Further, more preferably, the SMB / CIFS protocol analyzer extracts a tree IDentification (TID) and file path information from the packet when the SMB command type of the packet received from the packet collector is SMB_COM_CONNECT, and the internal file path. Transfer to stack storage; If the SMB command type is SMB_COM_CREATE, the TID and the file name are extracted from the packet, the TID matching the TID is retrieved from the internal file path / stack storage unit, and the file name is combined with the file path name extracted from the SMB_COM_CONNECT to absolute file. Complete a path, store it in the internal file path / stack storage, and send a file path to the virus checker; If the SMB command type is SMB_COM_WRITE, the TID, FID (File IDentification), file data, file data offset and file data length are extracted from the corresponding packet, and the TID and FID corresponding to the TID and FID are stored in the internal file path. / Retrieve from the stack storage unit, configure the corresponding stack to be transmitted to the internal file / path stack storage unit and the virus checker; If the SMB command type is SMB_COM_CLOSE, the TID and the FID are extracted from the corresponding packet, the TID and the FID matching the TID and the FID are searched from the internal file path / stack storage unit, and the corresponding file path is found to find the matching file path. Provided is a network transitive virus detection / blocking device using SMB / CIFS monitoring, characterized in that for transmitting to the network.

Hereinafter, a network transitive virus detection / blocking apparatus using SMB / CIFS monitoring according to an embodiment of the present invention and a method thereof will be described in detail with reference to the accompanying drawings.

First, let's briefly look at the background technology used in the present invention.

Figure 1 is a block diagram of mode division of the Microsoft Windows operating system used in the present invention.

Referring to FIG. 1, the Windows XP provided by Microsoft is divided into a kernel mode 110 and a user mode 150. In the kernel mode, an operating system kernel and various device drivers are driven. The application is mainly driven. In addition, programs that run in kernel mode exist in the form of device drivers.

The kernel-mode network architecture of Microsoft's Windows operating system includes AFD (afd.sys), NDIS (Network Driver Interface Specification), and TDI (Transport Driver Interface Specification), which are kernel parts of Windows Sockets. Interface).

In kernel mode, afd.sys, which resides at the top level, communicates with msafd.dll, the lowest-level DLL in the user mode (Windows Dynamic Link Library) on Windows Sockets, and interfaces with TDI at the bottom level.

TDI defines a kernel mode interface that resides on top of the protocol stack. NDIS provides a standard interface for NIC device drivers (Network Interface Card Device Drivers).

This article outlines how to create a firewall or monitor packets in user mode on Microsoft's Windows operating system.

Hooking is a well-known programming technique that saves the original address of the function to be hooked, replaces it with the address of the function it created, and then executes its own function first to execute the original hooked function later. .

Firewalls typically block packets at the time of packet reception, either by not calling the hooked original function, by calling the original function with the appropriate status that the packet failed to be received, or by manipulating the contents of the packet. Use a method to prevent this from happening. If the packet is allowed, the normal function is used by calling the original function as it is. These methods include creating a firewall in user mode and creating a firewall in kernel mode.

First, let's look at how to create a firewall in user mode.

* Winsock Layered Service Provider (LSP): This method is provided by Microsoft, and is a component of Microsoft networking that is widely used for quality of service (QOS), URL filtering, and encryption of data streams. Based on the Service Provider Interface (SPI).

* Windows 2000 Packet Filtering Interface: Based on how to install Filter Descrypter to allow / block packets based on IP address and port information in Windows 2000 user mode. It is done.

* Winsock DLL replacement: It is based on the filtering method by replacing Winsock DLL of Microsoft Windows operating system with user-created DLL.

Global Function Hooking: Hooks Windows socket functions such as Connect, Listen, Send, Recv, Sendto, and Receive Prompt. It is based on the technique of hooking the DeviceIoControl () function that user-mode applications use to communicate with kernel-mode drivers.

The article then briefly explains how to monitor packets or create a firewall in kernel mode on Microsoft's Windows operating system.

* NDIS packet driver: Collects packet contents based on the technique of registering protocol driver that can send / receive packet using NdisRegisterProtocol function. As a method that MicroSopot provides to users, common packet monitoring drivers use this method. However, it cannot be used as a firewall that can block packets.

Kernel Mode Socket Filter: Based on the technique that msafd.dll, the lowest level DLL of Windows sockets in user mode, hooks all I / Os that communicate with afd.sys, a kernel mode Windows socket. .

* TDI filter driver: Filter driver using IoAttackDevice () API to the device created by tcpip.sys driver (\ Device \ RawIp, \ Device \ Udp, \ Device \ Tcp, \ Device \ Ip, \ Device \ MULTICAST) This is how to apply. Alternatively, it is based on the technique of hooking all I / O by changing the dispatch table in the driver object of tcpip.sys.

* NDIS IM (InterMediate) Driver: A method provided by Microsoft to users. It is a technique for developing a firewall, network address translation (NAT), and the like between a NIC driver and a protocol driver such as TCP / IP.

* NDIS hooking filter driver: A method of hooking functions of the NDIS library, based on the NdisProtocolHandle returned by hooking functions such as NdisRegisterProtocol, NdisDeregisterProtocol, NdisOpenAdapter, NdisCloseAdapter, and NdisSend, or NdisRegisterProtocol which registers its protocol driver. It is based on the technique of hooking existing registered protocol driver links such as TCP / IP and I / O of protocol drivers and NIC drivers that communicate with NDIS.

The packet collecting unit and the packet blocking unit proposed by the present invention may be implemented in the kernel mode socket filter, the NDIS packet driver, the TDI filter driver, the NDIS IM driver, the NDIS hooking filter driver, and the like. In general, the packet blocking unit may include a TDI filter driver, Implemented in the NDIS IM driver or the NDIS hooking filter driver, the packet collector is implemented in the NDIS packet driver.

Next, the SMB / CIFS network file sharing protocol corresponding to another background of the present invention will be briefly described.

SMB (Server Message Block) is a protocol developed jointly by Microsoft, IBM, and Intel, and is used to share files or printers of other systems on a network. It performs the same power as Unix's network sharing protocol, NFS (Network File System). SMB uses a client / server model, which sends a file access or print request to the server, which accepts the request and responds.

CIFS (Common Inernet File System) is an extended version of the SMB file sharing protocol for the Internet. It is the Internet's standard file protocol that supports both Windows and Unix environments by adding scalability using Domain Name Service (DNS) over the SMB protocol, optimizations for slow dial-up networking, and support for Unicode-compliant file names. In addition, CIFS defines various commands used to transfer information between network computers. One important fact is that, unlike the previous closed SMB protocol, several UNIX vendors participated in the definition of the CIFS protocol. Microsoft has supported the CIFS 1.0 protocol, a version of SMB that has been upgraded to the standard file sharing protocol since Windows 2000.

Microsoft's Windows 2000 redirector allows users to use network resources as if they were connected to their computers. The redirector can also use CIFS to make requests to the local computer's protocol stack. Platforms that support CIFS include Microsoft's Windows 95/98 / ME / NT / 2000 / XP, OS / 2 LAN Manager, LAN Manager For UNIX, Windows For Workgroups, Unix, VMS, Macintosh, IBM LAN Server from IBM, DEC Pathworks from 3C, and 3 + OPEN from 3Com.

2 is a conceptual diagram schematically illustrating a method of transmitting the SMB / CIFS protocol used in the present invention, which will be described in detail as follows.

SMB / CIFS (200) is transmitted via NetBIOS Over TCP / IP (NBT) via NetBIOS (NetBIOS, 210) and TCP / IP 220, and also, NetBIOS 210 and IPX (Internetwork Packet, eXchange, network packet transmission, and via NBIPX (NetBIOS Over IPX) via 230. On the other hand, it may be directly transmitted through NBT (NetBIOS Frame) via NetBEOS (NetBIOS Extended User Interface, NetBIOS Extended User Interface, 240), may be directly transmitted via TCP / IP (250). Such SMB / CIFS monitoring requires full analysis at the packet level.

The SMB / CIFS protocol analysis unit proposed in the present invention includes all analysis at the packet level for the transmission method in SMB / CIFS.

3 is a block diagram showing the overall structure of a network transitive virus detection and blocking system according to an embodiment of the present invention.

After collecting the network packet, the packet collector 330 transmits the collected packets to the SMB / CIFS protocol analyzer 335. The SMB / CIFS protocol analyzer 335 analyzes the collected packets, analyzes an SMB command in which file I / O is performed, and stores the analyzed data in an internal file path / stack storage unit 345. The virus scan unit 340 transmits the data.

The virus inspection unit 340 refers to the virus database (DB, 350) by using the data transmitted from the SMB / CIFS protocol analyzer 335 and the data stored in the internal file path / stack storage unit 345 to determine whether a virus is infected. Check. As a result of the check, if the virus is infected, the remote infected information is stored in the internal block list storage unit 325. Thereafter, when the packet is received, the packet blocking unit 310 blocks the packet if the sender of the packet is included in the list stored in the internal block list storage unit 325, and if not, the packet blocking unit 310 allows the packet transmission.

Meanwhile, the packet collecting unit 330 collects packets using a network packet monitoring method in a user mode or a network packet monitoring method in a kernel mode which are generally used to collect packets.

4 is a flowchart illustrating an operation of the packet blocking unit 310 shown in FIG. 3, which will be described in detail as follows.

First, in step S401, when receiving the received packet, the packet blocker 310 extracts the MAC address and IP address information of the sender from the received packet. Subsequently, in step S402, the MAC address extracted in step S401 and the IP address are compared or not included in the list stored in the internal block list storage unit 325. Block, and if not included, allow the packet.

On the other hand, as described above, the packet blocking method does not call the hooked original function or calls the original function with an appropriate state value indicating that packet reception has failed. Alternatively, a method of manipulating the contents of a packet to prevent normal reception can be used. If there is no matching information, the original function is called as it is to allow the packet, so that normal reception is made.

FIG. 5 is a conceptual diagram illustrating a file transmission and reception process in the SMB / CIFS protocol analyzer 335 illustrated in FIG. 3.

First, the general meaning of related commands is as follows.

The SMB_COM_TREE_CONNECT command is called to send and receive files between the server and the client. Once the connection between the two is successful, the call no longer occurs.

Also, SMB_COM_CREATE command is a message that a client requests Create or Open to the server when it wants to write a file.

In addition, the SMB_COM_WRITE command is a direct request message for writing a file when the SMB_COM_CREATE command is normally accepted. At this time, if the file is smaller than the packet size, all data is included in the write request, but if the file is large, the files are fragmented and transmitted. These fragments are processed directly in the lower layer without including the same headers as the write request again. For example, in the case of NBT, the remaining data after the write request is transmitted only with a TCP header that does not include the SMB header. The order of this data is managed by the sequence number of the TCP header.

Also, the SMB_COM_CLOSE command is a request to close the file after writing the file.

Also, the SMB_COM_TREE_DISCONNECT command is a request that is called when a connection is terminated.

The operation is described in detail as follows.

When a client sends a connection request packet to the server by SMB_COM_TREE_CONNECT 500, the packet includes a path, a password, and a service name for the service. If this request is made, the server informs the client of the Tree IDentification (TID). This TID is a unique number for the rest of the connection between the client and server. On the other hand, the SMB_COM_TREE_CONNECT (500) request does not occur every time a file is transmitted or received, and when a connection is established, it no longer occurs.

When a client wants to write a file, it sends an SMB_COM_CREATE 501 request to the server. Information included here is a TID, a file name, an attribute, and the like obtained from SMB_COM_TREE_CONNECT 501. The file name and the path name from SMB_COM_TREE_CONNECT 501 are combined to complete the file path (absolute path). This file path is used when the virus checker 340 checks for a virus infection. When the server performs file generation normally, the server sends a file identification (FID).

If the SMB_COM_CREATE 501 request is normally accepted, an SMB_COM_WRITE 502 request occurs for file writing. This SMB_COM_WRITE 502 request includes TID, FID, file offset and data length. The offset and data length of the file are used when the virus checker 340 checks for virus infection.

If the file size is smaller than the packet size, all data is included in the SMB_COM_WRITE 502 request, but if the file size is large, the files are transmitted in pieces. These fragments do not contain the same headers as the SMB_COM_WRITE 502 request and are processed directly at the lower layer. For example, in the case of NBT, the remaining data after the SMB_COM_WRITE 502 request is transmitted only with a TCP header not including the SMB header. The order of this data is managed by the sequence number of the TCP header. The server will write to the specified file based on the TID and FID.

When the file is finished writing, the client sends a SMB_COM_CLOSE 503 request. Information included in the SMB_COM_CLOSE 503 is TID and FID. When the server normally closes the file, a success value is sent. If the client wants to terminate the connection, a SMB_COM_DISCONNECT 503 request is made for the TID, and if so, the server releases the TID.

FIG. 6 is a flowchart illustrating an operation procedure of the SMB / CIFS protocol analyzer 335 illustrated in FIG. 3, which will be described in detail as follows.

First, in step S600, the protocol of the SMB / CIFS command of the packet received from the packet collector 330 is analyzed.

As a result of the analysis in step S600, if the command is SMB_COM_CONNECT, in step S602, TID and path information are extracted from the packet and stored in the internal file path and file stack storage 345.

If the result of the analysis in step S600 is the SMB_COM_CREATE command, in step S604 to step S605, the TID and the file name are extracted from the packet, and the matching TID is searched by the internal file path and the file stack storage unit 345 through the TID. After that, the file path (absolute path) is completed by attaching the file name to the path name extracted from SMB_COM_CONNECT. Then, it is stored in the internal file path and file stack storage 345 and then transmitted to the virus checker 340.

If the result of the analysis in step S600 is the SMB_COM_WRITE command, in step S607 to step S608, the TID, FID, file data, file data offset and file data length are extracted from the packet, and the internal file path and the TID and FID are extracted. The stack is configured in the file stack storage unit 345. Such a file stack may generally be composed of a linked list or an array existing in memory, or may be stored in a file on a hard disk. Subsequently, a file path, file data, file data offset, and file data length are transmitted to the virus checker 340. In addition, when the stack is completed, the completed stack is transmitted to the virus checker 340.

If it is determined in the step S600 that the command is SMB_COM_CLOSE, in step S610 to step S611, the TID and the FID are extracted from the packet, and the file path matching the TID and the FID from the internal file path and the file stack storage unit 345 is obtained. To get Next, the obtained file path is transmitted to the virus checker 340.

FIG. 7 is a flowchart illustrating a process performed by the virus inspecting unit 340 shown in FIG. 3.

In step S700, when the virus checker 340 receives the file path or file stack information from the SMB / CIFS protocol analyzer 335, two processes are performed.

When the virus inspection unit 340 receives the file path information, in step S701 to step S704, the virus database 350 checks whether the file of the file path has been affected by the virus, and then confirms that the virus has been infected. When the internal file path and file stack storage unit 345 extracts the sender's MAC address and IP address information, the internal block list storage unit 325 is stored.

When the virus inspection unit 340 receives the file stack information, in step S705 to step S708, after checking whether the file stack is infected with the virus from the virus database 350, it is confirmed that the virus is infected. When the caller MAC address and IP address information of the caller are extracted from the internal file path and the file stack storage 345, they are stored in the internal block list storage 325.

Meanwhile, Table 1 below shows an example of contents stored in the internal file path and the file stack storage 345.

TABLE 1

Remote Mac Address Remote IP address TID FID File path (path + file name) File stack location or file path One 00: E0: 00AE: AB: 8D 203.202.234.50 100 1234 C: \ SHARED \ MYFILE.EXE 0xC0123456 or C: \ TEMP \ 00001.BIN 2 00: 02: 2D: 32: A9: 95 203.202.234.100 200 1235 C: \ SHARED \ MYDOC.DOC 0xC0234567 or C: \ TEMP \ 00002.BIN 3 00: 50: 56: C0: 00: 01 202.201.135.100 300 1236 C: \ SHARED \ MYEXL.EXL 0xC0345678 or C: \ TEMP \ 00003.BIN ...

In [Table 1], the file path is a file path generated by a path collected at SMB_COM_TREE_CONNECT and a file name collected at SMB_COM_CREATE, and a file stack may generally be composed of a connection list or an array that exists in memory and is hard. It can also be stored as a file on disk.

Table 2 below is a diagram showing the contents stored in the internal block list storage unit 325 by way of example.

TABLE 2

Caller mac address Caller IP Address One 00: E0: 00AE: AB: 8D 203.202.234.50 2 00: 50: 56: C0: 00: 01 202.201.135.100 ...

While the invention has been described above based on the preferred embodiments thereof, these embodiments are intended to illustrate rather than limit the invention. It will be apparent to those skilled in the art that various changes, modifications, or adjustments to the above embodiments can be made without departing from the spirit of the invention. Therefore, the protection scope of the present invention will be limited by the appended claims, and should be construed as including all such changes, modifications or adjustments.

As described above, according to the present invention, the virus can be prevented from spreading through the network in advance, and in particular, by monitoring the virus spreading through file / printer sharing, the effect of using file / printer sharing more securely can be achieved. have.

Claims (9)

A packet collecting unit collecting network packets; SMB / which analyzes SMB (Server Message Block) or CIFS (Common Inernet File System) command that receives the collected packet from the packet collection unit and performs file input / output (File I / O) CIFS protocol analysis unit; An internal file path / stack storage unit for receiving and storing data analyzed by the SMB / CIFS protocol analyzer; A virus inspection unit that receives data analyzed by the SMB / CIFS protocol analyzer and data previously stored in the internal file path / stack storage unit to determine whether a virus is infected; And A packet blocking unit for storing the remote information that infected the virus if it is determined that the virus has been infected and blocking the packet transmission if the packet sender corresponds to the determination result of the virus inspection unit; Network transitive virus detection / blocking device using SMB / CIFS monitoring, comprising a. The method of claim 1, An internal block list storage unit for transmitting the information to the packet blocker by storing remote information that infected the virus; Network transitive virus detection / blocking device using SMB / CIFS monitoring, characterized in that it further comprises. The method of claim 1, The SMB / CIFS protocol analysis unit, SMB_COM_TREE_CONNECT command, which is a command called to send and receive a file between a server and a client, when a SMB command type of a packet received from the packet collecting unit is used, when a client wants to write a file, a client requests a file create or open from the server. SMB_COM_CREATE command, SMB_COM_WRITE command, which is a direct request message for writing a file, SMB_COM_CLOSE command, which is a request message for closing a file, and SMB_COM_DISCONNECT command, which is called when a connection is terminated. Network transitive virus detection / blocking device using SMB / CIFS monitoring. The method of claim 3, wherein The SMB / CIFS protocol analysis unit, Extracting a tree IDentification (TID) and file path information from the packet when the SMB command type of the packet received from the packet collecting unit is SMB_COM_CONNECT and transmitting the extracted file path information to the internal file path / stack storage unit; If the SMB command type is SMB_COM_CREATE, the TID and the file name are extracted from the packet, the TID matching the TID is retrieved from the internal file path / stack storage unit, and the file name is combined with the file path name extracted from the SMB_COM_CONNECT to absolute file. Complete a path, store it in the internal file path / stack storage, and send a file path to the virus checker; If the SMB command type is SMB_COM_WRITE, TID, File IDentification (FID), file data, file data offset and file data length are extracted from the packet, and the corresponding stack matching the TID and FID is stored in the internal file / path. Configure it in a stack storage and send it to the virus checker; If the SMB command type is SMB_COM_CLOSE, the TID and the FID are extracted from the corresponding packet, the TID and the FID matching the TID and the FID are searched from the internal file path / stack storage unit, and the corresponding file path is found to find the matching file path. Network transitive virus detection / blocking device using SMB / CIFS monitoring, characterized in that for transmitting to. A first step of collecting network packets; A second step of receiving a packet collected in the first step and analyzing a SMB (Server Message Block) command in which file input / output (File I / O) is performed; A third step of receiving and storing the data analyzed in the second step; A fourth step of determining whether the virus is infected by receiving the data analyzed in the second step and the data stored in the third step; And A fifth step of storing the remote information that infected the virus if it is determined that the virus has been infected and blocking the packet transmission if the packet sender corresponds to the determination result in the fourth step; Network transitive virus detection / blocking method using SMB / CIFS monitoring comprising a. The method of claim 5, wherein The second step, The SMB_COM_TREE_CONNECT command, which is a command that is called to send and receive a file between the server and the client, when the SMB command type of the packet received in the first step is used to write a file, the client requests a file create or open from the server. SMB_COM_CREATE command, SMB_COM_WRITE command, which is a direct request message for writing a file, SMB_COM_CLOSE command, which is a request message for closing a file, and SMB_COM_DISCONNECT command, which is called when a connection is terminated. Network transitive virus detection / blocking method using SMB / CIFS monitoring. The method of claim 6, The second step, A sub-step of extracting TID (Tree IDentification) and file path information from the packet if the SMB command type of the packet received in the first step is SMB_COM_CONNECT; If the SMB command type is SMB_COM_CREATE, extract the TID and the file name from the packet, retrieve the TID matching the TID from the data stored in the third step, and then combine the file name with the file path name extracted from the SMB_COM_CONNECT file absolute path. Sub-steps to complete; A substep of extracting a TID, a file IDentification (FID), a file data, a file data offset, and a file data length from the corresponding packet if the SMB command type is SMB_COM_WRITE, and configuring a corresponding stack matching the TID and the FID; And If the SMB command type is SMB_COM_CLOSE, extracting the TID and the FID from the corresponding packet, searching for the TID and the FID matching the TID and the FID from the data stored in the third step, and then extracting a matching file path; Network transitive virus detection / blocking method using SMB / CIFS monitoring comprising a. The method of claim 6, The fourth step, The inputted information may be one or more of a remote MAC address, a remote IP address, a TID, a FID, a file path (path + file name), a file stack location, and a file path. Metastatic Virus Detection / Blocking Method. The method of claim 6, In the fifth step, the remote location information infected with the virus includes a sender MAC address or a sender IP address, wherein the network transitive virus detection / blocking method using SMB / CIFS monitoring.