Virus detection by executing electronic message code in a virtual machine

US 10,121,005 B2
Filed: 05/15/2017
Issued: 11/06/2018
Est. Priority Date: 01/17/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method for analyzing executable code associated with electronic messages, the method comprising:

detecting that an electronic message includes executable code, the electronic message designating a destination recipient;

identifying, for the electronic message, by executing an instruction with a processor, two or more destination computing systems corresponding to the destination recipient specified in the electronic message prior to delivery of the electronic message to the two or more destination computing systems, the two or more destination computing systems including a first destination computing system and a second destination computing system different from the first destination computing system;

identifying two or more different simulation environments respectively corresponding to the two or more destination computing systems;

executing the executable code in the two or more simulation environments;

monitoring, by executing an instruction with the processor, for a malicious action in response to execution of the executable code in the two or more simulation environments; and

delivering the electronic message to the destination recipient if the malicious action is not detected.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Virus detection by executing electronic message code in a virtual machine is disclosed. An example method includes detecting that an electronic message includes executable code, the electronic message designating a destination recipient. Two or more destination computing systems are identified for the electronic message corresponding to the destination recipient specified in the electronic message prior to delivery of the electronic message to the two or more destination computing systems, the two or more destination computing systems including a first destination computing system and a second destination computing system different from the first destination computing system. Two or more simulation environments corresponding to the two or more destination computing systems are identified. The executable code is executed in the two or more simulation environments. The two or more simulation environments are monitored for a malicious action. The electronic message is delivered to the destination recipient if the action is detected.

73 Citations

16 Claims

1. A method for analyzing executable code associated with electronic messages, the method comprising:
- detecting that an electronic message includes executable code, the electronic message designating a destination recipient;
  
  identifying, for the electronic message, by executing an instruction with a processor, two or more destination computing systems corresponding to the destination recipient specified in the electronic message prior to delivery of the electronic message to the two or more destination computing systems, the two or more destination computing systems including a first destination computing system and a second destination computing system different from the first destination computing system;
  
  identifying two or more different simulation environments respectively corresponding to the two or more destination computing systems;
  
  executing the executable code in the two or more simulation environments;
  
  monitoring, by executing an instruction with the processor, for a malicious action in response to execution of the executable code in the two or more simulation environments; and
  
  delivering the electronic message to the destination recipient if the malicious action is not detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further including flagging the electronic message as having malicious executable code when the action is detected.
  - 3. The method of claim 1, further including:
    - determining a sender of the electronic message; and
      
      restricting future electronic message deliveries from the sender when the malicious action is detected.
  - 4. The method of claim 1, further including notifying a receiving user that the electronic message may be harmful, the notifying occurring when the malicious action is detected.
  - 5. The method of claim 1, further including notifying a system administrator that the electronic message may be harmful, the notifying occurring when the malicious action is detected.
  - 6. The method of claim 1, wherein the executable code is an attachment of the electronic message.
  - 7. The method of claim 1, wherein the executable code is embedded within a body of the electronic message.
  - 8. The method of claim 1, wherein the malicious action includes at least one of accessing a recipient book, modifying a file, or reading a file.
  - 9. The method of claim 1, wherein the malicious action includes modifying sector zero of a storage disc or storage device.

10. A tangible machine readable hardware storage disk or storage device comprising instructions which, when executed, cause a machine to at least:
- detect that an electronic message includes executable code, the electronic message designating a destination recipient;
  
  identify, for the electronic message, two or more destination computing systems corresponding to the destination recipient specified in the electronic message prior to delivery of the electronic message to the two or more destination computing systems, the two or more destination computing systems including a first destination computing system and a second destination computing system different from the first destination computing system;
  
  identify two or more different simulation environments corresponding respectively to the two or more destination computing systems;
  
  execute the executable code in the two or more simulation environments;
  
  monitor for a malicious action in response to execution of the executable code in the two or more simulation environments; and
  
  deliver the electronic message to the destination recipient if the malicious action is not detected.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The tangible machine readable hardware storage disk or storage device of claim 10, wherein the instructions, when executed, further cause the machine to flag the electronic message as having malicious executable code when the malicious action is detected.
  - 12. The tangible machine readable hardware storage disk or storage device of claim 10, wherein the instructions, when executed, further cause the machine to at least:
    - determine a sender of the electronic message; and
      
      restrict future electronic message deliveries from the sender when the malicious action is detected.
  - 13. The tangible machine readable hardware storage disk or storage device of claim 10, wherein the instructions, when executed, further cause the machine to notify a receiving user that the electronic message may be harmful, the notifying occurring when the malicious action is detected.
  - 14. The tangible machine readable hardware storage disk or storage device of claim 10, wherein the instructions, when executed, further cause the machine to notify a system administrator that the electronic message may be harmful, the notifying occurring when the malicious action is detected.
  - 15. The tangible machine readable hardware storage disk or storage device of claim 10, wherein the executable code is an attachment of the electronic message.
  - 16. The tangible machine readable hardware storage disk or storage device of claim 10, wherein the executable code is embedded within a body of the electronic message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Marsden, Walter L., Green, David L.
Primary Examiner(s)
Colin, Carl G
Assistant Examiner(s)
Lavelle, Gary E

Application Number

US15/595,001
Publication Number

US 20170249463A1
Time in Patent Office

540 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

G06F 2221/2149   Restricted operating enviro...

Virus detection by executing electronic message code in a virtual machine

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Virus detection by executing electronic message code in a virtual machine

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links