Mitigation of anti-sandbox malware techniques
First Claim
1. A method of securing an endpoint against malware that contains sandbox detection mechanisms, the method comprising:
- receiving a sample of a software object;
- performing a first static analysis of the sample using one or more signatures of known malware;
- when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint;
- when malware is not detected in the first static analysis, performing a reputation analysis of the sample to detect a known, safe software object that can be executed on the endpoint without further analysis;
- when a known, safe software object is not detected in the reputation analysis, performing a second static analysis of the sample to detect a component configured to detect one or more aspects of a virtualized environment;
- when an anti-sandbox component is detected in the second static analysis, selecting, based on the anti-sandbox component detected in the second static analysis, a least computationally expensive sandbox from a number of different types of sandboxes having different computational costs, and forwarding the sample to the least computationally expensive sandbox for execution and testing; and
- when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.
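The triage order of claim 1, written out as an added Python sketch that is not part of the patent: the signature set, the reputation hashes, the anti-sandbox markers and the sandbox cost table are all constructed placeholders, and the only decision the code makes beyond the claim is a fallback when no sandbox conceals every probed aspect.

```python
"""Triage modelled on claim 1: signature scan, reputation lookup, static
anti-sandbox check, then least-cost sandbox selection (constructed example)."""
import hashlib

# Constructed placeholders, not real indicators.
KNOWN_MALWARE_SIGS = {b"EVIL-MARKER"}
KNOWN_GOOD_HASHES = {hashlib.sha256(b"MZ trusted-installer").hexdigest()}

# Static markers suggesting the sample probes a virtualized environment,
# mapped to the aspect a sandbox must conceal to survive that probe.
ANTI_SANDBOX_INDICATORS = {
    b"VBoxGuest": "hypervisor_artifacts",
    b"VMwareTools": "hypervisor_artifacts",
    b"GetTickCount": "timing",
    b"GetCursorPos": "user_interaction",
}

# Sandbox types with the aspects each can conceal and a relative cost.
SANDBOXES = [
    {"name": "emulator", "cost": 1, "hides": {"timing"}},
    {"name": "vm-scrubbed", "cost": 3, "hides": {"timing", "hypervisor_artifacts"}},
    {"name": "bare-metal", "cost": 10,
     "hides": {"timing", "hypervisor_artifacts", "user_interaction"}},
]


def find_anti_sandbox(sample: bytes) -> set:
    """Second static analysis: which virtualization aspects the sample probes."""
    return {need for marker, need in ANTI_SANDBOX_INDICATORS.items() if marker in sample}


def cheapest_sandbox(needs: set) -> str:
    """Least computationally expensive sandbox that conceals every probed aspect."""
    capable = [s for s in SANDBOXES if needs <= s["hides"]]
    if not capable:  # nothing covers every aspect: fall back to the most capable type
        return max(SANDBOXES, key=lambda s: len(s["hides"]))["name"]
    return min(capable, key=lambda s: s["cost"])["name"]


def triage(sample: bytes) -> str:
    """Returns 'reject', 'allow', or 'sandbox:<type>' following the claimed order."""
    if any(sig in sample for sig in KNOWN_MALWARE_SIGS):
        return "reject"                              # first static analysis hit
    if hashlib.sha256(sample).hexdigest() in KNOWN_GOOD_HASHES:
        return "allow"                               # reputation: known safe object
    needs = find_anti_sandbox(sample)
    if needs:
        return "sandbox:" + cheapest_sandbox(needs)  # forward for execution and testing
    return "allow"                                   # no anti-sandbox component found
```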
Abstract
Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.
15 Claims
1. (Reproduced above under First Claim; dependent claims 2 through 10.)
11. A computer program product for securing an endpoint against malware that contains sandbox detection mechanisms, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- receiving a sample of a software object;
- performing a first static analysis of the sample using one or more signatures of known malware;
- when malware is detected in the first static analysis, rejecting a file containing the sample for use on an endpoint;
- when malware is not detected in the first static analysis, performing a reputation analysis of the sample to detect a known, safe software object that can be executed on the endpoint without further analysis;
- when a known, safe software object is not detected in the reputation analysis, performing a second static analysis of the sample to detect a component configured to detect one or more aspects of a virtualized environment;
- when an anti-sandbox component is detected in the second static analysis, selecting, based on the anti-sandbox component detected in the second static analysis, a least computationally expensive sandbox from a number of different types of sandboxes having different associated computational costs, and forwarding the sample to the least computationally expensive sandbox for execution and testing; and
- when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.
Dependent claims: 12, 13, 14.
15. A system for securing an endpoint against malware that contains sandbox detection mechanisms, the system comprising:
- a computing device coupled to a network;
- a processor; and
- a memory bearing computer executable code configured to be executed by the processor to cause the computing device to perform the steps of:
  - receiving a sample of a software object over the network,
  - performing a first static analysis of the sample using one or more signatures of known malware,
  - when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint,
  - when malware is not detected in the first static analysis, performing a reputation analysis of the sample to detect a known, safe software object that can be executed on the endpoint without further analysis,
  - when a known, safe software object is not detected in the reputation analysis, performing a second static analysis of the sample to detect a component configured to detect one or more aspects of a virtualized environment,
  - when an anti-sandbox component is detected in the second static analysis, selecting, based on the anti-sandbox component detected in the second static analysis, a least computationally expensive sandbox from a number of different types of sandboxes having different associated computational costs, and forwarding the sample to the least computationally expensive sandbox for execution and testing, and
  - when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.