System, apparatus and method for classifying a file as malicious using static scanning
First Claim
1. A system comprising:
- a non-transitory computer-readable medium to store information; and
- a processor communicatively coupled to the non-transitory computer-readable medium, the processor for processing the stored information to:
  (i) prior to deconstructing a file, performing a first static scan to determine if content within the file has a prescribed level of correlation with one or more malware identifiers;
  (ii) when the content does not have at least the predefined level of correlation with the one or more malware identifiers, deconstruct the file to gain access to an object within the file, and thereafter, perform a second static scan to analyze the object to determine whether the object is suspected of including malware and classify the file with a score indicating a likelihood that the file includes malware when the object is suspected of including malware, and
  (iii) when the object remains inaccessible for purposes of performing the second static scan following deconstruction of the file, emulate processing of the object and perform a third static scan on both (1) information provided to the object during emulation and (2) information produced by the object during emulation.
5 Assignments
0 Petitions
Abstract
According to one embodiment, a computerized method comprises conducting a first static scan on content within a file. Thereafter, if the first static scan did not result in the file being classified as malicious, the file is deconstructed to gain access to one or more objects within the file. A second static scan associated with the one or more objects is performed to determine whether the one or more objects are suspected of including malware. The file may then be classified as malicious based on results of the second static scan.
488 Citations
23 Claims
1. A system comprising: (text as set out under First Claim above; dependent claims 2 to 18)

19. A computerized method comprising:
- storing, in a non-transitory computer-readable medium, information including a file being a collection of data;
- prior to deconstructing the file, performing a first static scan to determine if content within the file has a prescribed level of correlation with one or more malware identifiers;
- deconstructing the file to gain access to an object within the file;
- performing a second static scan to analyze the object to determine whether the object is suspected of including malware and classify the file with a score indicating a likelihood that the file includes malware if the object is suspected of including malware; and
- when the object remains inaccessible for purposes of performing the second static scan following deconstruction of the file, emulating processing of the object and performing a third static scan on both (1) information provided to the object during emulation and (2) information produced by the object during emulation.
(dependent claims 20 to 23)
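The three-stage pipeline the claims describe (a first static scan of the whole file, deconstruction followed by a second static scan of each extracted object, and emulation plus a third static scan of what an object consumes and produces when the object cannot be inspected directly), as an added Python example; it is not code from the patent or from any product implementing it. The container format (a zip archive), the malware identifiers, the packed-object format with its one-byte XOR unpack stub, the toy emulator and all sample files are constructed for the example; a real scanner would use signature databases, format-specific parsers and a real emulation engine in their place.

```python
"""Three-stage classification modelled on the claims: first static scan of the
whole file, second static scan of objects exposed by deconstruction, third
static scan of an opaque object's inputs and outputs under emulation.
Identifiers, container format, packed format and emulator are all constructed."""
import io
import zipfile
from dataclasses import dataclass, field

# Constructed malware identifiers (byte pattern -> weight); not real signatures.
MALWARE_IDENTIFIERS = {
    b"CONSTRUCTED_MARKER_DROPPER": 1.0,
    b"CONSTRUCTED_MARKER_SUSPECT": 0.5,
}
PRESCRIBED_LEVEL = 0.8   # the "prescribed level of correlation"
PACKED_MAGIC = b"XPK1"   # constructed packed object: magic, 1-byte key, XOR payload


@dataclass
class Verdict:
    classification: str   # "malicious" or "benign"
    score: float          # likelihood that the file includes malware
    stage: str            # scan that produced the highest score
    trace: list = field(default_factory=list)


def static_scan(data: bytes) -> float:
    """Correlation with the identifiers: highest weight of any pattern present."""
    return max((w for pat, w in MALWARE_IDENTIFIERS.items() if pat in data), default=0.0)


def deconstruct(file_bytes: bytes) -> list:
    """Gain access to the objects inside the container: (name, bytes) per member."""
    try:
        with zipfile.ZipFile(io.BytesIO(file_bytes)) as zf:
            return [(info.filename, zf.read(info)) for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []   # not a container this example knows how to deconstruct


def is_accessible(obj: bytes) -> bool:
    """Packed objects stay opaque to the second static scan."""
    return not obj.startswith(PACKED_MAGIC)


def emulate(obj: bytes):
    """Run the packed object's unpack stub in a toy emulator, recording the
    information provided to it (key, payload) and the information it produced."""
    key = obj[len(PACKED_MAGIC)]
    payload = obj[len(PACKED_MAGIC) + 1:]
    provided = [bytes([key]), payload]
    produced = [bytes(b ^ key for b in payload)]
    return provided, produced


def classify(file_bytes: bytes) -> Verdict:
    verdict = Verdict("benign", 0.0, "none")

    def record(stage: str, name: str, score: float) -> None:
        verdict.trace.append((stage, name, score))
        if score > verdict.score:
            verdict.score, verdict.stage = score, stage

    # (i) first static scan, before any deconstruction
    record("stage1", "<file>", static_scan(file_bytes))
    if verdict.score >= PRESCRIBED_LEVEL:
        verdict.classification = "malicious"
        return verdict

    # (ii) deconstruct and scan each accessible object; (iii) emulate the rest
    for name, obj in deconstruct(file_bytes):
        if is_accessible(obj):
            record("stage2", name, static_scan(obj))
        else:
            provided, produced = emulate(obj)
            record("stage3", name, max(static_scan(d) for d in provided + produced))

    if verdict.score >= PRESCRIBED_LEVEL:
        verdict.classification = "malicious"
    return verdict


# Constructed sample files. Members are deflated, so a marker inside a member
# is not visible to the first scan; a marker in the archive comment is.
def build_zip(members: dict, comment: bytes = b"") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
        zf.comment = comment
    return buf.getvalue()


def pack(payload: bytes, key: int) -> bytes:
    return PACKED_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


SAMPLE_STAGE1 = build_zip({"readme.txt": b"nothing to see"}, comment=b"CONSTRUCTED_MARKER_DROPPER")
SAMPLE_STAGE2 = build_zip({"doc.txt": b"quarterly report text CONSTRUCTED_MARKER_DROPPER end"})
SAMPLE_STAGE3 = build_zip({"stub.bin": pack(b"payload CONSTRUCTED_MARKER_DROPPER", 0x5A)})
SAMPLE_SUSPECT = build_zip({"macro.txt": b"CONSTRUCTED_MARKER_SUSPECT only"})
SAMPLE_BENIGN = build_zip({"notes.txt": b"quarterly numbers look fine"})

if __name__ == "__main__":
    for label, sample in [("stage1", SAMPLE_STAGE1), ("stage2", SAMPLE_STAGE2),
                          ("stage3", SAMPLE_STAGE3), ("suspect", SAMPLE_SUSPECT),
                          ("benign", SAMPLE_BENIGN)]:
        print(label, classify(sample))
```

The `trace` on each verdict records which scan saw what, which is the part a detection engineer wants when tuning the prescribed level: a score below the threshold (the SUSPECT sample) still carries the likelihood the claims call for, without the file being classified as malicious.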
Specification