Launcher for setting analysis environment variations for malware detection
Abstract
A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework generates a plurality of processes for analyzing the object for malware and each of plurality of processes is configured with a different application and plug-in combination selected based in part on a type of object being analyzed.
Claims

45 claims. The independent claims 1, 17 and 32 are reproduced below; their dependent claims are listed by number only.

1. A system for automatically analyzing an object for malware, the system comprising:
one or more hardware processors; and
a memory coupled to the one or more hardware processors, the memory comprises a dynamic analysis engine, a classification engine and a reporting engine, wherein
the dynamic analysis engine, when executed by the one or more hardware processors, generates one or more virtual machines, at least a first virtual machine of the one or more virtual machines includes launcher logic that, upon execution, (i) sets a processing framework for use in configuring a plurality of processes based on a type of object being analyzed and received configuration data identifying a prescribed order of execution of different application and plug-in combinations, (ii) receives information for accessing an object for analysis and parameters associated with the object, and (iii) selects a different application and plug-in combination for each process of the plurality of processes based on the parameters, wherein the plurality of processes concurrently processing the object within the first virtual machine to produce results comprising information associated with behaviors of the object,
the classification engine classifying the object as part of a potential malicious attack based on the information associated with the behaviors of the object, and
the reporting engine generating an alert signal indicating the potential malicious attack.
Dependent claims: 2-16.
17. A non-transitory storage medium including software that, when executed by one or more hardware processors, perform operations for automatically analyzing an object for malware, the non-transitory storage medium comprising:
a first software component that, when executed by the one or more hardware processors, generates one or more virtual machines;
a launcher logic of at least a first virtual machine of the one or more virtual machines that, upon execution, (i) sets a processing framework for use in configuring a plurality of processes based on a type of object being analyzed and received configuration data identifying a prescribed order of execution of different application and plug-in combinations, (ii) receives information for accessing an object for analysis and parameters associated with the object, and (iii) selects a different application and plug-in combination for each process of the plurality of processes based on the parameters, wherein the plurality of processes concurrently processing the object within the first virtual machine to produce results comprising information associated with behaviors of the object;
a classification engine that, upon execution, classifies the object as part of a potential malicious attack based on the information associated with the behaviors of the object; and
the reporting engine that, upon execution, generates an alert signal indicating the potential malicious attack.
Dependent claims: 18-31.
32. A computerized method for automatically analyzing an object for malware comprising:
running a virtual machine within an electronic device; and
analyzing an object being processed within the virtual machine for malware concurrently by a plurality of processes associated with a processing framework by at least (i) setting the processing framework for use in configuring the plurality of processes based on a type of object being analyzed and received configuration data identifying a prescribed order of execution of different application and plug-in combinations, (ii) receiving information for accessing an object for analysis and parameters associated with the object, and (iii) selecting a different application and plug-in combination for each process of the plurality of processes based on the parameters, wherein the plurality of processes concurrently processing the object within the virtual machine to produce results comprising information associated with behaviors of the object;
classifying the object as part of a potential malicious attack based on the information associated with the behaviors of the object; and
generating an alert signal indicating the potential malicious attack.
Dependent claims: 33-45.
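The abstract and the independent claims describe the same pipeline: the launcher types the object, takes the configured order of application and plug-in combinations for that type, assigns a different combination to each process, runs the processes concurrently, and hands the observed behaviors to a classifier and a reporting engine. The following Python is an added illustration of that flow and is not code from the patent or its assignee. Every name in it (CONFIG, Launcher, analyze_in_process, the application and plug-in labels, the behavior weights) is a constructed assumption; the per-process analysis is a stand-in that simulates how a script-bearing PDF behaves differently depending on whether scripting is enabled, since a real implementation would detonate the object in actual applications inside the VM.

```python
"""Added example: a launcher that varies the analysis environment per process.

Hypothetical code written for this page; names and configuration are constructed.
Threads stand in for the monitored OS processes a real VM-based sandbox would spawn.
"""
import concurrent.futures
from dataclasses import dataclass
from typing import Dict, List, Tuple

Combo = Tuple[str, str]  # (application, plug-in setting)

# Constructed configuration data: for each object type, the prescribed order of
# application / plug-in combinations. Labels are illustrative, not real products.
CONFIG: Dict[str, List[Combo]] = {
    "pdf": [("reader_v9", "javascript_off"),
            ("reader_v9", "javascript_on"),
            ("reader_v11", "javascript_on")],
    "exe": [("winloader", "no_network"), ("winloader", "fake_network")],
}

# Constructed behavior weights used by the classifier stand-in.
SUSPICIOUS_WEIGHTS = {"script_executed": 1, "spawned_process": 3, "network_callback": 2}
ALERT_THRESHOLD = 3


def detect_object_type(data: bytes) -> str:
    """Type the object from its magic bytes; unknown types get no processes."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "exe"
    return "unknown"


@dataclass
class Launcher:
    """Launcher logic: framework setup (i) and combination selection (iii)."""
    config: Dict[str, List[Combo]]

    def set_framework(self, object_type: str) -> List[Combo]:
        # (i) the prescribed order of combinations for this object type
        return list(self.config.get(object_type, []))

    def select_combinations(self, object_type: str, params: Dict) -> List[Combo]:
        # (iii) one distinct combination per process; a parameter caps the count
        order = self.set_framework(object_type)
        n = min(params.get("max_processes", len(order)), len(order))
        return order[:n]


def analyze_in_process(data: bytes, app: str, plugin: str) -> List[str]:
    """Stand-in for one monitored process (simulated, not a real application).

    The behaviors it records depend on the environment it was given, which is
    the point of running several combinations against the same object.
    """
    behaviors: List[str] = []
    if plugin == "javascript_on" and b"/JavaScript" in data:
        behaviors.append("script_executed")
        if b"/Launch" in data:
            behaviors.append("spawned_process")
    if plugin == "fake_network" and b"http://" in data:
        behaviors.append("network_callback")
    return behaviors


def run_analysis(data: bytes, params: Dict, launcher: Launcher) -> Dict[Combo, List[str]]:
    """Dynamic analysis engine: run every selected combination concurrently."""
    combos = launcher.select_combinations(detect_object_type(data), params)
    results: Dict[Combo, List[str]] = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=max(1, len(combos))) as pool:
        futures = {pool.submit(analyze_in_process, data, app, plugin): (app, plugin)
                   for app, plugin in combos}
        for fut in concurrent.futures.as_completed(futures):
            results[futures[fut]] = fut.result()
    return results


def classify(results: Dict[Combo, List[str]]) -> Tuple[bool, List[Combo]]:
    """Classification engine: malicious if any process crossed the threshold.

    Returns the triggering combinations so the report can name the environment
    in which the object detonated.
    """
    triggered = [combo for combo, behaviors in results.items()
                 if sum(SUSPICIOUS_WEIGHTS.get(b, 0) for b in behaviors) >= ALERT_THRESHOLD]
    return bool(triggered), sorted(triggered)


def report(data: bytes, params: Dict, launcher: Launcher) -> Dict:
    """Reporting engine: alert flag plus the evidence behind it."""
    results = run_analysis(data, params, launcher)
    malicious, triggered = classify(results)
    return {"alert": malicious, "triggered_by": triggered, "behaviors": results}


# Constructed samples: a PDF-like blob whose payload only fires when scripting is
# enabled, and a benign one. Neither is a real document.
MALICIOUS_PDF = b"%PDF-1.4 /OpenAction << /S /JavaScript /JS (app.launchURL) >> /Launch"
BENIGN_PDF = b"%PDF-1.4 Hello world"

if __name__ == "__main__":
    print(report(MALICIOUS_PDF, {"max_processes": 3}, Launcher(CONFIG)))
```

In this run the javascript_off process records nothing while both javascript_on processes record the script execution and the spawned process, so the alert names the environments that triggered. That is the property the variation framework buys: a sample that stays quiet under one application or plug-in state is still caught by a sibling process configured differently, without a separate VM per environment.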
Specification