Dynamically remote tuning of a malware content detection system
6 Assignments
0 Petitions
Abstract
According to one embodiment, an apparatus comprises a processor and memory. Communicatively coupled to the processor, the memory includes a detection module that, when executed, conducts an analysis of a received object to determine if the received object is associated with a malicious attack. The detection module is configurable, and thus, certain capabilities can be enabled, disabled or modified. The analysis is to be altered upon receipt of a configuration file that includes information to alter one or more rules controlling the analysis conducted by the detection module.
559 Citations
21 Claims
- 1. An apparatus comprising: a processor; and a memory communicatively coupled to the processor, the memory having stored thereon a first detection logic including software that is configurable to enable, disable or modify analysis capabilities of the first detection logic, wherein the first detection logic, when executed by the processor, conducts a first analysis of a received object to determine if the received object is associated with a malicious attack; wherein the first detection logic receives a configuration file, the configuration file being automatically generated by a parameter generation logic including second software to automatically generate the configuration file based on a result of the first analysis; wherein the capabilities of the first detection logic are altered based on the configuration file, and the first detection logic, after alteration of the capabilities, performs a second analysis on the received object or a second received object, the second analysis being different than the first analysis and configured to detect characteristics or behaviors associated with the malicious attack that are used to classify the received object or the second received object as malware; and wherein the configuration file modifies a weighting of at least one of a first analysis score being at least part of the result of the first analysis or a second analysis score being at least part of a result of the second analysis, as used in classifying the received object or the second received object as malware. (Dependent claims 2-14)
- 15. A method for altering operability of a malware content detection system, comprising: conducting a first analysis of an object for malware, the first analysis including monitoring behaviors of the object being processed within a virtual machine; determining whether results of the first analysis of the object are sufficient to classify the object as part of a malicious attack; generating an alert in response to the results of the first analysis of the object being sufficient to classify the object as part of a malicious attack; and, responsive to determining that results of the analysis of the object are insufficient to classify the object as part of the malicious attack, (1) receiving an automatically generated configuration file based on the results of the first analysis, and (2) altering parameters of monitoring logic that controls operability of one or more rules controlling a second analysis of the object for a presence of malware, wherein the parameters of the monitoring logic are altered based on the configuration file, and wherein the altering includes adjusting a weighting of at least one of a first analysis score being at least part of the results of the first analysis or a second analysis score being at least part of results of the second analysis that are used in classifying the object as being part of a malicious attack. (Dependent claims 16-21)
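As an added illustration of the two-pass flow the claims describe (this is not code from the patent or its assignee), the sketch below models a first, static-only analysis; a parameter generation step that emits a configuration file when the first pass is inconclusive; and a second pass whose rules and score weighting are taken from that file. The rule names, weights, threshold and sample object are all constructed assumptions.

```python
import json

# Constructed sample object: static indicators plus behaviours observed in a sandbox run.
SAMPLE = {"static": {"has_macro": True, "packed": False},
          "behaviors": ["spawns_shell", "writes_autorun"]}

# Initial detection-logic configuration: only the static rule is enabled (assumed values).
DEFAULT_CONFIG = {"rules": {"static": True, "behavior": False},
                  "weights": {"static": 1.0, "behavior": 0.0},
                  "threshold": 2.0}

def static_analysis(obj):
    # First-analysis capability: one point per static indicator present.
    return sum(1.0 for present in obj["static"].values() if present)

def behavior_analysis(obj):
    # Second-analysis capability: score behaviours seen while the object ran (hypothetical weights).
    suspicious = {"spawns_shell": 1.5, "writes_autorun": 2.0, "net_beacon": 1.0}
    return sum(suspicious.get(b, 0.0) for b in obj["behaviors"])

def run_analysis(obj, cfg):
    # Only the capabilities enabled in the configuration file are executed.
    scores = {}
    if cfg["rules"]["static"]:
        scores["static"] = static_analysis(obj)
    if cfg["rules"]["behavior"]:
        scores["behavior"] = behavior_analysis(obj)
    return scores

def weighted_total(scores, cfg):
    return sum(cfg["weights"][name] * score for name, score in scores.items())

def generate_config(first_scores, cfg):
    # Parameter generation logic: emit a new configuration file (JSON text) from the
    # first-pass result, enabling behaviour monitoring and re-weighting the scores.
    new = json.loads(json.dumps(cfg))
    new["rules"]["behavior"] = True
    new["weights"]["behavior"] = 1.0
    new["weights"]["static"] = 0.5 if first_scores.get("static", 0.0) > 0 else 0.0
    return json.dumps(new)

def classify(obj, cfg=DEFAULT_CONFIG):
    # Returns (verdict, number of analysis passes that were needed).
    first = run_analysis(obj, cfg)
    if weighted_total(first, cfg) >= cfg["threshold"]:
        return "malware", 1
    cfg2 = json.loads(generate_config(first, cfg))
    second = run_analysis(obj, cfg2)
    verdict = "malware" if weighted_total(second, cfg2) >= cfg2["threshold"] else "benign"
    return verdict, 2
```

For the constructed sample the static pass alone scores 1.0, below the threshold, so the generated file enables behaviour monitoring and halves the static weight; the second pass then classifies the object as malware.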