Malware detection using internal and/or external malware detection operations
Abstract
A system may determine to perform an internal and an external malware detection operation to detect a malware infection associated with a client device. The system may perform the internal operation by modifying an environment, executing on a particular device, to form a modified environment. The system may perform the external operation by performing a communication from the particular device. The system may monitor the modified environment for a first behavior indicative of the malware infection, and may monitor a result of performing the communication for a second behavior indicative of the malware infection. The system may detect that the first or second behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the first or second behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.
20 Claims
1. A system, comprising:
a memory; and
one or more processors to:
perform an external malware detection operation that detects malware executing on a client device, the external malware detection operation including a communication with another device and a service validation operation to test a feature of a protocol associated with a connection attempt with the other device by exchanging messages with the other device;
monitor a result of performing the communication with the other device for a behavior indicative of the malware executing on the client device;
detect that the behavior has occurred based on monitoring the result, the behavior being detected based on detecting the other device failing the service validation operation that tests the feature of the protocol, the other device failing the service validation operation based on the other device not supporting the protocol;
determine that the client device is infected with malware based on detecting the other device failing the service validation operation that tests the feature of the protocol; and
provide a notification that the client device is infected with the malware based on determining that the client device is infected with malware.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method, comprising:
performing, by a device, an external malware detection operation that detects malware executing on a client device, the external malware detection operation including a communication with another device and a service validation operation to test a feature of a protocol associated with a connection attempt with the other device by exchanging messages with the other device;
monitoring, by the device, a result of performing the communication with the other device for a behavior indicative of the malware executing on the client device;
detecting, by the device, that the behavior has occurred based on monitoring the result, the behavior being detected based on detecting the other device failing the service validation operation that tests the feature of the protocol, the other device failing the service validation operation based on the other device not supporting the protocol;
determining, by the device, that the client device is infected with malware based on detecting the other device failing the service validation operation that tests the feature of the protocol; and
providing, by the device, a notification that the client device is infected with the malware based on determining that the client device is infected with malware.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
perform an external malware detection operation that detects malware executing on a client device, the external malware detection operation including a communication with another device and a service validation operation to test a feature of a protocol associated with a connection attempt with the other device by exchanging messages with the other device;
monitor a result of performing the communication with the other device for a behavior indicative of the malware executing on the client device;
detect that the behavior has occurred based on monitoring the result, the behavior being detected based on detecting the other device failing the service validation operation that tests the feature of the protocol, the other device failing the service validation operation based on the other device not supporting the protocol;
determine that the client device is infected with malware based on detecting the other device failing the service validation operation that tests the feature of the protocol; and
provide a notification that the client device is infected with the malware based on determining that the client device is infected with malware.
Dependent claims: 16, 17, 18, 19, 20.
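The independent claims describe the external operation as a service validation: the detecting device connects to the peer the client is about to talk to, exchanges protocol messages with it, and treats a peer that does not speak the expected protocol as the behavior indicating infection. The following is an added illustration, not code from the patent or its assignee. It assumes HTTP as the protocol whose feature (a well-formed status line) is tested, and all function names (`validate_http_service`, `external_detection`, `demo`) and the loopback responders are this example's own constructions. It also separates two outcomes the claim language lumps together from a practitioner's view: a peer that is unreachable (inconclusive) versus a peer that answers but does not support the protocol (the claimed indicator).

```python
"""External malware detection by service validation (added example).

Connect to the peer, send one protocol message, and classify the reply.
Only a peer that answers with something other than the expected protocol
counts as a failed service validation; an unreachable peer is inconclusive.
"""
import socket
import threading


def _serve_once(handler):
    """Constructed loopback peer: accept one connection, reply via handler, exit.
    Returns the (host, port) the peer listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            request = conn.recv(4096)
            conn.sendall(handler(request))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def http_response_well_formed(data: bytes) -> bool:
    """The protocol feature under test: an HTTP/1.x status line
    'HTTP/1.x <3-digit code> <reason>' at the start of the reply."""
    status_line = data.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    return (len(parts) >= 2
            and parts[0] in (b"HTTP/1.0", b"HTTP/1.1")
            and len(parts[1]) == 3 and parts[1].isdigit())


def validate_http_service(host: str, port: int, timeout: float = 2.0) -> str:
    """Service validation operation. Returns one of:
    'ok'                - peer speaks HTTP
    'unreachable'       - no connection could be made (inconclusive)
    'protocol_mismatch' - peer answered, but not with HTTP"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.1\r\nHost: " + host.encode()
                      + b"\r\nConnection: close\r\n\r\n")
            reply = s.recv(4096)
    except OSError:
        return "unreachable"
    return "ok" if http_response_well_formed(reply) else "protocol_mismatch"


def external_detection(host: str, port: int) -> dict:
    """One external operation: run the validation and derive the verdict.
    Only a protocol mismatch is treated as the infection indicator."""
    status = validate_http_service(host, port)
    infected = status == "protocol_mismatch"
    notification = None
    if infected:
        notification = ("client device flagged: peer %s:%d does not support HTTP"
                        % (host, port))
    return {"peer": (host, port), "status": status,
            "infected": infected, "notification": notification}


def demo() -> dict:
    """Run the detection against three constructed peers."""
    good = _serve_once(lambda req: b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    # A peer that answers on the port but speaks a different protocol (constructed banner).
    bad = _serve_once(lambda req: b"220 mail.invalid ESMTP ready\r\n")
    # A port that was bound and released so nothing listens on it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed = probe.getsockname()
    probe.close()
    return {"good": external_detection(*good),
            "bad": external_detection(*bad),
            "closed": external_detection(*closed)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["status"], result["infected"], result["notification"])
```

The status-line check is deliberately narrow: it tests exactly one protocol feature, which is what the claims describe, so the same `external_detection` shell can be reused with a different validator (DNS header layout, TLS ServerHello) without changing the verdict logic.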