Automatic initiation of execution analysis
First Claim

1. One or more non-transitory machine-readable storage mediums storing one or more sequences of instructions for initiating execution analysis upon a bit set, which when executed by one or more processors, causes:

monitoring execution of the bit set in a host operating system execution environment to identify whether the bit set exhibits a suspicious characteristic, wherein said suspicious characteristic corresponds to one or more of a set consisting of: (1) creating a new executable bit set, (2) modifying an existing executable bit set in the host operating system execution environment, and (3) loading a new dynamic link library (DLL) file, wherein said monitoring execution of said bit set is performed without additional performance of execution analysis upon said bit set;

upon determining that the execution of the bit set exhibits a suspicious characteristic, then consulting metadata maintained locally upon a machine in which said one or more processors reside to determine if said execution analysis has previously been performed upon said bit set; and

upon determining that the execution of the bit set exhibits a suspicious characteristic and upon determining that said execution analysis has not yet been performed upon said bit set, then (a) ceasing the execution of the bit set in the host operating system execution environment, (b) instantiating an isolated environment configured to have the same operating attributes as said host operating system execution environment, (c) copying the bit set into the isolated environment and transferring control to the bit set within the isolated environment, and (d) initiating said execution analysis upon the bit set in the isolated environment, wherein said same operating attributes includes any versions of software executing in said host operating system execution environment and any patches applied to said host operating system execution environment.
Abstract
Approaches for transferring control to a bit set. Execution of a bit set upon a host operating system is monitored. A determination is made that the execution of the bit set exhibits a suspicious characteristic. In response, the execution of the bit set on the host operating system is ceased. Then, the bit set is copied into an isolated environment and control is transferred to the bit set within the isolated environment. Thereafter, execution analysis upon the bit set is initiated in the isolated environment. The isolated environment may, but need not, reside on a physical device different from the one on which the host operating system executes.
16 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6.
7. An apparatus for initiating execution analysis upon a bit set, comprising:

one or more processors; and

one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed, cause:

monitoring execution of the bit set in a host operating system execution environment to identify whether the bit set exhibits a suspicious characteristic, wherein said suspicious characteristic corresponds to one or more of a set consisting of: (1) creating a new executable bit set, (2) modifying an existing executable bit set in the host operating system execution environment, and (3) loading a new dynamic link library (DLL) file, wherein said monitoring execution of said bit set is performed without additional performance of execution analysis upon said bit set;

upon determining that the execution of the bit set exhibits a suspicious characteristic, then consulting metadata maintained locally upon a machine in which said one or more processors reside to determine if said execution analysis has previously been performed upon said bit set; and

upon determining that the execution of the bit set exhibits a suspicious characteristic and upon determining that said execution analysis has not yet been performed upon said bit set, then (a) ceasing the execution of the bit set in the host operating system execution environment, (b) instantiating an isolated environment configured to have the same operating attributes as said host operating system execution environment, (c) copying the bit set into the isolated environment and transferring control to the bit set within the isolated environment, and (d) initiating said execution analysis upon the bit set in the isolated environment, wherein said same operating attributes includes any versions of software executing in said host operating system execution environment and any patches applied to said host operating system execution environment.

Dependent claims: 8, 9, 10, 11, 12.
13. A method for initiating execution analysis upon a bit set, comprising:

monitoring execution of the bit set in a host operating system execution environment to identify whether the bit set exhibits a suspicious characteristic, wherein said suspicious characteristic corresponds to one or more of a set consisting of: (1) creating a new executable bit set, (2) modifying an existing executable bit set in the host operating system execution environment, and (3) loading a new dynamic link library (DLL) file, wherein said monitoring execution of said bit set is performed without additional performance of execution analysis upon said bit set;

upon determining that the execution of the bit set exhibits a suspicious characteristic, then consulting metadata maintained locally upon a machine in which said one or more processors reside to determine if said execution analysis has previously been performed upon said bit set; and

upon determining that the execution of the bit set exhibits a suspicious characteristic and upon determining that said execution analysis has not yet been performed upon said bit set, then (a) ceasing the execution of the bit set in the host operating system execution environment, (b) instantiating an isolated environment configured to have the same operating attributes as said host operating system execution environment, (c) copying the bit set into the isolated environment and transferring control to the bit set within the isolated environment, and (d) initiating said execution analysis upon the bit set in the isolated environment, wherein said same operating attributes includes any versions of software executing in said host operating system execution environment and any patches applied to said host operating system execution environment.

Dependent claims: 14, 15, 16.
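The decision flow recited in claims 1, 7 and 13 (monitor without analysing, consult locally kept metadata on a suspicious event, and only then cease host execution and hand the bit set to an isolated environment that mirrors the host's software versions and patches) is easier to follow as code. The following simulation is an added example written for this page; it is not code from the patent or its assignee. The event names (`create_executable`, `modify_executable`, `load_dll`), the `HostAttributes` fields, the sample bit sets and the patch identifiers are constructed placeholders, and the analysis itself is represented only by the hand-off to the isolated environment.

```python
"""Simulation of the host-side decision flow recited in claims 1, 7 and 13.

Constructed example: event names, attribute fields, sample bit sets and patch
identifiers are assumptions for illustration, not values from the patent.
"""
from dataclasses import dataclass
import hashlib

# The three suspicious characteristics enumerated in the claims.
SUSPICIOUS_KINDS = {"create_executable", "modify_executable", "load_dll"}


@dataclass(frozen=True)
class HostAttributes:
    """Operating attributes the isolated environment must reproduce."""
    os_version: str
    patches: tuple            # identifiers of patches applied to the host
    software_versions: tuple  # (program, version) pairs running on the host


@dataclass
class Event:
    """One observation from the host monitor (constructed, not a real telemetry format)."""
    pid: int
    bit_set: bytes  # the bytes of the executing bit set
    kind: str       # what the bit set just did


@dataclass
class IsolatedEnvironment:
    attributes: HostAttributes
    bit_set: bytes = b""
    analysis_initiated: bool = False

    def transfer_control(self, bit_set: bytes) -> None:
        # (c) copy the bit set in and hand control to it; (d) start analysis.
        self.bit_set = bytes(bit_set)
        self.analysis_initiated = True


class Monitor:
    def __init__(self, host: HostAttributes):
        self.host = host
        self.metadata = {}      # local record: sha256 of bit set -> prior analysis
        self.ceased = set()     # pids whose host execution was ceased
        self.environments = []  # isolated environments instantiated so far

    def handle(self, ev: Event) -> str:
        # Plain monitoring: nothing suspicious, so no analysis is performed.
        if ev.kind not in SUSPICIOUS_KINDS:
            return "continue"
        digest = hashlib.sha256(ev.bit_set).hexdigest()
        # Consult the locally maintained metadata before spending an analysis run.
        if digest in self.metadata:
            return "already_analyzed"
        # (a) cease execution on the host.
        self.ceased.add(ev.pid)
        # (b) instantiate an isolated environment with the host's attributes.
        env = IsolatedEnvironment(attributes=self.host)
        # (c) + (d) copy the bit set, transfer control and initiate analysis.
        env.transfer_control(ev.bit_set)
        self.environments.append(env)
        self.metadata[digest] = {"pid": ev.pid, "trigger": ev.kind}
        return "analysis_initiated"


def run_demo() -> dict:
    host = HostAttributes(
        os_version="example-os 10.0",                      # constructed value
        patches=("PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"),    # constructed placeholders
        software_versions=(("browser", "1.2.3"),),         # constructed value
    )
    mon = Monitor(host)
    sample_a = b"MZ\x90\x00sample-bit-set-A"  # constructed, not a real binary
    sample_b = b"MZ\x90\x00sample-bit-set-B"
    events = [
        Event(100, sample_a, "read_file"),          # benign: keep monitoring
        Event(100, sample_a, "create_executable"),  # suspicious: first sighting
        Event(101, sample_a, "load_dll"),           # same bits elsewhere: metadata hit
        Event(102, sample_b, "modify_executable"),  # different bits: new analysis
        Event(102, sample_b, "open_socket"),        # benign
    ]
    decisions = [mon.handle(ev) for ev in events]
    return {"decisions": decisions, "ceased": mon.ceased,
            "environments": mon.environments, "host": host}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The metadata is keyed on a digest of the bit set rather than on the process, so a second process running the same bytes (pid 101 above) is recognised as already analysed and is not sent to a fresh isolated environment, which is the cost-saving point of the "consulting metadata" step; the environment's `attributes` are a copy of the host's, matching the requirement that software versions and patches be the same.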
Specification