Mitigation of anti-sandbox malware techniques

US 10,652,273 B2
Filed: 02/27/2018
Issued: 05/12/2020
Est. Priority Date: 10/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method for configuring a sandbox for malware testing, the method comprising:

analyzing, at a threat management facility, at least one digital signature of a software object for a target endpoint to detect a known, trusted software object that can be executed without further analysis, the at least one digital signature verifying an origin of the software object;

when the software object is determined to be trusted, proceeding directly to forwarding the software object from the threat management facility to an endpoint; and

when the software object is determined, based on the digital signature, to be other than trusted, performing, at the threat management facility, the steps of;

sending, to a repository of configuration information of an enterprise, a request for configuration information of the target endpoint for the software object;

receiving, in response to the request, the configuration information of the target endpoint for the software object;

configuring the sandbox to match the configuration information of the target endpoint for the software object, the sandbox instrumented to detect a known anti-sandbox malware component and the sandbox configured to disguise virtualization of the sandbox by mimicking at least one environmental variable of the target endpoint; and

forwarding the software object to the sandbox for execution.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.

22 Citations

View as Search Results

17 Claims

1. A method for configuring a sandbox for malware testing, the method comprising:
- analyzing, at a threat management facility, at least one digital signature of a software object for a target endpoint to detect a known, trusted software object that can be executed without further analysis, the at least one digital signature verifying an origin of the software object;
  
  when the software object is determined to be trusted, proceeding directly to forwarding the software object from the threat management facility to an endpoint; and
  
  when the software object is determined, based on the digital signature, to be other than trusted, performing, at the threat management facility, the steps of;
  
  sending, to a repository of configuration information of an enterprise, a request for configuration information of the target endpoint for the software object;
  
  receiving, in response to the request, the configuration information of the target endpoint for the software object;
  
  configuring the sandbox to match the configuration information of the target endpoint for the software object, the sandbox instrumented to detect a known anti-sandbox malware component and the sandbox configured to disguise virtualization of the sandbox by mimicking at least one environmental variable of the target endpoint; and
  
  forwarding the software object to the sandbox for execution.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising monitoring execution of the software object in the sandbox for a presence of a malicious action.
  - 3. The method of claim 1, wherein the configuration information includes an application configuration.
  - 4. The method of claim 1, wherein the configuration information includes an operating system configuration.
  - 5. The method of claim 1, wherein the configuration information includes a hardware configuration.
  - 6. The method of claim 1, wherein configuring the sandbox includes creating a new virtual machine corresponding to the configuration information of the target endpoint.
  - 7. The method of claim 1, wherein configuring the sandbox includes installing software on a preexisting virtual machine to match a software configuration of the target endpoint.

8. A computer program product for configuring a sandbox for malware testing, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- analyzing, at a threat management facility, at least one digital signature of a software object for a target endpoint to detect a known, trusted software object that can be executed without further analysis, the at least one digital signature verifying an origin of the software object;
  
  when the software object is determined to be trusted, proceeding directly to forwarding the software object from the threat management facility to an endpoint; and
  
  when the software object is determined, based on the digital signature, to be other than trusted, performing, at the threat management facility, the steps of;
  
  sending, to a repository of configuration information of an enterprise, a request for configuration information of the target endpoint for the software object;
  
  receiving, in response to the request, the configuration information of the target endpoint for the software object;
  
  configuring the sandbox to match the configuration information of the target endpoint for the software object, the sandbox instrumented to detect a known anti-sandbox malware component and the sandbox configured to disguise virtualization of the sandbox by mimicking at least one environmental variable of the target endpoint; and
  
  forwarding the software object to the sandbox for execution.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, further comprising code that performs the step of monitoring execution of the software object in the sandbox for a presence of a malicious action.
  - 10. The computer program product of claim 8, wherein the configuration information includes an application configuration.
  - 11. The computer program product of claim 8, wherein the configuration information includes an operating system configuration.
  - 12. The computer program product of claim 8, wherein the configuration information includes a hardware configuration.
  - 13. The computer program product of claim 8, wherein configuring the sandbox includes creating a new virtual machine corresponding to the configuration of the target endpoint.
  - 14. The computer program product of claim 8, wherein configuring the sandbox includes installing software on a preexisting virtual machine to match the configuration information of the target endpoint.

15. A system comprising:
- a computing device coupled to a network, the computing device including a threat management facility;
  
  a processor; and
  
  a memory bearing computer executable code configured to be executed by the processor to cause the computing device to perform the steps of analyzing, at the threat management facility, at least one digital signature of a software object for a target endpoint to detect a known, trusted software object that can be executed without further analysis, the at least one digital signature verifying an origin of the software object, when the software object is determined to be trusted, proceeding directly to forwarding the software object from the threat management facility to an endpoint, and when the software object is determined, based on the digital signature, to be other than trusted, performing, at the threat management facility, the steps of sending, to a repository of configuration information of an enterprise, a request for configuration information of the target endpoint for the software object, receiving, in response to the request, the configuration information of the target endpoint for the software object, configuring a sandbox to match the configuration information of the target endpoint for the software object, the sandbox instrumented to detect a known anti-sandbox malware component and the sandbox configured to disguise virtualization by mimicking at least one environmental variable of the target endpoint, and forwarding the software object to the sandbox for execution.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the configuration information includes one or more of an application configuration, an operating system configuration, and a hardware configuration.
  - 17. The system of claim 15, wherein configuring the sandbox includes creating a new virtual machine corresponding to the configuration information of the target endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Kraft, Chris Douglas
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US15/906,383
Publication Number

US 20180191739A1
Time in Patent Office

805 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Mitigation of anti-sandbox malware techniques

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Mitigation of anti-sandbox malware techniques

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others