Mitigation of anti-sandbox malware techniques
First Claim
1. A method for configuring a sandbox for malware testing, the method comprising:
- analyzing, at a threat management facility, at least one digital signature of a software object for a target endpoint to detect a known, trusted software object that can be executed without further analysis, the at least one digital signature verifying an origin of the software object;
- when the software object is determined to be trusted, proceeding directly to forwarding the software object from the threat management facility to an endpoint; and
- when the software object is determined, based on the digital signature, to be other than trusted, performing, at the threat management facility, the steps of:
  - sending, to a repository of configuration information of an enterprise, a request for configuration information of the target endpoint for the software object;
  - receiving, in response to the request, the configuration information of the target endpoint for the software object;
  - configuring the sandbox to match the configuration information of the target endpoint for the software object, the sandbox instrumented to detect a known anti-sandbox malware component and the sandbox configured to disguise virtualization of the sandbox by mimicking at least one environmental variable of the target endpoint; and
  - forwarding the software object to the sandbox for execution.
Abstract
Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.
17 Claims
1. Independent method claim (text reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.

8. A computer program product for configuring a sandbox for malware testing, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- analyzing, at a threat management facility, at least one digital signature of a software object for a target endpoint to detect a known, trusted software object that can be executed without further analysis, the at least one digital signature verifying an origin of the software object;
- when the software object is determined to be trusted, proceeding directly to forwarding the software object from the threat management facility to an endpoint; and
- when the software object is determined, based on the digital signature, to be other than trusted, performing, at the threat management facility, the steps of:
  - sending, to a repository of configuration information of an enterprise, a request for configuration information of the target endpoint for the software object;
  - receiving, in response to the request, the configuration information of the target endpoint for the software object;
  - configuring the sandbox to match the configuration information of the target endpoint for the software object, the sandbox instrumented to detect a known anti-sandbox malware component and the sandbox configured to disguise virtualization of the sandbox by mimicking at least one environmental variable of the target endpoint; and
  - forwarding the software object to the sandbox for execution.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A system comprising:
- a computing device coupled to a network, the computing device including a threat management facility;
- a processor; and
- a memory bearing computer executable code configured to be executed by the processor to cause the computing device to perform the steps of:
  - analyzing, at the threat management facility, at least one digital signature of a software object for a target endpoint to detect a known, trusted software object that can be executed without further analysis, the at least one digital signature verifying an origin of the software object;
  - when the software object is determined to be trusted, proceeding directly to forwarding the software object from the threat management facility to an endpoint; and
  - when the software object is determined, based on the digital signature, to be other than trusted, performing, at the threat management facility, the steps of sending, to a repository of configuration information of an enterprise, a request for configuration information of the target endpoint for the software object; receiving, in response to the request, the configuration information of the target endpoint for the software object; configuring a sandbox to match the configuration information of the target endpoint for the software object, the sandbox instrumented to detect a known anti-sandbox malware component and the sandbox configured to disguise virtualization by mimicking at least one environmental variable of the target endpoint; and forwarding the software object to the sandbox for execution.
Dependent claims: 16, 17.
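As an added illustration, not part of the patent or of any assignee's product, the routing decision of the independent claims modelled in Python: a keyed HMAC stands in for the publisher's code signature, and the trusted publisher, the endpoint configuration repository, the endpoint ids and the environment values are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins: trusted publishers' signing keys (a real facility would
# validate an X.509 code-signing chain) and an enterprise configuration repository.
TRUSTED_PUBLISHER_KEYS = {"ACME Software": b"acme-constructed-signing-key"}
ENDPOINT_CONFIG_REPOSITORY = {
    "ws-1042": {"os": "Windows 10 21H2",
                "env": {"COMPUTERNAME": "WS-1042", "USERNAME": "jdoe",
                        "NUMBER_OF_PROCESSORS": "8"}},
}

@dataclass
class SoftwareObject:
    content: bytes
    publisher: str
    signature: bytes  # HMAC-SHA256 over content; stand-in for a code signature

def sign_for_publisher(publisher, content):
    """Constructed helper: the stand-in signature a trusted publisher attaches."""
    return hmac.new(TRUSTED_PUBLISHER_KEYS[publisher], content, hashlib.sha256).digest()

def is_trusted(obj):
    """Verify origin against a known publisher; unknown signer or tampered content fails."""
    key = TRUSTED_PUBLISHER_KEYS.get(obj.publisher)
    if key is None:
        return False
    expected = hmac.new(key, obj.content, hashlib.sha256).digest()
    return hmac.compare_digest(expected, obj.signature)

def request_endpoint_config(endpoint_id):
    """Query the configuration repository; unknown endpoints get a generic profile."""
    return ENDPOINT_CONFIG_REPOSITORY.get(endpoint_id, {"os": "unknown", "env": {}})

def build_sandbox_config(endpoint_config):
    """Sandbox profile matching the target endpoint and disguising virtualization."""
    return {
        "os": endpoint_config["os"],
        "env": dict(endpoint_config["env"]),  # mimic the endpoint's environment variables
        "detect_anti_sandbox": True,          # instrument known anti-sandbox checks
        "expose_hypervisor_artifacts": False,  # hide that the object runs virtualized
    }

def route_software_object(obj, target_endpoint):
    """Trusted objects go straight to the endpoint; all others go to a sandbox."""
    if is_trusted(obj):
        return {"destination": "endpoint", "endpoint": target_endpoint}
    sandbox = build_sandbox_config(request_endpoint_config(target_endpoint))
    return {"destination": "sandbox", "endpoint": target_endpoint, "sandbox": sandbox}
```

A validly signed object from the trusted publisher is forwarded directly, while the same bytes with one modification, or an object from an unknown signer, are routed to a sandbox whose OS and environment variables copy the recorded endpoint configuration.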