MALWARE DETECTION METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT
Abstract
A method, electronic device and computer program product for real-time detection of malicious software (“malware”) are provided. In particular, execution of a suspicious software application attempting to execute on a user's device may be emulated in a virtual operating system environment in order to observe the behavior characteristics of the suspicious application. If, after observing the behavior of the suspicious application in the virtual environment, it is determined that the application is malicious, the application may not be permitted to execute on the user's actual device. The suspicious application may be identified as malicious if an isolated data string of the application matches a “blacklisted” data string, a certain behavior of the application matches a behavior that is known to be malicious, and/or the overall behavior of the application is substantially the same as or similar to a known family of malware.
30 Claims
1. A method comprising:
   receiving an indication that a software application is attempting to execute on a user's device;
   emulating, by a processor, the software application in a virtual environment, in response to receiving the indication;
   analyzing, by the processor, one or more behavior characteristics of the emulated software application; and
   identifying the software application as malicious based at least in part on the behavior characteristics analyzed.
   (Dependent claims 2 to 14.)

15. A computer program product comprising at least one computer-readable storage medium having computer-readable program code portions stored therein, said computer-readable program code portions comprising:
   a first executable portion for receiving an indication that a software application is attempting to execute on a user's device;
   a second executable portion for emulating the software application in a virtual environment, in response to receiving the indication;
   a third executable portion for analyzing one or more behavior characteristics of the emulated software application; and
   a fourth executable portion for identifying the software application as malicious based at least in part on the behavior characteristics analyzed.
   (Dependent claims 16 to 25.)

26. An electronic device comprising:
   a processor configured to:
   receive an indication that a software application is attempting to execute on a user's device;
   emulate the software application in a virtual environment, in response to receiving the indication;
   analyze one or more behavior characteristics of the emulated software application; and
   identify the software application as malicious based at least in part on the behavior characteristics analyzed.
   (Dependent claims 27 to 30.)
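As an added illustration that is not part of the patent text, the three-way decision the abstract describes (blacklisted string, known-malicious behavior, similarity to a known family) applied to the output of one emulation run. Every string, behavior label and family profile below is a constructed placeholder, and the 0.6 Jaccard threshold for family similarity is an assumption, not a value from the patent.

```python
"""Verdict logic over an emulated run, following the abstract's three criteria."""
from dataclasses import dataclass, field

# Constructed reference data; a real deployment loads these from a signature feed.
BLACKLISTED_STRINGS = {"EXAMPLE-BLACKLISTED-MARKER-1", "EXAMPLE-BLACKLISTED-MARKER-2"}
KNOWN_MALICIOUS_BEHAVIORS = {"disable_security_service", "write_autostart_key"}
FAMILY_PROFILES = {  # behavior sets observed for hypothetical known families
    "family_A": {"write_autostart_key", "modify_hosts_file",
                 "contact_remote_host", "delete_shadow_copies"},
    "family_B": {"enumerate_contacts", "send_sms", "contact_remote_host"},
}
FAMILY_THRESHOLD = 0.6  # assumed cut-off for "substantially similar"


@dataclass
class EmulationReport:
    strings: set     # data strings isolated from the application
    behaviors: set   # behavior characteristics observed in the virtual environment


@dataclass
class Verdict:
    malicious: bool
    reasons: list = field(default_factory=list)


def jaccard(a, b):
    """Overlap of two behavior sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def closest_family(behaviors):
    """Return (family name, score) of the best-matching known family profile."""
    best = (None, 0.0)
    for name, profile in FAMILY_PROFILES.items():
        score = jaccard(behaviors, profile)
        if score > best[1]:
            best = (name, score)
    return best


def evaluate(report):
    """Apply the three criteria; any hit blocks execution on the real device."""
    reasons = []
    hit = report.strings & BLACKLISTED_STRINGS
    if hit:
        reasons.append(f"blacklisted string(s): {sorted(hit)}")
    bad = report.behaviors & KNOWN_MALICIOUS_BEHAVIORS
    if bad:
        reasons.append(f"known-malicious behavior(s): {sorted(bad)}")
    family, score = closest_family(report.behaviors)
    if family and score >= FAMILY_THRESHOLD:
        reasons.append(f"resembles {family} (jaccard={score:.2f})")
    return Verdict(malicious=bool(reasons), reasons=reasons)
```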