Systems and Methods for Virtualized Malware Detection
First Claim
1. A method comprising:
intercepting an object provided from a first digital device to a second digital device;
determining one or more resources the object requires when the object is executed;
instantiating a virtual environment with the one or more resources;
processing the object within the virtual environment;
tainting operations of the object within the virtual environment;
monitoring the operations of the object while processing within the virtual environment;
identifying an additional resource of the object while processing that is not provided in the virtual environment;
re-instantiating the virtual environment with the additional resource as well as the one or more resources;
monitoring the operations of the object while processing within the re-instantiated virtual environment;
identifying untrusted actions from the monitored operations; and
generating a report identifying the operations and the untrusted actions of the object.
Abstract
Systems and methods for virtualized malware enabled detection are described. In some embodiments, a method comprises intercepting an object provided from a first digital device, determining one or more resources the object requires, instantiating a virtual environment with the one or more resources, processing the object within the virtual environment, tainting operations of the object within the virtual environment, monitoring the operations of the object, identifying an additional resource of the object while processing that is not provided in the virtual environment, re-instantiating the virtual environment with the additional resource, monitoring the operations of the object while processing within the re-instantiated virtual environment, identifying untrusted actions from the monitored operations, and generating a report identifying the operations and the untrusted actions of the object.
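The loop the abstract describes (process, detect a resource the environment lacks, re-instantiate, reprocess, report) can be sketched as a small simulation. This is an added example, not code from the patent or its assignee; the scripted object, the resource names, the `SINKS` policy and the rule that data read from the object itself is the taint source are all assumptions made for illustration.

```python
# Constructed sample: an "object" modelled as a scripted list of operations.
# Each op is (action, required_resource, input_names, output_name).
SAMPLE_OBJECT = {
    "name": "invoice.doc",
    "declared_resources": {"word_processor"},
    "ops": [
        ("read_self", "word_processor", [], "payload"),   # assumed taint source
        ("decode", "word_processor", ["payload"], "script"),
        ("read_clock", "word_processor", [], "clock"),    # environment data, untainted
        ("exec", "script_host", ["script"], "cmd"),       # resource not declared up front
        ("write_autorun", "script_host", ["cmd"], None),
        ("write_log", "script_host", ["clock"], None),
    ],
}
SINKS = {"exec", "write_autorun", "net_send"}  # assumed policy, not from the page

class MissingResource(Exception):
    def __init__(self, resource):
        super().__init__(resource)
        self.resource = resource

def process(obj, resources):
    """Run obj in a fresh simulated environment and return the monitored operations."""
    tainted, log = set(), []
    for action, needs, inputs, output in obj["ops"]:
        if needs not in resources:
            raise MissingResource(needs)
        is_tainted = action == "read_self" or any(i in tainted for i in inputs)
        if is_tainted and output:
            tainted.add(output)            # taint propagates to derived values
        log.append({"action": action, "tainted": is_tainted})
    return log

def analyze(obj, max_rounds=5):
    """Re-instantiate with each newly discovered resource until processing completes."""
    resources = set(obj["declared_resources"])
    rounds = []
    for _ in range(max_rounds):
        rounds.append(sorted(resources))
        try:
            log = process(obj, resources)
        except MissingResource as e:
            resources.add(e.resource)      # original resources plus the additional one
            continue
        untrusted = [op["action"] for op in log if op["tainted"] and op["action"] in SINKS]
        return {"object": obj["name"], "environments": rounds,
                "operations": log, "untrusted_actions": untrusted}
    raise RuntimeError("resource discovery did not converge")
```

Calling `analyze(SAMPLE_OBJECT)` returns the report: the environments that were instantiated, every monitored operation with its taint flag, and the tainted operations that reached a sink.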
27 Claims
1. A method comprising:
intercepting an object provided from a first digital device to a second digital device;
determining one or more resources the object requires when the object is executed;
instantiating a virtual environment with the one or more resources;
processing the object within the virtual environment;
tainting operations of the object within the virtual environment;
monitoring the operations of the object while processing within the virtual environment;
identifying an additional resource of the object while processing that is not provided in the virtual environment;
re-instantiating the virtual environment with the additional resource as well as the one or more resources;
monitoring the operations of the object while processing within the re-instantiated virtual environment;
identifying untrusted actions from the monitored operations; and
generating a report identifying the operations and the untrusted actions of the object.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A system comprising:
a collection module configured to receive an object provided from a first digital device to a second digital device;
a virtualization module configured to instantiate a virtual environment with the one or more resources, to process the object within the virtual environment, to identify an additional resource of the object while processing that is not provided in the virtual environment, re-instantiate the virtual environment with the additional resource as well as the one or more resources, and to taint operations of the object within the virtual environment;
a control module configured to determine one or more resources the object requires when the object is processed, to monitor the operations of the object while processing within the virtual environment, to monitor the operations of the object while processing within the re-instantiated virtual environment, and to identify untrusted actions from the monitored operations; and
a report module configured to generate a report identifying the operations and the untrusted actions of the object.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26
27. A computer readable medium comprising instructions, the instructions being executable by a processor for performing a method, the method comprising:
intercepting an object provided from a first digital device to a second digital device;
determining one or more resources the object requires when the object is executed;
instantiating a virtual environment with the one or more resources;
processing the object within the virtual environment;
tainting operations of the object within the virtual environment;
monitoring the operations of the object while processing within the virtual environment;
identifying an additional resource of the object while processing that is not provided in the virtual environment;
re-instantiating the virtual environment with the additional resource as well as the one or more resources;
monitoring the operations of the object while processing within the re-instantiated virtual environment;
identifying untrusted actions from the monitored operations; and
generating a report identifying the operations and the untrusted actions of the object.
Specification