SYSTEMS AND METHODS FOR MALWARE EVASION MANAGEMENT
3 Assignments
0 Petitions
Abstract
A method for emulating at least one resource in a host computer to a querying hosted code. The method comprises monitoring a plurality of operating system (OS) queries received from a plurality of code executed on a monitored computing unit, the plurality of OS queries being designated to an OS of the monitored computing unit; detecting among the plurality of OS queries at least one query for receiving at least one characteristic of at least one resource of the monitored computing unit, the at least one query being received from querying code of the plurality of code; preparing a response of the OS to the at least one query, the response comprising a false indication of at least one false characteristic of the at least one resource; and sending the response to the querying code in response to the at least one query.
26 Claims
1. A method for emulating at least one resource in a host computer to a querying hosted code, comprising:
monitoring a plurality of operating system (OS) queries received from a plurality of code executed on a monitored computing unit, said plurality of OS queries being designated to an OS of said monitored computing unit;
detecting among said plurality of OS queries at least one query for receiving at least one characteristic of at least one resource of said monitored computing unit, said at least one query being received from querying code of said plurality of code;
preparing a response of said OS to said at least one query, said response comprising a false indication of at least one false characteristic of said at least one resource; and
sending said response to said querying code in response to said at least one query.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 22)
21. A hosting device for emulating at least one resource to a querying hosted code, comprising:
a processor unit coupled to an evasion manipulation module, said evasion manipulation module for implementing stored code, the stored code comprising:
code to monitor a plurality of operating system (OS) queries sent from a plurality of code executed on a monitored computing unit to an OS of said monitored computing unit;
code to detect among said plurality of OS queries at least one query for receiving at least one characteristic of at least one resource of said monitored computing unit, said at least one query being received from a querying code of said plurality of code;
code to prepare a response of said OS to said at least one query, said response comprising at least one false characteristic of said at least one resource; and
code to send said response to said querying code in response to said at least one query.
- View Dependent Claims (23)
24. A system for emulating at least one resource to a querying hosted code, comprising:
a plurality of evasion manipulation modules which are installed in a plurality of connected computing nodes;
a processor coupled to each evasion manipulation module, each evasion manipulation module for implementing stored code, the stored code comprising:
code to respond to OS queries received from one or more querying codes hosted by respective computing nodes with false responses faking the presence or the absence of a security mechanism in the respective hosting computing node, such that when the querying code is a malicious code an escalation process is triggered in the computing node with a security mechanism.
- View Dependent Claims (25)
26. A computer program product for emulating at least one resource in a host computer to a querying hosted code, comprising a readable storage medium storing program code thereon for use by a processor, the program code comprising:
instructions for monitoring a plurality of operating system (OS) queries received from a plurality of code executed on a monitored computing unit, said plurality of OS queries being designated to an OS of said monitored computing unit;
instructions for detecting among said plurality of OS queries at least one query for receiving at least one characteristic of at least one resource of said monitored computing unit, said at least one query being received from a querying code of said plurality of code;
instructions for preparing a response of said OS to said at least one query, said response comprising a false indication of at least one false characteristic of said at least one resource; and
instructions for sending said response to said querying code in response to said at least one query.
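An added example, written for this page and not taken from the patent or from any product of its assignee: a Python in-process analogue of the monitor/detect/prepare/send steps of claim 1 and of the escalation of claim 24. It hooks three interpreter-level OS queries that environment-aware code commonly issues (os.cpu_count, os.path.exists on virtual-machine artifact paths, socket.gethostname), logs who asked what, substitutes false characteristics according to a policy, and flags a caller once it has issued several fingerprint queries. The artifact path list, the two policies, the threshold and the sandbox_probe stand-in for evasive code are all constructed for illustration; a real deployment of the claimed module would interpose at the OS API or kernel boundary, not by replacing module attributes inside one interpreter.

```python
"""In-process analogue of an evasion manipulation module (illustrative, not the
patent's code).  Hooks a few OS queries, records them per caller, returns false
characteristics per policy, and escalates callers that fingerprint the host."""
import os
import socket
import sys
from contextlib import contextmanager
from dataclasses import dataclass, field
from typing import Optional

# Device/proc nodes whose presence is a common "am I inside a VM?" probe.
# Assumed, illustrative list; a deployment would carry a much longer one.
VM_ARTIFACT_PATHS = frozenset({"/dev/vboxguest", "/dev/vboxuser", "/dev/vmci", "/proc/xen"})


@dataclass(frozen=True)
class FalseCharacteristics:
    """False answers to hand back. None means pass the real answer through."""
    cpu_count: Optional[int] = None
    vm_artifacts_present: Optional[bool] = None
    hostname: Optional[str] = None


# Fake the *presence* of an analysis environment so malware stays dormant on a
# production host ...
LOOKS_LIKE_SANDBOX = FalseCharacteristics(cpu_count=1, vm_artifacts_present=True, hostname="sandbox-07")
# ... or fake its *absence* so a sample detonates inside a real sandbox.
LOOKS_LIKE_VICTIM = FalseCharacteristics(cpu_count=8, vm_artifacts_present=False, hostname="ws-0421")


@dataclass
class QueryMonitor:
    """Monitoring half of the module: logs fingerprint queries per caller and
    flags a caller once it has issued escalation_threshold of them."""
    policy: FalseCharacteristics
    escalation_threshold: int = 3
    log: list = field(default_factory=list)
    per_caller: dict = field(default_factory=dict)
    escalated: set = field(default_factory=set)

    def record(self, query: str, arg, caller: str) -> None:
        self.log.append((caller, query, arg))
        n = self.per_caller.get(caller, 0) + 1
        self.per_caller[caller] = n
        if n >= self.escalation_threshold:
            self.escalated.add(caller)


def _caller_name() -> str:
    # frame 0 = this helper, 1 = the hook, 2 = the code that issued the query
    return sys._getframe(2).f_code.co_name


@contextmanager
def evasion_manipulation(policy: FalseCharacteristics, threshold: int = 3):
    """Install the hooks for the duration of the block and yield the monitor."""
    mon = QueryMonitor(policy, threshold)
    real_cpu_count, real_exists, real_hostname = os.cpu_count, os.path.exists, socket.gethostname

    def cpu_count():
        mon.record("cpu_count", None, _caller_name())
        return real_cpu_count() if policy.cpu_count is None else policy.cpu_count

    def exists(path):
        # Only probes for known VM artifacts are logged and faked; every other
        # path lookup (including the stdlib's own) passes through untouched.
        if isinstance(path, str) and path in VM_ARTIFACT_PATHS:
            mon.record("exists", path, _caller_name())
            if policy.vm_artifacts_present is not None:
                return policy.vm_artifacts_present
        return real_exists(path)

    def gethostname():
        mon.record("gethostname", None, _caller_name())
        return real_hostname() if policy.hostname is None else policy.hostname

    os.cpu_count, os.path.exists, socket.gethostname = cpu_count, exists, gethostname
    try:
        yield mon
    finally:  # always restore the real OS interface
        os.cpu_count, os.path.exists, socket.gethostname = real_cpu_count, real_exists, real_hostname


def sandbox_probe() -> str:
    """Constructed stand-in for evasive code: stays dormant if it believes it
    is being analysed, otherwise 'runs' its payload."""
    signs = 0
    if (os.cpu_count() or 1) <= 1:
        signs += 1
    for p in ("/dev/vboxguest", "/proc/xen"):  # plain loop: a genexpr would hide the caller's name
        if os.path.exists(p):
            signs += 1
            break
    if "sandbox" in socket.gethostname().lower():
        signs += 1
    return "dormant" if signs else "payload_runs"


def run(policy: FalseCharacteristics):
    """Run the probe under a policy; return its verdict, escalated callers and the query log."""
    with evasion_manipulation(policy) as mon:
        verdict = sandbox_probe()
    return verdict, mon.escalated, mon.log


if __name__ == "__main__":
    for name, pol in (("sandbox-looking host", LOOKS_LIKE_SANDBOX), ("victim-looking host", LOOKS_LIKE_VICTIM)):
        verdict, escalated, log = run(pol)
        print(f"{name}: verdict={verdict}, escalated={sorted(escalated)}, fingerprint queries={len(log)}")
```

Two points the example makes that the claims only state abstractly. First, the same module serves both deployments: LOOKS_LIKE_SANDBOX makes the probe go dormant on a production node, LOOKS_LIKE_VICTIM makes it detonate where a security mechanism is watching. Second, the act of querying is itself the detection signal: the probe is escalated under both policies because it asked three or more fingerprint questions, regardless of what it was told. The obvious limitation of this interpreter-level hook is also instructive: code that bound the real function before the hook was installed, or that issues the system call directly, bypasses it, which is why the claims place the module between the querying code and the OS rather than inside the querying code's own runtime.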
Specification