MITIGATION OF ANTI-SANDBOX MALWARE TECHNIQUES

US 20170111374A1
Filed: 11/02/2015
Published: 04/20/2017
Est. Priority Date: 10/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method of securing an endpoint against malware that contains sandbox detection mechanisms, the method comprising:

receiving a sample of a software object;

performing a first static analysis of the sample using one or more signatures of known malware;

when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint;

when malware is not detected in the first static analysis, performing a second static analysis of the sample using one or more signatures of known anti-sandbox components;

when an anti-sandbox component is detected in the second static analysis, forwarding the sample to a sandbox environment for execution and testing; and

when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.

22 Citations

View as Search Results

20 Claims

1. A method of securing an endpoint against malware that contains sandbox detection mechanisms, the method comprising:
- receiving a sample of a software object;
  
  performing a first static analysis of the sample using one or more signatures of known malware;
  
  when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint;
  
  when malware is not detected in the first static analysis, performing a second static analysis of the sample using one or more signatures of known anti-sandbox components;
  
  when an anti-sandbox component is detected in the second static analysis, forwarding the sample to a sandbox environment for execution and testing; and
  
  when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the software object is at least one of a file, a document, an application, a media file, and electronic mail, and an item of executable code.
  - 3. The method of claim 1 wherein the sample is all of the software object.
  - 4. The method of claim 1 wherein the sample is a representative portion of the software object.
  - 5. The method of claim 1 further comprising performing a reputation analysis of the sample prior to the second static analysis in order to detect a known, safe software object that can be executed on the endpoint without further analysis.
  - 6. The method of claim 5 wherein the reputation analysis includes an analysis of at least one digital signature of the software object that verifies an origin of the software object.
  - 7. The method of claim 1 wherein the anti-sandbox component includes a component configured to avoid detection within a predetermined sandbox environment.
  - 8. The method of claim 1 wherein the anti-sandbox component includes a component configured to detect one or more aspects of a virtualized environment.
  - 9. The method of claim 1 wherein the one or more signatures include one or more byte sequences known to be associated with malware anti-sandbox components.
  - 10. The method of claim 1 wherein the one or more signatures include feature vectors known to be associated with malware anti-sandbox components.
  - 11. The method of claim 1 wherein the sandbox environment includes a hardware sandbox.
  - 12. The method of claim 1 wherein the sandbox environment includes a virtual sandbox instrumented to detect at least one known anti-sandbox malware component.
  - 13. The method of claim 1 wherein permitting the software object to be processed on the endpoint includes forwarding the software object from at least one of a web gateway, an electronic mail gateway, a firewall, and a threat management facility.
  - 14. The method of claim 1 wherein permitting the software object to be processed on the endpoint includes releasing the software object from an antivirus engine executing on the endpoint.

15. A computer program product for securing an endpoint against malware that contains sandbox detection mechanisms, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- receiving a sample of a software object;
  
  performing a first static analysis of the sample using one or more signatures of known malware;
  
  when malware is detected in the first static analysis, rejecting a file containing the sample for use on an endpoint;
  
  when malware is not detected in the first static analysis, performing a second static analysis of the sample using one or more signatures of known anti-sandbox components;
  
  when an anti-sandbox component is detected in the second static analysis, forwarding the sample to a sandbox environment for execution and testing; and
  
  when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer program product of claim 15 wherein the software object is at least one of a file, a document, an application, a media file, and electronic mail, and an item of executable code.
  - 17. The computer program product of claim 15 further comprising code that performs the step of performing a reputation analysis of the sample prior to the second static analysis in order to detect a known, safe software object that can be executed on the endpoint without further analysis.
  - 18. The computer program product of claim 15 wherein the one or more computing devices include at least one of an endpoint, a web gateway, an electronic mail gateway, a firewall, and a threat management facility.
  - 19. The computer program product of claim 15 wherein permitting the software object to be processed on the endpoint includes releasing the software object from an antivirus engine executing on the endpoint.

20. A system for securing an endpoint against malware that contains sandbox detection mechanisms, the system comprising:
- a computing device coupled to a network;
  
  a processor; and
  
  a memory bearing computer executable code configured to be executed by the processor to cause the computing device to perform the steps of receiving a sample of a software object over the network, performing a first static analysis of the sample using one or more signatures of known malware, when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint, when malware is not detected in the first static analysis, performing a second static analysis of the sample using one or more signatures of known anti-sandbox components, when an anti-sandbox component is detected in the second static analysis, forwarding the sample to a sandbox environment for execution and testing, and when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Harris, Mark David, Stutz, Daniel, Lynch, Vincent Kevin

Granted Patent

US 10,135,861 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

MITIGATION OF ANTI-SANDBOX MALWARE TECHNIQUES

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

MITIGATION OF ANTI-SANDBOX MALWARE TECHNIQUES

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others