MITIGATION OF ANTI-SANDBOX MALWARE TECHNIQUES
First Claim
1. A method of securing an endpoint against malware that contains sandbox detection mechanisms, the method comprising:
receiving a sample of a software object;
performing a first static analysis of the sample using one or more signatures of known malware;
when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint;
when malware is not detected in the first static analysis, performing a second static analysis of the sample using one or more signatures of known anti-sandbox components;
when an anti-sandbox component is detected in the second static analysis, forwarding the sample to a sandbox environment for execution and testing; and
when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.
Abstract
Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.
20 Claims
1. A method of securing an endpoint against malware that contains sandbox detection mechanisms (independent claim; the full text is given under First Claim above). Claims 2 to 14 depend from claim 1.
15. A computer program product for securing an endpoint against malware that contains sandbox detection mechanisms, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
receiving a sample of a software object;
performing a first static analysis of the sample using one or more signatures of known malware;
when malware is detected in the first static analysis, rejecting a file containing the sample for use on an endpoint;
when malware is not detected in the first static analysis, performing a second static analysis of the sample using one or more signatures of known anti-sandbox components;
when an anti-sandbox component is detected in the second static analysis, forwarding the sample to a sandbox environment for execution and testing; and
when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.
Claims 16 to 19 depend from claim 15.
20. A system for securing an endpoint against malware that contains sandbox detection mechanisms, the system comprising:
a computing device coupled to a network;
a processor; and
a memory bearing computer executable code configured to be executed by the processor to cause the computing device to perform the steps of
receiving a sample of a software object over the network,
performing a first static analysis of the sample using one or more signatures of known malware,
when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint,
when malware is not detected in the first static analysis, performing a second static analysis of the sample using one or more signatures of known anti-sandbox components,
when an anti-sandbox component is detected in the second static analysis, forwarding the sample to a sandbox environment for execution and testing, and
when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.
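The two-stage triage recited in claims 1, 15 and 20, together with the abstract's idea of picking the sandbox type from what the static scan found, as an added worked example in Python. This is not the patent's code and not any vendor's implementation; the signature lists, the sandbox type names (bare-metal, time-accelerated-vm, instrumented-vm) and the ranking used to choose between them are this example's own assumptions, and the three input samples are constructed inline.

```python
"""Two-stage static triage: known-malware signatures first, anti-sandbox
signatures second, then route the sample. Added example, not the patent's
code. Signature patterns and sandbox types below are illustrative assumptions."""
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Verdict(Enum):
    REJECT = "reject"    # stage 1 hit: do not let the endpoint use the file
    SANDBOX = "sandbox"  # stage 2 hit: execute and test in a sandbox first
    ALLOW = "allow"      # no hit in either stage: process on the endpoint


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes          # regex over raw bytes (re.escape'd for literals)
    sandbox_type: str = ""  # anti-sandbox signatures only: sandbox to route to


# Stage 1: signatures of known malware. The EICAR test string is the only real
# one here; the second is a constructed marker standing in for a real family.
MALWARE_SIGNATURES = [
    Signature("eicar-test-file", re.escape(b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR")),
    Signature("demo-dropper-marker", re.escape(b"DROPPER_BUILD_7F3A")),  # constructed
]

# Stage 2: signatures of known anti-sandbox components. The strings are
# well-known VM/sandbox artefacts and evasion-related API names. Mapping each
# to a sandbox type is this example's assumption: VM-artefact checks are best
# defeated on bare metal, timing tricks by a sandbox that accelerates time,
# debugger checks by an instrumented VM that hides its instrumentation.
# The rdtsc opcode (0F 31) is included to show byte-level matching; on an
# arbitrary binary a two-byte pattern is noisy, so a real scanner would
# confirm it on disassembled code rather than raw bytes.
ANTI_SANDBOX_SIGNATURES = [
    Signature("vm-artifact-vbox", rb"VBoxService\.exe|VBoxMouse\.sys|VirtualBox", "bare-metal"),
    Signature("vm-artifact-vmware", rb"vmtoolsd\.exe|VMware", "bare-metal"),
    Signature("sandboxie-dll", rb"SbieDll\.dll", "bare-metal"),
    Signature("debugger-check", rb"IsDebuggerPresent|CheckRemoteDebuggerPresent", "instrumented-vm"),
    Signature("timing-evasion", rb"GetTickCount|QueryPerformanceCounter|\x0f\x31", "time-accelerated-vm"),
]

# Assumed preference when several anti-sandbox techniques are present at once:
# pick the sandbox that defeats the hardest-to-fake check.
SANDBOX_RANK = {"bare-metal": 3, "time-accelerated-vm": 2, "instrumented-vm": 1}


@dataclass
class TriageResult:
    verdict: Verdict
    matched: List[str] = field(default_factory=list)  # names of matching signatures
    sandbox_type: Optional[str] = None                # set only for SANDBOX


def _scan(sample: bytes, signatures: List[Signature]) -> List[Signature]:
    """Return every signature whose pattern occurs in the sample, in list order."""
    return [s for s in signatures if re.search(s.pattern, sample)]


def choose_sandbox(hits: List[Signature]) -> str:
    """Select the sandbox type for the strongest evasion technique observed."""
    return max(hits, key=lambda s: SANDBOX_RANK[s.sandbox_type]).sandbox_type


def triage(sample: bytes) -> TriageResult:
    """Claim 1 as a decision procedure over the raw bytes of one software object."""
    # Stage 1: known malware. Any hit rejects the file outright; the anti-sandbox
    # scan is never reached, so evasion code in a known sample is irrelevant.
    hits = _scan(sample, MALWARE_SIGNATURES)
    if hits:
        return TriageResult(Verdict.REJECT, [h.name for h in hits])
    # Stage 2: anti-sandbox components. A hit is not a malware verdict; it means
    # the object is worth the cost of dynamic analysis, in a sandbox chosen to
    # survive the evasion the static scan saw.
    hits = _scan(sample, ANTI_SANDBOX_SIGNATURES)
    if hits:
        return TriageResult(Verdict.SANDBOX, [h.name for h in hits], choose_sandbox(hits))
    # Nothing recognised statically: the claim permits processing on the endpoint.
    return TriageResult(Verdict.ALLOW)


# Constructed samples: a PE-like header followed by strings a scanner would see.
SAMPLE_KNOWN_MALWARE = (b"MZ\x90\x00" + b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"
                        + b"\x00IsDebuggerPresent\x00")  # stage 1 wins over stage 2
SAMPLE_EVASIVE = b"MZ\x90\x00kernel32.dll\x00GetTickCount\x00Sleep\x00VBoxService.exe\x00"
SAMPLE_CLEAN = b"MZ\x90\x00kernel32.dll\x00CreateFileW\x00hello world\x00"

if __name__ == "__main__":
    for label, sample in [("known", SAMPLE_KNOWN_MALWARE), ("evasive", SAMPLE_EVASIVE),
                          ("clean", SAMPLE_CLEAN)]:
        r = triage(sample)
        print(f"{label:8s} {r.verdict.value:8s} matched={r.matched} sandbox={r.sandbox_type}")
```

The weak point of the procedure, visible in the last branch of `triage`, is that a sample which is neither a known family nor carries a recognisable anti-sandbox string (packed, or with its strings obfuscated so that no signature fires) is allowed onto the endpoint without ever being executed. The claim relies on signatures for both stages, so a deployment would normally pair it with a generic suspicion signal (packer detection, high section entropy, unusual import tables) that also routes to the sandbox; that is outside what the claim itself recites.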