LAUNCHER FOR SETTING ANALYSIS ENVIRONMENT VARIATIONS FOR MALWARE DETECTION

US 20180048660A1
Filed: 11/10/2015
Published: 02/15/2018
Est. Priority Date: 11/10/2015
Status: Active Grant

First Claim

Patent Images

1. A system for automatically analyzing an object for malware, the system comprising:

one or more hardware processors; and

a memory coupled to the one or more hardware processors, the memory comprises software components that, when executed by the one or more hardware processors, generate one or more virtual machines, at least a first virtual machine of the one or more virtual machines includes launcher logic that, upon execution, configures a processing framework that includes a plurality of processes for analyzing the object for malware,wherein the launcher logic configures each of plurality of processes with different application and plug-in combinations based on a type of object being analyzed and received configuration data identifying a prescribed order of execution on an application basis and a plug-in basis.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework generates a plurality of processes for analyzing the object for malware and each of plurality of processes is configured with a different application and plug-in combination selected based in part on a type of object being analyzed.

161 Citations

20 Claims

1. A system for automatically analyzing an object for malware, the system comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more hardware processors, the memory comprises software components that, when executed by the one or more hardware processors, generate one or more virtual machines, at least a first virtual machine of the one or more virtual machines includes launcher logic that, upon execution, configures a processing framework that includes a plurality of processes for analyzing the object for malware,wherein the launcher logic configures each of plurality of processes with different application and plug-in combinations based on a type of object being analyzed and received configuration data identifying a prescribed order of execution on an application basis and a plug-in basis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the plurality of processes associated with the processing framework being further configured based on the received configuration data that includes a priority list, the priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application.
  - 3. The system of claim 2, wherein the priority list identifying the selected plug-in ordering based on which plug-in operating with the selected type and version of the application is more frequently targeted for malicious attack.
  - 4. The system of claim 1, wherein the different application and plug-in combinations include a different version of a selected application type and a different version of one or more selected plug-in types.
  - 5. The system of claim 1, wherein the different application and plug-in combinations include a selected application type and one or more different plug-in types.
  - 6. The system of claim 1, wherein the launcher logic reconfigures the processing framework to alter the analysis of the object in accordance with a different application and plug-in combination than previously configured by the launcher logic.
  - 7. The system of claim 1, wherein the first virtual machine further includes correlation logic operating in combination with the launcher logic, the correlation logic to receive information associated with the object and categorize the object as either a Uniform Resource Locator (URL) or a data type, the object being categorized as the data type in response to a determination that the object includes a selected type of file extension.
  - 8. The system of claim 7, wherein the correlation logic provides a file path of the object and an object type parameter that identifies a category of the object to the launcher logic.
  - 9. The system of claim 1, wherein the plurality of processes include (1) a first process based on a first application and plug-in combination corresponding to an operating environment of an electronic device targeted to receive the object, (2) a second process based on a second application and plug-in combination that is more vulnerable to a malicious attack, and (3) a third process based on a third application and plug-in combination that is a most fortified application and plug-in combination to detect latest and unknown attacks.
  - 10. The system of claim 1, wherein the plurality of processes associated with the processing framework being further configured based on the received configuration data that includes a priority list, the priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application, the priority list further comprises an identification of a selected operating system type and version supporting the selected type and version of the application.

11. A non-transitory storage medium including software that, when executed by one or more hardware processors, perform operations for automatically analyzing an object for malware, the non-transitory storage medium comprising:
- a first software component that, when executed by the one or more hardware processors, generates one or more virtual machines; and
  
  a launcher logic of at least a first virtual machine of the one or more virtual machines that, upon execution, configures a processing framework that includes a plurality of processes for analyzing the object for malware, each of the plurality of processes being configured with different application and plug-in combinations that are selected based on a type of object being analyzed and received configuration data identifying a prescribed order of execution on an application basis and a plug-in basis.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The non-transitory storage medium of claim 11, wherein the processing framework set by the launcher logic includes a plurality of processes associated with the processing framework being further configured based on the received configuration data that includes a priority list, the priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application.
  - 13. The non-transitory storage medium of claim 12, wherein the priority list identifying the selected plug-in ordering based on which plug-in operating with the selected type is more frequently targeted for malicious attack.
  - 14. The non-transitory storage medium of claim 12, wherein the different application and plug-in combinations include a different versions of a selected application type and a different versions of one or more selected plug-in types.
  - 15. The non-transitory storage medium of claim 12, wherein the different application and plug-in combinations include either (i) a different version of a selected application type and a different plug-in types or (ii) a selected application type and a different versions of one or more plug-in types.
  - 16. The non-transitory storage medium of claim 11 further comprising correlation logic operating in combination with the launcher logic, the correlation logic to receive information associated with the object and categorize the object as either a Uniform Resource Locator (URL) or a data type, the object being categorized as the data type in response to a determination that the object includes a selected type of file extension.
  - 17. The non-transitory storage medium of claim 16, wherein the correlation logic provides a file path of the object and an object type parameter that identifies a category of the object to the launcher logic.
  - 18. The non-transitory storage medium of claim 11, wherein the plurality of processes include (1) a first process based on a first application and plug-in combination corresponding to an operating environment of an electronic device targeted to receive the object, (2) a second process based on a second application and plug-in combination that is more vulnerable to a malicious attack, and (3) a third process based on a third application and plug-in combination that is a most fortified application and plug-in combination to detect zero-day attacks.
  - 19. The non-transitory storage medium of claim 11, wherein the plurality of processes associated with the processing framework being further configured based on the received configuration data that includes a priority list, the priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application, the priority list further comprises an identification of a selected operating system type and version supporting the selected type and version of the application.

20. A computerized method for automatically analyzing an object for malware comprising:
- running a virtual machine within an electronic device; and
  
  analyzing an object being processing within the virtual machine for malware by a plurality of processes associated with a processing framework, each of the plurality of processes being configured with different application and plug-in combinations that are selected based on both a type of object being analyzed and received configuration data identifying a prescribed order of execution on an application basis and a plug-in basis, the received configuration data comprises a priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Paithane, Sushant, Vashisht, Sai Omkar, Khalid, Yasir, Pilipenko, Alexandre

Granted Patent

US 10,284,575 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6218   to a system of files or obj...

H04L 63/1416   Event detection, e.g. attac...

LAUNCHER FOR SETTING ANALYSIS ENVIRONMENT VARIATIONS FOR MALWARE DETECTION

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

161 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

LAUNCHER FOR SETTING ANALYSIS ENVIRONMENT VARIATIONS FOR MALWARE DETECTION

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

161 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others