System and method for proactive computer virus protection
Abstract
A system, method, and computer-readable medium for the proactive detection of malware in operating systems that receive application programming interface (API) calls is provided. A virtual operating environment for simulating the execution of programs and determining whether the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely affected. During simulation, a behavior signature is generated based on the API calls issued by the potential malware. The behavior signature is suitable for analysis to determine whether the simulated executable is malware.
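As an added illustration (not the patent's own code or any product's implementation), the following Python model shows the scheme the abstract describes: stub "DLLs" mirror a few Windows API exports into a confined virtual environment, the simulated executable is linked against those stubs, and the behavior signature is derived only from the recorded call trace. The names (`VirtualEnvironment`, `load_stubs`, `behavior_signature`), the stub effects and the sample program are constructed for this example; the final analysis function is one hypothetical use of the signature, not a step the patent specifies.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class VirtualEnvironment:  # confined stand-in for host OS state; stubs mutate only this
    files: dict = field(default_factory=dict)
    registry: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)  # (dll, api, args) in call order

# Stub effects (hypothetical model): each mirrors the named Windows API but only
# touches the virtual environment and returns a plausible value to the caller.
def _create_file(env, path, *_):
    env.files.setdefault(path, b"")
    return 0x100 + list(env.files).index(path)  # fake HANDLE
def _write_file(env, path, data, *_):
    env.files[path] = env.files.get(path, b"") + data
    return len(data)  # bytes "written"
def _reg_set_value(env, key, name, value, *_):
    env.registry[(key, name)] = value
    return 0  # ERROR_SUCCESS
STUB_DLLS = {  # stub DLL name -> exported API -> stub implementation
    "kernel32.dll": {"CreateFileA": _create_file, "WriteFile": _write_file},
    "advapi32.dll": {"RegSetValueExA": _reg_set_value},
}

def load_stubs(env):
    """Link the stub DLLs into one import table; every call is traced first."""
    table = {}
    for dll, exports in STUB_DLLS.items():
        for api, impl in exports.items():
            def stub(*args, _dll=dll, _api=api, _impl=impl):
                env.trace.append((_dll, _api, args))
                return _impl(env, *args)
            table[api] = stub
    return table

def behavior_signature(env):
    """Signature = ordered API names plus a digest, derived only from the trace."""
    calls = [api for _, api, _ in env.trace]
    return calls, hashlib.sha256(";".join(calls).encode()).hexdigest()

def autorun_points_to_dropped_file(env):
    """Analysis step: an autorun value names a file the sample itself wrote."""
    return any(key.endswith("\\Run") and val in env.files
               for (key, _), val in env.registry.items())

def sample_program(api):  # constructed stand-in for an analysed executable
    api["CreateFileA"](r"C:\Temp\svc.exe")
    api["WriteFile"](r"C:\Temp\svc.exe", b"MZ\x90\x00")
    api["RegSetValueExA"](r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svc", r"C:\Temp\svc.exe")
```

To run a sample, create a `VirtualEnvironment`, pass `load_stubs(env)` to the program under analysis, then inspect `behavior_signature(env)`; the host file system and registry are never touched because every stub writes only into the environment object.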
24 Claims

1. A computer-implementable method for determining the behavior of an executable comprising:
- selecting evaluation calls made by the executable to the interface of an operating system;
- loading stubs into a virtual address space, the stubs mirroring the calls made to the interface of an operating system, wherein mirroring the calls made to the interface of the operating system includes mirroring a set of fully implemented DLLs; and
- determining a behavior signature for the selected calls;
- wherein the calls are included in dynamic link libraries (DLLs) and wherein loading stubs includes loading stub DLLs into said virtual address space;
- executing the selected calls inside of a virtual operating environment using the loaded stub dynamically linked libraries; and
- determining the behavior signatures resulting from said execution of the selected calls inside of a virtual operating environment.

Dependent claims 2 to 12 depend on claim 1.

13. A computer-readable medium bearing computer-executable instructions which, when executed, carry out a method for determining the behavior of an executable comprising:
- selecting evaluation calls made by the executable to the interface of an operating system;
- loading stubs into a virtual address space, the stubs mirroring the calls made to the interface of an operating system, wherein mirroring the calls made to the interface of the operating system includes mirroring a set of fully implemented DLLs; and
- determining a behavior signature for the selected calls;
- wherein the calls are included in dynamic link libraries (DLLs) and wherein loading stubs includes loading stub DLLs into said virtual address space;
- executing the selected calls inside of a virtual operating environment using the loaded stub dynamically linked libraries; and
- determining the behavior signatures resulting from said execution of the selected calls inside of a virtual operating environment.

Dependent claims 14 to 24 depend on claim 13.