Virus detection by executing e-mail code in a virtual machine
First Claim
1. A method for detecting that executable code associated with an e-mail is harmful, the method comprising:
an act of receiving an e-mail that designates at least a first and a second destination computing system;
an act of detecting that the e-mail has associated executable code;
an act of determining an environment of the at least the first and the second destination computing system;
an act of emulating the environment of the at least the first and the second destination computing system to create a first emulated environment corresponding to the first destination computing system and a second emulated environment corresponding to the second destination computing system;
an act of executing the associated executable code in the first emulated environment and in the second emulated environment;
an act of determining whether the email is harmful and includes one or more unknown viruses by monitoring the act of executing the associated executable code in the first emulated environment and in the second emulated environment using a plurality of filters for any of one or more viral like actions;
during execution of the executable code, strategically monitoring an impact of the executable code on the hardware and software of the first emulated environment and the second emulated environment, as well as monitoring for a viral like request to transmit data over a network during execution of the executable code using the plurality of filters;
if the email is determined to include the viral like request to transmit data over the network, updating the plurality of filters to identify the one or more viral like actions in the email; and
if the email is determined not to be harmful, an act of delivering the e-mail with the associated executable code to the first destination computing system or the second destination computing system.
Abstract
An intermediary isolation server receives e-mails and isolates any viral behavior from harming its intended destination. After the intermediary receives an e-mail, it determines that the e-mail has associated executable code, and then identifies the environment in which the e-mail code would be executed if delivered. The intermediary then executes the code by emulating how it would be executed in its ultimate environment. If a viral-like behavior is detected, appropriate action is taken to prevent the execution of the code at its intended destination. The attachment is executed in a contained environment that allows for the contained environment to be easily restarted in a clean state.
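The pipeline in Claim 1 and the Abstract, as an added, constructed model rather than the patent's own code: an e-mail addressed to two destinations is parsed, the executable attachment is detected, a fresh emulated environment is built per destination, the code is run under a set of filters that watch file writes and network transmit requests, a transmit request causes a new filter to be learned, and the message is delivered only to destinations where the code proved harmless. The attachment "language" interpreted by run_in_environment, the DESTINATION_ENVIRONMENTS table, the EXECUTABLE_SUFFIXES heuristic and the three filters are all assumptions made for illustration.

```python
"""Constructed model of the intermediary isolation server (Claim 1 / Abstract).
The attachment language, environment table and filters are illustrative
assumptions, not the patent's design."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed environment of each destination computing system.
DESTINATION_ENVIRONMENTS = {
    "alice@example.test": {"os": "win", "system_dir": "C:/Windows", "mail_client": "yes"},
    "bob@example.test": {"os": "linux", "system_dir": "/usr", "mail_client": "no"},
}
EXECUTABLE_SUFFIXES = (".exe", ".vbs", ".js", ".scr", ".bat")  # assumed detection rule


class EmulatedEnvironment:
    """Disposable copy of one destination's environment. A new instance per run
    is the Abstract's 'restart in a clean state'."""

    def __init__(self, profile):
        self.profile = dict(profile)
        self.written = []   # paths the code wrote
        self.network = []   # (host, nbytes) transmit requests

    def expand(self, path):
        return path.replace("$SYSTEM", self.profile["system_dir"])


def run_in_environment(code, env):
    """Interpret the constructed attachment language: '[@key=value ]ACTION args'.
    The optional guard runs a line only when env.profile[key] == value, so the
    same attachment can behave differently per destination environment."""
    for raw in code.decode("ascii", "replace").splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].startswith("@"):
            key, _, value = tokens[0][1:].partition("=")
            if env.profile.get(key) != value:
                continue
            tokens = tokens[1:]
        action, args = tokens[0], tokens[1:]
        if action == "WRITE":
            env.written.append(env.expand(args[0]))
        elif action == "SEND":
            env.network.append((args[0], int(args[1])))
        # Unknown actions are ignored: only monitored actions are modelled.


# The "plurality of filters": each inspects one emulated environment after the run.
def writes_system_dir(env):
    return any(p.startswith(env.profile["system_dir"]) for p in env.written)


def network_transmit(env):
    return bool(env.network)


def make_known_host_filter(host):
    """Filter learned after a viral-like transmit request to `host` was observed."""
    def known_host(env):
        return any(h == host for h, _ in env.network)
    known_host.__name__ = f"known_host:{host}"
    return known_host


DEFAULT_FILTERS = [writes_system_dir, network_transmit]


def extract_executable(msg):
    """Detect associated executable code (here: by attachment file name)."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_SUFFIXES):
            return part.get_payload(decode=True)
    return None


def screen_email(raw, filters):
    """Return {recipient: (verdict, [triggered filters])}; extends `filters` in
    place with a host filter whenever a transmit request is seen."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    recipients = [a.addr_spec for a in msg["To"].addresses]
    code = extract_executable(msg)
    if code is None:
        return {r: ("deliver", []) for r in recipients}
    results = {}
    for rcpt in recipients:
        env = EmulatedEnvironment(DESTINATION_ENVIRONMENTS[rcpt])  # clean state per run
        run_in_environment(code, env)
        hits = [f.__name__ for f in filters if f(env)]
        for host, _ in env.network:  # update the filters on a transmit request
            if not any(f.__name__ == f"known_host:{host}" for f in filters):
                filters.append(make_known_host_filter(host))
        results[rcpt] = ("block" if hits else "deliver", hits)
    return results


def build_message(to, filename, script):
    """Constructed sample e-mail carrying `script` as an attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = ", ".join(to)
    msg["Subject"] = "report"
    msg.set_content("see attached")
    msg.add_attachment(script, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed attachment: harmless everywhere, except that where a mail client
# exists it ships 4096 bytes to an outside host.
SAMPLE_SCRIPT = b"WRITE $HOME/report.txt\n@mail_client=yes SEND relay.example.invalid 4096\n"

if __name__ == "__main__":
    filters = list(DEFAULT_FILTERS)
    raw = build_message(list(DESTINATION_ENVIRONMENTS), "report.exe", SAMPLE_SCRIPT)
    for rcpt, (verdict, hits) in screen_email(raw, filters).items():
        print(f"{rcpt}: {verdict} {hits}")
```

The point the two-environment emulation makes is visible in the sample: the same attachment is blocked for the recipient whose environment has a mail client and delivered to the one whose environment does not, and the host observed in the transmit request becomes a filter that flags later attachments before any other behaviour is considered.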
334 Citations
20 Claims
1. Claim 1 is reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A computer program product for implementing a method for detecting that executable code associated with an e-mail is harmful, the computer program product comprising one or more physical computer-readable media having thereon the following:
computer-executable instructions for detecting the receipt of an e-mail that designates at least a first and a second destination computing system;
computer-executable instructions for detecting that the e-mail has associated executable code;
computer-executable instructions for determining an environment of the at least the first and the second destination computing system;
computer-executable instructions for emulating the environment of the at least the first and the second destination computing system to create a first emulated environment corresponding to the first destination computing system and a second emulated environment corresponding to the second destination computing system;
computer-executable instructions for executing the associated executable code in the first emulated environment and in the second emulated environment;
computer-executable instructions for determining whether the email is harmful and includes one or more unknown viruses by monitoring the act of executing the associated executable code in the first emulated environment and in the second emulated environment using a plurality of filters for any of one or more viral like actions;
computer-executable instructions for strategically monitoring during execution of the executable code, strategically monitoring an impact of the executable code on the hardware and software of the first emulated environment and the second emulated environment, as well as monitoring for a viral like request to transmit data over a network during execution of the executable code using the plurality of filters;
computer-executable instructions for updating the plurality of filters to identify one or more viral like actions associated with the email if the email is determined to include the viral like request to transmit data over the network; and
computer-executable instructions for delivering the e-mail with the associated executable code to the first destination computing system or the second destination computing system if the email is determined not to be harmful.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
Specification