Method and system for isolating suspicious email
First Claim
1. A method for detecting malicious programs, the method comprising:
determining whether an object is suspicious;
opening, in response to determining that the object is suspicious, the suspicious object in a disposable, secure, single purpose virtual machine (VM) session running on a computer system; and
detecting indications of malicious behavior when the suspicious object is opened within the VM session, the detecting of the indications of the malicious behavior comprising:
taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;
taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and
comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.
Abstract
A method for detecting malicious programs, the method includes determining whether an object is suspicious, opening the suspicious object in a disposable, secure, single purpose VM (virtual machine) session and detecting indications of malicious behavior when the suspicious object is opened within the VM session.
81 Claims
1. A method for detecting malicious programs, the method comprising:
determining whether an object is suspicious;
opening, in response to determining that the object is suspicious, the suspicious object in a disposable, secure, single purpose virtual machine (VM) session running on a computer system; and
detecting indications of malicious behavior when the suspicious object is opened within the VM session, the detecting of the indications of the malicious behavior comprising:
taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;
taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and
comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.
Dependent claims: 2 through 27.

28. A system for detecting malicious programs comprising:
one or more memory units; and
one or more processing units operable to perform operations comprising:
determining whether an object is suspicious;
opening, in response to determining that the object is suspicious, the suspicious object in a disposable, secure, single purpose virtual machine (VM) session; and
detecting indications of malicious behavior when the suspicious object is opened within the VM session, the detecting comprising:
taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;
taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and
comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.
Dependent claims: 29 through 54.

55. A non-transitory, tangible computer-readable storage medium including computer executable code for detecting malicious programs, comprising:
code for determining whether an object is suspicious;
code for opening, in response to determining that the object is suspicious, the suspicious object in a disposable, secure, single purpose virtual machine (VM) session; and
code for detecting indications of malicious behavior when the suspicious object is opened within the VM session, the code for detecting the malicious behavior within the VM session comprising:
code for taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;
code for taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and
code for comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.
Dependent claims: 56 through 81.
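The snapshot-and-compare sequence shared by the three independent claims (first snapshot, open the object, second snapshot, compare), shown as an added illustration that is not code from the patent or its assignee. It assumes a throwaway directory standing in for the disposable VM session, a hashed file listing plus a simulated autostart folder as the watched "system features", and constructed open_object callbacks in place of actually opening an object.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed "system features": every file under the session root, keyed by SHA-256,
# plus a simulated autostart folder. Real sessions would watch registry, processes, etc.
AUTOSTART_DIR = "autostart"
SUSPICIOUS_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".vbs")

def take_snapshot(root: Path) -> dict:
    """First/second snapshot: map relative path -> content hash."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_snapshots(before: dict, after: dict) -> dict:
    """Diff the two snapshots into added, removed and modified feature paths."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

def indications(diff: dict) -> list:
    """Turn raw differences into indications of malicious behavior (assumed rules)."""
    findings = []
    for path in diff["added"]:
        if path.startswith(AUTOSTART_DIR + "/"):
            findings.append(f"new autostart entry: {path}")
        elif path.lower().endswith(SUSPICIOUS_SUFFIXES):
            findings.append(f"new executable dropped: {path}")
    findings += [f"system file modified: {p}" for p in diff["modified"] if p.startswith("system/")]
    return findings

def analyze_in_session(open_object) -> list:
    """Run the claimed sequence; the temp dir is discarded like a disposable VM session."""
    with tempfile.TemporaryDirectory() as session:
        root = Path(session)
        for d in ("system", AUTOSTART_DIR):
            (root / d).mkdir()
        (root / "system" / "hosts").write_text("127.0.0.1 localhost\n")
        before = take_snapshot(root)          # first snapshot, prior to opening
        open_object(root)                     # open the suspicious object
        after = take_snapshot(root)           # second snapshot, after opening
        return indications(compare_snapshots(before, after))

# Constructed stand-ins for what opening an object might do inside the session.
def simulated_malicious_open(root: Path) -> None:
    (root / "dropper.exe").write_bytes(b"MZ constructed sample, not a real binary")
    (root / AUTOSTART_DIR / "run.lnk").write_text("dropper.exe\n")
    (root / "system" / "hosts").write_text("127.0.0.1 update.example\n")

def simulated_benign_open(root: Path) -> None:
    (root / "notes.txt").write_text("meeting notes\n")
```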