System and method for malware protection using virtualization
Abstract
Disclosed are systems, methods and computer program products for protecting applications deployed on a host computer from malware using virtualization. An exemplary malware protection system may include a kernel-level driver configured to intercept system calls addressed to an object of a protected application. The system also includes an analysis engine configured to determine if there are security rules associated with one or more of the intercepted system call, the object of the protected application, and the actions allowed on the object of the protected application. The security rules indicate whether the system call is allowed or not allowed to be executed on the host computer. If there is no security rule associated with the system call, the system call is executed in a secure execution environment of the host computer using a virtual copy of the object of the protected application.
71 Citations
17 Claims
1. A method for protecting applications deployed on a host computer, the method comprising:
intercepting, at kernel level of the host computer, system calls addressed to an object of a protected application deployed on the host computer;
determining if there is a security rule associated with one or more of the intercepted system call, the object of the protected application, and the actions allowed on the object of the protected application, wherein the security rule indicates at least whether the system call is allowed to be executed or not allowed to be executed on the host computer;
if there is a security rule indicating that the system call is allowed to be executed on the host computer, executing the system call on the host computer;
if there is a security rule indicating that the system call is not allowed to be executed on the host computer, blocking execution of the system call on the host computer;
if there is no security rule associated with the system call, executing the system call in a secure execution environment using a virtual copy of the object of the protected application;
analyzing whether changes to the virtual copy of the object of the protected application present any security threat to the application, application data, or the host computer;
if the changes to the virtual copy of the object do not present any security threat, applying the changes to the real object in the host computer; and
if the changes to the virtual copy of the object present a security threat, blocking execution of the system call on the host computer.
Dependent claims: 2, 3, 4, 5, 6.
7. A system for protecting applications deployed on a host computer, the system comprising:
a kernel-level driver stored in a memory of the host computer and being executable by a processor of the host computer, the kernel-level driver being configured to intercept system calls addressed to an object of a protected application; and
an analysis engine executable by the processor, the analysis engine being configured to:
determine if there is a security rule associated with one or more of the intercepted system call, the object of the protected application, and the actions allowed on the object of the protected application, wherein the security rule indicates at least whether the system call is allowed to be executed or not allowed to be executed on the host computer;
if there is a security rule indicating that the system call is allowed to be executed on the host computer, instruct the host computer to execute the system call;
if there is a security rule indicating that the system call is not allowed to be executed on the host computer, instruct the host computer to block execution of the system call;
if there is no security rule associated with the system call, instruct a handler of a secure execution environment of the host computer to execute the system call in the secure execution environment using a virtual copy of the object of the protected application;
analyze whether changes to the virtual copy of the object of the protected application present any security threat to the application, application data, or the host computer;
if the changes to the virtual copy of the object do not present any security threat, instruct the host computer to apply the changes to the real object in the host computer; and
if the changes to the virtual copy of the object present a security threat, instruct the host computer to block execution of the system call on the host computer.
Dependent claims: 8, 9, 10, 11.
12. A computer program product embedded in a non-transitory computer-readable storage medium, the computer-readable storage medium comprising computer-executable instructions for protecting applications deployed on a host computer, the instructions for:
intercepting, at kernel level of the host computer, system calls addressed to an object of a protected application deployed on the host computer;
determining if there is a security rule associated with one or more of the intercepted system call, the object of the protected application, and the actions allowed on the object of the protected application, wherein the security rule indicates at least whether the system call is allowed to be executed or not allowed to be executed on the host computer;
if there is a security rule indicating that the system call is allowed to be executed on the host computer, executing the system call on the host computer;
if there is a security rule indicating that the system call is not allowed to be executed on the host computer, blocking execution of the system call on the host computer; and
if there is no security rule associated with the system call, executing the system call in a secure execution environment using a virtual copy of the object of the protected application;
analyzing whether changes to the virtual copy of the object of the protected application present any security threat to the application, application data, or the host computer;
if the changes to the virtual copy of the object do not present any security threat, applying the changes to the real object in the host computer; and
if the changes to the virtual copy of the object present a security threat, blocking execution of the system call on the host computer.
Dependent claims: 13, 14, 15, 16, 17.
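The three independent claims describe one decision flow: look up a rule for the intercepted call; if a rule exists, allow or block on the host accordingly; if none exists, run the call against a virtual copy of the object in a secure environment, analyze the resulting changes, and commit them to the real object only if they present no threat. The following Python simulation of that flow is an added example, not code from the patent or its assignee. The rule format, the in-memory "host", the toy system-call semantics (`write`, `append`, `unlink`), the sample paths and the threat heuristics in `changes_are_threat` are all assumptions constructed for illustration; a real implementation would sit in a kernel driver and use the analysis engine the claims describe.

```python
"""Simulation of the claimed allow / block / sandbox-then-analyze flow.
All rules, objects, paths and heuristics here are constructed for illustration."""
from __future__ import annotations

import copy
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOWED_BY_RULE = "allowed by rule"
    BLOCKED_BY_RULE = "blocked by rule"
    SANDBOX_COMMITTED = "sandboxed, changes committed to real object"
    SANDBOX_BLOCKED = "sandboxed, changes judged a threat, call blocked"


@dataclass(frozen=True)
class SysCall:
    """An intercepted system call addressed to an object of the protected app."""
    name: str            # constructed names: "write", "append", "unlink"
    target: str          # path of the object the call is addressed to
    payload: bytes = b""


@dataclass
class ProtectedObject:
    path: str
    data: bytes
    deleted: bool = False


@dataclass(frozen=True)
class SecurityRule:
    """A None field matches any value; allow=True permits, allow=False blocks."""
    allow: bool
    syscall: Optional[str] = None
    target: Optional[str] = None

    def matches(self, call: SysCall) -> bool:
        return (self.syscall in (None, call.name)
                and self.target in (None, call.target))


def lookup_rule(rules: list[SecurityRule], call: SysCall) -> Optional[SecurityRule]:
    """First matching rule wins; None means 'no rule', which routes to the sandbox."""
    for rule in rules:
        if rule.matches(call):
            return rule
    return None


def apply_syscall(obj: ProtectedObject, call: SysCall) -> None:
    """Toy semantics for the modelled calls (an assumption of this example)."""
    if call.name == "write":
        obj.data = call.payload
    elif call.name == "append":
        obj.data += call.payload
    elif call.name == "unlink":
        obj.deleted = True
    else:
        raise ValueError(f"unmodelled syscall: {call.name}")


def changes_are_threat(real: ProtectedObject, virtual: ProtectedObject) -> bool:
    """Constructed heuristics standing in for the patent's analysis engine:
    deleting the object, emptying it, or rewriting the executable header
    (the 'MZ' magic of the constructed sample binary) counts as a threat."""
    if virtual.deleted:
        return True
    if real.data and not virtual.data:
        return True
    if real.data[:2] == b"MZ" and virtual.data[:2] != b"MZ":
        return True
    return False


def dispatch(call: SysCall, host: dict[str, ProtectedObject],
             rules: list[SecurityRule]) -> Verdict:
    """The claimed decision flow over an in-memory host (path -> object)."""
    real = host[call.target]
    rule = lookup_rule(rules, call)
    if rule is not None:
        if rule.allow:
            apply_syscall(real, call)          # execute directly on the host
            return Verdict.ALLOWED_BY_RULE
        return Verdict.BLOCKED_BY_RULE         # block on the host, object untouched
    # No rule: execute against a virtual copy in the secure environment.
    virtual = copy.deepcopy(real)
    apply_syscall(virtual, call)
    if changes_are_threat(real, virtual):
        return Verdict.SANDBOX_BLOCKED         # real object stays as it was
    real.data, real.deleted = virtual.data, virtual.deleted   # commit changes
    return Verdict.SANDBOX_COMMITTED


def demo() -> tuple[dict[str, Verdict], dict[str, ProtectedObject]]:
    """Constructed scenario: one protected binary, one config file, two rules."""
    host = {
        "/opt/app/app.exe": ProtectedObject("/opt/app/app.exe", b"MZ\x90\x00stub"),
        "/opt/app/app.cfg": ProtectedObject("/opt/app/app.cfg", b"level=1\n"),
    }
    rules = [
        SecurityRule(allow=False, syscall="unlink", target="/opt/app/app.exe"),
        SecurityRule(allow=True, syscall="append", target="/opt/app/app.cfg"),
    ]
    results = {
        "rule_block": dispatch(SysCall("unlink", "/opt/app/app.exe"), host, rules),
        "rule_allow": dispatch(SysCall("append", "/opt/app/app.cfg", b"level=2\n"), host, rules),
        "sandbox_ok": dispatch(SysCall("write", "/opt/app/app.cfg", b"level=3\n"), host, rules),
        "sandbox_threat": dispatch(SysCall("write", "/opt/app/app.exe", b"\x00\x00overwritten"), host, rules),
    }
    return results, host


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:15s} -> {verdict.value}")
```

The point the simulation makes explicit is the ordering: rules are consulted first and are decisive, the sandbox is reached only when no rule matches, and a blocked sandbox run leaves the real object exactly as it was because the call only ever touched the copy.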