Emulation system, method, and computer program product for passing system calls to an operating system for direct execution
First Claim
Patent Images
1. A computer program product embodied on a non-transitory computer readable storage medium for performing operations, comprising:
- loading a file into a sandbox coupled to an operating system and configured for running suspicious executable code, wherein the sandbox replicates a host system that would otherwise receive the file and the sandbox includes code guards driven by a sandbox application program interface (API) that ensures certain portions of program code are not patched;
emulating instructions associated with the loaded file;
identifying system calls resulting from the emulation;
determining whether the system calls include system calls that are at least potentially harmful, wherein the potentially harmful system calls are overridden, wherein a first portion of the system calls associated with a registry is redirected to a quarantine system for scanning using antivirus software, and wherein a second portion of the system calls associated with harmless system calls is passed to the operating system for direct execution; and
receiving an instruction to revert to a previous clean state of the operating system based on detecting malware associated with the loaded file, wherein the clean state includes an application level snapshot of configuration data of an application that was saved between multiple sessions, said application level snapshot of configuration data being used during rollback implementation.
10 Assignments
0 Petitions
Accused Products
Abstract
An emulation system, method, and computer program product are provided for passing system calls to an operating system for direct execution. In operation, a file is loaded into memory and instructions associated with the loaded file are emulated. Furthermore, system calls resulting from the emulation are identified. Still yet, at least a portion of the system calls are passed to an operating system for direct execution thereof. In addition, application programming interfaces are provided for external components to access, to monitor and to control the aforementioned system.
47 Citations
18 Claims
-
1. A computer program product embodied on a non-transitory computer readable storage medium for performing operations, comprising:
-
loading a file into a sandbox coupled to an operating system and configured for running suspicious executable code, wherein the sandbox replicates a host system that would otherwise receive the file and the sandbox includes code guards driven by a sandbox application program interface (API) that ensures certain portions of program code are not patched; emulating instructions associated with the loaded file; identifying system calls resulting from the emulation; determining whether the system calls include system calls that are at least potentially harmful, wherein the potentially harmful system calls are overridden, wherein a first portion of the system calls associated with a registry is redirected to a quarantine system for scanning using antivirus software, and wherein a second portion of the system calls associated with harmless system calls is passed to the operating system for direct execution; and receiving an instruction to revert to a previous clean state of the operating system based on detecting malware associated with the loaded file, wherein the clean state includes an application level snapshot of configuration data of an application that was saved between multiple sessions, said application level snapshot of configuration data being used during rollback implementation. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. A method, comprising:
-
loading a file into a sandbox coupled to an operating system and configured for running suspicious executable code, wherein the sandbox replicates a host system that would otherwise receive the file and the sandbox includes code guards driven by a sandbox application program interface (API) that ensures certain portions of program code are not patched; emulating instructions associated with the loaded file; identifying system calls resulting from the emulation; determining whether the system calls include system calls that are at least potentially harmful, wherein the potentially harmful system calls are overridden, wherein a first portion of the system calls associated with a registry is redirected to a quarantine system for scanning using antivirus software, and wherein a second portion of the system calls associated with harmless system calls is passed to the operating system for direct execution; and receiving an instruction to revert to a previous clean state of the operating system based on detecting malware associated with the loaded file, wherein the clean state includes an application level snapshot of configuration data of an application that was saved between multiple sessions, said application level snapshot of configuration data being used during rollback implementation.
-
-
17. A system, comprising:
-
a sandbox configured for receiving a loaded file, the sandbox being coupled to an operating system and configured for running suspicious executable code, wherein the sandbox replicates a host system that would otherwise receive the file and the sandbox includes code guards driven by a sandbox application program interface (API) that ensures certain portions of program code are not patched; logic for; emulating instructions associated with the loaded file and identifying system calls resulting from the emulation; determining whether the system calls include system calls that are at least potentially harmful, wherein the potentially harmful system calls are overridden, wherein a first portion of the system calls associated with a registry is redirected to a quarantine system for scanning using antivirus software, and wherein a second portion of the system calls associated with harmless system calls is passed to the operating system for direct execution; and receiving an instruction to revert to a previous clean state of the operating system based on detecting malware associated with the loaded file, wherein the clean state includes an application level snapshot of configuration data of an application that was saved between multiple sessions, said application level snapshot of configuration data being used during rollback implementation; a processor for executing the second portion of the system calls passed to the operating system. - View Dependent Claims (18)
-
Specification