Preventing propagation of malicious software during execution in a virtual machine
First Claim
Patent Images
1. An apparatus for preventing propagation of malicious content specifying a destination computing device during simulation of execution of content, comprising:
- a plurality of virtual machines for executing the content in a simulation environment simulating an environment associated with the destination computing device;
a simulation manager for receiving the content and associating a destination virtual machine from the plurality of virtual machines with the content;
a virtual firewall adapted to communicate with the simulation manager and the plurality of virtual machines, the virtual firewall establishing a connection to a network, communicating the content to the destination virtual machine and applying one or more access rules to identify a network access command that includes a type of a network action received from the destination virtual machine during execution of the content, wherein the one or more access rules modify the connection to the network, the virtual firewall also preventing the network access command from propagating to a second virtual machine, and wherein the one or more access rules comprise responsive to determining the network access command is non-malicious, determining to allow the network access command to access the connection to the network;
responsive to determining the network access command is malicious, terminating the connection to the network before the network access command transmits data using the connection to the network; and
responsive to failing to determine whether the network access command is malicious or non-malicious, determining to allow the network access command to access the connection to the network, monitoring data including one or more data types transmitted by the network access command via the connection to the network, and responsive to detecting transmission of the one or more data types via the connection to the network, terminating the connection to the network, wherein the one or more data types include one or more of configuration data, user data, and registry data.
6 Assignments
0 Petitions
Accused Products
Abstract
A system and method for preventing propagation of malicious content associated with an electronic message are disclosed. An electronic message and content associated with the electronic message is simulated in a virtual machine which emulates the destination computing device of the electronic message. A virtual firewall receives one or more commands as the electronic message or content associated with an electronic message is executed. Initially, the virtual firewall establishes a network connection and determines the type of action associated with the commands. If the type of action comprises a connection maintenance or configuration command, the network connection is maintained. If the type of action comprises a data transmission command, the network connection is terminated. This allows the virtual machine to simulate performance of a networked computer by transmitting a subset of the data through a network connection.
374 Citations
15 Claims
-
1. An apparatus for preventing propagation of malicious content specifying a destination computing device during simulation of execution of content, comprising:
- a plurality of virtual machines for executing the content in a simulation environment simulating an environment associated with the destination computing device;
a simulation manager for receiving the content and associating a destination virtual machine from the plurality of virtual machines with the content;
a virtual firewall adapted to communicate with the simulation manager and the plurality of virtual machines, the virtual firewall establishing a connection to a network, communicating the content to the destination virtual machine and applying one or more access rules to identify a network access command that includes a type of a network action received from the destination virtual machine during execution of the content, wherein the one or more access rules modify the connection to the network, the virtual firewall also preventing the network access command from propagating to a second virtual machine, and wherein the one or more access rules comprise responsive to determining the network access command is non-malicious, determining to allow the network access command to access the connection to the network;
responsive to determining the network access command is malicious, terminating the connection to the network before the network access command transmits data using the connection to the network; and
responsive to failing to determine whether the network access command is malicious or non-malicious, determining to allow the network access command to access the connection to the network, monitoring data including one or more data types transmitted by the network access command via the connection to the network, and responsive to detecting transmission of the one or more data types via the connection to the network, terminating the connection to the network, wherein the one or more data types include one or more of configuration data, user data, and registry data. - View Dependent Claims (2, 3, 4, 5, 6, 7)
- a plurality of virtual machines for executing the content in a simulation environment simulating an environment associated with the destination computing device;
-
8. A computer-implemented method for preventing propagation of malicious content during execution of content, comprising:
- associating the content with a virtual machine;
establishing a network connection;
receiving a network access command generated by execution of the content in the virtual machine using an environment similar to an environment of a destination computing device;
applying one or more access rules to identify the network access command that includes a type of network action, the one or more access rules specifying whether the network connection is maintained;
modifying the network connection responsive to the one or more access rules; and
wherein the one or more access rules comprise responsive to determining the network access command is non-malicious, determining to allow the network access command to access the connection to the network;
responsive to determining the network access command is malicious, terminating the connection to the network before the network access command transmits data using the connection to the network; and
responsive to failing to determine whether the network access command is malicious or non-malicious, determining to allow the network access command to access the connection to the network, monitoring data including one or more data types transmitted by the network access command via the connection to the network, and responsive to detecting transmission of the one or more data types via the connection to the network, terminating the connection to the network, wherein the one or more data types include one or more of configuration data, user data, and registry data. - View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- associating the content with a virtual machine;
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeTrustwave Holdings Incorporated (Singapore Telecommunications Limited)
-
Original AssigneeM86 Security Incorporated (Singapore Telecommunications Limited)
-
InventorsGreen, David E., Payne, Richard, Wood, Trevor
-
Primary Examiner(s)Gee, Jason
-
Application NumberUS12/130,609Time in Patent Office1,754 DaysField of Search726/11US Class Current726/11CPC Class CodesH04L 63/0227 Filtering policies mail mes...H04L 63/1416 Event detection, e.g. attac...
