Systems and methods for malware detection and scanning
First Claim
1. A computer-implemented method operating in a computing device, the method comprising:
- receiving, at the computing device, a malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed;
launching, in the computing device, a virtual machine in response to the received malware scan request;
launching, in the virtual machine of the computing device and in response to the received malware scan request, an internet browser of the type and version;
requesting, by the internet browser in the virtual machine and in response to the received malware scan request, data from the web page, over a network;
performing, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools, wherein performing the analysis includes;
performing monitoring and recording of system application programming interface (API) calls,creating software objects associated with the web page,performing antivirus scanning of the software objects, andde-obfuscating code associated with the software objects; and
correlating data associated with the analysis that is performed to determine if the web page is a malicious web page.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.
62 Citations
23 Claims
-
1. A computer-implemented method operating in a computing device, the method comprising:
-
receiving, at the computing device, a malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed; launching, in the computing device, a virtual machine in response to the received malware scan request; launching, in the virtual machine of the computing device and in response to the received malware scan request, an internet browser of the type and version; requesting, by the internet browser in the virtual machine and in response to the received malware scan request, data from the web page, over a network; performing, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools, wherein performing the analysis includes; performing monitoring and recording of system application programming interface (API) calls, creating software objects associated with the web page, performing antivirus scanning of the software objects, and de-obfuscating code associated with the software objects; and correlating data associated with the analysis that is performed to determine if the web page is a malicious web page. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A computing device for scanning and detection, the device comprising:
-
at least one memory to store data and instructions; and at least one processor configured to access memory and to execute instructions to; receive, at the computing device, a malware scan request comprising a type and version of a browser and one or more parameters, the one or more parameters including target uniform resource (URIs), uniform resource locators (URLs) and/or uniform resource names (URNs) used to identify a web page upon which malware scanning is to be performed; launch, in the computing device, a virtual machine in response to the received malware scan request; launch, in the virtual machine, an internet browser of the type and version; request, by the internet browser in the virtual machine, data from the web page over a network; and perform, in the virtual machine of the computing apparatus, analysis on the determined web page using one or more analysis tools, wherein when the at least one processor is configured to perform the analysis, the at least one processor is further configured to; perform monitoring and recording of system application programming interface (API) calls, create software objects associated with the web page, perform antivirus scanning of the software objects, de-obfuscate code associated with the software objects, and correlate data associated with the analysis that is performed to determine if the web page is a malicious web page. - View Dependent Claims (11, 12, 13, 14, 15, 16)
-
-
17. A non-transitory computer-readable medium containing instructions that, when implemented by a computing device, cause the computing device to perform a method comprising:
-
receiving, at the computing device, a malware scan request comprising a type and version of a browser and one or more parameters, the one or more parameters including target uniform resource (URIs), uniform resource locators (URLs) and/or uniform resource names (URNs) used to identify a web page upon which malware scanning is to be performed; launching, in the computing device, a virtual machine in response to the received malware scan request; launching, in the virtual machine of the computing device, an internet browser of the type and version; requesting, by the internet browser in the virtual machine, data from the web page over a network; and performing, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools, wherein performing the analysis includes; performing monitoring and recording of system application programming interface (API) calls, creating software objects associated with the web page, performing antivirus scanning of the software objects, and de-obfuscating code associated with the software objects; and correlating data associated with the analysis that is performed to determine if the web page is a malicious web page. - View Dependent Claims (18, 19, 20, 21, 22, 23)
-
Specification