Dynamically remote tuning of a malware content detection system
First Claim
1. An apparatus comprising:
- a processor; and
- a memory communicatively coupled to the processor, the memory comprises one or more detection modules each being software that is configurable to enable, disable or modify capabilities for that corresponding detection module, a first detection module of the one or more detection modules, when executed by the processor, conducts a first capability including an analysis of a received object to determine if the received object is associated with a malicious attack, wherein the analysis is altered upon receipt of a configuration file that is substantially lesser in size than the software forming the first detection module and includes information to alter one or more rules controlling the first capability.
Abstract
According to one embodiment, an apparatus comprises a processor and memory. Communicatively coupled to the processor, the memory comprises one or more detection modules each being software that is configurable to enable, disable or modify capabilities for that corresponding detection module. A first detection module of the detection modules, when executed by the processor, conducts a first capability including an analysis of a received object to determine if the received object is associated with a malicious attack. The analysis may be altered upon receipt of a configuration file that is substantially lesser in size than the software forming the first detection module and includes information to alter one or more rules controlling the first capability.
22 Claims
1. An apparatus comprising:
- a processor; and
- a memory communicatively coupled to the processor, the memory comprises one or more detection modules each being software that is configurable to enable, disable or modify capabilities for that corresponding detection module, a first detection module of the one or more detection modules, when executed by the processor, conducts a first capability including an analysis of a received object to determine if the received object is associated with a malicious attack, wherein the analysis is altered upon receipt of a configuration file that is substantially lesser in size than the software forming the first detection module and includes information to alter one or more rules controlling the first capability.

Dependent claims 2 to 13 depend on claim 1 (not reproduced here).
14. An apparatus comprising:
- a processor;
- a memory communicatively coupled to the processor, wherein the memory comprises:
  - a first detection engine configured to conduct an analysis of one or more objects that are part of incoming network traffic to identify an object that exhibits characteristics associated with a malicious attack and to output a first result including at least a portion of the analysis by the first detection engine;
  - a second detection engine configured to further conduct an analysis of the object by (i) virtually processing the object in a virtual environment including one or more virtual machines, (ii) monitoring behaviors occurring during the virtual processing of the object by monitoring logic, and (iii) outputting a second result including at least a portion of the analysis by the second detection engine, the behaviors include anomalous behaviors occurring during virtual processing of the object;
- wherein the second detection engine is fully parameterized by including parameters that control operability of a first plurality of rules controlling operability of at least one of the one or more virtual machines or the monitoring logic, a first subset of the parameters is modifiable to alter one or more rules associated with the first plurality of rules to alter the analysis of the object conducted by the second detection engine, and wherein the analysis by the second detection engine is dynamically configurable by uploading a configuration file that is substantially lesser in size than the first detection engine and modifies the first subset of the parameters to alter the analysis in real time.

Dependent claims 15 to 17 depend on claim 14 (not reproduced here).
18. An apparatus comprising:
- a processor; and
- a memory communicatively coupled to the processor, the memory comprises one or more detection modules each being software that is configurable to enable, disable or modify capabilities for that corresponding detection module, a first detection module of the one or more detection modules, when executed by the processor, including a first capability to analyze a flow to determine if an object associated with the flow is an exploit, wherein the first capability is altered upon receipt of a configuration file that is substantially lesser in size than the software forming the first detection module and includes information to alter one or more rules controlling the first capability.

Dependent claims 19 to 22 depend on claim 18 (not reproduced here).
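The common idea behind claims 1, 14 and 18 is a detection module whose rules are parameterized, so that a small configuration file (rather than a new build of the module software) can enable, disable or re-tune them. The following Python sketch is an added illustration of that idea and is not code from the patent or from any product; the rule names, thresholds, the JSON configuration format, the sample object and its sandbox behaviour strings are all constructed for this example.

```python
"""Added example: a parameterized detection module tuned by a small config file.

Not the patent's own code. Rule names, thresholds, the JSON config layout and
the sample object below are constructed for illustration only.
"""
import json
from dataclasses import dataclass


@dataclass
class Rule:
    """One rule of the detection capability; every knob lives in `params`
    so that a configuration file can alter it without touching the code."""
    name: str
    enabled: bool
    params: dict


class DetectionModule:
    """Analyzes an object (metadata plus behaviours observed while it was
    processed in a sandbox) and emits a verdict based on rule hits."""

    def __init__(self):
        # Default rule set shipped with the module software (constructed values).
        self.rules = {
            "size_anomaly": Rule("size_anomaly", True, {"max_bytes": 5_000_000}),
            "suspicious_extension": Rule(
                "suspicious_extension", True, {"extensions": [".exe", ".scr"]}
            ),
            "behavior_count": Rule("behavior_count", True, {"max_anomalous": 2}),
        }
        # Number of rule hits needed to call the object malicious.
        self.verdict_threshold = 2

    def apply_config(self, config_text: str) -> list:
        """Apply a JSON configuration file. Only rules the module already knows
        can be enabled, disabled or re-parameterized; unknown rule names are
        returned to the caller instead of being silently accepted."""
        cfg = json.loads(config_text)
        rejected = []
        for name, change in cfg.get("rules", {}).items():
            rule = self.rules.get(name)
            if rule is None:
                rejected.append(name)
                continue
            if "enabled" in change:
                rule.enabled = bool(change["enabled"])
            rule.params.update(change.get("params", {}))
        if "verdict_threshold" in cfg:
            self.verdict_threshold = int(cfg["verdict_threshold"])
        return rejected

    def analyze(self, obj: dict) -> dict:
        """Run every enabled rule over the object and return hits and verdict."""
        hits = []
        r = self.rules["size_anomaly"]
        if r.enabled and obj["size"] > r.params["max_bytes"]:
            hits.append(r.name)
        r = self.rules["suspicious_extension"]
        if r.enabled and any(
            obj["name"].lower().endswith(ext) for ext in r.params["extensions"]
        ):
            hits.append(r.name)
        r = self.rules["behavior_count"]
        # Behaviours tagged "anomalous:" stand in for the monitoring logic's
        # output during virtual processing (constructed labels).
        anomalous = [b for b in obj["behaviors"] if b.startswith("anomalous:")]
        if r.enabled and len(anomalous) >= r.params["max_anomalous"]:
            hits.append(r.name)
        return {"hits": hits, "malicious": len(hits) >= self.verdict_threshold}


# Constructed sample object: metadata plus behaviours seen in a sandbox run.
SAMPLE_OBJECT = {
    "name": "invoice.scr",
    "size": 120_000,
    "behaviors": [
        "open:file",
        "anomalous:registry-run-key",
        "anomalous:process-inject",
    ],
}

# Constructed configuration update: a few bytes that re-tune two rules.
CONFIG_UPDATE = json.dumps({
    "rules": {
        "behavior_count": {"params": {"max_anomalous": 5}},
        "suspicious_extension": {"enabled": False},
    }
})


def demo():
    """Analyze the same object before and after the configuration update."""
    module = DetectionModule()
    before = module.analyze(SAMPLE_OBJECT)
    rejected = module.apply_config(CONFIG_UPDATE)
    after = module.analyze(SAMPLE_OBJECT)
    return before, after, rejected


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the same object scored as malicious under the default rules (two hits: the extension rule and the behaviour-count rule) and as benign after the small configuration file raises one threshold and disables one rule, with no change to the module's code. In a real deployment the configuration file would need to be authenticated before `apply_config` trusts it, since anything that can weaken these rules at runtime is itself a target.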
Specification