Systems and methods for malware detection and scanning
First Claim
1. A computer-implemented method operating in a computing device, the method comprising:
- receiving, at a controller in the computing device, a malware scan request transmitted from a remote controller device via a network, the malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource identifiers (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed, the computing device storing a plurality of virtual machines, wherein at least two of the plurality of virtual machines are within a same domain or a same netblock;
- launching, by the controller, the plurality of virtual machines in the computing device, in response to the received malware scan request;
- instructing, by the controller, each of the plurality of virtual machines of the computing device to:
  - launch an internet browser of the type and version,
  - request data from a web server hosting a web page over the network via the internet browser, wherein at least one of the plurality of virtual machines that are within the same domain or the same netblock is rate-limited; and
  - perform, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools; and
- receiving, from each of the plurality of virtual machines, results of the performed analysis; and
- storing, in a storage, the results of the performed analysis for malware analysis.
Abstract
Systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.
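One way a controller could plan the scan described in claim 1, as an added example rather than code from the patent. All names are hypothetical, and the /24 netblock, the grouping by VM egress address, the choice to throttle every VM after the first in a shared block, the 5-second gap, and the restriction to http(s) URLs are assumptions made for illustration:

```python
from ipaddress import ip_network
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class ScanRequest:            # hypothetical shape of the scan request
    browser_type: str
    browser_version: str
    targets: list

@dataclass
class VM:                     # hypothetical VM record held by the controller
    name: str
    egress_ip: str
    rate_limited: bool = False

def validate_request(req):
    """Require browser type/version and http(s) targets that name a host."""
    if not req.browser_type or not req.browser_version:
        raise ValueError("browser type and version are required")
    for target in req.targets:
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"unsupported target: {target!r}")

def mark_rate_limited(vms, prefix_len=24):
    """Where VMs share a netblock, rate-limit every VM after the first."""
    blocks = defaultdict(list)
    for vm in vms:
        blocks[ip_network(f"{vm.egress_ip}/{prefix_len}", strict=False)].append(vm)
    for members in blocks.values():
        for vm in members[1:]:
            vm.rate_limited = True

def plan_scan(req, vms, min_gap_s=5.0):
    """Round-robin targets over VMs; rate-limited VMs space out their requests."""
    validate_request(req)
    mark_rate_limited(vms)
    next_start, plan = defaultdict(float), []
    for i, url in enumerate(req.targets):
        vm = vms[i % len(vms)]
        start = next_start[vm.name]
        next_start[vm.name] = start + (min_gap_s if vm.rate_limited else 0.0)
        plan.append((vm.name, url, start))  # (VM, target, start offset in seconds)
    return plan

# Constructed sample: two VMs share 192.0.2.0/24, the third sits in another block.
SAMPLE_VMS = [VM("vm-a", "192.0.2.10"), VM("vm-b", "192.0.2.77"), VM("vm-c", "198.51.100.5")]
```

The returned plan is only a schedule; launching the browser of the requested type and version inside each VM and collecting the analysis results are outside this sketch.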
24 Claims
9. A computing device for scanning and detection, the device comprising:
- at least one memory to store data and instructions; and
- at least one processor to access memory and to execute instructions to:
  - receive, at a virtual machine controller in the computing device, a malware scan request transmitted from a remote controller device via a network, the malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource identifiers (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed, wherein at least two of the plurality of virtual machines are within a same domain or a same netblock;
  - launch, by the virtual machine controller, a plurality of virtual machines in the computing device, in response to the received malware scan request;
  - instruct, by the virtual machine controller, each of the plurality of virtual machines of the computing device to:
    - launch an internet browser of the type and version,
    - request data from a web server hosting a web page over the network via the internet browser, wherein at least one of the plurality of virtual machines that are within the same domain or the same netblock is rate-limited; and
    - perform, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools;
  - receive, from each of the plurality of virtual machines, results of the performed analysis; and
  - store, in a storage, the results of the performed analysis for malware analysis.
17. A non-transitory computer-readable medium containing instructions that, when executed by a computing device, cause the computing device to perform a method to:
- receive, at a virtual machine controller in the computing device, a malware scan request comprising a type and version of an internet browser and one or more parameters, the one or more parameters comprising target uniform resource identifiers (URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware scanning is to be performed, wherein at least two of the plurality of virtual machines are within a same domain or a same netblock;
- launch, by the virtual machine controller, a plurality of virtual machines in the computing device, in response to the received malware scan request;
- instruct, by the virtual machine controller, each of the plurality of virtual machines of the computing device to:
  - launch an internet browser of the type and version,
  - request data from a webserver hosting a web page over a network via the internet browser, wherein at least one of the plurality of virtual machines that are within the same domain or the same netblock is rate-limited; and
  - perform, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools;
- receive, from each of the plurality of virtual machines, results of the performed analysis; and
- store, in a storage, the results of the performed analysis for malware analysis.
Specification