System and method for detecting malicious code in random access memory
First Claim
1. A method for detection of malware on a computer, the method comprising:
- detecting, by a hardware processor, a process of an untrusted program on the computer;
- identifying, by the hardware processor, function calls made by the process of the untrusted program, including inter-process function calls made by the process to a destination process;
- collecting, by the hardware processor, information about the untrusted program;
- applying, by the hardware processor, heuristic rules to information about the identified function calls and the information about the untrusted program to determine whether to perform malware analysis of a code in an address space of the destination process that was subject of an inter-process function call made by the process of the untrusted program; and
- when it is determined to perform malware analysis, analyzing the code in an address space of the destination process that was subject of the inter-process function call made by the process of the untrusted program using antivirus software executable by the hardware processor.
1 Assignment, 0 Petitions
Abstract
Disclosed are a system and method for detecting malicious code in random access memory. An exemplary method comprises: detecting, by a hardware processor, a process of an untrusted program on the computer; identifying, by the hardware processor, function calls made by the process of the untrusted program, including inter-process function calls made by the process to a destination process; determining, by the hardware processor, whether to perform malware analysis of a code in an address space of the destination process that was subject of an inter-process function call made by the process of the untrusted program; and when it is determined to perform malware analysis, analyzing the code in an address space of the destination process that was subject of an inter-process function call made by the process of the untrusted program using antivirus software executable by the hardware processor.
44 Citations
20 Claims
1. A method for detection of malware on a computer (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detection of malware on a computer, the system comprising a hardware processor configured to:
- detect a process of an untrusted program on the computer;
- identify function calls made by the process of the untrusted program, including inter-process function calls made by the process to a destination process;
- collect information about the untrusted program;
- apply heuristic rules to information about the identified function calls and the information about the untrusted program to determine whether to perform malware analysis of a code in an address space of the destination process that was subject of an inter-process function call made by the process of the untrusted program; and
- when it is determined to perform malware analysis, analyze the code in an address space of the destination process that was subject of the inter-process function call made by the process of the untrusted program using antivirus software executable by the hardware processor.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A non-transitory computer readable medium storing computer executable instructions for detection of malware on a computer, including instructions for:
- detecting a process of an untrusted program on the computer;
- identifying function calls made by the process of the untrusted program, including inter-process function calls made by the process to a destination process;
- collecting information about the untrusted program;
- applying, by the hardware processor, heuristic rules to information about the identified function calls and the information about the untrusted program to determine whether to perform malware analysis of a code in an address space of the destination process that was subject of an inter-process function call made by the process of the untrusted program; and
- when it is determined to perform malware analysis, analyzing the code in an address space of the destination process that was subject of the inter-process function call made by the process of the untrusted program using antivirus software.
Dependent claims: 16, 17, 18, 19, 20.
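As an added illustration of the claimed flow (not the patent's own implementation, which this page does not show), the Python below filters a constructed trace of inter-process calls down to untrusted callers, applies one heuristic rule that combines the call pattern with facts collected about the caller, and returns the destination processes whose address space should be handed to the scanner. Process names, API names, trust and signature flags, and the rule itself are assumptions made for the example.

```python
"""Toy model of the claimed method: untrusted caller -> inter-process calls ->
heuristic rule over call pattern + caller facts -> list of destination
processes to scan. Everything below is constructed sample data."""
from collections import defaultdict

# Constructed process table: pid -> (name, trusted, signed).
PROCESSES = {
    100: ("svchost.exe", True, True),
    200: ("explorer.exe", True, True),
    300: ("update_helper.exe", False, False),  # untrusted and unsigned
    400: ("notepad.exe", True, True),
}

# Constructed trace of inter-process calls: (caller_pid, api, destination_pid).
# The API names are well-known Windows calls; the patent names none.
TRACE = [
    (300, "OpenProcess", 100),
    (300, "VirtualAllocEx", 100),
    (300, "WriteProcessMemory", 100),
    (300, "CreateRemoteThread", 100),
    (200, "WriteProcessMemory", 400),  # trusted caller: not considered
    (300, "OpenProcess", 400),         # no write, no thread: no scan
]


def untrusted_calls(trace, processes):
    """Keep only calls whose caller is a process of an untrusted program."""
    return [(c, api, d) for c, api, d in trace if not processes[c][1]]


def heuristic_decide(calls, processes):
    """Heuristic rule (assumed): an unsigned untrusted caller that writes into
    a destination and then starts a thread there triggers a scan of that
    destination's address space. Returns the sorted destination pids."""
    per_pair = defaultdict(list)
    for caller, api, dest in calls:          # preserve call order per pair
        per_pair[(caller, dest)].append(api)
    to_scan = set()
    for (caller, dest), apis in per_pair.items():
        signed = processes[caller][2]
        if "CreateRemoteThread" in apis:
            before_thread = apis[:apis.index("CreateRemoteThread")]
            if "WriteProcessMemory" in before_thread and not signed:
                to_scan.add(dest)
    return sorted(to_scan)


def targets_to_scan(trace=TRACE, processes=PROCESSES):
    """Full pipeline; the returned pids are what the AV scanner would examine."""
    return heuristic_decide(untrusted_calls(trace, processes), processes)


if __name__ == "__main__":
    print(targets_to_scan())  # [100]
```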
Specification