Malware detection using internal malware detection operations
First Claim
1. A system, comprising:
one or more processors; and
a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to:
determine to perform an internal malware detection operation to detect malware executing on a client device;
perform the internal malware detection operation, the internal malware detection operation being performed locally on a particular device without requiring communication with another device, and the internal malware detection operation including at least one of:
an artifact persistence operation to delete a first artifact and determine whether the first artifact has been recreated, an artifact decoy operation to create a second artifact and determine whether the second artifact has been modified, or an artifact integrity operation to detect that a third artifact has been modified in a particular manner;
modify an environment executing on the particular device, to form a modified environment, based on performing the internal malware detection operation;
monitor the modified environment for a particular behavior indicative of a malware infection;
detect that the particular behavior has occurred; and
provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred, the notification causing one or more network devices to block network traffic to or from the client device.
Abstract
A system may determine to perform an internal malware detection operation to detect malware executing on a client device. The system may perform the internal malware detection operation. The internal malware detection operation may be performed locally on a particular device without requiring communication with another device. The system may modify an environment executing on the particular device, to form a modified environment, based on performing the internal malware detection operation. The system may monitor the modified environment for a particular behavior indicative of a malware infection. The system may detect that the particular behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.
20 Claims
1. A system, comprising:
one or more processors; and
a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to:
determine to perform an internal malware detection operation to detect malware executing on a client device;
perform the internal malware detection operation, the internal malware detection operation being performed locally on a particular device without requiring communication with another device, and the internal malware detection operation including at least one of:
an artifact persistence operation to delete a first artifact and determine whether the first artifact has been recreated, an artifact decoy operation to create a second artifact and determine whether the second artifact has been modified, or an artifact integrity operation to detect that a third artifact has been modified in a particular manner;
modify an environment executing on the particular device, to form a modified environment, based on performing the internal malware detection operation;
monitor the modified environment for a particular behavior indicative of a malware infection;
detect that the particular behavior has occurred; and
provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred, the notification causing one or more network devices to block network traffic to or from the client device.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
determine to perform an internal malware detection operation to detect malware executing on a client device;
perform the internal malware detection operation, the internal malware detection operation being performed locally on a particular device without requiring communication with another device;
monitor a particular location within an environment executing on the particular device;
detect that an artifact has been created in the particular location of the environment;
delete the artifact;
monitor the particular location to determine whether the artifact has been recreated within a threshold amount of time;
detect that the artifact has been recreated within the threshold amount of time; and
provide a notification that the client device is infected with malware based on detecting that the artifact has been recreated within the threshold amount of time, the notification causing one or more network devices to block network traffic to or from the client device.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A method, comprising:
determining, by a particular device, to perform an internal malware detection operation to detect malware executing on a client device;
performing, by the particular device, the internal malware detection operation, the internal malware detection operation being performed locally on the particular device without requiring communication with another device, and performing the internal malware detection operation comprising:
monitoring, by the particular device, a particular location within an environment executing on the particular device,
detecting, by the particular device, that an artifact has been created in the particular location based on monitoring the particular location,
modifying, by the particular device, the environment to form a modified environment based on performing the internal malware detection operation, modifying the environment comprising:
deleting the artifact,
monitoring, by the particular device, the modified environment for a particular behavior indicative of a malware infection, monitoring the modified environment for the particular behavior indicative of the malware infection comprising:
monitoring the modified environment to determine whether the artifact has been recreated within a threshold amount of time;
detecting, by the particular device, that the particular behavior has occurred, detecting that the particular behavior has occurred comprising:
detecting that the artifact has been recreated within the threshold amount of time; and
providing, by the particular device, a notification that the client device is infected with malware based on detecting that the particular behavior has occurred, providing the notification that the client device is infected with malware based on detecting that the particular behavior has occurred comprising:
providing the notification that the client device is infected with malware based on detecting that the artifact has been recreated within the threshold amount of time, and the notification causing one or more network devices to block network traffic to or from the client device.
Dependent claims: 16, 17, 18, 19, 20.
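The three internal detection operations named in the claims (artifact persistence, artifact decoy, artifact integrity), modelled over a constructed in-memory environment as an added illustration; this is not the patent holder's or any product's code. `Environment`, `persistence_check`, `decoy_check`, `integrity_check` and `notify_infected` are assumed names, and the `observe` callback stands in for whatever changes the device state while the detector waits.

```python
"""Model of the claimed internal malware detection operations (added example)."""
import hashlib
import time


class Environment:
    """Constructed stand-in for device state; a real agent would watch files,
    registry keys or processes rather than a dict of path -> bytes."""
    def __init__(self, artifacts):
        self.artifacts = dict(artifacts)
        self.blocked = set()   # client ids whose traffic network devices now block


def fingerprint(data):
    return hashlib.sha256(data).hexdigest()


def notify_infected(env, client_id):
    """Notification step from the claims: network devices block the client."""
    env.blocked.add(client_id)
    return {"client": client_id, "infected": True}


def persistence_check(env, path, client_id, threshold, observe):
    """Artifact persistence operation: delete the artifact (modifying the
    environment), then watch for it to be recreated within `threshold` seconds."""
    if path not in env.artifacts:
        return None
    del env.artifacts[path]
    deadline = time.monotonic() + threshold
    while time.monotonic() < deadline:
        observe(env)                      # let the environment change over time
        if path in env.artifacts:         # recreated: behaviour indicative of infection
            return notify_infected(env, client_id)
        time.sleep(0.005)
    return None                           # not recreated within the threshold


def decoy_check(env, path, client_id, observe):
    """Artifact decoy operation: plant a known artifact and detect tampering."""
    decoy = b"decoy:" + path.encode()
    env.artifacts[path] = decoy
    observe(env)
    return notify_infected(env, client_id) if env.artifacts.get(path) != decoy else None


def integrity_check(env, path, baseline_hash, client_id):
    """Artifact integrity operation: a protected artifact no longer matches its
    recorded baseline hash, i.e. it was modified in a particular manner."""
    if fingerprint(env.artifacts.get(path, b"")) != baseline_hash:
        return notify_infected(env, client_id)
    return None
```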
Specification