Dynamic content activation for automated analysis of embedded objects
Abstract
According to one embodiment, a threat detection platform is integrated with at least one virtual machine that automatically performs a dynamic analysis of a received document object and monitors the processing during the dynamic analysis. The dynamic analysis includes a detection of embedded objects and may automatically process the embedded objects, while maintaining a context of the embedding, within the virtual machine processing the document object. The virtual machine may monitor the processing of both the document object and the embedded object. The results of the processing may be analyzed to determine whether the document object includes malware and/or a threat level of the document object.
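As an added illustration (not code from the patent or its assignee), the following Python script stands in for the embedded-object discovery step the abstract describes, with a static substitute: instead of querying the running application's document object model through an automation framework interface, it parses a constructed OOXML (.docx) package for embedded OLE objects, reads each object's ProgID (the object-type), the package part its relationship resolves to, and the paragraph in which it appears (its location within the first object, as the later claims on location require), and then selects those whose type falls in an assumed predetermined set that a sandbox would activate in a second application. The sample document, the ACTIVATE_TYPES set and all function names are constructed for this example; in the claimed platform the selected part's bytes would then be launched in the second application inside the monitored virtual machine.

```python
"""Static stand-in for the claimed embedded-object discovery step.

Instead of querying a live document object model through an automation
framework, this parses an OOXML (.docx) package for embedded OLE objects
and reports each object's type (ProgID), storage part and paragraph
location. Added example; not code from the patent or its assignee."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "o": "urn:schemas-microsoft-com:office:office",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "pr": "http://schemas.openxmlformats.org/package/2006/relationships",
}
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Assumed "predetermined set" of object-types worth activating in a second
# application; a real platform would tune this list.
ACTIVATE_TYPES = {"Package", "Word.Document.12", "Excel.Sheet.12", "AcroExch.Document"}


def enumerate_embedded_objects(docx_bytes):
    """Return metadata for each embedded OLE object in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        # Relationship id -> part path, only for oleObject relationships.
        targets = {rel.get("Id"): "word/" + rel.get("Target")
                   for rel in rels.findall("pr:Relationship", NS)
                   if rel.get("Type") == OLE_REL}
        found = []
        body = doc.find("w:body", NS)
        for para_idx, para in enumerate(body.findall("w:p", NS)):
            for ole in para.iter("{%s}OLEObject" % NS["o"]):
                rid = ole.get("{%s}id" % NS["r"])
                part = targets.get(rid)
                if part is None or part not in z.namelist():
                    continue  # dangling reference: nothing to activate
                found.append({
                    "prog_id": ole.get("ProgID"),   # object-type
                    "rel_id": rid,
                    "part": part,                   # where the payload lives
                    "size": z.getinfo(part).file_size,
                    "paragraph": para_idx,          # location in the document
                })
        return found


def select_for_activation(objects, allowed=ACTIVATE_TYPES):
    """Keep only objects whose type is in the predetermined set."""
    return [o for o in objects if o["prog_id"] in allowed]


def build_sample_docx():
    """Constructed minimal .docx: one 'Package' object and one Paint.Picture."""
    document_xml = (
        '<w:document xmlns:w="%(w)s" xmlns:o="%(o)s" xmlns:r="%(r)s" '
        'xmlns:v="urn:schemas-microsoft-com:vml"><w:body>'
        '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
        '<w:p><w:r><w:object><v:shape id="_x0000_i1025"/>'
        '<o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_i1025" '
        'DrawAspect="Icon" ObjectID="_1" r:id="rId2"/></w:object></w:r></w:p>'
        '<w:p><w:r><w:object><v:shape id="_x0000_i1026"/>'
        '<o:OLEObject Type="Embed" ProgID="Paint.Picture" ShapeID="_x0000_i1026" '
        'DrawAspect="Content" ObjectID="_2" r:id="rId3"/></w:object></w:r></w:p>'
        '</w:body></w:document>' % NS
    )
    rels_xml = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="%s" Target="embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId3" Type="%s" Target="embeddings/oleObject2.bin"/>'
        '</Relationships>' % (NS["pr"], OLE_REL, OLE_REL)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        # Placeholder OLE compound-file headers standing in for real payloads.
        z.writestr("word/embeddings/oleObject1.bin",
                   b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
        z.writestr("word/embeddings/oleObject2.bin",
                   b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    objs = enumerate_embedded_objects(build_sample_docx())
    for o in objs:
        print(o)
    for o in select_for_activation(objs):
        print("activate %s from %s (paragraph %d)"
              % (o["prog_id"], o["part"], o["paragraph"]))
```

Two practical points the script makes explicit: an OLEObject whose relationship id does not resolve to a part in the package is skipped rather than treated as an object to activate, and the paragraph index is what lets a sandbox drive the host application to the portion of the document that holds the object instead of walking the entire file. A static parse of this kind also misses objects that only materialize once the application renders the document, which is the gap the patent's live DOM query is meant to close.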
73 Claims
1. A non-transitory computer readable storage medium having stored thereon logic that, upon execution by one or more processors implemented within a network device, performs operations during processing of a first object in a virtual machine, comprising:
    launching the first object in the virtual machine;
    querying a document object model corresponding to an object-type of the first object to determine whether an embedded object is included in the first object;
    responsive to querying the document object model, receiving metadata associated with the embedded object, the metadata including an object-type of the embedded object;
    responsive to determining the object-type of the embedded object is one of a predetermined set of object-types based on the metadata, processing the embedded object in the virtual machine; and
    determining whether at least one of the first object or the embedded object is malicious.
    Dependent claims: 2-12, 31-33.
13. A system for detecting malware during processing of a first object in a virtual machine, the system comprising:
    one or more processors; and
    a storage module communicatively coupled to the one or more processors, the storage module comprising logic executed by the one or more processors, the logic comprising:
        a launcher that launches the first object in a plurality of versions of the first application processed in the virtual machine;
        an identification agent that utilizes an automation framework interface to query a document object model corresponding to the object-type of the first object to determine whether an embedded object is included with the first object and to receive metadata of the embedded object based on the query to the document object model, the metadata including an object-type of the embedded object, the identification agent further selects one version of the plurality of versions of the first application to utilize when (i) querying the document object model and (ii) no suspicious activity is observed within a predetermined amount of time; and
        an activation agent for launching the embedded object in a second application in the virtual machine.
    Dependent claims: 14-18.
19. A computerized method detecting malware associated with a first object being processed in a virtual machine, the method comprising:
    launching the first object in the virtual machine;
    querying a document object model corresponding to an object-type of the first object to determine whether an embedded object is included in the first object;
    receiving metadata associated with the embedded object based on the querying of the document object model, the metadata including an object-type of the embedded object;
    responsive to determining the object-type of the embedded object is one of a predetermined set of object-types based on the metadata, processing the embedded object in the virtual machine; and
    determining whether at least one of the first object or the embedded object is malicious.
    Dependent claims: 20-30.
34. A non-transitory computer readable storage medium having stored thereon logic that, upon execution by one or more processors implemented within a network device, performs operations during processing a first object in a virtual machine, comprising:
    launching the first object in the virtual machine;
    querying a document object model corresponding to an object-type of the first object to determine whether an embedded object is included in the first object;
    responsive to querying the document object model, receiving metadata associated with the embedded object, the metadata including a location of the embedded object within the first object;
    responsive to determining the location of the embedded object based on the metadata, directing processing of the first object to a portion of the first object including the location of the embedded object, the portion of the first object being less than an entirety of the first object;
    processing the embedded object; and
    determining whether at least one of the first object or the embedded object is malicious.
    Dependent claims: 35-46.
47. A system for detecting malware during processing of a first object in a virtual machine, the system comprising:
    one or more processors; and
    a storage module communicatively coupled to the one or more processors, the storage module comprising logic executed by the one or more processors, the logic comprising:
        a launcher that launches the first object in a plurality of versions of the first application processed in the virtual machine;
        an identification agent that utilizes an automation framework interface to query a document object model corresponding to the object-type of the first object to determine whether an embedded object is included with the first object and to receive metadata of the embedded object based on the query to the document object model, the metadata including a location of the embedded object in the first object, the identification agent further selects one version of the plurality of versions of the first application to utilize when (i) querying the document object model and (ii) no suspicious activity is observed within a predetermined amount of time; and
        an activation agent for launching the embedded object in a second application in the virtual machine.
    Dependent claims: 48-60.
61. A computerized method detecting malware associated with a first object being processed in a virtual machine, the method comprising:
    launching the first object in the virtual machine;
    querying a document object model corresponding to an object-type of the first object to determine whether an embedded object is included in the first object;
    responsive to querying the document object model, receiving metadata associated with the embedded object, the metadata including a location of the embedded object;
    responsive to determining the location of the embedded object based on the metadata, directing processing of the first object to a portion of the first object including the location of the embedded object, the portion of the first object being less than an entirety of the first object;
    processing the embedded object; and
    determining whether at least one of the first object or the embedded object is malicious.
    Dependent claims: 62-73.
Specification