Methods for detecting file altering malware in VM based analysis
First Claim
1. A system comprising:
- one or more processors; and
- a storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising:
  - receiving a configuration file and an object by a virtual machine, the virtual machine including a file system;
  - placing a lure file within the file system according to information of the configuration file;
  - selectively modifying a name of the lure file;
  - processing the object within the virtual machine; and
  - determining whether the object exhibits file altering behavior based on a comparison of one or more actions performed while processing the object that are associated with the lure file and one or more known file activity patterns.
Abstract
According to one embodiment, a threat detection platform is integrated with at least one virtual machine that automatically performs a dynamic analysis of a received object and monitors the processing during the dynamic analysis for a change to a file system within the virtual machine wherein the change involves a lure file placed in the file system. The file system is configured based on a received configuration file. Upon detection of a change in the file system associated with a lure file, the changes associated with the lure file during processing are compared to known file activity patterns of changes caused by file altering malware to determine whether the object includes file altering malware.
29 Claims
1. A system comprising: (independent claim, reproduced in full under First Claim above). Dependent claims: 2 to 15.
16. A non-transitory computer readable medium that includes logic that, when executed by one or more processors, performs operations comprising:
- receiving a configuration file and an object by a virtual machine, the virtual machine including a file system;
- placing a lure file within the file system according to information of the configuration file;
- selectively modifying a name of the lure file;
- processing the object within the virtual machine; and
- determining that the object includes file altering malware when one or more actions performed while processing the object that are associated with the lure file match a known pattern.

Dependent claims: 17 to 23.
24. A computerized method comprising:
- receiving a configuration file and an object by a virtual machine, the virtual machine including a file system;
- placing a lure file within the file system according to information of the configuration file;
- selectively modifying a name of the lure file;
- processing the object within the virtual machine; and
- determining that the object includes file altering malware when one or more actions performed while processing the object that are associated with the lure file match a known pattern.

Dependent claims: 25 to 29.
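The abstract and the independent claims describe one detection flow: seed lure files into the sandbox file system from a configuration file, vary their names so the object cannot fingerprint the decoys, run the object, and compare the actions that touched a lure file against known file-altering patterns. The following Python simulation is an added example and not the patent's own code or any product's implementation. The file system is an in-memory dict, the "object" is a constructed behavior function that chooses operations from a directory listing, and every name here (LURE_CONFIG, place_lure_files, run_object, KNOWN_PATTERNS, analyze_object) plus the config format and the three patterns are assumptions made for the example.

```python
"""Lure-file detection of file-altering behavior in a simulated sandbox VM (added example)."""
import math
from collections import Counter
from random import Random

# Constructed configuration file (assumed format): where each lure goes and
# whether its name should be varied ("selectively modifying a name of the lure file").
LURE_CONFIG = {
    "lures": [
        {"dir": "C:/Users/victim/Documents", "name": "budget.xlsx", "randomize_name": True},
        {"dir": "C:/Users/victim/Pictures", "name": "holiday.jpg", "randomize_name": False},
    ]
}
DECOY_BODY = b"Quarterly figures: revenue 1200, costs 900, margin 25%.\n" * 8  # low-entropy decoy content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit well below 6, encrypted output approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def place_lure_files(fs: dict, config: dict, rng: Random) -> set:
    """Write lure files into the simulated file system and return their paths."""
    lures = set()
    for entry in config["lures"]:
        name = entry["name"]
        if entry["randomize_name"]:
            stem, ext = name.rsplit(".", 1)
            name = f"{stem}_{rng.randrange(1000, 9999)}.{ext}"  # vary the stem, keep the extension
        path = f'{entry["dir"]}/{name}'
        fs[path] = DECOY_BODY
        lures.add(path)
    return lures


def run_object(fs: dict, behavior, lures: set) -> list:
    """'Process' the object: replay the operations it chooses from a directory listing
    and keep only the actions associated with a lure file (renamed lures stay tracked)."""
    lure_actions = []
    for op in behavior(sorted(fs)):
        rec = dict(op)
        if op["op"] == "write":
            rec["before"] = fs.get(op["path"], b"")  # content before the overwrite
            fs[op["path"]] = op["data"]
        elif op["op"] == "rename":
            fs[op["new_path"]] = fs.pop(op["path"])
            if op["path"] in lures:
                lures.add(op["new_path"])
        elif op["op"] == "delete":
            fs.pop(op["path"], None)
        if op["path"] in lures:
            lure_actions.append(rec)
    return lure_actions


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1]


# Known file activity patterns (constructed for the example), each a predicate
# over the lure-associated actions recorded while the object ran.
KNOWN_PATTERNS = {
    "high_entropy_overwrite": lambda acts: any(
        a["op"] == "write" and shannon_entropy(a["before"]) < 6.0 and shannon_entropy(a["data"]) > 7.0
        for a in acts),
    "extension_change_rename": lambda acts: any(
        a["op"] == "rename" and _ext(a["new_path"]) != _ext(a["path"]) for a in acts),
    "write_then_delete": lambda acts: any(a["op"] == "write" for a in acts)
    and any(a["op"] == "delete" for a in acts),
}


def analyze_object(config: dict, behavior, seed: int = 0) -> dict:
    """Full flow: configure lures, run the object, match lure actions against known patterns."""
    fs = {}
    lures = place_lure_files(fs, config, Random(seed))
    acts = run_object(fs, behavior, lures)
    matched = [name for name, pred in KNOWN_PATTERNS.items() if pred(acts)]
    return {"file_altering": bool(matched), "matched_patterns": matched,
            "lure_actions": len(acts), "lures": sorted(lures)}


# Constructed behaviors standing in for a submitted object.
FAKE_CIPHERTEXT = bytes(range(256)) * 16  # uniform byte histogram, entropy exactly 8.0


def ransomware_like(listing):
    """Overwrites document-like files with high-entropy data and renames them."""
    ops = []
    for path in listing:
        if path.endswith((".xlsx", ".jpg", ".docx")):
            ops.append({"op": "write", "path": path, "data": FAKE_CIPHERTEXT})
            ops.append({"op": "rename", "path": path, "new_path": path + ".locked"})
    return ops


def benign_reader(listing):
    """Only reads files; touches the lures but alters nothing."""
    return [{"op": "read", "path": p} for p in listing]


if __name__ == "__main__":
    print(analyze_object(LURE_CONFIG, ransomware_like))
    print(analyze_object(LURE_CONFIG, benign_reader))
```

Two design points carry over from the claims: the lure's extension is preserved when its name is varied, because the file types a file-altering object selects are exactly what makes the decoy attractive, and a rename of a lure keeps the new path in the tracked set, so a later overwrite or delete of the renamed file is still attributed to the lure.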