Malware protection
First Claim
Patent Images
1. A method of detecting malware in a computer system, the method comprising:
- determining that an executable file should be identified as not being legitimate by determining that an identifier for the executable file is contained in a database relating to executable files;
executing the executable file in a real environment, and providing indications to the executable file that it is being executed within an emulated environment by intercepting a communication between the executable file and the computer system during execution of the executable file, wherein upon executing, the executable file is caused to believe it is being executed in an emulated environment;
monitoring the behaviour of the executable file to determine if the executable file attempts to take an evasive action by at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment;
determining that the executable file, believing that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which a legitimate file is expected to act; and
determining that the executable file is malware.
2 Assignments
0 Petitions
Accused Products
Abstract
According to a first aspect of the present invention there is provided a method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system. The method comprises determining if an executable file should be identified as being legitimate and, if not, executing the executable file while providing indications to the executable file that it is being executed within an emulated computer system.
28 Citations
14 Claims
-
1. A method of detecting malware in a computer system, the method comprising:
-
determining that an executable file should be identified as not being legitimate by determining that an identifier for the executable file is contained in a database relating to executable files; executing the executable file in a real environment, and providing indications to the executable file that it is being executed within an emulated environment by intercepting a communication between the executable file and the computer system during execution of the executable file, wherein upon executing, the executable file is caused to believe it is being executed in an emulated environment; monitoring the behaviour of the executable file to determine if the executable file attempts to take an evasive action by at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; determining that the executable file, believing that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which a legitimate file is expected to act; and determining that the executable file is malware. - View Dependent Claims (2, 3, 4)
-
-
5. A non-transitory computer storage medium having stored thereon a computer program comprising computer program code means that performs all the steps of:
-
determining that an executable file should be identified as not being legitimate by determining that an identifier for the executable file is contained in a database relating to executable files; executing the executable file in a real environment, and providing indications to the executable file that it is being executed within an emulated environment by intercepting a communication between the executable file and the computer system during execution of the executable file, wherein upon executing, the executable file is caused to believe it is being executed in an emulated environment; monitoring the behaviour of the executable file to determine if the executable file attempts to take an evasive action by at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; determining that the executable file, believing that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which a legitimate file is expected to act; and determining that the executable file is malware.
-
-
6. A computer system comprising:
-
at least one processor; and at least one non-transitory memory including computer program code, the at least one processor and computer program code configured to, with the at least one processor, cause the computer system to perform; determining that the executable file should be identified as not being legitimate by determining that an identifier for the executable file is contained in a database relating to executable files, and executing the executable file in a real environment, and providing indications to the executable file that it is being executed within an emulated computer system by intercepting a communication between the executable file and the computer system during execution of the executable file, wherein upon executing, the executable file is caused to believe it is being executed in an emulated environment, monitoring the behaviour of the executable file to determine if the executable file attempts to take an evasive action by at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment, determining that the executable file, believing that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which a legitimate file is expected to act, and determining that the executable file is malware. - View Dependent Claims (7, 8, 9, 10, 11, 12)
-
-
13. An apparatus for detecting potential malware, the apparatus comprising:
-
at least one processor; and at least one non-transitory memory including computer program code, the at least one processor and computer program code configured to, with the at least one processor, cause the apparatus to perform; determining that the executable file should be identified as not being legitimate by determining that an identifier for the executable file is contained in a database relating to executable files, and executing the executable file in a real environment, and providing indications to the executable file that it is being executed within an emulated computer system by intercepting a communication between the executable file and the computer system during execution of the executable file, wherein upon executing, the executable file is caused to believe it is being executed in an emulated environment, monitoring the behaviour of the executable file to determine if the executable file attempts to take an evasive action by at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment, determining that the executable file, believing that it is being executed in the emulated environment, is taking the evasive action by failing to respond in a way in which a legitimate file is expected to act, and determining that the executable file is malware. - View Dependent Claims (14)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeWithsecure Corporation
-
Original AssigneeF-Secure Oyj
-
InventorsNiemel, Jarno, Hyppnen, Mikko, Kangas, Santeri
-
Primary Examiner(s)Armouche, Hadi
-
Assistant Examiner(s)Shayanfar, Ali
-
Application NumberUS12/661,389Publication NumberTime in Patent Office2,444 DaysField of Search726/24, 726/26, 718/1US Class Current1/1CPC Class CodesG06F 21/53 by executing in a restricte...G06F 21/565 by checking file integrityG06F 21/566 Dynamic detection, i.e. det...G06F 21/629 to features or functions of...
