Virus detection by executing electronic message code in a virtual machine
Abstract
An intermediary isolation server receives electronic messages and isolates any viral behavior from harming its intended destination. After the intermediary receives an electronic message, it determines that the electronic message has associated executable code, and then identifies the environment in which the electronic message code would be executed if delivered. The intermediary then executes the code by emulating how it would be executed in its ultimate environment. If a viral-like behavior is detected, appropriate action is taken to prevent the execution of the code at its intended destination. The attachment is executed in a contained environment that allows for the contained environment to be easily restarted in a clean state.
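The gating flow the abstract describes can be sketched as follows. This is an added example, not code from the patent: the inventory `DEST_ENVS`, the action names in `VIRAL_ACTIONS`, the magic-byte check and the `run_in_env` callable (a stand-in for a real disposable virtual machine) are all assumptions, and the sample message and sandbox trace are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed inventory: address -> environments of the systems that read that mailbox.
DEST_ENVS = {"alice@example.test": ["win10-outlook", "macos-mail"]}
# Assumed names for behaviours the isolation server treats as viral.
VIRAL_ACTIONS = {"modify_other_executable", "send_mail_to_address_book"}
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!")  # PE, ELF, script shebang

def executable_parts(msg):
    """Return decoded attachment payloads that look like executable code."""
    blobs = [p.get_payload(decode=True) or b"" for p in msg.iter_attachments()]
    return [b for b in blobs if b.startswith(EXEC_MAGIC)]

def screen(raw_bytes, run_in_env):
    """Return (verdict, hits) before the message reaches any destination.

    run_in_env(env_name, code) yields action names observed while the code ran
    in a throwaway simulation of env_name (hypothetical interface).
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blobs = executable_parts(msg)
    if not blobs:
        return "deliver", {}
    envs = DEST_ENVS.get(msg["To"].addresses[0].addr_spec)
    if not envs:
        return "quarantine", {}  # no known environment to emulate: hold it
    hits = {}
    for env in envs:  # one simulation per distinct destination environment
        for code in blobs:
            seen = VIRAL_ACTIONS & set(run_in_env(env, code))
            if seen:
                hits.setdefault(env, set()).update(seen)
    return ("quarantine" if hits else "deliver"), hits

def sample_message(payload):
    # Constructed test message with one binary attachment.
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "bob@example.test", "alice@example.test", "tool"
    m.set_content("see attached")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename="tool.bin")
    return m.as_bytes()

def fake_sandbox(env, code):
    # Constructed trace: the PE sample misbehaves only in the Windows profile.
    if env.startswith("win") and code.startswith(b"MZ"):
        return ["read_own_file", "send_mail_to_address_book"]
    return ["read_own_file"]
```

A message is held if any one of the recipient's environments shows a viral action, which is why a sample that is inert on one platform is still quarantined when it misbehaves on another.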
19 Claims
1. A method for detecting whether executable code associated with electronic messages is harmful, the method comprising:
- detecting that an electronic message includes executable code, the electronic message designating a destination email address;
- identifying, for the electronic message, by executing an instruction with a processor, two or more destination computing systems corresponding to the destination email address specified in the electronic message prior to delivery of the electronic message to the two or more destination computing systems, the two or more destination computing systems including a first destination computing system and a second destination computing system different from the first destination computing system;
- selecting, by executing an instruction with the processor, a first simulation environment among a plurality of simulation environments based on a first environment of the first destination computing system;
- selecting, by executing an instruction with the processor, a second simulation environment among the plurality of simulation environments based on a second environment of the second destination computing system, the second simulation environment different from the first simulation environment;
- executing the executable code in the first simulation environment and the second simulation environment;
- determining, by executing an instruction with the processor, whether the executable code is harmful in at least one of the two or more destination computing systems by monitoring for a viral action in response to execution of the executable code in the first simulation environment and the second simulation environment; and
- delivering the electronic message to the destination email address if the executable code is not harmful in the at least one of the two or more destination computing systems.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14

15. A tangible computer-readable storage disc or storage device comprising instructions which, when executed, cause a machine to at least:
- detect that an electronic message designates destination email address and includes executable code;
- identify, for the electronic message, two or more destination computing systems corresponding to the destination email address specified in the electronic message prior to delivery of the electronic message to the two or more destination computing systems, the two or more destination computing systems including a first destination computing system and a second destination computing system different from the first destination computing system;
- select a first simulation environment among a plurality of simulation environments based on a first environment of the first destination computing system;
- select a second simulation environment among the plurality of simulation environments based on a second environment of the second destination computing system, the second simulation environment being different from the first simulation environment;
- execute the executable code in the first simulation environment and the second simulation environment; and
- determine whether the executable code is harmful in at least one of the two or more destination computing systems by monitoring for a viral action in response to execution of the executable code in the first simulation environment and the second simulation environment; and
- deliver the electronic message to the destination email address if the executable code is not harmful in the at least one of the two or more destination computing systems.

Dependent claims: 16, 17, 18, 19
Specification