Virus detection by executing electronic message code in a virtual machine

US 9,652,613 B1
Filed: 04/30/2008
Issued: 05/16/2017
Est. Priority Date: 01/17/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting whether executable code associated with electronic messages is harmful, the method comprising:

detecting that an electronic message includes executable code, the electronic message designating a destination email address;

identifying, for the electronic message, by executing an instruction with a processor, two or more destination computing systems corresponding to the destination email address specified in the electronic message prior to delivery of the electronic message to the two or more destination computing systems, the two or more destination computing systems including a first destination computing system and a second destination computing system different from the first destination computing system;

selecting, by executing an instruction with the processor, a first simulation environment among a plurality of simulation environments based on a first environment of the first destination computing system;

selecting, by executing an instruction with the processor, a second simulation environment among the plurality of simulation environments based on a second environment of the second destination computing system, the second simulation environment different from the first simulation environment;

executing the executable code in the first simulation environment and the second simulation environment;

determining, by executing an instruction with the processor, whether the executable code is harmful in at least one of the two or more destination computing systems by monitoring for a viral action in response to execution of the executable code in the first simulation environment and the second simulation environment; and

delivering the electronic message to the destination email address if the executable code is not harmful in the at least one of the two or more destination computing systems.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intermediary isolation server receives electronic messages and isolates any viral behavior from harming its intended destination. After the intermediary receives an electronic message, it determines that the electronic message has associated executable code, and then identifies the environment in which the electronic message code would be executed if delivered. The intermediary then executes the code by emulating how it would be executed in its ultimate environment. If a viral-like behavior is detected, appropriate action is taken to prevent the execution of the code at its intended destination. The attachment is executed in a contained environment that allows for the contained environment to be easily restarted in a clean state.

81 Citations

View as Search Results

19 Claims

1. A method for detecting whether executable code associated with electronic messages is harmful, the method comprising:
- detecting that an electronic message includes executable code, the electronic message designating a destination email address;
  
  identifying, for the electronic message, by executing an instruction with a processor, two or more destination computing systems corresponding to the destination email address specified in the electronic message prior to delivery of the electronic message to the two or more destination computing systems, the two or more destination computing systems including a first destination computing system and a second destination computing system different from the first destination computing system;
  
  selecting, by executing an instruction with the processor, a first simulation environment among a plurality of simulation environments based on a first environment of the first destination computing system;
  
  selecting, by executing an instruction with the processor, a second simulation environment among the plurality of simulation environments based on a second environment of the second destination computing system, the second simulation environment different from the first simulation environment;
  
  executing the executable code in the first simulation environment and the second simulation environment;
  
  determining, by executing an instruction with the processor, whether the executable code is harmful in at least one of the two or more destination computing systems by monitoring for a viral action in response to execution of the executable code in the first simulation environment and the second simulation environment; and
  
  delivering the electronic message to the destination email address if the executable code is not harmful in the at least one of the two or more destination computing systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further including flagging the electronic message as having viral executable code when the viral action is detected in the at least one of the two or more destination computing systems.
  - 3. The method of claim 1, further including:
    - determining a sender of the electronic message; and
      
      restricting future electronic message deliveries from the sender when the viral action is detected in the at least one of the two or more destination computing systems.
  - 4. The method of claim 1, further including notifying a receiving user that the electronic message may be harmful, the notifying occurring when the viral action is detected in the at least one of the two or more destination computing systems.
  - 5. The method of claim 1, further including notifying a system administrator that the electronic message may be harmful, the notifying occurring when the viral action is detected in the at least one of the two or more destination computing systems.
  - 6. The method of claim 1, wherein the executable code is an attachment of the electronic message.
  - 7. The method of claim 1, wherein the executable code is embedded within a body of the electronic message.
  - 8. The method of claim 1, wherein the destination email address is a first destination email address, and further including:
    - detecting a second electronic message that includes second executable code, the second electronic message designating a second destination email address;
      
      identifying a third environment of a third destination computing system associated with the second destination email address;
      
      selecting a third simulation environment that simulates the third environment of the third destination computing system;
      
      executing the second executable code in the third simulation environment; and
      
      monitoring for the viral action in response to execution of the second executable code in the third simulation environment.
  - 9. The method of claim 1, further including:
    - determining an operating system running on the first environment of the first destination computing system;
      
      accessing configuration information associated with the first environment of the first destination computing system, the accessed configuration information describing a characteristic of the first environment of the first destination computing system; and
      
      selecting the first simulation environment based on the operating system running on the first environment of the first destination computing system and based on the configuration information associated with the first environment of the first destination computing system.
  - 10. The method of claim 1, further including:
    - identifying client software installed on the first destination computing system; and
      
      selecting the first simulation environment where software representative of the client software is installed.
  - 11. The method of claim 10, further including:
    - accessing configuration information associated with the client software installed on the first destination computing system; and
      
      configuring the software representative of the client software using the configuration information.
  - 12. The method of claim 1, wherein the viral action includes at least one of accessing an address book, modifying a file, or reading a file.
  - 13. The method of claim 1, wherein the viral action includes modifying sector zero of a storage disc or storage device.
  - 14. The method as described in claim 1, wherein the first simulation environment represents a program to be executed by the first destination computing system.

15. A tangible computer-readable storage disc or storage device comprising instructions which, when executed, cause a machine to at least:
- detect that an electronic message designates destination email address and includes executable code;
  
  identify, for the electronic message, two or more destination computing systems corresponding to the destination email address specified in the electronic message prior to delivery of the electronic message to the two or more destination computing systems, the two or more destination computing systems including a first destination computing system and a second destination computing system different from the first destination computing system;
  
  select a first simulation environment among a plurality of simulation environments based on a first environment of the first destination computing system;
  
  select a second simulation environment among the plurality of simulation environments based on a second environment of the second destination computing system, the second simulation environment being different from the first simulation environment;
  
  execute the executable code in the first simulation environment and the second simulation environment; and
  
  determine whether the executable code is harmful in at least one of the two or more destination computing systems by monitoring for a viral action in response to execution of the executable code in the first simulation environment and the second simulation environment; and
  
  deliver the electronic message to the destination email address if the executable code is not harmful in the at least one of the two or more destination computing systems.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The tangible computer-readable storage disc or storage device of claim 15, wherein the instructions, when executed, cause the machine to flag the electronic message as having viral code.
  - 17. The tangible computer-readable storage disc or storage device of claim 15, wherein the instructions, when executed, cause the machine to at least:
    - determine a sender of the electronic message; and
      
      restrict future electronic message deliveries from the sender.
  - 18. The tangible computer-readable storage disc or storage device of claim 15, wherein the instructions, when executed, cause the machine to notify the destination email address or a system administrator that the electronic message may be harmful.
  - 19. The tangible computer-readable storage disc or storage device of claim 15, wherein the destination email address is a first destination email address, and wherein the instructions, when executed, cause the machine to at least:
    - detect a second electronic message that includes a second executable code, the second electronic message designating a second destination email address;
      
      identify a third environment of a third destination computing system associated with the second destination email address;
      
      select a third simulation environment that simulates the third environment of the third destination computing system;
      
      execute the second executable code in the third simulation environment; and
      
      monitor for a viral action in response to execution of the second executable code in the third simulation environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Green, David E., Marsden, Walter L.
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
Lavelle, Gary

Application Number

US12/113,010
Time in Patent Office

3,303 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

G06F 2221/2149   Restricted operating enviro...

Virus detection by executing electronic message code in a virtual machine

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Virus detection by executing electronic message code in a virtual machine

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links