Malware detection using internal and/or external malware detection operations
First Claim
1. A system, comprising:
one or more processors to:
determine to perform an internal malware detection operation and an external malware detection operation that detects malware executing on a client device;
perform the internal malware detection operation, the internal malware detection operation including modifying an environment, to form a modified environment, the internal malware detection operation including an artifact persistence operation to delete stored information and determine whether the deleted stored information has been recreated;
perform the external malware detection operation, the external malware detection operation including performing a communication with another device;
monitor the modified environment for a first behavior indicative of the malware executing on the client device without monitoring the communication with the other device, the first behavior including the deleted stored information being recreated within a threshold amount of time;
recreate the deleted stored information if the deleted stored information is not recreated within the threshold amount of time;
monitor a result of performing the communication for a second behavior indicative of the malware executing on the client device;
detect that the first behavior or the second behavior has occurred based on monitoring the modified environment and monitoring the result, the first behavior being detected if the deleted stored information is recreated within the threshold amount of time;
determine that the client device is infected with malware based on detecting the first behavior or the second behavior has occurred, the client device being determined to be infected with malware if the deleted stored information is recreated within the threshold amount of time; and
provide a notification that the client device is infected with the malware based on determining that the client device is infected with malware, the notification causing one or more network devices to block network traffic to or from the client device.
Abstract
A system may determine to perform an internal and an external malware detection operation to detect a malware infection associated with a client device. The system may perform the internal operation by modifying an environment, executing on a particular device, to form a modified environment. The system may perform the external operation by performing a communication from the particular device. The system may monitor the modified environment for a first behavior indicative of the malware infection, and may monitor a result of performing the communication for a second behavior indicative of the malware infection. The system may detect that the first or second behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the first or second behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.
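The artifact persistence operation from claim 1 (delete stored information, watch whether it is recreated within a threshold, restore it otherwise) combined with the external communication check and the blocking notification, as an added illustration that is not code from the patent. The in-memory `Environment`, the `tick` hook, the `watchdog` stand-in and the "observed differs from expected" form of the second behavior are all assumptions made for this example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Environment:
    # Constructed stand-in for the client's stored information (e.g. an autorun entry).
    store: dict = field(default_factory=dict)


def artifact_persistence_check(env: Environment, key: str, threshold_s: float,
                               tick: Optional[Callable[[Environment], None]] = None,
                               poll_s: float = 0.005) -> bool:
    """Internal operation: delete the artifact and watch the modified environment for
    it being recreated within the threshold (the first behavior). If nothing recreates
    it, restore the original value so a clean host is left unchanged."""
    original = env.store.pop(key, None)
    deadline = time.monotonic() + threshold_s
    while time.monotonic() < deadline:
        if tick is not None:
            tick(env)  # assumed hook: lets other software act during the window
        if key in env.store:
            return True
        time.sleep(poll_s)
    if original is not None:
        env.store[key] = original
    return False


def external_communication_check(observed: str, expected: str) -> bool:
    """External operation: compare a communication's result with the expected value (assumed)."""
    return observed != expected


def assess(client_id: str, internal_hit: bool, external_hit: bool) -> Optional[dict]:
    """Infection decision plus the notification that asks network devices to block
    the client's traffic; None when neither behavior was observed."""
    if not (internal_hit or external_hit):
        return None
    reasons = [name for name, hit in (("artifact_recreated", internal_hit),
                                      ("communication_anomaly", external_hit)) if hit]
    return {"client": client_id, "infected": True, "reasons": reasons,
            "action": "block_traffic"}


def watchdog(env: Environment) -> None:
    # Constructed stand-in for a persistence mechanism that rewrites its own artifact.
    env.store.setdefault("autorun", "payload.exe")
```

On a real host the same loop would watch a file, registry value or scheduled task rather than a dict, and the threshold should be long enough to cover the watchdog's own polling interval, or a clean result is meaningless.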
19 Claims
1. A system, comprising: (independent claim 1 as reproduced above under First Claim; dependent claims 2, 3, 4, 5, 6, 7)
8. A computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors of a particular device, cause the one or more processors to:
determine to perform an internal malware detection operation and an external malware detection operation that detects malware executing on a client device;
perform the internal malware detection operation, the internal malware detection operation including modifying an environment, to form a modified environment;
perform the external malware detection operation, the internal malware detection operation including an artifact persistence operation to delete stored information and determine whether the deleted stored information has been recreated; the external malware detection operation including performing a communication with another device;
monitor the modified environment for a first behavior indicative of the malware executing on the client device without monitoring the communication with the other device, the first behavior including the deleted stored information being recreated within a threshold amount of time;
recreate the deleted stored information if the deleted stored information is not recreated within the threshold amount of time;
monitor a result of performing the communication for a second behavior indicative of the malware executing on the client device;
detect that the first behavior or the second behavior has occurred based on monitoring the modified environment and monitoring the result, the first behavior being detected if the deleted stored information is recreated within the threshold amount of time;
determine that the client device is infected with malware based on detecting the first behavior or the second behavior has occurred, the client device being determined to be infected with malware if the deleted stored information is recreated within the threshold amount of time; and
provide a notification that the client device is infected with the malware based on determining that the client device is infected with malware, the notification causing one or more network devices to block network traffic to or from the client device.
(Dependent claims 9, 10, 11, 12, 13, 14)
15. A method, comprising:
determining, by a particular device, to perform an internal malware detection operation and an external malware detection operation that detects malware executing on a client device;
performing, by the particular device, the internal malware detection operation, the internal malware detection operation including modifying an environment, to form a modified environment; the internal malware detection operation including an artifact persistence operation to delete stored information and determine whether the deleted stored information has been recreated;
performing, by the particular device, the external malware detection operation, the external malware detection operation including performing a communication with another device;
monitoring, by the particular device, the modified environment for a first behavior indicative of the malware executing on the client device without monitoring the communication with the other device, the first behavior including the deleted stored information being recreated within a threshold amount of time;
monitoring, by the particular device, a result of performing the communication for a second behavior indicative of the malware executing on the client device;
detecting, by the particular device, that the first behavior or the second behavior has occurred based on monitoring the modified environment and monitoring the result, the first behavior being detected if the deleted stored information is recreated within the threshold amount of time;
recreating, by the particular device, the deleted stored information if the deleted stored information is not recreated within the threshold amount of time;
determining, by the particular device, that the client device is infected with malware based on detecting the first behavior or the second behavior has occurred, the client device being determined to be infected with malware if the deleted stored information is recreated within the threshold amount of time; and
providing, by the particular device, a notification that the client device is infected with the malware based on determining that the client device is infected with malware, the notification causing one or more network devices to block network traffic to or from the client device.
(Dependent claims 16, 17, 18, 19)