Malware protection
Abstract
According to a first aspect of the present invention there is provided a method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system. The method comprises determining if an executable file should be identified as being legitimate and, if not, executing the executable file while providing indications to the executable file that it is being executed within an emulated computer system.
13 Claims
1. A method of detecting malware in a computer system, the method comprising:
determining that an executable file should be identified as not being legitimate by inspecting a database containing identifiers of legitimate and/or not legitimate executable files;
executing the executable file in an emulated environment;
monitoring the behaviour of the executable file to determine that the executable file, aware that it is being executed in the emulated environment, is taking evasive action by failing to respond in a way in which it would be expected to act when executed in a real environment, wherein the evasive action comprises at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; and
determining that the executable file is malware.
Dependent claims: 2, 3, 4.

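The flow the abstract and claim 1 describe (look the file up in a database of known-legitimate and known-bad identifiers; if it is not known-legitimate, run it in an emulator and read the absence of behaviour the program is equipped for as evasion), as an added Python example. This is not code from the patent or from any product: the SHA-256 database, the list of hooked Windows APIs, and the emulation reports are all constructed here, and using the binary's import table as the yardstick for what it "would be expected" to do is an assumption of this example, not something the claims specify.

```python
import hashlib
from dataclasses import dataclass

# Constructed hash database (stand-in for a real allow/deny feed). The claim only
# requires that the file is looked up here before it is emulated.
LEGITIMATE_HASHES = {hashlib.sha256(b"constructed: signed vendor updater").hexdigest()}
MALICIOUS_HASHES = {hashlib.sha256(b"constructed: known dropper").hexdigest()}

# The three behaviours the claim names as "expected" of a real program, keyed to
# the Windows APIs an emulator would hook to observe them (assumed hook list).
EXPECTED_BEHAVIOURS = {
    "internet_access": {"InternetOpenA", "InternetOpenW", "WinHttpOpen", "WSAStartup", "connect"},
    "notification": {"MessageBoxA", "MessageBoxW", "Shell_NotifyIconA", "Shell_NotifyIconW"},
    "environment_probe": {"GetSystemInfo", "GetComputerNameA", "GetVolumeInformationA", "GetUserNameA"},
}


@dataclass(frozen=True)
class EmulationReport:
    """What the emulator hands back after running one sample (constructed here)."""
    sha256: str
    imports: frozenset   # API names in the binary's import table (static view)
    calls: tuple         # API names actually invoked inside the emulator, in order


def lookup(sha256: str) -> str:
    """Step 1 of the claim: consult the identifier database."""
    if sha256 in LEGITIMATE_HASHES:
        return "legitimate"
    if sha256 in MALICIOUS_HASHES:
        return "malicious"
    return "unknown"


def evasive_behaviours(report: EmulationReport) -> frozenset:
    """Expected behaviours the sample is equipped for but never exercised.

    The import table supplies the expectation (an assumption of this example): a
    binary that imports no network API is not 'failing' to use the Internet, it
    simply never needed it, so only behaviours it imports the APIs for can count.
    """
    called = set(report.calls)
    return frozenset(
        name for name, apis in EXPECTED_BEHAVIOURS.items()
        if apis & report.imports and not apis & called
    )


def detect(report: EmulationReport) -> tuple:
    """Database first, emulator evidence second. Returns (verdict, missing behaviours)."""
    verdict = lookup(report.sha256)
    if verdict == "legitimate":
        return ("legitimate", frozenset())
    if verdict == "malicious":           # shortcut: no need to emulate a known-bad file
        return ("malware", frozenset())
    missing = evasive_behaviours(report)
    if missing:                           # claim: "at least one of" the three is enough
        return ("malware", missing)
    return ("undetermined", missing)


def constructed_reports() -> dict:
    """Four made-up emulation reports covering the cases the heuristic has to handle."""
    return {
        # allow-listed: never emulated
        "updater": EmulationReport(
            hashlib.sha256(b"constructed: signed vendor updater").hexdigest(),
            frozenset({"InternetOpenA", "MessageBoxA"}), ()),
        # deny-listed: flagged from the database alone
        "dropper": EmulationReport(
            hashlib.sha256(b"constructed: known dropper").hexdigest(),
            frozenset({"InternetOpenA"}), ()),
        # unknown; imports network, UI and probe APIs but only checks for a debugger and exits
        "dormant": EmulationReport(
            hashlib.sha256(b"constructed: dormant sample").hexdigest(),
            frozenset({"InternetOpenA", "HttpSendRequestA", "MessageBoxA", "GetSystemInfo", "IsDebuggerPresent"}),
            ("GetModuleHandleA", "IsDebuggerPresent", "Sleep", "ExitProcess")),
        # unknown; exercises everything it imports, so nothing is "missing"
        "chatty": EmulationReport(
            hashlib.sha256(b"constructed: ordinary installer").hexdigest(),
            frozenset({"InternetOpenA", "MessageBoxA", "GetSystemInfo"}),
            ("GetSystemInfo", "InternetOpenA", "MessageBoxA", "ExitProcess")),
        # unknown; a file copier that imports none of the expected APIs must not be flagged
        "offline_tool": EmulationReport(
            hashlib.sha256(b"constructed: offline file tool").hexdigest(),
            frozenset({"CreateFileA", "WriteFile", "CloseHandle"}),
            ("CreateFileA", "WriteFile", "CloseHandle", "ExitProcess")),
    }


if __name__ == "__main__":
    for name, report in constructed_reports().items():
        verdict, missing = detect(report)
        print(f"{name:13s} {verdict:13s} {sorted(missing)}")
```

Note the aggressiveness the claim language permits: "at least one of" means a single unexercised behaviour is enough for a malware verdict, so a tool that imports WinINet for an optional update check it never runs during a short emulation would be flagged too. That is why the abstract pairs this with deliberately presenting the file with indications that it is being emulated: the point is to make evasive code reveal itself by going dormant, and a practitioner would weight such a verdict against how long the sample ran and what else it did.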
5. A non-transitory computer storage medium having stored thereon a computer program comprising computer program code means that performs:
determining that an executable file should be identified as not being legitimate by inspecting a database containing identifiers of legitimate and/or not legitimate executable files;
executing the executable file in an emulated environment;
monitoring the behaviour of the executable file to determine that the executable file, aware that it is being executed in the emulated environment, is taking evasive action by failing to respond in a way in which it would be expected to act when executed in a real environment, wherein the evasive action comprises at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; and
determining that the executable file is malware.

6. A computer system comprising:
at least one processor; and
at least one non-transitory memory including computer program code, the at least one processor and computer program code configured to, with the at least one processor, cause the computer system to perform:
determining that an executable file should be identified as not being legitimate by inspecting a database containing identifiers of legitimate and/or not legitimate executable files;
executing the executable file in an emulated computer system;
monitoring the behaviour of the executable file to determine that the executable file, aware that it is being executed in the emulated environment, is taking evasive action by failing to respond in a way in which it would be expected to act when executed in a real environment, wherein the evasive action comprises at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; and
determining that the executable file is malware.
Dependent claims: 7, 8, 9, 10, 11, 12.

13. An apparatus for detecting potential malware, the apparatus comprising:
at least one processor; and
at least one non-transitory memory including computer program code, the at least one processor and computer program code configured to, with the at least one processor, cause the apparatus to perform:
determining that an executable file should be identified as not being legitimate by inspecting a database containing identifiers of legitimate and/or not legitimate executable files;
executing the executable file in an emulated computer system;
monitoring the behaviour of the executable file to determine that the executable file, aware that it is being executed in the emulated environment, is taking evasive action by failing to respond in a way in which it would be expected to act when executed in a real environment, wherein the evasive action comprises at least one of failing to request access to the Internet, failing to attempt to provide a notification, and failing to attempt to collect information relating to the emulated environment; and
determining that the executable file is malware.