Mitigation of anti-sandbox malware techniques

US 9,917,859 B2
Filed: 11/02/2015
Issued: 03/13/2018
Est. Priority Date: 10/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing a plurality of available sandbox environments including at least one dedicated hardware sandbox environment and at least one virtual machine sandbox environment;

performing a static analysis of a sample of a software object using one or more signatures of one or more known malware objects; and

when the static analysis identifies an anti-sandbox component, selecting a dedicated hardware sandbox environment from among the plurality of available sandbox environments to process the software object for malware testing.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.

Citations

18 Claims

1. A method comprising:
- providing a plurality of available sandbox environments including at least one dedicated hardware sandbox environment and at least one virtual machine sandbox environment;
  
  performing a static analysis of a sample of a software object using one or more signatures of one or more known malware objects; and
  
  when the static analysis identifies an anti-sandbox component, selecting a dedicated hardware sandbox environment from among the plurality of available sandbox environments to process the software object for malware testing.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the plurality of available sandbox environments includes a sandbox with a predetermined operating system.
  - 3. The method of claim 1 wherein the plurality of available sandbox environments includes a sandbox with a predetermined software configuration.
  - 4. The method of claim 1 wherein the plurality of available sandbox environments includes a virtual sandbox instrumented to detect at least one known anti-sandbox component.
  - 5. The method of claim 1 wherein the one or more known malware objects include at least one of a virtual environment detection component, a sandbox detection component, a hardware-specific exploit, and a software-specific exploit.
  - 6. The method of claim 5 wherein the one or more known malware objects include at least one of an operating system exploit and an application exploit.

7. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- providing a plurality of available sandbox environments including at least one dedicated hardware sandbox environment and at least one virtual machine sandbox environment;
  
  performing a static analysis of a sample of a software object using one or more signatures of one or more known malware objects; and
  
  when the static analysis identifies an anti-sandbox component, selecting a dedicated hardware sandbox environment from among the plurality of available sandbox environments to process the software object for malware testing.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer program product of claim 7 wherein the plurality of available sandbox environments includes a sandbox with a predetermined operating system.
  - 9. The computer program product of claim 7 wherein the plurality of available sandbox environments includes a sandbox with a predetermined software configuration.
  - 10. The computer program product of claim 7 wherein the plurality of available sandbox environments includes a virtual sandbox instrumented to detect at least one known anti-sandbox component.
  - 11. The computer program product of claim 7 wherein the one or more known malware objects include at least one of a virtual environment detection component, a sandbox detection component, a hardware-specific exploit, and a software-specific exploit.
  - 12. The computer program product of claim 11 wherein the one or more known malware objects include at least one of an operating system exploit and an application exploit.
  - 13. The computer program product of claim 7 wherein the one or more computing devices include at least one of an endpoint, a web gateway, an electronic mail gateway, a firewall, and a threat management facility.

14. A system comprising:
- a computing device coupled to a network;
  
  a processor; and
  
  a memory bearing computer executable code configured to be executed by the processor to cause the computing device to perform the steps of performing a static analysis of a sample of a software object using one or more signatures of one or more known malware objects; and
  
  when the static analysis identifies an anti-sandbox component, selecting a dedicated hardware sandbox environment from among a plurality of available sandbox environments including the dedicated hardware sandbox environment and one or more software sandbox environments to process the software object for malware testing.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14 wherein the computing device includes an electronic mail gateway to an enterprise network.
  - 16. The system of claim 14 wherein the computing device includes an endpoint in an enterprise network.
  - 17. The system of claim 14 wherein the computing device includes a firewall to an enterprise network.
  - 18. The system of claim 14 wherein the computing device includes a threat management facility for an enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Harris, Mark David, Stutz, Daniel, Lynch, Vincent Kevin
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US14/929,910
Publication Number

US 20170109528A1
Time in Patent Office

862 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Mitigation of anti-sandbox malware techniques

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation of anti-sandbox malware techniques

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links