Mitigation of anti-sandbox malware techniques
Abstract
Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.
Claims (20)

1. A method for configuring a sandbox for malware testing, the method comprising:
- performing a reputation analysis of a sample of a software object to detect a known, safe software object that can be executed without further analysis; and
- when the software object is determined, using the reputation analysis, to be other than safe, performing the steps of:
  - determining a configuration of a target endpoint for the software object;
  - configuring a first sandbox to match the configuration of the target endpoint;
  - forwarding the software object to the first sandbox for execution; and
  - transferring the software object to at least one additional sandbox for further testing when the software object cannot confidently be categorized as safe or unsafe by the first sandbox.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A computer program product for configuring a sandbox for malware testing, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- performing a reputation analysis of a sample of a software object to detect a known, safe software object that can be executed without further analysis; and
- when the software object is determined, using the reputation analysis, to be other than safe, performing the steps of:
  - determining a configuration of a target endpoint for the software object;
  - configuring a first sandbox to match the configuration of the target endpoint;
  - forwarding the software object to the first sandbox for execution; and
  - transferring the software object to at least one additional sandbox for further testing when the software object cannot confidently be categorized as safe or unsafe by the first sandbox.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17.

18. A system comprising:
- a computing device coupled to a network;
- a processor; and
- a memory bearing computer executable code configured to be executed by the processor to cause the computing device to perform the steps of:
  - performing a reputation analysis of a sample of a software object to detect a known, safe software object that can be executed without further analysis, and
  - when the software object is determined, using the reputation analysis, to be other than safe, performing the steps of determining a configuration of a target endpoint for the software object, configuring a first sandbox to match the configuration of the target endpoint, and forwarding the software object to the first sandbox for execution, and transferring the software object to at least one additional sandbox for further testing when the software object cannot confidently be categorized as safe or unsafe by the first sandbox.
Dependent claims: 19, 20.
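The three independent claims and the abstract together describe one pipeline: a reputation lookup that short-circuits known-good objects, a first sandbox whose configuration is copied from the target endpoint, and a hand-off to further sandboxes (typed by whatever anti-sandbox indicators static analysis found) when the first run cannot categorize the object confidently. The following Python is an added illustration of that control flow, not code from the patent or its assignee. The hash allow-list, the static-analysis feature labels (`vm_artifact_probe`, `extended_sleep`, `user_interaction_wait`), the sandbox kinds, the 0.80 confidence threshold, the fallback to a `bare_metal` sandbox, and every simulated sandbox verdict are constructed assumptions.

```python
"""Sandbox orchestration in the shape of claim 1 and the abstract (added
example, not the patent's own code).  Every hash, feature label, sandbox
kind, threshold and simulated verdict below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Callable

CONFIDENCE_THRESHOLD = 0.80  # assumption: below this a verdict is "not confident"


@dataclass(frozen=True)
class EndpointConfig:
    os: str
    arch: str
    apps: frozenset


@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes
    target: EndpointConfig          # the endpoint this object was headed for
    static_features: frozenset      # output of a hypothetical static analyzer


@dataclass(frozen=True)
class Sandbox:
    kind: str                       # "generic", "bare_metal", "long_run", ...
    config: EndpointConfig          # must mirror the target endpoint


# Constructed reputation store: objects the organisation already trusts.
KNOWN_GOOD = b"constructed known-good installer bytes"
SAFE_HASHES = {hashlib.sha256(KNOWN_GOOD).hexdigest()}

# Static-analysis indicator category -> sandbox type chosen to neutralise it.
# Labels are constructed, not the patent's terms.
ESCALATION_KIND = {
    "vm_artifact_probe": "bare_metal",       # object looks for hypervisor traces
    "extended_sleep": "long_run",            # object stalls past a short window
    "user_interaction_wait": "interactive",  # object waits for a human
}
FALLBACK_KIND = "bare_metal"  # assumption: always have one more sandbox to try


def reputation_is_safe(sample: Sample) -> bool:
    return hashlib.sha256(sample.content).hexdigest() in SAFE_HASHES


def determine_endpoint_config(sample: Sample) -> EndpointConfig:
    # A deployment would query an endpoint inventory; here the sample carries it.
    return sample.target


def sandbox_chain(sample: Sample, config: EndpointConfig) -> list:
    """First sandbox, then one per anti-sandbox indicator, then a fallback."""
    kinds = ["generic"]
    for feat in sorted(sample.static_features):
        kind = ESCALATION_KIND.get(feat)
        if kind and kind not in kinds:
            kinds.append(kind)
    if FALLBACK_KIND not in kinds:
        kinds.append(FALLBACK_KIND)
    return [Sandbox(k, config) for k in kinds]


Verdict = tuple            # ("safe" | "unsafe", confidence in [0, 1])
Executor = Callable[[Sample, Sandbox], Verdict]


def analyze(sample: Sample, execute: Executor) -> dict:
    """Run the claim-1 flow; 'path' records which stages were actually used."""
    if reputation_is_safe(sample):
        return {"verdict": "safe", "confidence": 1.0, "path": ["reputation"]}
    config = determine_endpoint_config(sample)
    path, verdict, conf = [], "inconclusive", 0.0
    for sandbox in sandbox_chain(sample, config):
        assert sandbox.config == config   # every sandbox matches the target
        verdict, conf = execute(sample, sandbox)
        path.append(sandbox.kind)
        if conf >= CONFIDENCE_THRESHOLD:  # confidently categorized: stop here
            break
    if conf < CONFIDENCE_THRESHOLD:       # chain exhausted without confidence
        verdict = "inconclusive"
    return {"verdict": verdict, "confidence": conf, "path": path}


# Constructed simulated outcomes keyed by (sample name, sandbox kind).
SIMULATED = {
    ("dropper.exe", "generic"): ("safe", 0.55),      # hides inside a VM
    ("dropper.exe", "bare_metal"): ("unsafe", 0.97),
    ("notes.docm", "generic"): ("safe", 0.91),
    ("odd.bin", "generic"): ("safe", 0.50),
    ("odd.bin", "bare_metal"): ("safe", 0.60),       # still not confident
}


def simulated_execute(sample: Sample, sandbox: Sandbox) -> Verdict:
    return SIMULATED.get((sample.name, sandbox.kind), ("inconclusive", 0.0))


WIN10 = EndpointConfig("windows-10", "x64", frozenset({"office-2019"}))


def demo() -> dict:
    samples = [
        Sample("installer.exe", KNOWN_GOOD, WIN10, frozenset()),
        Sample("dropper.exe", b"constructed bytes", WIN10, frozenset({"vm_artifact_probe"})),
        Sample("notes.docm", b"constructed macro doc", WIN10, frozenset()),
        Sample("odd.bin", b"constructed blob", WIN10, frozenset()),
    ]
    return {s.name: analyze(s, simulated_execute) for s in samples}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

Two points the claims leave implicit are made explicit here: the escalation chain is ordered by the static-analysis indicators so the second sandbox is the type most likely to defeat the evasion that was spotted, and a sample that exhausts the chain without a confident verdict is reported as inconclusive rather than silently labelled safe.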