Mitigation of anti-sandbox malware techniques

US 9,942,263 B2
Filed: 11/02/2015
Issued: 04/10/2018
Est. Priority Date: 10/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method for configuring a sandbox for malware testing, the method comprising:

performing a reputation analysis of a sample of a software object to detect a known, safe software object that can be executed without further analysis; and

when the software object is determined, using the reputation analysis, to be other than safe,performing the steps of;

determining a configuration of a target endpoint for the software object;

configuring a first sandbox to match the configuration of the target endpoint;

forwarding the software object to the first sandbox for execution; and

transferring the software object to at least one additional sandbox for further testing when the software object cannot confidently be categorized as safe or unsafe by the first sandbox.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.

Citations

20 Claims

1. A method for configuring a sandbox for malware testing, the method comprising:
- performing a reputation analysis of a sample of a software object to detect a known, safe software object that can be executed without further analysis; and
  
  when the software object is determined, using the reputation analysis, to be other than safe,performing the steps of;
  
  determining a configuration of a target endpoint for the software object;
  
  configuring a first sandbox to match the configuration of the target endpoint;
  
  forwarding the software object to the first sandbox for execution; and
  
  transferring the software object to at least one additional sandbox for further testing when the software object cannot confidently be categorized as safe or unsafe by the first sandbox.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising monitoring execution of the software object in the first sandbox for a presence of a malicious action.
  - 3. The method of claim 1 wherein the configuration includes an application configuration.
  - 4. The method of claim 1 wherein the configuration includes an operating system configuration.
  - 5. The method of claim 1 wherein the configuration includes a hardware configuration.
  - 6. The method of claim 1 wherein determining the configuration of the target endpoint includes querying the target endpoint for configuration information.
  - 7. The method of claim 1 wherein configuring the first sandbox includes creating a new virtual machine corresponding to the configuration of the target endpoint.
  - 8. The method of claim 1 wherein configuring the first sandbox includes installing software on a preexisting virtual machine to match a software configuration of the target endpoint.

9. A computer program product for configuring a sandbox for malware testing, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- performing a reputation analysis of a sample of a software object to detect a known, safe software object that can be executed without further analysis; and
  
  when the software object is determined, using the reputation analysis, to be other than safe,performing the steps of;
  
  determining a configuration of a target endpoint for the software object;
  
  configuring a first sandbox to match the configuration of the target endpoint;
  
  forwarding the software object to the first sandbox for execution; and
  
  transferring the software object to at least one additional sandbox for further testing when the software object cannot confidently be categorized as safe or unsafe by the first sandbox.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The computer program product of claim 9 further comprising code that performs the step of monitoring execution of the software object in the first sandbox for a presence of a malicious action.
  - 11. The computer program product of claim 9 wherein the configuration includes an application configuration.
  - 12. The computer program product of claim 9 wherein the configuration includes an operating system configuration.
  - 13. The computer program product of claim 9 wherein the configuration includes a hardware configuration.
  - 14. The computer program product of claim 9 wherein determining the configuration of the target endpoint includes querying the target endpoint for configuration information.
  - 15. The computer program product of claim 9 wherein configuring the first sandbox includes creating a new virtual machine corresponding to the configuration of the target endpoint.
  - 16. The computer program product of claim 9 wherein configuring the first sandbox includes installing software on a preexisting virtual machine to match a software configuration of the target endpoint.
  - 17. The computer program product of claim 9 wherein the one or more computing devices include at least one of an endpoint, a web gateway, an electronic mail gateway, a firewall, and a threat management facility.

18. A system comprising:
- a computing device coupled to a network;
  
  a processor; and
  
  a memory bearing computer executable code configured to be executed by the processor to cause the computing device to perform the steps of performing a reputation analysis of a sample of a software object to detect a known, safe software object that can be executed without further analysis, and when the software object is determined, using the reputation analysis, to be other than safe, performing the steps of determining a configuration of a target endpoint for the software object, configuring a first sandbox to match the configuration of the target endpoint, and forwarding the software object to the first sandbox for execution, and transferring the software object to at least one additional sandbox for further testing when the software object cannot confidently be categorized as safe or unsafe by the first sandbox.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18 wherein the computing device is a network enterprise endpoint.
  - 20. The system of claim 18 wherein the computing device includes at least one of a web gateway, an electronic mail gateway, a firewall, and a threat management facility.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Kraft, Chris Douglas
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US14/929,966
Publication Number

US 20170109529A1
Time in Patent Office

890 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Mitigation of anti-sandbox malware techniques

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation of anti-sandbox malware techniques

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links