Mitigation of anti-sandbox malware techniques

US 10,135,861 B2
Filed: 11/02/2015
Issued: 11/20/2018
Est. Priority Date: 10/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method of securing an endpoint against malware that contains sandbox detection mechanisms, the method comprising:

receiving a sample of a software object;

performing a first static analysis of the sample using one or more signatures of known malware;

when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint;

when malware is not detected in the first static analysis, performing a reputation analysis of the sample to detect a known, safe software object that can be executed on the endpoint without further analysis;

when a known, safe software object is not detected in the reputation analysis, performing a second static analysis of the sample to detect a component configured to detect one or more aspects of a virtualized environment;

when an anti-sandbox component is detected in the second static analysis, selecting, based on the anti-sandbox component detected in the second static analysis, a least computationally expensive sandbox from a number of different types of sandboxes having different computational costs, and forwarding the sample to the least computationally expensive sandbox for execution and testing; and

when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.

21 Citations

View as Search Results

15 Claims

1. A method of securing an endpoint against malware that contains sandbox detection mechanisms, the method comprising:
- receiving a sample of a software object;
  
  performing a first static analysis of the sample using one or more signatures of known malware;
  
  when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint;
  
  when malware is not detected in the first static analysis, performing a reputation analysis of the sample to detect a known, safe software object that can be executed on the endpoint without further analysis;
  
  when a known, safe software object is not detected in the reputation analysis, performing a second static analysis of the sample to detect a component configured to detect one or more aspects of a virtualized environment;
  
  when an anti-sandbox component is detected in the second static analysis, selecting, based on the anti-sandbox component detected in the second static analysis, a least computationally expensive sandbox from a number of different types of sandboxes having different computational costs, and forwarding the sample to the least computationally expensive sandbox for execution and testing; and
  
  when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the software object is at least one of a file, a document, an application, a media file, and electronic mail, and an item of executable code.
  - 3. The method of claim 1, wherein the sample is all of the software object.
  - 4. The method of claim 1, wherein the sample is a representative portion of the software object.
  - 5. The method of claim 1, wherein the reputation analysis includes an analysis of at least one digital signature of the software object that verifies an origin of the software object.
  - 6. The method of claim 1, wherein the anti-sandbox component includes a component configured to avoid detection within a predetermined sandbox environment.
  - 7. The method of claim 1, wherein the least computationally expensive sandbox includes a hardware sandbox.
  - 8. The method of claim 1, wherein the least computationally expensive sandbox includes a virtual sandbox instrumented to detect at least one known anti-sandbox malware component.
  - 9. The method of claim 1, wherein permitting the software object to be processed on the endpoint includes forwarding the software object from at least one of a web gateway, an electronic mail gateway, a firewall, and a threat management facility.
  - 10. The method of claim 1, wherein permitting the software object to be processed on the endpoint includes releasing the software object from an antivirus engine executing on the endpoint.

11. A computer program product for securing an endpoint against malware that contains sandbox detection mechanisms, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- receiving a sample of a software object;
  
  performing a first static analysis of the sample using one or more signatures of known malware;
  
  when malware is detected in the first static analysis, rejecting a file containing the sample for use on an endpoint;
  
  when malware is not detected in the first static analysis, performing a reputation analysis of the sample to detect a known, safe software object that can be executed on the endpoint without further analysis;
  
  when a known, safe software object is not detected in the reputation analysis, performing a second static analysis of the sample to detect a component configured to detect one or more aspects of a virtualized environment;
  
  when an anti-sandbox component is detected in the second static analysis, selecting, based on the anti-sandbox component detected in the second static analysis, a least computationally expensive sandbox from a number of different types of sandboxes having different associated computational costs, and forwarding the sample to the least computationally expensive sandbox for execution and testing; and
  
  when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.
- View Dependent Claims (12, 13, 14)
- - 12. The computer program product of claim 11, wherein the software object is at least one of a file, a document, an application, a media file, and electronic mail, and an item of executable code.
  - 13. The computer program product of claim 11, wherein the one or more computing devices include at least one of an endpoint, a web gateway, an electronic mail gateway, a firewall, and a threat management facility.
  - 14. The computer program product of claim 11, wherein permitting the software object to be processed on the endpoint includes releasing the software object from an antivirus engine executing on the endpoint.

15. A system for securing an endpoint against malware that contains sandbox detection mechanisms, the system comprising:
- a computing device coupled to a network;
  
  a processor; and
  
  a memory bearing computer executable code configured to be executed by the processor to cause the computing device to perform the steps of receiving a sample of a software object over the network, performing a first static analysis of the sample using one or more signatures of known malware, when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint, when malware is not detected in the first static analysis, performing a reputation analysis of the sample to detect a known, safe software object that can be executed on the endpoint without further analysis, when a known, safe software object is not detected in the reputation analysis performing a second static analysis of the sample to detect a component configured to detect one or more aspects of a virtualized environment, when an anti-sandbox component is detected in the second static analysis, selecting, based on the anti-sandbox component detected in the second static analysis, a least computationally expensive sandbox from a number of different types of sandboxes having different associated computational costs, and forwarding the sample to the least computationally expensive sandbox for execution and testing, and when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Harris, Mark David, Stutz, Daniel, Lynch, Vincent Kevin
Primary Examiner(s)
Armouche, Hadi S
Assistant Examiner(s)
Wade, Shaqueal D

Application Number

US14/929,851
Publication Number

US 20170111374A1
Time in Patent Office

1,114 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Mitigation of anti-sandbox malware techniques

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation of anti-sandbox malware techniques

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links