Method and apparatus for determination of the non-replicative behavior of a malicious program
DC
First Claim
1. A computer executed method for processing a suspect executable file, comprising:
- attempting to infect a known file using the suspect executable file and, if the attempt is successful, providing the infected known file as a sample, executing the sample in a controlled environment;
determining a record of side effects that occur in the environment as a result of a non-replicative behavior of the sample during its execution;
comparing the record to a stored record of side effects that occur in the environment as a result of a non-replicative behavior of the known file during its execution and deriving a set of characteristic side effects; and
undoing a detected change that results from execution of an undesirable software entity and/or informing a user of the side effects;
if the attempt to infect the known file is not successful, the method further includes;
attempting to repair the suspect executable file and, if the attempt is successful, providing the repaired file as the sample;
executing the sample in the controlled environment;
determining a first record of side effects that occur in the environment as a result of a non-replicative behavior of the sample during its execution;
executing the suspect executable file in the controlled environment;
determining a second record of side effects that occur in the environment as a result of a non-replicative behavior of the suspect executable file during its execution;
comparing the first record to the second record and deriving the set of characteristic side effects; and
undoing a detected change that results from execution of an undesirable software entity and/or informing a user of the side effects.
13 Assignments
Litigations
0 Petitions
Accused Products
Abstract
Disclosed is a method, a computer system and a computer readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for determining a non-replicative behavior of a program that is suspected of containing an undesirable software entity. The process causes execution of the program in at least one known environment and automatically examines the at least one known environment to detect if a change has occurred in the environment as a result of the execution of the program. If a change is detected, the process automatically analyzes the detected change (i.e., the process performs a side effects analysis) to determine if the change resulted from execution of the program or from execution of the undesirable software entity. The process then uses the result of the analysis at least for undoing a detected change that results from execution of the undesirable software entity. The result of the analysis can also be used for informing a user of an anti-virus system of the non-replicative changes made to the environment.
64 Citations
8 Claims
-
1. A computer executed method for processing a suspect executable file, comprising:
-
attempting to infect a known file using the suspect executable file and, if the attempt is successful, providing the infected known file as a sample, executing the sample in a controlled environment; determining a record of side effects that occur in the environment as a result of a non-replicative behavior of the sample during its execution; comparing the record to a stored record of side effects that occur in the environment as a result of a non-replicative behavior of the known file during its execution and deriving a set of characteristic side effects; and undoing a detected change that results from execution of an undesirable software entity and/or informing a user of the side effects; if the attempt to infect the known file is not successful, the method further includes; attempting to repair the suspect executable file and, if the attempt is successful, providing the repaired file as the sample; executing the sample in the controlled environment; determining a first record of side effects that occur in the environment as a result of a non-replicative behavior of the sample during its execution; executing the suspect executable file in the controlled environment; determining a second record of side effects that occur in the environment as a result of a non-replicative behavior of the suspect executable file during its execution; comparing the first record to the second record and deriving the set of characteristic side effects; and undoing a detected change that results from execution of an undesirable software entity and/or informing a user of the side effects. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
Specification
-
- Resources
-
Current AssigneeBarracuda Networks Incorporated
-
Original AssigneeInternational Business Machines Corporation
-
InventorsWhalley, Ian N., Morar, John F., Arnold, William C., Segal, Alla, Chess, David M., White, Steve R.
-
Primary Examiner(s)Song, Hosuk
-
Assistant Examiner(s)TO, BAOTRAN N
-
Application NumberUS10/141,896Publication NumberTime in Patent Office1,581 DaysField of Search714/3, 714/38, 726/24, 726/26, 726/22, 726/23, 726/25, 717/188, 713/188US Class Current726/22CPC Class CodesG06F 21/566 Dynamic detection, i.e. det...
