System and method for malware detection
First Claim
1. A computer-implemented method for execution on one or more processors, the method comprising:
- receiving a first file;
- determining a file type of the first file;
- determining, according to a first policy, a plurality of malware detection schemes to apply sequentially to the first file based on the determined file type of the first file;
- scheduling an application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy, including scheduling a first malware detection scheme of the plurality of malware detection schemes at a first time and scheduling a second malware detection scheme of the plurality of malware detection schemes at a second time after the first time, wherein each of the plurality of detection nodes includes a virtual machine configured to run at least one of the plurality of malware detection schemes, wherein each virtual machine is configured to run on at least one hypervisor;
- executing a first malware detection scheme of the plurality of malware detection schemes on the first file in a first virtual machine of the virtual machines at the first time, wherein the first virtual machine is configured to run the first malware detection scheme, wherein execution of processes of the first virtual machine associated with executing the first malware detection scheme comprises causing, using the hypervisor, the execution of the first malware detection scheme to skip a wait state associated with a guest operating system of the first virtual machine to speed up execution of the first malware detection scheme;
- monitoring, using the at least one hypervisor, the applying of the first malware detection scheme without running a process in the one or more virtual machines to thwart attempts by malware to detect if the first malware detection scheme is being applied to the malware;
- determining results of applying the first malware detection scheme;
- in response to determining the results of applying the first malware detection scheme, determining whether the first file is malware;
- in response to determining the first file is malware, indicating that the first file is malware and refraining from executing any more detection schemes of the plurality of detection schemes on the first file;
- in response to determining the first file is not malware, applying the second malware detection scheme of the plurality of malware detection schemes in a second virtual machine of the virtual machines at the second time;
- determining results of applying the second malware detection scheme;
- in response to determining the results of applying the first and second malware detection schemes, determining that the first file is suspected malware or determining that the first file is malware according to a third policy and based on the results of applying the first and second malware detection schemes; and
- wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.
Abstract
According to one embodiment, a computer-implemented method for execution on one or more processors includes receiving a first file and determining a file type of the first file. The method also includes determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file. In addition, the method includes scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy. Further, the method includes determining, in response to determining the results of applying the plurality of malware detection schemes, that the first file is malware or determining that the first file is suspected malware according to a third policy.
30 Claims
1. A computer-implemented method for execution on one or more processors, the method comprising:
- receiving a first file;
- determining a file type of the first file;
- determining, according to a first policy, a plurality of malware detection schemes to apply sequentially to the first file based on the determined file type of the first file;
- scheduling an application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy, including scheduling a first malware detection scheme of the plurality of malware detection schemes at a first time and scheduling a second malware detection scheme of the plurality of malware detection schemes at a second time after the first time, wherein each of the plurality of detection nodes includes a virtual machine configured to run at least one of the plurality of malware detection schemes, wherein each virtual machine is configured to run on at least one hypervisor;
- executing a first malware detection scheme of the plurality of malware detection schemes on the first file in a first virtual machine of the virtual machines at the first time, wherein the first virtual machine is configured to run the first malware detection scheme, wherein execution of processes of the first virtual machine associated with executing the first malware detection scheme comprises causing, using the hypervisor, the execution of the first malware detection scheme to skip a wait state associated with a guest operating system of the first virtual machine to speed up execution of the first malware detection scheme;
- monitoring, using the at least one hypervisor, the applying of the first malware detection scheme without running a process in the one or more virtual machines to thwart attempts by malware to detect if the first malware detection scheme is being applied to the malware;
- determining results of applying the first malware detection scheme;
- in response to determining the results of applying the first malware detection scheme, determining whether the first file is malware;
- in response to determining the first file is malware, indicating that the first file is malware and refraining from executing any more detection schemes of the plurality of detection schemes on the first file;
- in response to determining the first file is not malware, applying the second malware detection scheme of the plurality of malware detection schemes in a second virtual machine of the virtual machines at the second time;
- determining results of applying the second malware detection scheme;
- in response to determining the results of applying the first and second malware detection schemes, determining that the first file is suspected malware or determining that the first file is malware according to a third policy and based on the results of applying the first and second malware detection schemes; and
- wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.

View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
14. A computer-implemented method for execution on one or more processors, the method comprising:
- receiving a first file and a second file from a messaging agent, wherein the first file and the second file are attachments to a first message;
- scheduling a sequential application of a first plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a first policy, including scheduling a first malware detection scheme of the plurality of malware detection schemes to execute at a first time and scheduling a second malware detection scheme of the plurality of malware detection schemes to execute at a second time after the first time, wherein each of the plurality of detection nodes includes a virtual machine configured to run at least one of the plurality of malware detection schemes, wherein each virtual machine is configured to run on a hypervisor;
- executing the first malware detection scheme of the plurality of malware detection schemes on the first file at a first detection node of the plurality of detection nodes using a first virtual machine of the first detection node, wherein the first virtual machine runs on the hypervisor, and wherein at least one of the first plurality of malware detection schemes includes accessing the first file in a plurality of different operating systems, wherein execution of processes of the first virtual machine associated with executing the first malware detection scheme comprises causing, using the hypervisor of the first virtual machine, the execution of the first malware detection scheme to skip a wait state associated with a guest operating system of the first virtual machine so as to speed up execution of the first malware detection scheme;
- monitoring, using the hypervisor, the applying of the first malware detection scheme without running a process in the first virtual machine so as to thwart attempts by malware to detect if the first malware detection scheme is being applied to the malware;
- determining the results of applying the first malware detection scheme to the first file;
- in response to determining the results of applying the first malware detection scheme, determining whether the first file is malware;
- in response to determining the first file is malware, indicating that the first file is malware and refraining from executing any more detection schemes of the first plurality of detection schemes on the first file;
- in response to determining the first file is not malware, applying the second malware detection scheme of the plurality of malware detection schemes in a second node of the plurality of nodes including a second virtual machine at the second time;
- determining results of applying the second malware detection scheme;
- increasing the priority of the second file in a queue associated with a detection node of the plurality of detection nodes, and applying a second plurality of malware detection schemes to the second file in response to determining results of applying the first plurality of malware detection schemes to the first file, wherein at least one of the second plurality of malware detection schemes includes accessing the first file from a plurality of applications, wherein each of the plurality of applications is a different version of the same application; and
- wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.

View Dependent Claims (15)
16. A computer-implemented method for execution on one or more processors, the method comprising:
- receiving a first file;
- determining a plurality of malware detection schemes to sequentially apply to the first file, wherein at least one of the plurality of malware detection schemes includes accessing the first file from a plurality of applications, wherein each of the plurality of applications is a different version of the same application, and wherein at least one of the plurality of malware detection schemes includes accessing the first file in a plurality of different operating systems;
- scheduling an application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy, including scheduling a first malware detection scheme of the plurality of malware detection schemes at a first time and scheduling a second malware detection scheme of the plurality of malware detection schemes at a second time after the first time, wherein each of the plurality of detection nodes includes a virtual machine configured to run at least one of the plurality of malware detection schemes, wherein each virtual machine is configured to run on at least one hypervisor;
- accessing the first file in a guest operating system of a first virtual machine of a first detection node in accordance with the determined plurality of malware detection schemes;
- executing the first malware detection scheme of the plurality of malware detection schemes on the first file using the guest operating system of the first virtual machine, wherein the guest operating system is configured to run the first malware detection scheme, wherein execution of processes of the guest operating system associated with executing the first malware detection scheme comprises causing, using the hypervisor, the execution of the first malware detection scheme to skip a wait state associated with the guest operating system so as to speed up execution of the first malware detection scheme;
- monitoring, using the at least one hypervisor, the applying of the first malware detection scheme without running a process in the guest operating system so as to thwart attempts by malware to detect if the first malware detection scheme is being applied to the malware;
- determining the results of applying the first malware detection scheme to the first file;
- in response to determining the results of applying the first malware detection scheme, determining whether the first file is malware;
- in response to determining the first file is malware, indicating that the first file is malware and refraining from executing any more detection schemes of the plurality of detection schemes on the first file;
- in response to determining the first file is not malware, applying the second malware detection scheme of the plurality of malware detection schemes in a second virtual machine of the virtual machines at the second time;
- determining results of applying the second malware detection scheme;
- determining that the first file is malware or determining that the file is suspected malware in response to determining the results of applying the first and second malware detection schemes; and
- wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.

View Dependent Claims (17)
18. A system for malware detection comprising:
- at least one computer processor;
- an ingest module coupled to the at least one computer processor, the ingest module including instructions stored in a memory, which when executed by the at least one processor, cause the at least one processor to: receive a first file; determine a file type of the first file; and determine, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file;
- a plurality of detection nodes, each of the plurality of detection nodes including a virtual machine configured to run at least one of the plurality of malware detection schemes, the virtual machines configured to run on at least one hypervisor, the at least one hypervisor configured to monitor a malware detection scheme being run on at least one of the virtual machines without running a process in the one or more virtual machines so as to thwart attempts by malware to detect if a malware detection scheme of the plurality of malware detection schemes is being applied to the malware;
- a scheduling module coupled to the at least one computer processor, the scheduling module including instructions stored in the memory, which when executed by the at least one processor, cause the at least one processor to schedule an application of the determined plurality of malware detection schemes to the first file amongst the plurality of detection nodes according to a second policy, including scheduling a first malware detection scheme of the plurality of malware detection schemes at a first time and scheduling a second malware detection scheme of the plurality of malware detection schemes at a second time after the first time;
- wherein a first virtual machine of a first detection node of the plurality of detection nodes is configured to execute the first malware detection scheme of the plurality of malware detection schemes on the first file using a guest operating system of the first virtual machine, wherein execution of processes of the guest operating system associated with executing the first malware detection scheme comprises causing, using the hypervisor, the execution of the first malware detection scheme to skip a wait state associated with the guest operating system so as to speed up execution of the first malware detection scheme;
- wherein the processor is configured to determine results of applying the first malware detection scheme to the first file;
- an adjudication and disposition module coupled to the at least one computer processor, the adjudication and disposition module including instructions stored in the memory, which when executed by the at least one processor, cause the at least one processor to: determine, in response to determining the results of applying the first malware detection scheme, whether the first file is malware according to a third policy, and in response to determining the first file is malware, indicate that the first file is malware to cause the plurality of detection nodes to refrain from executing any more malware detection schemes of the plurality of malware detection schemes on the first file;
- wherein a second virtual machine of a second detection node of the plurality of detection nodes is configured to, in response to determining the first file is not malware, execute the second malware detection scheme of the plurality of malware detection schemes on the first file at the second time;
- wherein the processor is configured to determine results of applying the second malware detection scheme; and
- wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.

View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
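As an added illustration (not code from the patent or its assignee), a minimal Python simulation of the three-policy pipeline the independent claims describe: policy 1 picks the schemes per file type, policy 2 orders the detection-node queue with e-mail attachments first and runs the schemes sequentially with the short-circuit on a malware verdict, and policy 3 adjudicates the collected results into malware, suspected malware or clean. The scheme bodies, marker strings and policy tables are constructed stand-ins; the per-VM execution, hypervisor-side monitoring and wait-state skipping are not modelled.

```python
from dataclasses import dataclass
from enum import Enum
import heapq
import itertools

class Verdict(Enum):
    CLEAN = 0
    SUSPECTED = 1
    MALWARE = 2

@dataclass
class Sample:
    name: str
    file_type: str
    data: bytes                     # constructed sample content
    email_attachment: bool = False  # drives the priority rule in policy 2

# Policy 1 (constructed): file type -> ordered list of schemes to apply.
SCHEME_POLICY = {"pdf": ["signature_scan", "document_sandbox"],
                 "exe": ["signature_scan", "pe_sandbox"]}

# Toy stand-ins for the per-VM detection schemes; each returns a verdict.
def signature_scan(s):
    return Verdict.MALWARE if b"KNOWN-BAD-MARKER" in s.data else Verdict.CLEAN

def document_sandbox(s):
    return Verdict.SUSPECTED if b"/JavaScript" in s.data else Verdict.CLEAN

def pe_sandbox(s):
    return Verdict.SUSPECTED if b"CreateRemoteThread" in s.data else Verdict.CLEAN

SCHEMES = {f.__name__: f for f in (signature_scan, document_sandbox, pe_sandbox)}

def schedule(samples):
    """Policy 2: min-heap on (priority, arrival); e-mail attachments go first."""
    heap, seq = [], itertools.count()
    for s in samples:
        heapq.heappush(heap, (0 if s.email_attachment else 1, next(seq), s))
    while heap:
        yield heapq.heappop(heap)[2]

def run_pipeline(sample):
    """Apply the policy-1 schemes in order; stop at the first MALWARE verdict."""
    results = []
    for name in SCHEME_POLICY.get(sample.file_type, ["signature_scan"]):
        verdict = SCHEMES[name](sample)
        results.append((name, verdict))
        if verdict is Verdict.MALWARE:
            break  # refrain from executing any more schemes on this file
    return results

def adjudicate(results):
    """Policy 3 (constructed): the worst verdict across the applied schemes wins."""
    return max((v for _, v in results), key=lambda v: v.value, default=Verdict.CLEAN)
```

A full run is `[(s.name, adjudicate(run_pipeline(s))) for s in schedule(samples)]`; a file whose first scheme already returns MALWARE never reaches the second scheme, which is the claimed short-circuit.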