US20130247198A1 - Emulator updating system and method - Google Patents
- Publication number
- US20130247198A1 (application US11/062,185)
- Authority
- US
- United States
- Prior art keywords
- emulator
- extension
- suspect code
- code
- emulation
- Prior art date
- Legal status
- Abandoned
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
One embodiment includes a method and computer program product for distributing and/or receiving a first emulator extension with respect to an emulator capable of performing an emulation using emulation code. The first emulator extension includes program instructions that aid in the process of emulating in order to detect potentially unwanted computer software. Such program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the potentially unwanted computer software within the suspect code. In use, an emulation is performed using the first emulator extension and the suspect code. The emulation is performed within an insulated environment in a computer system so that the computer system is insulated from potentially unwanted actions of the suspect code.
Description
- The present application is a continuation of an application filed Jun. 1, 2000 under application Ser. No. 09/586,671, which is incorporated herein by reference, in its entirety for all purposes.
- 1. Field of the Invention
- The present invention relates to systems for detecting unwanted software. More specifically, the present invention relates to a method and an apparatus for emulating unwanted software that operates by patching additional instructions into an emulator in order to aid in the process of detecting, decrypting or disinfecting code containing unwanted software.
- 2. Related Art
- Malicious software, such as a computer virus, can enter a computer system in a number of ways. It can be introduced on a disk or a CD-ROM that is inserted into the computer system. It can also enter from a computer network, for example, within an email message.
- If malicious software is executed by a computer system, it can cause a number of problems. The software can compromise security, by stealing passwords; by creating a “back door” into the computer system; or by otherwise accessing sensitive information. The software can also cause damage to the computer system, for example, by deleting files or by causing the computer system to fail.
- Some types of malicious programs can be easily detected using simple detection techniques, such as scanning for a search string. However, this type of detection process can be easily subverted by converting a malicious algorithm into program code in different ways.
- Another approach to detecting malicious software is to run a program on a real machine while attempting to intercept malicious actions. This technique, which is known as “behavior blocking,” has a number of disadvantages. In spite of the attempt to intercept malicious actions, the program may nevertheless cause harm to the computer system. Furthermore, the behavior blocking mechanism typically cannot view an entire log of actions in making a blocking determination. Hence, the behavior blocking mechanism may make sub-optimal blocking decisions, which means harmless programs may be blocked or harmful programs may be allowed to execute.
- Yet another approach to detecting malicious software is to “emulate” suspect code within an insulated environment in a computer system so that the computer system is protected from malicious actions of the suspect code.
- One disadvantage to emulation is that it is almost impossible to provide complete emulation for all program instructions, all operating system calls and operating system environments that may be accessed by a piece of code being emulated without replicating the entire operating system in the process. Hence, in practice, emulators are typically able to emulate only commonly occurring program instructions and system calls.
- This problem can be overcome by updating and recompiling an emulator to implement new system calls and new program instructions as different pieces of malicious software are encountered that make use of these new system calls and new program instructions. However, doing so can lead to logistical problems in keeping emulation programs up to date.
- Another problem with current emulators is that they cannot deal with conflicting emulator environments. For example, one virus may be triggered by a system call returning the year 1999, while another virus is triggered by the same system call returning the year 2000.
- What is needed is a method and an apparatus for emulating suspect code that can be easily reconfigured to accommodate new program instructions, system calls and emulation environments.
- One embodiment includes a method and computer program product for distributing and/or receiving a first emulator extension with respect to an emulator capable of performing an emulation using emulation code. The first emulator extension includes program instructions that aid in the process of emulating in order to detect potentially unwanted computer software. Such program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the potentially unwanted computer software within the suspect code. In use, an emulation is performed using the first emulator extension and the suspect code. The emulation is performed within an insulated environment in a computer system so that the computer system is insulated from potentially unwanted actions of the suspect code.
- FIG. 1 illustrates a computer system in accordance with an embodiment of the present invention.
- FIG. 2 illustrates the internal structure of an emulator for emulating and analyzing code for malicious behavior in accordance with an embodiment of the present invention.
- FIG. 3 is a flow chart illustrating the process of emulating and analyzing code for malicious behavior using emulator extensions in accordance with an embodiment of the present invention.
- The following description is presented to enable any person skilled in the art to make and use the invention, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present invention. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
- The data structures and code described in this detailed description are typically stored on a computer readable storage medium, which may be any device or medium that can store code and/or data for use by a computer system. This includes, but is not limited to, magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs) and DVDs (digital video discs), and computer instruction signals embodied in a transmission medium (with or without a carrier wave upon which the signals are modulated). For example, the transmission medium may include a communications network, such as the Internet.
- FIG. 1 illustrates a computer system 106 in accordance with an embodiment of the present invention. Computer system 106 may include any type of computer system, including, but not limited to, a computer system based on a microprocessor, a mainframe computer, a digital signal processor, a personal organizer, a device controller, and a computational engine within an appliance.
- Computer system 106 can receive suspect code 108 (which can potentially be malicious) from a number of different sources. Suspect code 108 may be introduced into computer system 106 by a remote host 101 across a network 102. For example, suspect code 108 may be included within an electronic mail (email) message from remote host 101 to computer system 106. Remote host 101 can include any entity that is capable of sending suspect code 108 across network 102 to computer system 106. Network 102 can include any type of wired or wireless communication channel capable of coupling together computing nodes. This includes, but is not limited to, a local area network, a wide area network, or a combination of networks. In one embodiment of the present invention, network 102 includes the Internet.
- Suspect code 108 may additionally be introduced into computer system 106 by encoding suspect code 108 on a computer-readable storage medium, such as disk 104, and introducing disk 104 into computer system 106. Note that disk 104 can generally include any type of computer-readable storage medium, such as a magnetic disk, a magnetic tape and a CD-ROM.
- Before executing suspect code 108, computer system 106 uses emulator 110 to analyze suspect code 108. Emulator 110 analyzes suspect code 108 by executing emulator code 203 and emulator extensions 204 as is described below with reference to FIGS. 2 and 3.
- FIG. 2 illustrates the internal structure of an emulator 110 for emulating and analyzing suspect code 108 for malicious behavior in accordance with an embodiment of the present invention. Emulator 110 includes emulator code 203, emulator buffer 201 and database 206. Emulator code 203 includes code to perform the emulation.
- Emulator buffer 201 is a protected region of memory (also known as a sandbox or a working space) in which suspect code 108 is stored and emulated. Emulator buffer 201 stores suspect code 108 as well as emulator extension 204. Emulator buffer 201 and emulator code 203 are designed so that while suspect code 108 is executing within emulator buffer 201, suspect code 108 cannot damage or compromise computer system 106. Emulator extension 204 includes additional program instructions that assist emulator code 203 in the emulation process.
- Note that emulator buffer 201 is not within the program space of computer system 106, but is instead in the data space. Hence, instructions within emulator extension 204 must themselves be emulated by emulator code 203. In an alternative embodiment of the present invention, emulator extension 204 is loaded as a patch into the program space of computer system 106. In this alternative embodiment, emulator extension 204 can be executed directly on computer system 106.
- Emulator extension 204 is retrieved from database 206, which contains a plurality of emulator extensions 208, which can be successively loaded into emulator buffer 201 during the emulation process. Database 206 can include any type of volatile or non-volatile memory or storage device that can be used to store emulator extensions 208. Database 206 can reside within computer system 106, or alternatively, can reside on an external database server that is separate from computer system 106.
- During the emulation process, emulator extension 204 can read suspect code 108 looking for patterns indicating that suspect code 108 contains a virus or other type of malicious software. Alternatively, emulator extension 204 can set up an environment that is conducive to emulating suspect code 108. For example, emulator extension 204 can configure the system to emulate uncommonly used system calls or opcodes. This enables emulator code 203 and/or emulator extension 204 to determine whether suspect code 108 exhibits malicious behavior. Emulator code 203 (working with emulator extension 204) ultimately outputs a decision 212 indicating whether suspect code 108 is malicious or not.
- Note that emulator extension 204 can be emulated in a number of different ways. (1) Emulator extension 204 can be emulated as part of suspect code 108 by patching emulator extension 204 into suspect code 108, possibly replacing, overlapping or overwriting portions of suspect code 108. In this case, the location where the patching occurs is defined in database 206. (2) Emulator extension 204 can be executed before suspect code 108 is executed, which enables emulator extension 204 to set up the environment that emulator extension 204 is responsible for handling. After this environment is set up, emulator extension 204 passes control to suspect code 108. (3) Emulator extension 204 can replace suspect code 108 entirely. In this case, suspect code 108 is not emulated at all, and emulator extension 204 produces decision 212 after analyzing suspect code 108 as data. (4) Emulator extension 204 can be emulated after suspect code 108 is emulated. This allows emulator extension 204 to analyze the results of running suspect code 108 in order to produce decision 212.
- FIG. 3 is a flow chart illustrating the process of emulating and analyzing code for malicious behavior using emulator extensions in accordance with an embodiment of the present invention. The system starts by receiving suspect code 108 from one of a number of possible sources as is described above with reference to FIG. 1 (step 302). The system loads this suspect code into emulator buffer 201 (step 304).
- Next, the system runs emulator 110 (step 306). This causes suspect code 108 to be examined and/or emulated by emulator code 203. During the emulation process, the system determines whether or not suspect code 108 contains code that is likely to exhibit malicious behavior (step 308). If so, the system reports the malicious code to a system user or system administrator (step 310).
- If no malicious code is detected, the system determines if there are any emulator extensions remaining in database 206 that have not already been used (step 312). If not, the system proceeds to the next file containing suspect code to repeat the entire process (step 314).
- Otherwise, if there are emulator extensions remaining, the system loads the next emulator extension into emulator 110 (step 315). In one embodiment of the present invention, this involves loading emulator extension 204 into emulator buffer 201 within emulator 110. In an alternative embodiment, this involves loading emulator extension 204 into the program space of computer system 106 so that it can work in concert with emulator code 203 in performing a subsequent emulation.
- Next, the system sets up emulator 110 to run emulator extension 204 (step 316). This may involve configuring emulator code 203 to initially run emulator extension 204. Next, the system returns to step 306 to continue with the emulation process using the new emulator extension.
- Note that by using multiple emulator extensions it is possible to deal with conflicting emulator environments. For example, a first emulator extension can configure emulator 110 to detect a virus that is triggered by a system call returning the year 1999, while a second emulator extension can configure emulator 110 to detect a virus that is triggered by the same system call returning the year 2000.
- The foregoing descriptions of embodiments of the invention have been presented for purposes of illustration and description only. They are not intended to be exhaustive or to limit the present invention to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art. Additionally, the above disclosure is not intended to limit the present invention. The scope of the present invention is defined by the appended claims.
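The following is an added, constructed example (not code from the patent or its assignee) that models the FIG. 2 architecture and the FIG. 3 loop in a toy form: a minimal interpreter stands in for emulator code 203, a list of `Extension` records stands in for database 206, and each extension is combined with the suspect code in one of the four ways the description lists (patched over it at a database-defined location, run before it to set up the environment, run instead of it on the code as data, or run after it on the results). The instruction set, the `get_year` and `get_volume_serial` syscalls, the `DELETE_FILES` action policy and the four sample programs are all invented for illustration; the two year-triggered samples mirror the 1999/2000 conflicting-environment case from the text.

```python
"""Toy emulator with database-loaded extensions (constructed example, not the patent's
code): instruction set, syscalls, samples and the malicious-action policy are invented."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

# Toy ISA: ("SYSCALL", name) | ("JNE", imm, target) | ("ACTION", name) | ("NOP",) | ("HALT",)

@dataclass
class Env:
    """Emulated environment; the base emulator only knows the 'common' syscall get_year."""
    year: int = 2024
    syscalls: Dict[str, Callable[["Env"], int]] = field(
        default_factory=lambda: {"get_year": lambda env: env.year})

@dataclass
class Result:
    actions: List[str]                 # side effects the suspect code requested (logged, never performed)
    unsupported: Optional[str] = None  # syscall the emulator could not provide, if the run stopped early

def emulate(program: List[tuple], env: Env, max_steps: int = 200) -> Result:
    """Interpret the toy ISA in an isolated buffer; actions are only recorded, never performed."""
    pc, acc, actions = 0, 0, []
    for _ in range(max_steps):
        if pc >= len(program):
            break
        op, *args = program[pc]
        if op == "HALT":
            break
        if op == "SYSCALL":
            handler = env.syscalls.get(args[0])
            if handler is None:        # a gap in the emulator: exactly what an extension fills
                return Result(actions, unsupported=args[0])
            acc = handler(env)
        elif op == "JNE" and acc != args[0]:
            pc = args[1]
            continue
        elif op == "ACTION":
            actions.append(args[0])
        pc += 1
    return Result(actions)

MALICIOUS_ACTIONS = {"DELETE_FILES"}   # constructed policy for what counts as unwanted behaviour

def decide(result: Result) -> bool:
    return bool(MALICIOUS_ACTIONS & set(result.actions))

@dataclass
class Extension:
    """One database entry; `mode` is one of the four ways FIG. 2 combines an extension with suspect code."""
    name: str
    mode: str                        # "pre" | "patch" | "replace" | "post"
    payload: Any                     # a hook function, or for "patch" a list of instructions
    patch_at: Optional[int] = None   # "patch" only: location within the suspect code, defined in the database

def run_with_extension(program: List[tuple], ext: Extension) -> bool:
    code = list(program)   # fresh buffer per extension so a patch never leaks into the next run
    env = Env()
    if ext.mode == "replace":        # (3) no emulation at all: the suspect code is analysed as data
        return bool(ext.payload(code))
    if ext.mode == "pre":            # (2) extension runs first, sets up the environment, then hands over
        ext.payload(env)
    elif ext.mode == "patch":        # (1) extension is patched over part of the suspect code
        code[ext.patch_at:ext.patch_at + len(ext.payload)] = ext.payload
    result = emulate(code, env)
    if ext.mode == "post":           # (4) extension inspects what the run produced
        return bool(ext.payload(result))
    return decide(result)

def analyze(program: List[tuple], database: List[Extension]) -> Tuple[str, Optional[str]]:
    """FIG. 3 loop: base emulation first, then one extension at a time until a detection or the database is exhausted."""
    if decide(emulate(list(program), Env())):     # steps 306-308 with the base emulator only
        return "malicious", None
    for ext in database:                          # steps 312-316, then back to step 306
        if run_with_extension(program, ext):
            return "malicious", ext.name          # step 310: report, naming the extension that caught it
    return "clean", None

def _set_year(year: int) -> Callable[[Env], None]:
    def hook(env: Env) -> None:
        env.year = year
    return hook

def _add_volume_serial(env: Env) -> None:
    env.syscalls["get_volume_serial"] = lambda e: 0x1234   # an uncommon syscall the base emulator lacks

DATABASE = [
    Extension("year-1999-env", "pre", _set_year(1999)),            # conflicting environments coexist,
    Extension("year-2000-env", "pre", _set_year(2000)),            # each in its own run
    Extension("volume-serial-syscall", "pre", _add_volume_serial),
    Extension("force-branch-patch", "patch", [("NOP",)], patch_at=1),   # overwrite the trigger check
    Extension("static-scan", "replace", lambda code: ("ACTION", "DELETE_FILES") in code),
    Extension("anti-emulation-tell", "post", lambda res: res.unsupported is not None),
]

# Constructed samples: payloads triggered by conflicting years, one needing an uncommon syscall, one harmless.
SUSPECT_1999 = [("SYSCALL", "get_year"), ("JNE", 1999, 3), ("ACTION", "DELETE_FILES"), ("HALT",)]
SUSPECT_2000 = [("SYSCALL", "get_year"), ("JNE", 2000, 3), ("ACTION", "DELETE_FILES"), ("HALT",)]
SUSPECT_SERIAL = [("SYSCALL", "get_volume_serial"), ("JNE", 0x1234, 3), ("ACTION", "DELETE_FILES"), ("HALT",)]
BENIGN = [("ACTION", "PRINT_HELLO"), ("HALT",)]
```

Calling `analyze(SUSPECT_1999, DATABASE)` shows the point of the design: the base emulator returns a 2024 year, so the trigger branch is never taken and the first pass comes back clean; the `year-1999-env` extension is then loaded and the payload path is observed, with `year-2000-env` catching the second sample in its own run even though the two environments contradict each other. `SUSPECT_SERIAL` stops early under the base emulator because the syscall is unknown, and is only detected once the `volume-serial-syscall` extension adds it, which is the "uncommonly used system call" case without recompiling the emulator. The fresh `code = list(program)` copy per extension matters: a patch applied for one extension must not be visible to the next one, or the loop would no longer test each environment independently.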
Claims (22)
1. A method to be performed in conjunction with a processor and a memory, the method comprising:
receiving a first emulator extension from among a plurality of different emulator extensions at an emulator for performing an emulation using emulation code, each of the plurality of different emulator extensions including program instructions that read suspect code of a computer system during the process of emulating in order to detect that the suspect code includes potentially unwanted computer software;
performing a first emulation using the first emulator extension and the suspect code to detect whether the suspect code contains potentially unwanted computer software, the first emulation being performed within an insulated environment in the computer system, wherein each of the plurality of different emulator extensions is configured for loading, from a database containing the plurality of different emulator extensions, into an emulator buffer as a patch to the suspect code such that at least some of the suspect code is overwritten, and wherein a location within the suspect code where the patching occurs is defined in the database; and
if the first emulation does not detect that the suspect code contains potentially unwanted computer software:
receiving a second emulator extension from among the plurality of different emulator extensions; and
performing a second emulation using the second emulator extension and the suspect code to detect whether the suspect code contains potentially unwanted computer software; and
reporting the suspect code, if a computer virus or other unwanted software is detected within the suspect code.
2. (canceled)
3. (canceled)
4. (canceled)
5. The method of claim 1, further comprising emulating the suspect code prior to loading the first emulator extension into the emulator buffer.
6. (canceled)
7. The method of claim 1, wherein the first emulator extension and the second emulator extension provide support for conflicting emulator environments.
8. (canceled)
9. (canceled)
10. (canceled)
11. The method of claim 1, wherein the first emulator extension facilitates emulating a non-standard computer instruction opcode.
12. The method of claim 1, wherein the first emulator extension facilitates emulating an uncommonly used operating system call.
13. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method, the method comprising:
receiving a first emulator extension from among a plurality of different emulator extensions at an emulator for performing an emulation using emulation code, each of the plurality of different emulator extensions including program instructions that read suspect code of a computer system during the process of emulating in order to detect that the suspect code includes potentially unwanted computer software;
performing a first emulation using the first emulator extension and the suspect code to detect whether the suspect code contains potentially unwanted computer software, the first emulation being performed within an insulated environment in the computer system, wherein each of the plurality of different emulator extensions is configured for loading, from a database containing the plurality of different emulator extensions, into an emulator buffer as a patch to the suspect code such that at least some of the suspect code is overwritten, and wherein a location within the suspect code where the patching occurs is defined in the database; and
if the first emulation does not detect that the suspect code contains potentially unwanted computer software:
receiving a second emulator extension from among the plurality of emulator extensions; and
performing a second emulation using the second emulator extension and the suspect code; and
reporting the suspect code, if a computer virus or other unwanted software is detected within the suspect code.
14. (canceled)
15. (canceled)
16. (canceled)
17. The non-transitory computer-readable storage medium of claim 13, wherein the method further comprises emulating the suspect code prior to loading the first emulator extension into the emulator buffer.
18. (canceled)
19. (canceled)
20. (canceled)
21. The method of claim 1, wherein the first emulator extension is executed for setting up an environment used for emulating the suspect code.
22. The method of claim 1, wherein each of the plurality of different emulator extensions further includes program instructions that when emulated by the emulator identify patterns within the suspect code contains potentially unwanted computer software.
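The procedure the claims describe (emulate the suspect code first, load an extension from a database as a patch into the emulator buffer at a database-defined location so that part of the suspect code is overwritten, emulate the extension's own instructions so they can scan the buffer for a pattern, and fall back to a second extension when the first does not detect) can be shown end to end on a toy machine. The block below is an added illustration, not code from the patent, its assignee or any product: the register machine, its twelve opcodes, the buffer size, the instruction budget, the two-extension database and the self-decrypting sample are all constructed here. The sample's marker bytes only exist in the buffer after its XOR loop has run, which is why the extension is patched in and emulated after a first pass over the suspect code; the instruction budget is what keeps a looping or runaway sample inside the insulated environment instead of hanging the scanner.

```python
BUFFER_SIZE = 256   # size of the insulated emulator buffer (assumption for this example)
STEP_BUDGET = 2000  # instruction budget so a looping sample cannot hang the scan

# Constructed two-byte instruction set (opcode, operand) for the toy machine.
HALT, LDB, LDM, INCB, CMPI, JZ, JNZ, JMP, DETECT, CMPB, XORI, STM = range(12)


class Emulator:
    """Tiny register machine: A (data), B (pointer), PC, zero flag, detect flag."""

    def __init__(self, mem):
        self.mem, self.a, self.b, self.pc = mem, 0, 0, 0
        self.z, self.detected = False, False

    def run(self, start, budget=STEP_BUDGET):
        """Emulate from `start`; returns the reason emulation stopped."""
        self.pc = start
        for _ in range(budget):
            if self.pc + 1 >= len(self.mem):
                return "out-of-bounds"
            op, arg = self.mem[self.pc], self.mem[self.pc + 1]
            self.pc += 2
            if op == HALT:
                return "halt"
            elif op == LDB:
                self.b = arg
            elif op == LDM:
                self.a = self.mem[self.b]
            elif op == STM:
                self.mem[self.b] = self.a
            elif op == INCB:
                self.b = (self.b + 1) % len(self.mem)
            elif op == XORI:
                self.a ^= arg
            elif op == CMPI:
                self.z = self.a == arg
            elif op == CMPB:
                self.z = self.b == arg
            elif op == JMP:
                self.pc = arg
            elif op in (JZ, JNZ):          # JZ jumps when Z is set, JNZ when it is clear
                if self.z == (op == JZ):
                    self.pc = arg
            elif op == DETECT:
                self.detected = True
            else:
                return "unknown-opcode"    # the base emulator has no handler for it
        return "budget-exhausted"


def scanner_extension(first, second, base, limit):
    """Extension bytecode that scans mem[0:limit] for the byte pair (first, second)
    and executes DETECT on a match. Jump targets are absolute, so the bytes are
    built for the patch offset `base` recorded in the database."""
    return bytes([
        LDB, 0,           LDM, 0,             # base+0x00: B = 0; base+0x02 loop: A = mem[B]
        CMPI, first,      JNZ, base + 0x14,   # first byte differs -> advance
        INCB, 0,          LDM, 0,             # A = mem[B+1]
        CMPI, second,     JNZ, base + 0x16,   # second differs -> retest this byte as a start
        DETECT, 0,        HALT, 0,            # pattern found
        INCB, 0,          CMPB, limit,        # base+0x14 advance; base+0x16 end of region?
        JZ, base + 0x1C,  JMP, base + 0x02,
        HALT, 0,                              # base+0x1C: nothing found
    ])


# Extension database: each entry records the patch location and the patch bytes.
PATCH_OFFSET = 0x80
EXTENSION_DB = {
    "family-a": (PATCH_OFFSET, scanner_extension(0xCA, 0xFE, PATCH_OFFSET, PATCH_OFFSET)),
    "family-b": (PATCH_OFFSET, scanner_extension(0xDE, 0xAD, PATCH_OFFSET, PATCH_OFFSET)),
}

# Constructed sample: a decryptor loop that XORs its payload in place, then halts.
KEY, PAYLOAD_AT = 0x55, 0x20
PAYLOAD = bytes([0xDE, 0xAD, 0x01, 0x02])       # marker bytes, only visible once decrypted
SUSPECT_CODE = (bytes([
    LDB, PAYLOAD_AT,  LDM, 0,                    # loop: A = mem[B]
    XORI, KEY,        STM, 0,                    # mem[B] ^= KEY
    INCB, 0,          CMPB, PAYLOAD_AT + len(PAYLOAD),
    JNZ, 0x02,        HALT, 0,
]).ljust(PAYLOAD_AT, b"\x00") + bytes(x ^ KEY for x in PAYLOAD)).ljust(0xC0, b"\x00")


def scan(suspect, db, order):
    """Emulate the sample, then try each extension in `order` until one detects."""
    if len(suspect) > BUFFER_SIZE:
        raise ValueError("sample does not fit in the emulator buffer")
    for name in order:
        offset, code = db[name]
        buf = bytearray(suspect.ljust(BUFFER_SIZE, b"\x00"))  # fresh insulated buffer
        emu = Emulator(buf)
        pre = emu.run(0)                                      # let the sample unpack itself first
        buf[offset:offset + len(code)] = code                 # patch the extension over the sample
        emu.detected = False
        post = emu.run(offset)                                # emulate the extension's instructions
        if emu.detected:
            return {"detected": True, "extension": name, "pre": pre, "post": post}
    return {"detected": False, "extension": None}
```

Running `scan(SUSPECT_CODE, EXTENSION_DB, ["family-a", "family-b"])` reports `family-b`: a plain byte search for `DE AD` over `SUSPECT_CODE` finds nothing, the first extension finishes without a match, and the second one matches the decrypted payload. A sample consisting only of `JMP 0` exhausts the budget in the first pass and is still scanned afterwards, and an opcode the machine does not know stops emulation with `unknown-opcode`, which is the gap an extension for a non-standard opcode (claim 11) would fill in a fuller implementation.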
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/062,185 US20130247198A1 (en) | 2000-06-01 | 2005-02-18 | Emulator updating system and method |
US11/855,960 US20130246038A1 (en) | 2000-06-01 | 2007-09-14 | Emulator updating system and method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/586,671 US6907396B1 (en) | 2000-06-01 | 2000-06-01 | Detecting computer viruses or malicious software by patching instructions into an emulator |
US11/062,185 US20130247198A1 (en) | 2000-06-01 | 2005-02-18 | Emulator updating system and method |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/586,671 Continuation US6907396B1 (en) | 2000-06-01 | 2000-06-01 | Detecting computer viruses or malicious software by patching instructions into an emulator |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/855,960 Continuation US20130246038A1 (en) | 2000-06-01 | 2007-09-14 | Emulator updating system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
US20130247198A1 true US20130247198A1 (en) | 2013-09-19 |
Family
ID=34633045
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/586,671 Expired - Lifetime US6907396B1 (en) | 2000-06-01 | 2000-06-01 | Detecting computer viruses or malicious software by patching instructions into an emulator |
US11/062,185 Abandoned US20130247198A1 (en) | 2000-06-01 | 2005-02-18 | Emulator updating system and method |
US11/855,960 Abandoned US20130246038A1 (en) | 2000-06-01 | 2007-09-14 | Emulator updating system and method |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/586,671 Expired - Lifetime US6907396B1 (en) | 2000-06-01 | 2000-06-01 | Detecting computer viruses or malicious software by patching instructions into an emulator |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/855,960 Abandoned US20130246038A1 (en) | 2000-06-01 | 2007-09-14 | Emulator updating system and method |
Country Status (1)
Country | Link |
---|---|
US (3) | US6907396B1 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103778372A (en) * | 2014-01-13 | 2014-05-07 | 陈黎飞 | Spectral method for identifying computer software action |
WO2016113663A1 (en) * | 2015-01-18 | 2016-07-21 | Checkmarx Ltd. | Rasp for scripting languages |
US20160283716A1 (en) * | 2015-03-28 | 2016-09-29 | Leviathan, Inc. | System and Method for Emulation-based Detection of Malicious Code with Unmet Operating System or Architecture Dependencies |
US10120997B2 (en) | 2015-01-01 | 2018-11-06 | Checkmarx Ltd. | Code instrumentation for runtime application self-protection |
US10387656B2 (en) | 2016-03-21 | 2019-08-20 | Checkmarx Ltd. | Integrated interactive application security testing |
US11087002B2 (en) | 2017-05-10 | 2021-08-10 | Checkmarx Ltd. | Using the same query language for static and dynamic application security testing tools |
US20210334197A1 (en) * | 2020-04-28 | 2021-10-28 | Salesforce.Com, Inc. | Browser-based tests for hybrid applications using a launcher plug-in |
US11836258B2 (en) | 2020-07-28 | 2023-12-05 | Checkmarx Ltd. | Detecting exploitable paths in application software that uses third-party libraries |
Families Citing this family (175)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8479293B2 (en) * | 2000-11-30 | 2013-07-02 | Access Co., Ltd. | Security technique for an open computing platform system |
US7234167B2 (en) * | 2001-09-06 | 2007-06-19 | Mcafee, Inc. | Automatic builder of detection and cleaning routines for computer viruses |
US20040006706A1 (en) | 2002-06-06 | 2004-01-08 | Ulfar Erlingsson | Methods and systems for implementing a secure application execution environment using derived user accounts for internet content |
KR100503387B1 (en) * | 2003-03-14 | 2005-07-26 | 주식회사 안철수연구소 | Method to decrypt and analyze the encrypted malicious scripts |
KR100509650B1 (en) * | 2003-03-14 | 2005-08-23 | 주식회사 안철수연구소 | Method to detect malicious scripts using code insertion technique |
US9118710B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | System, method, and computer program product for reporting an occurrence in different manners |
US9118711B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9118708B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Multi-path remediation |
US9100431B2 (en) | 2003-07-01 | 2015-08-04 | Securityprofiling, Llc | Computer program product and apparatus for multi-path remediation |
US20070113272A2 (en) | 2003-07-01 | 2007-05-17 | Securityprofiling, Inc. | Real-time vulnerability monitoring |
US8984644B2 (en) | 2003-07-01 | 2015-03-17 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9350752B2 (en) | 2003-07-01 | 2016-05-24 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9118709B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US7395524B2 (en) * | 2003-08-28 | 2008-07-01 | International Business Machines Corporation | Method, system and program product providing a configuration specification language having clone latch support |
US7913305B2 (en) * | 2004-01-30 | 2011-03-22 | Microsoft Corporation | System and method for detecting malware in an executable code module according to the code module's exhibited behavior |
US7730530B2 (en) * | 2004-01-30 | 2010-06-01 | Microsoft Corporation | System and method for gathering exhibited behaviors on a .NET executable module in a secure manner |
US9027135B1 (en) | 2004-04-01 | 2015-05-05 | Fireeye, Inc. | Prospective client identification using malware attack detection |
US8549638B2 (en) | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US7587537B1 (en) | 2007-11-30 | 2009-09-08 | Altera Corporation | Serializer-deserializer circuits formed from input-output circuit registers |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US9106694B2 (en) | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US8793787B2 (en) | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US8898788B1 (en) | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US7490268B2 (en) * | 2004-06-01 | 2009-02-10 | The Trustees Of Columbia University In The City Of New York | Methods and systems for repairing applications |
US8024815B2 (en) * | 2006-09-15 | 2011-09-20 | Microsoft Corporation | Isolation environment-based information access |
US8176477B2 (en) | 2007-09-14 | 2012-05-08 | International Business Machines Corporation | Method, system and program product for optimizing emulation of a suspected malware |
US20090103474A1 (en) * | 2007-10-18 | 2009-04-23 | Gang Lu | System and method for improving bluetooth performance in the presence of a coexistent, non-bluetooth, wireless device |
US8850571B2 (en) | 2008-11-03 | 2014-09-30 | Fireeye, Inc. | Systems and methods for detecting malicious network content |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8832829B2 (en) | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US9519782B2 (en) | 2012-02-24 | 2016-12-13 | Fireeye, Inc. | Detecting malicious network content |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US9195829B1 (en) | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9824209B1 (en) | 2013-02-23 | 2017-11-21 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications that is usable to harden in the field code |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US9009822B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for multi-phase analysis of mobile applications |
US9159035B1 (en) | 2013-02-23 | 2015-10-13 | Fireeye, Inc. | Framework for computer application analysis of sensitive information tracking |
US9565202B1 (en) | 2013-03-13 | 2017-02-07 | Fireeye, Inc. | System and method for detecting exfiltration content |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9104867B1 (en) | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9430646B1 (en) | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
WO2014145805A1 (en) | 2013-03-15 | 2014-09-18 | Mandiant, Llc | System and method employing structured intelligence to verify and contain threats at endpoints |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US9251343B1 (en) | 2013-03-15 | 2016-02-02 | Fireeye, Inc. | Detecting bootkits resident on compromised computers |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9635039B1 (en) | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US9536091B2 (en) | 2013-06-24 | 2017-01-03 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9888016B1 (en) | 2013-06-28 | 2018-02-06 | Fireeye, Inc. | System and method for detecting phishing using password prediction |
US9171160B2 (en) | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US10089461B1 (en) | 2013-09-30 | 2018-10-02 | Fireeye, Inc. | Page replacement code injection |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US10192052B1 (en) | 2013-09-30 | 2019-01-29 | Fireeye, Inc. | System, apparatus and method for classifying a file as malicious using static scanning |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US9189627B1 (en) | 2013-11-21 | 2015-11-17 | Fireeye, Inc. | System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9292686B2 (en) | 2014-01-16 | 2016-03-22 | Fireeye, Inc. | Micro-virtualization architecture for threat-aware microvisor deployment in a node of a network environment |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9241010B1 (en) | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US10002252B2 (en) | 2014-07-01 | 2018-06-19 | Fireeye, Inc. | Verification of trusted threat-aware microvisor |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US9934376B1 (en) | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US9477837B1 (en) * | 2015-03-31 | 2016-10-25 | Juniper Networks, Inc. | Configuring a sandbox environment for malware testing |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US9654485B1 (en) | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
WO2016203759A1 (en) * | 2015-06-16 | 2016-12-22 | 日本電気株式会社 | Analysis system, analysis method, analysis device, and recording medium in which computer program is stored |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10108446B1 (en) | 2015-12-11 | 2018-10-23 | Fireeye, Inc. | Late load technique for deploying a virtualization layer underneath a running operating system |
US10050998B1 (en) * | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10621338B1 (en) | 2015-12-30 | 2020-04-14 | Fireeye, Inc. | Method to detect forgery and exploits using last branch recording registers |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10826933B1 (en) | 2016-03-31 | 2020-11-03 | Fireeye, Inc. | Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US10902119B1 (en) | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10554507B1 (en) | 2017-03-30 | 2020-02-04 | Fireeye, Inc. | Multi-level control for enhanced resource and object evaluation management of malware detection system |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
US11563765B2 (en) * | 2020-04-10 | 2023-01-24 | AttackIQ, Inc. | Method for emulating a known attack on a target computer network |
US11677775B2 (en) * | 2020-04-10 | 2023-06-13 | AttackIQ, Inc. | System and method for emulating a multi-stage attack on a node within a target network |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5854916A (en) * | 1995-09-28 | 1998-12-29 | Symantec Corporation | State-based cache for antivirus software |
US5960170A (en) * | 1997-03-18 | 1999-09-28 | Trend Micro, Inc. | Event triggered iterative virus detection |
US6067410A (en) * | 1996-02-09 | 2000-05-23 | Symantec Corporation | Emulation repair system |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5619698A (en) * | 1995-05-05 | 1997-04-08 | Apple Computer, Inc. | Method and apparatus for patching operating systems |
US6014702A (en) * | 1997-06-04 | 2000-01-11 | International Business Machines Corporation | Host information access via distributed programmed objects |
US6112304A (en) * | 1997-08-27 | 2000-08-29 | Zipsoft, Inc. | Distributed computing architecture |
US6275938B1 (en) * | 1997-08-28 | 2001-08-14 | Microsoft Corporation | Security enhancement for untrusted executable code |
US6035405A (en) * | 1997-12-22 | 2000-03-07 | Nortel Networks Corporation | Secure virtual LANs |
US6052531A (en) * | 1998-03-25 | 2000-04-18 | Symantec Corporation | Multi-tiered incremental software updating |
- 2000-06-01 US US09/586,671 patent/US6907396B1/en not_active Expired - Lifetime
- 2005-02-18 US US11/062,185 patent/US20130247198A1/en not_active Abandoned
- 2007-09-14 US US11/855,960 patent/US20130246038A1/en not_active Abandoned
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5854916A (en) * | 1995-09-28 | 1998-12-29 | Symantec Corporation | State-based cache for antivirus software |
US6067410A (en) * | 1996-02-09 | 2000-05-23 | Symantec Corporation | Emulation repair system |
US5960170A (en) * | 1997-03-18 | 1999-09-28 | Trend Micro, Inc. | Event triggered iterative virus detection |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103778372A (en) * | 2014-01-13 | 2014-05-07 | 陈黎飞 | Spectral method for identifying computer software action |
US10120997B2 (en) | 2015-01-01 | 2018-11-06 | Checkmarx Ltd. | Code instrumentation for runtime application self-protection |
WO2016113663A1 (en) * | 2015-01-18 | 2016-07-21 | Checkmarx Ltd. | Rasp for scripting languages |
US20160283716A1 (en) * | 2015-03-28 | 2016-09-29 | Leviathan, Inc. | System and Method for Emulation-based Detection of Malicious Code with Unmet Operating System or Architecture Dependencies |
US10229268B2 (en) * | 2015-03-28 | 2019-03-12 | Leviathan, Inc. | System and method for emulation-based detection of malicious code with unmet operating system or architecture dependencies |
US10387656B2 (en) | 2016-03-21 | 2019-08-20 | Checkmarx Ltd. | Integrated interactive application security testing |
US11087002B2 (en) | 2017-05-10 | 2021-08-10 | Checkmarx Ltd. | Using the same query language for static and dynamic application security testing tools |
US20210334197A1 (en) * | 2020-04-28 | 2021-10-28 | Salesforce.Com, Inc. | Browser-based tests for hybrid applications using a launcher plug-in |
US11836258B2 (en) | 2020-07-28 | 2023-12-05 | Checkmarx Ltd. | Detecting exploitable paths in application software that uses third-party libraries |
Also Published As
Publication number | Publication date |
---|---|
US20130246038A1 (en) | 2013-09-19 |
US6907396B1 (en) | 2005-06-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6907396B1 (en) | | Detecting computer viruses or malicious software by patching instructions into an emulator |
US11853414B2 (en) | | Mitigation of return-oriented programming attacks |
US6775780B1 (en) | | Detecting malicious software by analyzing patterns of system calls generated during emulation |
EP3123311B1 (en) | | Malicious code protection for computer systems based on process modification |
EP0636977B1 (en) | | Method and apparatus for detection of computer viruses |
RU2468426C2 (en) | | File conversion in restricted process |
US7512977B2 (en) | | Intrustion protection system utilizing layers |
US7669059B2 (en) | | Method and apparatus for detection of hostile software |
US7620990B2 (en) | | System and method for unpacking packed executables for malware evaluation |
US20100306851A1 (en) | | Method and apparatus for preventing a vulnerability of a web browser from being exploited |
US20200380127A1 (en) | | Detection of exploitative program code |
US11822654B2 (en) | | System and method for runtime detection, analysis and signature determination of obfuscated malicious code |
US7730530B2 (en) | | System and method for gathering exhibited behaviors on a .NET executable module in a secure manner |
US20020178375A1 (en) | | Method and system for protecting against malicious mobile code |
US8640233B2 (en) | | Environmental imaging |
US20020083334A1 (en) | | Detection of viral code using emulation of operating system functions |
US7024694B1 (en) | | Method and apparatus for content-based instrusion detection using an agile kernel-based auditor |
US20080028462A1 (en) | | System and method for loading and analyzing files |
US7620983B1 (en) | | Behavior profiling |
US7350235B2 (en) | | Detection of decryption to identify encrypted virus |
US8578495B2 (en) | | System and method for analyzing packed files |
Webb | | Evaluating tool based automated malware analysis through persistence mechanism detection |
CN103632086B (en) | | The method and apparatus for repairing basic input-output system BIOS rogue program |
CN105574409A (en) | | Injection code extraction method and device |
CN104834861A (en) | | Trojan searching and killing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: NETWORK ASSOCIATES, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MUTTIK, IGOR;LONG, DUNCAN V.;REEL/FRAME:016317/0989 Effective date: 20000601 |
| AS | Assignment | Owner name: MCAFEE, INC., CALIFORNIA Free format text: MERGER;ASSIGNOR:NETWORKS ASSOCIATES TECHNOLOGY, INC.;REEL/FRAME:016646/0513 Effective date: 20041119 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |