US Patent Application 17825684. PREVENTING ACTIVATION OF MALWARE BY EXHIBITING SANDBOX BEHAVIOR IN A NON-SANDBOX ENVIRONMENT simplified abstract

From WikiPatents

PREVENTING ACTIVATION OF MALWARE BY EXHIBITING SANDBOX BEHAVIOR IN A NON-SANDBOX ENVIRONMENT

Organization Name

VMware, Inc.

Inventor(s)

Rayanagouda Bheemanagouda Patil of Pune (IN)

Kedar Bhalchandra Chaudhari of Pune (IN)

Clemens Kolbitsch of Goleta CA (US)

Laxmikant Vithal Gunda of San Jose CA (US)

Vaibhav Kulkarni of Pune (IN)

PREVENTING ACTIVATION OF MALWARE BY EXHIBITING SANDBOX BEHAVIOR IN A NON-SANDBOX ENVIRONMENT - A simplified explanation of the abstract

This abstract first appeared for US patent application 17825684, titled 'PREVENTING ACTIVATION OF MALWARE BY EXHIBITING SANDBOX BEHAVIOR IN A NON-SANDBOX ENVIRONMENT'.

Simplified Explanation

The patent application describes a method for executing unknown processes while preventing sandbox-evading malware from causing harm.

  • The method detects a process execution event associated with an executable that is to be executed in a production environment.
  • If the executable is determined to be unknown (not analyzed for malware), a sandbox simulator is activated.
  • The process of the executable is then executed in the production environment.
  • Any function calls made by the executing process are intercepted by the sandbox simulator.
  • The sandbox simulator generates sandbox-style responses to these intercepted function calls using sandbox response data.
  • The generated sandbox responses are provided to the executing process, making the malware behave as if it is running in a sandbox environment.


Original Abstract Submitted

The disclosure herein describes executing unknown processes while preventing sandbox-evading malware therein from performing malicious behavior. A process execution event associated with an executable is detected, wherein the executable is to be executed in a production environment. The executable is determined to be an unknown executable (e.g., an executable that has not been analyzed for malware) using signature data in the process execution event. A function call hook interface of a sandbox simulator is activated, and a process of the executable is executed in the production environment. Any function calls from the executing process are intercepted by the activated function call hook interface, and sandbox-style responses to the intercepted function call are generated using sandbox response data of the sandbox simulator. The generated sandbox responses are provided to the executing process, whereby malware included in the executable behaves as if the executing process is executing in a sandbox environment.
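The flow in the abstract can be modelled in a few lines. This is an added illustration, not code from the patent application or from VMware; it assumes the signature data is a SHA-256 hash of the image, and every function name, hostname and response value is constructed for the example.

```python
import hashlib

# Constructed stand-ins: the page names neither the hooked functions
# nor the values held in the sandbox response data.
KNOWN_SIGNATURES = {hashlib.sha256(b"analyzed-app").hexdigest()}
SANDBOX_RESPONSE_DATA = {
    "get_hostname": "SANDBOX-PC",
    "get_uptime_seconds": 120,
    "get_cpu_count": 1,
}

class HostApi:
    """Real answers from the production host (constructed values)."""
    def get_hostname(self): return "fin-ws-0142"
    def get_uptime_seconds(self): return 864000
    def get_cpu_count(self): return 16
    def read_file(self, path): return f"<contents of {path}>"

class HookInterface:
    """Function call hook interface: intercepts every call, answers from
    sandbox response data, and passes calls without an entry to the host."""
    def __init__(self, real_api, response_data):
        self._real = real_api
        self._responses = response_data
        self.intercepted = []  # audit trail usable as detection telemetry

    def __getattr__(self, name):
        real_fn = getattr(self._real, name)  # AttributeError if no such call
        def hooked(*args, **kwargs):
            self.intercepted.append(name)
            if name in self._responses:
                return self._responses[name]   # sandbox-style response
            return real_fn(*args, **kwargs)    # ordinary behaviour preserved
        return hooked

def on_process_execution_event(event, real_api):
    """Return the API surface the new process will see."""
    if event["signature"] in KNOWN_SIGNATURES:
        return real_api  # known executable: simulator stays inactive
    return HookInterface(real_api, SANDBOX_RESPONSE_DATA)

def environment_seen_by(image_bytes):
    """Build the execution event for an image and report what it observes."""
    event = {"signature": hashlib.sha256(image_bytes).hexdigest()}
    api = on_process_execution_event(event, HostApi())
    return api.get_hostname(), api.get_uptime_seconds(), api.get_cpu_count()
```

The `intercepted` list shows a side benefit of this design: the sequence of environment probes made by an unknown process is itself a signal worth forwarding to detection tooling.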