-
Publication (Announcement) No.: US10887328B1
Publication (Announcement) Date: 2021-01-05
Application No.: US16042998
Application Date: 2018-07-23
Applicant: FireEye, Inc.
Inventor: Sushant Paithane, Sai Omkar Vashisht
Abstract: For one embodiment, a computerized method for detecting exploit attacks on an interpreter comprises configuring a virtual machine including a user mode and a kernel mode and processing an object by an application operating in the user mode of the virtual machine. Responsive to the processing of the object, detecting a loading of an interpreter. Furthermore, responsive to the loading of the interpreter, inserting one or more intercept points for detecting one or more types of software calls from the interpreter or for detecting a certain type or certain types of activities occurring within the interpreter. Thereafter, an exploit attack is detected as being conducted by the object in response to the interpreter invoking a software call that corresponds to the one or more types of software calls that is considered anomalous when invoked by the interpreter or an anomalous activity being conducted within the interpreter.
-
Publication (Announcement) No.: US10552610B1
Publication (Announcement) Date: 2020-02-04
Application No.: US15627272
Application Date: 2017-06-19
Applicant: FireEye, Inc.
Inventor: Sai Omkar Vashisht, Phung-Te Ha, Sushant Paithane, Sumer Deshpande
Abstract: A method for updating a virtual machine disk snapshot for use in instantiating one or more virtual guest instances for malware detection is described. The method features (i) detecting a guest image update package that includes information for updating one or more software components included as part of the virtual machine disk snapshot, and (ii) determining whether the guest image update package is currently contained in a contiguous storage area that is part of the virtual machine disk snapshot. Responsive to determining that the guest image update package is more recent than content currently contained in the contiguous storage area, the guest image update package is inserted into the contiguous storage area that is part of the virtual machine disk snapshot to generate a revised virtual machine disk snapshot that includes the one or more updated software components.
-
Publication (Announcement) No.: US10902119B1
Publication (Announcement) Date: 2021-01-26
Application No.: US15627266
Application Date: 2017-06-19
Applicant: FireEye, Inc.
Inventor: Sai Omkar Vashisht, Phung-Te Ha, Sushant Paithane, Durvesh Ashok Raut
Abstract: According to one embodiment, a computerized method features monitoring behaviors of an object during processing within a guest system of a virtual machine. Within a guest system, a rule-based analysis of data associated with the monitored behaviors is conducted. The rule-based analysis includes prioritizing data associated with the monitored behaviors that correspond to an exception, and thereafter, storing the data associated with the monitored behaviors that correspond to the exception into a prescribed area of a virtual image file. The prescribed area is accessible by (i) logic within the guest system and (ii) logic within a host system of the virtual machine.
-
Publication (Announcement) No.: US10033747B1
Publication (Announcement) Date: 2018-07-24
Application No.: US14869901
Application Date: 2015-09-29
Applicant: FireEye, Inc.
Inventor: Sushant Paithane, Sai Omkar Vashisht
IPC: H04L29/06
CPC classification number: H04L63/1416, G06F21/54, H04L63/1425, H04L63/1466
Abstract: For one embodiment, a computerized method for detecting exploit attacks on an interpreter comprises configuring a virtual machine including a user mode and a kernel mode and processing an object by an application operating in the user mode of the virtual machine. Responsive to the processing of the object, detecting a loading of an interpreter. Furthermore, responsive to the loading of the interpreter, inserting one or more intercept points for detecting one or more types of software calls from the interpreter or for detecting a certain type or certain types of activities occurring within the interpreter. Thereafter, an exploit attack is detected as being conducted by the object in response to the interpreter invoking a software call that corresponds to the one or more types of software calls that is considered anomalous when invoked by the interpreter or an anomalous activity being conducted within the interpreter.
-
Publication (Announcement) No.: US10834107B1
Publication (Announcement) Date: 2020-11-10
Application No.: US16404546
Application Date: 2019-05-06
Applicant: FireEye, Inc.
Inventor: Sushant Paithane, Sai Omkar Vashisht, Yasir Khalid, Alexandre Pilipenko
Abstract: A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework configures a plurality of processes for analyzing the object for malware, and each of the plurality of processes is configured with a different application and plug-in combination selected based in part on the type of object being analyzed, the processes operating concurrently with each other.
-
Publication (Announcement) No.: US10430586B1
Publication (Announcement) Date: 2019-10-01
Application No.: US15258993
Application Date: 2016-09-07
Applicant: FireEye, Inc.
Inventor: Sushant Paithane, Sai Omkar Vashisht
Abstract: A non-transitory storage medium including instructions that are executable by one or more processors to perform operations including instrumenting a VM is shown. The VM is used to process an object to determine whether the object is associated with malware. Logic within the VM analyzes memory allocated for a process within the VM for a point of interest (POI), the POI being an address of one of a set of predetermined instructions likely to be associated with malware. The VMM detects a memory violation during processing of the object and, responsive to detecting the memory violation, injects a transition event at the POI on the page on which the POI is located in memory. Further, responsive to detecting an attempted execution of the transition event, (i) the VMM emulates an instruction located at the POI, and (ii) the logic within the VM performs one or more malware detection routines.
-
Publication (Announcement) No.: US10581879B1
Publication (Announcement) Date: 2020-03-03
Application No.: US15627270
Application Date: 2017-06-19
Applicant: FireEye, Inc.
Inventor: Sushant Paithane, Sai Omkar Vashisht
Abstract: A computerized method to identify malicious code generated by seemingly benign objects is described. The generated-malware detection system described identifies generated objects (code) and analyzes each generated object to collect features which may be associated with maliciousness. The analysis may determine whether an Abstract Syntax Tree (AST) representation of the generated object is correlated with known malware ASTs. Correlation of the features identified during processing of the generated objects, including the sequences of generated objects, may be used in classifying the object as malicious. The malware detection system may communicate with one or more endpoint devices to influence detection and reporting of behaviors and malware by those device(s).
-
Publication (Announcement) No.: US10581874B1
Publication (Announcement) Date: 2020-03-03
Application No.: US14986417
Application Date: 2015-12-31
Applicant: FireEye, Inc.
Inventor: Yasir Khalid, Sai Omkar Vashisht, Alexander Otvagin
Abstract: A computerized method for detecting malware associated with an object is described. The method includes operations of analyzing an object to obtain a first set of attributes, where the first set of attributes includes one or more characteristics associated with the object. Furthermore, the object is processed with a virtual machine to obtain a second set of attributes. The second set of attributes corresponds to one or more monitored behaviors of the virtual machine during processing of the object. Thereafter, a threat index is determined based, at least in part, on a combination of at least one attribute of the first set of attributes and at least one attribute of the second set of attributes. The threat index represents a probability of maliciousness associated with the object.
-
Publication (Announcement) No.: US20180048660A1
Publication (Announcement) Date: 2018-02-15
Application No.: US14937802
Application Date: 2015-11-10
Applicant: FireEye, Inc.
Inventor: Sushant Paithane, Sai Omkar Vashisht, Yasir Khalid, Alexandre Pilipenko
CPC classification number: H04L63/1416, G06F21/53, G06F21/554, G06F21/566, G06F21/6218
Abstract: A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework generates a plurality of processes for analyzing the object for malware, and each of the plurality of processes is configured with a different application and plug-in combination selected based in part on the type of object being analyzed.
-