公开(公告)号：US20230385413A1

公开(公告)日：2023-11-30

申请号：US17825684

申请日：2022-05-26

Applicant: VMware, Inc.

Inventor： Rayanagouda Bheemanagouda PATIL ,  Kedar Bhalchandra CHAUDHARI ,  Clemens KOLBITSCH ,  Laxmikant Vithal GUNDA ,  Vaibhav KULKARNI

IPC: G06F21/56 ,  G06F21/53

CPC classification number: G06F21/566 ,  G06F21/53 ,  G06F2221/034

Abstract: The disclosure herein describes executing unknown processes while preventing sandbox-evading malware therein from performing malicious behavior. A process execution event associated with an executable is detected, wherein the executable is to be executed in a production environment. The executable is determined to be an unknown executable (e.g., an executable that has not been analyzed for malware) using signature data in the process execution event. A function call hook interface of a sandbox simulator is activated, and a process of the executable is executed in the production environment. Any function calls from the executing process are intercepted by the activated function call hook interface, and sandbox-style responses to the intercepted function call are generated using sandbox response data of the sandbox simulator. The generated sandbox responses are provided to the executing process, whereby malware included in the executable behaves as if the executing process is executing in a sandbox environment.