-
1.
Publication (Announcement) No.: US20230385413A1
Publication (Announcement) Date: 2023-11-30
Application No.: US17825684
Filing Date: 2022-05-26
Applicant: VMware, Inc.
Inventor: Rayanagouda Bheemanagouda PATIL, Kedar Bhalchandra CHAUDHARI, Clemens KOLBITSCH, Laxmikant Vithal GUNDA, Vaibhav KULKARNI
CPC classification number: G06F21/566, G06F21/53, G06F2221/034
Abstract: The disclosure herein describes executing unknown processes while preventing sandbox-evading malware therein from performing malicious behavior. A process execution event associated with an executable is detected, wherein the executable is to be executed in a production environment. The executable is determined to be an unknown executable (e.g., an executable that has not been analyzed for malware) using signature data in the process execution event. A function call hook interface of a sandbox simulator is activated, and a process of the executable is executed in the production environment. Any function calls from the executing process are intercepted by the activated function call hook interface, and sandbox-style responses to the intercepted function calls are generated using sandbox response data of the sandbox simulator. The generated sandbox responses are provided to the executing process, whereby malware included in the executable behaves as if the executing process is executing in a sandbox environment.
-
2.
Publication (Announcement) No.: US20230367877A1
Publication (Announcement) Date: 2023-11-16
Application No.: US17743274
Filing Date: 2022-05-12
Applicant: VMware, Inc.
Inventor: Kedar Bhalchandra CHAUDHARI, Pranav GOKHALE, Mandar BARVE
CPC classification number: G06F21/566, G06F21/53
Abstract: The disclosure herein describes the processing of malware scan requests from VCIs by an anti-malware scanner (AMS) on a host device. A malware scan request is received by the AMS from a VCI, the malware scan request including script data of a script from a memory buffer of the VCI. The AMS scans the script data of the malware scan request, outside of the VCI, and determines that the script includes malware. The AMS notifies the VCI that the script includes malware, whereby the VCI is configured to prevent execution of the script or take other mitigating action. The AMS provides scanning for fileless malware to VCIs on a host device without consuming or otherwise affecting resources of the VCIs.
-
3.
Publication (Announcement) No.: US20230297687A1
Publication (Announcement) Date: 2023-09-21
Application No.: US17655779
Filing Date: 2022-03-21
Applicant: VMware, Inc.
Inventor: Shivali SHARMA, Raunak Ravindra SINGWI, Kedar Bhalchandra CHAUDHARI, Akeem Lamar JENKINS
CPC classification number: G06F21/577, G06F21/566, G06F2221/033, G06F2221/2141
Abstract: A method for assigning permissions to files in a malware detection system is provided. The method generally includes assigning a first subset of permissions to a first file classified as an unknown file, opening the first file in accordance with the first subset of permissions, determining a first verdict for the first file, the first verdict indicating the first file is benign, assigning a second subset of permissions to the first file based on determining the first verdict indicating the first file is benign, and executing the first file in accordance with the second subset of permissions.
-
4.
Publication (Announcement) No.: US20230328099A1
Publication (Announcement) Date: 2023-10-12
Application No.: US17658588
Filing Date: 2022-04-08
Applicant: VMware, Inc.
Inventor: Rayanagouda Bheemanagouda PATIL, Kedar Bhalchandra CHAUDHARI, Shivali SHARMA, Laxmikant Vithal GUNDA, Sriram GOPALAKRISHNAN
IPC: H04L9/40
CPC classification number: H04L63/145, H04L63/1416, H04L63/1425
Abstract: A method for opening unknown files in a malware detection system is provided. The method generally includes receiving a request to open a file classified as an unknown file, opening the file in a container, collecting at least one of a log of events carried out by the file or observed behavior traces of the file while open in the container, transmitting, to a file analyzer, at least one of the file, the log of events, or the behavior traces for static analysis, determining a final verdict for the file based on at least one of the file, the log of events, or the behavior traces, wherein the final verdict for the file is based on the static analysis or dynamic analysis of the file, and taking one or more actions based on a policy configured for the first endpoint and the final verdict.