公开(公告)号：US20230110049A1

公开(公告)日：2023-04-13

申请号：US17450738

申请日：2021-10-13

Applicant: VMware, Inc.

Inventor： Anand Jaysingh BHALERAO ,  Vaibhav KULKARNI ,  Taher BARODAWALA

IPC: G06F21/56 ,  G06F21/55

Abstract: A method for detecting malware in a distributed malware detection system comprising a plurality of endpoints, is provided. The method generally includes inspecting, at a first endpoint of the plurality of endpoints, a file classified as an unknown file; based on the inspecting, determining, at the first endpoint, a first verdict for the file, the first verdict indicating the file is benign or malicious; determining whether an aggregate number of verdicts for the file from the plurality of endpoints, including the first verdict, meets a first threshold; and selectively reclassifying the file as benign or malicious based on whether the aggregate number of verdicts for the file meets the first threshold.

公开(公告)号：US20230385413A1

公开(公告)日：2023-11-30

申请号：US17825684

申请日：2022-05-26

Applicant: VMware, Inc.

Inventor： Rayanagouda Bheemanagouda PATIL ,  Kedar Bhalchandra CHAUDHARI ,  Clemens KOLBITSCH ,  Laxmikant Vithal GUNDA ,  Vaibhav KULKARNI

IPC: G06F21/56 ,  G06F21/53

CPC classification number: G06F21/566 ,  G06F21/53 ,  G06F2221/034

Abstract: The disclosure herein describes executing unknown processes while preventing sandbox-evading malware therein from performing malicious behavior. A process execution event associated with an executable is detected, wherein the executable is to be executed in a production environment. The executable is determined to be an unknown executable (e.g., an executable that has not been analyzed for malware) using signature data in the process execution event. A function call hook interface of a sandbox simulator is activated, and a process of the executable is executed in the production environment. Any function calls from the executing process are intercepted by the activated function call hook interface, and sandbox-style responses to the intercepted function call are generated using sandbox response data of the sandbox simulator. The generated sandbox responses are provided to the executing process, whereby malware included in the executable behaves as if the executing process is executing in a sandbox environment.