US12072978B2 - Fast antimalware scan - Google Patents

Fast antimalware scan Download PDF

Info

Publication number
US12072978B2
US12072978B2 US17/652,285 US202217652285A US12072978B2 US 12072978 B2 US12072978 B2 US 12072978B2 US 202217652285 A US202217652285 A US 202217652285A US 12072978 B2 US12072978 B2 US 12072978B2
Authority
US
United States
Prior art keywords
file
unknown
malware
known malware
blocks
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US17/652,285
Other versions
US20230267202A1 (en
Inventor
Andrey Kulaga
Serguei Beloussov
Stanislav Protasov
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Acronis International GmbH
Original Assignee
Acronis International GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Acronis International GmbH filed Critical Acronis International GmbH
Priority to US17/652,285 priority Critical patent/US12072978B2/en
Assigned to MIDCAP FINANCIAL TRUST reassignment MIDCAP FINANCIAL TRUST REAFFIRMATION AGREEMENT Assignors: 5NINE SOFTWARE, INC., ACRONIS AG, ACRONIS BULGARIA EOOD, ACRONIS GERMANY GMBH, ACRONIS INC., ACRONIS INTERNATIONAL GMBH, ACRONIS MANAGEMENT LLC, ACRONIS NETHERLANDS B.V., ACRONIS SCS, INC., ACRONIS, INC., DEVICELOCK, INC., DEVLOCKCORP LTD, GROUPLOGIC, INC., NSCALED INC.
Publication of US20230267202A1 publication Critical patent/US20230267202A1/en
Assigned to ACRONIS INTERNATIONAL GMBH reassignment ACRONIS INTERNATIONAL GMBH ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BELOUSSOV, SERGUEI, KULAGA, ANDREY, PROTASOV, STANISLAV
Application granted granted Critical
Publication of US12072978B2 publication Critical patent/US12072978B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/564Static detection by virus signature recognition
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Definitions

  • the invention pertains to computer systems and the identification of files that are not known malware within the computer systems using fast antimalware scan systems and methods.
  • One of the traditional approaches to detect malicious programs and files is to compare the “signatures” of the files under investigation.
  • antivirus applications detect a new sample, they analyze it and create a “signature” that is released as an update to clients. That “signature” is added as a data element to the malware file collection.
  • the process of answering the question of whether a given file is found in a malware list includes calculating a “signature” of that file and further comparison of that “signature” to “signatures” of each of the files in the list of known malware files.
  • antimalware scan should be as fast as possible, and should consume a minimum amount of CPU and I/O resources.
  • the present invention is directed to providing a system and a method for faster detection of some of the “good” files by performing partial matching of one or more continuous byte sequences (blocks) of an unknown file to corresponding block(s) of known malware files while also minimizing the false positive (FP) rate.
  • This problem can be solved by using one or more-continuous byte sequences (blocks) of the unknown file selected according to a certain algorithm/selection criterion to match to the corresponding continuous byte sequences (blocks) of the known malware file.
  • the block selection algorithm may be based on pre-defined number of blocks, lengths, and offsets or on dynamically calculated number of blocks, lengths, and offsets, on or any combination thereof.
  • the block selection algorithm may be based on prior knowledge, e.g., analysis of common blocks within a given malware family or knowledge of the internal format of a file type.
  • the block selection algorithm may be based on the results of the optimization process using a certain sample.
  • the block selection algorithm may be used as a subject of an optimization process.
  • the block selection algorithm may be selected using an artificial intelligence (AI) algorithm including but not limited to neural networks, heuristics, or support vector machines.
  • AI artificial intelligence
  • Selected blocks of the unknown file and corresponding blocks of the known malware file may be compared to each other one-by-one or in concatenated form, possibly with certain separator between blocks, by forming the “synthetic” versions of both files that are later compared to each other using one of the known file comparison algorithms, e.g., by calculating and comparing “signatures”.
  • blocks of an unknown file match corresponding blocks of the known malware file, one or more additional matching steps may be performed to make the match/no match decision.
  • the exemplary invention provides a system and a method for detection of files not matching a known malware file in a computing environment.
  • the exemplary system includes a processor (CPU) of a computer coupled to a memory storing instructions to permit the processor to function as an analyzer.
  • processor CPU
  • memory storing instructions to permit the processor to function as an analyzer.
  • the analyzer is configured to receive as input an unknown file and a known malware file, compare the unknown file to the known malware file by comparing N (where N is greater of equal to 1) blocks B 1 , . . . , B N of lengths L 1 , . . . , L N located at offsets O 1 , . . . , O N such that the number of blocks, lengths and offsets are calculated according to a pre defined algorithm, and output a value indicating that the unknown file is different from the known malware file if exists at least one j that a B j block of the unknown file is different from a B j block of the known malware file.
  • the present system and method can provide an efficient matching of an unknown file within a computer system to a list of known malware files for a fast malware scan of the unknown files with various variants.
  • optimization of the comparison process will be achieved under the following conditions: (1) there exists a cost function C(x) that determines the total cost of an operation, (2) selected block comparison algorithm B identifies P W percentage of files as “good”, and (3) selected block comparison algorithm B identifies (1 ⁇ P W ) percentage of files as “requiring further check” and requiring a full-scale comparison, e.g., using a “signature” algorithm S.
  • Complexity of comparing an unknown file to the selected known malware file is C(S).
  • Complexity of comparing of an unknown file to the selected known malware file using the block-level algorithm is 1*C(B)—comparison of all files using the block algorithm plus (1 ⁇ P w )*C(S)—checking all files that were not identified as “good” with the “signature”.
  • FIG. 1 shows an exemplary procedure for detection of files not matching a known malware file in a computing environment according to an exemplary embodiment
  • FIG. 2 shows the components and interactions of an exemplary system embodying the invention
  • FIG. 3 shows exemplary method steps for implementing the invention to match an unknown file to a collection of known malware files.
  • An exemplary aspect of the present invention is directed to optimize malware signatures for minimum amount of CPU and I/O resources consumption without compromising other quality metrics. It can be implemented by a two-stage scan process.
  • the procedure 100 starts in step 101 with a file scan of reading a fixed amount of data from a particular file. It can be, for example, 64 KB from the beginning of the file, 32 KB from the middle of the file, and 32 KB from the end of the file.
  • the procedure 101 identifies that at least one of the blocks of the unknown file is different from the corresponding block of the known malware file, the procedure issues the “Clean” verdict 105 , meaning that the unknown file does not match to the known malware file presented for comparison.
  • step 102 a special “read more data” signature to antimalware database is performed to determine when more data is required to decide if the file is clean or malware.
  • Read more data is an indicator that more data and other comparison operation(s) need to be performed on the file to answer the match/no match question.
  • the goal of the algorithm is to make the “Read more data” to be infrequent for clean files, so these signatures do not add significant impact for scan time and average amount of resources required for scanning.
  • step 103 additional scans are performed to detect malware, and “clean” and “malware” file verdicts based on the additional scans are identified in step 104 .
  • FIG. 2 shows an exemplary system 200 for implementing a fast antimalware scan algorithm that is applied to computer files for matching them against the list of known malware files.
  • the system 200 for detection of files not matching a known malware file in a computing environment includes a processor coupled to a memory storing instructions to permit the processor to function as an analyzer 203 .
  • the analyzer 203 is configured to receive, as input, an unknown file 201 and a known malware file 202 .
  • Analyzer 203 compares the unknown file 201 to the known malware file 202 by applying an algorithm that uses N (where N is greater or equal to 1) blocks B 1 , . . . , B N of lengths L 1 , . . . , L N located at offsets O 1 , . . . , O N such that each the number of blocks, length and offset can be calculated according to a pre-defined algorithm (e.g., X bytes from the beginning of the file, Y bytes from the middle of the file, and Z bytes before the end of the file, etc.).
  • N is greater or equal to 1
  • an additional matching step may be used to make the match/no match decision.
  • Algorithms may be repeated for each F malware file in the known malware list presented for matching.
  • F unknown may be considered not matching any of the files from the malware list presented for matching.
  • additional matching using one or more different criteria may be used prior to performing the block-level comparison of F unknown and each of the F malware files to determine that F unknown and F malware are different.
  • another additional matching (e.g., calculating a “signature” of F unknown and comparing it to the “signature” of F malware ) using one or more different criteria may be used after performing the block-level comparison of F unknown and F malware files if all blocks of F unknown were found to be identical to corresponding blocks of F malware to make the match/no match decision.
  • the block-level comparison algorithm may be repeated with different sets of blocks (different number of blocks and/or different size of all or some individual blocks and/or offset of all or some individual blocks).
  • the total size of all blocks equals the size of at least one of the following “hash” functions: MD5, SHA1, or any of the SHA-2 family.
  • 3 blocks from each file are used. First block 64 KB at the beginning of each file, second block of 32 KB in the middle of the file, and the third block—last 32 KB of the file.
  • N blocks from each of the F malware files from a known malware collection are pre-calculated and stored in the list of malware files presented for matching.
  • N blocks from each of the F malware files from a known malware collection are extracted from the actual known malware files presented for matching.
  • additional information for each of the F malware files (e.g., “signatures”) is pre-calculated and stored in the list of malware files presented for matching.
  • FIG. 3 shows an exemplary method 300 for detection of files not matching a known malware file in a computing environment.
  • Method 300 includes receiving an unknown file 301 and a known malware file collection 302 in a processor of a computer coupled to a memory device.
  • the unknown file 301 and the known malware file 302 collection are compared in step 303 , by an analyzer of the processor, by comparing N (where N is greater or equal to 1) blocks B 1 , . . . , B N of lengths L 1 , . . . , L N located at offsets O 1 , . . . , O N such that the number of blocks, lengths and offsets are calculated according to a pre-defined algorithm.
  • the method may apply other post-comparison criteria such as comparing at least one signature of the unknown file with at least one signature of the known malware file in step 305 .
  • step 306 it is determined whether the known malware file collection 302 matches the unknown file 301 .
  • step 307 it identifies that the unknown file is a known malware file.
  • step 311 it is checked if the file is the last file in collection.
  • step 310 if all the blocks are not matching in step 310 , it is checked if the file is the last file in collection in step 311 .
  • step 309 fetching another file for collection.
  • step 311 it is confirmed that the file is the last file in the collection
  • step 308 it is determined that the unknown file. 301 is not a known malware file as the files of known malware file collection 302 .
  • a value is outputted to indicate that the unknown file 301 is different from the known malware file collection 302 if there exists at least one j, such that a B j block of the unknown file is different from a B j block of the known malware file.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A system for detection of files not matching a known malware file in a computing environment that includes a processor coupled to a memory storing instructions to permit the processor to function as an analyzer. The analyzer is configured to receive, as input, an unknown file and the known malware file, compare the unknown file to the known malware file by comparing N (where N is greater of equal to 1) blocks B1, . . . , BN of lengths L1, . . . , LN located at offsets O1, . . . , ON such that the number of blocks, lengths and offsets are calculated according to pre-defined algorithm, and output a value indicating that the unknown file is different from the known malware file if exists at least one j that a Bj block of the unknown file is different from a Bj block of the known malware file.

Description

TECHNICAL FIELD
The invention pertains to computer systems and the identification of files that are not known malware within the computer systems using fast antimalware scan systems and methods.
BACKGROUND
Malicious software penetrates and harms computer systems without the knowledge or consent of the owners. Malware is an ongoing problem in computer security. One of the ways to identify malware is to match a given file to a known malware file collection.
One of the traditional approaches to detect malicious programs and files is to compare the “signatures” of the files under investigation. When antivirus applications detect a new sample, they analyze it and create a “signature” that is released as an update to clients. That “signature” is added as a data element to the malware file collection.
These “signatures” are normally calculated using the contents of the entire file, and hence the entire file has to be read in order for the “signature” to be calculated.
That is, in conventional systems, the process of answering the question of whether a given file is found in a malware list includes calculating a “signature” of that file and further comparison of that “signature” to “signatures” of each of the files in the list of known malware files.
Accordingly, existing solutions in conventional systems require full sample scan to detect a malware signature.
However, antimalware scan should be as fast as possible, and should consume a minimum amount of CPU and I/O resources.
Therefore, faster and more efficient systems and methods for matching an unknown file within a computer system to a list of known malware files are needed to compensate for the ever-increasing number of known malware variants.
SUMMARY
The present invention is directed to providing a system and a method for faster detection of some of the “good” files by performing partial matching of one or more continuous byte sequences (blocks) of an unknown file to corresponding block(s) of known malware files while also minimizing the false positive (FP) rate.
The main problem with using “signatures” (e.g., cryptographic hash functions) is that each unknown file needs to be read in its entirety to calculate the “signature” that is later used to match against the “signatures” of known malware files.
This problem can be solved by using one or more-continuous byte sequences (blocks) of the unknown file selected according to a certain algorithm/selection criterion to match to the corresponding continuous byte sequences (blocks) of the known malware file.
The block selection algorithm may be based on pre-defined number of blocks, lengths, and offsets or on dynamically calculated number of blocks, lengths, and offsets, on or any combination thereof.
The block selection algorithm may be based on prior knowledge, e.g., analysis of common blocks within a given malware family or knowledge of the internal format of a file type.
The block selection algorithm may be based on the results of the optimization process using a certain sample.
The block selection algorithm may be used as a subject of an optimization process.
The block selection algorithm may be selected using an artificial intelligence (AI) algorithm including but not limited to neural networks, heuristics, or support vector machines.
Selected blocks of the unknown file and corresponding blocks of the known malware file may be compared to each other one-by-one or in concatenated form, possibly with certain separator between blocks, by forming the “synthetic” versions of both files that are later compared to each other using one of the known file comparison algorithms, e.g., by calculating and comparing “signatures”.
In case of block-by-block comparison, if at least one of the blocks of an unknown file does not match a corresponding block of the known malware file, then the unknown file is definitely different from the known malware file.
If blocks of an unknown file match corresponding blocks of the known malware file, one or more additional matching steps may be performed to make the match/no match decision.
The exemplary invention provides a system and a method for detection of files not matching a known malware file in a computing environment.
The exemplary system includes a processor (CPU) of a computer coupled to a memory storing instructions to permit the processor to function as an analyzer.
The analyzer is configured to receive as input an unknown file and a known malware file, compare the unknown file to the known malware file by comparing N (where N is greater of equal to 1) blocks B1, . . . , BN of lengths L1, . . . , LN located at offsets O1, . . . , ON such that the number of blocks, lengths and offsets are calculated according to a pre defined algorithm, and output a value indicating that the unknown file is different from the known malware file if exists at least one j that a Bj block of the unknown file is different from a Bj block of the known malware file.
The present system and method can provide an efficient matching of an unknown file within a computer system to a list of known malware files for a fast malware scan of the unknown files with various variants.
Optimization of the comparison process will be achieved under the following conditions: (1) there exists a cost function C(x) that determines the total cost of an operation, (2) selected block comparison algorithm B identifies PW percentage of files as “good”, and (3) selected block comparison algorithm B identifies (1−PW) percentage of files as “requiring further check” and requiring a full-scale comparison, e.g., using a “signature” algorithm S.
Complexity of comparing an unknown file to the selected known malware file is C(S). Complexity of comparing of an unknown file to the selected known malware file using the block-level algorithm is 1*C(B)—comparison of all files using the block algorithm plus (1−Pw)*C(S)—checking all files that were not identified as “good” with the “signature”.
Overall, the algorithm yields optimization if C(S)>C(B)+(1−Pw)*C(S).
SUMMARY OF FIGURES
The exemplary aspects of the invention will be better understood from the following detailed description of the exemplary embodiments of the invention with reference to the drawings:
FIG. 1 shows an exemplary procedure for detection of files not matching a known malware file in a computing environment according to an exemplary embodiment;
FIG. 2 shows the components and interactions of an exemplary system embodying the invention; and
FIG. 3 shows exemplary method steps for implementing the invention to match an unknown file to a collection of known malware files.
 DETAILED DESCRIPTION
An exemplary aspect of the present invention is directed to optimize malware signatures for minimum amount of CPU and I/O resources consumption without compromising other quality metrics. It can be implemented by a two-stage scan process.
Most files will be scanned by “single read” with a fixed amount of CPU and VO resources. Few of the files require more data to decide and what needs to be scanned can be determined by content of the first read.
As shown in FIG. 1 , the procedure 100 starts in step 101 with a file scan of reading a fixed amount of data from a particular file. It can be, for example, 64 KB from the beginning of the file, 32 KB from the middle of the file, and 32 KB from the end of the file.
If the procedure 101 identifies that at least one of the blocks of the unknown file is different from the corresponding block of the known malware file, the procedure issues the “Clean” verdict 105, meaning that the unknown file does not match to the known malware file presented for comparison.
In a case that all blocks of the unknown file match all the corresponding blocks of the known malware file, and hence it is impossible to make a decision that files are different using the abbreviated scan, in step 102, a special “read more data” signature to antimalware database is performed to determine when more data is required to decide if the file is clean or malware.
“Read more data” is an indicator that more data and other comparison operation(s) need to be performed on the file to answer the match/no match question.
The goal of the algorithm is to make the “Read more data” to be infrequent for clean files, so these signatures do not add significant impact for scan time and average amount of resources required for scanning.
In step 103, additional scans are performed to detect malware, and “clean” and “malware” file verdicts based on the additional scans are identified in step 104.
FIG. 2 shows an exemplary system 200 for implementing a fast antimalware scan algorithm that is applied to computer files for matching them against the list of known malware files.
The system 200 for detection of files not matching a known malware file in a computing environment includes a processor coupled to a memory storing instructions to permit the processor to function as an analyzer 203.
The analyzer 203 is configured to receive, as input, an unknown file 201 and a known malware file 202.
Analyzer 203 compares the unknown file 201 to the known malware file 202 by applying an algorithm that uses N (where N is greater or equal to 1) blocks B1, . . . , BN of lengths L1, . . . , LN located at offsets O1, . . . , ON such that each the number of blocks, length and offset can be calculated according to a pre-defined algorithm (e.g., X bytes from the beginning of the file, Y bytes from the middle of the file, and Z bytes before the end of the file, etc.).
To match an unknown file Funknown to the known malware file Fmalware, the following steps are performed. For each i from 1 to N (where N is a natural number greater or equal to 1), compare blocks B1, . . . , BN of Funknown to corresponding blocks of Fmalware. If there exists at least one such j between 1 and N that Bj(Funknown) is different from Bj(Fmalware) then Funknown is different from Fmalware.
If all blocks of Funknown match corresponding blocks of Fmalware, an additional matching step may be used to make the match/no match decision.
Algorithms may be repeated for each Fmalware file in the known malware list presented for matching.
If Funknown is different from each Fmalware file from the malware list presented for matching, Funknown may be considered not matching any of the files from the malware list presented for matching.
In an exemplary embodiment, additional matching using one or more different criteria (e.g., comparing certain file attributes such as file lengths of Funknown and Fmalware) may be used prior to performing the block-level comparison of Funknown and each of the Fmalware files to determine that Funknown and Fmalware are different.
In an exemplary embodiment, another additional matching (e.g., calculating a “signature” of Funknown and comparing it to the “signature” of Fmalware) using one or more different criteria may be used after performing the block-level comparison of Funknown and Fmalware files if all blocks of Funknown were found to be identical to corresponding blocks of Fmalware to make the match/no match decision.
In an exemplary embodiment, the block-level comparison algorithm may be repeated with different sets of blocks (different number of blocks and/or different size of all or some individual blocks and/or offset of all or some individual blocks).
In an exemplary embodiment, the total size of all blocks equals the size of at least one of the following “hash” functions: MD5, SHA1, or any of the SHA-2 family.
In an exemplary embodiment, 3 blocks from each file are used. First block 64 KB at the beginning of each file, second block of 32 KB in the middle of the file, and the third block—last 32 KB of the file.
In an exemplary embodiment, N blocks from each of the Fmalware files from a known malware collection are pre-calculated and stored in the list of malware files presented for matching.
In an exemplary embodiment, N blocks from each of the Fmalware files from a known malware collection are extracted from the actual known malware files presented for matching.
In an exemplary embodiment, additional information for each of the Fmalware files (e.g., “signatures”) is pre-calculated and stored in the list of malware files presented for matching.
FIG. 3 shows an exemplary method 300 for detection of files not matching a known malware file in a computing environment.
Method 300 includes receiving an unknown file 301 and a known malware file collection 302 in a processor of a computer coupled to a memory device.
The unknown file 301 and the known malware file 302 collection are compared in step 303, by an analyzer of the processor, by comparing N (where N is greater or equal to 1) blocks B1, . . . , BN of lengths L1, . . . , LN located at offsets O1, . . . , ON such that the number of blocks, lengths and offsets are calculated according to a pre-defined algorithm.
When all block files are matching, in step 304, the method may apply other post-comparison criteria such as comparing at least one signature of the unknown file with at least one signature of the known malware file in step 305.
In step 306, it is determined whether the known malware file collection 302 matches the unknown file 301.
When the known malware file collection 302 matches the unknown file 301, in step 307, it identifies that the unknown file is a known malware file.
When the known malware file collection 302 does not match the unknown file 301, in step 311, it is checked if the file is the last file in collection.
Further, in the comparison process 303, if all the blocks are not matching in step 310, it is checked if the file is the last file in collection in step 311.
When the file is not the last file in the collection, the iteration continues in step 309 by fetching another file for collection.
When in step 311 it is confirmed that the file is the last file in the collection, in step 308, it is determined that the unknown file. 301 is not a known malware file as the files of known malware file collection 302.
Based on the above system and method of present invention, a fast procedure to classify all files with evaluating by deeper scan by applying a two-stage approach to malware detection can be provided.
That is, a value is outputted to indicate that the unknown file 301 is different from the known malware file collection 302 if there exists at least one j, such that a Bj block of the unknown file is different from a Bj block of the known malware file.

Claims (18)

The invention claimed is:
1. A system for detection of files not matching a known malware file in a computing environment, the system comprising:
a processor coupled to a memory storing instructions to permit the processor to function as an analyzer,
wherein the analyzer is configured to:
receive, as input, an unknown file and the known malware file;
compare the unknown file to the known malware file by comparing N (where N is greater than 1) blocks B1, . . . , BN, of lengths L1, . . . , LN, located at offsets O1, . . . , ON of the unknown file to the corresponding blocks of the known malware file at the offsets such that a number of blocks N, the lengths and the offsets are calculated according to predefined algorithm based on malware file types, wherein each of the offsets is calculated for a first number of bytes at a beginning of a file, a second number of bytes at a middle of the file, and a third number of bytes before an end of the file; and
output a value based on the comparison, indicating that the unknown file is different from the known malware file if there exists at least one j such that 1<=i<=N and a Bj block of the unknown file is different from a Bj block of the known malware file.
2. The system of claim 1, wherein selected file attributes of the known file are compared to file attributes of the known malware file and, if the selected file attributes of the known file are not the same as the file attributes of the known malware file, a decision is made that the unknown file is different from the malware file.
3. The system of cairn 1, wherein the analyzer compares the unknown file to every file in a malware fife collection comprising the known malware file.
4. The system of claim 1, wherein the analyzer outputs the value indicating that the unknown file is different from every file in the malware file collection.
5. The system of claim 1, wherein, before the analyzer determines if the unknown file is different from the known malware file, the processor is configured to perform a pre-comparison of the unknown file with the known malware file.
6. The system of claim 4, wherein the pre-comparison comprises comparing a file size of the unknown file to a file size of the known malware file.
7. The system of claim 5, wherein, after that the analyzer determines if the unknown file is different from the known malware file, the processor is further configured to perform a post-comparison.
8. The system of claim 6, wherein the post-comparison comprises comparing at least one signature of the unknown file with at least one signature of the known malware file.
9. The system of claim 1, wherein, after that the analyzer determines if the unknown file is different from the known malware file, the processor is further configured to perform a post-comparison.
10. The system of claim 8, wherein the post-comparison comprises comparing at least one signature of the unknown file with at least one signature of the known malware file.
11. The system of claim 1, wherein blocks are strings comprising sequences of bytes or characters within the file that end with one or more specific bytes or characters used within a given file as an indicator of “end of the line” or “carriage return”.
12. The system of claim 1, wherein blocks are selected based on a known file format.
13. The system of claim 1, wherein blocks of the unknown file are compared to corresponding blocks of the known malware file one-by-one.
14. The system of claim 1, wherein selected blocks of the unknown file and corresponding blocks of the known malware file are concatenated in two “synthetic” A files that are later compared using one of known file comparison algorithms.
15. A method for detection of files not matching a known malware file in a computing environment, the method comprising:
receiving an unknown file and the known malware file;
comparing the unknown file to the known malware file by comparing N (where N is greater than 1) blocks B1, . . . , BN, of pre-defined lengths L1, . . . , LN, located at offsets O1, . . . , ON of the unknown file to the corresponding blocks of the known malware file at the offsets such that a number of blocks N, the lengths and the offsets are calculated according to predefined algorithm based on malware file types, wherein each of the offsets is calculated for a first number of bytes at a beginning of a file, a second number of bytes at a middle of the file, and a third number of bytes before an end of the file; and
outputting a value based on the comparison, indicating that the unknown file is different from the known malware file if there exists at least one j such that 1<=i<=N and a Bj block of the unknown file is different from a Bj block of the known malware file.
16. The method of claim 15, wherein certain file attributes of the known file are compared to file attributes of the known malware file and, if the certain file attributes of the known file are not the same as the file attributes of the known malware file, a decision is made that the unknown file is different from the malware file.
17. The method of claim 15, wherein, in the step of comparing further comprises comparing the unknown file to every file in a malware file collection comprising the known malware file.
18. The method of claim 17, wherein the step of outputting further comprises outputting the value indicating that the unknown file is different from every file in the malware file collection.
US17/652,285 2022-02-24 2022-02-24 Fast antimalware scan Active 2042-11-23 US12072978B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/652,285 US12072978B2 (en) 2022-02-24 2022-02-24 Fast antimalware scan

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US17/652,285 US12072978B2 (en) 2022-02-24 2022-02-24 Fast antimalware scan

Publications (2)

Publication Number Publication Date
US20230267202A1 US20230267202A1 (en) 2023-08-24
US12072978B2 true US12072978B2 (en) 2024-08-27

Family

ID=87574289

Family Applications (1)

Application Number Title Priority Date Filing Date
US17/652,285 Active 2042-11-23 US12072978B2 (en) 2022-02-24 2022-02-24 Fast antimalware scan

Country Status (1)

Country Link
US (1) US12072978B2 (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080263669A1 (en) * 2007-04-23 2008-10-23 Secure Computing Corporation Systems, apparatus, and methods for detecting malware
US20080263665A1 (en) 2007-04-20 2008-10-23 Juniper Networks, Inc. Network attack detection using partial deterministic finite automaton pattern matching
US20120159631A1 (en) 2009-07-10 2012-06-21 Jarno Niemela Anti-Virus Scanning
US8375450B1 (en) 2009-10-05 2013-02-12 Trend Micro, Inc. Zero day malware scanner
CN104504333A (en) * 2014-11-25 2015-04-08 武汉安天信息技术有限责任公司 Malicious code detection method and device of ELF (executable and linkable format) file
US9239922B1 (en) 2013-03-11 2016-01-19 Trend Micro Inc. Document exploit detection using baseline comparison
US20160094565A1 (en) 2014-09-29 2016-03-31 Juniper Networks, Inc. Targeted attack discovery
CN106415582A (en) * 2014-06-27 2017-02-15 迈克菲股份有限公司 Mitigation of malware
WO2017213400A1 (en) 2016-06-06 2017-12-14 Samsung Electronics Co., Ltd. Malware detection by exploiting malware re-composition variations
US10073983B1 (en) 2015-12-11 2018-09-11 Symantec Corporation Systems and methods for identifying suspicious singleton files using correlational predictors
US10713361B2 (en) 2017-06-12 2020-07-14 Acronis International Gmbh Anti-malware protection using volume filters
US20210200866A1 (en) 2019-07-16 2021-07-01 Acronis International Gmbh System and method of inspecting archive slices for malware using empty sparse files
CN114417335A (en) * 2022-01-19 2022-04-29 杭州安恒信息技术股份有限公司 A malicious file detection method, device, electronic device and storage medium

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080263665A1 (en) 2007-04-20 2008-10-23 Juniper Networks, Inc. Network attack detection using partial deterministic finite automaton pattern matching
US20080263669A1 (en) * 2007-04-23 2008-10-23 Secure Computing Corporation Systems, apparatus, and methods for detecting malware
US20120159631A1 (en) 2009-07-10 2012-06-21 Jarno Niemela Anti-Virus Scanning
US8375450B1 (en) 2009-10-05 2013-02-12 Trend Micro, Inc. Zero day malware scanner
US9239922B1 (en) 2013-03-11 2016-01-19 Trend Micro Inc. Document exploit detection using baseline comparison
CN106415582A (en) * 2014-06-27 2017-02-15 迈克菲股份有限公司 Mitigation of malware
US20160094565A1 (en) 2014-09-29 2016-03-31 Juniper Networks, Inc. Targeted attack discovery
CN104504333A (en) * 2014-11-25 2015-04-08 武汉安天信息技术有限责任公司 Malicious code detection method and device of ELF (executable and linkable format) file
US10073983B1 (en) 2015-12-11 2018-09-11 Symantec Corporation Systems and methods for identifying suspicious singleton files using correlational predictors
WO2017213400A1 (en) 2016-06-06 2017-12-14 Samsung Electronics Co., Ltd. Malware detection by exploiting malware re-composition variations
US10713361B2 (en) 2017-06-12 2020-07-14 Acronis International Gmbh Anti-malware protection using volume filters
US20210200866A1 (en) 2019-07-16 2021-07-01 Acronis International Gmbh System and method of inspecting archive slices for malware using empty sparse files
CN114417335A (en) * 2022-01-19 2022-04-29 杭州安恒信息技术股份有限公司 A malicious file detection method, device, electronic device and storage medium

Also Published As

Publication number Publication date
US20230267202A1 (en) 2023-08-24

Similar Documents

Publication Publication Date Title
EP3899770B1 (en) System and method for detecting data anomalies by analysing morphologies of known and/or unknown cybersecurity threats
CN109145600B (en) System and method for detecting malicious files using static analysis elements
US8819835B2 (en) Silent-mode signature testing in anti-malware processing
RU2551820C2 (en) Method and apparatus for detecting viruses in file system
US9104872B2 (en) Memory whitelisting
US20070152854A1 (en) Forgery detection using entropy modeling
US20090133125A1 (en) Method and apparatus for malware detection
WO2020000743A1 (en) Webshell detection method and related device
Zhang et al. SaaS: A situational awareness and analysis system for massive android malware detection
US11288368B1 (en) Signature generation
US11068595B1 (en) Generation of file digests for cybersecurity applications
Naik et al. Fuzzy-Import Hashing: A malware analysis approach
US20120185939A1 (en) Malware detection
CN108256329B (en) Fine-grained RAT program detection method and system based on dynamic behavior and corresponding APT attack detection method
US10747879B2 (en) System, method, and computer program product for identifying a file used to automatically launch content as unwanted
US7367056B1 (en) Countering malicious code infections to computer files that have been infected more than once
US12072978B2 (en) Fast antimalware scan
CA3125101A1 (en) System and method for detecting data anomalies by analysing morphologies of known and/or unknown cybersecurity threats
US8918873B1 (en) Systems and methods for exonerating untrusted software components
CN112347479B (en) False alarm correction method, device, equipment and storage medium for malicious software detection
CN113486359A (en) Software vulnerability detection method and device, electronic device and storage medium
CN117951704B (en) Hash calculation method and device of executable file, electronic equipment and medium
Adegbehingbe et al. Assessing the Impact of Matched Fragments' Relative Locations on Application Artifact Inference
Moia et al. A study on approximate matching for similarity search: techniques, limitations and improvements for digital forensic investigations
WO2022102110A1 (en) Falsification detection device, falsification detection method, and falsification detection program

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

AS Assignment

Owner name: MIDCAP FINANCIAL TRUST, MARYLAND

Free format text: REAFFIRMATION AGREEMENT;ASSIGNORS:ACRONIS AG;ACRONIS INTERNATIONAL GMBH;ACRONIS SCS, INC.;AND OTHERS;REEL/FRAME:061330/0818

Effective date: 20220427

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

ZAAA Notice of allowance and fees due

Free format text: ORIGINAL CODE: NOA

ZAAB Notice of allowance mailed

Free format text: ORIGINAL CODE: MN/=.

AS Assignment

Owner name: ACRONIS INTERNATIONAL GMBH, SWITZERLAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KULAGA, ANDREY;BELOUSSOV, SERGUEI;PROTASOV, STANISLAV;REEL/FRAME:067902/0116

Effective date: 20240123

STPP Information on status: patent application and granting procedure in general

Free format text: AWAITING TC RESP, ISSUE FEE PAYMENT VERIFIED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

OSZAR »