Independent claim:
1. A computer-implemented method for detecting malicious content, the method comprising:
monitoring, by a monitoring module executed by a processor, behavior of a malicious content suspect executed within a sandboxed operating environment, wherein the sandboxed operating environment comprises a virtual machine that operates in accordance with an operating environment targeted by the malicious content suspect;
in response to detection of one or more predetermined events from the monitored behavior that are triggered by the malicious content suspect, generating, by a memory dump module, a memory dump associated with the malicious content suspect;
storing, within a storage device, a portion of data associated with the virtual machine, which includes one or more of (i) contents of the memory dump and (ii) the one or more predetermined events, in a directory accessible to a controller that is part of a virtual machine monitor (VMM);
retrieving at least the contents of the memory dump via the directory; and
analyzing, by an analysis module, at least the contents of the memory dump to determine whether the malicious content suspect should be declared as malicious based on a set of one or more rules.
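The claim describes a five-step pipeline (monitor the suspect in a guest VM, dump memory when a predetermined event fires, store the dump and events in a directory the VMM-side controller can reach, retrieve the dump through that directory, then apply rules to the dump). The following is an added illustration written for this page, not code from the patent or its assignee: the trigger events, the rule set (byte patterns with weights), the threshold, the directory layout and the constructed guest-memory image are all assumptions, since the claim names none of them. A real deployment would obtain the dump from the hypervisor rather than from an in-process byte string.

```python
"""Added example (not from the patent): toy monitor -> dump -> store ->
retrieve -> rule-based analysis pipeline mirroring the claimed steps."""
import json
import tempfile
from pathlib import Path

# Assumed trigger events; the claim only says "predetermined events".
TRIGGER_EVENTS = {
    "process_injection",
    "persistence_registry_write",
    "unexpected_network_connect",
}

# Assumed rule set: (rule name, byte pattern looked for in the dump, weight).
RULES = [
    ("pe_header_in_private_region", b"MZ\x90\x00", 1),
    ("remote_thread_api_string", b"CreateRemoteThread", 2),
    ("c2_url_fragment", b"/gate.php", 2),
]
MALICIOUS_THRESHOLD = 3  # assumed: declare malicious at or above this score

# Constructed stand-in for guest memory; a real dump would come from the VMM.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00CreateRemoteThread\x00"
    + b"http://198.51.100.7/gate.php\x00"
)


class SandboxMonitor:
    """Monitoring module plus memory-dump module for one suspect in the guest."""

    def __init__(self, guest_memory: bytes):
        self.guest_memory = guest_memory
        self.events = []

    def observe(self, event: str) -> bool:
        """Record an observed event; True when it is a predetermined trigger."""
        self.events.append(event)
        return event in TRIGGER_EVENTS

    def memory_dump(self) -> bytes:
        """Snapshot the suspect's memory at the moment of the trigger."""
        return bytes(self.guest_memory)


def store_artifacts(shared_dir: Path, suspect_id: str, dump: bytes, events: list) -> Path:
    """Write the dump and the event list to a directory the VMM controller can read."""
    target = shared_dir / suspect_id
    target.mkdir(parents=True, exist_ok=True)
    (target / "memory.dmp").write_bytes(dump)
    (target / "events.json").write_text(json.dumps(events))
    return target


def retrieve_dump(artifact_dir: Path) -> bytes:
    """Controller side: pull the dump back out via the shared directory."""
    return (artifact_dir / "memory.dmp").read_bytes()


def analyze_dump(dump: bytes):
    """Analysis module: apply RULES; returns (is_malicious, matched names, score)."""
    matched = [(name, weight) for name, pattern, weight in RULES if pattern in dump]
    score = sum(weight for _, weight in matched)
    return score >= MALICIOUS_THRESHOLD, [name for name, _ in matched], score


def run_pipeline(guest_memory: bytes, observed_events: list, shared_dir=None) -> dict:
    """Drive one suspect through the claimed steps and return the verdict."""
    shared_dir = shared_dir or Path(tempfile.mkdtemp(prefix="sandbox-"))
    monitor = SandboxMonitor(guest_memory)
    dump = None
    for event in observed_events:
        if monitor.observe(event):
            dump = monitor.memory_dump()  # dump as soon as a trigger fires
            break
    if dump is None:
        # No predetermined event: nothing was dumped, so no verdict is reached.
        return {"dumped": False, "malicious": None, "rules": [], "score": 0,
                "events": monitor.events}
    artifact_dir = store_artifacts(shared_dir, "suspect-0001", dump, monitor.events)
    verdict, rules, score = analyze_dump(retrieve_dump(artifact_dir))
    return {"dumped": True, "malicious": verdict, "rules": rules, "score": score,
            "events": monitor.events}


if __name__ == "__main__":
    print(run_pipeline(SAMPLE_IMAGE, ["file_open", "process_injection", "file_write"]))
```

The dump is taken at the first trigger rather than at process exit so that unpacked code and decrypted strings are still resident; the rule scoring is deliberately weighted so that a lone PE header in the image (common in benign loaders) does not by itself cross the threshold.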