Title: Automatic content inspection system for exploit detection
Abstract: A method of inspecting content intended for a workstation to detect content that performs malicious exploits, including receiving the content for inspection at an inspection server using a processor and memory, loading a virtual machine at the inspection server with an operating system and processes for activating the content, wherein the operating system and processes are similar to those executed at the intended workstation, activating the content in the virtual machine, tracing activity of the virtual machine to form trace data by using features of the processor, wherein, upon occurrence of an exception, control is transferred to an analyzer that analyzes the trace data based on a context of the exception; and a notification is provided if suspicious activity is detected.
Publication number: US9356945(B2) Publication date: 2016.05.31
Application number: US201414333566 Filing date: 2014.07.17
Applicant: CHECK POINT ADVANCED THREAT PREVENTION LTD Inventors: Gafni Aviv; Omelchenko Ben
Classification: G06F9/455; H04L29/06; G06F21/56 Main classification: G06F9/455
Agency: Agent: Friedman Mark M.
Main claim: 1. A method of inspecting content intended for a workstation to inspect content that performs exploits, comprising: receiving the content for inspection at an inspection server using a processor and memory; loading a virtual machine at the inspection server with an operating system and processes for inspecting the content, wherein the operating system and processes emulate those executed at the intended workstation; activating the content in the virtual machine; and tracing the activity of the virtual machine to form trace data by using features of the processor, the tracing of the activity including receiving a memory page marked as read/write/execute and changing the memory page permissions in a shadow page table to read/write; and, if an attempt to execute code from the memory page occurs, then changing the memory page permissions in the shadow page table to read/execute and dumping the content of the memory page; then, if an attempt to write to the memory page occurs, changing the memory page permissions in the shadow page table to read/write; and, upon an occurrence of an exception, transferring control from the inspection server to an analyzer that analyzes the trace data based on a context of the exception, and providing a notification if suspicious activity is detected.
Address: Tel Aviv IL
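The main claim describes a permission state machine kept in a shadow page table: a guest page marked read/write/execute is shadowed as read/write, the first execute attempt faults and flips it to read/execute while the page content is dumped, a later write faults and flips it back to read/write, and so on. The following is an added illustration of that state machine in Python; it is not code from the patent or from Check Point. The page addresses, byte contents, the `Tracer`/`ShadowPage` names and the analyzer heuristic (flagging a page whose dumped code differs between two execute faults, i.e. code that was rewritten after it first ran) are all assumptions made for this example.

```python
"""Simulation of the shadow-page-table W^X tracing described in the claim.

Constructed example: addresses, page bytes and the analyzer heuristic are
assumptions, not values taken from the patent.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The two shadow permission states the tracer toggles between. The guest
# believes the page is RWX; the shadow entry is never both W and X at once.
RW = "rw"
RX = "rx"


@dataclass
class ShadowPage:
    addr: int
    perm: str = RW                  # shadow starts as read/write
    content: bytes = b""
    dumps: List[bytes] = field(default_factory=list)  # content at each exec fault


@dataclass
class Tracer:
    pages: Dict[int, ShadowPage] = field(default_factory=dict)
    trace: List[Tuple[str, int, str]] = field(default_factory=list)

    def map_rwx_page(self, addr: int, content: bytes = b"") -> None:
        # Guest marked the page read/write/execute: the shadow entry is set to
        # read/write so that the first execute attempt faults into the tracer.
        self.pages[addr] = ShadowPage(addr, RW, bytes(content))
        self.trace.append(("map", addr, RW))

    def write(self, addr: int, data: bytes) -> None:
        page = self.pages[addr]
        if page.perm == RX:
            # Write to a read/execute page faults; flip back to read/write.
            page.perm = RW
            self.trace.append(("write-fault", addr, RW))
        page.content = bytes(data)
        self.trace.append(("write", addr, page.perm))

    def execute(self, addr: int) -> None:
        page = self.pages[addr]
        if page.perm == RW:
            # Execute from a read/write page faults; flip to read/execute and
            # dump the page content so the analyzer can inspect the code.
            page.perm = RX
            page.dumps.append(page.content)
            self.trace.append(("exec-fault", addr, RX))
        self.trace.append(("exec", addr, page.perm))

    def exec_faults(self, addr: int) -> int:
        return sum(1 for kind, a, _ in self.trace if kind == "exec-fault" and a == addr)


def analyze(tracer: Tracer) -> List[Tuple[str, int, int]]:
    """Analyzer handed the trace on an exception.

    Heuristic (an assumption for this example): a page whose dumped code differs
    between execute faults was rewritten after it first ran, which is the
    write-then-execute pattern the permission toggling is designed to expose.
    """
    findings = []
    for page in tracer.pages.values():
        if len(page.dumps) >= 2 and len(set(page.dumps)) > 1:
            findings.append(("rewritten-executable-page", page.addr, len(page.dumps)))
    return findings


def run_demo() -> Tuple[Tracer, List[Tuple[str, int, int]]]:
    """Drive one page through map -> exec -> write -> exec (constructed input)."""
    t = Tracer()
    t.map_rwx_page(0x1000, b"\x90\x90")   # constructed: two NOPs
    t.execute(0x1000)                      # exec fault: RW -> RX, dump #1
    t.write(0x1000, b"\xcc\xcc")           # write fault: RX -> RW
    t.execute(0x1000)                      # exec fault: RW -> RX, dump #2
    t.map_rwx_page(0x2000, b"\xc3")        # a page that runs once and is never rewritten
    t.execute(0x2000)
    return t, analyze(t)


if __name__ == "__main__":
    tracer, findings = run_demo()
    for event in tracer.trace:
        print(event)
    print("findings:", findings)
```

Running the module prints the trace of map, fault and access events for both pages; only the page at 0x1000, whose two dumps differ, is reported. Each fault is also the natural point at which the claim's "exception" would hand control to the analyzer with the context (address, access type, current shadow permission) recorded in the trace.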