Title System and method for malware detection
Abstract According to one embodiment, a computer-implemented method for execution on one or more processors includes receiving a first file and determining a file type of the first file. The method also includes determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file. In addition, the method includes scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy. Further, the method includes determining, in response to determining the results of applying the plurality of malware detection schemes, that the first file is malware or determining that the first file is suspected malware according to a third policy.
Publication number US8863279(B2) Publication date 2014.10.14
Application number US201012719535 Filing date 2010.03.08
Applicant Raytheon Company Inventors McDougal Monty D.;Jennings Randy S.;Brown Jeffrey C.;Lee Jesse J.;Smith Brian N.;De Rita Darin J.;Cariker Kevin L.;Sterns William E.;Daly Michael K.
Classification G06F21/00;H04L29/06;G06F21/56 Main classification G06F21/00
Agent Schwegman Lundberg & Woessner, P.A. Attorney Schwegman Lundberg & Woessner, P.A.
Principal claim 1. A computer-implemented method for execution on one or more processors, the method comprising: receiving a first file; determining a file type of the first file; determining, according to a first policy, a plurality of malware detection schemes to apply sequentially to the first file based on the determined file type of the first file; scheduling an application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy including scheduling a first malware detection scheme of the plurality of malware detection schemes at a first time and scheduling a second malware detection scheme of the plurality of malware detection schemes at a second time after the first time, wherein each of the plurality of detection nodes includes a virtual machine configured to run at least one of the plurality of malware detection schemes, wherein each virtual machine is configured to run on at least one hypervisor; executing a first malware detection scheme of the plurality of malware detection schemes on the first file in a first virtual machine of the virtual machines at the first time, wherein the first virtual machine is configured to run the first malware detection scheme, wherein execution of processes of the first virtual machine associated with executing the first malware detection scheme comprise causing, using the hypervisor, the execution of the first malware detection scheme to skip a wait state associated with a guest operating system of the first virtual machine to speed up execution of the first malware detection scheme; monitoring, using the at least one hypervisor, the applying of the first malware detection scheme without running a process in the one or more virtual machines to thwart attempts by malware to detect if the first malware detection scheme is being applied to the malware; determining results of applying the first malware detection scheme; in response to determining the results of applying the first malware detection scheme, determining whether the first file is malware; in response to determining the first file is malware, indicating that the first file is malware and refraining from executing any more detection schemes of the plurality of detection schemes on the first file; in response to determining the first file is not malware, applying the second malware detection scheme of the plurality of malware detection schemes in a second virtual machine of the virtual machines at the second time; determining results of applying the second malware detection scheme; in response to determining the results of applying the first and second malware detection schemes, determining that the first file is suspected malware or determining that the first file is malware according to a third policy and based on the results of applying the first and second malware detection schemes; and wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.
Address Waltham WA US
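The abstract and claim 1 describe a three-policy pipeline: the file type selects an ordered set of detection schemes (first policy), the schemes are scheduled one per time slot across detection nodes with e-mail attachments prioritised and execution stops at the first malware verdict (second policy), and the accumulated results yield a verdict of malware, suspected malware or clean (third policy). The Python model below is an added illustration, not code from the patent or from Raytheon; the scheme names, node names, byte markers, verdict rule and sample files are all constructed.

```python
import heapq
from dataclasses import dataclass

@dataclass
class Sample:
    name: str
    data: bytes
    from_email: bool = False  # claim 1: e-mail attachments get scheduling priority

# File type is read from leading bytes, not from the name (constructed table).
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
# Policy 1: which schemes apply, in order, for each file type (constructed).
SCHEME_POLICY = {"pe": ["signature", "static_pe", "sandbox"],
                 "pdf": ["signature", "js_extract", "sandbox"],
                 "zip": ["signature", "archive_unpack"],
                 "unknown": ["signature"]}
# Each scheme runs in a VM hosted on a detection node (constructed mapping).
NODE_FOR_SCHEME = {"signature": "node-a", "static_pe": "node-b",
                   "js_extract": "node-b", "archive_unpack": "node-b",
                   "sandbox": "node-c"}
# Constructed stand-ins for real engines: a byte marker and the outcome it yields.
MARKERS = {"signature": (b"KNOWN-BAD-SIG", "malware"),
           "static_pe": (b"UPX!", "suspicious"),
           "js_extract": (b"/JavaScript", "suspicious"),
           "archive_unpack": (b".exe", "suspicious"),
           "sandbox": (b"DROP-AND-EXEC", "malware")}

def file_type(data: bytes) -> str:
    return next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")

def run_scheme(scheme: str, data: bytes) -> str:
    marker, outcome = MARKERS[scheme]
    return outcome if marker in data else "clean"

def schedule(samples):
    """Policy 2 ordering: e-mail attachments first, then arrival order."""
    heap = [(0 if s.from_email else 1, i, s) for i, s in enumerate(samples)]
    heapq.heapify(heap)
    return [heapq.heappop(heap)[2] for _ in range(len(heap))]

def analyze(sample):
    """Run policy-1 schemes sequentially (slot t on a node); stop at first 'malware'."""
    results, plan = {}, []
    for t, scheme in enumerate(SCHEME_POLICY[file_type(sample.data)]):
        plan.append((t, NODE_FOR_SCHEME[scheme], scheme))
        results[scheme] = run_scheme(scheme, sample.data)
        if results[scheme] == "malware":
            return "malware", plan  # refrain from executing further schemes
    # Policy 3 (constructed rule): any 'suspicious' outcome -> suspected malware.
    return ("suspected" if "suspicious" in results.values() else "clean"), plan
```

The returned plan records which scheme ran in which time slot on which node, so a reader can see both the early stop on a malware verdict and the full sequence when no scheme is conclusive.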