Title Detecting and remediating malware dropped by files
Abstract A security module detects and remediates malware from suspicious hosts. A file arrives at an endpoint from a host. The security module detects the arrival of the file and determines the host from which the file arrived. The security module also determines whether the host is suspicious. If the host is suspicious, the security module observes the operation of the file and identifies a set of files dropped by the received file. The security module monitors the files in the set using heuristics to detect whether any of the files engage in malicious behavior. If a file engages in malicious behavior, the security module responds to the malware detection by remediating the malware, which may include removing system changes caused by the set.
Publication number US8832835(B1) Publication date 2014.09.09
Application number US201012914949 Filing date 2010.10.28
Applicant Symantec Corporation Inventors Chen Joseph H.;Chen Zhongning
Classification G06F11/00;G06F12/14;G06F12/16;G08B23/00;G06F21/00;H04L29/06 Main classification G06F11/00
Agency Fenwick & West LLP Agent Fenwick & West LLP
Main claim 1. A computer-implemented method for detecting malicious software (malware) on an endpoint, comprising: detecting arrival of a file at the endpoint from a host; observing network traffic at the endpoint to observe a network identifier of the host from which the file arrived; querying a security server as to whether the network identifier is associated with a suspicious host; receiving a response to the query from the security server, the response indicating whether the network identifier is associated with a suspicious host; identifying a set of files on the endpoint, the set comprising the arrived file and any files dropped by the arrived file; responsive to receiving an indication that the network identifier is associated with a suspicious host, applying a first set of resource-intensive heuristics to the files in the set to determine whether any of the files in the set are malware; and responsive to receiving an indication that the network identifier is not associated with a suspicious host, applying a second set of heuristics less resource-intensive than the first set of heuristics to the files in the set to determine whether any of the files in the set are malware.
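The decision flow of claim 1 (arrived file, source host identifier, reputation query, dropped-file set, heuristic tier chosen by the answer, remediation of the whole set) as an added, runnable illustration. This is example code written for this record, not the patent's or Symantec's implementation. Everything in it is constructed: the in-memory reputation table standing in for the security server, the recorded file actions, the two toy heuristic tiers and their thresholds, and the sample paths and TEST-NET addresses.

```python
"""Tiered dropper analysis modelled on claim 1. Added example, not the patent's
code; the security server, heuristics, thresholds and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Mock of the security server's reputation data (constructed, TEST-NET address).
SUSPICIOUS_HOSTS: Set[str] = {"203.0.113.7"}


def query_security_server(network_id: str) -> bool:
    """Stand-in for the claim's query: is this network identifier flagged suspicious?"""
    return network_id in SUSPICIOUS_HOSTS


@dataclass
class TrackedFile:
    path: str
    source_host: Optional[str] = None   # set when the file arrived over the network
    dropped_by: Optional[str] = None    # set when a tracked file wrote this one
    # Observed actions (constructed): ("write", path), ("registry_run", key),
    # ("connect", host), ("inject", process) or ("self_delete",)
    actions: List[Tuple[str, ...]] = field(default_factory=list)


def build_file_set(root: str, files: Dict[str, TrackedFile]) -> Set[str]:
    """The arrived file plus everything it, or any of its drops, wrote (transitive)."""
    result, frontier = {root}, [root]
    while frontier:
        parent = frontier.pop()
        for f in files.values():
            if f.dropped_by == parent and f.path not in result:
                result.add(f.path)
                frontier.append(f.path)
    return result


def action_kinds(paths: Set[str], files: Dict[str, TrackedFile]) -> Set[str]:
    return {a[0] for p in paths for a in files[p].actions}


def cheap_heuristics(file_set: Set[str], files: Dict[str, TrackedFile]) -> bool:
    """Second (lighter) tier: each file judged on its own; flagged only if a single
    file both installs a Run key and injects into another process."""
    return any({"registry_run", "inject"} <= action_kinds({p}, files) for p in file_set)


def deep_heuristics(file_set: Set[str], files: Dict[str, TrackedFile]) -> bool:
    """First (heavier) tier: correlates behaviour across the whole set, so a dropper
    that deletes itself while its child persists and beacons is still caught."""
    kinds = action_kinds(file_set, files)
    score = sum(k in kinds for k in ("registry_run", "inject", "connect", "self_delete"))
    return score >= 3


def remediation_plan(file_set: Set[str], files: Dict[str, TrackedFile]) -> List[Tuple[str, str]]:
    """Undo list for the whole set: delete every member and remove the keys they wrote."""
    plan = [("delete_file", p) for p in sorted(file_set)]
    for p in sorted(file_set):
        plan += [("delete_registry_key", a[1]) for a in files[p].actions if a[0] == "registry_run"]
    return plan


def assess(arrived: str, files: Dict[str, TrackedFile]) -> dict:
    """Runs the claim's flow for one arrived file and returns the decision record."""
    host = files[arrived].source_host
    suspicious = query_security_server(host) if host else False
    file_set = build_file_set(arrived, files)
    tier = "deep" if suspicious else "cheap"
    verdict = (deep_heuristics if suspicious else cheap_heuristics)(file_set, files)
    return {
        "host": host, "suspicious": suspicious, "tier": tier, "files": file_set,
        "malware": verdict,
        "remediation": remediation_plan(file_set, files) if verdict else [],
    }


# Constructed endpoint observations for two downloads.
INVOICE = r"C:\Users\alice\Downloads\invoice.exe"
SVC = r"C:\ProgramData\svc.exe"
SETUP = r"C:\Users\alice\Downloads\setup.exe"
APP = r"C:\Program Files\App\app.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_FILES = {
    INVOICE: TrackedFile(INVOICE, source_host="203.0.113.7",
                         actions=[("write", SVC), ("self_delete",)]),
    SVC: TrackedFile(SVC, dropped_by=INVOICE,
                     actions=[("registry_run", RUN_KEY + r"\svc"), ("connect", "198.51.100.5")]),
    SETUP: TrackedFile(SETUP, source_host="198.51.100.20", actions=[("write", APP)]),
    APP: TrackedFile(APP, dropped_by=SETUP, actions=[("registry_run", RUN_KEY + r"\app")]),
}

if __name__ == "__main__":
    for arrived in (INVOICE, SETUP):
        r = assess(arrived, SAMPLE_FILES)
        print(f"{arrived}: host={r['host']} tier={r['tier']} malware={r['malware']}")
        for step in r["remediation"]:
            print("   ", *step)
```

The two sample downloads show why the tiering matters: the self-deleting dropper from the flagged host is missed by the per-file tier (no single file both persists and injects) but caught by the correlating tier, while the installer from an unflagged host gets only the cheap tier and is left alone. Remediation covers the dropped file and its Run key, not just the file that arrived, matching the abstract's "removing system changes caused by the set".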
Address Mountain View CA US