Title of invention: Malware detection
Abstract: According to a first aspect of the present invention there is provided a method of detecting potential malware. The method comprises, at a server, receiving a plurality of code samples, the code samples including at least one code sample known to be malware and at least one code sample known to be legitimate, executing each of the code samples in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of each sample, using the extracted bytestrings to determine one or more rules for differentiating between malware and legitimate code, and sending the rule(s) to one or more client computers. At the or each client computer, for a given target code, executing the target code in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of the target code, and applying the rule(s) received from the server to the extracted bytestrings to determine if the target code is potential malware.
Publication number: US2011041179(A1); Publication date: 2011.02.17
Application number: US20090462913; Filing date: 2009.08.11
Applicant: F-SECURE OYJ; Inventor: STAAHLBERG MIKA
Classification: G06F11/00; Main classification: G06F11/00