摘要 |
A method and apparatus for detecting malware in network traffic is described. One embodiment executes, in an emulation environment, an executable file as it is being received serially over a network, execution beginning once a block of data including an entry point of the executable file has been received, execution halting whenever an instruction in the executable file references data not yet received and resuming once the data not yet received has been received, execution ceasing upon satisfaction of a termination condition; examining the emulation environment for indications that the executable file includes malware; and taking corrective action responsive to the results of examining the emulation environment for indications that the executable file includes malware.
|