Abstract: A device may receive a file that has been downloaded, or is to be downloaded, to a user device, and that is to be subject to a malware detection procedure. The device may obtain, based on one or more file identification properties of the file, metadata identifying user interactions associated with the file. The metadata may include a first group of user interactions performed when the file was accessed on the user device or a second group of user interactions performed when the file was accessed on one or more other user devices. The device may test the file in a sandbox environment to obtain a result by performing the user interactions identified by the metadata and executing the malware detection procedure to determine whether the file is malware. The device may provide a notification to cause the user device to perform actions when the file is malware.

Abstract: A device may receive a file that has been downloaded, or is to be downloaded, to a user device, and that is to be subject to a malware detection procedure. The device may obtain, based on one or more file identification properties of the file, metadata identifying user interactions associated with the file. The metadata may include a first group of user interactions performed when the file was accessed on the user device or a second group of user interactions performed when the file was accessed on one or more other user devices. The device may test the file in a sandbox environment to obtain a result by performing the user interactions identified by the metadata and executing the malware detection procedure to determine whether the file is malware. The device may provide a notification to cause the user device to perform actions when the file is malware.

Abstract: A device may load a process under test into virtual memory associated with the device. The virtual memory may include a plurality of memory pages. The device may insert a malware inspection element and a memory tracking element into the process under test and may provide a notification of an event associated with the process under test to a memory tracking element. The device may identify, using the memory tracking element, one or more memory pages of the plurality of memory pages. The one or more memory pages may be assigned to, and used by, the process under test. The device may generate, based on identifying the one or more memory pages, a memory map, associated with the process under test, that may include information identifying the one or more memory pages as being assigned to, and used by, the process under test.

Abstract: A device may load a process under test into virtual memory associated with the device. The virtual memory may include a plurality of memory pages. The device may insert a malware inspection element and a memory tracking element into the process under test and may provide a notification of an event associated with the process under test to a memory tracking element. The device may identify, using the memory tracking element, one or more memory pages of the plurality of memory pages. The one or more memory pages may be assigned to, and used by, the process under test. The device may generate, based on identifying the one or more memory pages, a memory map, associated with the process under test, that may include information identifying the one or more memory pages as being assigned to, and used by, the process under test.

Abstract: A network device may include a memory and one or more processors configured to analyze execution of suspicious data; detect one or more states of execution of the suspicious data; determine that the one or more states of execution are to be assigned a priority level; and extract at least a portion of the suspicious data from one or more locations based on determining that the one or more states of execution are to be assigned a priority level.

Abstract: A network device may include a memory and one or more processors configured to analyze execution of suspicious data; detect one or more states of execution of the suspicious data; determine that the one or more states of execution are to be assigned a priority level; and extract at least a portion of the suspicious data from one or more locations based on determining that the one or more states of execution are to be assigned a priority level.

Abstract: A device may receive a file that has been downloaded, or is to be downloaded, to a user device, and that is to be subject to a malware detection procedure. The device may obtain, based on one or more file identification properties of the file, metadata identifying user interactions associated with the file. The metadata may include a first group of user interactions performed when the file was accessed on the user device or a second group of user interactions performed when the file was accessed on one or more other user devices. The device may test the file in a sandbox environment to obtain a result by performing the user interactions identified by the metadata and executing the malware detection procedure to determine whether the file is malware. The device may provide a notification to cause the user device to perform actions when the file is malware.

Abstract: A device may receive a file that has been downloaded, or is to be downloaded, to a user device, and that is to be subject to a malware detection procedure. The device may obtain, based on one or more file identification properties of the file, metadata identifying user interactions associated with the file. The metadata may include a first group of user interactions performed when the file was accessed on the user device or a second group of user interactions performed when the file was accessed on one or more other user devices. The device may test the file in a sandbox environment to obtain a result by performing the user interactions identified by the metadata and executing the malware detection procedure to determine whether the file is malware. The device may provide a notification to cause the user device to perform actions when the file is malware.

Abstract: A device receives a software program, performs a dynamic malware analysis of the software program to generate dynamic malware analysis results, and generates a call graph based on the dynamic malware analysis of the software program. The device utilizes, during the dynamic malware analysis of the software program, the call graph to identify an exit of the software program and/or a forced kill of the software program, and performs a static malware analysis of the software program based on identifying the exit of the software program and/or the forced kill of the software program. The device generates static malware analysis results based on performing the static malware analysis of the software program, and combines the dynamic malware analysis results and the static malware analysis results to generate combined malware analysis results. The device performs one or more actions based on the combined malware analysis results.

Abstract: A device may load a process under test into virtual memory associated with the device. The virtual memory may include a plurality of memory pages. The device may insert a malware inspection element and a memory tracking element into the process under test and may provide a notification of an event associated with the process under test to a memory tracking element. The device may identify, using the memory tracking element, one or more memory pages of the plurality of memory pages. The one or more memory pages may be assigned to, and used by, the process under test. The device may generate, based on identifying the one or more memory pages, a memory map, associated with the process under test, that may include information identifying the one or more memory pages as being assigned to, and used by, the process under test.

Abstract: A device receives a software program with potential malware and a loop to conceal the potential malware, and processes the software program, with a loop identification technique, to identify the loop in the software program. The device modifies, with a loop exit technique and based on data from the loop identification technique, the software program to exit the loop, and processes the software program, with a malware detection technique and after modifying the software program to exit the loop, to determine whether the software program contains malware. The device causes one or more actions to be performed based on a result of processing the software program with the malware detection technique.

Abstract: A device may load a process under test into virtual memory associated with the device. The virtual memory may include a plurality of memory pages. The device may insert a malware inspection element and a memory tracking element into the process under test and may provide a notification of an event associated with the process under test to a memory tracking element. The device may identify, using the memory tracking element, one or more memory pages of the plurality of memory pages. The one or more memory pages may be assigned to, and used by, the process under test. The device may generate, based on identifying the one or more memory pages, a memory map, associated with the process under test, that may include information identifying the one or more memory pages as being assigned to, and used by, the process under test.

Abstract: A network device may include a memory and one or more processors configured to analyze execution of suspicious data; detect one or more states of execution of the suspicious data; determine that the one or more states of execution are to be assigned a priority level; and extract at least a portion of the suspicious data from one or more locations based on determining that the one or more states of execution are to be assigned a priority level.

Abstract: A device may generate versions of a first executable process that is associated with deterministically defined parameters. The device may run the versions of the first executable process, and may monitor device parameters of the device or the first executable process when running the versions of the first executable process. The device may determine, based on monitoring the device parameters of the device or the first executable process, a variance to a parameter of the deterministically defined parameters relative to an expected value for the parameter, and may provide information indicating a presence of malware in connection with the device based on determining the variance to the parameter.

Abstract: A network device may include a memory and one or more processors configured to analyze execution of suspicious data; detect one or more states of execution of the suspicious data; determine that the one or more states of execution are to be assigned a priority level; and extract at least a portion of the suspicious data from one or more locations based on determining that the one or more states of execution are to be assigned a priority level.

Abstract: A device may receive a file that has been downloaded, or is to be downloaded, to a user device, and that is to be subject to a malware detection procedure. The device may obtain, based on one or more file identification properties of the file, metadata identifying user interactions associated with the file. The metadata may include a first group of user interactions performed when the file was accessed on the user device or a second group of user interactions performed when the file was accessed on one or more other user devices. The device may test the file in a sandbox environment to obtain a result by performing the user interactions identified by the metadata and executing the malware detection procedure to determine whether the file is malware. The device may provide a notification to cause the user device to perform actions when the file is malware.

Abstract: A device receives a software program, performs a dynamic malware analysis of the software program to generate dynamic malware analysis results, and generates a call graph based on the dynamic malware analysis of the software program. The device utilizes, during the dynamic malware analysis of the software program, the call graph to identify an exit of the software program and/or a forced kill of the software program, and performs a static malware analysis of the software program based on identifying the exit of the software program and/or the forced kill of the software program. The device generates static malware analysis results based on performing the static malware analysis of the software program, and combines the dynamic malware analysis results and the static malware analysis results to generate combined malware analysis results. The device performs one or more actions based on the combined malware analysis results.

Abstract: A device may load a process under test into virtual memory associated with the device. The virtual memory may include a plurality of memory pages. The device may insert a malware inspection element and a memory tracking element into the process under test and may provide a notification of an event associated with the process under test to a memory tracking element. The device may identify, using the memory tracking element, one or more memory pages of the plurality of memory pages. The one or more memory pages may be assigned to, and used by, the process under test. The device may generate, based on identifying the one or more memory pages, a memory map, associated with the process under test, that may include information identifying the one or more memory pages as being assigned to, and used by, the process under test.

Abstract: A device may generate versions of a first executable process that is associated with deterministically defined parameters. The device may run the versions of the first executable process, and may monitor device parameters of the device or the first executable process when running the versions of the first executable process. The device may determine, based on monitoring the device parameters of the device or the first executable process, a variance to a parameter of the deterministically defined parameters relative to an expected value for the parameter, and may provide information indicating a presence of malware in connection with the device based on determining the variance to the parameter.

Abstract: A device receives a software program with potential malware and a loop to conceal the potential malware, and processes the software program, with a loop identification technique, to identify the loop in the software program. The device modifies, with a loop exit technique and based on data from the loop identification technique, the software program to exit the loop, and processes the software program, with a malware detection technique and after modifying the software program to exit the loop, to determine whether the software program contains malware. The device causes one or more actions to be performed based on a result of processing the software program with the malware detection technique.