Abstract: A set of virtual machines (VMs) with different guest operating systems installed is initially booted and prepared to facilitate rapid creation, or “forking,” of a child VM(s) for malware analysis of a software sample. Because malicious code may be packaged for a specific operating system version, subsets of the VMs may have different versions of the same guest operating system installed. Upon detection of a sample indicated for malware analysis, a child VM(s) running the appropriate guest operating system is created based on a corresponding one(s) of the set of VMs. A process in which the corresponding VM(s) has been booted is forked to create a child process. A child VM which is a copy of the VM booted in the parent process is then created in the child process. The sample is then sandboxed in the child VM for analysis to determine if the sample comprises malware.

Abstract: Generating an exception list by a service provider for use in behavior monitoring programs for malware detection is described. A feedback server controlled by a malware prevention service provider receives client process reports from client devices owned by the service provider's customers and others using the provider's behavior monitoring software. The process reports contain data on processes that were evaluated (on the client device) as being processes that require a significant amount of CPU resources (i.e., above a certain threshold) to monitor and that have previously executed on the client device and were considered safe or non-harmful to the device. The feedback server receives the process reports and creates a statistics summary report, which is used by the service provider in evaluating whether to include the processes in the provider's official exception list which is distributed to its customers for use in their behavior monitoring programs.

Abstract: A program installed on a computer system registers and is placed on an installed program list or an uninstall software list. A check of the uninstall software list (USL) is added as a secondary verification mechanism to a behavior monitoring engine. A signature-based malware scan engine may be used. If the scan engine does not flag the file as malware, then the behavior monitoring engine monitors the activities performed by the underlying application. When the behavior monitoring engine flags an activity as potentially suspicious, the USL is checked to determine if the application running the process is on the USL. If so, then the process is treated as legitimate and there is no need to alert the user. Only if both the behavior is flagged as suspicious and the application performing the behavior is not on the USL will the user receive an alert as to the potential malware.