Abstract: One embodiment of the described invention is directed to a computerized method for improving detection of cybersecurity threats initiated by a script. Herein, the method is configured to analyze the script provided as part of a script object by at least (i) determining whether any functional code blocks forming the script include a critical code statement, (ii) determining whether any of the functional code blocks include an evasive code statement, (iii) modifying the script to control processing of a subset of the functional code blocks by avoiding an execution code path including the evasive code statement and processing functional code blocks forming a code path including the critical code statement, and (iv) executing of the modified script and monitoring behaviors of a virtual environment. Thereafter, the method is configured to determine whether the script including cybersecurity threats based on the monitored behaviors.

Abstract: Selective virtualization of resources is provided, where the resources may be intercepted and services or the resources may be intercepted and redirected. Virtualization logic monitors for one or more activities that are performed in connection with one or more resources and conducted during processing of an object within the virtual machine. The first virtualization logic further selectively virtualizes resources associated with the one or more activities that are initiated during the processing of the object within the virtual machine by at least redirecting a first request of a plurality of requests to a different resource than requesting by a monitored activity of the one or more activities.

Abstract: A computerized method for analyzing an object is disclosed. The computerized method includes obtaining, by a cybersecurity system, an object and context information generated during a first malware analysis of the object conducted prior to obtaining the object. Thereafter, the cybersecurity system performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The scrutiny of the second malware analysis is adjusted based, at least in part, the context information, which may include (i) activating additional or different monitors, (ii) adjusting thresholds for determining maliciousness, or (iii) applying a modified rule set during the second malware analysis based on the context information.

Abstract: A system for protecting public cloud-hosted virtual resources features cloud visibility logic. According to one embodiment, the cloud visibility logic includes credential evaluation logic, data collection logic, correlation logic, and reporting logic. The credential evaluation logic is configured to gain authorized access to a cloud account within a first public cloud network. The data collection logic is configured to retrieve account data from the cloud account, while the correlation logic is configured to conduct analytics on the account data to determine whether the cloud account is subject to a cybersecurity threat or misconfiguration. The reporting logic is configured to generate an alert when the cloud account is determined by the correlation logic to be subject to the cybersecurity threat or misconfiguration.

Abstract: A computerized method for analyzing an object is disclosed. The computerized method includes performing, by a first cybersecurity system, a first malware analysis of the object, wherein a first context information is generated by the first cybersecurity system based on the first malware analysis. The first context information includes at least origination information of the object. Additionally, a second cybersecurity system, obtains the object and the first context information and performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The second malware analysis is based at least in part on the first context information. The second cybersecurity system generates and issues a report based on the second malware analysis, the report including the verdict.

Abstract: One embodiment of the described invention is directed to a computerized method for improving detection of cybersecurity threats initiated by a script. Herein, the method is configured to analyze the script provided as part of a script object by at least (i) determining whether any functional code blocks forming the script include a critical code statement, (ii) determining whether any of the functional code blocks include an evasive code statement, (iii) modifying the script to control processing of a subset of the functional code blocks by avoiding an execution code path including the evasive code statement and processing functional code blocks forming a code path including the critical code statement, and (iv) executing of the modified script and monitoring behaviors of a virtual environment. Thereafter, the method is configured to determine whether the script including cybersecurity threats based on the monitored behaviors.

Abstract: A system for protecting public cloud-hosted virtual resources features cloud visibility logic. According to one embodiment, the cloud visibility logic includes credential evaluation logic, data collection logic, correlation logic and reporting logic. The credential evaluation logic is configured to gain authorized access to a cloud account within a first public cloud network. The data collection logic is configured to retrieve account data from the cloud account, while the correlation logic is configured to conduct analytics on the account data to determine whether the cloud account is subject to a cybersecurity threat or misconfiguration. The reporting logic is configured to generate an alert when the cloud account is determined by the correlation logic to be subject to the cybersecurity threat or misconfiguration.

Abstract: Selective virtualization of resources is provided, where the resources may be intercepted and services or the resources may be intercepted and redirected. Virtualization logic monitors for one or more activities that are performed in connection with one or more resources and conducted during processing of an object within the virtual machine. The first virtualization logic further selectively virtualizes resources associated with the one or more activities that are initiated during the processing of the object within the virtual machine by at least redirecting a first request of a plurality of requests to a different resource than requesting by a monitored activity of the one or more activities.

Abstract: According to one embodiment, a computerized method features monitoring behaviors of an object during processing within a guest system of a virtual machine. Within a guest system, a rule-based analysis of data associated with the monitored behaviors is conducted. The rule-based analysis includes prioritizing data associated with the monitored behaviors that correspond to an exception, and thereafter, storing the data associated with the monitored behaviors that correspond to the exception into a prescribed area of a virtual image file. The prescribed area is accessible by (i) logic within the guest system and (ii) logic within a host system of the virtual machine.

Abstract: For one embodiment, a computerized method for detecting exploit attacks on an interpreter comprises configuring a virtual machine including a user mode and a kernel mode and processing an object by an application operating in the user mode of the virtual machine. Responsive to the processing of the object, detecting a loading of an interpreter. Furthermore, responsive to the loading of the interpreter, inserting one or more intercept points for detecting one or more types of software calls from the interpreter or for detecting a certain type or certain types of activities occurring within the interpreter. Thereafter, an exploit attack is detected as being conducted by the object in response to the interpreter invoking a software call that corresponds to the one or more types of software calls that is considered anomalous when invoked by the interpreter or an anomalous activity being conducted within the interpreter.

Abstract: A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework for configuring a plurality of processes for analyzing the object for malware and each of plurality of processes is configured with a different application and plug-in combination selected based in part on a type of object being analyzed and operating concurrently with each other.

Abstract: According to one embodiment, a malware detection system is integrated with at least a static analysis engine and a dynamic analysis engine. The static analysis engine is configured to automatically determine an object type of a received object. The dynamic analysis engine is configured to automatically launch the object after selecting an action profile based on the object type. The dynamic analysis engine is further configured to, provide simulated user interaction to the object based on the selected action profile either in response to detecting a request for human interaction or as a result of a lapse of time since a previous simulated human interaction was provided.

Abstract: According to one embodiment, a computerized method comprises processing one or more objects by a first thread of execution that are part of a multi-thread process, monitoring events that occur during the processing of the one or more objects by the first thread, and storing information associated with the monitored events within an event log. The stored information comprises at least an identifier of the first thread to maintain an association between the monitored events and the first thread. Subsequently, the stored information within the event log is accessed for rendering a graphical display of the monitored events detected during processing of the one or more objects by the first thread on a display screen.

Abstract: A computerized method to identify malicious code generated by seemingly benign objects is described. The generated malware detection system described identifies generated objects (code) and analyzes each generated object to collect features which may be associated with maliciousness. The analysis may determine if an Abstract Syntax Tree (AST) representation of the generated object is correlated with known malware ASTs. Correlation of the features identified during processing of the generated objects, including the sequences of generated object, may be used in classifying the object as malicious. The malware detection system may communicate with the one or more endpoint devices to influence detection and reporting of behaviors and malware by those device(s).

Abstract: A method for updating a virtual machine disk snapshot for use in instantiating one or more virtual guest instances for malware detection is described. The method features (i) detecting a guest image update package that includes information for updating one or more software components included as part of the virtual machine disk snapshot, and (ii) determining whether the guest image update package is currently contained in a contiguous storage area that is part of the virtual machine disk snapshot. Responsive to determining that the guest image update package is more recent than content currently contained in the contiguous storage area, the guest image update package is inserted into the contiguous storage area that is part of the virtual machine disk snapshot to generate a revised virtual machine disk snapshot that includes the one or more updated software components.

Abstract: A computerized system and method is described for classifying objects as malicious by processing the objects in a virtual environment and monitoring behaviors during processing by one or more monitors, where the monitoring is conducted in an electronic device that is different than the electronic device within which an analysis of attributes of the objects is conducted beforehand. The monitors may monitor and record selected sets of process operations and capture associated process parameters, which describe the context in which the process operations were performed. By recording the context of process operations, the system and method described herein improves the intelligence of classifications and consequently reduces the likelihood of incorrectly identifying objects as malware or vice versa.

Abstract: A non-transitory storage medium including instructions that are executable by one or more processors to perform operations including instrumenting a VM is shown. The VM is used to process an object to determine whether the object is associated with malware. Logic within the VM analyzes memory allocated for a process within the VM for a point of interest (POI), the POI being an address of one of a set predetermined instructions likely to be associated with malware. The VMM detects a memory violation during processing of the object and responsive to detecting the memory violation, injects a transition event at the POI on the page on which the POI is located in memory. Further, responsive to detecting an attempted execution of the transition event, the VMM (i) emulates an instruction located at the POI, and (ii) the logic within the VM performs one or more malware detection routines.

Abstract: Selective virtualization of resources is provided, where the resources may be intercepted and services or the resources may be intercepted and redirected. Virtualization logic monitors for a first plurality of requests that are initiated during processing of an object within the virtual machine. Each of the first plurality of requests, such as system calls for example, is associated with an activity to be performed in connection with one or more resources. The virtualization logic selectively virtualizes resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, where the second plurality of requests is lesser in number than the first plurality of requests.

Abstract: According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceed a first time period.

Abstract: A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework generates a plurality of processes for analyzing the object for malware and each of plurality of processes is configured with a different application and plug-in combination selected based in part on a type of object being analyzed.