US 12,271,467 B2
Automated generation of a sandbox configuration for malware detection
Jason Neal Raber, Bellbrook, OH (US)
Assigned to Malwarebytes Corporate Holdco Inc., Santa Clara, CA (US)
Filed by Malwarebytes Corporate Holdco Inc., Santa Clara, CA (US)
Filed on Dec. 27, 2021, as Appl. No. 17/562,679.
Application 17/562,679 is a continuation of application No. 17/089,507, filed on Nov. 4, 2020, granted, now 11,232,193.
Prior Publication US 2022/0138314 A1, May 5, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/53 (2013.01); G06F 9/445 (2018.01); G06F 9/54 (2006.01); G06F 21/56 (2013.01)
CPC G06F 21/53 (2013.01) [G06F 9/44521 (2013.01); G06F 9/54 (2013.01); G06F 21/566 (2013.01); G06F 2221/033 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for analyzing a sample file in a sandbox application, the method comprising:
obtaining, at the sandbox application, a blacklist of API functions, wherein the blacklist was generated by a process including:
identifying, based on operating system disassembled dynamic-link libraries, a set of API functions that causes kernel interrupts;
storing the set of API functions having instructions that cause kernel interrupts to an interrupt list;
identifying a plurality of API functions for the blacklist by:
selecting, for the blacklist, at least one API function that directly invokes one of the set of API functions,
selecting, for the blacklist, at least one API function that indirectly invokes one of the set of API functions,
selecting, for the blacklist, at least one API function that invokes one of the set of API functions via one or more nested API functions, and
iteratively selecting, for the blacklist, at least one API function not on the blacklist that calls one of the API functions on the blacklist;
forming the blacklist from the identified plurality of API functions; and
analyzing the sample file in the sandbox application by emulating API functions of the sample file that match the blacklist.
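The blacklist-generation steps of claim 1 (interrupt list, then direct, indirect, nested and iterative caller selection) amount to a fixed-point expansion over the reverse call graph of the disassembled DLLs. The following Python is an added illustration, not code from the patent or from Malwarebytes; the disassembly listing, function names and instruction bodies are constructed for the example.

```python
# Constructed, simplified "disassembly" of a few exported DLL functions
# (name -> instruction list). Names and bodies are illustrative, not real code.
DISASM = {
    "NtCreateFile": ["mov eax, 0x55", "syscall", "ret"],
    "NtWriteFile": ["mov eax, 0x08", "syscall", "ret"],
    "CreateFileW": ["push ebp", "call NtCreateFile", "ret"],
    "WriteFile": ["call NtWriteFile", "ret"],
    "CopyFileW": ["call CreateFileW", "call WriteFile", "ret"],
    "SHCopyFile": ["call CopyFileW", "ret"],
    "lstrlenW": ["xor eax, eax", "ret"],
    "GetTickCount": ["mov eax, [0x7ffe0320]", "ret"],
}
INTERRUPT_MNEMONICS = {"syscall", "sysenter", "int"}

def find_interrupt_functions(disasm):
    """Step 1: functions whose body contains an instruction that traps into the kernel."""
    return {name for name, body in disasm.items()
            if any(ins.split()[0] in INTERRUPT_MNEMONICS for ins in body)}

def build_callers(disasm):
    """Reverse call graph: callee -> set of functions that call it directly."""
    callers = {name: set() for name in disasm}
    for name, body in disasm.items():
        for ins in body:
            parts = ins.split()
            if len(parts) == 2 and parts[0] == "call" and parts[1] in callers:
                callers[parts[1]].add(name)
    return callers

def build_blacklist(disasm):
    """Steps 2-4: seed with the interrupt list, then keep adding any function that
    calls an already-blacklisted one until no new caller appears (fixed point).
    Returns {function: depth}: 0 = traps itself, 1 = direct, 2+ = indirect/nested."""
    callers = build_callers(disasm)
    blacklist = {fn: 0 for fn in find_interrupt_functions(disasm)}
    frontier = set(blacklist)
    while frontier:
        nxt = set()
        for callee in frontier:
            for caller in callers[callee]:
                if caller not in blacklist:
                    blacklist[caller] = blacklist[callee] + 1
                    nxt.add(caller)
        frontier = nxt
    return blacklist

def select_for_emulation(sample_imports, blacklist):
    """Sandbox side: imports matching the blacklist are emulated, the rest run natively."""
    return sorted(fn for fn in sample_imports if fn in blacklist)
```

Functions with no path to an interrupt (here lstrlenW and GetTickCount) never enter the blacklist, which is what keeps the emulation surface limited to kernel-reaching APIs.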