US 12,153,671 B2
Antimalware scan with decompilation
Andrey Kulaga, Moscow (RU); Serg Bell, Singapore (SG); and Stanislav Protasov, Singapore (SG)
Assigned to Acronis International GmbH, Schaffhausen (CH)
Filed by Acronis International GmbH, Schaffhausen (CH)
Filed on May 31, 2022, as Appl. No. 17/804,838.
Prior Publication US 2023/0385408 A1, Nov. 30, 2023
Int. Cl. G06F 21/55 (2013.01)
CPC G06F 21/554 (2013.01) 20 Claims
OG exemplary drawing
 
1. A method for detection of binary files containing a known malware code fragment in a computing environment with at least one processor, an unknown binary file (UBF), and a known malicious source code fragment (KMSCF), the method comprising:
decompiling the UBF into a text-based unknown source code (USC) by reconstructing software language constructs from a chain of assembly instructions using heuristics; and
identifying whether the KMSCF is contained within the USC including:
removing at least one comment from the USC and removing at least one format from the USC to create a standardized USC,
comparing the standardized USC against a list of known malicious source code fragments, and
determining at least one logical group of control structures within the USC that match at least one control structure within the known malicious code fragment by applying at least one of pre-compilation, compilation, dynamic execution, or debugging to the USC, wherein when the matching indicates that the KMSCF is found to be present within the USC, a corresponding UBF is considered malicious, and when the KMSCF is not found within the USC, then the corresponding UBF is considered not malicious, or a flag is generated for further analysis or processing.
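The standardization and matching steps of claim 1 (strip comments and formatting, compare against a fragment list, then compare control structures), worked as an added example; this is illustrative code written for this page, not Acronis's implementation, and the decompiled listing and the signature fragment are constructed samples.

```python
import re

# Constructed sample inputs (not from the patent): a decompiled C listing as a
# decompiler might emit it, and one entry of a hypothetical KMSCF signature list.
KNOWN_FRAGMENTS = ["while (1) { fork(); }"]

DECOMPILED_USC = """
/* reconstructed from sub_401000 */
int main(void) {
    const char *tag = "http://example.invalid"; // string with '//' inside
    while ( 1 )
    {
        fork( );   /* fork bomb */
    }
    return 0;
}
"""

# String literals are matched first so their contents survive comment removal.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)
_CONTROL_RE = re.compile(r"\b(?:if|else|for|while|do|switch|case)\b|[{}]")


def strip_comments(src: str) -> str:
    return _TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", src)


def standardize(src: str) -> str:
    """Claim step: remove comments and formatting so layout differences vanish."""
    return re.sub(r"\s+", "", strip_comments(src))


def control_signature(src: str) -> list:
    """Ordered control keywords and braces: the 'logical group of control structures'."""
    return _CONTROL_RE.findall(strip_comments(src))


def _contains_run(seq: list, run: list) -> bool:
    return any(seq[i:i + len(run)] == run for i in range(len(seq) - len(run) + 1))


def scan(usc: str, fragments: list) -> str:
    """Return 'malicious' (fragment found), 'flag' (only structure matched) or 'clean'."""
    std_usc = standardize(usc)
    sig_usc = control_signature(usc)
    structural_hit = False
    for frag in fragments:
        if standardize(frag) in std_usc:
            return "malicious"
        if _contains_run(sig_usc, control_signature(frag)):
            structural_hit = True
    return "flag" if structural_hit else "clean"


if __name__ == "__main__":
    print(scan(DECOMPILED_USC, KNOWN_FRAGMENTS))  # malicious
```

A structural-only hit is reported as "flag" rather than a verdict, mirroring the claim's "flag is generated for further analysis" branch, since matching control flow alone is a weak signal.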