System And Method For Detection And On Demand Disinfection Of Remote Machines

Abstract: The present invention discloses a system (100) and method (400) for detection and on-demand disinfection of remote machines. The system (100) comprises a computing machine (103), a server module (122), and a VM controller script module (124). The VM controller script module (124) is configured for evaluating if the executable file sample (112) received has been analyzed before. The VM controller script module (124) is further configured for running a virtual machine (VM) module (102) to check status of the executable file sample (112). The VM controller script module (124) is further configured for activating a driver register module (116). The VM controller script module (124) is further configured for generating a file sample analysis report based on the series of events. The VM controller script module (124) is further configured for classifying the executable file sample (112) based on the series of events and the file sample analysis report.


Patent Information

Filing Date: 27 July 2023
Publication Number: 05/2025
Publication Type: INA
Invention Field: COMPUTER SCIENCE

Applicants

VEHERE INTERACTIVE PRIVATE LIMITED
Srijan Corporate Park, Block GP, Sector V, Bidhannagar, West Bengal 700091, Kolkata, India

Inventors

1. Naveen Jaiswal
19 Orphan Gung Road, Kolkata 700023, India
2. Winny M Thomas
C201, Gopalan Grandeur Hoodi Circle, Mahadevapura Bangalore 560048, India

Specification

Description: SYSTEM AND METHOD FOR DETECTION AND ON-DEMAND DISINFECTION OF REMOTE MACHINES

FIELD OF THE DISCLOSURE
[0001] This invention generally relates to a field of device security systems and methods, and more specifically relates to a system and a method for detection and on-demand disinfection of remote machines, using a multi-model approach.

BACKGROUND
[0002] The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also correspond to implementations of the claimed technology.
[0003] Antivirus software is a security program designed to prevent, detect, search for, and remove viruses and other types of malware from computers, networks, and other devices. Often included as part of a security package, antivirus software can also be purchased as a standalone option. Typically installed on a computer as a proactive approach to cybersecurity, an antivirus program can help mitigate a variety of cyber threats, including keyloggers, browser hijackers, Trojan horses, worms, rootkits, spyware, adware, botnets, phishing attempts and ransomware attacks. Malware is code that can harm computers and laptops, and the data on them. User devices can become infected by inadvertently downloading malware that is in an attachment linked to a dubious email, or hidden on a Universal Serial Bus (USB) drive, or even by simply visiting a dodgy website. Once the malware is on any computing machine such as a personal computer (PC) or a laptop, it steals user data, encrypts it so that the user cannot access it, or even erases it completely. In order to prevent this, the user uses antivirus software and keeps it up to date to protect their data and devices.
[0004] Even if corporate personal computers (PCs) have antivirus applications, the computers are not 100% protected against possible malware infections from directly connected data storage devices. Such situations may arise, for example, when a user of a corporate PC has not updated the antivirus databases of the antivirus software for a long time and, unbeknownst to the user, connects to the PC a flash drive containing a new type of malware which may not be detected by the antivirus application using outdated antivirus databases. This malware may spread to other PCs in the corporate network, causing significant damage or loss of information. There are many other scenarios in which oversight or inexperience of PC users can cause malware infections.
[0005] There have been many traditional systems developed in the recent past to perform the treatment of infections in the computing machine. One of the systems is a server-side system that detects and classifies malware and other types of undesirable processes and events operating on network connected devices, through the analysis of information collected from said network connected devices. The system receives information over a network connection and collects information that is identified as being anomalous. The collected information is analyzed by system process that can group data based on optimally suited cluster analysis methods. Upon clustering the information, the system can correlate an anomalous event to device status, interaction, and various elements that constitute environmental data in order to identify a pattern of behaviour associated with a known or unknown strain of malware. The system further interprets the clustered information to extrapolate propagation characteristics of the strain of malware and determine a potential response action.
[0006] However, there are numerous significant challenges inherent in the traditional server-side systems. Firstly, by the time the potential response action for the malware is determined, the computers of a company or organization have already been infected by the malware, and it is too late for the company to realize that the malware has entered other computer systems. Secondly, after the action is determined, the file suspected of carrying the malware is sent to the research lab, where the cause of the infection is identified and a fix is provided; during this time window the sample may already have caused significant damage or loss of business. Moreover, the traditional server-side systems are more time consuming.
[0007] Another example of the traditional systems described above is an antivirus engine installed in the personal computer to detect and clean the malware which has entered the personal computer or any other computing machine. The antivirus (AV) engine within the personal computer generates an antidote on the spot that runs on the PC to check if the PC is infected. However, the drawback of using the antivirus engine is that it is only able to disinfect the machine if the virus or threat is known. Moreover, the AV engine takes a lot of time to clean the malware, and the malware causes significant damage to the personal computer or other computing machines by the time any solution is determined by the AV engine.
[0008] Hence, considering the above-mentioned drawbacks of the recent malware cleaning systems, there is an urgent need for an automated, efficient, accurate, less time-consuming, on-demand, and easy-to-use malware detection and disinfection system and method which solves the aforementioned drawbacks by extracting behavioural aspects of the malware, classifying the malware under a specific category, and performing cleaning, using a multi-model approach.

OBJECTIVES OF THE INVENTION
[0009] It is an objective of the invention to provide a system for detection and on-demand disinfection of remote machines, using a multi-model approach.
[0010] It is an objective of the invention to provide the system which is configured to analyze file samples in a virtualized environment, using the multi-model approach.
[0011] It is an objective of the invention to provide the system which is configured to determine nature of the analyzed file sample based on a proprietary classifier, using the multi-model approach.
[0012] It is an objective of the invention to provide the system which utilizes the multi-model approach for making execution of the process of the detection and the on-demand disinfection of the remote machines significantly faster and easier.
[0013] It is an objective of the invention to provide the system which is configured to collect enough evidence with respect to the file sample, to understand the malicious nature of the file sample under analysis.
[0014] It is an objective of the present invention to provide the system which is configured to remotely scan machines for signs of infections and clean the machines if infected by the file sample.
[0015] It is an objective of the present invention to provide the system which is configured to determine malicious nature of the file sample, and instantly scan the machine infected due to the file sample in order to fix the machine.
[0016] It is an objective of the invention to provide the system which is configured to perform dynamic analysis of the file sample to extract behavioural aspects of the file sample, using the multi-model approach.
[0017] It is an objective of the invention to provide the system which is configured to determine classification of the file sample upon dynamic analysis of the file sample, using the multi-model approach.
[0018] It is an objective of the invention to provide a method for the detection and the on-demand disinfection of the remote machines, using the multi-model approach.

SUMMARY
[0019] In accordance with some embodiments of present inventive concepts, a system for detection and on-demand disinfection of remote machines, using a multi-model approach, is claimed, which is configured to analyze a file sample, classify the file sample, and perform on-demand cleaning if the file sample is detected as malicious, without any hassle. The system mainly comprises a computing machine, a server module, and a VM controller script module. The computing machine is configured to receive an executable file sample. The server module is configured to extract the executable file sample from the computing machine, and analyze the executable file sample. The VM controller script module is communicably coupled with the server module, and configured for evaluating, through the server module, if the executable file sample received has been analyzed before. The VM controller script module is further configured for running a virtual machine (VM) module to check status of the executable file sample. The VM controller script module is further configured for activating a driver register module to enable a file monitoring module to monitor a series of events occurring on the VM module, due to running of the executable file sample. The VM controller script module is further configured for generating, through a file sample analysis report module, a file sample analysis report based on the series of events. The VM controller script module is further configured for classifying, through an event classifier module, the executable file sample based on the series of events and the file sample analysis report.
[0020] In an embodiment, if the executable file sample is classified as malicious in nature, a scanner module is activated to scan the computing machine or the remote machines over a remote internal network based on the file sample analysis report, to detect signs of infection in the computing machine or the remote machines due to the executable file sample.
[0021] In one embodiment, the scanner module is configured to further check on conditions related with the computing machine or the remote machines. The action of the further check on the conditions related with the computing machine or the remote machines further comprises checking, by the scanner module, if the computing machine or the remote machines have registry modifications or if the computing machine or the remote machines have the executable file sample in their respective file subsystems.
[0022] In accordance with some embodiments of present inventive concepts, a method for the detection and the on-demand disinfection of the remote machines, using the multi-model approach is claimed which comprises firstly receiving, through the computing machine, the executable file sample. Post receiving the executable file sample, the method further comprises extracting, through the server module, the executable file sample from the computing machine. The method further comprises evaluating, through the server module, if the executable file sample received has been analyzed before or not. Post evaluating the executable file sample, the method further comprises analyzing, through the server module, the executable file sample. The method further comprises running, through the VM controller script module, the VM module to check status of the executable file sample. Post running of the VM module, the method further comprises activating, through VM controller script module, the driver register module for enabling the file monitoring module to monitor a series of events occurring on the VM module, due to running of the executable file sample. The method further comprises generating, through the file sample analysis report module, the file sample analysis report based on the series of events. Lastly, after generation of the file sample analysis report, the method further comprises classifying, through the event classifier module, the executable file sample based on the series of events and the file sample analysis report.
[0023] In an embodiment, if the executable file sample is classified as malicious in nature, the scanner module is activated to scan the computing machine or the remote machines over the remote internal network based on the file sample analysis report, to detect the signs of infection in the computing machine or the remote machines due to the executable file sample, and further check on conditions related with the computing machine or the remote machines.
[0024] In another embodiment, the action of the further check on the conditions related with the computing machine or the remote machines further comprises checking, by the scanner module, if the computing machine or the remote machines have registry modifications or if the computing machine or the remote machines have the executable file sample in their respective file subsystems.
[0025] These and other aspects of the embodiments herein will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings. It should be understood, however, that the following descriptions, while indicating preferred embodiments and numerous specific details thereof, are given by way of illustration and not of limitation. Many changes and modifications may be made within the scope of the embodiments herein without departing from the spirit thereof, and the embodiments herein include all such modifications.

BRIEF DESCRIPTION OF THE DRAWINGS
[0026] The accompanying drawings illustrate various embodiments of systems, methods, and embodiments of various other aspects of the disclosure. Any person with ordinary skills in the art will appreciate that the illustrated element boundaries (e.g., boxes, groups of boxes, or other shapes) in the figures represent one example of the boundaries. It may be that in some examples one element may be designed as multiple elements or that multiple elements may be designed as one element. In some examples, an element shown as an internal component of one element may be implemented as an external component in another, and vice versa. Furthermore, elements may not be drawn to scale. Non-limiting and non-exhaustive descriptions are described with reference to the following drawings. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating principles.
[0027] FIG. 1 is a block diagram illustrating a system for detection and on-demand disinfection of remote machines, using a multi-model approach, according to embodiments disclosed herein;
[0028] FIG. 2 is an exemplary embodiment illustrating a system for the detection and the on-demand disinfection of a computing machine, according to one embodiment disclosed herein;
[0029] FIG. 3 is an exemplary embodiment illustrating a system for the detection and the on-demand disinfection of the computing machine, according to another embodiment disclosed herein;
[0030] FIG. 4 is a flowchart illustrating a method for the detection and the on-demand disinfection of the remote machines, using the multi-model approach, according to the embodiments disclosed herein;
[0031] FIG. 5 is a flowchart illustrating a method for operation of a driver register module during the detection and the on-demand disinfection of the computing machine, according to the embodiments disclosed herein;
[0032] FIG. 6 is a flowchart illustrating a method for operation of an event classifier module during the detection and the on-demand disinfection of the computing machine, according to the embodiments disclosed herein; and
[0033] FIG. 7 is a flowchart illustrating a method for operation of a scanner module during the detection and the on-demand disinfection of the computing machine, according to the embodiments disclosed herein.

DETAILED DESCRIPTION
[0034] Some embodiments of the disclosure, illustrating all its features, will now be discussed in detail. The words “comprising,” “having,” “containing,” and “including,” and other forms thereof, are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise. Although any systems and methods similar or equivalent to those described herein can be used in the practice or testing of embodiments of the present disclosure, the preferred, systems and methods are now described. Embodiments of the present disclosure will be described more fully hereinafter with reference to the accompanying drawings in which like numerals represent like elements throughout the several figures, and in which example embodiments are shown. Embodiments of the claims may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. The examples set forth herein are non-limiting examples and are merely examples among other possible examples.
[0035] While the present invention is described herein by way of example using embodiments, those skilled in the art will recognize that the invention is not limited to the embodiments described, and that the drawings are not intended to represent the scale of the various components. It should be understood that the detailed description thereto is not intended to limit the invention to the particular form disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the scope of the present invention as defined by the appended claims. As used throughout this description, the word "may" is used in a permissive sense (i.e. meaning having the potential to), rather than the mandatory sense (i.e. meaning must). Further, the words "a" or "an" mean "at least one" and the word "plurality" means "one or more" unless otherwise mentioned. Furthermore, the terminology and phraseology used herein is solely used for descriptive purposes and should not be construed as limiting in scope. Language such as "including," "comprising," "having," "containing," or "involving," and variations thereof, is intended to be broad and encompass the subject matter listed thereafter, equivalents, and additional subject matter not recited, and is not intended to exclude other additives, components, integers, or steps. Likewise, the term "comprising" is considered synonymous with the terms "including" or "containing" for applicable legal purposes. Any discussion of documents, acts, materials, devices, articles, and the like is included in the specification solely for the purpose of providing a context for the present invention. It is not suggested or represented that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention.
[0036] The present invention is described hereinafter by various embodiments. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiment set forth herein. Rather, the embodiment is provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art. In the following detailed description, numeric values and ranges are provided for various aspects of the implementations described. These values and ranges are to be treated as examples only, and are not intended to limit the scope of the claims. In addition, a number of materials are identified as suitable for various facets of the implementations. These materials are to be treated as exemplary, and are not intended to limit the scope of the invention.
[0037] The present invention discloses a system for detection and on-demand disinfection of remote machines, using the multi-model approach. The remote machines are, but are not restricted to, virtual machines, physical machines, remote network machines, or any other machine. The system mainly comprises a computing machine, a server module, a virtual machine (VM) module, and a VM controller script module. The system is configured to analyze file samples in a virtualized environment, using the multi-model approach. The system is further configured to determine the nature of the analyzed file sample based on a proprietary classifier, using the multi-model approach. The system is further configured to utilize the multi-model approach for making execution of the process of the detection and the on-demand disinfection of the remote machines significantly faster and easier.
[0038] FIG. 1 is a block diagram illustrating a system (100) for detection and on-demand disinfection of the remote machines, using a multi-model approach, according to embodiments disclosed herein. The system (100) comprises a virtual machine (VM) module (102), a computing machine (103), an executable file sample (112), and a server module (122). The VM module (102) comprises a memory module (104), a processing module (106), a communication module (108), a display interface module (110), a file monitoring module (114), a driver register module (116), and a file sample analysis report module (120). The VM module (102) is configured to be run by a VM controller script module (124) of the server module (122). The VM module (102) is further configured to check status of the executable file sample (112). The VM module (102) is further configured to be communicably coupled with the server module (122), to receive the executable file sample (112) in order to check the status of the executable file sample (112). The VM module (102) is further configured to be activated by the VM controller script module (124), to receive the executable file sample (112) for uploading. The VM module (102) is further configured to be shut down by the VM controller script module (124), after the analysis timeout with respect to the executable file sample (112) has elapsed.
[0039] In an embodiment, the VM module (102) is for example, but not limited to, a virtual machine, a physical machine, a remote network machine, or any other machine.
[0040] The computing machine (103) is configured to receive the executable file sample (112). The computing machine (103) is further configured to get infected if it is detected that the executable file sample (112) received by the computing machine (103) is malicious in nature. The computing machine (103) is further configured to receive the data related with the executable file sample (112). The computing machine (103) is further configured to process data related to the executable file sample (112), through the processing module (106). The computing machine (103) is configured to store the data related with the executable file sample (112), through the memory module (104).
[0041] In one embodiment, the computing machine (103) is for example, but not limited to, a laptop, a personal computer, a personal digital assistant (PDA), a tablet computer, a laptop computer, a cellular phone, a mobile device, an Internet of Things (IoT) device, a smart watch, a virtual reality device, a multiple camera system, or any other handheld device.
[0042] The memory module (104) is configured to store the data related with the executable file sample (112). The memory module (104) is further configured to store data related with the information embedded inside the executable file sample (112). The memory module (104) is further configured to store the data related with the particulars of the executable file sample (112). These particulars include, but not limited to, a machine code, a source code, a program code or the like.
[0043] In one embodiment, the memory module (104) is configured to store instructions to be executed by the processing module (106). The memory module (104) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard discs, optical discs, floppy discs, flash memories, or forms of electrically programmable memories (EPROM) or electrically erasable and programmable memories (EEPROM). In addition, the memory module (104) may, in some examples, be considered a non-transitory storage medium. The term "non-transitory" may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. However, the term "non-transitory" should not be interpreted to mean that the memory module (104) is non-movable. In some examples, the memory module (104) may be configured to store large amounts of data information. In certain examples, a non-transitory storage medium may store data that can, over time, change in nature (e.g., in Random Access Memory (RAM) or cached memory).
[0044] The processing module (106) is coupled with the memory module (104), the communication module (108), and the display interface module (110). The processing module (106) is further configured to process the data related to the executable file sample (112). The processing module (106) is further configured to process the data related with the information embedded inside the executable file sample (112). The processing module (106) is further configured to process the data related with the particulars of the executable file sample (112).
[0045] The communication module (108) is configured to communicate with the computing machine (103), by sending the data related to the executable file sample (112). The communication module (108) is configured to communicate with the computing machine (103), by sending the data related with the information embedded inside the executable file sample (112). The communication module (108) is further configured to communicate with the computing machine (103), by sending the data related with the particulars of the executable file sample (112).
[0046] The display interface module (110) is configured to display to the user through the computing machine (103), the data related to the executable file sample (112) after the analysis of the executable file sample (112) is over. The display interface module (110) is configured to display to the user through the computing machine (103), the data related with the information embedded inside the executable file sample (112) after the analysis of the executable file sample (112) is over. The display interface module (110) is configured to display to the user through the computing machine (103), the data related with the particulars of the executable file sample (112) after the analysis of the executable file sample (112) is over.
[0047] The executable file sample (112) is a file sample configured to be received by the computing machine (103). The executable file sample (112) is further configured to be analyzed in a virtualized environment. The executable file sample (112) is further configured to be dynamically analyzed, in order to extract behavioural aspects of the executable file sample (112). The executable file sample (112) is further configured to be executed within the computing machine (103) in order to extract and analyze the particulars of the executable file sample (112). The particulars include, but not limited to, a machine code, a source code, a program code or the like.
[0048] The server module (122) is configured to extract the executable file sample (112) from the computing machine (103). The server module (122) is further configured to activate the VM controller script module (124). The server module (122) is further configured to analyze the executable file sample (112), upon receiving of the executable file sample (112) by the computing machine (103). The server module (122) comprises of the VM controller script module (124) and a scanner module (126).
[0049] The file monitoring module (114) is configured to be activated by the driver register module (116) to monitor a series of events occurring on the VM module (102), due to running of the executable file sample (112). The events comprise process, registry, filesystem, task scheduling, and network related activities.
[0050] The driver register module (116) is configured to collect and monitor all events related with the executable file sample (112). The driver register module (116) is further configured to send all the events related with the executable file sample (112) to an event classifier module (118). The driver register module (116) is further configured to register a series of kernel callbacks to enable the file monitoring module (114) to monitor the process, the registry, the filesystem and network related activities. The driver register module (116) is further configured to analyze the events to understand the nature of each of the events. The driver register module (116) is further configured to analyze the nature of parameters passed to application program interface (API) calls. The driver register module (116) is further configured to analyze the nature of the event classifier module (118).
[0051] In an embodiment, the driver register module (116) is further configured to keep a track record of all the events from the executable file sample (112) in a file sample analysis report.
[0052] In another embodiment, the events include, but are not limited to, process, registry, filesystem, task scheduling, and network related activities, or any other event.
[0053] The event classifier module (118) is configured to receive all the events related with the executable file sample (112), from the driver register module (116). The event classifier module (118) is further configured to classify the executable file sample (112) as malicious, suspicious, or clean, based on all the events related with the executable file sample (112). The event classifier module (118) is further configured to monitor incoming events received by the driver register module (116). The event classifier module (118) is further configured to initiate classification process by assuming that the executable file sample (112) is clean.
[0054] In one embodiment, if at least one high severity event is seen, then the executable file sample (112) is immediately classified as "MALICIOUS". If no high severity events are seen but two or more suspicious events are seen, then the executable file sample (112) is classified as "SUSPICIOUS". If no events are seen, then the executable file sample (112) is automatically marked as "CLEAN".
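The classification rule of paragraphs [0053] and [0054], together with the event record that [0055] and [0056] say is carried into the file sample analysis report, can be written out directly. The following is an added example and not the applicant's code: it implements exactly the rule the page states (start from CLEAN, any high severity event gives MALICIOUS, otherwise two or more suspicious events give SUSPICIOUS, no events give CLEAN). The severity table, the event record layout, the constructed trace, and the treatment of a single suspicious event (left CLEAN, since the page does not say otherwise) are assumptions made for illustration.

```python
"""Event classification from a sandbox trace (paragraphs [0053] to [0056]).

Added example, not the applicant's code. The SEVERITY table, the Event
layout and SAMPLE_TRACE are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

MALICIOUS, SUSPICIOUS, CLEAN = "MALICIOUS", "SUSPICIOUS", "CLEAN"

# Assumed mapping from (event kind, observed action) to severity. In the
# system described, the driver's analysis of API parameters would feed this.
SEVERITY = {
    ("process", "remote_thread_injection"): "high",
    ("filesystem", "overwrite_system_binary"): "high",
    ("registry", "set_autorun_key"): "suspicious",
    ("filesystem", "write_executable"): "suspicious",
    ("task_scheduling", "create_task"): "suspicious",
    ("network", "connect"): "suspicious",
    ("network", "dns_query"): "info",
    ("filesystem", "write_temp"): "info",
}


@dataclass(frozen=True)
class Event:
    kind: str      # process | registry | filesystem | task_scheduling | network
    action: str    # what the kernel callback observed
    target: str    # process name, registry key, path or host

    @property
    def severity(self) -> str:
        # Anything not in the table is informational only.
        return SEVERITY.get((self.kind, self.action), "info")


def classify(events: Iterable[Event]) -> str:
    """Verdict for a trace; a high severity event short-circuits to MALICIOUS.

    The sample is assumed CLEAN until the events say otherwise ([0053])."""
    suspicious = 0
    for ev in events:
        if ev.severity == "high":
            return MALICIOUS
        if ev.severity == "suspicious":
            suspicious += 1
    return SUSPICIOUS if suspicious >= 2 else CLEAN


def build_report(sample_id: str, events: list) -> dict:
    """File sample analysis report: verdict plus the full event record,
    grouped by kind as in [0056], in a form a scanner can reuse."""
    by_kind = {}
    for ev in events:
        by_kind.setdefault(ev.kind, []).append(
            {"action": ev.action, "target": ev.target, "severity": ev.severity})
    return {
        "sample_id": sample_id,
        "verdict": classify(events),
        "event_counts": dict(Counter(ev.kind for ev in events)),
        "events": by_kind,
    }


# Constructed trace, not captured from a real sample.
SAMPLE_TRACE = [
    Event("filesystem", "write_temp", r"C:\Users\lab\AppData\Local\Temp\x.tmp"),
    Event("registry", "set_autorun_key",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("filesystem", "write_executable",
          r"C:\Users\lab\AppData\Roaming\updater.exe"),
    Event("network", "dns_query", "example.invalid"),
]

if __name__ == "__main__":
    print(build_report("sample-0001", SAMPLE_TRACE))
```

For the constructed trace the verdict is SUSPICIOUS: two suspicious events (the autorun key and the dropped executable) and no high severity event. Appending a single high severity event flips the verdict to MALICIOUS without counting the rest, which is the immediate classification [0054] describes.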
[0055] In another embodiment, if the executable file sample (112) is classified as malicious, the file sample analysis report containing a list of all the events related with the executable file sample (112) is generated.
[0056] The file sample analysis report module (120) is configured to generate a file sample analysis report containing the record of all the events which are identified with respect to the executable file sample (112), after the analysis of the executable file sample (112) is over. The file sample analysis report includes, but is not limited to, a record of process events, a record of registry events, a record of filesystem events, and a record of network related events. The file sample analysis report module (120) is further configured to be used by the scanner module (126), which relies on the file sample analysis report upon scan of remote systems, in order to detect signs of infection in the remote systems due to the executable file sample (112).
[0057] The VM controller script module (124) is configured to be in communication with the VM module (102) and the server module (122). The VM controller script module (124) is further configured to activate the VM module (102) and the driver register module (116). The VM controller script module (124) is further configured to upload the executable file sample (112) onto the VM module (102). The VM controller script module (124) is further configured to download the file sample analysis report and shut down the VM module (102), upon completion of the analysis timeout.
[0058] In one embodiment, the VM controller script module (124) is, but not limited to, a Python script that receives the executable file sample (112) from the system (100) or the network detection and response (NDR) system. The VM controller script module (124) is configured to initiate starting of the VM module (102). The VM controller script module (124) is further configured to ensure that, every time the VM module (102) is started for a new analysis, the computing machine (103) or the other machines come up in a clean state. The clean state is stored as a snapshot of a Windows version without any trace of malware.
[0059] In another embodiment, the other machines are, but not limited to, virtual machines, physical machines, remote network machines, or any other machine.
[0060] The scanner module (126) is configured to scan the computing machine (103) or the remote machines, to detect signs of infection in the computing machine (103) or the remote machines. The scanner module (126) is configured to perform on-spot scanning of the computing machine (103) or the remote machines over a remote internal network to detect signs of infection in the computing machine (103) or the remote machines due to the executable file sample (112). The scanner module (126) is further configured to scan the computing machine (103) or the remote machines based on the generated file sample analysis report. The scanner module (126) is further configured to check on conditions related with the computing machine (103) or the remote machines.
[0061] In another embodiment, the scanner module (126) is further configured to check if the computing machine (103) or the other machines have registry modifications or if the computing machine (103) or the other machines have the executable file sample (112) in their respective file subsystems.
[0062] In yet another embodiment, the scanner module (126) is further configured to ingest the file sample analysis report, and perform remote scanning of the other machines over the remote internal network to detect signs of the events recorded in the file sample analysis report.
[0063] In yet another embodiment, the scanner module (126) is further configured to optionally disinfect the other machines by reversing the sequence of the events seen in the file sample analysis report, if the infection in the other machines does not involve ransomware.
[0064] In yet another embodiment, the scanner module (126) is further configured to remove newly added registry keys, delete dropped files, terminate processes created by the executable file sample (112) or by more than one executable file sample (112), shut down network services started by the executable file sample (112), and remove scheduled tasks and associated files.

[0065] A file sample analysis database (128), also referred to herein as the database (128), is a storage entity which is configured to store data records related with the executable file sample (112). The file sample analysis database (128) is further configured to store data records related with the information embedded inside the executable file sample (112). The file sample analysis database (128) is further configured to store data records related with the particulars of the executable file sample (112). The file sample analysis database (128) is further configured to store data records related with the list of all the events related to the executable file sample (112).
[0066] In an embodiment, the VM module (102), the computing machine (103), the server module (122), and the file sample analysis database (128) are all connected to each other over a communications network (130).
[0067] The communications network (130) may facilitate a communication link among the components of the system (100). It may be noted that the communication network (130) may be a wired and/or a wireless network. The communication network (130), if wireless, may be implemented using communication techniques such as Visible Light Communication (VLC), Worldwide Interoperability for Microwave Access (WiMAX), Long Term Evolution (LTE), Wireless Local Area Network (WLAN), Infrared (IR) communication, Public Switched Telephone Network (PSTN), radio waves, and other communication techniques known in the art.
[0068] FIG. 2 is an exemplary embodiment illustrating a system (200) for the detection and the on-demand disinfection of a computing machine (204), according to one embodiment disclosed herein. The system (200) mainly comprises the VM module (102), the server module (122), a web application (202), and the computing machine (204). The computing machine (204) is configured to receive the executable file sample (112) through the web application (202). The executable file sample (112) is configured to be received by the server module (122). The VM module (102) is activated by the server module (122) to analyze the executable file sample (112). The VM controller script module (124) is communicably coupled with the VM module (102) and the server module (122) and configured for collecting and monitoring all events related with the executable file sample (112), through the driver register module (116). The VM controller script module (124) is further configured for sending all the events related with the executable file sample (112) to the event classifier module (118), through the driver register module (116). The event classifier module (118), upon receiving the executable file sample (112), is configured to classify the executable file sample (112) based on all the events related with the executable file sample (112). If the executable file sample (112) is classified under the “MALICIOUS” category, the file sample analysis report module (120) generates the file sample analysis report of all the events related with the executable file sample (112). The file sample analysis report is stored within an operating system (115) which manages all the events listed in the file sample analysis report. Based on the generated file sample analysis report, the scanner module (126) scans the computing machine (204) or the remote machines, as per the case or user requirements.
During scanning of the computing machine (204) or the remote machines over the remote internal network, signs of infection due to the executable file sample (112) are detected in the computing machine (204) or the remote machines. A further check on the conditions related with the computing machine (204) or the remote machines is carried out by checking if the computing machine (204) or the remote machines have registry modifications, or if the computing machine (204) or the remote machines have the executable file sample (112) in their respective file subsystems.
[0069] In an embodiment, the web application (202) is, but not limited to, a software application, a website, a web link, or any other application based link. The file subsystems refer to data management systems or file management systems.
[0070] FIG. 3 is an exemplary embodiment illustrating a system (300) for the detection and the on-demand disinfection of the computing machine (204), according to another embodiment disclosed herein. The system (300) mainly comprises the server module (122), the VM controller script module (124), the scanner module (126), and the computing machine (204). The VM controller script module (124) is communicably coupled with the VM module (102) and the server module (122), and configured for collecting and monitoring all events related with the executable file sample (112), through the driver register module (116). The VM controller script module (124) is further configured for sending all the events related with the executable file sample (112) to the event classifier module (118), through the driver register module (116). The event classifier module (118), upon receiving the executable file sample (112), is configured to classify the executable file sample (112). The executable file sample (112) is classified into three different categories of events, namely a “MALICIOUS” event (302), a “SUSPICIOUS” event (304), and a “CLEAN” event (306). The “MALICIOUS” event (302) is the event classification which is applicable if at least one event is seen as a high severity event. The “SUSPICIOUS” event (304) is the event classification which is applicable if no high severity events are seen, but two or more suspicious events are seen. The “CLEAN” event (306) is the event classification which is applicable if no events are seen.
[0071] FIG. 4 is a flowchart illustrating a method (400) for the detection and the on-demand disinfection of the remote machines, using the multi-model approach, according to the embodiments disclosed herein. The method (400) starts initially at step (402) and ends at step (412). At step (402), the method (400) initially comprises receiving the executable file sample (112) through the computing machine (103). The method (400) further comprises extracting, through the server module (122), the executable file sample (112) from the computing machine (103), at step (404). The method (400) further comprises evaluating, through the server module (122), whether the executable file sample (112) received has been analyzed before, at step (406). The method (400) further comprises analyzing, through the server module (122), the executable file sample (112), at step (408). The method (400) further comprises running, through the VM controller script module (124), the VM module (102) to check the status of the executable file sample (112), at step (410). The method (400) further comprises activating, through the VM controller script module (124), the driver register module (116) for enabling the file monitoring module (114) to monitor the series of events occurring on the VM module (102) due to running of the executable file sample (112), at step (412). The method (400) further comprises generating, through the file sample analysis report module (120), the file sample analysis report based on the series of events, at step (414). Lastly, upon generation of the file sample analysis report, the method (400) further comprises classifying, through the event classifier module (118), the executable file sample (112) based on the series of events and the file sample analysis report, at step (414).
[0072] In an embodiment, if the executable file sample (112) is classified as malicious in nature, the scanner module (126) is activated to scan the computing machine (103) or the remote machines over a remote internal network based on the file sample analysis report, to detect signs of infection in the computing machine (103) or the remote machines due to the executable file sample (112), and further check on conditions related with the computing machine (103) or the remote machines.
[0073] In one embodiment, the action of the further check on the conditions related with the computing machine (103) or the remote machines further comprises checking, by the scanner module (126), if the computing machine (103) or the remote machines have registry modifications or if the computing machine (103) or the remote machines have the executable file sample (112) in their respective file subsystems.
[0074] In another embodiment, the step of activating, through the VM controller script module (124), the driver register module (116) for enabling the file monitoring module (114) to monitor a series of events occurring on the VM module (102), due to running of the executable file sample (112) further comprises registering, through the driver register module (116), a series of kernel callbacks to enable the file monitoring module (114) to monitor the process, the registry, the filesystem, and the network related activities.
[0075] In yet another embodiment, the method (400) further comprises analyzing, through the driver register module (116), the events to understand the nature of each of the events, the nature of parameters passed to API calls, and the nature of the event classifier module (118).
[0076] In yet another embodiment, the method (400) further comprises storing, through the driver register module (116), the record of all the events from the executable file sample (112) in the file sample analysis report.
[0077] The step of activation of the scanner module (126) to scan the computing machine (103) or the remote machines based on the file sample analysis report comprises firstly uploading, through the VM controller script module (124), the executable file sample (112) onto the VM module (102). Upon completion of the analysis timeout, the method (400) lastly comprises causing the VM module (102) to shut down.
[0078] The step of scanning, through the scanner module (126), the computing machine (103) or the remote machines over the remote internal network to detect the signs of the infection in the computing machine (103) or the remote machines due to the executable file sample (112) comprises firstly ingesting, through the scanner module (126), the file sample analysis report. The method further comprises lastly performing, through the scanner module (126), remote scanning of the computing machine (103) or the remote machines over the remote internal network, to detect signs of the events recorded in the file sample analysis report.
[0079] In an embodiment, the method (400) further comprises optionally disinfecting, through the scanner module (126), the remote machines by reversing the sequence of the events seen in the file sample analysis report, if the infections in the remote machines do not involve ransomware.
[0080] In another embodiment, the step of reversing the sequence of the events further comprises firstly performing, through the scanner module (126), removal of newly added registry keys, deletion of dropped files, termination of processes created by the executable file sample (112), and shutting down of network services started by the executable file sample (112). The method (400) further comprises performing, through the scanner module (126), removal of scheduled tasks and associated files.
[0081] In yet another embodiment, the action of the further check on conditions related with the computing machine (103) or the other machines comprises checking, by the scanner module (126), if the computing machine (103) or the remote machines have registry modifications or if the computing machine (103) or the remote machines have the executable file sample (112) in their respective file subsystems.
[0082] In yet another embodiment, the step of generating, through the file sample analysis report module (120), the file sample analysis report based on the series of events further comprises downloading, through the file sample analysis report module (120), the file sample analysis report, before the VM module (102) is shut down by the VM controller script module (124), upon completion of analysis timeout.
[0083] FIG. 5 is a flowchart illustrating a method (500) for operation of the driver register module (116) during the detection and the on-demand disinfection of the computing machine (103), according to the embodiments disclosed herein. The driver register module (116) is an important component of the system (100) and is configured to register the series of kernel callbacks, in order to enable the driver register module (116) to monitor process, registry, filesystem, and network related activities. Any such activity is intercepted by these callbacks, and the driver register module (116) is configured to analyze the event to understand the nature of the activity, the parameters passed to API calls, and the event classifier subsystem. The driver register module (116) is configured to keep the record of all events from the executable file sample (112) in the file sample analysis report. The file sample analysis report is sent as an input to the scanner module (126), which uses the file sample analysis report to scan the remote systems to detect the signs of infection due to the executable file sample (112). The VM module (102), i.e. the virtual machine inside which the analysis is performed, and in turn the driver register module (116), are started by the VM controller script module (124). The VM controller script module (124) is basically a Python script that receives samples from the system (100) and starts the VM module (102) and the driver register module (116). The VM controller script module (124) then uploads the executable file sample (112) onto the VM module (102). Once the analysis timeout is over, the VM controller script module (124) downloads the file sample analysis report and shuts down the VM module (102). The VM controller script module (124) ensures that every time the virtual machine is started for a new analysis, the virtual machine comes up in the clean state.
[0084] The method (500) of operation of the driver register module (116) starts at step (502) and ends at step (514). At step (502), the method (500) comprises initially activating the driver register module (116). The method (500) further comprises detecting whether the executable file sample (112) is dropped in an analysis folder, at step (504). If the executable file sample (112) is not dropped in the analysis folder, the method (500) further comprises initiating the action of waiting on a filesystem callback signal, at step (506). If the executable file sample (112) is dropped in the analysis folder, the method (500) further comprises monitoring the events related with the executable file sample (112), at step (508). The method (500) further comprises initiating the action of writing event records to the file sample analysis report, at step (510). The method (500) further comprises sending a shutdown signal through the VM controller script module (124) to the VM module (102) inside which the analysis has been carried out, at step (512). The method (500) further comprises enabling the VM module (102) to shut down, through the VM controller script module (124), at step (514).
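The lifecycle described in [0057], [0058], [0083] and [0084], together with the "analyzed before" check of step (406) in method (400), as an added illustration rather than the applicant's own Python script (124). The hypervisor, the guest driver and the file sample analysis database are replaced by in-memory fakes so the orchestration runs offline; their method names, the analysis folder path and the simulated event records are assumptions made for this example. The point it demonstrates is the ordering the text requires: revert to the clean snapshot before every run, start the driver before uploading the sample, download the report before the shutdown, and skip the whole run for a sample already in the database.

```python
"""VM controller script modelled on [0057]-[0058], [0071] and [0083]-[0084].

Added illustration, not the patent's own Python script (124). The hypervisor,
the guest driver and the analysis database are replaced by in-memory fakes so
the orchestration runs offline; their method names and the guest path are
assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ANALYSIS_FOLDER = "C:\\analysis\\"          # constructed guest folder watched by the driver (step 504)
SAMPLE_PATH = ANALYSIS_FOLDER + "sample.exe"


@dataclass
class FakeGuest:
    """Stand-in for the VM module (102) together with its driver register module (116)."""
    clean_snapshot: Dict[str, bytes]            # guest files present in the clean snapshot
    simulate: Callable[[bytes], List[dict]]     # constructed: events a given sample "produces"
    files: Dict[str, bytes] = field(default_factory=dict)
    running: bool = False
    driver_active: bool = False
    report: Optional[dict] = None
    log: List[str] = field(default_factory=list)

    def revert_to_clean_snapshot(self) -> None:
        self.files = dict(self.clean_snapshot)  # no trace of the previous sample survives
        self.driver_active, self.report = False, None
        self.log.append("revert")

    def start(self) -> None:
        self.running = True
        self.log.append("start")

    def start_driver(self) -> None:
        if not self.running:
            raise RuntimeError("guest not running")
        self.driver_active = True
        self.log.append("driver")

    def upload(self, path: str, data: bytes) -> None:
        if not self.running:
            raise RuntimeError("guest not running")
        self.files[path] = data
        self.log.append("upload")

    def wait_for_timeout(self, seconds: int) -> None:
        """While the sample runs, the driver writes event records to the report (steps 508-510)."""
        if not self.driver_active:
            raise RuntimeError("driver not active")
        sample = self.files.get(SAMPLE_PATH)
        self.report = {"timeout": seconds, "events": self.simulate(sample) if sample else []}
        self.log.append("wait")

    def download_report(self) -> Optional[dict]:
        self.log.append("download")
        return self.report

    def shutdown(self) -> None:
        self.running = False
        self.log.append("shutdown")


class VMControllerScript:
    """Steps (406)-(412) of method (400) and the start/upload/download/shutdown cycle of [0083]."""

    def __init__(self, guest: FakeGuest, database: Dict[str, dict], timeout: int = 120):
        self.guest, self.db, self.timeout = guest, database, timeout

    def analyze(self, sample: bytes) -> dict:
        digest = hashlib.sha256(sample).hexdigest()
        if digest in self.db:                   # step (406): analyzed before, reuse the stored report
            return {"sha256": digest, "cached": True, "report": self.db[digest]}
        g = self.guest
        g.revert_to_clean_snapshot()            # [0058]: every analysis starts from the clean snapshot
        g.start()                               # step (410)
        g.start_driver()                        # step (412): activate the driver register module
        g.upload(SAMPLE_PATH, sample)           # [0077]: drop the sample into the analysis folder
        g.wait_for_timeout(self.timeout)
        report = g.download_report()            # [0082]: download before the VM is shut down
        g.shutdown()
        self.db[digest] = report                # file sample analysis database (128)
        return {"sha256": digest, "cached": False, "report": report}


def simulate_events(sample: bytes) -> List[dict]:
    """Constructed stand-in for the guest run: derive a few event records from the sample bytes."""
    events = [{"category": "PROCESS", "action": "create_process", "target": SAMPLE_PATH}]
    if b"persist" in sample:
        events.append({"category": "REGISTRY", "action": "create_key",
                       "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"})
    return events


def demo() -> dict:
    """Analyze one constructed sample twice and a second one once; returns everything worth inspecting."""
    guest = FakeGuest(clean_snapshot={"C:\\Windows\\notepad.exe": b"MZ..."}, simulate=simulate_events)
    database: Dict[str, dict] = {}
    ctl = VMControllerScript(guest, database, timeout=60)
    first = ctl.analyze(b"MZ sample-A persist")
    again = ctl.analyze(b"MZ sample-A persist")
    second = ctl.analyze(b"MZ sample-B")
    return {"first": first, "again": again, "second": second, "guest": guest, "database": database}
```

Running `demo()` shows the second submission of sample A served from the database without starting the guest, and the guest's file table after sample B containing no remnant of sample A, which is the "clean state" guarantee of [0058] made checkable.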
[0085] FIG. 6 is a flowchart illustrating a method (600) for operation of the event classifier module (118) during the detection and the on-demand disinfection of the computing machine (103), according to the embodiments disclosed herein. The event classifier module (118) is a part of the driver register module (116) within the system (100). The event classifier module (118) is configured to monitor the incoming events received by the driver register module (116), and classify the executable file sample (112) under analysis as “Malicious”, “Suspicious”, or “Clean”. The classification process is initiated by the event classifier module (118), by assuming that the executable file sample (112) received by the computing machine (103) is clean.
[0086] The following events are treated as “MALICIOUS” or “SUSPICIOUS” by the event classifier module (118).
PROCESS events: These are events or activity monitored by a process monitoring subsystem of the event classifier module (118) within the driver register module (116), using registered kernel callbacks. Examples of malicious process events are connecting to a process with VM_WRITE permissions, launching a process from the TEMP folder, terminating a critical process like an Anti-Virus process, etc. Examples of suspicious events are connecting to a process with VM_READ permissions, starting a process from a standard Windows path, etc.
REGISTRY events: These are events monitored by a registry monitoring subsystem of the event classifier module (118) within the driver register module (116). Any registry related activity is monitored by this subsystem using registered kernel callbacks. Examples of malicious registry events are creating a Run key, creating a Winlogon key, creating a RunOnce key, modifying keys related to Antivirus engines or other security software, etc. Examples of suspicious events are creating registry keys which do not affect overall system operation, modifying non-critical keys, etc.
FILESYSTEM events: These are events monitored by a filesystem monitoring subsystem within the driver register module (116). Any filesystem related activity is monitored by this subsystem using registered kernel callbacks. Examples of malicious filesystem events are creating files under the TEMP folder, creating files under a critical Windows folder, creating files under the Startup folder, etc. Examples of suspicious filesystem events are creating non-executable files.
NETWORK events: These are events monitored by a network monitoring subsystem of the event classifier module (118) within the driver register module (116). The network monitoring subsystem registers with the Windows Filtering Platform layer to obtain information on outgoing TCP/UDP sessions, the associated process and the executable file path. It is common for applications to start services listening on a TCP/UDP port or to start processes that make outgoing connections. All network activity is marked as suspicious except when the executable service or process runs from paths like the Desktop folder, etc.
TASKSCHEDULING events: These are events monitored by the process monitoring subsystem within the driver register module (116). Any task scheduling related activity is monitored by this subsystem using the registered kernel callbacks. All task scheduling activity is treated as malicious.
[0087] The method (600) of FIG. 6 starts at step (602) and ends at step (616). At step (602), the method (600) comprises detecting if the VM shutdown signal is received by the VM module (102). If the VM shutdown signal is received by the VM module (102), the event classifier module (118) is configured to enable an event monitor loop to monitor the events related with the executable file sample (112), at step (604). The method (600) further comprises detecting whether the severity of the detected event is high, at step (606). If the severity of the detected event is high, the method (600) further comprises classifying the executable file sample (112) as “MALICIOUS”, at step (608). But if the severity of the detected event is not high, the method (600) further comprises detecting whether the severity of the detected event is medium, at step (610). If the severity of the event is medium, the method (600) further comprises determining if two or more suspicious events have been seen, at step (612). If two or more suspicious events have been seen, the executable file sample (112) is classified as suspicious, at step (614). If either the severity of the detected event is not medium, or the severity of the event is medium but fewer than two suspicious events have been seen, the operational flow of the method (600) again starts from step (602). Lastly, if the VM shutdown signal is not received by the VM module (102) at step (602), the method (600) further comprises exiting the operation of the event classifier module (118).
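The classification rules of [0054], the event categories of [0086] and the loop of [0087] in one place, as an added illustration rather than the applicant's event classifier module (118). The `Event` record, the severity table and the sample events are constructed for this example; in the described system the records would come from the kernel callbacks of the driver register module (116). The verdict logic is the one the text states: start from CLEAN, a single high severity event decides MALICIOUS at once, two or more medium severity events yield SUSPICIOUS, and a lone suspicious event leaves the initial assumption untouched.

```python
"""Event classifier following the rules stated in [0054], [0086] and [0087].

Added illustration, not the patent's own event classifier module (118). The
Event record, the severity table and the sample events are constructed; in
the described system they would be produced by the driver register module (116).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

HIGH, MEDIUM, LOW = "high", "medium", "low"


@dataclass
class Event:
    category: str                  # PROCESS, REGISTRY, FILESYSTEM, NETWORK or TASKSCHEDULING
    action: str                    # e.g. open_process, create_key, create_file, connect, create_task
    target: str                    # process path, key path, file path, remote endpoint or task name
    details: Dict[str, str] = field(default_factory=dict)


def severity(ev: Event) -> str:
    """Assign the severity the text gives each kind of event (constructed table)."""
    t = ev.target.lower()
    if ev.category == "PROCESS":
        access = ev.details.get("access", "")
        if ev.action == "open_process" and "VM_WRITE" in access:
            return HIGH                                   # write handle on another process
        if ev.action == "create_process" and "\\temp\\" in t:
            return HIGH                                   # launched from the TEMP folder
        if ev.action == "terminate_process" and ev.details.get("critical") == "yes":
            return HIGH                                   # killed a critical process such as an AV engine
        if ev.action == "open_process" and "VM_READ" in access:
            return MEDIUM
        if ev.action == "create_process" and t.startswith("c:\\windows\\"):
            return MEDIUM                                 # started from a standard Windows path
        return LOW
    if ev.category == "REGISTRY":
        if ev.action == "create_key" and any(k in t for k in ("\\run", "\\runonce", "\\winlogon")):
            return HIGH                                   # autostart / logon persistence keys
        if ev.details.get("security_software") == "yes":
            return HIGH                                   # keys of AV engines or other security software
        return MEDIUM                                     # other key creation or non-critical change
    if ev.category == "FILESYSTEM":
        if ev.action == "create_file" and any(p in t for p in ("\\temp\\", "\\windows\\", "\\startup\\")):
            return HIGH
        if ev.action == "create_file" and not t.endswith((".exe", ".dll", ".sys")):
            return MEDIUM                                 # non-executable file created elsewhere
        return LOW
    if ev.category == "NETWORK":
        image = ev.details.get("image", "").lower()
        return LOW if "\\desktop\\" in image else MEDIUM  # all traffic suspicious except e.g. Desktop
    if ev.category == "TASKSCHEDULING":
        return HIGH                                       # all task scheduling activity is malicious
    return LOW


def classify(events: Iterable[Event]) -> str:
    """Steps (602)-(616): start from CLEAN, escalate on the first high severity event,
    and escalate to SUSPICIOUS once two medium severity events have been seen."""
    verdict, suspicious_seen = "CLEAN", 0
    for ev in events:
        sev = severity(ev)
        if sev == HIGH:
            return "MALICIOUS"                            # one high severity event decides immediately
        if sev == MEDIUM:
            suspicious_seen += 1
            if suspicious_seen >= 2:
                verdict = "SUSPICIOUS"
    return verdict


def build_report(events: List[Event]) -> dict:
    """[0055]: the file sample analysis report lists every recorded event with its severity."""
    return {
        "verdict": classify(events),
        "events": [{"category": e.category, "action": e.action, "target": e.target,
                    "severity": severity(e)} for e in events],
    }


# Constructed sample run: a medium filesystem event, a medium network event, then a Run key.
SAMPLE_EVENTS = [
    Event("FILESYSTEM", "create_file", r"C:\Users\lab\Documents\readme.txt"),
    Event("NETWORK", "connect", "198.51.100.7:443", {"image": r"C:\Users\lab\Downloads\sample.exe"}),
    Event("REGISTRY", "create_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
]

if __name__ == "__main__":
    print(build_report(SAMPLE_EVENTS))
```

Feeding `SAMPLE_EVENTS` one at a time shows the three verdicts in sequence: the first event alone leaves the sample CLEAN, the first two make it SUSPICIOUS, and the Run key turns it MALICIOUS regardless of what preceded it.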
[0088] FIG. 7 is a flowchart illustrating a method (700) for operation of the scanner module (126) during the detection and the on-demand disinfection of the computing machine (103), according to the embodiments disclosed herein. Upon completion of the analysis of the executable file sample (112), once the event classifier module (118) has marked the executable file sample (112) as malicious or suspicious, the file sample analysis report is generated, which contains records of all the events generated by the executable file sample (112). These events could be a mix of the process, the network, the filesystem, the registry, and the task scheduling events. The scanner module (126) is a Python module which ingests this file sample analysis report, and is configured to perform remote scanning of the systems over the remote internal network to detect the signs of the events as recorded in the file sample analysis report. The presence of any of these events recorded in the file sample analysis report is an indicator that the scanned system, the computing machine (103), or the remote machines have been infected. In most cases, if the infection does not involve ransomware, the scanner module (126) is configured to optionally disinfect the system by reversing the sequence of the events as seen in the file sample analysis report.
[0089] The method (700) starts at step (702) and ends at step (730). At step (702), the scanner module (126) is initiated. The method (700) further comprises opening the file sample analysis report related to the executable file sample (112), at step (704). The method (700) further comprises detecting whether any records are available in the file sample analysis report, at step (706). If it is determined that records are available in the file sample analysis report, then these records are extracted from the file sample analysis report, at step (708). The scanner module (126) then goes through each record in the file sample analysis report and performs a remote scan. At step (710), the event classifier module (118) is configured to detect if the event is the “PROCESS” event. The method (700) further comprises utilizing, by the scanner module (126), the Windows Management Instrumentation (WMI) protocol to enumerate processes on the scanned virtual machine, at step (712). The scanner module (126) then checks whether any characteristic described by the parsed record is seen in the enumerated processes. This could be a new process created, a process that was stopped, or a process against which injection techniques were used. If at step (714) it is detected that the event is not the process event but the “REGISTRY” event, then the scanner module (126) is configured to utilize the “Remote Registry DCOM service” to analyze the registry on the scanned VM to detect changes made to it, at step (716). At step (718), it is assessed whether the event is the “FILESYSTEM” event. If the event is the filesystem event, the method (700) further comprises using, by the scanner module (126), the Server Message Block (SMB) protocol to check the filesystem on the scanned VM to detect changes made to it due to the executable file sample (112), at step (720). At step (722), it is assessed whether the event is the “NETWORK” event.
If the event is the network event, the method (700) further comprises using, by the scanner module (126), the WMI protocol or a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port check to check the network state on the scanned VM to detect changes made to it due to the executable file sample (112), at step (724). At step (726), it is assessed whether the event is the “TASK SCHEDULE” event. If the event is the task schedule event, the method (700) further comprises using, by the scanner module (126), the Microsoft Remote Procedure Call (MSRPC) protocol to check the task schedule on the scanned VM to detect changes made to it due to the executable file sample (112), at step (728). If at step (706) it is determined that there are no records available in the file sample analysis report, the operation of the scanner module (126) ends at step (730).
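The record-by-record scan of [0088] and [0089], together with the reversal-based disinfection of [0063], [0064], [0079] and [0080], as an added illustration rather than the applicant's scanner module (126). The remote machine is an in-memory stand-in whose attributes play the part of what the text retrieves over WMI (processes), the Remote Registry service (registry), SMB (files), WMI or a TCP/UDP port check (listening ports) and MSRPC (scheduled tasks); the report records and both host states are constructed. It also shows the one asymmetry a reviewer would want made explicit: a "process terminated" record is evidenced by the process being absent, and such a record cannot be undone by the reversal step, so only creation-type events are reverted.

```python
"""Scanner module following [0060]-[0064], [0078]-[0080] and [0088]-[0089].

Added illustration, not the patent's own scanner module (126). The scanned
host is an in-memory stand-in for the WMI / Remote Registry / SMB / port check
/ MSRPC queries the text names; report records and host states are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class FakeRemoteHost:
    processes: Set[str] = field(default_factory=set)     # executable paths (WMI enumeration stand-in)
    registry: Dict[str, str] = field(default_factory=dict)  # key path -> value (Remote Registry stand-in)
    files: Set[str] = field(default_factory=set)         # file paths (SMB stand-in)
    listeners: Set[int] = field(default_factory=set)     # listening TCP/UDP ports (port check stand-in)
    tasks: Set[str] = field(default_factory=set)         # scheduled task paths (MSRPC stand-in)


def _process_seen(h: FakeRemoteHost, r: dict) -> bool:
    # a created process is a sign if it still runs; a terminated one (e.g. an AV engine) if it is gone
    present = r["target"] in h.processes
    return present if r["action"] != "terminate_process" else not present


CHECKS = {                                               # steps (710)-(728), one check per event kind
    "PROCESS": _process_seen,
    "REGISTRY": lambda h, r: r["target"] in h.registry,
    "FILESYSTEM": lambda h, r: r["target"] in h.files,
    "NETWORK": lambda h, r: r["port"] in h.listeners,
    "TASKSCHEDULING": lambda h, r: r["target"] in h.tasks,
}

UNDO = {                                                 # [0064]/[0080]: reversal of each event kind
    "PROCESS": lambda h, r: h.processes.discard(r["target"]),      # terminate the created process
    "REGISTRY": lambda h, r: h.registry.pop(r["target"], None),    # remove the newly added key
    "FILESYSTEM": lambda h, r: h.files.discard(r["target"]),       # delete the dropped file
    "NETWORK": lambda h, r: h.listeners.discard(r["port"]),        # shut down the started service
    "TASKSCHEDULING": lambda h, r: h.tasks.discard(r["target"]),   # remove the scheduled task
}
REVERSIBLE = {"create_process", "create_file", "create_key", "listen", "create_task"}


def scan(host: FakeRemoteHost, report: dict) -> List[dict]:
    """Steps (704)-(728): return the report records whose trace is found on the host."""
    return [r for r in report["events"]
            if r["category"] in CHECKS and CHECKS[r["category"]](host, r)]


def disinfect(host: FakeRemoteHost, report: dict, ransomware: bool = False) -> List[str]:
    """[0063]/[0079]: undo the findings in reverse event order; skipped for ransomware infections."""
    if ransomware:
        return []
    findings = scan(host, report)
    done = []
    for r in reversed(report["events"]):                  # last recorded event is reverted first
        if r in findings and r["action"] in REVERSIBLE:
            UNDO[r["category"]](host, r)
            done.append(f"{r['category']}:{r.get('target', r.get('port'))}")
    return done


# Constructed file sample analysis report: events in the order the driver recorded them.
SAMPLE_REPORT = {"verdict": "MALICIOUS", "events": [
    {"category": "PROCESS", "action": "create_process", "target": "C:\\Users\\lab\\AppData\\Local\\Temp\\upd.exe"},
    {"category": "FILESYSTEM", "action": "create_file", "target": "C:\\ProgramData\\svc\\upd.exe"},
    {"category": "REGISTRY", "action": "create_key", "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"category": "NETWORK", "action": "listen", "port": 4444},
    {"category": "TASKSCHEDULING", "action": "create_task", "target": "\\Microsoft\\Windows\\upd"},
]}


def infected_host() -> FakeRemoteHost:
    """Constructed host showing every trace from SAMPLE_REPORT next to ordinary system state."""
    return FakeRemoteHost(
        processes={"C:\\Windows\\explorer.exe", "C:\\Users\\lab\\AppData\\Local\\Temp\\upd.exe"},
        registry={"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd": "C:\\ProgramData\\svc\\upd.exe"},
        files={"C:\\Windows\\notepad.exe", "C:\\ProgramData\\svc\\upd.exe"},
        listeners={135, 445, 4444},
        tasks={"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\Microsoft\\Windows\\upd"},
    )


def clean_host() -> FakeRemoteHost:
    """Constructed host with only the ordinary system state."""
    return FakeRemoteHost(processes={"C:\\Windows\\explorer.exe"}, files={"C:\\Windows\\notepad.exe"},
                          listeners={135, 445}, tasks={"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"})
```

Running `scan(infected_host(), SAMPLE_REPORT)` returns all five records, `scan(clean_host(), SAMPLE_REPORT)` returns none, and `disinfect()` on the infected host reverts the task, the listener, the Run key, the dropped file and the process in that order, after which a second scan is empty while the unrelated system state is untouched.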
[0090] The system (100) of the present invention is configured to determine the nature of the analyzed file sample based on a proprietary classifier, using the multi-model approach. The system (100) of the present invention is configured to utilize the multi-model approach to make execution of the process of the detection and the on-spot treatment of the infections caused by the file sample significantly faster and easier. The system (100) of the present invention is configured to collect enough evidence with respect to the file sample to understand the malicious nature of the file sample under analysis. The system (100) of the present invention is configured to remotely scan machines for signs of infection and clean the machines if infected by the file sample. The system (100) of the present invention is configured to determine the malicious nature of the file sample, and instantly scan the machine infected by the file sample in order to fix the machine. The system (100) of the present invention is configured to perform dynamic analysis of the file.
[0091] Several modifications and additions are introduced to make the system (100) more tolerant to variance, such as changes in the attributes of the executable file sample and in the attributes related with each determined event in a deployed virtualized environment. Moreover, the entire pipeline of the system (100) comprises independent modules combined with each other in a manner such that each independent module works seamlessly to perform the detection and the on-spot treatment of the infections in the computing machine, using the multi-model approach, which has not been achieved by past virus detection and treatment systems or methods or malware detection and treatment based technologies.
[0092] Various modifications to these embodiments are apparent to those skilled in the art from the description. The principles associated with the various embodiments described herein may be applied to other embodiments. Therefore, the description is not intended to be limited to the embodiments but is to be accorded the broadest scope consistent with the principles and the novel and inventive features disclosed or suggested herein. Accordingly, the invention is intended to embrace all such alternatives, modifications, and variations that fall within the scope of the present invention and the appended claims.
Claims:CLAIMS
We Claim:
1. A system (100) for detection and on-demand disinfection of remote machines, the system (100) comprising:
a computing machine (103) configured to receive an executable file sample (112);
a server module (122) configured to extract the executable file sample (112) from the computing machine (103) and analyze the executable file sample (112); and
a VM controller script module (124) communicably coupled with the server module (122), wherein the VM controller script module (124) is configured for:
evaluating, through the server module (122), if the executable file sample (112) received has been analyzed before;
running a virtual machine (VM) module (102) to check status of the executable file sample (112);
activating a driver register module (116) to enable a file monitoring module (114) to monitor a series of events occurring on the VM module (102), due to running of the executable file sample (112);
generating, through a file sample analysis report module (120), a file sample analysis report based on the series of events;
upon generation of the file sample analysis report, classifying, through an event classifier module (118), the executable file sample (112) based on the series of events and the file sample analysis report, wherein if the executable file sample (112) is classified as malicious in nature, a scanner module (126) is activated to scan the computing machine (103) or the remote machines over a remote internal network based on the file sample analysis report, to detect signs of infection in the computing machine (103) or the remote machines due to the executable file sample (112), and further check on conditions related with the computing machine (103) or the remote machines, wherein the action of the further check on the conditions related with the computing machine (103) or the remote machines further comprises checking, by the scanner module (126), if the computing machine (103) or the remote machines have registry modifications or if the computing machine (103) or the remote machines have the executable file sample (112) in their respective file subsystems.

2. The system (100) as claimed in claim 1, wherein the monitored events comprise process, registry, filesystem, task scheduling, and network related activities.

3. The system (100) as claimed in claim 1, wherein the driver register module (116) is further configured to register a series of kernel callbacks to enable the file monitoring module (114) to monitor the process, the registry, the filesystem and network related activities.

4. The system (100) as claimed in claim 1, wherein the driver register module (116) is further configured to analyze the events to understand the nature of each of the events, nature of parameters passed to API calls, and nature of the event classifier module (118).

5. The system (100) as claimed in claim 1, wherein the driver register module (116) is further configured to keep a record of all the events from the executable file sample (112) in the file sample analysis report.

6. The system (100) as claimed in claim 1, wherein the VM controller script module (124) is further configured to upload the executable file sample (112) onto the virtual machine module (102).

7. The system (100) as claimed in claim 1, wherein the file sample analysis report module (120) is further configured to download the file sample analysis report, before the virtual machine module (102) is shut down by the VM controller script module (124), upon completion of analysis timeout.

8. The system (100) as claimed in claim 1, wherein the remote machines include, but are not restricted to, virtual machines, physical machines, remote network machines, or any other machine.

9. The system (100) as claimed in claim 1, wherein the scanner module (126) is further configured to ingest the file sample analysis report, and perform remote scanning of the remote machines on an internal network, to detect signs of the events recorded in the file sample analysis report.

10. The system (100) as claimed in claim 1, wherein the scanner module (126) is configured to optionally disinfect the remote machines by reversing the sequence of the events seen in the file sample analysis report, if the infections in the remote machines do not involve ransomware.

11. The system (100) as claimed in claim 10, wherein the reversing of the events comprises removing newly added registry keys, deleting dropped files, terminating processes created by the samples, shutting down network services started by the executable file sample (112), and removing scheduled tasks and associated file.

12. A method (400) for detection and on-demand disinfection of remote machines, the method (400) comprising:
receiving, through a computing machine (103), an executable file sample (112);
extracting, through a server module (122), the executable file sample (112) from the computing machine (103);
evaluating, through the server module (122), if the executable file sample (112) received has been analyzed before;
analyzing, through the server module (122), the executable file sample (112);
running, through a VM controller script module (124), a VM module (102) to check status of the executable file sample (112);
activating, through the VM controller script module (124), a driver register module (116) for enabling a file monitoring module (114) to monitor a series of events occurring on the VM module (102), due to running of the executable file sample (112);
generating, through a file sample analysis report module (120), a file sample analysis report based on the series of events; and
upon generation of the file sample analysis report, classifying, through an event classifier module (118), the executable file sample (112) based on the series of events and the file sample analysis report, wherein if the executable file sample (112) is classified as malicious in nature, a scanner module (126) is activated to scan the computing machine (103) or the remote machines over a remote internal network based on the file sample analysis report, to detect signs of infection in the computing machine (103) or the remote machines due to the executable file sample (112), and further check on conditions related with the computing machine (103) or the remote machines, wherein the action of the further check on the conditions related with the computing machine (103) or the remote machines further comprises checking, by the scanner module (126), if the computing machine (103) or the remote machines have registry modifications or if the computing machine (103) or the remote machines have the executable file sample (112) in their respective file subsystems.

13. The method (400) as claimed in claim 12, wherein the step of activating, through the VM controller script module (124), the driver register module (116) for enabling the file monitoring module (114) to monitor a series of events occurring on the VM module (102), due to the running of the executable file sample (112) comprises:
registering, through the driver register module (116), a series of kernel callbacks to enable the file monitoring module (114) to monitor the process, the registry, the filesystem and the network related activities.

14. The method (400) as claimed in claim 13, further comprising:
analyzing, through the driver register module (116), the events to understand nature of each of the events, nature of parameters passed to API calls, and nature of the event classifier module (118).

15. The method (400) as claimed in claim 12, further comprising:
storing, through the driver register module (116), a record of all the events from the executable file sample (112) in the file sample analysis report.

16. The method (400) as claimed in claim 12, wherein the step of activation of the scanner module (126) to scan the computing machine (103) or the remote machines based on the file sample analysis report comprises:
uploading, through the VM controller script module (124), the executable file sample (112) onto the VM module (102) for analysis; and
upon completion of analysis timeout, causing the virtual machine module (102) to shut down.

17. The method (400) as claimed in claim 12, wherein the step of scanning, through the scanner module (126), the computing machine (103) or the remote machines over the remote internal network to detect signs of infection in the computing machine (103) or the remote machines due to the executable file sample (112) comprises:
ingesting, through the scanner module (126), the file sample analysis report; and
performing, through the scanner module (126), remote scanning of the computing machine (103) or the remote machines over the remote internal network, to detect signs of the events recorded in the file sample analysis report.

18. The method (400) as claimed in claim 17, further comprising:
optionally disinfecting, through the scanner module (126), the remote machines by reversing the sequence of the events seen in the file sample analysis report, if the infections in the remote machines do not involve ransomware.

19. The method (400) as claimed in claim 18, wherein the step of reversing sequence of the events further comprises:
performing, through the scanner module (126), removal of newly added registry keys, deleting dropped files, termination of processes created by the samples, shutting down of network services started by the executable file sample (112); and
performing, through the scanner module (126), removal of scheduled tasks and associated file.

20. The method (400) as claimed in claim 13, wherein the action of further check on conditions related with the computing machine (103) or the remote machines comprises:
checking, by the scanner module (126), if the computing machine (103) or the remote machines have registry modifications or if the computing machine (103) or the remote machines have the executable file sample (112) in their respective file subsystems.

21. The method (400) as claimed in claim 13, wherein the action of generating, through the file sample analysis report module (120), the file sample analysis report based on the series of events further comprises:
downloading, through the file sample analysis report module (120), the file sample analysis report, before the virtual machine module (102) is shut down by the VM controller script module (124), upon completion of analysis timeout.
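Claims 9 to 11 and 17 to 21 describe the scanner side of the pipeline: ingest the file sample analysis report, look on the computing machine or the remote machines for the artefacts each recorded event leaves behind (registry modifications, the dropped sample in the filesystem, and so on), and optionally disinfect by reversing the event sequence unless ransomware is involved. The following Python script is an added illustration of that flow and is not the applicant's code. The report layout (a list of typed events), the host snapshot (plain sets standing in for what a remote agent would collect), and every name in it are assumptions made for this example. It goes slightly beyond the claims in one respect, stated in the code: process terminations are moved to the front of the reversal plan, because on Windows a running image keeps its file open and a strictly reversed order would fail to delete the dropped executable.

```python
"""Added example (not the applicant's code): ingest a sandbox event report,
scan a host snapshot for the artefacts those events leave behind, and build
a disinfection plan that reverses them. The report layout, the snapshot
shape and every name here are assumptions made for this illustration."""
import copy

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED = r"C:\Users\Public\updater.exe"

# Constructed report, events in the order the sandbox recorded them.
SAMPLE_REPORT = {
    "ransomware": False,  # classifier verdict; gates optional disinfection
    "events": [
        {"type": "process", "action": "create", "image": DROPPED},
        {"type": "filesystem", "action": "write", "path": DROPPED},
        {"type": "registry", "action": "set", "key": RUN_KEY, "value": "Updater"},
        {"type": "task", "action": "create", "name": "UpdaterTask",
         "path": r"C:\Windows\Tasks\UpdaterTask.job"},
        {"type": "network", "action": "listen", "port": 4444},
    ],
}

# Constructed snapshot of one infected remote host, mixed with benign state.
# A real scanner would collect this through a remote agent.
INFECTED_HOST = {
    "processes": {4120: DROPPED, 712: r"C:\Windows\explorer.exe"},
    "files": {DROPPED, r"C:\Windows\Tasks\UpdaterTask.job", r"C:\Windows\notepad.exe"},
    "registry": {(RUN_KEY, "Updater"), (RUN_KEY, "OneDrive")},
    "tasks": {"UpdaterTask", "Backup"},
    "listening": {4444, 135},
}

# (type, action) -> (artefact still present on host?, action that undoes it)
HANDLERS = {
    ("process", "create"): (
        lambda e, h: e["image"] in h["processes"].values(),
        lambda e: ("terminate_process", e["image"])),
    ("filesystem", "write"): (
        lambda e, h: e["path"] in h["files"],
        lambda e: ("delete_file", e["path"])),
    ("registry", "set"): (
        lambda e, h: (e["key"], e["value"]) in h["registry"],
        lambda e: ("delete_registry_value", e["key"], e["value"])),
    ("task", "create"): (  # the scheduled task and its associated file
        lambda e, h: e["name"] in h["tasks"],
        lambda e: ("delete_task", e["name"], e["path"])),
    ("network", "listen"): (
        lambda e, h: e["port"] in h["listening"],
        lambda e: ("stop_listener", e["port"])),
}


def scan_host(report: dict, host: dict) -> list:
    """Signs of infection: recorded events whose artefact is on the host."""
    return [e for e in report["events"]
            if (e["type"], e["action"]) in HANDLERS
            and HANDLERS[(e["type"], e["action"])][0](e, host)]


def build_reversal_plan(report: dict) -> list:
    """Undo the recorded events in reverse order. Refuse if ransomware is
    involved (deleting the dropper can destroy the only recovery path).
    Process terminations are hoisted first: a running image keeps its file
    open on Windows, so a strict reverse order would fail to delete it."""
    if report.get("ransomware"):
        return []
    plan = [HANDLERS[(e["type"], e["action"])][1](e)
            for e in reversed(report["events"])
            if (e["type"], e["action"]) in HANDLERS]
    kills = [a for a in plan if a[0] == "terminate_process"]
    return kills + [a for a in plan if a[0] != "terminate_process"]


def disinfect(host: dict, plan: list) -> dict:
    """Apply the plan to a copy of the snapshot; benign state is untouched."""
    h = copy.deepcopy(host)
    for kind, *args in plan:
        if kind == "terminate_process":
            h["processes"] = {p: i for p, i in h["processes"].items() if i != args[0]}
        elif kind == "delete_file":
            h["files"].discard(args[0])
        elif kind == "delete_registry_value":
            h["registry"].discard(tuple(args))
        elif kind == "delete_task":
            h["tasks"].discard(args[0])
            h["files"].discard(args[1])
        elif kind == "stop_listener":
            h["listening"].discard(args[0])
    return h


if __name__ == "__main__":
    print("findings before:", len(scan_host(SAMPLE_REPORT, INFECTED_HOST)))
    plan = build_reversal_plan(SAMPLE_REPORT)
    print("plan:", [a[0] for a in plan])
    clean = disinfect(INFECTED_HOST, plan)
    print("findings after:", len(scan_host(SAMPLE_REPORT, clean)))
```

Two design points matter in practice. Matching processes by image path rather than by the PID seen in the sandbox is deliberate: PIDs do not carry across machines, whereas the path (or, better, an image hash) does. And the ransomware gate is a conservative default rather than a classifier detail: when files may already be encrypted, the dropper and its keys are evidence and possibly the only route to recovery, so the scanner should report and stop instead of reversing anything.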

Documents

Application Documents

# Name Date
1 202331050707-STATEMENT OF UNDERTAKING (FORM 3) [27-07-2023(online)].pdf 2023-07-27
2 202331050707-FORM FOR SMALL ENTITY(FORM-28) [27-07-2023(online)].pdf 2023-07-27
3 202331050707-FORM FOR SMALL ENTITY [27-07-2023(online)].pdf 2023-07-27
4 202331050707-FORM 1 [27-07-2023(online)].pdf 2023-07-27
5 202331050707-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [27-07-2023(online)].pdf 2023-07-27
6 202331050707-EVIDENCE FOR REGISTRATION UNDER SSI [27-07-2023(online)].pdf 2023-07-27
7 202331050707-DRAWINGS [27-07-2023(online)].pdf 2023-07-27
8 202331050707-DECLARATION OF INVENTORSHIP (FORM 5) [27-07-2023(online)].pdf 2023-07-27
9 202331050707-COMPLETE SPECIFICATION [27-07-2023(online)].pdf 2023-07-27
10 202331050707-FORM-26 [27-10-2023(online)].pdf 2023-10-27
11 202331050707-Proof of Right [21-11-2023(online)].pdf 2023-11-21
12 202331050707-Form 1 (Submitted on date of filing) [15-01-2024(online)].pdf 2024-01-15
13 202331050707-Covering Letter [15-01-2024(online)].pdf 2024-01-15