OPPORTUNISTIC HARDENING OF FILES TO REMEDIATE SECURITY THREATS POSED BY MALICIOUS APPLICATIONS

Information

  • Patent Application
  • 20230297687
  • Publication Number
    20230297687
  • Date Filed
    March 21, 2022
  • Date Published
    September 21, 2023
Abstract
A method for assigning permissions to files in a malware detection system is provided. The method generally includes assigning a first subset of permissions to a first file classified as an unknown file, opening the first file in accordance with the first subset of permissions, determining a first verdict for the first file, the first verdict indicating the first file is benign, assigning a second subset of permissions to the first file based on determining the first verdict indicating the first file is benign, and executing the first file in accordance with the second subset of permissions.
Description
Claims
  • 1. A method for assigning permissions to files in a malware detection system comprising: assigning a first subset of permissions to a first file classified as an unknown file; opening the first file in accordance with the first subset of permissions; determining a first verdict for the first file, the first verdict indicating the first file is benign; assigning a second subset of permissions to the first file based on determining the first verdict indicating the first file is benign; and executing the first file in accordance with the second subset of permissions.
  • 2. The method of claim 1, wherein the first subset of permissions assigned to the first file comprises a minimum set of permissions to open the first file.
  • 3. The method of claim 1, further comprising: determining a second verdict for the first file based on static analysis of the first file, wherein the first subset of permissions is based, at least in part, on the second verdict; and wherein the first verdict is determined based on dynamic analysis of the first file.
  • 4. The method of claim 1, wherein at least one of the first subset of permissions or the second subset of permissions comprises permissions indicating an authorization given to the first file to at least one of: access central processing unit (CPU), access memory, access storage, or engage in lateral movement through the malware detection system.
  • 5. The method of claim 1, wherein the first subset of permissions comprises fewer permissions than the second subset of permissions.
  • 6. The method of claim 1, further comprising: determining a score for the first file, the score indicating: a confidence level of the first verdict for the first file, or a threat level of the first file, wherein the second subset of permissions is based on the score.
  • 7. The method of claim 1, further comprising: assigning a third subset of permissions to a second file classified as an unknown file; capturing a snapshot of a machine prior to opening, at the machine, the second file; opening, at the machine, the second file in accordance with the third subset of permissions; determining a second verdict for the second file, the second verdict indicating the second file is malicious, wherein during a time between opening the second file and determining the second verdict, the second file carried out one or more malicious activities; and restoring the machine to a point in time prior to the second file carrying out the one or more malicious activities using the snapshot.
  • 8. A system comprising: one or more processors; and at least one memory, the one or more processors and the at least one memory configured to cause the system to: assign a first subset of permissions to a first file classified as an unknown file; open the first file in accordance with the first subset of permissions; determine a first verdict for the first file, the first verdict indicating the first file is benign; assign a second subset of permissions to the first file based on determining the first verdict indicating the first file is benign; and execute the first file in accordance with the second subset of permissions.
  • 9. The system of claim 8, wherein the first subset of permissions assigned to the first file comprises a minimum set of permissions to open the first file.
  • 10. The system of claim 8, wherein the one or more processors and the at least one memory are further configured to cause the system to: determine a second verdict for the first file based on static analysis of the first file, wherein the first subset of permissions is based, at least in part, on the second verdict; and wherein the first verdict is determined based on dynamic analysis of the first file.
  • 11. The system of claim 8, wherein at least one of the first subset of permissions or the second subset of permissions comprises permissions indicating an authorization given to the first file to at least one of: access central processing unit (CPU), access memory, access storage, or engage in lateral movement.
  • 12. The system of claim 8, wherein the first subset of permissions comprises fewer permissions than the second subset of permissions.
  • 13. The system of claim 8, wherein the one or more processors and the at least one memory are further configured to cause the system to: determine a score for the first file, the score indicating: a confidence level of the first verdict for the first file, or a threat level of the first file, wherein the second subset of permissions is based on the score.
  • 14. The system of claim 8, wherein the one or more processors and the at least one memory are further configured to cause the system to: assign a third subset of permissions to a second file classified as an unknown file; capture a snapshot of a machine prior to opening, at the machine, the second file; open, at the machine, the second file in accordance with the third subset of permissions; determine a second verdict for the second file, the second verdict indicating the second file is malicious, wherein during a time between opening the second file and determining the second verdict, the second file carried out one or more malicious activities; and restore the machine to a point in time prior to the second file carrying out the one or more malicious activities using the snapshot.
  • 15. A non-transitory computer-readable medium comprising instructions that, when executed by one or more processors of a computing system, cause the computing system to perform operations for assigning permissions to files in a malware detection system, the operations comprising: assigning a first subset of permissions to a first file classified as an unknown file; opening the first file in accordance with the first subset of permissions; determining a first verdict for the first file, the first verdict indicating the first file is benign; assigning a second subset of permissions to the first file based on determining the first verdict indicating the first file is benign; and executing the first file in accordance with the second subset of permissions.
  • 16. The non-transitory computer-readable medium of claim 15, wherein the first subset of permissions assigned to the first file comprises a minimum set of permissions to open the first file.
  • 17. The non-transitory computer-readable medium of claim 15, wherein the operations further comprise: determining a second verdict for the first file based on static analysis of the first file, wherein the first subset of permissions is based, at least in part, on the second verdict; and wherein the first verdict is determined based on dynamic analysis of the first file.
  • 18. The non-transitory computer-readable medium of claim 15, wherein at least one of the first subset of permissions or the second subset of permissions comprises permissions indicating an authorization given to the first file to at least one of: access central processing unit (CPU), access memory, access storage, or engage in lateral movement through the malware detection system.
  • 19. The non-transitory computer-readable medium of claim 15, wherein the first subset of permissions comprises fewer permissions than the second subset of permissions.
  • 20. The non-transitory computer-readable medium of claim 15, wherein the operations further comprise: determining a score for the first file, the score indicating: a confidence level of the first verdict for the first file, or a threat level of the first file, wherein the second subset of permissions is based on the score.
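The claims describe a permission workflow rather than an implementation: an unknown file first gets only the permissions needed to open it (claims 1 to 3), a dynamic verdict is produced, a benign file is then widened according to a confidence or threat score (claim 6), and a malicious file is undone by restoring a snapshot taken before it was opened (claim 7). The following Python module is an added illustration of that state machine and is not code from the patent or its applicant. Everything in it is constructed: the permission names follow claim 4, but the file kinds, the open-minimum table, the score thresholds, the toy "machine" whose storage is a dict, and the two stand-in analyzers that play the role of the sandbox are all assumptions.

```python
"""Toy model of the claimed permission workflow (added example, not the patent's code)."""
from copy import deepcopy
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Callable, Dict, List, Optional, Tuple


class Perm(Flag):
    """Authorizations listed in claim 4."""
    CPU = auto()
    MEMORY = auto()
    STORAGE = auto()
    LATERAL = auto()  # lateral movement through the monitored environment


NO_PERMS = Perm(0)
ALL_PERMS = Perm.CPU | Perm.MEMORY | Perm.STORAGE | Perm.LATERAL

# Minimum permissions merely to open a file of a given kind (claim 2).
# The kinds and their minima are constructed assumptions.
OPEN_MINIMUM: Dict[str, Perm] = {
    "document": Perm.CPU | Perm.MEMORY,
    "executable": Perm.CPU | Perm.MEMORY | Perm.STORAGE,
}


@dataclass
class Verdict:
    malicious: bool
    score: float  # confidence in the verdict, 0.0 to 1.0 (claim 6)


@dataclass
class Machine:
    """Toy host: storage is a dict and a snapshot is a deep copy of it (claim 7)."""
    storage: Dict[str, str]
    snapshot: Optional[Dict[str, str]] = None
    grants: Dict[str, Perm] = field(default_factory=dict)   # current grant per file
    denied: List[Tuple[str, str]] = field(default_factory=list)  # (actor, key) refused

    def take_snapshot(self) -> None:
        self.snapshot = deepcopy(self.storage)

    def restore(self) -> None:
        if self.snapshot is None:
            raise RuntimeError("no snapshot to restore")
        self.storage = deepcopy(self.snapshot)

    def write(self, actor: str, key: str, value: str) -> bool:
        """Storage access is mediated by the actor's current grant."""
        if Perm.STORAGE not in self.grants.get(actor, NO_PERMS):
            self.denied.append((actor, key))
            return False
        self.storage[key] = value
        return True


def first_subset(kind: str, static_suspicious: bool) -> Perm:
    """Claim 3: start from the open-minimum and drop storage access when
    static analysis already looks suspicious."""
    perms = OPEN_MINIMUM.get(kind, Perm.CPU | Perm.MEMORY)
    if static_suspicious:
        perms &= ~Perm.STORAGE
    return perms


def second_subset(score: float) -> Perm:
    """Claim 6: widen permissions with confidence that the file is benign.
    The thresholds are constructed."""
    if score >= 0.9:
        return ALL_PERMS
    if score >= 0.6:
        return ALL_PERMS & ~Perm.LATERAL
    return ALL_PERMS & ~(Perm.LATERAL | Perm.STORAGE)


Analyzer = Callable[[Machine, str], Verdict]


def process_unknown_file(machine: Machine, name: str, kind: str,
                         static_suspicious: bool, analyze: Analyzer) -> Tuple[Perm, bool]:
    """Walk one unknown file through the claimed workflow.
    Returns (final permission subset, whether the machine was rolled back)."""
    machine.grants[name] = first_subset(kind, static_suspicious)  # claim 1: first subset
    machine.take_snapshot()                                        # claim 7: before opening
    verdict = analyze(machine, name)                               # open under the restricted grant
    if verdict.malicious:
        machine.restore()                                          # claim 7: undo its activity
        machine.grants[name] = NO_PERMS
        return NO_PERMS, True
    machine.grants[name] = second_subset(verdict.score)            # claim 1: second subset
    return machine.grants[name], False


# Constructed stand-ins for the dynamic sandbox: each "opens" a file by acting on the machine.
def benign_report(machine: Machine, name: str) -> Verdict:
    machine.write(name, "report.txt", "quarterly numbers")  # refused for a document: no STORAGE yet
    return Verdict(malicious=False, score=0.95)


def tampering_binary(machine: Machine, name: str) -> Verdict:
    machine.write(name, "config.ini", "tampered")  # the attempt itself is the malicious activity
    return Verdict(malicious=True, score=0.99)


def demo():
    m = Machine(storage={"config.ini": "trusted"})
    r1 = process_unknown_file(m, "report.docx", "document", False, benign_report)
    r2 = process_unknown_file(m, "setup.exe", "executable", False, tampering_binary)
    r3 = process_unknown_file(m, "setup2.exe", "executable", True, tampering_binary)
    return r1, r2, r3, m


if __name__ == "__main__":
    print(demo())
```

In the run, the document is opened with only CPU and memory, its write is refused during analysis and then widened to the full set once the benign verdict arrives; the first executable does change `config.ini` under its open-minimum grant, and the snapshot restore puts the original value back; the second executable, already suspicious after static analysis, never gets storage access, so its write is refused before any rollback is needed. The point a practitioner should take from the model is that the snapshot and the restricted first grant cover different failure modes: the grant limits what the file can do before a verdict exists, the snapshot undoes whatever the grant still allowed.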