New US Patent Granted as Kaspersky Lab Accelerates Emulation of Suspicious Programs
16 Mar 2012
A faster way to emulate suspicious programs safely has earned another US Patent for Kaspersky Lab, a leading developer of secure content and threat management solutions. Patent № 8122509 covers a “Method to accelerate a hardware emulator used for malware detection and analysis”. Emulation is one of the most crucial technologies for an anti-malware product. It is used to record and analyze the actions of a potentially suspicious program without actually running it - and therefore with no consequences to the real system or the user’s data. The patented method speeds up the emulation, making program analysis more efficient. The technology was developed by Kaspersky Lab’s expert Sergey Belov.
Emulation usually has to run within a fixed budget, which restricts how it can be used on a user’s PC. Emulators typically face limits on the number of instructions emulated, the time allotted for the emulation, and so on. Malware creators are aware of this and use various tricks to try to avoid detection. Padding their code with “junk” instructions before the “active” malicious instructions is a typical tactic for avoiding detection by emulators. Moreover, the traditional emulation process is too slow to analyze every instruction in every suspicious file without a serious and potentially annoying time lag.
Kaspersky Lab’s patented technology increases performance by introducing a new emulation accelerator, which executes certain instructions of a program on a real CPU (and not in the emulation layer). Certain precautions are taken to prevent malicious instructions from damaging the real system. This method allows all “junk” instructions to be executed quickly, but the accelerator stops as soon as any exception, time limit, or instruction count limit is reached. As a result, all suspicious programs containing “junk” instructions are emulated with greater speed, with no harm to the real system and user data.
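The following toy model, added here as an illustration and not code from Kaspersky Lab or the patent, shows the effect the release describes: a budgeted emulator that never reaches the interesting instruction behind a run of junk, versus one that hands runs of “safe” register instructions to a fast path (standing in for execution on the real CPU) bounded by an instruction-count limit and stopped by the first fault. The instruction set, cost ratio and sample program are all constructed assumptions.

```python
# Toy model of budgeted emulation with and without an accelerator (constructed
# example). "Safe" register ops may run on a fast path standing in for native
# execution; side-effecting ops ("api") and any fault return to the slow emulator.
SAFE_OPS = {"mov", "add", "div"}
EMU_COST, FAST_COST = 1.0, 0.01  # constructed relative cost per instruction

def _exec(ins, regs):
    # Apply one safe op; return True on a fault (here: "div" by zero).
    op, reg, val = ins
    cur = regs.get(reg, 0)
    try:
        regs[reg] = val if op == "mov" else cur + val if op == "add" else cur // val
    except ZeroDivisionError:
        return True
    return False

def run_fast_path(program, pc, regs, max_count):
    # Run consecutive safe ops until an unsafe op, a fault, or max_count is hit.
    count = 0
    while pc < len(program) and program[pc][0] in SAFE_OPS and count < max_count:
        if _exec(program[pc], regs):
            return pc, count, True
        pc, count = pc + 1, count + 1
    return pc, count, False

def emulate(program, budget, accelerate=False):
    regs, spent, pc = {}, 0.0, 0
    trace = {"api_calls": [], "fault": None, "executed": 0}
    while pc < len(program) and spent < budget:
        if accelerate and program[pc][0] in SAFE_OPS:
            limit = int((budget - spent) / FAST_COST)  # instruction-count limit
            pc, n, faulted = run_fast_path(program, pc, regs, limit)
            spent, trace["executed"] = spent + n * FAST_COST, trace["executed"] + n
            if faulted or n == 0:  # stop on an exception, or no room left under the limit
                trace["fault"] = pc if faulted else None
                break
            continue
        ins = program[pc]
        spent, trace["executed"] = spent + EMU_COST, trace["executed"] + 1
        if ins[0] == "api":
            trace["api_calls"].append(ins[1])  # the behaviour worth detecting
        elif _exec(ins, regs):
            trace["fault"] = pc
            break
        pc += 1
    trace["budget_exhausted"] = trace["fault"] is None and pc < len(program)
    return trace

# Constructed sample: 5,000 junk instructions padding one interesting call.
JUNK_PADDED = [("add", "r0", 1)] * 5000 + [("api", "write_file")]
```

With a budget of 200 units, `emulate(JUNK_PADDED, 200)` runs out after 200 junk instructions and records no API call, while `emulate(JUNK_PADDED, 200, accelerate=True)` reaches and records `write_file`; a divide-by-zero stops either mode at the faulting instruction.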
Commenting on the research, Oleg Ishanov, Director of Anti-Malware Research at Kaspersky Lab, said: “Technological breakthroughs like this particular one are what allows Kaspersky Lab to provide clearly visible performance improvement in our corporate and consumer products. Moreover, the emulation accelerator also improves the detection of complex malware, making this security technology more efficient and enhancing overall protection”.
At present Kaspersky Lab has been granted 44 patents covering its advanced technologies in the US. Another 47 patent applications are currently being examined by the US patent office. The total number of patents granted to Kaspersky Lab worldwide has reached 96.