US-12625959-B2 - Instructions to process files in virtual machines

Abstract

An example storage medium includes instructions that, when executed, cause a processor of a computing device to encrypt a source file that has been identified as potentially malicious, place the encrypted file in a location accessible to a virtual machine, provide, to the virtual machine, information for decrypting the encrypted file, and cause the virtual machine to use the information to process the encrypted file.

Inventors

  • James Edwin Garnett Wright
  • Ratnesh Kumar Pandey
  • David Jonathan Mansergh

Assignees

  • HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.

Dates

Publication Date
2026-05-12
Application Date
2021-03-11

Claims (18)

  1. A non-transitory computer-readable storage medium storing thereon instructions that, when executed, cause a processor of a computing device to: determine, via a detection engine, that a source file is potentially malicious; quarantine the source file in response to determining that the source file is potentially malicious, wherein, to quarantine the source file, the instructions cause the processor to: encrypt the source file that has been identified as potentially malicious; and place the encrypted file in a location accessible to a virtual machine; provide, to the virtual machine, information for decrypting the encrypted file; and cause the virtual machine to use the information to process the encrypted file.
  2. The non-transitory computer readable storage medium of claim 1, wherein the instructions, when executed, further cause the processor to: generate access control information of the encrypted file based on access control information of the source file.
  3. The non-transitory computer readable storage medium of claim 1, wherein the instructions, when executed, further cause the processor to: allow a request to unquarantine the source file in response to a determination that the request has an administrator privilege; wherein the instructions to place, provide and cause are executed in response to a request independently of whether the request has the administrator privilege.
  4. The non-transitory computer readable storage medium of claim 1, wherein the instructions, when executed, further cause the processor to quarantine the source file in place by setting a flag in metadata associated with the source file to indicate that the file is potentially malicious, wherein a filter-driver is to, in response to a determination that the flag is set, block an attempt to process the source file.
  5. The non-transitory computer readable storage medium of claim 4, wherein the instructions, when executed, further cause the processor to quarantine the source file in place in response to a determination that a first quarantine operation has failed, wherein the first quarantine operation is to make an encrypted copy of the source file in a quarantine folder and delete the source file.
  6. A non-transitory computer readable storage medium comprising instructions that when executed cause a processor of a computing device to: initialize a virtual machine; receive, in the virtual machine, an encrypted version of a file, wherein the file was determined to be malicious by a detection engine; receive, in the virtual machine, decryption information to decrypt the encrypted version of the file; obtain a copy of the file in the virtual machine by using the decryption information to decrypt, in the virtual machine, the encrypted version of the file; and process, in the virtual machine, the copy of the file.
  7. The non-transitory computer readable storage medium of claim 6, wherein the instructions, when executed, further cause the processor to: in response to receiving an indication that the file is detected as potentially malicious, set metadata to indicate that the file is potentially malicious, the metadata to cause a filter driver to block processing of the file.
  8. The non-transitory computer readable storage medium of claim 7, wherein the instructions, when executed, further cause the processor to: in response to a determination that a quarantine operation on the file has failed, set the metadata to indicate that the file is potentially malicious, wherein the quarantine operation is to include creation of an encrypted version of the file and deletion of the file.
  9. The non-transitory computer readable storage medium of claim 6, wherein the instructions, when executed, cause the processor to quarantine the file by causing the processor to: create a first encrypted version of the file, and delete the file; and wherein the instructions cause the encrypted version of the file to be received in the virtual machine by causing the processor to: create a temporary file by copying the first encrypted version of the file, and create a link to the temporary file in a location accessible to the virtual machine.
  10. The non-transitory computer readable storage medium of claim 6, wherein the instructions, when executed, further cause the processor to set an access control list of the encrypted version of the file, wherein the access control list is based on an access control list of the file.
  11. A non-transitory computer-readable storage medium storing thereon instructions that, when executed, cause a processor of a computing device to: obtain an indication, from a detection engine, that a first file is a file that has been determined to be malicious; hinder processing of the first file in response to the indication; initiate a virtual machine; provide the first file to the virtual machine in a state that hinders processing of the first file by a host operating system of the device; allow the virtual machine to process the first file; and process, in the virtual machine, the first file.
  12. The non-transitory computer readable storage medium of claim 11, wherein the instructions, when executed, further cause the processor to: set a metadata flag associated with the first file to indicate that the first file has been determined to be malicious; and in response to an attempt by a process executing on the processor to process the first file, check the metadata flag associated with the first file and, unless an exception has been granted to the process executing on the processor, block processing of the first file by the process executing on the processor when the metadata flag indicates that the first file has been determined to be malicious, and wherein the instructions to cause the processor to allow the virtual machine to process the first file include instructions to cause the processor to grant the exception to a process associated with the virtual machine.
  13. The non-transitory computer readable storage medium of claim 12, wherein the instructions to cause the processor to provide the first file to the virtual machine cause the processor to generate an encrypted copy of the first file in a location accessible to the virtual machine.
  14. The non-transitory computer readable storage medium of claim 11, wherein the instructions to hinder processing of the first file include instructions to create a quarantine file and delete the first file, wherein the quarantine file is an encrypted copy of the first file, and wherein the instructions to cause the processor to provide the first file to the virtual machine cause the processor to place a copy of the quarantine file in a location accessible by the virtual machine, and the instructions to cause the processor to allow the virtual machine to process the first file cause the processor to provide the virtual machine with information usable to decrypt the quarantine file.
  15. The non-transitory computer readable storage medium of claim 11, wherein the instructions, when executed, are further to cause the processor to: determine whether an attempt to process the first file is initiated by input via a keyboard, mouse or touchscreen and, in response to a determination that the attempt to process the first file is initiated by input via a keyboard, mouse or touchscreen, cause the processor to carry out the provide, allow and process operations.
  16. The non-transitory computer-readable storage medium of claim 1, wherein the detection engine comprises anti-malware or antivirus code.
  17. The non-transitory computer-readable storage medium of claim 6, wherein to process, in the virtual machine, the copy of the file comprises opening, viewing, and executing the copy of the file in the virtual machine.
  18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions, when executed, cause the processor to: provide a user interface for the computing device; and allow a user to interact with the copy of the file via the user interface.

Description

BACKGROUND

Malicious files can damage, disrupt or gain unauthorized access to a computer system. Examples of malicious files include computer viruses, worms, Trojan horses, spyware, adware, ransomware, etc. Anti-malware software, such as anti-virus software, may detect malicious files.

BRIEF DESCRIPTION OF THE DRAWINGS

Examples are further described hereinafter with reference to the accompanying drawings, in which:

FIG. 1 is an example schematic representation of a computer-readable storage medium storing instructions to cause a processor to process a potentially malicious file.
FIG. 2 is an example schematic representation of another computer-readable storage medium storing instructions to cause a processor to decrypt and process an encrypted version of a potentially malicious file.
FIG. 3 is an example schematic representation of a computer-readable storage medium storing instructions to cause a processor to process a potentially malicious file that is provided to the virtual machine (VM) in a state that hinders processing.
FIG. 4 illustrates an example workflow for handling a potentially malicious file.
FIG. 5a illustrates another example workflow for handling a potentially malicious file.
FIG. 5b illustrates an example workflow for handling a potentially malicious file that may be used instead of, or in conjunction with, the workflow of FIG. 5a.

DETAILED DESCRIPTION

Anti-malware or anti-virus code may detect potentially malicious files using various methods. For example, files may be checked for signatures of known malware. In other examples, potentially malicious behavior may be detected. In some examples heuristic analysis may be used to analyze the structure, etc. of the file to assess whether the file is potentially malicious.

A malicious file will not have any negative effect on a computer system until the file is processed (e.g. control is transferred to the file). Examples of processing a file include opening, executing or interpreting the file. Executing may include, for example, executing an executable file, a dynamic-link library (DLL) file, or a plug-in. Interpreting a file may include parsing, interpreting, or rendering an image, a web page, a document file, a spreadsheet file, etc. Allowing the malicious file to remain on the computer system in a state that permits processing of the file risks such processing occurring, e.g. by a user unintentionally or unwittingly attempting to access the file, or by an automated process (such as thumbnail generation). To prevent or hinder this, the file may be quarantined.

As used herein, quarantining a file refers to placing the file in a state that prevents or hinders processing of the file, e.g. such that the file cannot be accessed directly. An example of a quarantine process includes copying an encrypted version of the file to a quarantine location and deleting the original file. The process may also include storing information about the original file in a quarantine database. The stored information may include one or more of the original location of the file, file access permissions associated with the original file, original file size, original file name, original file path, untrusted file metadata, etc.

Herein, encrypting a file may refer to the use of cryptographically secure encryption or encryption that is not cryptographically secure. Encryption may include symmetric or asymmetric encryption using an encryption key. Encryption may include scrambling bits of the file. In some examples of encryption, a bitwise XOR may be performed between the bits of the file and an encryption bit string. An attempt to process the encrypted file will fail, because any instructions in the original file (including malicious instructions) are obfuscated by the encryption process. Thus, the risk of unintentionally processing the file is reduced while the file is stored in an encrypted state. In some examples the encrypted file may have an unencrypted header.
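As an added illustration, not the patent's or HP's code, the following Python sketches the quarantine container this description outlines: an unencrypted header that identifies the encryption material and gives the starting offset of the encrypted data, a payload scrambled with a repeating-key bitwise XOR (the description's own example of encryption that need not be cryptographically secure), a quarantine record holding the original path, size and a hash of the plaintext, and the VM-side restore step that applies the decryption information supplied by the host and checks the result against the record before anything processes it. The header layout, the QRNT marker, the field names and the sample bytes are assumptions made for this example. It also carries the caveat a practitioner should keep in mind: recover_xor_key shows that repeating-key XOR is undone by anyone who knows as many leading plaintext bytes as the key is long (for a Windows executable the first bytes are predictable), so such scrambling only guards against accidental processing and must not be mistaken for confidentiality of the quarantined content.

```python
"""Added example (not the patent's or HP's code): a quarantine container with an
unencrypted header, an XOR-scrambled payload and a quarantine record, plus the
VM-side restore step. Header layout, field names and the QRNT marker are assumptions."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Tuple

MAGIC = b"QRNT"                 # assumed marker: "this file is a quarantine container"
HEADER_FMT = ">4sBB16sI"        # magic, format version, algorithm id, 16-byte key id, data offset
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 26 bytes
ALG_XOR = 1                     # repeating-key XOR, the "scrambling" the description mentions


def xor_scramble(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: applying it twice with the same key restores the data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class QuarantineRecord:
    """What the host keeps in its quarantine database about the original file."""
    original_path: str
    original_size: int
    key_id: str      # hex of the 16-byte key identifier written in the header
    sha256: str      # digest of the plaintext, checked by the VM after decryption


def quarantine(plaintext: bytes, original_path: str, key: bytes,
               key_id: bytes) -> Tuple[bytes, QuarantineRecord]:
    """Host side: build the encrypted copy that goes to the quarantine folder."""
    if len(key_id) != 16:
        raise ValueError("key_id must be 16 bytes")
    header = struct.pack(HEADER_FMT, MAGIC, 1, ALG_XOR, key_id, HEADER_LEN)
    record = QuarantineRecord(original_path, len(plaintext), key_id.hex(),
                              hashlib.sha256(plaintext).hexdigest())
    return header + xor_scramble(plaintext, key), record


def parse_header(container: bytes) -> Tuple[int, bytes, int]:
    """Read the unencrypted header: algorithm id, key identifier, offset of encrypted data."""
    if len(container) < HEADER_LEN:
        raise ValueError("container too short")
    magic, version, alg, key_id, offset = struct.unpack_from(HEADER_FMT, container, 0)
    if magic != MAGIC or version != 1:
        raise ValueError("not a recognised quarantine container")
    return alg, key_id, offset


def vm_restore(container: bytes, key: bytes, record: QuarantineRecord) -> bytes:
    """VM side: decrypt with the decryption information the host supplied, then verify
    the result against the record before handing it to anything that would process it."""
    alg, key_id, offset = parse_header(container)
    if alg != ALG_XOR:
        raise ValueError("unsupported algorithm id %d" % alg)
    if key_id.hex() != record.key_id:
        raise ValueError("decryption information does not match this container")
    plaintext = xor_scramble(container[offset:], key)
    if (len(plaintext) != record.original_size
            or hashlib.sha256(plaintext).hexdigest() != record.sha256):
        raise ValueError("decrypted data does not match the quarantine record")
    return plaintext


def restore_rejects(container: bytes, key: bytes, record: QuarantineRecord) -> bool:
    """True if vm_restore refuses the container (tampered bytes, wrong key, wrong header)."""
    try:
        vm_restore(container, key, record)
    except ValueError:
        return True
    return False


def recover_xor_key(container: bytes, known_plaintext_prefix: bytes) -> bytes:
    """Caveat: repeating-key XOR is not cryptographically secure. Whoever knows as many
    leading plaintext bytes as the key is long (Windows PE files commonly start with the
    bytes 4D 5A 90 00) recovers the key by XORing them with the ciphertext."""
    _, _, offset = parse_header(container)
    n = len(known_plaintext_prefix)
    return xor_scramble(container[offset:offset + n], known_plaintext_prefix)


if __name__ == "__main__":
    # Constructed sample input, not a real executable.
    demo_key = bytes.fromhex("5a3cc3e1")
    demo_key_id = bytes(range(16))
    sample = bytes.fromhex("4d5a9000") + b"constructed sample payload"
    box, rec = quarantine(sample, "C:/Users/demo/Downloads/sample.exe", demo_key, demo_key_id)
    print("restored in VM:", vm_restore(box, demo_key, rec) == sample)
    print("key recovered from known prefix:", recover_xor_key(box, sample[:4]) == demo_key)
```

The hash in the record does the work the unencrypted header cannot: the header tells the VM how to decrypt, but only a comparison against data recorded at quarantine time tells it that what it decrypted is the file the detection engine flagged and not something swapped in the shared location. The key recovery shows why the description's weaker encryption is acceptable only for its stated purpose, stopping the host from processing the file by accident.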
The header may provide information about the file, such as indicating that the file is encrypted, details of the encryption (e.g. information to assist in decrypting the file), the starting location of the encrypted data, etc.

A second (or subsequent) instance of a malicious file (i.e. a duplicate of a previously detected first instance of the malicious file) may be detected, where the first instance of the malicious file has been quarantined previously and remains in quarantine. The quarantine code may respond to the second instance of the malicious file by repeating the same process as was carried out for the first instance. For example, an encrypted version of the second instance malicious file may be created in a quarantine folder and the second instance malicious file may be deleted. In other examples, the quarantine code may respond to the detection of the second instance of the malicious file by recording information describing the second instance (e.g. the location of the second instance, access permissions, etc.) and associating th