The present invention, in some embodiments thereof, relates to systems and methods for protection against malicious code and, more specifically, but not exclusively, to systems and methods for protecting against evasive malware.
Automated security mechanisms, such as a sandbox, test and monitor unverified programs that may contain malicious code in an isolated environment in which the malicious code is unable to infect or damage the host computer or other computers, such as other computers in the network of an organization.
However, evasive malware is written on the assumption that the host computer may have such a security mechanism installed. The evasive malware issues one or more queries to the host environment to detect whether or not the host machine is running the security mechanism. When the response to the query indicates that the host machine is executing the security mechanism, the evasive malware attempts to evade detection by not performing any malicious activity inside the security mechanism. The malware might remain dormant until the security mechanism times out before infecting the host computer, or might try to reach and infect another computer that lacks such a security mechanism. When the response to the query indicates that the host machine is not executing the security mechanism, the malicious code activates and proceeds to damage the host computer, steal data from the host computer, and/or execute other malicious activities.
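The query-and-decide behaviour described above, modelled as an added illustration that is not part of the patent text. The environment fields, the specific indicators (CPU count, RAM, uptime, analysis tool process names, virtual NIC MAC prefixes) and the thresholds are assumptions chosen for the example; real samples use many other probes. The two host descriptions are constructed, and the "activate" outcome is only a returned label, no harmful action is modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Environment:
    """Constructed description of the host that the sample is 'querying'."""
    cpu_count: int
    ram_mb: int
    uptime_seconds: int
    running_processes: list = field(default_factory=list)
    mac_prefix: str = "00:00:00"


# Assumed heuristics: names of common analysis/VM helper processes and the
# OUI prefixes of VirtualBox and VMware virtual NICs.
SANDBOX_PROCESS_NAMES = {"vboxservice.exe", "vmtoolsd.exe", "procmon.exe"}
VIRTUAL_MAC_PREFIXES = {"08:00:27", "00:0c:29", "00:05:69"}


def sandbox_indicators(env: Environment) -> list:
    """Return the names of the checks whose answer suggests an analysis environment."""
    hits = []
    if env.cpu_count < 2:
        hits.append("few_cpus")
    if env.ram_mb < 2048:
        hits.append("low_ram")
    if env.uptime_seconds < 300:
        hits.append("fresh_boot")
    if SANDBOX_PROCESS_NAMES & {p.lower() for p in env.running_processes}:
        hits.append("analysis_process")
    if env.mac_prefix.lower() in VIRTUAL_MAC_PREFIXES:
        hits.append("virtual_nic")
    return hits


def decide(env: Environment, elapsed_seconds: int, assumed_timeout: int = 600) -> str:
    """
    The decision the text describes: 'activate' when the host looks real,
    'wait' (stay dormant) while the sample believes a sandbox with an
    assumed analysis window of `assumed_timeout` seconds is still watching,
    and 'activate' once that window is assumed to have expired.
    """
    if not sandbox_indicators(env):
        return "activate"
    if elapsed_seconds < assumed_timeout:
        return "wait"
    return "activate"


# Constructed hosts: a default analysis VM, and the same VM after the
# analyst has made it resemble an ordinary workstation.
ANALYSIS_VM = Environment(
    cpu_count=1,
    ram_mb=1024,
    uptime_seconds=45,
    running_processes=["explorer.exe", "VBoxService.exe"],
    mac_prefix="08:00:27",
)
HARDENED_VM = Environment(
    cpu_count=4,
    ram_mb=8192,
    uptime_seconds=3 * 24 * 3600,
    running_processes=["explorer.exe", "outlook.exe"],
    mac_prefix="3c:52:82",
)


if __name__ == "__main__":
    for name, env in (("analysis", ANALYSIS_VM), ("hardened", HARDENED_VM)):
        print(name, sandbox_indicators(env), decide(env, elapsed_seconds=10))
```

The example also shows the practitioner's counter-measure implicit in the text: because the malware acts only on the answers it receives, an analysis host whose answers match a real workstation (several CPUs, realistic memory and uptime, no visible analysis helpers, a non-virtual MAC prefix) receives the same "activate" decision as a production machine, and an analysis timeout shorter than the sample's assumed window only ever observes the "wait" branch.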