Headquartered in Sunnyvale, California, Proofpoint provides cybersecurity to many organizations, including Fortune 100 companies and educational institutions such as Michigan State University.

Analyzing malware is challenging. Viruses, spyware, ransomware and other malicious programs come in many complex forms. To protect its customers, Proofpoint uses tools called sandboxes, which are restricted computing environments where potentially harmful malware can be tested and analyzed safely.

Unfortunately, a new class of malware called “evasive malware” is rapidly emerging, thereby presenting a new, more dangerous class of cybersecurity threats.

Evasive malware has the ability to detect the presence of the sandbox environment. After doing so, it changes what it does, thereby evading analysis.

Our Improved Detonation of Evasive Malware system modifies evasive malware to block its ability to detect the sandbox environment, which causes it to execute. When the evasive malware does execute, its behavior is analyzed to determine precisely what it does so that Proofpoint can design countermeasures to protect against it.

Our web app, shown at the right, displays the results of processed malware. Users can check the status of the malware samples being tested as well as see the top evasive techniques being used. Both harmless and harmful evasive results are presented.

Our Improved Detonation of Evasive Malware system is implemented in Python, using the Cuckoo sandboxing framework and Suricata network monitor. Our web app is implemented using Python and Flask with the interface framed in Bootstrap and jQuery.