Patent attributes
Disclosed herein are embodiments of systems, methods, and products comprising an analytic server, which automatically detects malicious electronic files. The analytic server receives electronic files, runs a file extraction module to recursively scan the electronic files, and extracts all of the embedded and linked electronic files. The analytic server runs an exploit scanner against the extracted electronic files, and extracts code included in the electronic files. The analytic server deobfuscates the extracted code and examines the deobfuscated code by applying a set of malicious behavior rules against the deobfuscated rules. The analytic server identifies potentially malicious electronic files based on the examination. The analytic server applies a set of whitelist rules on the potentially malicious electronic files to eliminate false alarms. The analytic server transmits alert notifications to an analyst regarding the malicious electronic files and updates the whitelist rules based on analyst's feedback.
