Patent attributes
Creating a policy to be used by a malware prevention system uses multiple events triggered by malware. A sample of malicious computer code or malware is executed in a computer system having a kernel space and a user space. Event data relating to multiple events caused by the malicious code executing on the computer system are captured and stored. The event data is configured using a specific property that facilitates malware behavior analysis. A behavior list is then created utilizing the multiple events and associated event data. The behavior list, together with data in a malware behavior database, is used to derive a policy for use in a malware prevention system. The computer system is free of any malicious code, including viruses, Trojan horses, or any other unwanted software code. The malicious computer code executes without any constraints so that the execution behavior of the malicious code may be observed and captured. Critical events are selected based on the user's expertise and experience in dealing with malware and a sequential stream including the event as the events occur is created.
