INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) (19) World Intellectual Property -' Organization International Bureau res:0) (43) International Publication Date ..... .yoreol 15 June 2017(15.06.2017) WIPO I PCT ID Hit (10) 11111111111111111111 WO International 2017/098495 11111111111111HIE Publication ME Al Number IIIIRIIIIIIIIIIIIIII (51) International Patent Classification: (81) Designated States (unless otherwise indicated, for every GOOF 21/56 (2013.01) kind of national protection available): AE, AG, AL, AM, AO, AT, AU, AZ, BA, BB, BG, BH, BN, BR, BW, BY, (21) International Application Number: BZ, CA, CH, CL, CN, CO, CR, CU, CZ, DE, DK, DM, PCT/IL2016/050987 DO, DZ, EC, EE, EG, ES, FI, GB, GD, GE, GH, GM, GT, (22) International Filing Date: HN, HR, HU, ID, IL, IN, IR, IS, JP, KE, KG, KN, KP, KR, 7 September 2016 (07.09.2016) KZ, LA, LC, LK, LR, LS, LU, LY, MA, MD, ME, MG, MK, MN, MW, MX, MY, MZ, NA, NG, NI, NO, NZ, OM, (25) Filing Language: English PA, PE, PG, PH, PL, PT, QA, RO, RS, RU, RW, SA, SC, (26) Publication Language: English SD, SE, SG, SK, SL, SM, ST, SV, SY, TH, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, ZA, ZM, ZW. (30) Priority Data: 62/264,404 8 December 2015 (08.12.2015) US (84) Designated States (unless otherwise indicated, for every kind of regional protection available): ARIPO (BW, GH, (71) Applicant: ENSILO LTD. [IL/IL]; 6 Maskit Street, P.O. GM, KE, LR, LS, MW, MZ, NA, RW, SD, SL, ST, SZ, Box 12863, 4673332 Herzlia (IL). TZ, UG, ZM, ZW), Eurasian (AM, AZ, BY, KG, KZ, RU, (72) Inventor: YAVO, Udi; 6 Maskit Street, P.O. Box 12863, TJ, TM), European (AL, AT, BE, BG, CH, CY, CZ, DE, 4673332 Herzlia (IL). DK, EE, ES, FI, FR, GB, GR, HR, HU, IE, IS, IT, LT, LU, LV, MC, MK, MT, NL, NO, PL, PT, RO, RS, SE, SI, SK, (74) Agents: EHRLICH, Gal et al.; G. E. Ehrlich (1995) LTD., SM, TR), OAPI (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, 11 Menachem Begin Road, 5268104 Ramat Gan (IL). GW, KM, ML, MR, NE, SN, TD, TG). [Continued on next page] (54) Title: SYSTEMS AND METHODS FOR DETECTION OF MALICIOUS CODE IN RUNTIME GENERATED CODE (57) : According to an aspect of some embodiments of the present invention there is provided a computer-imple- Receive indication of the creation mented method for detection of malicious code within and/or execution of runtime runtime generated code executing within a computer, com- generated code the the prising executing on a processor of computer acts of: 102 receiving an indication of at least one of the creation and the execution of runtime generated code in a memory of a com- puter; identifying a match between signature data associated Identify a match between signature with the runtime generated code and a template signature of a data associated with the runtime Generate plurality of templates representing authorized source creation generated code and a template Match indication of modifies that created the runtime generated code, the tem- * signature representing an found benign code in device; plates stored a repository on a storage and trigger - authorized source creation module 110 ing a security process to handle in the malicious code runtime 104 is found. generated code when no match No match found Generate indication of malicious code 106 Il .4t In Cr \ 71° pc CT\ C --..„ IN Il C ei V Trigger security process to handle the malicious code 108 no. i O WO 2017/098495 Al IMEDIMOMMIDIIMMENIIMMENIMEMOVOIS Declarations under Rule 4.17: Published: — of inventorship (Rule 4.17(iv)) — with international search report (Art. 21(3))