Abstract: In an example, there is disclosed a computing apparatus having one or more logic elements providing a security agent operable for: detecting that a first process has launch a second process and placed the second process in a suspended state; detecting that the first process has modified or attempted to modify the second process; classifying the modification as potentially malicious; and taking a remedial action. There is also disclosed one or more computer-readable storage mediums having stored thereon executable instructions for providing the security agent, and a computer-executable method of providing the security agent.

Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code that provides operations when executed by the at least one processor. The operations may include: reducing a dimensionality of a plurality of features representative of a file set; determining, based at least on a reduced dimensional representation of the file set, a distance between a file and the file set; and determining, based at least on the distance between the file and the file set, a classification for the file. Related methods and articles of manufacture, including computer program products, are also provided.

Abstract: Pairing of an external device using a random user action is disclosed herein. An example method includes restricting, the external device from accessing a resource. A user input receivable from the external device is identified based on a type of the external device, the user input not included in a list of previously generated user actions.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive untrusted input data at an enclave in an electronic device, isolate the untrusted input data from at least a portion of the enclave, communicate at least a portion of the untrusted data to an integrity verification module using an attestation channel, and receive data integrity verification of the untrusted input data from the integrity verification module. The integrity verification module can perform data integrity attestation functions to verify the untrusted data and the data integrity attestation functions include a data attestation policy and a whitelist.

Abstract: Certain embodiments herein relate to pairing an external device and a computer using a random user action. The random user action may be generated based on the type of device. After an external device is connected to the computer, the external device is segregated from one or more resources of the computer. A random user action based on the device type, and to be received from the external device, is generated and requested. If the random user action is received, the external device is paired with the computer and provided access to the one or more resources of the computer.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive untrusted input data at an enclave in an electronic device, isolate the untrusted input data from at least a portion of the enclave, communicate at least a portion of the untrusted data to an integrity verification module using an attestation channel, and receive data integrity verification of the untrusted input data from the integrity verification module. The integrity verification module can perform data integrity attestation functions to verify the untrusted data and the data integrity attestation functions include a data attestation policy and a whitelist.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine when a peripheral is connected to the electronic device, determine a peripheral identification for the peripheral, and monitor the data going to and from the peripheral. Based on the monitored data, a type for the peripheral can be determine. The peripheral identification can be compared with the determined type for the peripheral and if they do not match, then communication to and from the peripheral can be blocked.

Abstract: In an example, a system and method for outbreak pathology inference are described. In certain computational ecosystems, malware programs and other malicious objects may infect a machine, and then attempt to infect additional machines that are “networked” to the first machine. In some cases, the network may be a physical or logical network, such as an enterprise network. However, “social networking” may also connect one machine to another, because users may share files or data with one another over social networks. In that case, client devices may be equipped with a telemetry engine to gather and report data about the machine, while a system management server receives reported telemetry. The system management server may use both logical networks and social networks to infer potential outbreak paths and behaviors of malware.

Abstract: Technologies for securing an electronic device include trapping an attempt to access a secured system resource of the electronic device, determining a module associated with the attempt, determining a subsection of the module associated with the attempt, the subsection including a memory location associated with the attempt, accessing a security rule to determine whether to allow the attempted access based on the determination of the module and the determination of the subsection, and handling the attempt based on the security rule. The module includes a plurality of distinct subsections.

Abstract: In an example, there is disclosed a computing apparatus having one or more logic elements providing a security agent operable for: detecting that a first process has launch a second process and placed the second process in a suspended state; detecting that the first process has modified or attempted to modify the second process; classifying the modification as potentially malicious; and taking a remedial action. There is also disclosed one or more computer-readable storage mediums having stored thereon executable instructions for providing the security agent, and a computer-executable method of providing the security agent.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor access to data in a secured area of memory at a hypervisor level, receive a request from a process to the data in the secured area, and deny the request if the process is not a trusted process. In an example, the electronic device is a point of sale device.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive a request from a process to access data is a system, determine if the data is in a virtualized protected area of memory in the system, and allow access to the data if the data is in the virtualized protected area of memory and the process is a trusted process. The electronic device can also be configured to determine if new data should be protected, store the new data in the virtualized protected area of memory in the system if the new data should be protected, and store the new data in an unprotected area of memory in the system if the new data should not be protected.

Abstract: A method for securing an electronic device includes, at a level below all of the operating systems of an electronic device, trapping a first attempt and second attempt to access sensitive system resources of the electronic device. The method also includes identifying the first attempt and second attempt as representing a potential malware attack, comparing the sequence of the first attempt and second attempt against a first anti-malware rule, and, based on the comparison of the sequence of the first attempt and second attempt against the first anti-malware rule, allowing the second attempt. The first attempt and second attempt originate from code of the same operating entity. The first anti-malware rule includes a requirement of a sequence of attempts including the first attempt followed by the second attempt.

Abstract: In an example, a system and method for outbreak pathology inference are described. In certain computational ecosystems, malware programs and other malicious objects may infect a machine, and then attempt to infect additional machines that are “networked” to the first machine. In some cases, the network may be a physical or logical network, such as an enterprise network. However, “social networking” may also connect one machine to another, because users may share files or data with one another over social networks. In that case, client devices may be equipped with a telemetry engine to gather and report data about the machine, while a system management server receives reported telemetry. The system management server may use both logical networks and social networks to infer potential outbreak paths and behaviors of malware.

Abstract: Certain embodiments herein relate to pairing an external device and a computer using a random user action. The random user action may be generated based on the type of device. After an external device is connected to the computer, the external device is segregated from one or more resources of the computer. A random user action based on the device type, and to be received from the external device, is generated and requested. If the random user action is received, the external device is paired with the computer and provided access to the one or more resources of the computer.

Abstract: Technologies for securing an electronic device include trapping an attempt to access a secured system resource of the electronic device, determining a module associated with the attempt, determining a subsection of the module associated with the attempt, the subsection including a memory location associated with the attempt, accessing a security rule to determine whether to allow the attempted access based on the determination of the module and the determination of the subsection, and handling the attempt based on the security rule. The module includes a plurality of distinct subsections.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine when a peripheral is connected to the electronic device, determine a peripheral identification for the peripheral, and monitor the data going to and from the peripheral. Based on the monitored data, a type for the peripheral can be determine. The peripheral identification can be compared with the determined type for the peripheral and if they do not match, then communication to and from the peripheral can be blocked.

Abstract: Provided in some embodiments are systems and methods for remediating malware. Embodiments include receiving (from a process) a request to access data, determining that the process is an unknown process, providing the process with access to one or more data tokens in response to determining that the process is an unknown process, determining whether the process is engaging in suspicious activity with the one or more data tokens, and inhibiting execution of the process in response to determining that the process is engaging in suspicious activity with the one or more data tokens.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identifying a digital certificate associated with data and assigning a reputation to the digital certificate, where the digital certificate is classified as trusted if the digital certificate is included in an entry in a whitelist and the digital certificate is classified as untrusted if the digital certificate is included in an entry in a blacklist.

Abstract: A method for monitoring for malware includes, during a boot process on an electronic device, determining a portion of memory, determining that the portion of memory is reserved for exclusive access by an entity on the electronic device, and, based on the determination that a portion of memory is reserved for exclusive access during the boot process, determining that the reservation is indicative of malware.