Abstract: A system for operating system remediation intercepts input/output (I/O) requests to write to one or more files and stores, as file restore data, (i) a restore copy of the one or more files to the system cache prior to performing write operations of the I/O requests and (ii) identification information for one or more processes or entities making the corresponding I/O requests in the system cache. The system reverts to the restore copy of the one or more files using the file restore data and based at least on a later determination that one or more processes making the corresponding I/O requests was malware. A current version of the one or more files is thereby replaced with the restore copy of the one or more files with improved automatic remediation support and a greater likelihood that data can be restored from the cache in the case of malware attacks.

Abstract: Implementations described herein disclose a malware sequence detection system for detecting presence of malware in a plurality of events. An implementation of the malware sequence detection includes receiving a sequence of a plurality of events, and detecting presence of a sequence of malware commands within the sequence of a plurality of events by dividing the sequence of plurality of events into a plurality of subsequences, performing sequential subsequence learning on one or more of the plurality of subsequences, and generating a probability of one or more of the plurality of subsequences being a malware based on the output of the sequential subsequence.

Abstract: Enhanced neural network architectures that enable the determination and employment of association-based or attention-based “interrelatedness” of various portions of the input data are provided. A method of employing an architecture includes receiving a first input data element, a second input element, and a third input element. A first interrelated metric that indicates a degree of interrelatedness between the first input data element and the second input data element is determined. A second interrelated metric is determined. The second interrelated metric indicates a degree of interrelatedness between the first input data element and the third input data element. An interrelated vector is generated based on the first interrelated metric and the second interrelated metric. The neural network is employed to generate an output vector that corresponds to the first input vector and is based on a combination of the first input vector and the interrelated vector.

Abstract: Enhanced neural network architectures that enable the determination and employment of association-based or attention-based “interrelatedness” of various portions of the input data are provided. A method of employing an architecture includes receiving a first input data element, a second input element, and a third input element. A first interrelated metric that indicates a degree of interrelatedness between the first input data element and the second input data element is determined. A second interrelated metric is determined. The second interrelated metric indicates a degree of interrelatedness between the first input data element and the third input data element. An interrelated vector is generated based on the first interrelated metric and the second interrelated metric. The neural network is employed to generate an output vector that corresponds to the first input vector and is based on a combination of the first input vector and the interrelated vector.

Abstract: Described herein are various technologies pertaining detecting malware by monitoring execution of an instrumented process. An anti-malware engine can observe code obfuscation, suspicious patterns and/or behavior upon scanning a computer file. Based upon this observation, evidence can be submitted to a service (e.g., cloud-based service) and, in response, configuration setting(s) for restraining, containing and/or instrumenting a process for executing the file and/or instrumenting a process into which the file is loaded can be received. The configured process can be monitored. Based upon this monitoring, an action can be taken including determining the file to comprise malware and terminating the process. Upon detecting malware, a detection report, and a copy of the computer file, can be sent to a service (e.g., cloud-based). The service can independently verify that the reported file is malicious, and can protect other machines from executing or loading the same malicious file.

Abstract: Implementations described herein disclose a malware sequence detection system for detecting presence of malware in a plurality of events. An implementation of the malware sequence detection includes receiving a sequence of a plurality of events, and detecting presence of a sequence of malware commands within the sequence of a plurality of events by dividing the sequence of plurality of events into a plurality of subsequences, performing sequential subsequence learning on one or more of the plurality of subsequences, and generating a probability of one or more of the plurality of subsequences being a malware based on the output of the sequential subsequence.

Abstract: A system for operating system remediation intercepts input/output (I/O) requests to write to one or more files and stores, as file restore data, (i) a restore copy of the one or more files to the system cache prior to performing write operations of the I/O requests and (ii) identification information for one or more processes or entities making the corresponding I/O requests in the system cache. The system reverts to the restore copy of the one or more files using the file restore data and based at least on a later determination that one or more processes making the corresponding I/O requests was malware. A current version of the one or more files is thereby replaced with the restore copy of the one or more files with improved automatic remediation support and a greater likelihood that data can be restored from the cache in the case of malware attacks.

Abstract: The present invention extends to methods, systems, and computer program products for reverse replication to rollback corrupted files. When a computer system detects that a copy of a file includes inappropriate content, the computer system can coordinate with other computer systems (e.g., in replicated storage system) to determine that a viable (e.g., clean) copy of the file exists. The computer system can access the viable copy and replace the copy that includes the inappropriate content with the viable copy. As such, a computer system can “reverse replicate” a file rather than break a synchronization relationship. Reverse replication can be used to rollback a copy of an infected file to another (possibly earlier) copy of the file that is not infected. Embodiments of the invention can be used to rollback data files, such as, for example, pictures, videos, documents, etc.

Abstract: Described herein are various technologies pertaining detecting malware by monitoring execution of an instrumented process. An anti-malware engine can observe code obfuscation, suspicious patterns and/or behavior upon scanning a computer file. Based upon this observation, evidence can be submitted to a service (e.g., cloud-based service) and, in response, configuration setting(s) for restraining, containing and/or instrumenting a process for executing the file and/or instrumenting a process into which the file is loaded can be received. The configured process can be monitored. Based upon this monitoring, an action can be taken including determining the file to comprise malware and terminating the process. Upon detecting malware, a detection report, and a copy of the computer file, can be sent to a service (e.g., cloud-based). The service can independently verify that the reported file is malicious, and can protect other machines from executing or loading the same malicious file.

Abstract: The present invention extends to methods, systems, and computer program products for scanning files for inappropriate content during file synchronization. Embodiments of the invention are mindful of the order of operations when scanning files for inappropriate content and in subsequent file processing. In some embodiments, during synchronization, an intermediary server scans a file for inappropriate content. The file is not permitted to be fully downloaded to a client device until the scan determines that the file does not contain inappropriate content. In other embodiments, during synchronization, a client device scans a newer version of a file for inappropriate content. An older version of the file is not deleted until the scan determines that the newer version of the file does not contain inappropriate content. In further embodiments, server side scanning and client side scanning are both used to enhance capabilities for detecting inappropriate content.

Abstract: The present invention extends to methods, systems, and computer program products for reverse replication to rollback corrupted files. When a computer system detects that a copy of a file includes inappropriate content, the computer system can coordinate with other computer systems (e.g., in replicated storage system) to determine that a viable (e.g., clean) copy of the file exists. The computer system can access the viable copy and replace the copy that includes the inappropriate content with the viable copy. As such, a computer system can “reverse replicate” a file rather than break a synchronization relationship. Reverse replication can be used to rollback a copy of an infected file to another (possibly earlier) copy of the file that is not infected. Embodiments of the invention can be used to rollback data files, such as, for example, pictures, videos, documents, etc.

Abstract: The present invention extends to methods, systems, and computer program products for scanning files for inappropriate content during file synchronization. Embodiments of the invention are mindful of the order of operations when scanning files for inappropriate content and in subsequent file processing. In some embodiments, during synchronization, an intermediary server scans a file for inappropriate content. The file is not permitted to be fully downloaded to a client device until the scan determines that the file does not contain inappropriate content. In other embodiments, during synchronization, a client device scans a newer version of a file for inappropriate content. An older version of the file is not deleted until the scan determines that the newer version of the file does not contain inappropriate content. In further embodiments, server side scanning and client side scanning are both used to enhance capabilities for detecting inappropriate content.

Abstract: The subject disclosure is directed towards detecting malware or possible malware in an input file by allowing the input file to be opened, and by monitoring for one or more behaviors corresponding to the open file that likely indicate malware. Only certain executable files and/or file types opened thereby may be monitored, with various collected event data used for antimalware purposes when improper behavior is observed. Example behaviors include writing of a file to storage, generation of network traffic, injection of a process, running of script, and/or writing system registry data. Telemetry data and/or a sample of the file may be sent to an antimalware service, and malware remediation may be performed. Data (e.g., the collected events) may be distributed to other nodes for use in antimalware detection, e.g., to block execution of a similar file.

Abstract: The present invention extends to methods, systems, and computer program products for scanning files for inappropriate content during file synchronization. Embodiments of the invention are mindful of the order of operations when scanning files for inappropriate content and in subsequent file processing. In some embodiments, during synchronization, an intermediary server scans a file for inappropriate content. The file is not permitted to be fully downloaded to a client device until the scan determines that the file does not contain inappropriate content. In other embodiments, during synchronization, a client device scans a newer version of a file for inappropriate content. An older version of the file is not deleted until the scan determines that the newer version of the file does not contain inappropriate content. In further embodiments, server side scanning and client side scanning are both used to enhance capabilities for detecting inappropriate content.

Abstract: A system and method that facilitates and effectuates detection of malware secreted and/or hidden in plain sight on a machine. The system and method in order to achieve its aims generates a list of all loaded modules, identifies from the list a set of modules common to more than a threshold number of processes, and eliminates from the list those modules included in an authentication list. The resultant list is prioritized based, in one instance, on the number of occurrences a particular module makes in the resultant list, and thereafter the list is distributed analyst workstations.

Abstract: Techniques are described herein that are capable of selectively scanning objects for infection by malware (i.e., to determine whether one or more of the objects are infected by malware). For instance, metadata that is associated with the objects may be reviewed to determine whether update(s) have been made with regard to the objects since a determination was made that the objects were not infected by malware. An update may involve increasing a number of the objects, modifying one of the objects, etc. Objects that have been updated (e.g., added and/or modified) since the determination may be scanned. Objects that have not been updated since the determination need not necessarily be scanned. For instance, an allowance may be made to perform operations with respect to the objects that have not been updated since the determination without first scanning the objects for infection by malware.

Abstract: The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, with which a customer frontend machine communicates (queries) for purposes of malware detection. In this way, some antimalware techniques are maintained at the backend service rather than revealed to antimalware authors. The backend antimalware detection logic may be based upon feature selection, and may be updated rapidly, in a manner that is faster than malware authors can track. Noise may be added to the results to make it difficult for malware authors to deduce the logic behind the results. The backend may return results indicating malware or not malware, or return inconclusive results. The backend service may also detect probing-related queries that are part of an attempt to deduce the unrevealed antimalware detection logic, with noisy results returned in response and/or other actions taken to foil the attempt.

Abstract: The present invention extends to methods, systems, and computer program products for reverse replication to rollback corrupted files. When a computer system detects that a copy of a file includes inappropriate content, the computer system can coordinate with other computer systems (e.g., in replicated storage system) to determine that a viable (e.g., clean) copy of the file exists. The computer system can access the viable copy and replace the copy that includes the inappropriate content with the viable copy. As such, a computer system can “reverse replicate” a file rather than break a synchronization relationship. Reverse replication can be used to rollback a copy of an infected file to another (possibly earlier) copy of the file that is not infected. Embodiments of the invention can be used to rollback data files, such as, for example, pictures, videos, documents, etc.

Abstract: The present invention extends to methods, systems, and computer program products for scanning files for inappropriate content during file synchronization. Embodiments of the invention are mindful of the order of operations when scanning files for inappropriate content and in subsequent file processing. In some embodiments, during synchronization, an intermediary server scans a file for inappropriate content. The file is not permitted to be fully downloaded to a client device until the scan determines that the file does not contain inappropriate content. In other embodiments, during synchronization, a client device scans a newer version of a file for inappropriate content. An older version of the file is not deleted until the scan determines that the newer version of the file does not contain inappropriate content. In further embodiments, server side scanning and client side scanning are both used to enhance capabilities for detecting inappropriate content.

Abstract: A reliable automated malware classification approach with substantially low false positive rates is provided. Graph-based local and/or global file relationships are used to improve malware classification along with a feature selection algorithm. File relationships such as containing, creating, copying, downloading, modifying, etc. are used to assign malware probabilities and simultaneously reduce the false positive and false negative rates on executable files.