Abstract: Techniques for generating a virtual private container (VPC) are disclosed. In one embodiment, the techniques may be realized as a virtual container defining a self-contained software environment, comprising one or more analytic components configured to carry out specified analytic functions on data within the container, wherein the one or more analytic components are isolated to run within the self-contained software environment of the container; an interface configured to identify and authenticate a particular user and provide analysis results generated by the one or more analytic components; and a gateway configured to receive data from one or more secure data sources external to the virtual container and associated with the particular user for use by the one or more analytic components.

Abstract: The disclosed computer-implemented method for determining that files found on client devices comprise sensitive information may include (1) maintaining, on a server, a set of representations of files that have been classified as sensitive according to a data loss prevention policy, (2) receiving, from a client device, a message that includes a representation of a file on the client device, (3) determining that the representation of the file on the client device matches the representation of a sensitive file from the set of representations of files, (4) concluding, based on the representation of the file on the client device matching the representation of the sensitive file, that the file on the client device includes sensitive information, and (5) performing a security action in response to concluding that the file on the client device includes the sensitive information. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The efficacy of security products and practices is quantified, based on monitored activities and conditions on multiple computers over time. A set of metrics is defined, specifying what criteria concerning computer security systems are to be quantified. Telemetry data concerning the defined metrics are collected from multiple computers, such as the customer base of a security product vendor. Security configuration information such as the deployments and settings of security systems on computing devices is monitored. This monitored information tracks what security products are deployed on which machines, and how these products are configured and used. Collected telemetry is correlated with monitored configuration information, enabling determination of what security product deployments and settings are in place when specific security incidents, operations and other types of actions occur.

Abstract: A cloud based system receives multiple types of security telemetry from multiple participating organizations. The received security telemetry can be pseudonymized by replacing fields containing sensitive information with corresponding pseudonyms. Two data stores can be maintained, a first for raw telemetry, and a second for pseudonymized telemetry. Each data store can comprise a directory structure organized according to factors such as originating organization, administrative unit, telemetry type, schema, format and/or version and receipt time. Raw telemetry is stored in directories of the first data store, and pseudonymized security telemetry is stored in directories of the second data store, both organized according to the above-described factors.

Abstract: Techniques for generating a virtual private container (VPC) are disclosed. In one embodiment, the techniques may be realized as a virtual container defining a self-contained software environment, comprising one or more analytic components configured to carry out specified analytic functions on data within the container, wherein the one or more analytic components are isolated to run within the self-contained software environment of the container; an interface configured to identify and authenticate a particular user and provide analysis results generated by the one or more analytic components; and a gateway configured to receive data from one or more secure data sources external to the virtual container and associated with the particular user for use by the one or more analytic components.

Abstract: Clients send telemetry data to a cloud server, where the telemetry data includes security-related information such as file creations, timestamps and malware detected at the clients. The cloud server analyzes the telemetry data to identify malware that is currently spreading among the clients. Based on the analysis of the telemetry data, the cloud server segments malware definitions in a cloud definition database into a set of local malware definitions and a set of cloud malware definitions. The cloud server provides the set of local malware definitions to the clients as a local malware definition update, and replies to cloud definition lookup requests from clients with an indication of whether a file identified in a request contains malware. If the file is malicious, the client remediates the malware using local malware definition update.

Abstract: The efficacy of security products and practices is quantified, based on monitored activities and conditions on multiple computers over time. A set of metrics is defined, specifying what criteria concerning computer security systems are to be quantified. Telemetry data concerning the defined metrics are collected from multiple computers, such as the customer base of a security product vendor. Security configuration information such as the deployments and settings of security systems on computing devices is monitored. This monitored information tracks what security products are deployed on which machines, and how these products are configured and used. Collected telemetry is correlated with monitored configuration information, enabling determination of what security product deployments and settings are in place when specific security incidents, operations and other types of actions occur.

Abstract: A reputation server is coupled to multiple clients via a network. Each client has a security module that detect malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.

Abstract: A communication between an entity and a host is identified. Reputation information associated with a set of other entities that communicate with the host is identified. A reputation score associated with the host is generated based on the reputation information associated with a set of other entities. A reputation score associated with the entity is generated based on the reputation score associated with the host.

Abstract: A communication between an entity and a host is identified. Reputation information associated with a set of other entities that communicate with the host is identified. A reputation score associated with the host is generated based on the reputation information associated with a set of other entities. A reputation score associated with the entity is generated based on the reputation score associated with the host.

Abstract: Clients send telemetry data to a cloud server, where the telemetry data includes security-related information such as file creations, timestamps and malware detected at the clients. The cloud server analyzes the telemetry data to identify malware that is currently spreading among the clients. Based on the analysis of the telemetry data, the cloud server segments malware definitions in a cloud definition database into a set of local malware definitions and a set of cloud malware definitions. The cloud server provides the set of local malware definitions to the clients as a local malware definition update, and replies to cloud definition lookup requests from clients with an indication of whether a file identified in a request contains malware. If the file is malicious, the client remediates the malware using local malware definition update.

Abstract: Clients send telemetry data to a cloud server, where the telemetry data includes security-related information such as file creations, timestamps and malware detected at the clients. The cloud server analyzes the telemetry data to identify malware that is currently spreading among the clients. Based on the analysis of the telemetry data, the cloud server segments malware definitions in a cloud definition database into a set of local malware definitions and a set of cloud malware definitions. The cloud server provides the set of local malware definitions to the clients as a local malware definition update, and replies to cloud definition lookup requests from clients with an indication of whether a file identified in a request contains malware. If the file is malicious, the client remediates the malware using local malware definition update.

Abstract: A security module on a client monitors file download activities at the client and reports hosting website data to a security server. A download analysis module at the security server receives a hosting website data report from the client, where the hosting website data report describes a domain name and an IP address of a website hosting a file the client is attempting to download. The download analysis module analyzes the domain name and IP address of the website to generate file download control data indicating whether to allow downloading of the file to the client. The download analysis module reports the file download control data to the security module of the client. The security module uses the file download control data to selectively block downloading of the file.

Abstract: A computer-implemented method for identifying potential malware may include (1) identifying a file that is subject to a reputation evaluation, (2) identifying at least one client submission received from at least one computing system that identifies (a) an instance of the file created on the computing system and (b) at least one additional file created on the computing system at substantially the same time as the instance of the file and within the same file path as the instance of the file, (3) identifying a reputation associated with the additional file(s), and then (4) generating a reputation rating for the file based at least in part on the reputation associated with the additional file(s). Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A reputation server is coupled to multiple clients via a network. Each client has a security module that detects malware at the client. The security module computes a hygiene score based on detected malware. The security module provides the hygiene score and an identifier of a visited web site to a reputation server. The security module also provides identifiers of files encountered at specified web sites to the reputation server. The reputation server computes secondary hygiene scores for web sites based on the hygiene scores of the clients that visit the web sites. The reputation server further computes reputation scores for files based on the secondary hygiene scores of sites that host the files. The reputation server provides the reputation scores to the clients. A reputation score represents an assessment of whether the associated file is malicious.

Abstract: A reputation server is coupled to multiple clients via a network. A security module in each client monitors client encounters with entities such as files, programs, and websites, and then computes a hygiene score based on the monitoring. The hygiene scores are then provided to the reputation server, which computes reputation scores for the entities based on the clients' hygiene scores and the interactions between the clients and the entity. When a particular client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The reputation score may comprises a statistical measure based on a number of other trustworthy or “good hygiene” clients that have a hygiene score above a threshold. The client communicates this reputation score to a user with a message indicating that the reputation score is based on other clients deemed trustworthy.

Abstract: Methods and systems for aiding in the detection of false positives generated by security systems are disclosed. One exemplary server-side method may comprise: 1) building a database containing a copy of, and metadata for, each file within an enterprise that is capable of posing a security risk, 2) identifying a determination by a security system that at least one of the files within the enterprise poses a security risk, and then 3) assisting a user to evaluate whether the security system has generated any false positives by presenting to the user both a list of each file within the enterprise that the security system determined poses a security risk and metadata for each file on the list. Corresponding client-side methods and systems are also disclosed.

Abstract: Techniques for classifying unknown files taking into account temporal proximity between unknown files and files with known classifications are disclosed. In response to a classification request for a target file, client systems hosting (or hosted) instances of the target file are identified. For each system, files created around the time the target file was created on the system are identified. Within the identified files, files with known classifications are identified, and a score is determined for each such file to measure temporal proximity between the creation of the file and the creation of the target file. Local temporal proximity scores aggregate the scores for the client system. Global temporal proximity scores measures an aspect of the local temporal proximity scores for all identified client systems. The global temporal proximity scores are fed into a classifier to determine a classification, which is returned in response to the classification request.

Abstract: A computer generates a reputation score for a file based at least in part on the lineage of the file. A security module on a client monitors file creations on the client and identifies a parent file creating a child file. The security module provides a lineage report describing the lineage relationship to a security server. The security server uses lineage reports from the client to generate one or more lineage scores for the files identified by the reports. The security server aggregates the lineage scores for files reported by multiple clients. The aggregated lineage scores are used by the security server to generate reputation scores for files. The reputation score for a file indicates a likelihood that the file is malicious. The security server reports the reputation scores to the clients, and the clients use the reputation scores to determine whether files detected at the clients are malicious.

Abstract: A security module on a client detects a signed file at the client and reports signing information identifying a certificate used to sign the file and a file identifier identifying the file to a security server. The security server uses the signing information to determine whether the certificate is compromised. If the certificate is compromised, the security server compares a discovery date of the file with a compromise date of the certificate. The security server generates trust data assigning a trust level to the file responsive to the comparison. The trust data assign a low trust level to the file if the comparison indicates that the file discovery date is after the compromise date and assign a high trust level to the file if the comparison indicates that the file discovery date is not after the compromise date. The security server provides the trust data to the client.