Abstract: Techniques for classifying unknown files taking into account temporal proximity between unknown files and files with known classifications are disclosed. In response to a classification request for a target file, client systems hosting (or hosted) instances of the target file are identified. For each system, files created around the time the target file was created on the system are identified. Within the identified files, files with known classifications are identified, and a score is determined for each such file to measure temporal proximity between the creation of the file and the creation of the target file. Local temporal proximity scores aggregate the scores for the client system. Global temporal proximity scores measures an aspect of the local temporal proximity scores for all identified client systems. The global temporal proximity scores are fed into a classifier to determine a classification, which is returned in response to the classification request.

Abstract: A reputation server is coupled to multiple clients via a network. Each client has a security module that detect malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.

Abstract: A user-assisted security software program alerts a user when a new pop-up is displayed from a suspicious source application. If the source application may be suspicious if it has a low reputation. Displayed in connection with the pop-up, the alert prompts the user to indicate whether the source application that generated the pop-up should be trusted. If the user indicates that the source application is not trusted, the security software declares the source application to be malicious. The malicious code can then be dealt with, such as by removing it from the computing system, blocking it from generating new pop-ups, and preventing further network communications. The user's feedback about the source application may also be used to adjust the application's reputation.

Abstract: A signature is identified in association with an entity at a client. A reputation score associated with the entity is identified, the reputation score indicating a likelihood that the entity will compromise the client. Whether the signature detection event is a false positive signature detection event is evaluated based on the reputation score and reported.

Abstract: A security module detects attempted exploitations of vulnerabilities of applications executing on a computer. The security module hooks an application on the computer. The hook transfers control flow to the security module if execution reaches a hooked location. When a hook is followed, the security module saves the state of the computer and activates an analysis environment. A virtual machine within the analysis environment executes signatures that programmatically analyze the state of the computer to determine whether a vulnerability in the application is being exploited. If a signature detects an exploit, the security module blocks the exploit by skipping over the one or more instructions that constitute the exploit, terminating the application, or performing a different action. The security module reports the detected exploit attempt to the user of the client. The security module returns control flow back to the application if it does not detect an exploit.

Abstract: A reputation server is coupled to multiple clients via a network. Each client has a security module that detects malware at the client. The security module computes a hygiene score based on detected malware. The security module provides the hygiene score and an identifier of a visited web site to a reputation server. The security module also provides identifiers of files encountered at specified web sites to the reputation server. The reputation server computes secondary hygiene scores for web sites based on the hygiene scores of the clients that visit the web sites. The reputation server further computes reputation scores for files based on the secondary hygiene scores of sites that host the files. The reputation server provides the reputation scores to the clients. A reputation score represents an assessment of whether the associated file is malicious.

Abstract: A server provides a reduced set of malware signatures to clients. The reduced set of malware signatures has the same scope of coverage as a comprehensive set of malware signatures stored on the server, but with a higher rate of false positive detections. The server receives signature detection event reports from the clients. A signature detection event report identifies the signature in the reduced set that was detected, and includes information describing the suspicious entity in which the signature was detected. Upon receiving a signature detection event report from a client, the server evaluates the information describing the suspicious entity using one or more signatures in the comprehensive set to determine whether the signature detection event is a false positive or a legitimate malware detection. The security server provides the result of the evaluation to the client from which the report was received.

Abstract: Computer-implemented methods and systems for using reputation data to detect shared-object-based security threats are disclosed. In one example, an exemplary method for performing such a task may comprise: 1) identifying a process, 2) identifying an executable file associated with the process, 3) identifying at least one shared object loaded by the process, 4) obtaining reputation data for both the executable file and the shared object from a reputation service, 5) determining that the shared object represents a potential security risk by comparing the reputation data for the executable file with the reputation data for the shared object and determining that the reputation data for the shared object is significantly different from the reputation data for the executable file, and then 6) performing a security operation on the shared object. Corresponding server-side methods and systems for identifying malicious shared objects based on reputation data are also disclosed.

Abstract: A categorization server is coupled to multiple clients via a network. Each client has a security module that monitors web browsing performed on the client and reports a web site browsing stream to the categorization server. The categorization server identifies a site from the browsing stream of a client that is of a known category. The categorization server uses content-temporal locality to determine whether other sites in the browsing stream belong to the same category as the site having the known category. This determination can be performed by assigning probabilities to other sites in the browsing stream, and by considering probabilities assigned to sites in browsing streams of other clients. The categorization server provides categories of sites to the clients, and the client security modules can implement category-based security policies.

Abstract: A security module on a client monitors file download activities at the client and reports hosting website data to a security server. A download analysis module at the security server receives a hosting website data report from the client, where the hosting website data report describes a domain name and an IP address of a website hosting a file the client is attempting to download. The download analysis module analyzes the domain name and IP address of the website to generate file download control data indicating whether to allow downloading of the file to the client. The download analysis module reports the file download control data to the security module of the client. The security module uses the file download control data to selectively block downloading of the file.

Abstract: A reputation server is coupled to multiple clients. Each client has a security module that detects submissions of personally identifiable information (PII) from the client to a web site. The security module reports the identity of the web site and the type of submitted PII to the reputation server. The reputation server computes a reputation score for the web site based on the number and type of PII submissions to it. The reputation score represents an assessment of whether the web site is trustworthy. The reputation server provides the reputation scores for the web site to a client. The security module at the client evaluates the reputation score of the web site and optionally generates an alert advising the user not to submit PII to the web site because the site is untrustworthy.

Abstract: A computer-implemented method for encouraging the renewal of security-software subscriptions may comprise: 1) determining that a security-software subscription for a computing system has expired, 2) after determining that the security-software subscription has expired, continuing to at least periodically retrieve vendor-supplied security updates and to monitor the computing system for potential security threats, 3) detecting at least one security threat to the computing system, 4) notifying a user of the computing system of the security threat, and then 5) prompting the user to renew the security-software subscription. Corresponding systems and computer-readable media are also disclosed.

Abstract: A virus detection system (VDS) (400) operates under the control of P-code to detect the presence of a virus in a file (100) having multiple entry points. P-code is an intermediate instruction format that uses primitives to perform certain functions related to the file (100). The VDS (400) executes the P-code, which provides Turing-equivalent capability to the VDS. The VDS (400) has a P-code data file (410) for holding the P-code, a virus definition file (VDF) (412) for holding signatures of known viruses, and an engine (414) for controlling the VDS. The engine (414) contains a P-code interpreter (418) for interpreting the P-code, a scanning module (424) for scanning regions of the file (100) for the virus signatures in the VDF (412), and an emulating module (426) for emulating entry points of the file. When executed, the P-code examines the file (100), posts (514) regions that may be infected by a virus for scanning, and posts (518) entry points that may be infected by a virus for emulating.

Abstract: An access control system (200) enables a computer network (1) to prevent execution of computer code that may contain computer viruses. An access control console (201) generates an access control message (260) including control parameters such as a time limit (255). Said time limit (255) is disseminated to computers (2, 3) on the network (1). Said computers (2, 3) use the time limit (255) to determine the executability of computer code. Access control system (200) also enables blocking data communications with suspicious or susceptible programs in network (1) during virus outbreaks.

Abstract: Methods, apparatuses, and computer-readable media for detecting bulk electronic messages using header similarity analysis. Bulk electronic messages can be detected by parsing (115) header fields of an electronic message; associating (120) at least one constituent unit with each header field defining a set of constituent units for each header field; ascertaining (230) a feature vector for each set of constituent units; forming (240) a collection of feature vectors; and computing (250) an inner product from a set of constituent units from an additional electronic message and the collection of feature vectors from the initial electronic message resulting in a measure of similarity between the initial electronic message and the additional electronic message.

Abstract: A load balancing server system includes a plurality of servers. A server has a dispatcher module, a request handler module, a cache and a local database. A load balancer receives requests for information from clients and distributes the requests among dispatcher modules of the plurality of servers in a balanced manner. The dispatcher module receives a request for information, calculates an identifier of a server from a subset of a hash result responsive to the request, routes the request to the server identified by the identifier, and provides information in the response to the client that requested it. The request handler module receives the request routed by the dispatcher module, determines the requested information by searching the cache and/or the local database, and provides the determined information to the dispatcher module.

Abstract: Virus detection modules (120) execute virus detection techniques on clients (110) to check for the presence of computer viruses in data and also communicate with a software server (116). A constraints module (320) specifies constraints on the application of certain virus detection techniques. An administrator uses the software server (116) to release (514) a virus detection technique and an associated constraint to the clients (110). The clients (110) execute the technique subject to the constraint, and report the results to the software server (116). The administrator uses the constraint and reported results to determine (518) whether the technique is causing false positive virus detections. If necessary, the administrator modifies (520) the technique to reduce the false positives and/or modifies (524) the constraint to cause the technique to execute more frequently. The constraints allow the administrator to detect false positives without inconveniencing most clients (110).

Abstract: A firewall dynamically adapts to changes in a utility computing system. The utility computing system has multiple nodes that are dynamically provisioned in different roles. The different roles are best served by different security and/or Quality-of-Service (QoS) policies. The firewall selects and applies security and/or QoS policies to a node or group of nodes based on the roles provisioned to the node or group. The firewall detects when the provisioning of a node changes, and dynamically applies a new security and/or QoS policy to the node based on the new provisioning. The firewall thus provides adaptive network-level security and QoS functionality to a utility computing system.

Abstract: A software development system (SDS) (228) digitally signs software (230) developed on the system. The SDS (228) executes on a computer system (112) having a trusted computing platform. The platform includes protected areas (220, 226) that store data and cannot be accessed by unauthorized modules. A code signing module (232) executing in a protected area (226) obtains a private/public key pair and a corresponding digital certificate. The SDS (228) is configured to automatically and transparently utilize the code signing module (232) to sign software (230) produced by the system. End-user systems (114) receive the certificate with the software and can use it to verify the signature. This verification will fail if a parasitic virus or other malicious code has altered the software (230). Accordingly, the SDS (228) greatly reduces the risk of malicious code executing on the end-user computer system (114).

Abstract: A reputation server is coupled to multiple clients via a network. A security module in each client monitors client encounters with entities such as files, programs, and websites, and then computes a hygiene score based on the monitoring. The hygiene scores are then provided to the reputation server, which computes reputation scores for the entities based on the clients' hygiene scores and the interactions between the clients and the entity. When a particular client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The reputation score may comprises a statistical measure based on a number of other trustworthy or “good hygiene” clients that have a hygiene score above a threshold. The client communicates this reputation score to a user with a message indicating that the reputation score is based on other clients deemed trustworthy.