Abstract: A pop-up blocker application detects and remediates malicious pop-up loops. The pop-up blocker application intercepts a call from a web page for initiating a pop-up browser window in a web browser. The pop-up blocker application updates a count of pop-up initiating calls associated with the web page occurring within a pre-defined time window. The updated count is compared to a threshold to determine whether the count meets a threshold indicative of a malicious pop-up loop. Responsive to the count meeting the threshold, the pop-up blocker applications takes a remedial action, such as navigating away from the web page.

Abstract: A pop-up blocker application detects and remediates malicious pop-up loops. The pop-up blocker application intercepts a call from a web page for initiating a pop-up browser window in a web browser. The pop-up blocker application updates a count of pop-up initiating calls associated with the web page occurring within a pre-defined time window. The updated count is compared to a threshold to determine whether the count meets a threshold indicative of a malicious pop-up loop. Responsive to the count meeting the threshold, the pop-up blocker applications takes a remedial action, such as navigating away from the web page.

Abstract: A security server receives a full hash and a set of subhashes from a client. The security server determines that the full hash is blacklisted. The security server updates, for each subhash in the set of subhashes, an associated malicious count. The security server adds a subhash to a subhash blacklist responsive to an associated malicious count exceeding a threshold. The security server receives a second set of subhashes. The security server determines whether at least one of the subhashes in the second set of subhashes is included in the subhash blacklist. The security server reports to the client based on the determination.

Abstract: A security server receives a full hash and a set of subhashes from a client. The security server determines that the full hash is whitelisted. The security server updates, for each subhash in the set of subhashes, an associated clean count. The security server adds a subhash to a subhash whitelist responsive to an associated clean count exceeding a threshold. The security server receives a second set of subhashes. The security server determines whether at least one of the subhashes in the second set of subhashes is included in the subhash whitelist. The security server reports to the client based on the determination.

Abstract: An anti-malware application detects and remediates malware. The anti-malware application detects an event associated with a process and determines if the event matches an entry in an exclusions list. If the event is absent from the exclusions list, the anti-malware application monitors the operation of the process, logs the event data in an event log, and sends the event to a server to determine whether the process corresponds to malware. The anti-malware application updates the exclusions list based on the logged event if the process does not correspond to malware. The anti-malware application restores a file edited by the process to the saved copy of the original file prior to the file being edited by the process if the process corresponds to malware.

Abstract: An anti-malware application detects and remediates malware. The anti-malware application detects an event associated with a process and determines if the event matches an entry in an exclusions list. If the event is absent from the exclusions list, the anti-malware application monitors the operation of the process, logs the event data in an event log, and sends the event to a server to determine whether the process corresponds to malware. The anti-malware application updates the exclusions list based on the logged event if the process does not correspond to malware. The anti-malware application restores a file edited by the process to the saved copy of the original file prior to the file being edited by the process if the process corresponds to malware.

Abstract: A protection application detects and remediates malicious files on a client. The protection application trains models using known samples of static clean files, and the models characterize features of the clean files. A model may be selected based on metadata obtained from a target file. By processing features of the clean files and features of the target file, the model may generate an anomaly score indicating a level of dissimilarity between the target file and the sample. The protection application compares the anomaly score to one or more threshold scores to classify the target file. Additionally, the target file may be provided to a security server to check against a whitelist or blacklist for classification. Responsive to a classification as malicious, the protection application remediates the target file on the client.

Abstract: A security server receives a full hash and a set of subhashes from a client. The security server determines that the full hash is whitelisted. The security server updates, for each subhash in the set of subhashes, an associated clean count. The security server adds a subhash to a subhash whitelist responsive to an associated clean count exceeding a threshold. The security server receives a second set of subhashes. The security server determines whether at least one of the subhashes in the second set of subhashes is included in the subhash whitelist. The security server reports to the client based on the determination.

Abstract: A pop-up blocker application detects and remediates malicious pop-up loops. The pop-up blocker application intercepts a call from a web page for initiating a pop-up browser window in a web browser. The pop-up blocker application updates a count of pop-up initiating calls associated with the web page occurring within a pre-defined time window. The updated count is compared to a threshold to determine whether the count meets a threshold indicative of a malicious pop-up loop. Responsive to the count meeting the threshold, the pop-up blocker applications takes a remedial action, such as navigating away from the web page.

Abstract: An anti-malware application detects and remediates malware. The anti-malware application detects an event associated with a process and determines if the event matches an entry in an exclusions list. If the event is absent from the exclusions list, the anti-malware application monitors the operation of the process, logs the event data in an event log, and sends the event to a server to determine whether the process corresponds to malware. The anti-malware application updates the exclusions list based on the logged event if the process does not correspond to malware. The anti-malware application restores a file edited by the process to the saved copy of the original file prior to the file being edited by the process if the process corresponds to malware.

Abstract: An anti-malware application detects and remediates malware. The anti-malware application detects an event associated with a process and determines if the event matches an entry in an exclusions list. If the event is absent from the exclusions list, the anti-malware application monitors the operation of the process, logs the event data in an event log, and sends the event to a server to determine whether the process corresponds to malware. The anti-malware application updates the exclusions list based on the logged event if the process does not correspond to malware. The anti-malware application restores a file edited by the process to the saved copy of the original file prior to the file being edited by the process if the process corresponds to malware.

Abstract: A protection application detects and remediates malicious files on a client. The protection application trains models using known samples of static clean files, and the models characterize features of the clean files. A model may be selected based on metadata obtained from a target file. By processing features of the clean files and features of the target file, the model may generate an anomaly score indicating a level of dissimilarity between the target file and the sample. The protection application compares the anomaly score to one or more threshold scores to classify the target file. Additionally, the target file may be provided to a security server to check against a whitelist or blacklist for classification. Responsive to a classification as malicious, the protection application remediates the target file on the client.

Abstract: A protection application detects and remediates malicious files on a client. The protection application trains models using known samples of static clean files, and the models characterize features of the clean files. A model may be selected based on metadata obtained from a target file. By processing features of the clean files and features of the target file, the model may generate an anomaly score indicating a level of dissimilarity between the target file and the sample. The protection application compares the anomaly score to one or more threshold scores to classify the target file. Additionally, the target file may be provided to a security server to check against a whitelist or blacklist for classification. Responsive to a classification as malicious, the protection application remediates the target file on the client.

Abstract: A network access manager controls access to a network interface according to a set of access control instructions specifying permissible and impermissible addresses and domains on a network. The network access manager establishes a graylist of addresses based on a domain request that is associated with a whitelisted domain that is accessed via a blacklisted address. When a request to establish a connection is received directed to a graylisted address, the connection is permitted to establish and the connection is added to a session graylist. When a session data transfer packet is received, if the session corresponds to a session on the session graylist, the session data transfer packet is examined to determine if it matches a whitelisted domain, in which case the session is associated with a session whitelist and permitted access to the network. The access control instructions may be automatically updated from a trusted access control management system.

Abstract: A self-protection application executes in kernel mode and manages access to processes and files related to an associated anti-malware application. The self-protection application monitors executing processes on the client device and detects the processes that are attempting to access files/processes related to the anti-malware software. These processes and files are verified by the self-protection application using digital signature authentication. Trusted processes such as those originating from the anti-malware software or other authorized programs are allowed access while other processes are restricted access.

Abstract: A network access manager controls access to a network interface according to a set of access control instructions specifying permissible and impermissible addresses and domains on a network. The network access manager establishes a graylist of addresses based on a domain request that is associated with a whitelisted domain that is accessed via a blacklisted address. When a request to establish a connection is received directed to a graylisted address, the connection is permitted to establish and the connection is added to a session graylist. When a session data transfer packet is received, if the session corresponds to a session on the session graylist, the session data transfer packet is examined to determine if it matches a whitelisted domain, in which case the session is associated with a session whitelist and permitted access to the network. The access control instructions may be automatically updated from a trusted access control management system.