Abstract: An apparatus includes a memory that stores instructions; and a processing unit that executes the instructions to identify a created process, to receive a notification of a first event for an ancestor process and a notification for a second event for the created process, the notification of the first event indicating a first ActivityID and a first ID, the notification of the second event indicating a second ActivityID and a second ID, the first ID being different from the second ID, to perform a first determination that the created process was created by a component object model (COM) call, at least in part based on the second ID, and to perform a second determination that the ancestor process indirectly created the created process, at least in part based on the first and second ActivityIDs and the first determination.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: trace, for a plurality of actions having different direct parent actors, a common responsible parent actor, wherein the instructions determine that the common responsible parent actor caused or directed the plurality of actions; compile a report of the plurality of actions, wherein the actions are grouped by the common responsible parent actor; send the report to a machine or human analysis agent; responsive to the report, receive from the analysis agent a remedial action; and execute the remedial action.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; and instructions encoded within the memory to instruct the processor to provide a security agent to: identify a malicious process; construct a genealogical process tree of the malicious process, the genealogical process tree including both vertical direct inheritance and horizontal indirect inheritance relationships; and terminate the malicious process and at least some related processes in the genealogical process tree.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; and instructions encoded within the memory to instruct the processor to provide a security agent to: identify a malicious process; construct a genealogical process tree of the malicious process, the genealogical process tree including both vertical direct inheritance and horizontal indirect inheritance relationships; and terminate the malicious process and at least some related processes in the genealogical process tree.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor access to data in a secured area of memory at a hypervisor level, receive a request from a process to the data in the secured area, and deny the request if the process is not a trusted process. In an example, the electronic device is a point of sale device.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive a request from a process to access data is a system, determine if the data is in a virtualized protected area of memory in the system, and allow access to the data if the data is in the virtualized protected area of memory and the process is a trusted process. The electronic device can also be configured to determine if new data should be protected, store the new data in the virtualized protected area of memory in the system if the new data should be protected, and store the new data in an unprotected area of memory in the system if the new data should not be protected.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive a request from a process to access data is a system, determine if the data is in a virtualized protected area of memory in the system, and allow access to the data if the data is in the virtualized protected area of memory and the process is a trusted process. The electronic device can also be configured to determine if new data should be protected, store the new data in the virtualized protected area of memory in the system if the new data should be protected, and store the new data in an unprotected area of memory in the system if the new data should not be protected.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive a request from a process to access data is a system, determine if the data is in a virtualized protected area of memory in the system, and allow access to the data if the data is in the virtualized protected area of memory and the process is a trusted process. The electronic device can also be configured to determine if new data should be protected, store the new data in the virtualized protected area of memory in the system if the new data should be protected, and store the new data in an unprotected area of memory in the system if the new data should not be protected.

Abstract: In an example, there is disclosed a computing apparatus having one or more logic elements providing a security agent operable for: detecting that a first process has launch a second process and placed the second process in a suspended state; detecting that the first process has modified or attempted to modify the second process; classifying the modification as potentially malicious; and taking a remedial action. There is also disclosed one or more computer-readable storage mediums having stored thereon executable instructions for providing the security agent, and a computer-executable method of providing the security agent.

Abstract: A method is provided in one example embodiment that includes receiving in an external handler an event notification associated with an event in a virtual partition. A thread in the process in the virtual partition that caused the event can be parked. Other threads and processes may be allowed to resume while a security handler evaluates the event for potential threats. A helper agent within the virtual partition may be instructed to execute a task, such as collecting and assembling event context within the virtual partition, and results based on the task can be returned to the external handler. A policy action can be taken based on the results returned by the helper agent, which may include, for example, instructing the helper agent to terminate the process that caused the event.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine when a peripheral is connected to the electronic device, determine a peripheral identification for the peripheral, and monitor the data going to and from the peripheral. Based on the monitored data, a type for the peripheral can be determine. The peripheral identification can be compared with the determined type for the peripheral and if they do not match, then communication to and from the peripheral can be blocked.

Abstract: Technologies for securing an electronic device include trapping an attempt to access a secured system resource of the electronic device, determining a module associated with the attempt, determining a subsection of the module associated with the attempt, the subsection including a memory location associated with the attempt, accessing a security rule to determine whether to allow the attempted access based on the determination of the module and the determination of the subsection, and handling the attempt based on the security rule. The module includes a plurality of distinct subsections.

Abstract: In an example, there is disclosed a computing apparatus having one or more logic elements providing a security agent operable for: detecting that a first process has launch a second process and placed the second process in a suspended state; detecting that the first process has modified or attempted to modify the second process; classifying the modification as potentially malicious; and taking a remedial action. There is also disclosed one or more computer-readable storage mediums having stored thereon executable instructions for providing the security agent, and a computer-executable method of providing the security agent.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor a process, determine if the process is parsing to look for one or more system functions, and flag the process if the process is parsing to look for one or more system system functions. In an example, the process can be determined to be parsing to look for one or more system functions if the process parses portable executable headers to find and interpret dynamic link library tables. In another example, the process can be determined to be parsing to look for one or more system functions if the process calls GetProcAddress.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive a request from a process to access data is a system, determine if the data is in a virtualized protected area of memory in the system, and allow access to the data if the data is in the virtualized protected area of memory and the process is a trusted process. The electronic device can also be configured to determine if new data should be protected, store the new data in the virtualized protected area of memory in the system if the new data should be protected, and store the new data in an unprotected area of memory in the system if the new data should not be protected.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor access to data in a secured area of memory at a hypervisor level, receive a request from a process to the data in the secured area, and deny the request if the process is not a trusted process. In an example, the electronic device is a point of sale device.

Abstract: A method is provided in one example embodiment that includes receiving in an external handler an event notification associated with an event in a virtual partition. A thread in the process in the virtual partition that caused the event can be parked. Other threads and processes may be allowed to resume while a security handler evaluates the event for potential threats. A helper agent within the virtual partition may be instructed to execute a task, such as collecting and assembling event context within the virtual partition, and results based on the task can be returned to the external handler. A policy action can be taken based on the results returned by the helper agent, which may include, for example, instructing the helper agent to terminate the process that caused the event.

Abstract: Technologies for securing an electronic device include trapping an attempt to access a secured system resource of the electronic device, determining a module associated with the attempt, determining a subsection of the module associated with the attempt, the subsection including a memory location associated with the attempt, accessing a security rule to determine whether to allow the attempted access based on the determination of the module and the determination of the subsection, and handling the attempt based on the security rule. The module includes a plurality of distinct subsections.

Abstract: Provided in some embodiments are systems and methods for remediating malware. Embodiments include receiving (from a process) a request to access data, determining that the process is an unknown process, providing the process with access to one or more data tokens in response to determining that the process is an unknown process, determining whether the process is engaging in suspicious activity with the one or more data tokens, and inhibiting execution of the process in response to determining that the process is engaging in suspicious activity with the one or more data tokens.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine when a peripheral is connected to the electronic device, determine a peripheral identification for the peripheral, and monitor the data going to and from the peripheral. Based on the monitored data, a type for the peripheral can be determine. The peripheral identification can be compared with the determined type for the peripheral and if they do not match, then communication to and from the peripheral can be blocked.