Abstract: Systems and methods receiving an indication that a domain has been blocked. A temporary web server is created that has network address that is different from the network address associated with the blocked domain. Content is created that indicates the blocked domain, and optionally, a reason for the blocking. The network address of the temporary web server is returned to a requesting browser application, which can display the content without providing a security warning.

Abstract: Data relating to attacks is collected in honeypots, including network address of attacks and time of attacks. The attack data is analyzed to generate a predicted likelihood of future attacks from network addresses in the activity data, and a network address blacklist is constructed including network addresses predicted likely to be a source of a future attack. The process is repeated over time, such that network addresses with no recent honeypot activity are removed from the blacklist.

Abstract: A file similarity vector for an executable file or executable object can be determined using function lengths of functions in the executable file or data object. The executable file or data object can be scanned, and lengths of functions can be determined. Various statistics such as number of functions, maximum function length, minimum function length, and average function length can be used to create a file similarity vector. The file similarity vector can be used to compare files.

Abstract: Detecting a Domain Name Service (DNS) hijacking includes resolving names in a hijack target group list to their respective Internet Protocol (IP) addresses. In response to determining that two names in the hijack target group list resolved to a common IP address, a determination is made whether a legitimate reason exists for the two names in the hijack target group list to resolve to the common IP address. In response to determining that a legitimate reason does not exist for the two names in the hijack target group list to resolve to a common IP address, a DNS hijacking is indicated.

Abstract: A computing device can initiate a pairing operation with mobile computing device. The computing device encodes a pairing secret into a displayable code for presentation. The size of the displayable code can be determined in accordance with a threshold distance and display parameters. The mobile computing device is positioned such that an image of the displayable code substantially fills a boundary whose size is determined according to a desired threshold distance, a focal length, and parameters of a sensor chip. The displayable code is decoded to reveal the pairing secret to the mobile computing device. The pairing secret is used to complete the pairing process with the computing device. Once pairing has been completed, the computing device can measure a signal strength between the computing device and the mobile computing device. The signal strength can be stored to be used for later authorization purposes.

Abstract: A system and method for prefix fingerprints for a first file or a first data object. A prefix fingerprint comprises a plurality of hash values. The hash values of the prefix fingerprints are typically generated starting at the same offset within the file or data object, but are generated based on different data sizes. Later, a second file or second data object can be compared with the first file or first data object to determine if the second file or data object is a prefix of the first file or data object. A hash value is selected from the previously determined prefix fingerprint of the first file based on the size of the second file. A hash is generated for the second file using the same offset value and size as was used to generate the selected hash value from the prefix fingerprint. The hash values are then compared.

Abstract: A method and system for an automated classification rating of browser extensions is provided. One embodiments of the present invention can track the behavior of a large number of users in order to determine the reputation of browser extensions such as toolbars. The rating can be determined based on similarity analysis of previously rated browser extension attributes, and can be adjusted in response to a determination of the user's choice on the browser extension removal and reinstallation.

Abstract: Systems and methods normalize an executable script. A file can be received that potentially contains an executable script. The characters in the file are translated to a single case (either upper case or lower case). Duplicate whitespace can be removed. A script is identified within the file. Tokens in the script are processed to create normalized output. The normalized output can include tokens that are retained keywords, control flow characters or data characters from the script file.

Abstract: A location anomaly for a mobile device can be detected using non-location information from the mobile device. The non-location information does not include data from a location based device, such as a GPS. A probabilistic model is created using historical non-location information accumulated from the mobile device. Current non-location data is compared with the probabilistic model to determine a probability associated with the current non-location information. If the probability is less than a predetermined or configurable threshold, a location anomaly is detected. A notification of the location anomaly may be displayed and/or transmitted in response to detecting the location anomaly.

Abstract: Systems and methods are described which integrate file properties that in conventional systems has been considered weaker evidence of malware and analyzes the information to produce reliable results. Properties such as file paths, file names, source domains, IP protocol ASNs, section checksums, digital signatures that are not always present and not always reliable can be integrated into the classification process using a graph. A 1-neighborhood of object values in the graph may be created and analyzed to suggest a malware family label based on files having similar properties.

Abstract: Systems and methods index and search log files created after execution of binaries. A plurality of log files each have one or more sequences. An index tree is created for the log files. A first log file is placed into a bucket of the index tree according to the lengths of the one or more sequences of the first log file. Remaining logs files are placed the index tree according to their respective sequence lengths. Each log becomes a representative in the bucket or associated with a representative in the bucket. The index tree can be searched, where an incurred distance and a remaining distance is maintained during the search. Nodes are pruned based, at least in part, on the incurred distance and the remaining distance.

Abstract: Systems and methods monitor a system including a remote desktop, a trusted mobile instance, and a delivery handler. The delivery handler can determine if the system is overloaded and to take the appropriate measures to maintain a negotiated minimal QoS and adapt as necessary when the conditions vary. Additionally, the systems and method can address security issues by separating privileges that are typically bundled together in conventional systems, and by applying isolation mechanisms to exposed areas of the system.

Abstract: A method and apparatus for an automated classification and reset of browser settings is provided. A set of disreputable browser setting values is maintained based on statistics associated with the browser setting values. In response to determining that an attempt is made to set a browser setting to a value in the set of disreputable browser setting values, a notification can be presented to the user. The notification can include options in a set of reputable browser settings.

Abstract: A password manager injects credentials into a web browser request. A user can browse to a form provided by a server that includes a password field. A plug-in requests a password for the field from a password manager. The actual password is not provided to the plug-in or the browser. The password manager provides a proxy password that is not the actual password for the field. A request interceptor in a separate process from the browser intercepts the completed request as it is sent to the server and replaces the proxy password with the actual password.

Abstract: Systems and methods authenticate with application extensions. An application extension requests a token from a local application. The local application generates a token and either inserts the token into a protected storage accessible only by the application extension being run by the current user or returns the token back to the application extension after being confirmed by the legitimate user. The application extension uses the token to authenticate itself with the local application.

Abstract: Systems and methods automatically determine rules for detecting malware. A fingerprint representing a file is received. A set of nearest neighbor fingerprints from at least a set of malware fingerprints that are nearest neighbors are determined. The set of malware fingerprints are analyzed to determine a representative fingerprint. A malicious file detection rule is generated based, at least in part, on the representative fingerprint.

Abstract: Systems and method classify a file using filters. A file event can be determined for the file. In response to the file event, metadata is received for the file. In response to receiving the metadata, a filter of a plurality of filters is selected based on the metadata. One or more rules in the selected filter can classify the file to determine an action to be performed with respect to the file.

Abstract: Systems and method identify potentially mislabeled file samples. A graph is created from a plurality of sample files. The graph includes nodes associated with the sample files and behavior nodes associated with behavior signatures. Phantom nodes are created in the graph for those sample files having a known label. During a label propagation operation, a node receives data indicating a label distribution of a neighbor node in the graph. In response to determining that the current label for the node is known, a neighborhood opinion is determined for the associated phantom node, based at least in part on the label distribution of the neighboring nodes. After the label propagation operation has completed, differences between the neighborhood opinion and the current label distribution for nodes are determined. If the difference exceeds a threshold, then the current label may be incorrect.

Abstract: Systems and methods analyze input files to automatically determine malware signatures. A set of input files known to contain a particular type of malware can be provided to a file analyzer. The file analyzer can analyze the file using a sliding window to create vectors from values that are provided by multiple filters that process each window. The vectors created for a file define a response matrix. The response matrices for a set of input files can be analyzed by a classifier to determine useful vector components that can define a signature for the malware.

Abstract: Loading a guest virtual machine from a snapshot includes determining a plurality of executable modules loaded in a guest operating system. Hash values for pages of guest physical memory in the snapshot file are determined. Hash values for pages of the executable modules executing in the guest operating system are determined. Matches to the pages in the guest physical memory and the pages of the executable modules are searched for using the hash values. Context information associated with the matching pages in the guest physical memory and the pages of the executable modules is written to the snapshot. The snapshot is modified to link the guest physical memory to the pages of the executable modules.