Patents Assigned to Malwarebytes Inc.
  • Patent number: 11818166
    Abstract: A malware infection prediction method predicts a likelihood that a client device is to be infected within a period of time based on state and behavior telemetry data. A malware infection prediction system receives telemetry data associated with use (i.e. behavior data) and configuration (i.e. state data) of a client device. By using a trained model, the system predicts a likelihood of the client device becoming infected within a given time frame. Based on the predicted likelihood, the system generates recommendations including recommended actions for reducing the likelihood of the client device becoming infected. The system then generates notifications including the recommendations and sends the notifications to the client device or to an administrative account associated with the client device.
    Type: Grant
    Filed: July 7, 2021
    Date of Patent: November 14, 2023
    Assignee: Malwarebytes Inc.
    Inventors: Sunil Mathew Thomas, Tina LaVonne Barfield, Adam Hyder
  • Patent number: 11816203
    Abstract: An anti-malware system monitors the emulation of a suspicious program in a sandbox environment. The anti-malware system determines that the suspicious program is attempting to access a restricted area of memory (e.g., an executable instruction in the restricted area). Rather than stop the emulation, the anti-malware system can temporarily pause the emulation of the suspicious program. During this pause, the anti-malware system can determine whether the suspicious program is containable within the sandbox environment. If the anti-malware system determines that the emulation of the executable instruction is safe (e.g., that the program is containable), the anti-malware system will resume emulation. If the anti-malware system determines that the emulation of the executable instruction is not safe, the anti-malware system may shut down emulation.
    Type: Grant
    Filed: November 23, 2021
    Date of Patent: November 14, 2023
    Assignee: Malwarebytes Inc.
    Inventors: Jason Neal Raber, Mickael Roger
  • Patent number: 11797676
    Abstract: An anti-malware application can emulate a suspicious program in a sandbox environment and retrieve any exception handlers the suspicious program attempts to register with the operating system. When the suspicious program triggers an exception, the anti-malware application can save a current context of the suspicious program being emulated. To emulate the handling of the exception, the anti-malware application can validate an exception handler chain including one or more exception handlers added by the suspicious program. The anti-malware application can then select and emulate an exception handler based on the saved context of the suspicious program at the time the exception was triggered. If the first exception handler is successful at resolving the exception, the anti-malware application can then save an updated post-exception context and continue emulation of the suspicious program based on the result of the first exception handler.
    Type: Grant
    Filed: August 25, 2021
    Date of Patent: October 24, 2023
    Assignee: Malwarebytes Inc.
    Inventor: Jason Neal Raber
  • Patent number: 11586741
    Abstract: A computer security system includes a test management system and associated communication architecture that enables creation of customized tests of computer security application features. A server stores a test script in a custom scripting language. The test script includes a set of control statements that may be organized in a decision tree to control facilitation of the test. Clients poll the server to independently obtain and execute the control statements. Execution of the control statements controls which clients participate in a test, which feature will be tested in the test, and what telemetry data will be collected from the clients to evaluate the test. The server evaluates the telemetry data to determine an outcome of the test and determines whether to further distribute or roll back the tested feature based on the test outcome. The testing can be utilized to rapidly and robustly deploy features that will enhance computer security.
    Type: Grant
    Filed: August 24, 2021
    Date of Patent: February 21, 2023
    Assignee: Malwarebytes Inc.
    Inventors: Sunil Mathew Thomas, Jonathan Chan, Jonathan Eagan Rackley
  • Patent number: 11586732
    Abstract: A computing device determines, for a first time period, a usage-based file list identifying one or more executable files. The computing device determines, for each of the one or more executable files identified by the usage-based file list, whether to perform a malware scan upon the executable file based on a cached record for the executable file. The computing device schedules, for execution during a preceding time period before the first time period, a malware scan for at least one of the one or more executable files based on the corresponding determination of whether to perform a malware scan. Each scheduled malware scan is initiated as a low priority thread for execution. The computing device performs each scheduled malware scan during the preceding time period.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: February 21, 2023
    Assignee: Malwarebytes Inc.
    Inventor: Ravi Kalyan Namballa
  • Patent number: 11520887
    Abstract: Client devices detect malware based on a ruleset received from a security server. To evaluate a current ruleset, an administrative client device initiates a ruleset evaluation of the malware detection ruleset. A security server partitions stored malware samples into a group of evaluation lists based on an evaluation policy. The security server then creates scanning nodes on an evaluation server according to the evaluation policy. The scanning nodes scan the malware samples of the evaluation lists using the rulesets and associate each malware sample with a rule of the ruleset based on the detections, if any. The security server analyzes the associations and optimizes the ruleset and stored malware samples. The security server sends the optimized ruleset to client devices such that they more efficiently detect malware samples.
    Type: Grant
    Filed: October 14, 2020
    Date of Patent: December 6, 2022
    Assignee: Malwarebytes Inc.
    Inventors: Sunil Mathew Thomas, Michael Graham Malone
  • Patent number: 11360883
    Abstract: A test management system utilizes an adaptive cohort selection technique to dynamically select and update a cohort of clients for testing a feature of a computer security application. The test management system selects an initial cohort based on high level parameters of the test including the feature to be evaluated and the statistical confidence level for the outcome. During the test, the test management system obtains real-time telemetry data relevant to evaluating the test. Depending on how the test is tracking relative to the test objectives, the test management system may dynamically modify the cohort by expanding the size of the cohort or changing the cohort membership.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: June 14, 2022
    Assignee: Malwarebytes Inc.
    Inventors: Adam Hyder, Raghuram Sri Sivalanka, Mayank Gupta
  • Patent number: 11232193
    Abstract: A method that automatically generates blacklists for a sandbox application. The method first obtains a set of disassembled operating system (OS) dynamic-link libraries (DLLs) and then identifies application programming interfaces (API) functions that have respective kernel interruptions. The identified API functions that have kernel instructions are saved to an interrupt list. Based on the interrupt list, a processor generates a blacklist that includes for each of the DLLs, the identified API functions in the interrupt list, all API functions that directly or indirectly invoke one of the identified API functions in the interrupt list via one or more nested API functions. The method outputs the blacklist to the sandbox application that operates on a sample file to emulate API functions of the sample file that match the blacklist. All other APIs not identified as being blacklisted, are then considered whitelisted and are allowed to run natively.
    Type: Grant
    Filed: November 4, 2020
    Date of Patent: January 25, 2022
    Assignee: Malwarebytes Inc.
    Inventor: Jason Neal Raber
  • Patent number: 11184328
    Abstract: A security server assigns user sessions to a provider that provides virtual private networks. The security server trains a machine-learned model to identify a provider from a set of providers. The security server obtains connection parameters associated with a requested VPN connection. Connection parameters comprise a location of a computing device that requested the VPN connection, a time of the requested VPN connection, a current and/or historical state of VPN performance data, and user preferences. The security server applies the machine-learned model to the connection parameters to identify a provider. The security server provisions a user session based on the provider and establishes a connection through the provider.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: November 23, 2021
    Assignee: Malwarebytes Inc.
    Inventors: Adam Hyder, Ravi Kalyan Namballa, Matthew English, Vijay Arumugam Velayutham, Motil Jayakar, Sunil Mathew Thomas
  • Patent number: 11176242
    Abstract: A pop-up blocker application detects and remediates malicious pop-up loops. The pop-up blocker application intercepts a call from a web page for initiating a pop-up browser window in a web browser. The pop-up blocker application updates a count of pop-up initiating calls associated with the web page occurring within a pre-defined time window. The updated count is compared to a threshold to determine whether the count meets a threshold indicative of a malicious pop-up loop. Responsive to the count meeting the threshold, the pop-up blocker application takes a remedial action, such as navigating away from the web page.
    Type: Grant
    Filed: November 28, 2018
    Date of Patent: November 16, 2021
    Assignee: Malwarebytes Inc.
    Inventor: Douglas Stuart Swanson
  • Patent number: 11157614
    Abstract: A system manages the rate of false positive detections of malware by controlling release of malware definition updates. The system determines a cohort of target devices for distributing an initial release of an update of malware definitions and sends the update exclusively to the target devices. The system then obtains telemetry data which include information associated with usage of the target devices following the update. The system analyzes the telemetry data for instances of false positive detections of malware arising from the update to the malware definitions. Based on the analysis of the telemetry data, the system determines whether to further distribute the update outside of the cohort of target client devices or to roll back the update provided to the cohort. The system executes the decision to further distribute the update or to roll back the update.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: October 26, 2021
    Assignee: Malwarebytes Inc.
    Inventors: Sunil Mathew Thomas, Tina LaVonne Barfield, Adam Hyder
  • Patent number: 11132443
    Abstract: An anti-malware application can emulate a suspicious program in a sandbox environment and retrieve any exception handlers the suspicious program attempts to register with the operating system. When the suspicious program triggers an exception, the anti-malware application can save a current context of the suspicious program being emulated. To emulate the handling of the exception, the anti-malware application can validate an exception handler chain including one or more exception handlers added by the suspicious program. The anti-malware application can then select and emulate an exception handler based on the saved context of the suspicious program at the time the exception was triggered. If the first exception handler is successful at resolving the exception, the anti-malware application can then save an updated post-exception context and continue emulation of the suspicious program based on the result of the first exception handler.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: September 28, 2021
    Assignee: Malwarebytes Inc.
    Inventor: Jason Neal Raber
  • Patent number: 11126731
    Abstract: A computer security system includes a test management system and associated communication architecture that enables creation of customized tests of computer security application features. A server stores a test script in a custom scripting language. The test script includes a set of control statements that may be organized in a decision tree to control facilitation of the test. Clients poll the server to independently obtain and execute the control statements. Execution of the control statements controls which clients participate in a test, which feature will be tested in the test, and what telemetry data will be collected from the clients to evaluate the test. The server evaluates the telemetry data to determine an outcome of the test and determines whether to further distribute or roll back the tested feature based on the test outcome. The testing can be utilized to rapidly and robustly deploy features that will enhance computer security.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: September 21, 2021
    Assignee: Malwarebytes Inc.
    Inventors: Sunil Mathew Thomas, Jonathan Chan, Jonathan Eagan Rackley
  • Patent number: 11082446
    Abstract: A malware infection prediction method predicts a likelihood that a client device is to be infected within a period of time based on state and behavior telemetry data. A malware infection prediction system receives telemetry data associated with use (i.e. behavior data) and configuration (i.e. state data) of a client device. By using a trained model, the system predicts a likelihood of the client device becoming infected within a given time frame. Based on the predicted likelihood, the system generates recommendations including recommended actions for reducing the likelihood of the client device becoming infected. The system then generates notifications including the recommendations and sends the notifications to the client device or to an administrative account associated with the client device.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: August 3, 2021
    Assignee: Malwarebytes Inc.
    Inventors: Sunil Mathew Thomas, Tina LaVonne Barfield, Adam Hyder
  • Patent number: 11068592
    Abstract: A computing device determines, for a first time period, a usage-based file list identifying one or more executable files. The computing device determines, for each of the one or more executable files identified by the usage-based file list, whether to perform a malware scan upon the executable file based on a cached record for the executable file. The computing device schedules, for execution during a preceding time period before the first time period, a malware scan for at least one of the one or more executable files based on the corresponding determination of whether to perform a malware scan. Each scheduled malware scan is initiated as a low priority thread for execution. The computing device performs each scheduled malware scan during the preceding time period.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: July 20, 2021
    Assignee: Malwarebytes Inc.
    Inventor: Ravi Kalyan Namballa
  • Patent number: 10992703
    Abstract: A security server receives a full hash and a set of subhashes from a client. The security server determines that the full hash is whitelisted. The security server updates, for each subhash in the set of subhashes, an associated clean count. The security server adds a subhash to a subhash whitelist responsive to an associated clean count exceeding a threshold. The security server receives a second set of subhashes. The security server determines whether at least one of the subhashes in the second set of subhashes is included in the subhash whitelist. The security server reports to the client based on the determination.
    Type: Grant
    Filed: March 4, 2019
    Date of Patent: April 27, 2021
    Assignee: Malwarebytes Inc.
    Inventors: Douglas Stuart Swanson, Mina Yousseif, Jon-Paul Lussier, Jr.
  • Patent number: 10970396
    Abstract: An anti-malware application detects and remediates malware. The anti-malware application detects an event associated with a process and determines if the event matches an entry in an exclusions list. If the event is absent from the exclusions list, the anti-malware application monitors the operation of the process, logs the event data in an event log, and sends the event to a server to determine whether the process corresponds to malware. The anti-malware application updates the exclusions list based on the logged event if the process does not correspond to malware. The anti-malware application restores a file edited by the process to the saved copy of the original file prior to the file being edited by the process if the process corresponds to malware.
    Type: Grant
    Filed: June 20, 2018
    Date of Patent: April 6, 2021
    Assignee: Malwarebytes Inc.
    Inventors: Arif Gezalov, Pedro Bustamante Lopez-Chicheri, Douglas Stuart Swanson
  • Patent number: 10922411
    Abstract: An anti-malware application detects and remediates malware. The anti-malware application detects an event associated with a process and determines if the event matches an entry in an exclusions list. If the event is absent from the exclusions list, the anti-malware application monitors the operation of the process, logs the event data in an event log, and sends the event to a server to determine whether the process corresponds to malware. The anti-malware application updates the exclusions list based on the logged event if the process does not correspond to malware. The anti-malware application restores a file edited by the process to the saved copy of the original file prior to the file being edited by the process if the process corresponds to malware.
    Type: Grant
    Filed: June 20, 2018
    Date of Patent: February 16, 2021
    Assignee: MALWAREBYTES INC.
    Inventors: Arif Gezalov, Pedro Bustamante Lopez-Chicheri, Douglas Stuart Swanson
  • Patent number: 10860720
    Abstract: A protection application detects and remediates malicious files on a client. The protection application trains models using known samples of static clean files, and the models characterize features of the clean files. A model may be selected based on metadata obtained from a target file. By processing features of the clean files and features of the target file, the model may generate an anomaly score indicating a level of dissimilarity between the target file and the sample. The protection application compares the anomaly score to one or more threshold scores to classify the target file. Additionally, the target file may be provided to a security server to check against a whitelist or blacklist for classification. Responsive to a classification as malicious, the protection application remediates the target file on the client.
    Type: Grant
    Filed: August 28, 2018
    Date of Patent: December 8, 2020
    Assignee: MALWAREBYTES INC.
    Inventors: Andrew Thomas Hartnett, Douglas Stuart Swanson
  • Patent number: 10839078
    Abstract: Client devices detect malware based on a ruleset received from a security server. To evaluate a current ruleset, an administrative client device initiates a ruleset evaluation of the malware detection ruleset. A security server partitions stored malware samples into a group of evaluation lists based on an evaluation policy. The security server then creates scanning nodes on an evaluation server according to the evaluation policy. The scanning nodes scan the malware samples of the evaluation lists using the rulesets and associate each malware sample with a rule of the ruleset based on the detections, if any. The security server analyzes the associations and optimizes the ruleset and stored malware samples. The security server sends the optimized ruleset to client devices such that they more efficiently detect malware samples.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: November 17, 2020
    Assignee: MALWAREBYTES INC.
    Inventors: Sunil Mathew Thomas, Michael Graham Malone