Abstract: Methods, apparatus, systems and articles of manufacture for detecting malware via analysis of a screen capture are disclosed. An example apparatus includes at least one memory, instructions, and processor circuitry to execute the instructions. The processor circuitry is to detect execution of a process, capture a portion of a screen buffer as a captured image, after the execution of the process is detected, analyze the captured image to determine an image similarity to a stored image in a database, the database to at least store malicious images, and perform a responsive action when the image similarity satisfies a similarity threshold.

Abstract: There is disclosed in one example a mobile telephone, including: a hardware platform including a processor and a memory; a telecommunication transceiver; and instructions encoded within the memory to instruct the processor to: identify a call made via the telecommunication transceiver; analyze the call and assign the call a predicted local reputation according to the analysis, including a legitimacy confidence score; if the legitimacy confidence score is less than a first threshold, terminate the call; if the legitimacy confidence score is greater than a second threshold, cease analysis of the call; and if the legitimacy confidence score is between the first and second thresholds, continue analysis of the call.

Abstract: There is disclosed in one example an enrollment over secure transport (EST)-capable gateway device, including: a hardware platform including a processor and a memory; a first network interface to communicatively couple to an external network, including an external DNS server; a second network interface to communicatively couple to a home network; a caching DNS server including a local DNS cache, and logic to provide DNS services to the home network; and an EST proxy to authenticate to a local endpoint on the home network, provision a DNS server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint.

Abstract: Security risk evaluation across user devices is disclosed herein. An example method includes identifying a user and one or more devices associated with the user, collecting information identifying applications used by the user on the one or more devices, determining respective security sub-scores for each item of the one or more devices, computing an overall security score for the user based, at least in part, on an aggregation of the security sub-scores, and creating a user profile based on the overall security score, the user profile to enable the at least one of the one or more devices to exchange data with an external device when the overall security score meets a security score threshold, the user profile to prevent the at least one of the one or more devices from exchanging data with the external device when the overall security score does not meet the security score threshold.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed. An example apparatus includes at least one memory, instructions in the apparatus, at least one processor to execute the instructions to, in response to identifying malicious data: a) in response to determining that the at least one processor is controlled by the first operating system type, block a download from being executed, and b) in response to determining a switch from the first operating system type to the second operating system type, remove, from the at least one memory, an object downloaded in the download.

Abstract: There is disclosed a method of providing passive phishing remediation for an enterprise, including: displaying, to a user of a mobile device, an email; receiving from the user a one-click request to perform additional analysis of the email; providing the email to a phishing mitigation service; assigning the email a reputation score, generating a human-readable reputation display for the email, wherein the human-readable reputation display includes at least three grades comprising safe, unknown or unreliable, and unsafe or malicious; and providing the human-readable reputation display as a push notification to the mobile device.

Abstract: There is disclosed a computer-implemented system and method of analyzing a batch of objects, including bucketizing the batch of objects into a plurality of buckets according to a feature of the objects; for objects within a batch, performing malware analysis on the objects to assign a malware analysis score, and adjusting the malware analysis score based on the batch; and performing respective security actions on the objects within the batch, based on the adjusted malware analysis score.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.

Abstract: Methods, apparatus, systems, and articles of manufacture for orchestrating personal protection across digital assets are disclosed. An example apparatus includes at least one memory, instructions in the apparatus, and processor circuitry to execute the instructions to monitor digital assets associated with a protection threat surface to detect a protection event, determine one or more protection vectors associated with the digital assets in response to detecting the protection event, the one or more protection vectors including one or more values corresponding to an impact of the protection event on an overall protection posture associated with the protection threat surface, and determine protection remediation action for the digital assets based on the one or more protection vectors.

Abstract: Apparatus, systems, articles of manufacture, and methods for improving anti-malware scan responsiveness and effectiveness using user symptoms feedback are disclosed. An example method includes detecting a performance issue on a computing device, presenting a user interface on a display of the computing device requesting user feedback regarding the performance issue, and synthesizing user input related to the performance issue to identify, on the computing device, a scan parameter associated with the performance issue. The example method further includes, in response to failing to identify the scan parameter on the computing device, transmitting the user input to a symptom analysis server to identify the scan parameter based on anti-malware scans from other computing devices, and, in response to determining the scan parameter, performing a targeted anti-malware scan on the computing device.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to improve the inspection of network data flows. An example apparatus includes memory, and processor circuitry to execute machine readable instructions to at least identify network domains accessible by at least one client device in a geographic location of interest, associate the identified network domains with Autonomous System Numbers (ASNs), create a list of respective ones of the ASNs that include a non-malicious status corresponding to Internet protocol (IP) addresses associated with respective ones of the identified network domains, and in response to receiving a reputation request corresponding to a destination IP address, cause inspection of a data flow to be skipped when the destination IP address is associated with the list of non-malicious ASNs.

Abstract: Methods and apparatus are disclosed to detect malware using micro-forests with customer trust seeds. A false positive correction apparatus includes processor circuitry to perform at least one of the first operations, the second operations or the third operations to instantiate classifier circuitry to access a malicious sample, the malicious sample having a first feature vector, sample comparison circuitry to compare the malicious sample to a known sample, the known sample collected from customer data, the known sample having a second feature vector, calculator circuitry to calculate a distance value between the first feature vector and the second feature vector, threshold comparator circuitry to compare the distance value to a threshold, and change the classification of the malicious sample to clean in response to the distance value satisfying the threshold.

Abstract: Particular embodiments described herein provide for modular device assemblies and methods for enabling maintenance and servicing, particularly by an unmanned aerial vehicle. A device assembly comprises a plurality of modules, each module having control circuitry, a communications port and contact points to couple the modules. When the modules are coupled, the communications ports are connected to create a bus for communications between the modules. The modular device structure where modules are removable and replaceable allows for an unmanned aerial vehicle to perform maintenance on the device.

Abstract: There is disclosed in an example a gateway device, including a hardware computing platform, and a secure domain name system (DNS) engine having circuitry and stored instructions to-program the circuitry, the secure DNS engine to communicatively couple to an endpoint via a local network, begin a secure DNS transaction with the endpoint, determine whether the endpoint supports delegated credentials, and after determining that the endpoint supports delegated credentials, establish a secure DNS session with the endpoint using a delegated credential.

Abstract: A computing apparatus includes a hardware platform having a processor and a memory; an operating system (OS) having a GUI with a user-initiatable share function, and an interface to register a share target for the share function; and instructions encoded within the memory to provide a security agent, the instructions to instruct the processor to: receive from the OS a notification that an object has been shared to the security agent via the share function; responsive to the notification, initiate a security scan or reputation action for the shared object; receive a security or reputation response from the security scan or reputation action; and based at least in part on the security scan or reputation response, display a security or reputation notification via the GUI.

Abstract: This disclosure describes systems and methods related to utilizing hardware assisted protection for media content. In some embodiments, a provided method comprises: receiving, from a content server and by a computing device processor of a secure enclave of a device, first encrypted media content; decrypting, by the computing device processor, the first encrypted media content using a first decryption key; generating, by the computing device processor, a second decryption key; encrypting, by the computing device processor, the first decrypted media content using the second key, thereby resulting in second encrypted media content; and sending, by the computing device processor and to one or more graphical processing units (GPUs) comprised in a graphics component of the device, the second encrypted media content and the second decryption key.

Abstract: Methods, apparatus, systems, and articles of manufacture for comprehensive user-centric protection of digital assets are disclosed. An example apparatus includes at least one memory, instructions in the apparatus, and processor circuitry to execute the instructions to identify digital assets associated with a protection threat surface, detect protection events corresponding to threats associated with the digital assets, and determine protection vectors associated with the digital assets based on the protection events, the protection vectors corresponding to protection capabilities associated with the digital assets.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to monitor software and hardware parameters on an electronic device that includes an application designated as a preferred application; determine whether the preferred application is running; detect a change in software or hardware parameters that indicates to reallocate resources to the preferred application; and apply, based on detecting the change in software or hardware parameters, an optimization policy that reallocates resources to a process associated with the preferred application.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed that augment classification for low prevalence samples. An example non-transitory computer readable medium comprises instructions that, when executed, causes a machine to at least classify a data sample using a first classifier, classify the data sample using a second classifier different from the first classifier, the second classifier using a plurality of sensitive hashing (LSH) forests to analyze a sorted plurality of neighbor samples, determine whether a first classification result of the first classifier meets or exceeds a confidence threshold, in response to the first classification result of the first classifier meeting or exceeding the confidence threshold, output the first classification result, and in response to the first classification result of the first classifier not meeting or exceeding the confidence threshold, output a second classification result of the second classifier.

Abstract: An apparatus for detecting a phishing website based on website icons is disclosed. A disclosed example apparatus includes parser circuitry to parse code of a first website, detector circuitry to detect, based on the parsed code, a first website icon and a first Uniform Resource Locator (URL) corresponding to the first website, and hash generator circuitry to generate a first hash of the first website icon, and store the first hash in association with the first URL in a hash entry of an icon hash database, the hash entry to be used for determining that a second website is a phishing website when (a) the first hash matches a second hash of a second website icon corresponding to the second website, and (b) a first portion of the first URL matches a second portion of a second URL corresponding to the second website.