Patents Assigned to McAfee, LLC
-
Patent number: 10826914
Abstract: Apparatus, systems, articles of manufacture, and methods for improving anti-malware scan responsiveness and effectiveness using user symptoms feedback. An example method includes detecting a performance issue on a computing device, presenting a user interface on a display of the computing device requesting user feedback regarding the performance issue, and synthesizing user input related to the performance issue to identify, on the computing device, a scan parameter associated with the performance issue. The example method further includes, in response to failing to identify the scan parameter on the computing device, transmitting the user input to a symptom analysis server to identify the scan parameter based on anti-malware scans from other computing devices, and, in response to determining the scan parameter, performing a targeted anti-malware scan on the computing device.
Type: Grant
Filed: December 28, 2016
Date of Patent: November 3, 2020
Assignee: McAfee, LLC
Inventors: Ritesh Kumar, German Lancioni
-
Patent number: 10825111
Abstract: There is disclosed in one example a social media server, including: a processor; a trusted input/output (IO) interface to communicatively couple to a consumer device; a network interface to communicatively couple to an enterprise; and a memory having stored thereon executable instructions to instruct the processor to provide a data loss prevention (DLP) engine to: receive via the trusted IO interface a signed and encrypted user posting for the social media service, the user posting including a signed user state report verifying that the user has passed a biometric screening; transmit content of the user posting to the enterprise via the network interface for DLP analysis; receive from the enterprise a notification that the user posting has passed DLP analysis; and accept the user posting.
Type: Grant
Filed: December 28, 2018
Date of Patent: November 3, 2020
Assignee: McAfee, LLC
Inventors: Kunal Mehta, Carl D. Woodward, Steven Grobman, Ryan Durand, Simon Hunt
-
Patent number: 10824725
Abstract: Automatic detection of software that performs unauthorized privilege escalation is disclosed. The techniques cause a programmable device to obtain a trace event of a program from an event logger, parse the trace event to determine a privilege level for an event, compare the privilege level for the event to an expected privilege level, and block execution of the program based on the comparison.
Type: Grant
Filed: January 23, 2018
Date of Patent: November 3, 2020
Assignee: McAfee, LLC
Inventor: Eknath Venkataramani
-
Patent number: 10824723
Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify a binary file, identify strings in the binary file, determine that at least one string in the binary file is larger than one kilobyte of data, identify at least one substring from each of the at least one strings in the binary file that is larger than one kilobyte of data, and analyze each of the at least one substrings to determine if each of the at least one substrings is suspicious and related to malware.
Type: Grant
Filed: September 26, 2018
Date of Patent: November 3, 2020
Assignee: McAfee, LLC
Inventor: Daniel L. Burke
-
Publication number: 20200344257
Abstract: A query is received from a particular endpoint device identifying a particular wireless access point encountered by the particular endpoint device. Pre-existing risk assessment data is identified for the identified particular wireless access point and query result data is sent to the particular endpoint device characterizing pre-assessed risk associated with the particular wireless access point. In some instances, the query result data is generated based on the pre-existing risk assessment data. In some instances, pre-existing risk assessment data can be the result of an earlier risk assessment carried out at least in part by an endpoint device interfacing with and testing the particular wireless access point.
Type: Application
Filed: May 8, 2020
Publication date: October 29, 2020
Applicant: McAfee, LLC
Inventors: Prasanna Ganapathi Basavapatna, Satish Kumar Gaddala, Sven Schrecker, David Moshe Goldschlag
-
Patent number: 10819780
Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive a broadcast query from a network element, receive information from a plurality of devices, process the information, and generate an integrated group response, wherein the integrated group response summarizes the information about the plurality of devices and removes identification information that could allow data to be linked to a specific device from the plurality of devices. The integrated group response can be communicated back to the network element in response to the query.
Type: Grant
Filed: December 24, 2015
Date of Patent: October 27, 2020
Assignee: McAfee, LLC
Inventors: Oleg Pogorelik, Alex Nayshtut, Ned M. Smith, Igor Muttik, Michael Raziel
-
Patent number: 10819804
Abstract: In an example, there is disclosed an efficient request/response routing over a publish/subscribe messaging framework. Upon receiving a request for a service, a DXL broker may identify zero or more DXL domain masters providing the service. If no DXL domain masters are available to provide the service, the DXL broker may send a response message, or publish a DXL message, indicating that the service is not available. If more than one DXL domain master provides the service, then the DXL broker may identify the best DXL domain master to service the request, and forward the request to that DXL domain master.
Type: Grant
Filed: December 19, 2013
Date of Patent: October 27, 2020
Assignee: McAfee, LLC
Inventors: Christopher Smith, Edward A. Farrenkopf
-
Publication number: 20200336461
Abstract: A device, system, and method for defending a computer network are described. Network communications are received by a traffic filter, which dynamically determines whether the communications include an anomaly (i.e., are "anomalous" communications), or whether the communications are normal, and do not include an anomaly. The traffic filter routes normal communications to the correct device within its network for servicing the service requested by the communications. The traffic filter routes any anomalous communications to a virtual space engine, which is configured to fake a requested service (e.g., to entice deployment of a malicious payload). Anomalous communications are analyzed using an analytical engine, which can dynamically develop rules for handling anomalous communications in-line, and the rules developed by the analytical engine can be employed by the traffic filter against future received communications.
Type: Application
Filed: June 26, 2020
Publication date: October 22, 2020
Applicant: McAfee, LLC
Inventor: Christopher J. Jordan
-
Patent number: 10812466
Abstract: Managed devices containing a Trusted Platform Module (TPM) to provide a trusted environment generate a device certificate at initialization of the TPM and send the device certificate to a management console for storing in a certificate database. Upon detecting a file of interest, the TPM signs the file, adding to a signature list created by previous managed devices. The signature list can be used to analyze the spread of the file across the system of managed devices, including tracking the file to the first managed device to have had a copy, without requiring real-time access to the managed devices during the spread of the file. In some embodiments, additional security measures may be taken responsive to determining the first managed device and the path the file has taken across the system of managed devices.
Type: Grant
Filed: May 5, 2015
Date of Patent: October 20, 2020
Assignee: McAfee, LLC
Inventors: Balbir Singh, Preet Mohinder, Manish Sharma, Rahul Chandra Khali
-
Patent number: 10810001
Abstract: Examples for device-driven auto-recovery using multiple recovery sources are disclosed herein. At least one storage device or storage disk includes instructions that, when executed, cause at least one processor to at least detect a flaw in a first configuration of a program to be installed on a programmable device, the first configuration recorded on a first chain of a distributed ledger of a blockchain; correct the flaw in the first configuration to generate a corrected configuration; commit the corrected configuration to the distributed ledger, the corrected configuration to create a second chain of the distributed ledger; detect an update of the first configuration to a first updated configuration and an update to the corrected configuration to an updated corrected configuration; and prevent the first updated configuration from being installed on the programmable device by replacing the first updated configuration with the updated corrected configuration on the second chain.
Type: Grant
Filed: December 18, 2018
Date of Patent: October 20, 2020
Assignee: McAfee, LLC
Inventors: Ned M. Smith, Zheng Zhang, Thiago J. Macieira
-
Publication number: 20200327222
Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including at least a processor and a memory; and a security agent including instructions encoded in the memory to instruct the processor to: monitor a user's operation of the computing apparatus over time, including determining whether a selected behavior is a security risk; provide a risk analysis of the user's operation based at least in part on the monitoring; select a scan sensitivity based at least in part on the risk analysis; and scan, with the selected sensitivity, one or more objects on the computing apparatus to determine if the one or more objects are a threat.
Type: Application
Filed: April 12, 2019
Publication date: October 15, 2020
Applicant: McAfee, LLC
Inventors: Nitin Chhabra, Prashanth Palasamudram Ramagopal, Ghanashyam Satpathy, Chakradhar Kotamraju, Rajat Saxena
-
Patent number: 10803165
Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor code as it executes. The code can include self-modifying code. The system can log an event if the self-modifying code occurred in a GetPC address region.
Type: Grant
Filed: September 26, 2015
Date of Patent: October 13, 2020
Assignee: McAfee, LLC
Inventors: Koichi Yamada, Palanivel Rajan Shanmugavelayutham, Greg W. Dalcher, Sravani Konda
-
Patent number: 10802989
Abstract: Embodiments of this disclosure are directed to an execution profiling handler configured for intercepting an invocation of memory allocation library and observing memory allocation for an executable application process. The observed memory allocation can be used to update memory allocation meta-data for tracking purposes. The execution profiling handler can also intercept indirect branch calls to prevent heap allocation from converting to execution and intercept exploitation of heap memory to block execution.
Type: Grant
Filed: March 19, 2019
Date of Patent: October 13, 2020
Assignee: McAfee, LLC
Inventors: Xiaoning Li, Lixin Lu, Ravi Sahita
-
Publication number: 20200322372
Abstract: A set of attributes of a particular asset of a computing environment is identified that are determined from data collected by one or more utilities in the computing environment. A criticality rating is automatically determined for the particular asset based at least in part on the set of attributes. A security activity is caused to be performed relating to the particular asset based on the automatically determined criticality rating of the particular asset.
Type: Application
Filed: June 23, 2020
Publication date: October 8, 2020
Applicant: McAfee, LLC
Inventors: Ratinder Paul Singh Ahuja, Sven Schrecker
-
Publication number: 20200322314
Abstract: There is disclosed in one example a gateway apparatus to operate on an intranet, including: a hardware platform; and an access proxy engine to operate on the hardware platform and configured to: intercept an incoming packet; determine that the incoming packet is an access request directed to an access interface of a resource of the intranet; present an access checkpoint interface; receive an authentication input response; validate the authentication input response; and provide a redirection to the access interface of the device.
Type: Application
Filed: June 23, 2020
Publication date: October 8, 2020
Applicant: McAfee, LLC
Inventors: German Lancioni, Eric Donald Wuehler
-
Patent number: 10795994
Abstract: There is disclosed in one example a ransomware mitigation engine, including: a processor; a convolutional neural network configured to provide file type identification (FTI) services including: identifying an access operation of a file as a write to the file or newly creating the file; computing a byte correlation factor for the file; classifying the file as belonging to a file type; determining with a screening confidence that the file type is correct for the file; determining that the screening confidence is below a screening confidence threshold; and circuitry and logic to provide heuristic analysis including: receiving notification that the confidence is below the confidence threshold; performing a statistical analysis of the file to determine a difference between an expected value and a computed value; determining from the difference, with a detection confidence, that the file has been compromised; and identifying the file as having been compromised by a ransomware attack.
Type: Grant
Filed: September 26, 2018
Date of Patent: October 6, 2020
Assignee: McAfee, LLC
Inventors: Kunal Mehta, Sherin Mary Mathews, Carl D. Woodward, Celeste R. Fralick, Jonathan B. King
-
Publication number: 20200314126
Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a contextual reputation store; and instructions encoded within the memory to provision a security agent configured to: create a user persona in the contextual reputation store based at least in part on the user's interaction with the computing apparatus; compute a persona-weighted reputation for an action and store the persona-weighted reputation action to the contextual reputation store; intercept a user action on the computing apparatus; determine a current user persona; determine from the contextual reputation store a persona-weighted reputation for the user action; and take a security action based at least in part on the persona-weighted reputation for the user action.
Type: Application
Filed: March 27, 2019
Publication date: October 1, 2020
Applicant: McAfee, LLC
Inventors: Craig Schmugar, Robert Leong
-
Publication number: 20200311259
Abstract: There is disclosed in one example a computing apparatus, including: a network interface; a hardware platform, including at least a processor and a memory; and instructions encoded in the memory to instruct the processor to: identify an executable object to be run on the apparatus, the executable object to provision a plurality of local files or objects with unknown local reputations; query via the network interface a remote service with an identification of the executable object; responsive to the query, receive from the remote service a reputation batch for the local files or objects; and selectively permit installation of the executable object and/or the plurality of local files or objects based at least in part on individual reputations within the reputation batch.
Type: Application
Filed: March 28, 2019
Publication date: October 1, 2020
Applicant: McAfee, LLC
Inventors: Craig Schmugar, Jyothi Mehandale
-
Publication number: 20200314067
Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform, including a processor and a memory; and executable instructions encoded in the memory to provide a client-only virtual private network (VPN) including a VPN client and a VPN server on a single physical device, wherein the VPN client is configured to communicatively couple to the VPN server and to provide proxied Internet protocol (IP) communication services via the VPN server.
Type: Application
Filed: March 29, 2019
Publication date: October 1, 2020
Applicant: McAfee, LLC
Inventor: Lior Rudnik
-
Publication number: 20200313929
Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform, including a processor and a memory; and executable instructions encoded in the memory to provide a client-only virtual private network (VPN) including a VPN client and a VPN server implementation on a single physical device, wherein the VPN client is configured to communicatively couple to the VPN server and to provide proxied Internet protocol (IP) communication services.
Type: Application
Filed: May 24, 2019
Publication date: October 1, 2020
Applicant: McAfee, LLC
Inventor: Lior Rudnik