Patents Assigned to Trend Micro, Inc.
-
Patent number: 11886586
Abstract: Behavior report generation monitors the behavior of unknown sample files executing in a sandbox. Behaviors are encoded and feature vectors created based upon a q-gram for each sample. Prototypes extraction includes extracting prototypes from the training set of feature vectors using a clustering algorithm. Once prototypes are identified in this training process, the prototypes with unknown labels are reviewed by domain experts who add a label to each prototype. A K-Nearest Neighbor Graph is used to merge prototypes into fewer prototypes without using a fixed distance threshold and then assigning a malware family name to each remaining prototype. An input unknown sample can be classified using the remaining prototypes and using a fixed distance. For the case that no such prototype is close enough, the behavior report of a sample is rejected and tagged as an unknown sample or that of an emerging malware family.
Type: Grant
Filed: March 6, 2020
Date of Patent: January 30, 2024
Assignee: Trend Micro, Inc.
Inventors: Yin-Ming Chang, Hsing-Yun Chen, Hsin-Wen Kung, Li-Chun Sung, Si-Wei Wang
-
Patent number: 11038916
Abstract: An attachment to an e-mail message received at an e-mail gateway is scanned by a scan server and then is converted into an HTML file. The HTML file includes preview data of the attachment (minus any macro scripts), the entire original data of the attachment, scan functionality enabling a user to send the attachment back to a scan server for a second scan, or extract functionality enabling a user to extract the original attachment data for saving or opening in an application. The recipient is able to open or save the attachment directly if he or she believes it comes from a trusted sender. If the attachment seems suspicious, the recipient previews the attachment first before performing a scan, opening the attachment or deleting it. The recipient performs a scan of the attachment by clicking a “scan” button to send the attachment to a backend server for a second scan where an updated virus pattern file may be available to detect any zero-day malware.
Type: Grant
Filed: January 16, 2019
Date of Patent: June 15, 2021
Assignee: TREND MICRO, INC.
Inventors: Jing Cao, Quan Yuan, Bo Liu
-
Patent number: 9177146
Abstract: A database of known graphical user interface layouts is generated using samples of known executable files. An executable file having an unknown function is obtained; it is executed within a safe environment and its graphical user interface is identified. Layout analysis enumerates all of the windows within the interface and extracts the position values of each window and the dimension values of each window to form a set of layout information. If the layout database contains this layout information set then it is determined that the layout information is of the same type of software corresponding to the type of software contained within the database (or of the type of software to which the layout information is matched within the database). A match may occur if all the windows match, if only some percentage of the windows match, or if the windows do not match exactly but the dimensions of the corresponding window in the database are within a certain percentage.
Type: Grant
Filed: October 11, 2011
Date of Patent: November 3, 2015
Assignee: Trend Micro, Inc.
Inventors: Wen-Chih Lee, Ming-Chang Shih, Wei-Chung Chou
-
Patent number: 8938611
Abstract: A security virtual machine is provided in a network including a resource shared among two or more virtual machines. All data traffic from each virtual machine to or from the shared resource is transmitted over an encrypted channel to the security virtual machine. Each connection between a virtual machine and the security virtual machine is maintained as a separate encrypted channel, preventing one virtual machine from accessing data sent to or from another virtual machine, even though the virtual machines are all sharing the same resource.
Type: Grant
Filed: February 2, 2012
Date of Patent: January 20, 2015
Assignee: Trend Micro, Inc.
Inventors: Minhang Zhu, Bin Shi
-
Patent number: 8893274
Abstract: A security virtual machine inspects all data traffic between other virtual machines on a virtualization platform in order to prevent an inter-VM attack. Data traffic between the machines is intercepted at the privileged domain and directed to the security virtual machine via a hook mechanism and a shared memory location. The traffic is read by the security machine and analyzed for malicious software. After analysis, the security machine sends back a verdict for each data packet to the privileged machine which then drops each data packet or passes each data packet on to its intended destination. The privileged domain keeps a copy of each packet or relies upon the security machine to send back each packet. The security machine also substitutes legitimate or warning data packets into a malicious data package instead of blocking data packets. The shared memory location is a circular buffer for greater performance. Traffic is intercepted on a single host computer or between host computers.
Type: Grant
Filed: August 3, 2011
Date of Patent: November 18, 2014
Assignee: Trend Micro, Inc.
Inventors: Minghang Zhu, Gongwei Qian
-
Patent number: 8887152
Abstract: The behavior of an installed application within the Android device is modified. The program code is modified to allow a security application to load and run the application within its own context. The modified program code is repacked into a modified APK file, executed within the context of the security application. A component within a target application includes APIs for starting other components. These APIs are modified to use a new intent object which points to a proxy component. A modified target application is executed. The security application loads the target application into memory without installing it. The security application includes a component of each type and creates a proxy component instance for each component in the target application. A proxy component under control of the security application is created for each component within the target application. The target application is executed under the control of the security application.
Type: Grant
Filed: November 4, 2011
Date of Patent: November 11, 2014
Assignee: Trend Micro, Inc.
Inventors: Shuhua Chen, Jinzhi Guo, Yinfeng Qiu
-
Patent number: 8868979
Abstract: Critical resources are identified within a computer system such as operating system files, drivers, modules and registry keys that are used to bootstrap the computer. During a successful bootstrap, these resources are saved into persistent storage during the bootstrap phase. Changes to critical resources are monitored and these resources are backed up if they are changed. Upon computer system failure, steps of identifying the type of failure and an analysis of its root cause are optionally performed. A user is presented with a bootstrap menu and critical resources necessary to bootstrap the computer are retrieved from persistent storage and saved into their appropriate locations. A successful bootstrap is then performed of the computer system in order to recover from the failure.
Type: Grant
Filed: November 21, 2011
Date of Patent: October 21, 2014
Assignee: Trend Micro, Inc.
Inventors: Zhihe Zhang, Zhifei Tao, Min Zhang, Yong An, Xiaodong Huang
-
Patent number: 8850569
Abstract: A computing device capable of instant messaging (IM) contains IM anti-malware software for preventing the transmission of malware-created IMs and opening potentially harmful IMs that it receives. When transmitting an IM, the software checks to ensure that the message being sent was created by the user (a human being) and not by IM malware, such as an IM BOT. This is done by copying details of a message as it is being typed by a user into a database and searching for that data before an IM is transmitted from the device. The software also ensures that when it receives an IM from an outside source, that the message contains a special encrypted signal that was inserted into the message by the source when the source has determined that the message was created by a human being. If the special signal is not found, it is presumed that the message was created by malware and may be discarded.
Type: Grant
Filed: April 15, 2008
Date of Patent: September 30, 2014
Assignee: Trend Micro, Inc.
Inventors: Chih-Jung Huang, Shun-Fa Yang, Cheng-Jyun Lai, Wei-Chin Chen, Kevin Chien-Yu Chen
-
Patent number: 8850567
Abstract: Unauthorized URL requests are detected based on individual user's access map(s). An access map describes legitimate paths that a user may be led from one URL to another URL. Additional information on individual URLs forming the paths, such as whether a particular URL is a start URL or a critical URL, is also included in the access map. The access map may be updated based on the most currently available information. When a URL request is made from a client device associated with a user, and if it is determined that the requested URL may potentially suffer from CSRF attacks, then the requested URL and its referral URL are compared against the URL paths in the user's access map to determine whether the URL request is unauthorized. If so, then an alert may be raised.
Type: Grant
Filed: February 4, 2008
Date of Patent: September 30, 2014
Assignee: Trend Micro, Inc.
Inventors: Sheng-Chi Hsieh, Jui-Pang Wang, Chao-Yu Chen
-
Patent number: 8805956
Abstract: A data access policy is configured and stored on a computing device, including a list of secure gateway IP addresses and optionally secure geographic regions. A time parameter defines how long a digital file will remain not in use before deletion and a degree parameter defines how fast the file will be deleted. Once a digital file is downloaded to the computing device the device is checked periodically to determine whether or not it is in a secure location. If not in a secure location then a data deletion process is initiated which begins by checking whether or not the digital file is currently being used on the computing device. If the file is being used, then no deletion is performed. If the file is not in use (or has not been used after a certain amount of time) then the file is deleted. The file may be deleted gradually.
Type: Grant
Filed: September 27, 2011
Date of Patent: August 12, 2014
Assignee: Trend Micro, Inc.
Inventors: Shun-Fa Yang, Chung-Tsai Su, Geng Hwang Twu, Haoping Liu
-
Patent number: 8805404
Abstract: Any number of mobile devices each execute an application allowing them to subscribe to a group. Alternatively, the devices subscribe at a Web server. A percentage of the group and a distance threshold from a target device are defined. Each device sends its GPS data to a Web server or to one of the designated mobile devices. Alternatively, the target device calculates its distance to the other devices using wireless signals. The designated device or the Web server calculates the distance from the target device to the other devices. If the distance is over the threshold then an alert is generated and sent from the Web server to designated recipients, or sent from the designated device to the recipients. Distance from the target device to the group members may be calculated based upon a majority, a percentage of the group, or a special cluster of the group.
Type: Grant
Filed: July 10, 2012
Date of Patent: August 12, 2014
Assignee: Trend Micro, Inc.
Inventors: Shun-Fa Yang, Yen-Ju Lee
-
Patent number: 8776240
Abstract: A Web browser or operating system of a computer maintains a historical URL list of Web sites and Web pages that have been accessed in the past. When a prescan module of antivirus software performs an initial prescan of a computer before the antivirus software is installed, it queries this historical URL list to obtain the URLs that have been accessed in the past. These URLs are sent to a URL online query service located remotely over the Internet in order to determine the status of any of these URLs. Each URL is attempted to be matched with a database of known malicious URLs including associated malicious files and associated cleanup patterns. The query service then informs the requesting computer of the status of a particular URL sent, sending back any related malicious files and any appropriate cleanup pattern. A time period associated with each URL in the database indicates when it is known that the URL was malicious.
Type: Grant
Filed: May 11, 2011
Date of Patent: July 8, 2014
Assignee: Trend Micro, Inc.
Inventors: Weimin Wu, Kai Yu, Yiping Shen, Xuewen Zhu, Xingqi Ding
-
Patent number: 8769691
Abstract: A server access log includes data records each describing a previous query regarding a suspect computer file of a client computer. Each record includes the CRC code for the suspect computer file, the result of the malware analysis performed on the backend server and other attributes and values. The log is analyzed to retrieve relevant attributes and values from each record. Key attributes and values are generated such as region and continuous query. All CRC codes are grouped according to attribute values. Each group is analyzed to determine the network traffic associated with downloading the entire group to all user computers and the network traffic associated with not downloading the group but responding to future malware queries regarding CRC codes in the group. CRC codes are removed from each group if necessary. CRC code-result pairs for each group are downloaded to all user computers as a pre-fetch cache.
Type: Grant
Filed: February 14, 2011
Date of Patent: July 1, 2014
Assignee: Trend Micro, Inc.
Inventors: Gary Hsueh, Jeff Kuo, Sam Chang, Shako Ho, Norman Wang
-
Patent number: 8763125
Abstract: A dummy debugger program is installed within the user computer system. The dummy program is registered with the operating system as a debugger and may also be registered as a system service as if it is a kernel mode debugger. The dummy debugger program may have the name of a popular debugging program. Dummy registry keys are created that are typically used by a debugger to make it appear as if a debugger is present within the operating system of the user computer. Dummy program folders or dummy program names are created to make it appear as if a debugger is present within the operating system of the user computer. API calls are intercepted by using API hooks and modified to always return a meaningful value indicating that a debugger is present. Malware performing any checks to see if a debugger is present will be informed that a debugger is present and will then shut down, sleep, terminate, etc.
Type: Grant
Filed: September 26, 2008
Date of Patent: June 24, 2014
Assignee: Trend Micro, Inc.
Inventor: Hsiang-an Feng
-
Patent number: 8739283
Abstract: A computing device is capable of automatically detecting malware execution and cleaning the effects of malware execution using a malware repair module that is customized to the operating features and characteristics of the computing device. The computing device has software modules, hardware components, and network interfaces for accessing remote sources which, collectively, enable the device to restore itself after malware has executed on it. These modules, components, and interfaces may also enable the apparatus to delete the malware, if not entirely, at least partially so that it can no longer execute and cause further harm. The malware repair module is created from a detailed malware behavior data set retrieved from a remote malware behavior database and then modified to take into account specific operating features of the computing device. The repair module executes on a repair module execution engine and the effects of the malware on the device are minimized.
Type: Grant
Filed: December 7, 2009
Date of Patent: May 27, 2014
Assignee: Trend Micro, Inc.
Inventors: Zhihe Zhang, Mingyan Sun, Zhengmao Lin
-
Patent number: 8707417
Abstract: A virtualization platform includes a number of virtual machines, one of which is configured as a driver domain and includes the network service control for routing network traffic between the other virtual machines. The privileged domain does not include the network service control. The network service control includes network backend interfaces and a virtual switch or bridge. The driver domain includes a PCI driver for direct communication with a network interface card. The driver domain includes hooking software and an inspection agent. Packets passing between the other virtual machines pass through the driver domain, are hooked, and are inspected by the inspection agent to determine if they are malicious or not. Malicious packets are blocked. The driver domain may also utilize a PCI driver of the privileged domain for access to the network interface card. Platforms with or without pass-through mode may be used.
Type: Grant
Filed: February 14, 2012
Date of Patent: April 22, 2014
Assignee: Trend Micro, Inc.
Inventors: Po-Cheng Liang, Kun-Shan Lin, Chien-Ta Chu
-
Patent number: 8677118
Abstract: Building a kernel hook module (KHM) on a build machine in an automated manner uses a script file to control the process. A user requests a KHM for a particular Linux kernel of a Linux distribution. The build machine is rebooted if necessary to run the target Linux distribution. Kernel source files for the Linux distribution are loaded and installed on the build machine. Various parameters are set and source code representing the functionality of the KHM (or that of a related software product) is loaded onto the build machine. The KHM is then built automatically under direction of the script file. A control machine receives the user request for a particular KHM over the Internet and directs operation of the build machine. A test machine tests the KHM once built. The KHM works in conjunction with anti-virus software or other software.
Type: Grant
Filed: February 1, 2005
Date of Patent: March 18, 2014
Assignee: Trend Micro, Inc.
Inventors: Allen S. H. Liu, Eric Chao, Morris Chen
-
Patent number: 8561188
Abstract: Detection and prevention of botnet behavior is accomplished by monitoring access requests in a network. Each request includes a domain of content to access and a path of content to access, and each path includes a file name and query string. Once obtained, the query strings for each of these requests are normalized. A signature is then created for each of the normalized query strings. The obtained requests can then be grouped by signature. Once the requests have been grouped by signature, each grouping is examined to identify suspicious signatures based on common botnet behavior. Suspicious requests are used in back-end and front-end defenses against botnets.
Type: Grant
Filed: September 30, 2011
Date of Patent: October 15, 2013
Assignee: Trend Micro, Inc.
Inventors: Jui Pang Wang, Ming-Tai Chang, Jui-Chieh Wu
-
Patent number: 8554907
Abstract: Daily query counts for e-mail messages sent from a number of IP addresses having unknown reputations are collected and logged, and optionally plotted. The logged query count data may optionally be normalized. The normalized query count data may also be plotted. The normalized data is divided into regions (numerically or graphically). Next, the divided regions are tagged (symbolically or graphically) with unique, symbolic identifiers such as letters, numbers, symbols or colors. Patterns for each unknown IP address are formed based upon the tagged regions. Common good and bad patterns are also identified for known good and bad IP addresses. The reputation of these unknown IP addresses is then predicted using these identified good and bad patterns using a suffix tree (for example). Finally, an output identifying the determined reputations of these unknown IP addresses is generated and output.
Type: Grant
Filed: February 15, 2011
Date of Patent: October 8, 2013
Assignee: Trend Micro, Inc.
Inventors: RungChi Chen, Larrick Chen, Porter Chang
-
Patent number: 8527631
Abstract: A Web site reputation service automatically redirects a browsing request for analysis by a rating server. On the browsing request, a proxy autoconfiguration (PAC) file is downloaded from a PAC server to a Web browser of a user computer. The function of the PAC file is executed, sending a request to a rating server along with a host name of a target Web site. The function does not immediately return a proxy server, but first requests a rating of the Web site. A rating result associated with the Web site is produced by the rating server. The rating server returns the rating result and the function returns an address of a proxy server to the Web browser based upon the rating result. A user can enable the Web Proxy Autodiscovery Protocol to use the service. Access control may be implemented by applying an HTTP authentication mechanism on the Web server that hosts the PAC file.
Type: Grant
Filed: June 26, 2008
Date of Patent: September 3, 2013
Assignee: Trend Micro, Inc.
Inventor: Han-Chang Liang