Patents Assigned to Trend Micro, Inc.
  • Patent number: 11886586
    Abstract: Behavior report generation monitors the behavior of unknown sample files executing in a sandbox. Behaviors are encoded and feature vectors created based upon a q-gram for each sample. Prototypes extraction includes extracting prototypes from the training set of feature vectors using a clustering algorithm. Once prototypes are identified in this training process, the prototypes with unknown labels are reviewed by domain experts who add a label to each prototype. A K-Nearest Neighbor Graph is used to merge prototypes into fewer prototypes without using a fixed distance threshold and then assigning a malware family name to each remaining prototype. An input unknown sample can be classified using the remaining prototypes and using a fixed distance. For the case that no such prototype is close enough, the behavior report of a sample is rejected and tagged as an unknown sample or that of an emerging malware family.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: January 30, 2024
    Assignee: Trend Micro, Inc.
    Inventors: Yin-Ming Chang, Hsing-Yun Chen, Hsin-Wen Kung, Li-Chun Sung, Si-Wei Wang
  • Patent number: 11487876
    Abstract: A locality-sensitive hash value is calculated for a suspect file in an endpoint computer. A similarity score is calculated for the suspect hash value by comparing it to similarly-calculated hash values in a cluster of known benign files. A suspiciousness score is calculated for the suspect hash value based upon similar matches in a cluster of benign files and a cluster of known malicious files. The similarity score and the suspiciousness score are combined in order to determine if the suspect file is malicious or not. Feature extraction and a set of features for the suspect file may be used instead of the hash value; the classes would contain sets of features rather than hash values. The clusters may reside in a cloud service database. The suspiciousness score is a modified Tarantula technique. Matching of locality-sensitive hashes may be performed by traversing tree structures of hash values.
    Type: Grant
    Filed: April 6, 2020
    Date of Patent: November 1, 2022
    Assignee: Trend Micro Inc.
    Inventor: Jayson Pryde
  • Patent number: 11461465
    Abstract: A method protects a daemon in an operating system of a host computer. The operating system detects that there is an access of a plist file of a daemon by a process in the computer. If so, then it executes a callback function registered for the plist file. The callback function sends to a kernel extension a notification of the attempted access. The kernel extension returns a value to the operating system indicating that the access should be denied. The operating system denies access to the plist file of the daemon by the process. The extension may also notify an application which prompts the user for instruction. The kernel extension also protects itself by executing its exit function when a command is given to unload the extension, and the exit function determines whether or not the command is invoked by an authorized application, such as by checking a flag.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: October 4, 2022
    Assignee: TREND MICRO INC.
    Inventors: Chuan Jiang, Xilin Li, Yafei Zhang
  • Patent number: 11354409
    Abstract: An agent on an endpoint computer computes a locality-sensitive hash value for an API call sequence of an executing process. This value is sent to a cloud computer which includes an API call sequence blacklist database of locality-sensitive hash values. A search is performed using a balanced tree structure of the database using the received hash value and a match is determined based upon whether or not a metric distance is under or above a distance threshold. The received value may also be compared to a white list of locality-sensitive hash values. Attribute values of the executing process are also received from the endpoint computer and may be used to inform whether or not the executing process is deemed to be malicious. An indication of malicious or not is returned to the endpoint computer and if malicious, the process may be terminated and its subject file deleted.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: June 7, 2022
    Assignee: TREND MICRO INC.
    Inventor: Ian Kenefick
  • Patent number: 11329936
    Abstract: The system executes online on corporate premises or in a cloud service, or offline. An e-mail message is received at a server within a corporate network or cloud service. A header of the e-mail message is parsed to determine locations of server computers through which the e-mail message has traveled. Geographic locations are placed into a routing map. A banner is inserted into the e-mail message that includes the routing map or a link to the routing map. The routing map is stored by the e-mail gateway server at a storage location identified by the link. The modified e-mail message is delivered or downloaded from the e-mail server to a user computer in real time. The sender Web site is parsed to identify sender domain information to be inserted into the banner. If offline, a product fetches and modifies the e-mail message using an API of the e-mail server.
    Type: Grant
    Filed: April 17, 2020
    Date of Patent: May 10, 2022
    Assignee: TREND MICRO INC.
    Inventors: Jing Cao, Quan Yuan, Bo Liu
  • Patent number: 11323476
    Abstract: A system is implemented in browser plug-in software or in endpoint agent software on a user computer. The user accesses a Web site and fills in a login request form and submits it to the Web site. The system triggers a “forgot password” feature and detects a phishing Web site by determining that it does not send a reset link to a valid user e-mail address, or, the system detects a phishing Web site by determining that it does send a reset link to an invalid e-mail address. Or, the system detects a phishing Web site by determining that it sends a reset link to a user e-mail address from a domain different from the domain of a login request form. Or, the system fills in an incorrect account name or password in a login request form and detects a phishing Web site by determining that the Web site does not indicate that the incorrect user name or incorrect password are incorrect.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: May 3, 2022
    Assignee: TREND MICRO INC.
    Inventors: Jing Cao, Quan Yuan, Bo Liu
  • Patent number: 11212245
    Abstract: An e-mail message is sent from a public e-mail address via the e-mail account of a user and delivered to an e-mail gateway. The message is destined for the e-mail account of a recipient. The gateway determines that the public e-mail address is on a list of users desiring two-factor authentication. The gateway determines that the message contains an anomaly indicating fraud or possible forgery. The gateway sends a two-factor authentication message to a hidden e-mail account of the user. The user reviews the message and responds with a confirmation message either confirming that the message is legitimate or indicating that it is a forgery. If the message is legitimate the gateway allows the message to be delivered to the recipient; if not, the message remains in quarantine and is not delivered. The gateway exists at the user's corporation, the recipient's corporation or is hosted at a third-party cloud service.
    Type: Grant
    Filed: October 9, 2019
    Date of Patent: December 28, 2021
    Assignee: TREND MICRO INC.
    Inventors: Ritchied Ding, Rocky Qu, Robert Yang
  • Patent number: 11126722
    Abstract: An attachment to an e-mail message is replaced with a URL before that message is delivered to an end user, thus providing more time to perform a better scan at a cloud server computer. The attachment is removed from the e-mail message and sent to the cloud server computer for a dynamic scan and a static scan which will likely include updates better able to detect malicious software. The e-mail message with the URL is delivered to the end user and there is a delay before the end user reads the message or attempts to open the attachment. An artificial delay may be introduced at an e-mail gateway before the message is delivered to the end-user. If the attachment is benign then the end user is allowed to download it via the URL; if the attachment is malicious then the end user is only given a warning message.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: September 21, 2021
    Assignee: TREND MICRO INC.
    Inventors: Ritchied Ding, Rocky Qu, Richard Li
  • Patent number: 11038916
    Abstract: An attachment to an e-mail message received at an e-mail gateway is scanned by a scan server and then is converted into an HTML file. The HTML file includes preview data of the attachment (minus any macro scripts), the entire original data of the attachment, scan functionality enabling a user to send the attachment back to a scan server for a second scan, or extract functionality enabling a user to extract the original attachment data for saving or opening in an application. The recipient is able to open or save the attachment directly if he or she believes it comes from a trusted sender. If the attachment seems suspicious, the recipient previews the attachment first before performing a scan, opening the attachment or deleting it. The recipient performs a scan of the attachment by clicking a “scan” button to send the attachment to a backend server for a second scan where an updated virus pattern file may be available to detect any zero-day malware.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: June 15, 2021
    Assignee: TREND MICRO, INC.
    Inventors: Jing Cao, Quan Yuan, Bo Liu
  • Patent number: 10990673
    Abstract: A method protects a daemon in an operating system of a host computer. The operating system detects that there is an access of a plist file of a daemon by a process in the computer. If so, then it executes a callback function registered for the plist file. The callback function sends to a kernel extension a notification of the attempted access. The kernel extension returns a value to the operating system indicating that the access should be denied. The operating system denies access to the plist file of the daemon by the process. The extension may also notify an application which prompts the user for instruction. The kernel extension also protects itself by executing its exit function when a command is given to unload the extension, and the exit function determines whether or not the command is invoked by an authorized application, such as by checking a flag.
    Type: Grant
    Filed: May 24, 2019
    Date of Patent: April 27, 2021
    Assignee: TREND MICRO INC.
    Inventors: Chuan Jiang, Xilin Li, Yafei Zhang
  • Patent number: 10771620
    Abstract: A mobile virtualization application allows a VR application user to access mobile telephone basic functions in a third-party VR application. This virtualization application may be a virtualization plugin or an independent application which virtualizes mobile functions and creates VR models. The virtualization plugin bridges between the VR application and the mobile telephone operating system allowing the user to use directly mobile telephone basic functions in the VR application. VR application users can read directly their incoming text messages, e-mail messages, application notifications, etc., in the form of VR model, and, they can use a VR application input device to control their mobile telephone basic functions in order to send messages, control a camera, etc.
    Type: Grant
    Filed: June 12, 2019
    Date of Patent: September 8, 2020
    Assignee: TREND MICRO INC.
    Inventors: Minmin Li, Gang Chen, Xiaoming Zhao
  • Patent number: 10454921
    Abstract: A proxy server is implemented between a user computer and the Web. The user accesses an IAM service and selects a cloud service. The proxy server intercepts the login form from the user, stores the identifier and password, and replaces the identifier and password. The proxy server allows the form to continue to the IAM service which registers the cloud service. Later, the user accesses the IAM service and selects the cloud service. The IAM service returns a login form for the cloud service with the identifier and password and redirects the user's computer to the cloud service. The proxy server intercepts the form and replaces the identifier and password with the correct identifier and password. The proxy server then allows the form to continue to the cloud service. The user is then authenticated by the cloud service and receives a Web page from the cloud service indicating logged in.
    Type: Grant
    Filed: September 18, 2014
    Date of Patent: October 22, 2019
    Assignee: TREND MICRO INC.
    Inventors: Yifen Chen, Shen-Nan Huang, Chi-Chang Kung
  • Patent number: 10452817
    Abstract: Applications running in an API-proxy-based emulator are prevented from infecting a PC's hard disk when executing file I/O commands. Such commands are redirected to an I/O redirection engine instead of going directly to the PC's normal operating system where they can potentially harm files on the hard disk. The redirection engine executes the file I/O command using a private storage area in the hard disk that is not accessible by the PC's normal operating system. If a file that is the subject of a file I/O command from an emulated application is not in the private storage area, a copy is made from the original that is presumed to exist in the public storage area. This copy is then acted on by the command and is stored in the private storage area, which can be described as a controlled, quarantined storage space on the hard disk. In this manner the PC's (or any computing device's) hard disk is defended from potential malware that may originate from applications running in emulated environments.
    Type: Grant
    Filed: April 8, 2009
    Date of Patent: October 22, 2019
    Assignee: TREND MICRO INC
    Inventors: Sun Mingyan, Lo Chien Ping, Fan Chi-Huang
  • Patent number: 10203973
    Abstract: A service virtual machine provides service to any number of virtual machines on a hypervisor over a first communication channel. When an anomaly is detected within the provided service, any virtual machine using the first communication channel switches to a second communication channel and receives service from a second virtual machine. The second virtual machine may execute upon the same computer or on a different computer. Hooking points within the hypervisor provide a means for the service virtual machines to monitor traffic and provide service to the protected virtual machines. When a service virtual machine is suspended, it is repopulated, upgraded or rebooted, and then restored to service. Once restored, any protected virtual machine may be switched back to the restored service virtual machine. Virtual machines may be switched to a different communication channel by modifying a configuration file. Both communication channels may be in use at the same time.
    Type: Grant
    Filed: March 16, 2017
    Date of Patent: February 12, 2019
    Assignee: TREND MICRO INC.
    Inventors: Hao Liu, Zhen Liu
  • Patent number: 9942200
    Abstract: A user is provisioned for a Web service by supplying a user name and password. A digital certificate and VPN identifier are generated and downloaded to the user's computer. The VPN identifier and user identifier are stored into a database. The user accesses the Web service and establishes a VPN using the certificate and VPN identifier. A user identifier, user name or user password is not required. A gateway computer uses the VPN identifier to access the database previously established during the provisioning session to retrieve the user identifier. Retrieval of the user identifier validates that the computing device is authorized to use the Web service. The gateway computer stores the client IP address and a mapping to the user identifier into a database. A proxy server retrieves the user identifier from the database using the IP address and includes the user identifier in Web traffic for a remote computer.
    Type: Grant
    Filed: December 2, 2014
    Date of Patent: April 10, 2018
    Assignee: TREND MICRO INC.
    Inventors: Dan Tan, Lei Wang, Bin Shi, Liulin Yang
  • Patent number: 9858413
    Abstract: A virus detection engine determines that a file is suspected of being malware. A property is retrieved, along with the same file property of other executable files within the same folder. If the property value is similar to property values of the other files then the suspect file is benign. If the number of matches is greater than a threshold then the suspect file is benign. Other file properties of the suspect file are compared. If no file properties are similar to properties of the other files then the suspect file is malware and an alert is generated. The longest common subsequence compares property values. The same property value may be added to files within the same folder after these files are installed on the computer but before any detection takes place. A comparison of the same property values concludes that files are not malware, even if they are suspect.
    Type: Grant
    Filed: July 3, 2013
    Date of Patent: January 2, 2018
    Assignee: TREND MICRO INC.
    Inventors: Wei Zuo, Weimin Wu, Tao Shen
  • Patent number: 9813412
    Abstract: A computer analyzes a message attachment protected by a password. The message is intercepted from a sender before the message reaches the recipient. The computer cannot open, decrypt, unpack or decompress the attachment because the computer cannot parse the password. The message is modified to render the attachment unusable by the recipient and a URL is added. After the modified message is sent to the recipient, the computer receives the correct password from the recipient allowing the computer to open the attachment and perform anti-malware scanning. If malicious, the attachment is quarantined, deleted or blocked. If not malicious, the attachment (password-protected or not) is downloaded to the recipient, sent by e-mail or text message, or made available on a Web site. The recipient may be a mobile device or computer. Software may be part of an e-mail server, part of a mail transfer agent, or part of a separate computer.
    Type: Grant
    Filed: July 27, 2015
    Date of Patent: November 7, 2017
    Assignee: TREND MICRO INC.
    Inventors: Guangxiang Yang, Zhichao Ding
  • Patent number: 9756069
    Abstract: A virtual machine is used to perform a raw scan for evasive malware on a host computer without requiring an interrupt or restart of a host operating system. An antivirus program installs a raw scanner virtual machine. The raw scanner virtual machine is triggered to scan files and memory for malware. The raw scan results are collected by the antivirus program for analysis, such as for use in generating a report or for removal of malware. The memory and files of the host are mapped to a guest space of the virtual machine.
    Type: Grant
    Filed: January 10, 2014
    Date of Patent: September 5, 2017
    Assignee: TREND MICRO INC.
    Inventors: Yuefeng Li, Qiang Huang, Hu Cao
  • Patent number: 9756063
    Abstract: Host name raw data from access logs of computers is grouped into distinct groups. At least one feature, an alphanumeric or alphabetic-only digest, is extracted from each group and its characters are ordered depending upon their frequency of use. Sampling is performed upon host names from a database of known normal host names to generate groups of randomly selected host names. Similar digests are also extracted from these groups. The digest from the raw data is compared to each of the digests from the normal host names using a string matching algorithm to determine a value. If the value is above a threshold then it is likely that the host names from the raw data group are domain-generated. The suspect host names are used to reference the raw data access log in order to determine which user computers have accessed these host names and these user computers are alerted.
    Type: Grant
    Filed: November 25, 2014
    Date of Patent: September 5, 2017
    Assignee: TREND MICRO INC.
    Inventor: Yueh Hsuan Chung
  • Patent number: 9697026
    Abstract: A service virtual machine provides service to any number of virtual machines on a hypervisor over a first communication channel. When an anomaly is detected within the provided service, any virtual machine using the first communication channel switches to a second communication channel and receives service from a second virtual machine. The second virtual machine may execute upon the same computer or on a different computer. Hooking points within the hypervisor provide a means for the service virtual machines to monitor traffic and provide service to the protected virtual machines. When a service virtual machine is suspended, it is repopulated, upgraded or rebooted, and then restored to service. Once restored, any protected virtual machine may be switched back to the restored service virtual machine. Virtual machines may be switched to a different communication channel by modifying a configuration file. Both communication channels may be in use at the same time.
    Type: Grant
    Filed: October 17, 2014
    Date of Patent: July 4, 2017
    Assignee: TREND MICRO INC.
    Inventors: Hao Liu, Zhen Liu