Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.

Abstract: An apparatus for detecting a phishing website based on website icons is disclosed. A disclosed example apparatus includes parser circuitry to parse code of a first website, detector circuitry to detect, based on the parsed code, a first website icon and a first Uniform Resource Locator (URL) corresponding to the first website, and hash generator circuitry to generate a first hash of the first website icon, and store the first hash in association with the first URL in a hash entry of an icon hash database, the hash entry to be used for determining that a second website is a phishing website when (a) the first hash matches a second hash of a second website icon corresponding to the second website, and (b) a first portion of the first URL matches a second portion of a second URL corresponding to the second website.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to disable select processes for malware prevention, an apparatus comprising: at least one memory; instructions; and at least one processor to execute the instructions to cause the at least one processor to at least: identify execution of a computer process on a computing device; determine whether the identified computer process is in a list of computer processes to be monitored; in response to the identified computer process being listed in the list of computer processes to be monitored, determine an amount of time since last execution of the identified computer process; and suspend, in response to the amount of time since last execution meeting or exceeding a threshold time, execution of the identified computer process.

Abstract: A method includes determining first data stored in a clipboard of an operating system, determining second data is stored in the clipboard, performing a comparison of the second data against malicious data, at least in part based on a determination that the first data has changed to the second data, and performing a first security operation, at least in part based on the comparison.

Abstract: An apparatus, including systems and methods, for detecting ransomware is disclosed herein. For example, in some embodiments, an apparatus includes a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to receive data identifying a process and a plurality of files accessed by the process; identify an access indicator associated with each of the plurality of files accessed by the process, wherein the access indicator includes file type; determine whether the access indicator exceeds a threshold; interrupt, based on a determination that the access indicator exceeds a threshold, the process; and prompt a user to allow or disallow the process to proceed.

Abstract: An apparatus for detecting a phishing website based on website icons is disclosed. A disclosed example apparatus includes parser circuitry to parse code of a first website, detector circuitry to detect, based on the parsed code, a first website icon and a first Uniform Resource Locator (URL) corresponding to the first website, and hash generator circuitry to generate a first hash of the first website icon, and store the first hash in association with the first URL in a hash entry of an icon hash database, the hash entry to be used for determining that a second website is a phishing website when (a) the first hash matches a second hash of a second website icon corresponding to the second website, and (b) a first portion of the first URL matches a second portion of a second URL corresponding to the second website.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and memory; and instructions encoded within the memory to instruct the processor to: identify a scripted process for security analysis; hook application programming interface (API) calls of the scripted process to determine a plurality of pre-execution parameters and runtime parameters; assign individual scores to the pre-execution parameters and runtime parameters; compute a sum of the individual scores; compare the sum to a threshold; and detect malicious or suspicious activity if the sum is above the threshold.

Abstract: An apparatus for detecting a phishing website based on website icons is disclosed. A disclosed example apparatus includes a parser to locate a first website icon corresponding to a first website, an icon hasher to generate a first hash of the first website icon, and a hash checker to determine whether the first hash matches a second hash of a second website icon corresponding to a second website in an icon hash database, the hash checker to, in response to the first hash matching the second hash, determine whether a first portion of a first Uniform Resource Locator (URL) corresponding to the first website matches a second portion of a second URL corresponding to the second website, the hash checker to, in response to the first portion not matching the second portion, identify the first website as a phishing website.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a system profile store; and a ransomware detection engine including instructions encoded within the memory to instruct the processor to: detect an operation, by a process, that results in an operation on a file, wherein the operation includes newly creating the file including a file type identifier, or where the file is an existing file, changing a file type identifier for the file; querying the system profile store with a combination of the file type identifier and metadata about the file; based at least in part on the querying, determining that the process is a suspected ransomware attack; and taking a remedial action.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed. An example apparatus includes at least one memory, instructions; and processor circuitry to execute the instructions to train a neural network with a plurality of raw byte data samples, perform feature extraction on ones of the plurality of raw byte data samples, determine whether ones of the plurality of raw byte data samples are clean or malicious using the extracted features, and determine a family of malware to which an identified malicious sample belongs.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.

Abstract: An apparatus, including systems and methods, for detecting ransomware is disclosed herein. For example, in some embodiments, an apparatus includes a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to receive data identifying a process and a plurality of files accessed by the process; identify an access indicator associated with each of the plurality of files accessed by the process, wherein the access indicator includes file type; determine whether the access indicator exceeds a threshold; interrupt, based on a determination that the access indicator exceeds a threshold, the process; and prompt a user to allow or disallow the process to proceed.

Abstract: An apparatus for detecting a phishing website based on website icons is disclosed. A disclosed example apparatus includes a parser to locate a first website icon corresponding to a first website, an icon hasher to generate a first hash of the first website icon, and a hash checker to determine whether the first hash matches a second hash of a second website icon corresponding to a second website in an icon hash database, the hash checker to, in response to the first hash matching the second hash, determine whether a first portion of a first Uniform Resource Locator (URL) corresponding to the first website matches a second portion of a second URL corresponding to the second website, the hash checker to, in response to the first portion not matching the second portion, identify the first website as a phishing website.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a system profile store; and a ransomware detection engine including instructions encoded within the memory to instruct the processor to: detect an operation, by a process, that results in an operation on a file, wherein the operation includes newly creating the file including a file type identifier, or where the file is an existing file, changing a file type identifier for the file; querying the system profile store with a combination of the file type identifier and metadata about the file; based at least in part on the querying, determining that the process is a suspected ransomware attack; and taking a remedial action.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and memory; and instructions encoded within the memory to instruct the processor to: identify a scripted process for security analysis; hook application programming interface (API) calls of the scripted process to determine a plurality of pre-execution parameters and runtime parameters; assign individual scores to the pre-execution parameters and runtime parameters; compute a sum of the individual scores; compare the sum to a threshold; and detect malicious or suspicious activity if the sum is above the threshold.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.