Patents by Inventor Abubakar Wawda

Abubakar Wawda has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9800588
    Abstract: A current selection of previously identified malicious files is identified. The selection includes identified malicious files in multiple formats that are tested by a malware analysis environment. Each specific malicious file is opened multiple times, using multiple versions of one or more corresponding program(s). The behavior of each malicious file is analyzed as it is opened with each version of the corresponding program(s). Based on observed behavior of malicious files as they are opened, the exploitability of each version of each program is determined and ranked. The malware analysis environment uses a specific number of versions of each program to test submitted files for maliciousness, in order from more exploitable to less so, based on the ranking. The specific number of versions of a given program to use is generally less than the total available number of versions, thereby reducing the time and computing resources spent per file.
    Type: Grant
    Filed: December 16, 2015
    Date of Patent: October 24, 2017
    Assignee: Symantec Corporation
    Inventors: Andrew Collingwood Watson, Abubakar A Wawda
  • Patent number: 9740876
    Abstract: A cloud based system receives multiple types of security telemetry from multiple participating organizations. The received security telemetry can be pseudonymized by replacing fields containing sensitive information with corresponding pseudonyms. Two data stores can be maintained, a first for raw telemetry, and a second for pseudonymized telemetry. Each data store can comprise a directory structure organized according to factors such as originating organization, administrative unit, telemetry type, schema, format and/or version and receipt time. Raw telemetry is stored in directories of the first data store, and pseudonymized security telemetry is stored in directories of the second data store, both organized according to the above-described factors.
    Type: Grant
    Filed: September 15, 2015
    Date of Patent: August 22, 2017
    Assignee: Symantec Corporation
    Inventors: Carey S Nachenberg, Paul M Agbabian, Abubakar A Wawda, Andrew Collingwood Watson
  • Patent number: 9703956
    Abstract: The disclosed computer-implemented method for categorizing virtual-machine-aware applications for further analysis may include (1) identifying a plurality of virtual-machine-aware applications, where each of the plurality of virtual-machine-aware applications exhibits different behavior when the virtual-machine-aware application detects that the virtual-machine-aware application is executing in a physical computing environment rather than in a virtual computing environment, (2) identifying a plurality of non-virtual-machine-aware applications that do not exhibit different behavior when executed in the physical computing environment rather than in the virtual computing environment, (3) determining at least one characteristic that differentiates the virtual-machine-aware applications from the non-virtual-machine-aware applications, (4) analyzing an uncategorized application to determine whether the uncategorized application includes the characteristic, and (5) preventing the uncategorized application from evadi
    Type: Grant
    Filed: June 8, 2015
    Date of Patent: July 11, 2017
    Assignee: Symantec Corporation
    Inventors: Andrew Watson, Abubakar Wawda
  • Patent number: 9692773
    Abstract: The disclosed computer-implemented method for identifying detection-evasion behaviors of files undergoing malware analyses may include (1) monitoring, by a plurality of monitor components related to an automated execution environment, a file that is undergoing a malware analysis in the automated execution environment, (2) detecting a suspicious discrepancy among the monitor components with respect to computing activity observed in connection with the malware analysis by (A) identifying a monitor component that has observed the computing activity in connection with the malware analysis and (B) identifying another monitor component that has not observed the computing activity in connection with the malware analysis, and then (3) determining, based at least in part on the suspicious discrepancy, that the file demonstrates a detection-evasion behavior that led to the other monitor component not observing the computing activity in connection with the malware analysis.
    Type: Grant
    Filed: December 11, 2014
    Date of Patent: June 27, 2017
    Assignee: Symantec Corporation
    Inventors: Andrew Watson, Abubakar Wawda
  • Patent number: 9652615
    Abstract: The disclosed computer-implemented method for analyzing suspected malware may include (1) identifying a file suspected of including malware, (2) performing a static analysis of the file to identify at least one indication of an attack vector that the file uses to attack computing systems, (3) obtaining, from at least one computing system, telemetry data that identifies at least one indication of an attack vector that the file uses to attack computing systems, (4) constructing, using the indications obtained from the static analysis and the telemetry data, an execution profile that describes an execution environment that provides the attack vectors indicated by the static analysis and the telemetry data, and (5) configuring the execution environment described in the execution profile to test the file for maliciousness. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2014
    Date of Patent: May 16, 2017
    Assignee: Symantec Corporation
    Inventors: Andrew Collingwood Watson, Abubakar A. Wawda
  • Patent number: 9378385
    Abstract: The disclosed computer-implemented method for determining whether transmission of sensitive data is expected may include (1) identifying a computer program that is to be analyzed to determine whether the computer program unexpectedly transmits sensitive data, (2) simulating user input to the computer program while the computer program is executing, (3) identifying a context of the simulated user input, (4) identifying transmission of sensitive data that occurs after the user input is simulated, (5) determining, based on the context of the simulated user input, whether the transmission of sensitive data would be an expected result of the user input, and (6) performing a security action with respect to the computer program based on whether the transmission of sensitive data is expected. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 21, 2014
    Date of Patent: June 28, 2016
    Assignee: Symantec Corporation
    Inventors: Xiaole Zhu, Matthew Yeo, Abubakar A. Wawda
  • Patent number: 9311481
    Abstract: A computer-implemented method for classifying package files as Trojans may include (1) detecting a resemblance between an unclassified package file and a known legitimate package file, (2) determining that the unclassified package file is signed by a different signatory than a signatory that signed the known legitimate package file, (3) determining that a feature of the unclassified package file is suspicious, the feature being absent from the known legitimate package file, and (4) classifying the unclassified package file as a Trojan version of the known legitimate package file based on the unclassified package file being signed by the different signatory and having the suspicious feature. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 15, 2014
    Date of Patent: April 12, 2016
    Assignee: Symantec Corporation
    Inventors: Abubakar Wawda, Matthew Yeo, Jun Mao
  • Patent number: 9230105
    Abstract: Telemetry data concerning web pages that users attempt to access containing fields prompting entry of personal information is received from many client computers over time. Based on the telemetry data, it is determined which fields prompting entry of personal information are expected to be present on specific web pages. The fields prompting entry of personal information on web pages users attempt to access are compared to the fields expected to be present. When a specific user attempts to access a specific web page in real-time, it can be adjudicated on-the-fly that the web page is suspicious, based on the web page containing at least one unexpected field. Correlations between web pages containing specific unexpected fields and the hygiene ratings of the users attempting to access the web pages when the unexpected fields are encountered can be tracked and taken into account in the adjudication of web pages.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: January 5, 2016
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Abubakar A Wawda
  • Patent number: 9223966
    Abstract: The disclosed computer-implemented method for replicating computing system environments may include (1) identifying each application installed on a plurality of computing systems, (2) creating, within a virtual machine image, virtual containers that store each application installed on the plurality of computing systems, (3) determining that a potentially malicious file is directed to a target computing system within the plurality of computing systems, (4) identifying each application installed on the target computing system, (5) in response to determining that the file is directed to the target computing system, replicating a configuration of the target computing system within the virtual machine image by, for each application installed on the target computing system, activating a virtual container that stores the application, and (6) determining how the file would affect the target computing system by sending the file to the virtual machine image and analyzing how the file impacts the virtual machine image.
    Type: Grant
    Filed: May 4, 2014
    Date of Patent: December 29, 2015
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Abubakar A. Wawda
  • Patent number: 9202057
    Abstract: A computer-implemented method for identifying private keys that have been compromised may include (1) identifying a private key that enables a signatory to digitally sign applications, (2) collecting information about the private key from at least one public source, (3) determining, based on the information collected from the public source, that the private key has been compromised and is accessible to unauthorized signatories, and (4) performing a security action in response to determining that the private key has been compromised and is accessible to the unauthorized signatories. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: December 1, 2015
    Assignee: Symantec Corporation
    Inventors: Jun Mao, Matthew Yeo, Abubakar Wawda
  • Patent number: 9092615
    Abstract: A method and apparatus for identifying an application source from which an application is installed on a non-rooted computing device. An application source identifier of a security application that does not have root access to an operating system monitors for an application installation. The application source identifier extracts a process identifier (PID) of the application being installed from a log message associated with the application installation and determines a package name from the PID. The PID identifies an application source from which the application is installed. The application source identifier receives, based on the package name, a confidence level for the application source from a security service over a network.
    Type: Grant
    Filed: January 28, 2013
    Date of Patent: July 28, 2015
    Assignee: SYMANTEC CORPORATION
    Inventors: Jun Mao, Abubakar Wawda
  • Patent number: 9064120
    Abstract: A computer-implemented method for directing application updates may include (1) identifying information that indicates a rate at which an earlier version of an application is exploited in attacks on computing system security, (2) identifying additional information that indicates a rate at which a later version of the application is exploited in attacks on computing system security, (3) determining how updating the application from the earlier version to the later version will impact computing system security by comparing the rate the earlier version of the application is exploited with the rate at which the later version of the application is exploited, and (4) directing a computing system with a determination about updating an installation of the earlier version of the application to the later version of the application based on determining how updating the application will impact computing system security. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: June 23, 2015
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Abubakar A. Wawda, Petrus Johannes Viljoen, Gerry A. Egan
  • Patent number: 8984632
    Abstract: A computer-implemented method for identifying malware is described. Event data is received from a mobile device. The event data includes events performed on the mobile device and a list of one or more applications. The list of the one or more applications is compared with at least one additional list of applications received from at least one additional mobile device. An application in common across the lists of applications is identified. The identification of the application in common is transmitted to the mobile device.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: March 17, 2015
    Assignee: Symantec Corporation
    Inventors: Barry Laffoon, Abubakar Wawda, Jun Mao, Bruce McCorkendale
  • Publication number: 20150067831
    Abstract: A computer-implemented method for identifying private keys that have been compromised may include (1) identifying a private key that enables a signatory to digitally sign applications, (2) collecting information about the private key from at least one public source, (3) determining, based on the information collected from the public source, that the private key has been compromised and is accessible to unauthorized signatories, and (4) performing a security action in response to determining that the private key has been compromised and is accessible to the unauthorized signatories. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: August 30, 2013
    Publication date: March 5, 2015
    Applicant: Symantec Corporation
    Inventors: Abubakar Wawda, Jun Mao, Matthew Yeo
  • Publication number: 20150007332
    Abstract: A computer-implemented method for directing application updates may include (1) identifying information that indicates a rate at which an earlier version of an application is exploited in attacks on computing system security, (2) identifying additional information that indicates a rate at which a later version of the application is exploited in attacks on computing system security, (3) determining how updating the application from the earlier version to the later version will impact computing system security by comparing the rate the earlier version of the application is exploited with the rate at which the later version of the application is exploited, and (4) directing a computing system with a determination about updating an installation of the earlier version of the application to the later version of the application based on determining how updating the application will impact computing system security. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: June 26, 2013
    Publication date: January 1, 2015
    Inventors: Sourabh Satish, Abubakar A. Wawda, Petrus Johannes Viljoen, Gerry A. Egan
  • Patent number: 8925088
    Abstract: A method and apparatus for automatically excluding false positives from detection as malware is described. In one embodiment, a method for using one or more processors to provide false positive reduction for heuristic-based malware detection of a plurality of files in memory includes accessing global first appearance information associated with a plurality of files, accessing global malware information comprising heuristics and an emergence date associated with each malware group of a plurality of malware groups, comparing the global malware information with the global first appearance information to identify at least one false positive amongst the plurality of files and preventing detection of the at least one false positive as malware.
    Type: Grant
    Filed: August 3, 2009
    Date of Patent: December 30, 2014
    Assignee: Symantec Corporation
    Inventors: Jeffrey Wilhelm, Abubakar Wawda
  • Patent number: 8732834
    Abstract: A computer-implemented method for detecting illegitimate applications may include 1) identifying an installation of an application on a computing system, 2) determining, in response to identifying the installation of the application, that at least one system file with privileged access on the computing system has changed prior to the installation of the application, 3) determining that the application is illegitimate based at least in part on a time of the installation of the application relative to a time of a change to the system file, and 4) performing a remediation action on the application in response to determining that the application is illegitimate. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 5, 2012
    Date of Patent: May 20, 2014
    Assignee: Symantec Corporation
    Inventors: Jun Mao, Bruce McCorkendale, Barry Laffoon, Abubakar Wawda
  • Patent number: 8677346
    Abstract: Installer package information is presented to a user in response to an attempted installation of an application on an endpoint. The attempted installation is detected and the installer package is identified to an information server. The installer package may be identified using a hash key or other unique identifier. In response, the information server provides to the endpoint information associated with the identified installer package based on information received from a plurality of other endpoints. The endpoint may also provide installation and application information related to the installer package to the information server. In one embodiment, when the information server obtains more than the threshold amount of information for an installer package, the information server may analyze the information and provide the analysis to requesting endpoints. The analysis may include the risk or performance impact of the installer package, or the category or functionality of the application.
    Type: Grant
    Filed: September 27, 2011
    Date of Patent: March 18, 2014
    Assignee: Symantec Corporation
    Inventors: Kent Griffin, Sourabh Satish, Vijay Seshadri, Abubakar Wawda, Jing Zhou
  • Publication number: 20140068767
    Abstract: A computer-implemented method for detecting illegitimate applications may include 1) identifying an installation of an application on a computing system, 2) determining, in response to identifying the installation of the application, that at least one system file with privileged access on the computing system has changed prior to the installation of the application, 3) determining that the application is illegitimate based at least in part on a time of the installation of the application relative to a time of a change to the system file, and 4) performing a remediation action on the application in response to determining that the application is illegitimate. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: September 5, 2012
    Publication date: March 6, 2014
    Applicant: Symantec Corporation
    Inventors: Jun Mao, Bruce McCorkendale, Barry Laffoon, Abubakar Wawda
  • Publication number: 20130085886
    Abstract: A system and method of automatic suggested application identification includes accessing a profile of a device, wherein the profile represents information specific to the device. From said profile, a determined pattern of use determined by the device is accessed, wherein the determined pattern is unique to the device. The profile including the determined pattern and a geo-specific data of the device and configuration information of the device and applications resident on the device is compared to similar profiles and similar determined patterns of other devices. A suggested application is identified based on said comparing.
    Type: Application
    Filed: September 29, 2011
    Publication date: April 4, 2013
    Applicant: SYMANTEC CORPORATION
    Inventors: Sourabh Satish, Jing Zhou, Abubakar Wawda