Abstract: A computer-implemented method for controlling access to credentials may include (i) maintaining, by a computing device, a set of applications for which attempting to access digital credentials comprises anomalous behavior, (ii) monitoring, by the computing device, each application within the set of applications for attempts to access digital credentials, (iii) automatically detecting, while monitoring for attempts to access digital credentials, an attempt of an application in the set of applications to access a digital credential, and (iv) performing, in response to detecting the attempt to access the digital credential, a security action to secure the digital credential. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for behavioral analysis of scripting utility usage in an enterprise is described. In one embodiment, the method describes receiving, by a processor, data associated with execution of a scripting utility operating on a plurality of computing devices; executing a clustering algorithm on the received data; identifying at least one cluster based at least in part on executing the clustering algorithm; identifying an existence of an anomalous event associated with the scripting utility based at least in part on executing the clustering algorithm; and transmitting an indication of the anomalous event to an administrator.

Abstract: A method for detecting name resolution spoofing is described. In one embodiment, the method includes identifying a request to resolve a host name, identifying a hostname specified in a response to the request, identifying an actual hostname associated with the response, analyzing the hostname specified in relation to the actual hostname, and performing a security action based at least in part on the analysis.

Abstract: A computer-implemented method for automatically blocking Web Proxy Auto-Discovery Protocol (WPAD) attacks may include (i) automatically detecting, by a computing device, a WPAD request for a configuration file, (ii) identifying, by the computing device, a server attempting to fulfill the WPAD request for the configuration file, (iii) determining, by the computing device, that the server is not included in a whitelist of WPAD servers for the configuration file, and (iv) automatically performing, by the computing device and based on the determination that the server is not included in the whitelist, a security action to secure the WPAD request for the configuration file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A system and method for detecting potential system vulnerabilities to malicious attacks. A list of routes between computing devices and associated threat levels is maintained as network events occur between computing devices. The routes include bad hygiene endpoints, high value targets which are a variety of server types controlling access to sensitive data, and network connections. A list of routes connecting high value targets and bad hygiene endpoints are sorted by a priority level and used to identify potential routes. When a network event corresponding to a given route is detected, the list is searched to identify potential routes. Potential routes are monitored routes with no network events detected yet between the source and destination.

Abstract: The disclosed computer-implemented method for responding to electronic security incidents may include (i) identifying a plurality of security incidents that each occurred within a computing environment and call for a security response, (ii) establishing relationships among the plurality of security incidents by, for each security incident, (a) calculating a feature vector indicating at least one feature of the security incident, (b) using the feature vector to calculate a degree of similarity between the security incident and an additional security and (c) creating an association between the security incident and the additional security incident that reflects the degree of similarity between the security incident and the additional security incident, and (iii) triggering, based on the relationships among the plurality of security incidents, a security action that responds to at least the security incident and the additional security incident.

Abstract: The disclosed computer-implemented method for detecting credential theft may include (i) monitoring a secured computing system's credential store that may include at least one sensitive credential that may be used to facilitate authentication of a user that is attempting to access the secured computing system, (ii) gathering, while monitoring the credential store, primary evidence of an attempted theft of the sensitive credential from the credential store, (iii) gathering corroborating evidence of the attempted theft of the sensitive credential, and (iv) performing a security action in response to gathering the primary evidence and the corroborating evidence of the attempted theft. The primary evidence of the attempted theft of the sensitive credential may include evidence of any suspicious access of the sensitive credential from the credential store that occurs outside of a procedure of authenticating the user. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for restoring applications may include: 1) identifying an installation file that includes an application; 2) monitoring the installation file to identify a set of application files generated as a result of installing the application from the installation file; 3) assigning, to each application file in the set of application files, an application identifier that associates each application file in the set of application files with the application; 4) backing up the application by copying each application file in the set of application files to a backup storage system; 5) receiving a request to restore each application file in the set of application files; and 6) restoring the application by using the application identifier to locate each application file in the set of application files within the backup storage system. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for using reputation information to evaluate the trustworthiness of files obtained via torrent transactions may include (1) identifying a torrent file that includes metadata for facilitating a torrent transaction for obtaining a target file via a peer-to-peer file-sharing protocol, (2) identifying at least one entity involved in the torrent transaction, (3) obtaining reputation information associated with the entity involved in the torrent transaction, wherein the reputation information identifies a community's opinion on the trustworthiness of the entity, (4) determining, based at least in part on the reputation information associated with the entity involved in the torrent transaction, that the target file represents a potential security risk, and then (5) performing a security action on the target file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for protecting purpose-built appliances on local networks may include (1) identifying a purpose-built appliance that is installed at a physical site to enhance the physical site with a pre-programmed functionality and that is connected to a local network that operates at the physical site, (2) intercepting, by a router of the local network, a request from a requesting device to access the pre-programmed functionality of the purpose-built appliance via the local network, (3) querying, from the router, via an authorization channel that is separate from a communication channel used to transmit the request, an owner of the physical site for authorization for the requesting device to access the purpose-built appliance, (4) receiving, by the router, the authorization from the owner, and (5) forwarding, by the router, the request from the requesting device to the purpose-built appliance. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting fraudulent software applications that generate misleading notifications is disclosed. In one example, such a method may comprise: 1) detecting a notification generated by an application installed on the computing device, 2) accessing criteria for determining, based at least in part on characteristics of the notification, whether the application is trustworthy, 3) determining, by applying the criteria, that the application is untrustworthy, and then 4) performing a security operation on the application. Corresponding systems and computer-readable media are also disclosed.

Abstract: A computer-implemented method for classifying an unclassified process as a potentially trusted process based on dependencies of the unclassified process is described. A component loaded by the unclassified process is identified. A determination is made as to whether a hard dependency exists between the unclassified process and the loaded component. A hard dependency exists if the unclassified process depends on the loaded component in order to execute. The unclassified process is classified as a potentially trusted process if a hard dependency exists between the unclassified process and the loaded component.

Abstract: A computer-implemented method for user-directed malware remediation may include 1) identifying a window within a graphical user interface of a computing environment, 2) identifying a user-directed interface event directed at the window, 3) determining, based at least in part on the user-directed interface event, that a process represented by the window poses a security risk, and 4) performing a remediation action on the process based on determining that the process poses the security risk. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Computer-implemented methods and systems for using tiered signing certificates to manage the behavior of executables are disclosed. In one example, a method for performing such a task may include: 1) identifying an executable file, 2) identifying a signing certificate associated with the executable file, 3) identifying, within the signing certificate, a privilege level associated with the executable file, and then 4) managing behavior of the executable file in accordance with the privilege level associated with the executable file. Corresponding methods and systems for generating tiered signing certificates for executable files are also disclosed.

Abstract: An endpoint on a network uses detection data to detect a malicious software attack. The endpoint identifies content associated with the attack, such as a component of a web page, and generates a description of the content. The endpoint sends the description to a security server. The security server analyzes the content and identifies characteristics of the content that are present when the content is carried by network traffic. The security server generates a traffic signature that specifies the identified characteristics and provides the traffic signature to inspection points. The inspection points, in turn, use the traffic signature to examine network traffic passing through the inspection points to detect network traffic carrying the content. The attack detection at the endpoint thus informs the traffic signature-based detection at the inspection points and reduces the spread of malicious software.

Abstract: A computer-implemented method for automatically detecting and preventing phishing attacks may include (1) maintaining a credentials store for a user of the computing device that identifies both at least one known-legitimate website and credentials associated with the known-legitimate website, (2) detecting an attempt by the user to enter the same credentials that are associated with the known-legitimate website into a new website that is not associated with the credentials in the credentials store, and then, prior to allowing the credentials to pass to the new website, (3) automatically warning the user that the new website potentially represents an attempt to phish the credentials associated with the known-legitimate website from the user. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Behavior based signatures for identifying applications are generated. An application is monitored as it runs. Specific behaviors concerning the execution of the application are detected, and a behavior based signature representing detected behaviors is created, such that the behavior based signature can be used subsequently to identify instances of the application. Behavior based signatures identifying known malicious and/or non-malicious applications can be used to determine whether other applications comprise malware. To do so, a running application is monitored, and specific behaviors concerning the execution of the application are detected. The detected behaviors are compared to one or more behavior based signatures. Responsive to whether the detected behaviors match, a behavior based signature, it can be determined whether the application comprises malware.

Abstract: A method and apparatus for accelerating a load point scanning process. In one embodiment, the method and apparatus comprise creating, at an initial scan, a detection area map identifying files referenced by detection areas. Upon a subsequent scan, determining whether the detection area has changed with respect to the detection area map. If the detection area map has changed, re-evaluating the detection area and repopulating the detection area map entry. In another embodiment, the method and apparatus avoid rescanning files as allowed using information in a file attribute cache.

Abstract: A computer-implemented method for using reputation information to evaluate the trustworthiness of files obtained via torrent transactions may include (1) identifying a torrent file that includes metadata for facilitating a torrent transaction for obtaining a target file via a peer-to-peer file-sharing protocol, (2) identifying at least one entity involved in the torrent transaction, (3) obtaining reputation information associated with the entity involved in the torrent transaction, wherein the reputation information identifies a community's opinion on the trustworthiness of the entity, (4) determining, based at least in part on the reputation information associated with the entity involved in the torrent transaction, that the target file represents a potential security risk, and then (5) performing a security action on the target file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for locating malware may include identifying a malicious behavior in a computing system. The computer-implemented method may also include determining that the malicious behavior arises from a set of interrelated executable objects. The computer-implemented method may further include identifying an executable object recently added to the set of interrelated executable objects. The computer-implemented method may additionally include attributing the malicious behavior to the recently added executable object based on when the recently added executable object was added to the set of interrelated executable objects. The computer-implemented method may also include performing a security action on the recently added executable object. Various other methods, systems, and computer-readable media are also disclosed.