Abstract: A computer-implemented method for enforcing data-loss-prevention policies using mobile sensors may include (1) detecting an attempt by a user to access sensitive data on a mobile computing device, (2) collecting, via at least one sensor of the mobile computing device, sensor data that indicates an environment in which the user is attempting to access the sensitive data, (3) determining, based at least in part on the sensor data, a privacy level of the environment, and (4) restricting, based at least in part on the privacy level of the environment, the attempt by the user to access the sensitive data according to a DLP policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method to identify candidate duplicate memory pages in a virtual environment is described. At least one memory page in memory is analyzed. The at least one memory page is associated with an application executing in a virtual machine. Information for the at least one memory page in memory is collected when the at least one memory page is identified as being a candidate duplicate memory page. The information identifies the application associated with the at least one memory page. A report is generated that includes the collected information for the at least one memory page.

Abstract: A method for inserting endpoint management agents into virtual machines. The method may include 1) identifying a process space of a virtual machine, the process space comprising at least one process of the virtual machine, 2) interrupting the process of the virtual machine by causing execution to transfer from the process of the virtual machine to an agent-insertion module that executes outside the process space of the virtual machine, 3) injecting, via the agent-insertion module, an endpoint management agent into the virtual machine, and 4) performing one or more endpoint management tasks on the virtual machine by causing the endpoint management agent to execute within the process space of the virtual machine. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Method and apparatus managing calls for call-related calendar entries stored on a device is described. In some examples, calendar entries stored in the device are parsed to detect call-related calendar entries. A telephone number associated with each of the call-related calendar entries is extracted. An invocator is provided in the device that is configured to cause the device to dial the telephone number associated with a first call-related calendar entry of the call-related calendar entries that is within a temporal threshold of a current time maintained by the device.

Abstract: Threat emergence dates as well as file modification and scanning history are tracked to determine which files need to be scanned for possible infection by various attacking agents. Information concerning which scan engines are used to scan for the presence of different attacking agents is also tracked. Where given files only need to be scanned for a subset of all possible threats and the relevant scanning code resides in only a subset of all the scan engines, only the required scan engines are initialized, loaded or called in order to scan those files.

Abstract: A method and apparatus for aggregating notices and alerts (alerts) into an aggregate machine readable feed wherein the alerts are retrieved from various information sources. One embodiment of the invention is a method and apparatus providing an alert via an aggregate machine readable feed, comprising receiving an alert from various information sources, converting the retrieved alert into an aggregate machine readable format, and placing the aggregate machine readable formatted alert into an aggregate machine readable feed.

Abstract: An application is analyzed, thereby detecting behaviors of the application. Data indicative of the functionality of the application is mined from a plurality of sources. The application is categorized based on the mined data. The categorization of the application indicates expected application behaviors. Multiple categories can be assigned to the application, wherein each assigned category correlates with at least one expected application behavior. Measures of consistency between the detected behaviors of the application and the expected behaviors of the application are determined. Determining the measures of consistency comprises quantifying differences between detected behaviors of the application and expected behaviors of the application. Responsive to the determined measures of consistency, it is adjudicated whether the application is suspect of being malicious.

Abstract: A parental policy is enforced for online purchases. A parent enters a parental policy indicating items that are prohibited for a child. When the child attempts to add an item to a wish list, it is determined whether the item is permitted according to the policy. If so, the addition of the item to the wish list is allowed to proceed. If the policy prohibits the item, the addition of the item to the wish list is blocked. Additionally, the parent can be informed (via email, telephone, etc.) of the attempt to add the item to the wish list. The same logic can be applied to attempts to purchase items for children, or attempts to purchase items by children.

Abstract: A computer-implemented method for processing web content may comprise receiving web content encoded with malicious steganographic code. Before presenting the web content, the method may comprise modifying the web content to create modified content such that information conveyed by the malicious steganographic code is at least partially corrupted in the modified content. Additionally, a functionality of the modified content may be at least substantially similar to a functionality of the web content following modification of the web content to create the modified content. Various other methods, computer-readable media, and systems are also disclosed.

Abstract: A computer-implemented method for detecting illegitimate applications may include 1) identifying an installation of an application on a computing system, 2) determining, in response to identifying the installation of the application, that at least one system file with privileged access on the computing system has changed prior to the installation of the application, 3) determining that the application is illegitimate based at least in part on a time of the installation of the application relative to a time of a change to the system file, and 4) performing a remediation action on the application in response to determining that the application is illegitimate. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for combining static and dynamic code analysis may include 1) identifying executable code that is to be analyzed to determine whether the executable code is capable of leaking sensitive data, 2) performing a static analysis of the executable code to identify one or more objects which the executable code may use to transfer sensitive data, the static analysis being performed by analyzing the executable code without executing the executable code, 3) using a result of the static analysis to tune a dynamic analysis to track the one or more objects identified during the static analysis, and 4) performing the dynamic analysis by, while the executable code is being executed, tracking the one or more objects identified during the static analysis to determine whether the executable code leaks sensitive data via the one or more objects. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting malware may include 1) identifying an application configured to use a permission on a mobile computing platform, the permission enabling the application to access a feature of the mobile computing platform, 2) determining that the application is configured to use the permission while executing as a background application on the mobile computing platform, 3) determining that the use of the permission is suspect based on the application being configured to use the permission while executing as the background application, and 4) performing a remediation action in response to determining that the use of the permission is suspect. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods, apparati, and computer-readable media for updating proxy executable code. An apparatus embodiment of the present invention comprises generic universal proxy executable code that can be instantiated multiple times, with each instance being driven by a different set of files comprising a protocol specification file and a proxy activity code file, to control protocol decomposition and proxy functions, respectively. In a method embodiment of the present invention, a protocol specification is created or updated; proxy activity code, separate from the protocol specification, is created or updated; and the proxy executable code is executed using the protocol specification and the proxy activity code.

Abstract: A computer-implemented method for determining a file set may include identifying a file set and identifying a key file for the file set. The method may also include transmitting a key-file identifier to a second computing system. A first computing system may receive first and second file identifiers from a second computing system. The first computing system may determine whether the file set comprises a file identified by the first file identifier, and whether the file set comprises a file identified by the second file identifier. The method also includes transmitting a result of the determination to the second computing system. A method for determining a file set on a second computing device is also disclosed. Corresponding systems and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting illegitimate applications may include 1) identifying an installation of an application on a computing system, 2) determining, in response to identifying the installation of the application, that at least one system file with privileged access on the computing system has changed prior to the installation of the application, 3) determining that the application is illegitimate based at least in part on a time of the installation of the application relative to a time of a change to the system file, and 4) performing a remediation action on the application in response to determining that the application is illegitimate. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Multiple apps of an ecosystem on a computer securely exchange encrypted data according to an information control policy of an enterprise, without allowing unauthorized access from outside of the ecosystem. An ecosystem agent creates an ecosystem directory, which contains policy information and identification information concerning each specific app in the ecosystem, including the ecosystem agent. Each ecosystem app generates an asymmetric key pair, the public key of which it shares only with apps in the ecosystem through the directory. The ecosystem agent's private key is used to encrypt the directory. Data is securely communicated between apps in the ecosystem, by encrypting and decrypting messages and data objects with the appropriate ecosystem app keys. Each specific app in the ecosystem complies with enterprise information control policy. Ecosystem apps can read a policy from the directory, and receive policy updates from the enterprise.

Abstract: A computer-implemented method may include performing a first analysis on at least one file of a master virtual machine and inserting, into the master virtual machine, information that indicates at least one result of the first analysis. The computer-implemented method may also include maintaining at least one additional virtual machine that is based on the master virtual machine. The computer-implemented method may further include directing the additional virtual machine to reference the information in the master virtual machine instead of performing a second analysis on at least one file of the additional virtual machine. Various other systems, methods, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for classifying files may include identifying data to be written to a file on a storage system. The method may also include, before the data is written to the storage system, 1) identifying a characteristic of the data, 2) determining, based on the characteristic of the data, a classification for the file, and 3) using the classification of the file to select a location within the storage system where the file should be stored. The method may further include writing the data to the file at the selected location within the storage system. Various other methods, systems, and computer-readable media are also disclosed herein.

Abstract: When a program is loaded for execution, all code pages of the program except the one containing the entry point are set to be non-executable. When the executing program attempts to jump between code pages, an exception is thrown. Responsive to such an exception, a control flow graph of the program is examined, to determine if the attempted jump between code pages is expected. If the attempted jump is not expected, it is determined that the program is attempting a malicious activity. If the attempted jump is expected, the code page to which the program is attempting to jump is set to be executable, and control is returned to the program such that the jump executes.

Abstract: The role of a user within an organization is automatically determined based on the classification of applications and content on the user's computer. Applications and files installed on a user's computer are identified. Identified applications and files that are not indicative of the role of the user within the organization are filtered out. The non-filtered out applications are functionally classified according to associated roles within the organization, based on predetermined functional classification information. The non-filtered out files are also functionally classified, based on predetermined functional classification information concerning types of files associated with specific organizational roles. The content of files that are of types not indicative of the user's organizational role can be analyzed, and these files can be functionally classified based on their content. The functional classifications are used in determining the role of the user.