Abstract: A known-deployed file metadata repository (KDFMR) and analysis engine enumerates reference lists of files stored on a software delivery point (SDP) and compares the enumerated list of files and associated metadata to previously stored values in the KDFMR. If newly stored or modified files are identified, the analysis engine acquires the files from the SDP. Each file is analyzed to determine whether the file is an atomic file or a container file and metadata is generated or extracted. Each file stored in a container file is recursively extracted and analyzed, where metadata is generated for each extracted file and each container file. The KDFMR periodically analyzes the files stored on the SDP for differences to maintain the currency of the KDFMR data with respect to files stored on the SDP. Storage or modification of files on the SDP triggers analysis of the associated file. KDFMR data is updated with metadata determined based on sandbox detonation of files and/or identified artifacts of known-deployed files.

Abstract: A known-deployed file metadata repository (KDFMR) and analysis engine enumerates reference lists of files stored on a software delivery point (SDP) and compares the enumerated list of files and associated metadata to previously stored values in the KDFMR. If newly stored or modified files are identified, the analysis engine acquires the files from the SDP. Each file is analyzed to determine whether the file is an atomic file or a container file and metadata is generated or extracted. Each file stored in a container file is recursively extracted and analyzed, where metadata is generated for each extracted file and each container file. The KDFMR periodically analyzes the files stored on the SDP for differences to maintain the currency of the KDFMR data with respect to files stored on the SDP. Storage or modification of files on the SDP triggers analysis of the associated file. KDFMR data is updated with metadata determined based on sandbox detonation of files and/or identified artifacts of known-deployed files.

Abstract: A known-deployed file metadata repository (KDFMR) and analysis engine enumerates reference lists of files stored on a software delivery point (SDP) and compares the enumerated list of files and associated metadata to previously stored values in the KDFMR. If newly stored or modified files are identified, the analysis engine acquires the files from the SDP. Each file is analyzed to determine whether the file is an atomic file or a container file and metadata is generated or extracted. Each file stored in a container file is recursively extracted and analyzed, where metadata is generated for each extracted file and each container file. The KDFMR periodically analyzes the files stored on the SDP for differences to maintain the currency of the KDFMR data with respect to files stored on the SDP. Storage or modification of files on the SDP triggers analysis of the associated file. KDFMR data is updated with metadata determined based on sandbox detonation of files and/or identified artifacts of known-deployed files.

Abstract: A known-deployed file metadata repository (KDFMR) and analysis engine enumerates reference lists of files stored on a software delivery point (SDP) and compares the enumerated list of files and associated metadata to previously stored values in the KDFMR. If newly stored or modified files are identified, the analysis engine acquires the files from the SDP. Each file is analyzed to determine whether the file is an atomic file or a container file and metadata is generated or extracted. Each file stored in a container file is recursively extracted and analyzed, where metadata is generated for each extracted file and each container file. The KDFMR periodically analyzes the files stored on the SDP for differences to maintain the currency of the KDFMR data with respect to files stored on the SDP. Storage or modification of files on the SDP triggers analysis of the associated file. KDFMR data is updated with metadata determined based on sandbox detonation of files and/or identified artifacts of known-deployed files.

Abstract: A known-deployed file metadata repository (KDFMR) and analysis engine enumerates reference lists of files stored on a software delivery point (SDP) and compares the enumerated list of files and associated metadata to previously stored values in the KDFMR. If newly stored or modified files are identified, the analysis engine acquires the files from the SDP. Each file is analyzed to determine whether the file is an atomic file or a container file and metadata is generated or extracted. Each file stored in a container file is recursively extracted and analyzed, where metadata is generated for each extracted file and each container file. The KDFMR periodically analyzes the files stored on the SDP for differences to maintain the currency of the KDFMR data with respect to files stored on the SDP. Storage or modification of files on the SDP triggers analysis of the associated file. KDFMR data is updated with metadata determined based on sandbox detonation of files and/or identified artifacts of known-deployed files.

Abstract: The system collects startup commands associated with network-attached computing devices. A startup command is automatically executed by a device on which the startup command is stored upon startup of the device and is associated with a device identifier for the device. For each startup command, a corresponding command tag is determined for the startup command. Using the device identifier associated with each startup command and the command tag determined for each startup command, a proportion of the plurality of devices is determined that are associated with each command tag. Based on the determined proportion of the plurality of devices that are associated with each command tag, a suspicious command tag is determined. A report is stored that includes the suspicious command tag, suspicious startup command(s) associated with the suspicious command tag, and the device identifier associated with each suspicious startup command.

Abstract: The system collects startup commands associated with network-attached computing devices. A startup command is automatically executed by a device on which the startup command is stored upon startup of the device and is associated with a device identifier for the device. For each startup command, a corresponding command tag is determined for the startup command using a verb list. Using the device identifier associated with each startup command and the command tag determined for each startup command, a proportion of the plurality of devices is determined that are associated with each command tag. Based on the determined proportion of the plurality of devices that are associated with each command tag, a suspicious command tag is determined. A report is stored that includes the suspicious command tag, suspicious startup command(s) associated with the suspicious command tag, and the device identifier associated with each suspicious startup command.

Abstract: The system collects startup commands associated with network-attached computing devices. A startup command is automatically executed by a device on which the startup command is stored upon startup of the device and is associated with a device identifier for the device. For each startup command, a corresponding command tag is determined for the startup command using a verb list. Using the device identifier associated with each startup command and the command tag determined for each startup command, a proportion of the plurality of devices is determined that are associated with each command tag. Based on the determined proportion of the plurality of devices that are associated with each command tag, a suspicious command tag is determined. A report is stored that includes the suspicious command tag, suspicious startup command(s) associated with the suspicious command tag, and the device identifier associated with each suspicious startup command.