Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Abstract: Trampoline and return-oriented programming attacks employ a variety of techniques to maliciously execute instructions on a device in a manner different from a legitimate programmer's original intent. By instrumenting a device to detect deviations from predicted behavior, these exploits can be identified and mitigated.

Abstract: Malware uses various techniques to detect a sandbox environment so that malicious code can avoid execution in closely monitored contexts that might otherwise trigger detection and remediation. A security system is dynamically updated to exploit these anti-sandbox techniques, e.g., by causing endpoints to mimic sandbox environments in a manner that discourages malware execution on the endpoint, and by updating sandboxes to alter or hide sandbox detection triggers.

Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Abstract: Malware uses various techniques to detect a sandbox environment so that malicious code can avoid execution in closely monitored contexts that might otherwise trigger detection and remediation. A security system is dynamically updated to exploit these anti-sandbox techniques, e.g., by causing endpoints to mimic sandbox environments in a manner that discourages malware execution on the endpoint, and by updating sandboxes to alter or hide sandbox detection triggers.

Abstract: Trampoline and return-oriented programming attacks employ a variety of techniques to maliciously execute instructions on a device in a manner different from a legitimate programmer's original intent. By instrumenting a device to detect deviations from predicted behavior, these exploits can be identified and mitigated.

Abstract: Trampoline and return-oriented programming attacks employ a variety of techniques to maliciously execute instructions on a device in a manner different from a legitimate programmer's original intent. By instrumenting a device to detect deviations from predicted behavior, these exploits can be identified and mitigated.

Abstract: Trampoline and return-oriented programming attacks employ a variety of techniques to maliciously execute instructions on a device in a manner different from a legitimate programmer's original intent. By instrumenting a device to detect deviations from predicted behavior, these exploits can be identified and mitigated.

Abstract: Trampoline and return-oriented programming attacks employ a variety of techniques to maliciously execute instructions on a device in a manner different from a legitimate programmer's original intent. By instrumenting a device to detect deviations from predicted behavior, these exploits can be identified and mitigated.

Abstract: A method for determining whether web content intended for transmission from a second device to a first device via a routing device comprises malware is proposed. The method, to be carried out by the routing device, includes receiving at least a part of the web content from the second device, providing to an antivirus service a representation of N bits of the received part of the web content, and receiving, from the antivirus service, test information based on the representation of the N bits provided by the router and indicating whether the web content may comprise malware. An appropriate representation of the N bits of web content serves as a “fingerprint,” sufficiently identifying the entire piece of the web content for the purpose of determining whether or not this piece of web content may contain malware.