Abstract: It is provided a method, comprising monitoring if a firewall receives a first packet and a second packet, wherein the first packet is directed to a IP address and a first port number; the second packet is directed to the IP address and a second port number; a hole through a firewall is punched for the IP address a hole port number different from the first port number and the second port number; the first packet has a first payload; the second packet has a second payload; and the method comprises checking if the first payload is substantially the same as the second payload; causing the firewall to block the first packet and the second packet if the firewall receives the first packet and the second packet and the first payload is substantially the same as the second payload.

Abstract: An arrangement and a method of privilege escalation detection in a computer or computer network.

Abstract: A method of scanning files for malware on a computer system. The method comprises detecting a file to be scanned for malware in the computer system, determining the file being a partial file that comprises only a part of the file content, searching for an original clean file associated with the partial file, wherein the original clean file is a full copy of the partial file, based on finding a candidate original clean file associated with the partial file, calculating a partial hash of the same length as the partial file for the candidate original clean file, and based on determining that partial hashes of the candidate original clean file and the partial file match, signalling a false alarm.

Abstract: A method comprising: monitoring events collected from a plurality of network nodes; detecting a first suspicious event among the monitored events by a detection mechanism; monitoring the behaviour of the first suspicious event and any related events; in case the monitored first suspicious event and/or a related event is detected to perform an activity triggering an IOC (indicator of compromise, generating a new IOC; monitoring new events when the activity ends; comparing the behaviour of the new events with the behaviour of the generated IOC; in case a matching behaviour is found, merging the new event with the first suspicious event and/or related events related to the generated IOC; and generating a security related decision on the basis of the IOC.

Abstract: Method of detecting an attack against a function on a client computer including generating a first hash value having a weak collision resistance; sending the first hash value to a server computer for storing to a database of known hash value pairs, a hash value pair including the first hash value and a second hash value calculated for the entity, the second hash value having a strong collision resistance, receiving a request for the entity with an object including a first hash value and a second hash value; accepting the received object and transmitting data relating to the received object to the server computer for a validity check when the first hash value of the received object is identical with the first hash value stored in the local database, and detecting a hash collision attempt when the hash value pairs do not match.

Abstract: There are provided measures for enabling dynamic remote malware scanning. Such measures could exemplarily include identification of an electronic file to be scanned for malware, generation of at least one scanning object of the identified electronic file on the basis of a dynamic configuration by a remote entity, said at least one scanning object being generated by using malware-susceptible data of the identified electronic file and neglecting malware-insusceptible data of the identified electronic file, transfer of the at least one scanning object of the identified electronic file for remote malware scanning to the remote entity, and execution of a malware scan of the at least one scanning object of the electronic file at the remote entity by a malware scanning engine or application.

Abstract: There is provided a method of detecting a threat against a computer system. The method comprises: creating a modular representation of behavior of known applications on the basis of sub-components of a set of known applications; entering the modular representation to an evolutionary analysis system for generating previously unknown combinations of the procedures; storing the generated previously unknown combinations as candidate descendants of known applications to a future threat candidate database; monitoring the behavior of the computer system to detect one or more procedures matching the behavior of a stored candidate descendant in the future threat candidate database; and upon detection of one or more procedures matching the behavior of the stored candidate descendant and if the stored candidate descendant is determined to be malicious or suspicious, identifying the running application as malicious or suspicious.

Abstract: A method of scanning files for malware on a computer system. The method comprises detecting a file to be scanned for malware in the computer system, determining the file being a partial file that comprises only a part of the file content, searching for an original clean file associated with the partial file, wherein the original clean file is a full copy of the partial file, based on finding a candidate original clean file associated with the partial file, calculating a partial hash of the same length as the partial file for the candidate original clean file, and based on determining that partial hashes of the candidate original clean file and the partial file match, signalling a false alarm.

Abstract: It is provided a method, comprising monitoring if a firewall receives a first packet and a second packet, wherein the first packet is directed to a IP address and a first port number; the second packet is directed to the IP address and a second port number; a hole through a firewall is punched for the IP address a hole port number different from the first port number and the second port number; the first packet has a first payload; the second packet has a second payload; and the method comprises checking if the first payload is substantially the same as the second payload; causing the firewall to block the first packet and the second packet if the firewall receives the first packet and the second packet and the first payload is substantially the same as the second payload.

Abstract: There is provided a method for improving security of computer resources, including obtaining raw memory snapshots of a computer memory of one or more computing systems during runtime of identical processes relating to a predetermined application or a service; forming a map of expected memory behaviour relating to the application or the service based on the obtained raw memory snapshots; monitoring the memory behaviour of a computing system during the execution of the same application or the service; comparing the monitored memory behaviour of the computing system with the formed map of expected memory behaviour; and in the event that a deviation from the expected memory behaviour is detected based on the comparison, triggering an alert.

Abstract: A method including: monitoring events collected from a plurality of network nodes; detecting a first suspicious event among the monitored events by a detection mechanism; monitoring the behaviour of the first suspicious event and any related events; in case the monitored first suspicious event and/or a related event is detected to perform an activity triggering an incident of compromise (IOC), generating a new IOC; monitoring new events when the activity ends; comparing the behaviour of the new events with the behaviour of the generated IOC; in case a matching behaviour is found, merging the new event with the first suspicious event and/or related events related to the generated IOC; and generating a security related decision on the basis of the IOC.

Abstract: There are provided measures for enabling advanced local-network threat response. Such measures could exemplarily comprise receiving, at a local-network honeypot entity, a username/password related authentication data in relation to a login attempt to the honeypot entity, triggering a threat response operation at a local-network backend entity upon detection of the username/password related authentication data, the threat response operation comprising testing validity of the username/password related authentication data in one or more local accounts of the local-network, and in case the username/password related authentication data is detected to be valid for any account in the local-network, determining that said account is compromised and locking the compromised account.

Abstract: There is provided a method of detecting a threat against a computer system. The method includes creating a modular representation of behavior of known applications on the basis of sub-components of a set of known applications; entering the modular representation to an evolutionary analysis system for generating previously unknown combinations of the procedures; storing the generated previously unknown combinations as candidate descendants of known applications to a future threat candidate database; monitoring the behavior of the computer system to detect one or more procedures matching the behavior of a stored candidate descendant in the future threat candidate database; and upon detection of one or more procedures matching the behavior of the stored candidate descendant and if the stored candidate descendant is determined to be malicious or suspicious, identifying the running application as malicious or suspicious.

Abstract: There are provided measures for enabling the detection of a malware-usable clean file or, stated differently, the detection of malware using a clean file. Such measures could exemplarily include identifying a vulnerable clean file in a computer system, which does not constitute malware but is vulnerable for usage by malware, checking the vulnerable clean file for its threat of usage by malware, and detecting the vulnerable clean file as malware-usable clean file on the basis of a result of said checking of its threat of usage by malware.

Abstract: A method of detecting unauthorized use of a webcam or a microphone on a computer system, the method including, at the computer, identifying a process that is using the webcam or the microphone, determining whether information is visibly displayed by the computer system to indicate to a user the use of the webcam or the microphone by the process; and using a result of the step of determining to identify said process as malware or potential malware.

Abstract: A method of authenticating or controlling a software application on an end user device. The method includes selecting a code signing certificate related to an application developer; selecting one or more clean files from a database of known clean files signed with the selected code signing certificate; generating an application developer identification for the application developer on the basis of data extracted from the selected one or more clean files; adding the generated application developer identification to a database of trusted application developer certificates; comparing a signature related to a software application to be installed on an end user device with the application developer identification for authenticating said signature; and in the event that authentication is successful, performing authentication of the software application code and/or controlling installation and/or operation of the software application.

Abstract: A method of detecting malware on a client computer, the method including generating a hash of an entity at the client computer, whereby the entity is suspected to be malware, sending the hash to a network server, considering the reputation of the hash at the network server by comparing the hash to a database of hashes of known reputation, returning the results of said considering to the client computer, and, if the reputation is not known at the server, sending instructions to the client computer for obtaining further information about the entity at the client computer, wherein said further information is obtained by executing code at the client computer sent by the server to the client computer after said considering the reputation if said code is not stored at the client computer before said generating a hash.

Abstract: Method of detecting an attack against a function on a client computer including generating a first hash value having a weak collision resistance; sending the first hash value to a server computer for storing to a database of known hash value pairs, a hash value pair including the first hash value and a second hash value calculated for the entity, the second hash value having a strong collision resistance, receiving a request for the entity with an object including a first hash value and a second hash value; accepting the received object and transmitting data relating to the received object to the server computer for a validity check when the first hash value of the received object is identical with the first hash value stored in the local database, and detecting a hash collision attempt when the hash value pairs do not match.

Abstract: A method of authenticating or controlling a software application on an end user device. The method includes, at the end user device, downloading software application data from a remote server, the data including application code, a cryptographically derived signature obtained using said application code, and an identity of an application developer. The identity is then used as a look-up key to obtain or authenticate a public key of the application data, and to obtain one or more associated installation and/or operation conditions. The cryptographically derived signature is authenticated using said application code and said public key, and, in the event that authentication is successful, authentication of the application code is performed and/or installation and/or operation of the application controlled using said conditions.

Abstract: Methods, apparatus, systems are provided for use in detecting unauthorized changes to websites of web operators. Authorized content policy sets for each of a multiplicity of websites from web operators are collected and stored. In addition, content information obtained in respect web content downloaded from said websites by a multiplicity of client devices, client proxy devices, and/or client gateway devices is used to identify websites that do not conform to respective policy sets. Alerts are sent to the web operator of any non-conforming website. Optionally, alerts may be sent to client devices, client gateway devices, and/or client proxy devices for use in scanning or blocking the web content from non-conforming websites.