Abstract: One or more identifiers respectively corresponding to a one or more logical blocks in an electronic file system volume is selected. One or more logical blocks respectively corresponding to the selected one or more identifiers is analyzed according to one or more criteria. A value is assigned to one or more indicators associated with each of the one or more logical blocks and corresponding to the one or more criteria, in response to the analyses of the corresponding one or more logical blocks. A representation of the one or more indicators, and their respective assigned values, associated with each of the one or more logical blocks that was analyzed according to the one or more criteria, is generated. In some embodiments, an action to be performed on or with an electronic file mapped to the logical blocks is controlled based on one or more of the values assigned to the one or more indicators associated with the one or more logical blocks.

Abstract: A creation of a first process is detected in a kernel space of the operating system executing on a computing device. An exec parent of the first process is determined. The exec parent identifies a second process within an ancestry of the first process that last performed an exec operation prior to the creation of the first process. A unique process identifier (UPID) associated with a process identifier (PID) of the first process is generated. The UPID is associated with the exec parent in a first mapping store that maps the PID to the UPID. Process activity of the first process executing in the operating system is tracked to generate process activity data that comprises the exec parent.

Abstract: A method to predict that a text file contains source code written in one or more of a plurality of source code programming languages involves creating a feature vector comprising a plurality of values, wherein each value represents a corresponding piece of text found in the text file. Then, during an inference workflow with a neural network model, embedding representation values identified for each value in the feature vector. An overall embedding representation value is calculated for the feature vector based on the obtained embedding representation values. A plurality of class label prediction values is then created, based on the overall embedding representation value and a plurality of class labels corresponding to the plurality of source code programming languages. Finally, a prediction is made as to the source code programming language in which the source code is written in the text file based on the plurality of class label prediction values.

Abstract: One or more identifiers respectively corresponding to a one or more logical blocks in an electronic file system volume is selected. One or more logical blocks respectively corresponding to the selected one or more identifiers is analyzed according to one or more criteria. A value is assigned to one or more indicators associated with each of the one or more logical blocks and corresponding to the one or more criteria, in response to the analyses of the corresponding one or more logical blocks. A representation of the one or more indicators, and their respective assigned values, associated with each of the one or more logical blocks that was analyzed according to the one or more criteria, is generated. In some embodiments, an action to be performed on or with an electronic file mapped to the logical blocks is controlled based on one or more of the values assigned to the one or more indicators associated with the one or more logical blocks.

Abstract: A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device's operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application's status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application.

Abstract: This disclosure relates generally to systems, apparatuses, methods, and computer readable media for intercepting a virtual machine boot process. More particularly, but not by way of limitation, this disclosure relates to systems, apparatuses, methods, and computer readable media to intercept a boot process of a virtual machine that can include intercepting a boot process of the virtual machine and calculating identifying information about the operating system. The identifying information is verified and the boot process of the virtual machine may or may not be allowed complete based upon verification of the identifying information.

Abstract: A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device's operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application's status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application.

Abstract: A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device's operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application's status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application.

Abstract: A query from a particular mobile device is identified that indicates an attempt, by the particular mobile device, to access a particular application. It is determined whether the particular application has been assessed for inclusion in one or more of the plurality of whitelists and, based on the determination, an assessment of the particular application can be performed, which can include accessing a copy of the particular application and assessing the copy of the particular application to identify one or more attributes of the particular application. For each of a plurality of whitelists, a determination is made whether the particular application should be included in the whitelist based on the attributes. Each whitelist can be associated with a respective one of a plurality of entities and based on a policy corresponding to the respective entity, each entity is associated with a respective plurality of mobile devices.

Abstract: A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device's operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application's status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application.

Abstract: An application is identified as installed on a particular mobile device. An action involving the application is identified, the action to be performed using the particular mobile device. It is determined whether the action is an approved action based on at least one policy associated with the particular mobile device. A determination that the action is unapproved can results in an attempt to prevent the action. Further, in certain instances, a whitelist or blacklist can be generated based on determinations of whether identified application actions conform to one or more policies associated with the particular mobile device.

Abstract: One or more attributes of an application in a plurality of applications is identified. A reputation score of the application is determined based at least in part on the identified attributes to determining whether the application should be included in a whitelist. The whitelist can be applied against a request to download the application on a mobile device. In some aspects, the whitelist can be generated through automated collection and analysis of applications available for download by one or more different types of mobile devices in one or more networks. In some aspects, the whitelist can be applied by blocking attempts to download applications determined not to be included in the whitelist.