Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for defending against exploitation of vulnerable software. An example apparatus comprises an inventory controller to identify a vulnerable application corresponding to one or more files including a security defect, an origination identifying generator to identify an origination source of incoming data, the origination source tagged as suspicious, a workload analyzing controller to query, in response to the suspicious origination source, an inventory datastore to determine if the incoming data is to be accessed by the vulnerable application, and a policy application executor to, in response to determining the incoming data is to be accessed by the vulnerable application, apply a policy action to the vulnerable application to protect the vulnerable application from exposing the security defect to malicious data in the incoming data.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to defend against dynamic-link library (DLL) side-loading attacks. An example apparatus includes a fingerprint generator to determine a first DLL fingerprint of a first DLL stored at a first OS path referenced by an operating system (OS) event generated by a computing device, and, in response to determining that a second DLL having the same name as the first DLL is stored at a second OS path superseding the first OS path, determine a second DLL fingerprint of the second DLL, a fingerprint comparator to determine whether at least one of the first or the second DLL fingerprint satisfies a deviation threshold based on a comparison of the first and the second DLL fingerprint to a reference DLL fingerprint, and a security action enforcer to execute a security action to protect a computing device from an attack.

Abstract: There is disclosed in one example a computing apparatus, including: a network interface; a hardware platform, including at least a processor and a memory; and instructions encoded in the memory to instruct the processor to: identify an executable object to be run on the apparatus, the executable object to provision a plurality of local files or objects with unknown local reputations; query via the network interface a remote service with an identification of the executable object; responsive to the query, receive from the remote service a reputation batch for the local files or object; and selectively permit installation of the executable object and/or the plurality of local files or objects based at least in part on individual reputations within the reputation batch.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to defend against dynamic-link library (DLL) side-loading attacks. An example apparatus includes a fingerprint generator to determine a first DLL fingerprint of a first DLL stored at a first OS path referenced by an operating system (OS) event generated by a computing device, and, in response to determining that a second DLL having the same name as the first DLL is stored at a second OS path superseding the first OS path, determine a second DLL fingerprint of the second DLL, a fingerprint comparator to determine whether at least one of the first or the second DLL fingerprint satisfies a deviation threshold based on a comparison of the first and the second DLL fingerprint to a reference DLL fingerprint, and a security action enforcer to execute a security action to protect a computing device from an attack.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for defending against exploitation of vulnerable software. An example apparatus comprises an inventory controller to identify a vulnerable application corresponding to one or more files including a security defect, an origination identifying generator to identify an origination source of incoming data, the origination source tagged as suspicious, a workload analyzing controller to query, in response to the suspicious origination source, an inventory datastore to determine if the incoming data is to be accessed by the vulnerable application, and a policy application executor to, in response to determining the incoming data is to be accessed by the vulnerable application, apply a policy action to the vulnerable application to protect the vulnerable application from exposing the security defect to malicious data in the incoming data.

Abstract: There is disclosed in one example a computing apparatus, including: a network interface; a hardware platform, including at least a processor and a memory; and instructions encoded in the memory to instruct the processor to: identify an executable object to be run on the apparatus, the executable object to provision a plurality of local files or objects with unknown local reputations; query via the network interface a remote service with an identification of the executable object; responsive to the query, receive from the remote service a reputation batch for the local files or object; and selectively permit installation of the executable object and/or the plurality of local files or objects based at least in part on individual reputations within the reputation batch.