Patents by Inventor Mark Kennedy

Mark Kennedy has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8635171
    Abstract: An exemplary method for reducing false positives produced by heuristics may include: 1) training a heuristic using a set of training data, 2) deploying the heuristic, 3) identifying false positives produced by the heuristic during deployment, and then 4) tuning the heuristic by: a) duplicating at least a portion of the false positives, b) modifying the training data to include the duplicate false positives, and c) re-training the heuristic using the modified training data. Corresponding systems and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 17, 2009
    Date of Patent: January 21, 2014
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Patent number: 8578345
    Abstract: The launch of an installer or uninstaller is detected. A process lineage tree is created representing the detected launched installer/uninstaller process, and all processes launched directly and indirectly thereby. The detected installer/uninstaller process is represented by the root node in the process lineage tree. Launches of child processes by the installer/uninstaller process and by any subsequently launched child processes are detected. The launched child processes are represented by child nodes in the tree. As long as the installer/uninstaller process represented by the root node in the tree is running, the processes represented by nodes in the tree are exempted from anti-malware analysis. The termination of the installer/uninstaller process is detected, after which the processes represented by nodes in the process lineage tree are no longer exempted from anti-malware analysis.
    Type: Grant
    Filed: April 15, 2010
    Date of Patent: November 5, 2013
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, Sourabh Satish, Alexander Danileiko, Ming-Jen Wang
  • Patent number: 8381302
    Abstract: An exemplary method for translating non-comparable values into comparable values for use in heuristics may include: 1) identifying a data object, 2) identifying a non-comparable value associated with the data object, 3) translating the non-comparable value into a comparable value, and then 4) processing the comparable value in a heuristic. In some examples, the heuristic may include a malware-detection heuristic, such as a decision tree.
    Type: Grant
    Filed: September 14, 2009
    Date of Patent: February 19, 2013
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, Abubakar Wawda
  • Patent number: 8353038
    Abstract: A configuration information manager monitors attempts by processes to update non-structured storage of system configuration information, such as plain text files which contain system configuration information. When such an attempt is made, the configuration information manager makes a copy of the target file, and redirects the write operation to this copy. The configuration information manager then analyzes the process that did the writing, as well as the content that was written. If the process and/or the content is deemed to be suspicious, the changes will be logged and discarded, thus protecting the system. Should the changes be deemed legitimate, then the configuration information manager folds them into the real file, typically in an annotated manner, so as to enable subsequent reversion of the changes as desired.
    Type: Grant
    Filed: March 21, 2006
    Date of Patent: January 8, 2013
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Patent number: 8352438
    Abstract: A method for contextual evaluation of files for use in file restoration. The method may include receiving a request to replace a damaged file on a computing system with a clean instance of the damaged file and identifying a clean file that corresponds to the damaged file. The method may also include identifying at least one file set that includes the clean file. The method may further include evaluating the suitability of the clean file for use as a replacement for the damaged file by: 1) determining whether the computing system includes an instance of each file in the file set and 2) deciding, based on the determination of whether the computing system includes an instance of each file in the file set, whether to replace the damaged file with the clean file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 15, 2010
    Date of Patent: January 8, 2013
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Patent number: 8302193
    Abstract: A computer-implemented method includes identifying a file and calculating a first identifier for the file. The method may also include identifying a first malware identifier that is associated with a first malware program. The method may further include comparing the first file identifier with the first malware identifier to determine whether the file comprises the first malware program. The method may include saving the first file identifier in a manner that allows the first file identifier to be retrieved for comparison with a second malware identifier. The second malware identifier may be associated with a second malware program. Various other methods and systems are also disclosed herein.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: October 30, 2012
    Assignee: Symantec Corporation
    Inventors: Patrick Gardner, Mark Kennedy, Everett Lai, Haik Mesropian
  • Patent number: 8280830
    Abstract: An exemplary method for using multiple in-line heuristics to reduce false positives may include: 1) training a first heuristic using a set of training data, 2) deploying the first heuristic, 3) identifying false positives produced by the first heuristic during deployment, 4) modifying the training data to include the false positives produced by the first heuristic, 5) creating a second heuristic using the modified training data, 6) deploying both the first heuristic and the second heuristic, and then 7) applying both the first heuristic and the second heuristic, in sequence, to a set of field data.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: October 2, 2012
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Patent number: 8230500
    Abstract: A computer-implemented method for detecting rootkits. The method may include identifying, from a control platform, a first directory listing. The first directory listing may be associated with a file system. The method may include identifying, from a target platform, a second directory listing. The second directory listing may be associated with the file system. The target platform and the control platform may be running concurrently on a computing device. The method may also include detecting a discrepancy between the first directory listing and the second directory listing and determining that the discrepancy is a result of the target platform being infected with a rootkit. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: July 24, 2012
    Assignee: Symantec Corporation
    Inventors: Michael Spertus, Mark Kennedy
  • Patent number: 8209757
    Abstract: A method includes creating an intercept function for a tracked DLL function of a DLL being loaded into a suspicious module. Upon a determination that the tracked DLL function is invoked, a determination is made as to whether a return address of a caller of the tracked DLL function is within a legitimate return address range. The legitimate return address range includes an address range of the intercept function and excludes an address range of the suspicious module. If the return address is within the suspicious module, the suspicious module called the tracked DLL function directly. This indicates that the suspicious module is malicious and so protective action is taken.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: June 26, 2012
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, Shane Pereira
  • Patent number: 8205217
    Abstract: Systems and methods for configuring a specific-use computing system are disclosed. A computing system may comprise a first set of predetermined application programs and a processor limited to executing the first set of predetermined application programs and pre-approved application programs received from a pre-approved computing device. The computing system may also include a communication interface configured to enable communication between the first computing system and the pre-approved computing device. Exemplary methods and computer-readable media are also enclosed.
    Type: Grant
    Filed: September 29, 2007
    Date of Patent: June 19, 2012
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, Mark Obrecht
  • Patent number: 8205263
    Abstract: A method for analyzing an unverified executable file within an antivirus engine in order to identify the executable file as being obfuscated by an unknown obfuscator program is described. An unverified executable file comprising obfuscated library strings is received. A list of pre-verified library strings is accessed. A determination is made as to whether the unverified executable file comprises one or more of the pre-verified library strings. The unverified executable file is identified as being obfuscated by an unknown obfuscator program if the file does not comprise one or more of the pre-verified library strings.
    Type: Grant
    Filed: December 16, 2008
    Date of Patent: June 19, 2012
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Patent number: 8181251
    Abstract: A method for detecting malware is disclosed. The method may include examining a plurality of metadata fields of a plurality of known-clean-executable files. The method may also include examining a plurality of metadata fields of a plurality of known-malicious-executable files. The method may further include deducing, based on information obtained from examining the plurality of metadata fields of the plurality of known-clean- and known-malicious-executable files, metadata-field attributes indicative of malware. Corresponding systems and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 18, 2008
    Date of Patent: May 15, 2012
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Patent number: 8176555
    Abstract: A computer-implemented method for detecting a malicious process using file-name heuristics may comprise: 1) identifying a process, 2) identifying a process name for the process, 3) identifying a list of process names for non-malicious processes, and 4) determining, by comparing the process name for the process with the list of process names for non-malicious processes, whether to allow the process to execute. A method for maintaining a database containing information about non-malicious processes is also disclosed. Corresponding systems and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: May 8, 2012
    Assignee: Symantec Corporation
    Inventors: Anthony Schreiner, Brian Hernacki, Christopher Peterson, William E. Sobel, Mark Kennedy
  • Patent number: 8176554
    Abstract: A security module identifies symbols within an executable file. The security module compares these identified symbols to a set of symbols expected to be present in a legitimate executable file. Based at least in part on an identified symbol not being within the set of expected symbols, the security module determines that the executable file poses a heightened security risk. In one embodiment, a remediation module takes an appropriate response to prevent potential malware exploits by the executable file.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: May 8, 2012
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Patent number: 8104086
    Abstract: Methods, apparati, and computer-readable media for detecting the presence of malicious computer code in a computer. In a method embodiment, persistence points in an operating system of the computer are examined (31). When a pointer to a temporary directory is found (32) at a persistence point, a declaration is made (34) of a suspicion of malicious code being present in the computer. Second and third method embodiments are used when the computer has a native operating system (14) controlling hardware (11) functions and a user-interface operating system (12) built on top of the native operating system (14). A fourth method embodiment is used when the computer has an operating system comprising a kernel (20) and a user interface (21).
    Type: Grant
    Filed: March 3, 2005
    Date of Patent: January 24, 2012
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Patent number: 8065734
    Abstract: A method includes creating an intercept function for a tracked Dynamic Link Library (DLL) function of a Dynamic Link Library (DLL) being loaded into a suspicious module. Further, the import address table entry for the tracked DLL function is replaced with the respective address of the intercept function. In this manner, a call from the suspicious module to the tracked DLL function is intercepted by the intercept function. The suspicious module is associated with the thread presently executing and the call is passed to the tracked DLL function. Accordingly, any actions associated with the thread are attributed to the suspicious module instead of to a process containing the suspicious module.
    Type: Grant
    Filed: March 6, 2008
    Date of Patent: November 22, 2011
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Patent number: 8060734
    Abstract: An exemplary method for providing recommendations to improve boot performance based on community data is disclosed. In one embodiment, such a method may comprise: 1) identifying at least one startup item on a computing device that is scheduled to run at boot time, 2) requesting startup-recommendation information for the startup item from a server, 3) receiving the startup-recommendation information for the startup item from the server, the startup-recommendation information being based on data gathered from a community of users, and then 4) presenting the startup-recommendation information for the startup item to a user. Corresponding systems and computer-readable media are also disclosed.
    Type: Grant
    Filed: October 13, 2008
    Date of Patent: November 15, 2011
    Assignee: Symantec Corporation
    Inventors: Keith Newstadt, Mark Kennedy, Matt Boucher
  • Patent number: 8051478
    Abstract: A secure browsing manager intercepts load calls, and determines whether intercepted load calls are attempting to load code into the browser. When the secure browsing manager detects that a load call is attempting to load code into the browser, it determines whether that code is trusted. The secure browsing manager processes the attempt to load the code into the browser according to whether or not the code is trusted. If the secure browsing manager determines that the code is trusted, it allows the code to be loaded into the browser, thereby securely allowing the benefits of loaded code. If the secure browsing manager determines that the code is not trusted, it blocks the attempt to load the code into the browser, or alternatively takes other actions, such as allowing the code to be loaded into the browser, but blocking certain user initiated activity.
    Type: Grant
    Filed: November 7, 2005
    Date of Patent: November 1, 2011
    Assignee: Symantec Corporation
    Inventors: Archana S. Rajan, Edward Bonver, Mark Kennedy
  • Patent number: 8015284
    Abstract: Bait files and signatures allow security software vendors to track both authorized and unauthorized usage of the security vendor's signatures/products by third party security vendors. A bait file providing module anonymously provides a bait file to a third party security vendor for security detection, where the bait file is a non-malware file. A signature providing module provides a bait signature corresponding to the bait file that is included in a signature database which is made publicly available. A scanner monitoring module monitors security detections made over a period of time by a security scanner operated by the third party vendor. A determination module determines whether the scanner positively detected the bait file following the release of the bait signature for the bait file. A use detection module detects, in response to a positive determination, that the third party vendor used the bait signature provided to detect the bait file.
    Type: Grant
    Filed: July 28, 2009
    Date of Patent: September 6, 2011
    Assignee: Symantec Corporation
    Inventors: Henri Isenberg, Mark Kennedy
  • Patent number: 8001603
    Abstract: The file context of a target file to be scanned is determined and the scan level for the file context is determined. Generally, the security risk for each file context is assessed, and the scan level appropriate for the security risk is associated with the file context. The target file is scanned at the scan level. Accordingly, a target file having a file context indicating that the file is a high security risk is scanned at a high scan level, i.e., is subject to a maximum-security scan. In this manner, high-level security is maintained. Conversely, a target file having a file context indicating that the file is a low security risk is scanned at a low scan level, i.e., is subject to a minimum-security scan or no scan at all. In this manner, high security is maintained while at the same time maximum performance is achieved.
    Type: Grant
    Filed: July 24, 2006
    Date of Patent: August 16, 2011
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy