Abstract: A computer-implemented method for recognizing behavioral attributes of software in real-time is described. An executable file is executed. One or more runtime events associated with a behavior of the executable file are traced. The one or more traced runtime events are translated to a high level language. A recognizable pattern of the translated traced runtime events is produced. The pattern is a unique behavioral set of the translated traced runtime events.

Abstract: A method and system for detecting a compressed pestware executable object is described. In an illustrative embodiment, while a computer is booting up, an attempt by a running process to exit is detected. The running process is prevented from exiting until a pestware detection procedure has been performed. In one embodiment, the pestware detection procedure includes scanning for pestware signatures the portion of executable program memory associated with the suspended running process. In a different embodiment, the pestware detection procedure includes writing to a file at least the portion of executable program memory associated with the running process, after which the running process is permitted to exit. The file can then be scanned for pestware signatures at a convenient time.

Abstract: A system and method for researching a source of pestware on a computer is described. In one embodiment, the method includes identifying pestware on the computer, accessing recorded information on the computer relating to a history of the pestware and traversing at least a subset of the recorded information, wherein the traversing includes accessing data within the recorded information that provides a reference to an identity of a source of the pestware.

Abstract: A system and method for identifying an origin of suspected pestware activity on a computer is described. One embodiment includes establishing a time of interest relating to a suspicion of pestware on the computer, identifying, based upon the time of interest, indicia of pestware and accessing at least a portion of a recorded history of sources that the computer received files from so as to identify, based at least in part upon the identified indicia of pestware, a reference to an identity of a source that is suspected of originating pestware.

Abstract: A system and method for researching an identity of a source of activity that is indicative of pestware is described. In one embodiment the method comprises monitoring the computer for activity that is indicative of pestware, identifying, based upon the activity, an object residing on the computer that is a suspected pestware object; and accessing at least a portion of a recorded history of sources that the computer received files from so as to identify a reference to an identity of a particular source that the suspected pestware object originated from.

Abstract: A system and method for managing malware is described. One embodiment is designed to receive an initial URL associated with a Web site; download content from that Web site; identify any obfuscation techniques used to hide malware or pointers to malware; interpret those obfuscation techniques; identify a new URL as a result of interpreting the obfuscation techniques; and add the new URL to a URL database.

Abstract: A system and method for managing malware is described. One embodiment includes the steps of recording the original configuration information for an active browser system; operating potential malware on the active browser system; recording changes to the original configuration information; determining whether the changes to the original configuration information indicate that the potential malware is malware; and generating a definition for the malware.

Abstract: A system and method for managing malware is described. One embodiment includes a downloader for downloading portion of a Web site, a parser for parsing the downloaded portion of the Web site; an active browser for identifying changes to the known configuration of the active browser, wherein the changes are caused by the downloaded portion of the Web site; and a definition module for generating a definition for the potential malware based on the changes to the known configuration.

Abstract: A system and method for generating a definition for malware and/or detecting malware. is described. One exemplary embodiment includes a downloader for downloading a portion of a Web site; a parser for parsing the downloaded portion of the Web site; a statistical analysis engine for determining if the downloaded portions of the Web site should be evaluated by the active browser; an active browser for identifying changes to the known configuration of the active browser, wherein the changes are caused by the downloaded portion of the Web site; and a definition module for generating a definition for the potential malware based on the changes to the known configuration.