Patents by Inventor Monty D. McDougal

Monty D. McDougal has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10021128
    Abstract: Generally discussed herein are systems, devices, and methods for malware nullification. A system can include a detect module to identify a file type of an attachment of the email, compare the identified file type to a list of unsafe file types, and in response to determining the identified file type is on the list of unsafe file types, remove the attachment from the email and forward the attachment to a database, a file converter module to receive the attachment from the detect module and convert the file to a safe file type so as to nullify malware in the attachment, an insert module to receive the file with the safe file type and replace the attachment of the email with the file with the safe file type, and a mail transfer agent to forward the email with the file with the safe file type to the client.
    Type: Grant
    Filed: March 11, 2016
    Date of Patent: July 10, 2018
    Assignee: Forcepoint LLC
    Inventor: Monty D. McDougal
  • Patent number: 9882924
    Abstract: Generally discussed herein are systems, devices, and methods for malware analysis. In one or more embodiments, a method can include copying application layer data traffic to create copied application layer data traffic, forwarding at least a portion of the application layer data traffic to a destination client prior to a malware analysis of corresponding copied application layer data traffic, determining whether the copied application layer data traffic includes a specified property, and in response to a determination that the copied application layer data traffic includes the specified property, storing the copied application layer data traffic determined to include the specified property for subsequent malware analysis, the stored copied application layer data traffic including context data of the copied application layer data traffic.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: January 30, 2018
    Assignee: Forcepoint LLC
    Inventors: Monty D. McDougal, John S. Lear, Julian A. Zottl, Jesse J. Lee
  • Patent number: 9876810
    Abstract: Generally discussed herein are systems, devices, and methods for malware analysis lab isolation. A system can include a malware analysis zone LAN in which malware analysis is performed, a separation zone LAN communicatively connected to the malware analysis zone LAN, the separation zone LAN providing access control to manage communication of data between other LANs of the plurality of LANs, an analyst zone LAN communicatively connected to the separation zone LAN, and a remote access zone LAN communicatively connected to the separation zone LAN, the remote access zone LAN providing a user LAN with results from the malware analysis zone LAN and the analyst zone LAN and providing an item for malware analysis by the malware analysis zone LAN.
    Type: Grant
    Filed: December 4, 2015
    Date of Patent: January 23, 2018
    Assignee: Raytheon Company
    Inventors: Monty D. McDougal, Eric G. Dodge, Julian A. Zottl
  • Patent number: 9762595
    Abstract: Generally discussed herein are systems, apparatuses, and methods for secure transfer of content across a security boundary. A system can include a high side domain communicatively coupled to a transfer guard module, the high side domain comprising a high side data repository, a first review module executable by processing circuitry to determine whether a permission level of first content violates a permission level of the high side domain, a second review module executable by the processing circuitry to determine whether second content from the high side data repository includes a permission level that violates a permission level of a low side domain, a first data diode module communicatively coupled between the first review module and the high side data repository, and a second data diode module communicatively coupled between the second review module and the high side data repository.
    Type: Grant
    Filed: August 11, 2015
    Date of Patent: September 12, 2017
    Assignee: Raytheon Company
    Inventors: Eric Dodge, Daniel E. Abramson, Monty D. McDougal, Julian A. Zottl, Stephen R. Welke, Kevin L. Cariker
  • Patent number: 9749295
    Abstract: Generally discussed herein are systems, apparatuses, and methods for internet traffic analysis. In one or more embodiments, a system can include a web proxy server to receive, from a client, a request to download content from an internet, produce a request to the internet for the content, receive the content from the internet, and produce a malware analysis request in response to receiving the requested content and a malware server communicatively connected to the web proxy server, the malware server to receive the malware analysis request and the content from the web proxy server, and issue a response to the malware analysis request indicating whether to allow the content to be downloaded to the client.
    Type: Grant
    Filed: April 16, 2015
    Date of Patent: August 29, 2017
    Assignee: Raytheon Company
    Inventor: Monty D. McDougal
  • Publication number: 20170163665
    Abstract: Generally discussed herein are systems, devices, and methods for malware analysis lab isolation. A system can include a malware analysis zone LAN in which malware analysis is performed, a separation zone LAN communicatively connected to the malware analysis zone LAN, the separation zone LAN providing access control to manage communication of data between other LANs of the plurality of LANs, an analyst zone LAN communicatively connected to the separation zone LAN, and a remote access zone LAN communicatively connected to the separation zone LAN, the remote access zone LAN providing a user LAN with results from the malware analysis zone LAN and the analyst zone LAN and providing an item for malware analysis by the malware analysis zone LAN.
    Type: Application
    Filed: December 4, 2015
    Publication date: June 8, 2017
    Inventors: Monty D. McDougal, Eric G. Dodge, Julian A. Zottl
  • Publication number: 20170048259
    Abstract: Generally discussed herein are systems, apparatuses, and methods for secure transfer of content across a security boundary. A system can include a high side domain communicatively coupled to a transfer guard module, the high side domain comprising a high side data repository, a first review module executable by processing circuitry to determine whether a permission level of first content violates a permission level of the high side domain, a second review module executable by the processing circuitry to determine whether second content from the high side data repository includes a permission level that violates a permission level of a low side domain, a first data diode module communicatively coupled between the first review module and the high side data repository, and a second data diode module communicatively coupled between the second review module and the high side data repository.
    Type: Application
    Filed: August 11, 2015
    Publication date: February 16, 2017
    Inventors: Eric Dodge, Daniel E. Abramson, Monty D. McDougal, Julian A. Zottl, Stephen R. Welke, Kevin L. Cariker
  • Publication number: 20160308885
    Abstract: Generally discussed herein are systems, apparatuses, and methods for internet traffic analysis. In one or more embodiments, a system can include a web proxy server to receive, from a client, a request to download content from an internet, produce a request to the internet for the content, receive the content from the internet, and produce a malware analysis request in response to receiving the requested content and a malware server communicatively connected to the web proxy server, the malware server to receive the malware analysis request and the content from the web proxy server, and issue a response to the malware analysis request indicating whether to allow the content to be downloaded to the client.
    Type: Application
    Filed: April 16, 2015
    Publication date: October 20, 2016
    Inventor: Monty D. McDougal
  • Publication number: 20160269437
    Abstract: Generally discussed herein are systems, devices, and methods for malware analysis. In one or more embodiments, a method can include copying application layer data traffic to create copied application layer data traffic, forwarding at least a portion of the application layer data traffic to a destination client prior to a malware analysis of corresponding copied application layer data traffic, determining whether the copied application layer data traffic includes a specified property, and in response to a determination that the copied application layer data traffic includes the specified property, storing the copied application layer data traffic determined to include the specified property for subsequent malware analysis, the stored copied application layer data traffic including context data of the copied application layer data traffic.
    Type: Application
    Filed: March 8, 2016
    Publication date: September 15, 2016
    Inventors: Monty D. McDougal, John S. Lear, Julian A. Zottl, Jesse J. Lee
  • Publication number: 20160269422
    Abstract: Generally discussed herein are systems, devices, and methods for malware nullification. A system can include a detect module to identify a file type of an attachment of the email, compare the identified file type to a list of unsafe file types, and in response to determining the identified file type is on the list of unsafe file types, remove the attachment from the email and forward the attachment to a database, a file converter module to receive the attachment from the detect module and convert the file to a safe file type so as to nullify malware in the attachment, an insert module to receive the file with the safe file type and replace the attachment of the email with the file with the safe file type, and a mail transfer agent to forward the email with the file with the safe file type to the client.
    Type: Application
    Filed: March 11, 2016
    Publication date: September 15, 2016
    Inventor: Monty D. McDougal
  • Patent number: 9213837
    Abstract: In one embodiment, a method includes identifying, using one or more processors, a plurality of characteristics of a Portable Document Format (PDF) file. The method also includes determining, using the one or more processors, for each of the plurality of characteristics, a score corresponding to the characteristic. In addition, the method includes comparing, using the one or more processors, the determined scores to a first threshold. Based at least on the comparison of the determined scores to the first threshold, the method includes determining, using the one or more processors, that the PDF file is potential malware.
    Type: Grant
    Filed: December 6, 2011
    Date of Patent: December 15, 2015
    Assignee: Raytheon Cyber Products, LLC
    Inventors: Matthew Richard, Jesse J. Lee, Monty D. McDougal, Randy S. Jennings, William E. Sterns
  • Patent number: 9009820
    Abstract: In certain embodiments, a method includes receiving, at a first malware detection node, from a malware detection system a request to apply a first malware detection technique to a file. The malware detection system is configured to determine whether the file is suspected malware by analyzing a plurality of predefined result states received in response to the first malware detection node applying the first malware detection technique to the file and a second malware detection node applying a second malware detection technique to the file. The method includes receiving at least one result from a malware detection engine of applying the first malware detection technique to the file and determining at least one predefined result state based on the received at least one result. The method includes reporting, by the first malware detection node, the at least one predefined result state to the malware detection system.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: April 14, 2015
    Assignee: Raytheon Company
    Inventors: Monty D. McDougal, William E. Sterns, Randy S. Jennings
  • Patent number: 9003532
    Abstract: In certain embodiments, a computer-implemented method comprises receiving, via a computer network and from a first computer system, a first malware analysis request. The first malware analysis request comprises a file to be analyzed for malware by a malware analysis system. The method includes initiating a malware analysis by the malware analysis system of the first file for malware. The method includes communicating to the first computer system a response for the first file determined by the malware analysis system to the first computer system. The response comprises an indication of whether the first file comprises malware.
    Type: Grant
    Filed: September 15, 2011
    Date of Patent: April 7, 2015
    Assignee: Raytheon Company
    Inventors: Monty D. McDougal, Bradley T. Ford, William E. Sterns
  • Patent number: 8914882
    Abstract: Intrusion prevention system (IPS) mode is provided for a malware detection system. At least one staging server is provided for intercepting an incoming electronic message, making a copy of the intercepted incoming electronic message, and holding the intercepted incoming electronic message until an analysis of the copy of the intercepted incoming electronic message has been completed or until a timeout threshold has been exceeded. A malware detection system is coupled to the at least one staging server. The at least one malware detection system includes at least one decomposition server for receiving the copy of the intercepted incoming electronic message and processing the copy of the intercepted incoming electronic message to detect malware. Multiple mail queues, e.g., incoming, timeout, jail, decomposition, and outgoing, are used to manage message flows and delay messages while malware analysis is performed.
    Type: Grant
    Filed: November 2, 2012
    Date of Patent: December 16, 2014
    Assignee: Raytheon Company
    Inventors: Monty D. McDougal, Jesse J. Lee, William L. Gilmore
  • Patent number: 8875293
    Abstract: In accordance with particular embodiments, a method includes intercepting a communication and extracting metadata associated with the communication. The extracted metadata comprises a plurality of different fields from communication metadata and file metadata. The method further includes determining a score, based on previous communications, for each field of the extracted metadata. The score is indicative of a likelihood that the communication is a malicious communication. The method additionally includes combining the scores to generate a combined score for the communication based on an algorithm developed from the previous communications. The method also includes generating, based on the combined score at a first time, a predicted classification as to whether the communication is a malicious communication.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: October 28, 2014
    Assignee: Raytheon Company
    Inventors: Monty D. McDougal, William E. Sterns, Randy S. Jennings
  • Patent number: 8875220
    Abstract: In certain embodiments, a method includes receiving, at a proxy, a request for access to a network from an application on an endpoint. The method also includes determining, by the proxy, information about the application on the endpoint by examining one or more headers of the request received at the proxy from the application. The method further includes determining, by the proxy, whether the one or more headers comprise expected information based on the determined information about the application. In response to determining that the one or more headers do not comprise the expected information, the method includes denying, by the proxy, the request for access to the network. In addition, in response to determining that the one or more headers comprise the expected information, the method includes forwarding, by the proxy, the request to the network on behalf of the application.
    Type: Grant
    Filed: July 1, 2010
    Date of Patent: October 28, 2014
    Assignee: Raytheon Company
    Inventor: Monty D. McDougal
  • Patent number: 8863279
    Abstract: According to one embodiment, a computer-implemented method for execution on one or more processors includes receiving a first file and determining a file type of the first file. The method also includes determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file. In addition, the method includes scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy. Further, the method includes determining, in response to determining the results of applying the plurality of malware detection schemes, that the first file is malware or determining that the first file is suspected malware according to a third policy.
    Type: Grant
    Filed: March 8, 2010
    Date of Patent: October 14, 2014
    Assignee: Raytheon Company
    Inventors: Monty D. McDougal, Randy S. Jennings, Jeffrey C. Brown, Jesse J. Lee, Brian N. Smith, Darin J. De Rita, Kevin L. Cariker, William E. Sterns, Michael K. Daly
  • Patent number: 8839434
    Abstract: A computer-implemented method includes accessing, by an analysis console, information related to a first file received at a first host of a plurality of hosts. Each host is capable of running a corresponding set of malware detection processes. The information includes: an identifier of the first file; and data indicating a first result of the first host applying the set of malware detection processes to the first file. The identifier is generated by the first host and is usable by each of the hosts to determine whether a second file comprises content substantially equivalent to content of the first file. The analysis console generates a first output including: the identifier of the first file; and a second result indicating whether the first file comprises malware. The second result is usable by each of the hosts to determine whether the second file comprises malware. The first output is propagated to the hosts.
    Type: Grant
    Filed: April 15, 2011
    Date of Patent: September 16, 2014
    Assignee: Raytheon Company
    Inventors: Monty D. McDougal, William E. Sterns, Randy S. Jennings, Jesse J. Lee, Darin J. DeRita
  • Patent number: 8787567
    Abstract: In accordance with particular embodiments, a computer-implemented method for execution by one or more processors includes intercepting a communication comprising a message. The method also includes identifying words from within the message. The method further includes storing in a dictionary words from within the message of the communication and one or more parameters of the communication for each of the words. The dictionary comprises a plurality of words from a plurality of intercepted text-based communications. The method also includes receiving an encrypted file that is configured to be decrypted using a password. The method additionally includes identifying words from the dictionary to be used to attempt to decrypt the encrypted file. The identified words are identified based on at least one parameter associated with the encrypted file and the one or more parameters stored in the dictionary.
    Type: Grant
    Filed: February 22, 2011
    Date of Patent: July 22, 2014
    Assignee: Raytheon Company
    Inventors: Monty D. McDougal, Randy S. Jennings, William E. Sterns
  • Patent number: 8776242
    Abstract: In certain embodiments, a computer-implemented system comprises a boundary controller and a first malware detection agent. The boundary controller is operable to implement a security boundary between a first computer network environment and a second computer network environment. The second computer network environment has a security classification level that is more restrictive than a security classification level of the first computer network environment. The boundary controller is operable to receive from the first computer network environment a file. The first malware detection agent is positioned in the second computer network environment and is operable to receive via the boundary controller the file and apply a first malware detection process on the file. The first malware detection process is subject to the security classification level of the second computer network environment.
    Type: Grant
    Filed: November 29, 2011
    Date of Patent: July 8, 2014
    Assignee: Raytheon Company
    Inventor: Monty D. McDougal