Patents by Inventor Nitin Shekokar

Nitin Shekokar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10181035
    Abstract: A system and method for .Net PE files malware detection is provided. The method may include accessing two or more portable executable (PE) files and detecting at least one identical global user identifier (GUID) attribute. In response to finding identical GUID attributes, the method may include clustering a group of files into family clusters each having the same GUID attribute. The method may generate and release a signature for the family cluster. An exoneration criteria level may be set in accordance with matching characteristics associated with an acceptable software standard for the computing system or network, such that when the exoneration criteria level is reached, the PE file is exonerated from being associated with PUA or malware. Until this criterion is met, the PE file will be identified as PUA or malware. Additional GUID attributes may be identified as further proof that the PE file is polymorphic.
    Type: Grant
    Filed: June 16, 2016
    Date of Patent: January 15, 2019
    Assignee: Symantec Corporation
    Inventors: Nitin Shekokar, Kishor Kumar
  • Patent number: 9836603
    Abstract: The disclosed computer-implemented method for automated generation of generic signatures used to detect polymorphic malware may include (1) clustering a set of polymorphic file samples that share a set of static attributes in common with one another, (2) computing a distance of the polymorphic file samples from a centroid that represents a reference data point with respect to the set of polymorphic file samples, (3) determining that the distance of the polymorphic file samples from the centroid is below a certain threshold, and then upon determining that the distance is below the certain threshold, (4) identifying, within the set of static attributes shared in common by the polymorphic file samples, a subset of static attributes whose values are identical across all of the polymorphic file samples and (5) generating a generic file-classification signature from the subset of static attributes. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: February 11, 2016
    Date of Patent: December 5, 2017
    Assignee: Symantec Corporation
    Inventors: Ajitesh RoyChowdhury, Anudeep Kumar, Himanshu Dubey, Nitin Shekokar
  • Publication number: 20170193229
    Abstract: The disclosed computer-implemented method for automated generation of generic signatures used to detect polymorphic malware may include (1) clustering a set of polymorphic file samples that share a set of static attributes in common with one another, (2) computing a distance of the polymorphic file samples from a centroid that represents a reference data point with respect to the set of polymorphic file samples, (3) determining that the distance of the polymorphic file samples from the centroid is below a certain threshold, and then upon determining that the distance is below the certain threshold, (4) identifying, within the set of static attributes shared in common by the polymorphic file samples, a subset of static attributes whose values are identical across all of the polymorphic file samples and (5) generating a generic file-classification signature from the subset of static attributes. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: February 11, 2016
    Publication date: July 6, 2017
    Inventors: Ajitesh RoyChowdhury, Anudeep Kumar, Himanshu Dubey, Nitin Shekokar
  • Patent number: 9646158
    Abstract: A computer-implemented method for detecting malicious files may include (1) identifying a length of at least one line within a textual file, (2) assessing, based at least in part on the length of the line within the textual file, a likelihood that at least a portion of the textual file has been encrypted, (3) determining, based on the likelihood that at least a portion of the textual file has been encrypted, a likelihood that the textual file is malicious, and (4) performing a remediation action based at least in part on determining the likelihood that the textual file is malicious. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: May 9, 2017
    Assignee: Symantec Corporation
    Inventors: Nitin Shekokar, Xue Feng Tian