Patents by Inventor Sachin Shinde

Sachin Shinde has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250094586
    Abstract: In one set of embodiments, the techniques of the present disclosure involve leveraging the concept of software enclaves to deploy and run an endpoint detection and response (EDR) security agent for a VM within the VM's associated software enclave, rather than within the VM itself. The enclave security agent can then cooperate with a central EDR manager, as well as with a minimal in-guest helper agent, to detect and remediate malware in the VM. Because the enclave security agent is isolated from and thus inaccessible by potentially malicious guest processes, this solution is significantly more secure than current EDR systems.
    Type: Application
    Filed: September 20, 2023
    Publication date: March 20, 2025
    Inventors: Mandar Nanivadekar, Sachin Shinde
  • Patent number: 12254091
    Abstract: A method of protecting an endpoint against a security threat detected at the endpoint, wherein the endpoint includes, in memory pages of the endpoint, an operating system (OS), a separate software entity, and remediation code, includes the steps of: transferring control of virtual CPUs (vCPUs) of the endpoint from the OS to the separate software entity; and while the separate software entity controls the vCPUs, storing, in an interrupt dispatch table, an instruction address corresponding to an interrupt, wherein the remediation code is stored at the instruction address, and replacing a next instruction to be executed by the OS, with an interrupt instruction, wherein the interrupt is raised when the OS executes the interrupt instruction, and the remediation code is executed as a result of handling of the interrupt that is raised.
    Type: Grant
    Filed: November 2, 2022
    Date of Patent: March 18, 2025
    Assignee: VMware LLC
    Inventors: Mandar Nanivadekar, Sachin Shinde, Bharath Kumar Chandrasekhar
  • Patent number: 12099862
    Abstract: Example methods are provided to identify unused memory regions in pages that are allocated for storing executable code. One or more of the unused memory regions are usable as a secure location to store confidential information shared between a hypervisor on the host and a guest (such as a guest virtual computing instance) that runs on the host. The one or more unused memory regions may also be used to store executable code (such as valid executable code of antivirus software or other security program) that has been prevented/delayed in its execution by malicious code that has occupied the pages, thereby providing the executable code with sufficient memory resources to enable the executable code to at least partially complete execution.
    Type: Grant
    Filed: May 18, 2021
    Date of Patent: September 24, 2024
    Assignee: VMware LLC
    Inventors: Goresh Musalay, Sachin Shinde, Zubraj Singha, Tanay Ganguly, Kashish Bhatia
  • Patent number: 12094266
    Abstract: A method of performing diagnostics in a hierarchical diagnostics electrical architecture of a vehicle, the vehicle comprising a plurality of on-board computing devices for hosting the hierarchical diagnostics electrical architecture. The hierarchical diagnostics electrical architecture comprising: a component diagnostic layer having a plurality of electronic control units each comprising a diagnostics server module; and at least one supervisory diagnostic layer.
    Type: Grant
    Filed: October 31, 2023
    Date of Patent: September 17, 2024
    Assignee: JAGUAR LAND ROVER LIMITED
    Inventors: Dibyendu Palai, Sachin Shinde
  • Patent number: 12095629
    Abstract: Example methods and systems for a computer system to perform security threat detection during service query handling are described. In one example, a process running on a virtualized computing instance supported by the computer system may generate and send a first service query specifying a query input according to a service protocol. The first service query may be detected by a security agent configured to operate in a secure enclave that is isolated from the process. Next, the security agent may generate and send a second service query specifying the query input in the first service query. It is then determined whether there is a potential security threat based on a comparison between (a) a first reply received responsive to the first service query and (b) a second reply received responsive to the second service query.
    Type: Grant
    Filed: May 20, 2020
    Date of Patent: September 17, 2024
    Assignee: VMware LLC
    Inventors: Nakul Ogale, Shirish Vijayvargiya, Sachin Shinde
  • Publication number: 20240227826
    Abstract: The present disclosure relates to a diagnostics system (2) for a vehicle (1). The diagnostics system (2) comprises a plurality of application functions (10) for controlling functions of the vehicle, a plurality of I/O interface modules (30) hosting drivers for I/O devices associated with the application functions (10), and a vehicle diagnostics manager or VDM (20). The I/O interface modules (30) are configured to transmit output signals pertaining to operation of their associated I/O devices to the application functions (10) together with a signal tag identifying the I/O interface module that generated the output signal. Each I/O interface module (30) is also configured to run physical fault monitors in order to detect physical faults for its associated I/O devices, and to maintain a fault record of detected physical faults. Each application function (10) is configured to run strategic fault monitors in order to detect strategic faults for its associated vehicle function.
    Type: Application
    Filed: March 18, 2022
    Publication date: July 11, 2024
    Inventors: Dibyendu PALAI, Sachin SHINDE
  • Publication number: 20240231870
    Abstract: An example method may include determining, by a first program running on a first compute node, that a shared datastore connected to the first compute node includes address information for downloading an agent installer and proxy information for accessing a proxy server. The address information and the proxy information may be stored in the shared datastore by a second program running on a second compute node based on a user-configured input. Further, the method may include reading, by the first program, the proxy information and the address information from the shared datastore. Furthermore, the method may include downloading, by the first program, the agent installer from a destination server corresponding to the address information via a proxy server associated with the proxy information. Further, the method may include executing, by the first program, the agent installer to install the agent on the first compute node.
    Type: Application
    Filed: December 22, 2022
    Publication date: July 11, 2024
    Inventors: LEENA SHUKLENDU SOMAN, RUSHIT NILAY DESAI, SUSHANT SHARAD RAVALE, SACHIN SHINDE, ELANGO MUTHU
  • Publication number: 20240233452
    Abstract: The present invention relates to a diagnostics system for a vehicle. The diagnostics system comprises a plurality of application functions for controlling functions of the vehicle, a plurality of I/O interface modules hosting drivers for I/O devices associated with the application functions, and an off-board remote diagnostics manager. Each I/O interface module is configured to run physical fault monitors in order to detect physical faults for its associated I/O devices, and to maintain an on-board record of detected physical faults. Each application function is configured to run strategic fault monitors in order to detect strategic faults for its associated vehicle function, and to maintain an on-board record of detected strategic faults.
    Type: Application
    Filed: March 18, 2022
    Publication date: July 11, 2024
    Inventors: Dibyendu PALAI, Sachin SHINDE
  • Publication number: 20240232328
    Abstract: The current document is directed to automated methods and systems that monitor system-call execution by operating systems in order to detect operating-system corruption. A disclosed implementation of the currently disclosed automated system-call-integrity monitor generates operational system-call fingerprints for randomly selected system calls executed by guest operating systems of randomly selected virtual machines and compares the operational system-call fingerprints to reference system-call fingerprints in order to detect operational anomalies of guest operating systems that are likely to represent guest-operating-system corruption. In disclosed implementations, a system-call fingerprint includes a system-call execution time, the number of instructions executed during execution of the system call, and a snapshot of the call stack taken during execution of the system call.
    Type: Application
    Filed: October 20, 2022
    Publication date: July 11, 2024
    Applicant: VMware LLC
    Inventors: Sachin Shinde, Shirish Vijayvargiya, Amardeep Nagarkar, Sunil Hasbe
  • Patent number: 11989298
    Abstract: Methods and apparatus to validate and restore machine configurations are disclosed herein. An example apparatus includes a context identifier to obtain first context information for a first set of configuration update events occurring on a computing device, a guest agent interface to transmit the first set of configuration update events to a security manager for generation of a policy, the policy including allowable configuration update events and responses to unallowable configuration update events, an event comparator to compare second context information of a subsequent configuration update event obtained by the context identifier to the policy received from the security manager, and an event handler to determine, when the subsequent configuration update event is not included in the policy, that the subsequent configuration update event is to be transmitted to the security manager for generation of an updated policy.
    Type: Grant
    Filed: August 2, 2021
    Date of Patent: May 21, 2024
    Assignee: VMware LLC
    Inventors: Nilesh Awate, Goresh Musalay, Sachin Shinde, V S V Vijay
  • Publication number: 20240143763
    Abstract: A method of protecting an endpoint against a security threat detected at the endpoint, wherein the endpoint includes, in memory pages of the endpoint, an operating system (OS), a separate software entity, and remediation code, includes the steps of: transferring control of virtual CPUs (vCPUs) of the endpoint from the OS to the separate software entity; and while the separate software entity controls the vCPUs, storing, in an interrupt dispatch table, an instruction address corresponding to an interrupt, wherein the remediation code is stored at the instruction address, and replacing a next instruction to be executed by the OS, with an interrupt instruction, wherein the interrupt is raised when the OS executes the interrupt instruction, and the remediation code is executed as a result of handling of the interrupt that is raised.
    Type: Application
    Filed: November 2, 2022
    Publication date: May 2, 2024
    Inventors: Mandar NANIVADEKAR, Sachin SHINDE, Bharath Kumar CHANDRASEKHAR
  • Publication number: 20240134961
    Abstract: The current document is directed to automated methods and systems that monitor system-call execution by operating systems in order to detect operating-system corruption. A disclosed implementation of the currently disclosed automated system-call-integrity monitor generates operational system-call fingerprints for randomly selected system calls executed by guest operating systems of randomly selected virtual machines and compares the operational system-call fingerprints to reference system-call fingerprints in order to detect operational anomalies of guest operating systems that are likely to represent guest-operating-system corruption. In disclosed implementations, a system-call fingerprint includes a system-call execution time, the number of instructions executed during execution of the system call, and a snapshot of the call stack taken during execution of the system call.
    Type: Application
    Filed: October 19, 2022
    Publication date: April 25, 2024
    Applicant: VMware, Inc
    Inventors: Sachin Shinde, Shirish Vijayvargiya, Amardeep Nagarkar, Sunil Hasbe
  • Publication number: 20240134672
    Abstract: An example method may include determining, by a first program running on a first compute node, that a shared datastore connected to the first compute node includes address information for downloading an agent installer and proxy information for accessing a proxy server. The address information and the proxy information may be stored in the shared datastore by a second program running on a second compute node based on a user-configured input. Further, the method may include reading, by the first program, the proxy information and the address information from the shared datastore. Furthermore, the method may include downloading, by the first program, the agent installer from a destination server corresponding to the address information via a proxy server associated with the proxy information. Further, the method may include executing, by the first program, the agent installer to install the agent on the first compute node.
    Type: Application
    Filed: December 22, 2022
    Publication date: April 25, 2024
    Inventors: LEENA SHUKLENDU SOMAN, RUSHIT NILAY DESAI, SUSHANT SHARAD RAVALE, SACHIN SHINDE, ELANGO MUTHU
  • Patent number: 11949651
    Abstract: In some embodiments, a method stores domain name system (DNS) resolution mappings from a domain name to an address in a first table. The DNS resolution mappings are intercepted from DNS responses being sent by a DNS server. The first table is sent to a manager for validation of the DNS resolution mappings. Then, a second table is received from the manager that contains validated DNS resolution mappings. The method intercepts a DNS response that includes a domain name to address resolution mapping from the DNS server and validates the domain name to address resolution mapping using a validated DNS resolution mapping in the second table.
    Type: Grant
    Filed: February 6, 2023
    Date of Patent: April 2, 2024
    Assignee: VMware LLC
    Inventors: Shirish Vijayvargiya, Sunil Hasbe, Nakul Ogale, Sachin Shinde
  • Patent number: 11934857
    Abstract: Example methods are provided to identify unused memory regions in pages that are allocated for storing executable code. One or more of the unused memory regions are usable as a secure location to store confidential information shared between a hypervisor on the host and a guest (such as a guest virtual computing instance) that runs on the host. The one or more unused memory regions may also be used to store executable code (such as valid executable code of antivirus software or other security program) that has been prevented/delayed in its execution by malicious code that has occupied the pages, thereby providing the executable code with sufficient memory resources to enable the executable code to at least partially complete execution.
    Type: Grant
    Filed: May 18, 2021
    Date of Patent: March 19, 2024
    Assignee: VMware, Inc.
    Inventors: Goresh Musalay, Sachin Shinde, Zubraj Singha, Tanay Ganguly, Kashish Bhatia
  • Publication number: 20240062595
    Abstract: A method of performing diagnostics in a hierarchical diagnostics electrical architecture of a vehicle, the vehicle comprising a plurality of on-board computing devices for hosting the hierarchical diagnostics electrical architecture. The hierarchical diagnostics electrical architecture comprising: a component diagnostic layer having a plurality of electronic control units each comprising a diagnostics server module; and at least one supervisory diagnostic layer.
    Type: Application
    Filed: October 31, 2023
    Publication date: February 22, 2024
    Inventors: Dibyendu PALAI, Sachin SHINDE
  • Patent number: 11847221
    Abstract: System and method for executing scan operations on computing systems use a sparse file that represents a storage device of a computing system to scan a file stored in the storage device. The sparse file is created and mounted to a scanner appliance such that the sparse file appears to a scan engine of the scanner appliance as a local storage device. When a read request for the file stored in the storage device is issued from the scan engine that results in an implicit read request to the sparse file, the implicit read request is trapped. While the implicit read request is trapped, data of the file is retrieved from the storage device of the computing system to the scanner appliance using a communication transport. The retrieved data of the file is then scanned using the scan engine at the scanner appliance.
    Type: Grant
    Filed: April 26, 2021
    Date of Patent: December 19, 2023
    Assignee: VMWARE, INC.
    Inventors: Mandar Nanivadekar, Bharath Kumar Chandrasekhar, Sachin Shinde
  • Patent number: 11842582
    Abstract: A method of performing diagnostics in a hierarchical diagnostics electrical architecture of a vehicle, the vehicle comprising a plurality of on-board computing devices for hosting the hierarchical diagnostics electrical architecture. The hierarchical diagnostics electrical architecture comprising: a component diagnostic layer having a plurality of electronic control units each comprising a diagnostics server module; and at least one supervisory diagnostic layer.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: December 12, 2023
    Assignee: JAGUAR LAND ROVER LIMITED
    Inventors: Dibyendu Palai, Sachin Shinde
  • Publication number: 20230195890
    Abstract: A method of protecting an endpoint against a security threat, wherein the endpoint includes an OS and a separate software entity included in memory pages of the endpoint, includes the steps of: preventing the OS from scheduling any tasks on vCPUs of the endpoint by transferring control of the vCPUs from the OS to the separate software entity; while the OS is prevented from scheduling any tasks on the vCPUs, scanning, by the separate software entity, at least one of a list of processes of the endpoint and a subset of the memory pages of the endpoint, and upon receiving an identification of a malicious process, terminating, by the separate software entity, the malicious process; and after the separate software entity terminates the malicious process, allowing the OS to schedule tasks on the vCPUs by transferring control of the vCPUs from the separate software entity to the OS.
    Type: Application
    Filed: February 16, 2022
    Publication date: June 22, 2023
    Inventors: SACHIN SHINDE, Mandar NANIVADEKAR, Bharath Kumar CHANDRASEKHAR
  • Publication number: 20230188497
    Abstract: In some embodiments, a method stores domain name system (DNS) resolution mappings from a domain name to an address in a first table. The DNS resolution mappings are intercepted from DNS responses being sent by a DNS server. The first table is sent to a manager for validation of the DNS resolution mappings. Then, a second table is received from the manager that contains validated DNS resolution mappings. The method intercepts a DNS response that includes a domain name to address resolution mapping from the DNS server and validates the domain name to address resolution mapping using a validated DNS resolution mapping in the second table.
    Type: Application
    Filed: February 6, 2023
    Publication date: June 15, 2023
    Inventors: Shirish Vijayvargiya, Sunil Hasbe, Nakul Ogale, Sachin Shinde