Abstract: Techniques are disclosed for identifying legitimate files using a hash-based cloud reputation using parts of a file to generate a hash value for reputation score lookup. A reputation service receives a request for a reputation score associated with a file. The request specifies a hash value for the file. The hash value is generated based on one or more parts of the file. The service identifies one of a plurality of file clusters that includes one or more files that matches to the specified hash value. The service determines a reputation score for the file based on the identified file cluster. The reputation score indicates a rating of the file based on a distribution of the file in a user base. The service returns the reputation score in response to the request.

Abstract: The disclosed computer-implemented method for determining reputations of digital certificate signers may include (i) identifying a group of endpoint devices that have accessed files to which a digital certificate signer has attached digital certificates that assert the files are legitimate, (ii) determining, for each endpoint device, whether a security state of the endpoint device is compromised or uncompromised based on a security analysis of computing events detected on the endpoint device, (iii) classifying the digital certificate signer as potentially malicious by determining that the files were accessed more frequently by endpoint devices with compromised security states than by endpoint devices with uncompromised security states, and (iv) protecting a security state of an additional endpoint device by preventing the additional endpoint device from accessing a file with a digital certificate signed by the digital certificate signer.