Abstract: A computer-implemented method for looking up anti-malware metadata may include identifying a plurality of executable objects to be scanned for malware before execution. The computer-implemented method may also include, for each executable object within the plurality of executable objects, assessing an imminence of execution of the executable object. The computer-implemented method may further include prioritizing, based on the assessments, a retrieval order for anti-malware metadata corresponding to the plurality of executable objects. The computer-implemented method may additionally include retrieving anti-malware metadata corresponding to an executable object within the plurality of executable objects based on the retrieval order. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: When a program is loaded for execution, all code pages of the program except the one containing the entry point are set to be non-executable. When the executing program attempts to jump between code pages, an exception is thrown. Responsive to such an exception, a control flow graph of the program is examined, to determine if the attempted jump between code pages is expected. If the attempted jump is not expected, it is determined that the program is attempting a malicious activity. If the attempted jump is expected, the code page to which the program is attempting to jump is set to be executable, and control is returned to the program such that the jump executes.

Abstract: A computer-implemented method for user-specific tuning of classification heuristics may include: 1) identifying a trusted software component on the computing device that has been excluded from analysis by a classification heuristic, 2) applying the classification heuristic to the trusted software component, 3) determining that the classification heuristic incorrectly classified the trusted software component, and then 4) lowering a confidence score associated with the classification heuristic.

Abstract: Incoming network traffic is monitored, and content-based files in the monitored incoming network traffic originating from remote sources are identified. When a specific content-based file originating from a remote source is identified, security information concerning that file is gleaned. This security information comprises at least a security reputation of the remote source from which the file originates. An attempt to open the file is identified, and a security risk rating is determined based on the security information concerning the file. In response to the security risk rating exceeding a given threshold, behavior associated with the attempt to open the file is altered. This altering of behavior can comprise, for example, disabling a scripting engine for the instance of the content processing application attempting to open the file, or altering file system and/or operating system resource access privileges.

Abstract: A computer-implemented method for preventing modification of network resources in the absence of a user's consent is disclosed. The method may comprise: 1) identifying an attempt to modify a network resource, 2) administering a human-verification test, and 3) determining, based on the outcome of the human-verification test, whether to prevent modification of the network resource. In addition, a computer-implemented method for preventing unauthorized communication with network resources may comprise: 1) identifying a communication attempt between a network resource and an untrusted resource, 2) determining whether communication between the network resource and the untrusted resource is authorized, and 3) determining, based on whether communication between the network resource and the untrusted resource is authorized, whether to allow communication between the network resource and the untrusted resource. Corresponding systems and computer-readable media are also disclosed.

Abstract: A system, method, and computer program product for detecting malware in a software package on a computer having an operating system is disclosed. A software package can include various files and processes. A process monitoring module monitors a process associated with the software package and detects when the monitored process requests access to a system process or other operating system object. A constrained process manager provides a constrained object to the monitored process in response to the request. The constrained object generally has less access to computer system resources than the system process. A malware detection module then observes interactions between the monitored process and the constrained object and determines whether the monitored process contains malware based on these interactions.

Abstract: The role of a user within an organization is automatically determined based on the classification of applications and content on the user's computer. Applications and files installed on a user's computer are identified. Identified applications and files that are not indicative of the role of the user within the organization are filtered out. The non-filtered out applications are functionally classified according to associated roles within the organization, based on predetermined functional classification information. The non-filtered out files are also functionally classified, based on predetermined functional classification information concerning types of files associated with specific organizational roles. The content of files that are of types not indicative of the user's organizational role can be analyzed, and these files can be functionally classified based on their content. The functional classifications are used in determining the role of the user.

Abstract: Techniques for managing search engine results may include, for example, a method for managing search engine results comprising receiving a search engine result and associated summary content, receiving requested content associated with the search engine result, comparing, using a computer processor, the summary content and the received requested content, and performing one or more actions in the event the summary content does not match the received requested content.

Abstract: A security module on a computing device applies security rules to examine content in a network cache and identify suspicious cache content. Cache content is identified as suspicious according to security rules, such as a rule determining whether the cache content is associated with modified-time set into the future, and a rule determining whether the cache content was created in a low-security environment. The security module may establish an out-of-band connection with the websites from which the cache content originated through a high security access network to receive responses from the websites, and use the responses to determine whether the cache content is suspicious cache content. Suspicious cache content is removed from the network cache to prevent the suspicious cache content from carrying out malicious activities.

Abstract: A request to send a JIT component to a streaming client is received. A network capability rating of the network over which the JIT component is to be sent to the streaming client is determined, and a client capability rating of the streaming client is determined. A transmission language format in which to send the JIT component to the streaming client is determined based on at least the network capability rating and the client capability rating. The JIT component is obtained in the transmission language format and sent to the streaming client over the network. In some embodiments, a transmission language format is determined for each sub-component of the component based on the network capability rating, the streaming client rating, and a sub-component characteristic rating.

Abstract: The launch of an installer or uninstaller is detected. A process lineage tree is created representing the detected launched installer/uninstaller process, and all processes launched directly and indirectly thereby. The detected installer/uninstaller process is represented by the root node in the process lineage tree. Launches of child processes by the installer/uninstaller process and by any subsequently launched child processes are detected. The launched child processes are represented by child nodes in the tree. As long as the installer/uninstaller process represented by the root node in the tree is running, the processes represented by nodes in tree are exempted from anti-malware analysis. The termination of the installer/uninstaller process is detected, after which the processes represented by nodes in the process lineage tree are no longer exempted from anti-malware analysis.

Abstract: A computer-implemented method for revoking digital signatures may include (1) identifying an executable file signed with a digital signature, (2) determining that the executable file is subject to a revocation check used to determine whether the digital signature has been revoked, (3) classifying the executable file based on at least one attribute of the executable file, (4) determining, based on the classification of the executable file, that the executable file is a member of a revocation group, wherein a status identifier associated with the revocation group indicates whether any member of the revocation group has a digital signature revocation, (5) determining, based on the status identifier associated with the revocation group, that the digital signature of the executable file has potentially been revoked, and then (6) performing the revocation check on the executable file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Method and apparatus for identifying a web server is described. In some examples, an initial request by a client to an intended web server is identified. A fingerprint for the intended web server is determined responsive to the initial request. A subsequent request by the client to the intended web server is detected. A response to the subsequent request is received from a responding web server. Verification of the responding web server as the intended web server is performed using the fingerprint.

Abstract: A method and apparatus for enabling e-mail routing and filtering based on dynamic identities is presented. In one embodiment, the method includes provisioning a new e-mail address, and notifying an e-mail backend of the provisioned address wherein the provisioned address includes a list of authorized senders.

Abstract: A method for assessing network safety using a computer health metric comprises processing internet resource information, wherein a portion of the internet resource information comprises one or more internet resources that were accessed during a period of network activity associated with an impact on a computer health and analyzing one or more internet resource to determine a candidate internet resource, wherein a candidate internet resource is related to the impact on computer health.

Abstract: A computer-implemented method for alternating malware classifiers in an attempt to frustrate brute-force malware testing may include (1) providing a group of heuristic-based classifiers for detecting malware, wherein each classifier within the group differs from all other classifiers within the group but has an accuracy rate that is substantially similar to all other classifiers within the group, (2) including the group of classifiers within a security-software product, and (3) alternating the security-software product's use of the classifiers within the group in an attempt to frustrate brute-force malware testing by (a) randomly selecting and activating an initial classifier from within the group and then, upon completion of a select interval, (b) replacing the initial classifier with an additional classifier randomly selected from within the group. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: An attempted exploit of a vulnerability of an application executed by a computer is detected. The exploit attempts to call an application programming interface (API) and abuse application data through a malicious parameter of the call. The API of the application is hooked and monitored for a call made to the hooked API. A parameter of the call is analyzed to determine whether the parameter has a malicious characteristic indicating an attempt to use data within an address space of the application to execute malicious software. A remediation action is taken responsive to determining that the parameter has a malicious characteristic.

Abstract: A file on a computer system is evaluated against trust criteria to determine whether the file is compatible with the trust criteria. Responsive to the file being incompatible with the trust criteria, the file is assigned to a package. Files assigned to the package are tracked to determine whether the files collectively perform malicious behavior. The package is convicted as malware responsive to the files in the package collectively performing malicious behavior.

Abstract: Installation events associated with a software application are received from a plurality of clients. A rate at which the software application was uninstalled on the plurality of clients is determined based on the installation events. A reputation score is generated based on the rate at which the software application was uninstalled on the plurality of clients. A reputation score is generated for the software application responsive to the installation event and the performance data. The reputation score storied in association with the software application.

Abstract: A decision tree for classifying computer files is constructed. Computational complexities of a set of candidate attributes are determined. A set of attribute vectors are created for a set of training files with known classification. A node is created to represent the set. A weighted impurity reduction score is calculated for each candidate attribute based on the computational complexity of the attribute. If a stopping criterion is satisfied then the node is set as a leaf node. Otherwise the node is set as a branch node and the attribute with the highest weighted impurity reduction score is selected as the splitting attribute for the branch node. The set of attribute vectors are split into subsets based on their attribute values of the splitting attribute. The above process is repeated for each subset. The tree is then pruned based on the computational complexities of the splitting attributes.