Patents by Inventor Sourabh Satish

Sourabh Satish has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9330258
    Abstract: A computer-implemented method for identifying URLs that link to potentially malicious resources may include (1) compiling a set of URLs that link to at least one potentially malicious resource, (2) identifying a common pattern of characters included in the set of URLs that link to the potentially malicious resource, (3) deriving a regular expression capable of being used to identify additional URLs that link to one or more potentially malicious resources based at least in part on the common pattern of characters, and then (4) identifying at least one additional URL that links to at least one potentially malicious resource by (i) applying the regular expression to the additional URL and then (ii) determining that the additional URL links to the potentially malicious resource based at least in part on applying the regular expression to the additional URL. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: May 3, 2016
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Jingjing Ren
  • Patent number: 9332033
    Abstract: A computer-implemented method for enabling community-tested security features for legacy applications may include: 1) identifying a plurality of client systems, 2) identifying a legacy application on a client system within the plurality of client systems, 3) identifying a security-feature-enablement rule for the legacy application, 4) enabling at least one security feature for the legacy application by executing the security-feature-enablement rule, 5) determining the impact of the security-feature-enablement rule on the health of the legacy application, and then 6) relaying the impact of the security-feature-enablement rule on the health of the legacy application to a server. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: January 24, 2014
    Date of Patent: May 3, 2016
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Sourabh Satish
  • Patent number: 9323924
    Abstract: A disclosed method may include (1) tracking the health of a computing system over time by calculating, for each of several time periods, a health metric that indicates the computing system's health during the time period, (2) evaluating the health metrics of the time periods to identify an anomalous time period during which the health of the computing system changed, (3) locating one or more files that were present on the computing system during the anomalous time period and absent from the computing system during one or more other time periods, and (4) basing a reputation for the file(s) on an association between the file(s) and the computing system that includes the anomalous time period and excludes the other time period. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 9, 2014
    Date of Patent: April 26, 2016
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Acar Tamersoy, Sourabh Satish
  • Patent number: 9323930
    Abstract: A computer-implemented method for reporting security vulnerabilities may include (1) detecting that a malware application is present on an endpoint computing system, (2) determining a window of time during which the malware application was present in a specified condition on the endpoint computing system, (3) logging a list of sensitive data items accessed during the window of time, and (4) conditioning performance of a security action to report the list of sensitive data items on a determination that both (A) a length of the window of time is longer than a security threshold length and is indicative of the malware application being located on the endpoint computing system long enough to potentially compromise a sensitive data item and (B) the malware application was accessed during the window of time. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 19, 2014
    Date of Patent: April 26, 2016
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 9276947
    Abstract: A query is received from a client device regarding an object. The query includes an identifier of the object and a set of associated usage attributes describing a usage of the object on the client device. A set of usage facts associated with the identified object is identified. The set of usage facts describe typical usages of the object on a plurality of client devices. A determination is made whether the usage of the object on the client device is suspicious based on the set of usage facts associated with the object and the set of usage attributes included in the query. A report is provided to the client device based on the determination.
    Type: Grant
    Filed: June 11, 2015
    Date of Patent: March 1, 2016
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 9246931
    Abstract: A communication between an entity and a host is identified. Reputation information associated with a set of other entities that communicate with the host is identified. A reputation score associated with the host is generated based on the reputation information associated with a set of other entities. A reputation score associated with the entity is generated based on the reputation score associated with the host.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: January 26, 2016
    Assignee: Symantec Corporation
    Inventors: Carey S. Nachenberg, Sourabh Satish
  • Patent number: 9246887
    Abstract: Method and apparatus for securing confidential data related to a user in a computer is described. In one example, rules are obtained that provide a representation of the confidential data. A storage system in the computer is searched using the rules to detect a file having at least a portion of the confidential data. The file is encrypted in-place within the storage system using symmetric encryption based on a secret associated with the user.
    Type: Grant
    Filed: July 14, 2014
    Date of Patent: January 26, 2016
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Brian Hernacki
  • Patent number: 9245123
    Abstract: The disclosed computer-implemented method for identifying malicious files may include (1) identifying different instances of a file that is subject to a security evaluation, (2) identifying, within a field for each of the different instances, an attribute of the different instance that associates the different instance with a respective application, (3) determining that the respective applications to which the different instances of the file are associated are distinct applications and are known to be safe, (4) adjusting a security policy for the file, by increasing an estimation that the file is malicious, based on the determination that the respective applications are distinct applications and are known to be safe, and (5) classifying, in a software security system, the file as malicious based on the adjusted security policy that increased the estimation that the file is malicious. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 11, 2014
    Date of Patent: January 26, 2016
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 9235390
    Abstract: The popularity of various application features is tracked, and applications are compiled or otherwise configured for optimization based on the use of the more popular features. More specifically, application features are mapped to corresponding sections of underlying code, and compiler directives are generated to direct a compiler to optimize the application for the performance of specific application features, based on their popularity. This way, the application is compiled for use at an application feature level, rather than for size or speed generally. In another embodiment, the optimization is performed after compile time, by rearranging object code pages of an executable image, based on corresponding application feature popularity.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: January 12, 2016
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Brian Hernacki
  • Patent number: 9230115
    Abstract: Attacks are simulated to a user, by performing the steps of the attacks without actually performing any malicious activity. Educational security information is displayed to the user, based on the user's response to simulated attacks. If the user responds to a simulated attack in a manner indicating that the user is vulnerable, educational security information can be displayed that educates the user as to how to avoid being victimized. One or more security settings for protecting the user's computer from malware can be adjusted, based on the user's response to the simulating of attacks. Additionally, other factors can be adjusted based on the user's response to the simulating of attacks, such as a security hygiene rating and/or a level of monitoring activity concerning the user.
    Type: Grant
    Filed: November 21, 2014
    Date of Patent: January 5, 2016
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 9230105
    Abstract: Telemetry data concerning web pages that users attempt to access containing fields prompting entry of personal information is received from many client computers over time. Based on the telemetry data, it is determined which fields prompting entry of personal information are expected to be present on specific web pages. The fields prompting entry of personal information on web pages users attempt to access are compared to the fields expected to be present. When a specific user attempts to access a specific web page in real-time, it can be adjudicated on-the-fly that the web page is suspicious, based on the web page containing at least one unexpected field. Correlations between web pages containing specific unexpected fields and the hygiene ratings of the users attempting to access the web pages when the unexpected fields are encountered can be tracked and taken into account in the adjudication of web pages.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: January 5, 2016
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Abubakar A. Wawda
  • Patent number: 9231969
    Abstract: The creations of objects by files that have not been previously identified as malware are tracked. The security reputations of specific created objects are determined. Based on the determined security reputations of specific created objects, the security risks concerning the specific files that created the objects are determined. Responsive to whether a determined security risk concerning a specific creating file meets a given threshold, it is determined whether the specific creating file comprises malware. Responsive to determining that a specific creating file comprises malware, the creating file is blocked from performing the activity associated with the creation of the associated object. Responsive to determining that a creating file comprises malware, the creating file can be disabled, and an alert concerning the creating file can be transmitted to a central security server.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: January 5, 2016
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 9223966
    Abstract: The disclosed computer-implemented method for replicating computing system environments may include (1) identifying each application installed on a plurality of computing systems, (2) creating, within a virtual machine image, virtual containers that store each application installed on the plurality of computing systems, (3) determining that a potentially malicious file is directed to a target computing system within the plurality of computing systems, (4) identifying each application installed on the target computing system, (5) in response to determining that the file is directed to the target computing system, replicating a configuration of the target computing system within the virtual machine image by, for each application installed on the target computing system, activating a virtual container that stores the application, and (6) determining how the file would affect the target computing system by sending the file to the virtual machine image and analyzing how the file impacts the virtual machine image.
    Type: Grant
    Filed: May 4, 2014
    Date of Patent: December 29, 2015
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Abubakar A. Wawda
  • Patent number: 9171253
    Abstract: A plurality of classifiers is identified. A set of test cases is selected based on time. The set of test cases are grouped into a plurality of datasets based on time where each of the plurality of datasets is associated with a corresponding interval of time. Each of the plurality of classifiers is applied to each of the plurality of datasets to generate classifications for test cases in each of the plurality of datasets. For each of the plurality of classifiers, a classification performance score is determined for each of the plurality of datasets based on the classifications generated for the test cases of each dataset. A classifier is selected from among the plurality of classifiers for production based on the classification performance scores of each of the plurality of classifiers across the plurality of datasets.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: October 27, 2015
    Assignee: Symantec Corporation
    Inventors: Adam Wright, Sourabh Satish, Jeffrey Wilhelm
  • Patent number: 9152703
    Abstract: A computer-implemented method for clustering data samples may include (1) identifying a plurality of samples, (2) identifying a plurality of candidate features, (3) identifying a plurality of candidate distance functions, (4) selecting a distance function by (i) selecting a set of features based on determining that a result of clustering a training set of samples using the set of features and the distance function fits an expected clustering of the training set of samples more closely than results from using an alternative set of features and (ii) determining that the result of clustering the training set using the set of features and the distance function fits the expected clustering of the training set of samples more closely than a best result of any other distance function, and (5) clustering the plurality of samples using the set of features and the distance function. Various other methods and systems are also disclosed.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: October 6, 2015
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Publication number: 20150281268
    Abstract: A query is received from a client device regarding an object. The query includes an identifier of the object and a set of associated usage attributes describing a usage of the object on the client device. A set of usage facts associated with the identified object is identified. The set of usage facts describe typical usages of the object on a plurality of client devices. A determination is made whether the usage of the object on the client device is suspicious based on the set of usage facts associated with the object and the set of usage attributes included in the query. A report is provided to the client device based on the determination.
    Type: Application
    Filed: June 11, 2015
    Publication date: October 1, 2015
    Inventor: Sourabh Satish
  • Patent number: 9141795
    Abstract: Techniques for detecting malicious activity are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting malicious activity including receiving information indicating a first process being executed, the first process including a plurality of first process components, receiving information specific to at least one of the plurality of first process components, determining whether the first process exhibits malicious behavior; and identifying which of the plurality of first process components is responsible for the malicious behavior based on the received information.
    Type: Grant
    Filed: May 3, 2013
    Date of Patent: September 22, 2015
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 9130962
    Abstract: Reputations of domain registrars are calculated based on the hosting of risky domains. The more undesirable domains a registrar hosts, the lower is its reputation. The risk level of the hosted domains is also a factor in determining the reputation. When a user attempts to access a hosted domain, the calculated reputation of the hosting domain registrar is used in determining what security steps to apply to the access attempt. The worse the reputation of the hosting registrar, the more security is applied, all else being equal.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: September 8, 2015
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, Sourabh Satish
  • Patent number: 9083729
    Abstract: A computer-implemented method for determining that uniform resource locators are malicious may include identifying a uniform resource locator that may be posted on a social networking platform and that may be subject to a security assessment, gathering contextual data from the social networking platform that describes at least one instance of the uniform resource locator within the social networking platform, generating, based on the contextual data, a social fingerprint of the uniform resource locator and classifying the uniform resource locator as malicious based at least in part on the social fingerprint. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: January 15, 2013
    Date of Patent: July 14, 2015
    Assignee: Symantec Corporation
    Inventors: Nishant Doshi, Sourabh Satish
  • Patent number: 9075989
    Abstract: A query is received from a client device regarding an object. The query includes an identifier of the object and a set of associated usage attributes describing a usage of the object on the client device. A set of usage facts associated with the identified object is identified. The set of usage facts describe typical usages of the object on a plurality of client devices. A determination is made whether the usage of the object on the client device is suspicious based on the set of usage facts associated with the object and the set of usage attributes included in the query. A report is provided to the client device based on the determination.
    Type: Grant
    Filed: July 11, 2013
    Date of Patent: July 7, 2015
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish