Abstract: A computer-implemented method for protecting files from malicious encryption attempts may include (1) detecting an attempt to alter a file, (2) identifying at least one characteristic of the attempt to alter the file, (3) determining, based on the characteristic of the attempt to alter the file, that the attempt to alter the file represents a malicious attempt by a third party to encrypt the file, and (4) performing a security action in response to determining that the attempt to alter the file represents a malicious attempt by the third party to encrypt the file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for protecting files from malicious encryption attempts may include (1) detecting an attempt to alter a file, (2) identifying at least one characteristic of the attempt to alter the file, (3) determining, based on the characteristic of the attempt to alter the file, that the attempt to alter the file represents a malicious attempt by a third party to encrypt the file, and (4) performing a security action in response to determining that the attempt to alter the file represents a malicious attempt by the third party to encrypt the file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for preventing heap-spray attacks may include identifying an object-oriented program. The computer-implemented method may also include identifying, within the object-oriented program, a request to allocate memory for a polymorphic object. The polymorphic object may include a pointer to a virtual method table that supports dynamic dispatch for at least one method of the polymorphic object. The computer-implemented method may further include identifying an area of memory reserved for polymorphic objects. The computer-implemented method may additionally include allocating memory for the polymorphic object from the reserved area of memory. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Fake exception handlers resulting from malicious stack buffer overflows that overwrite an exception handling record on the stack are detected. The operating system exception processing logic is monitored. Responsive to an exception occurring, an exception handler to be called by the monitored operating system exception processing logic is identified. A specific number of the first bytes of the identified exception handler are scanned to determine whether a return instruction is present therein. Instructions of the identified exception handler that are positioned prior to the return instruction are analyzed to determine whether they modify the value of the stack pointer so as to shrink the stack. The identified exception handler is adjudicated as being fake, responsive to determining that a return instruction is present in the first specific number of bytes of the exception handler and/or that the instructions positioned prior to the return instruction shrink the stack.

Abstract: A computer-implemented method for preventing threats originating from a non-process based component hosted by a trusted process is described. The loading activity of the trusted process is monitored. A trust level associated with the trusted process is altered when an unverified component is loaded into the trusted process. Events performed by the trusted process are monitored. An unverified component that originated the event is identified. The trusted process is terminated based on a security risk associated with the unverified component that originated the event.