Abstract: Systems and methods are described for tailoring shareable content object reference model (SCORM)-compliant content to one or more users. A learning management system (LMS), configured to be SCORM-compliant, initiates shareable content object (SCO) to provide content to users. The LMS implements an instance of application programming interface (API) comprising a plurality of functions to be called by SCO during runtime to access data model elements accessible via LMS. The LMS is configured to support one or more data model elements undefined by SCORM. Further, LMS receives a call to a function of the plurality of functions of the API from SCO to access information about users. The call references a name of a data model element undefined by SCORM. The data model element identifies information about users. The LMS provides information about the users to SCO and the SCO tailors the content to the users based on the information.

Abstract: Systems and methods are described for verifying whether simulated phishing communications are allowed to pass by a security system of an email system to email account of users. One or more email accounts of the email system with the security system may be identified to use for a delivery verification campaign. Further, one or more types of simulated phishing communications may be selected from a plurality of types of simulated phishing communications. The delivery verification campaign may be configured to include the selection of the one or more types of simulated phishing communications from the plurality of types of simulated phishing communications. The selected one or more types of simulated phishing communications of the delivery verification campaign may be communicated to the one or more email accounts. Further, whether or not each of the one or more types of simulated phishing communications was allowed by the security system to be received unchanged at the one or more email accounts.

Abstract: Systems and methods are described for tailoring shareable content object reference model (SCORM)-compliant content to one or more users. A learning management system (LMS), configured to be SCORM-compliant, initiates shareable content object (SCO) to provide content to users. The LMS implements an instance of application programming interface (API) comprising a plurality of functions to be called by SCO during runtime to access data model elements accessible via LMS. The LMS is configured to support one or more data model elements undefined by SCORM. Further, LMS receives a call to a function of the plurality of functions of the API from SCO to access information about users. The call references a name of a data model element undefined by SCORM. The data model element identifies information about users. The LMS provides information about the users to SCO and the SCO tailors the content to the users based on the information.

Abstract: Systems and methods are described for tailoring shareable content object reference model (SCORM)-compliant content to one or more users. A learning management system (LMS), configured to be SCORM-compliant, initiates shareable content object (SCO) to provide content to users. The LMS implements an instance of application programming interface (API) comprising a plurality of functions to be called by SCO during runtime to access data model elements accessible via LMS. The LMS is configured to support one or more data model elements undefined by SCORM. Further, LMS receives a call to a function of the plurality of functions of the API from SCO to access information about users. The call references a name of a data model element undefined by SCORM. The data model element identifies information about users. The LMS provides information about the users to SCO and the SCO tailors the content to the users based on the information.

Abstract: Systems and methods are disclosed for analysis of user behavior data to improve security awareness. User behavior data of an organization is received from one or more agents on endpoint devices accessed by the users and using the user behavior data, one or more risk scores representative of the severity of risk associated with the user behavior of the users are determined. Based on the one or more risk scores representative of the severity of risk associated with the user behavior of the users, the behavior of the is determined to pose a security risk to the organization, In response to the determination that the user behavior of the users of the organization poses a security risk to the organization, electronic security awareness training is delivered to the users.

Abstract: Systems and methods are described for verifying whether simulated phishing communications are allowed to pass by a security system of an email system to email account of users. One or more email accounts of the email system with the security system may be identified to use for a delivery verification campaign. Further, one or more types of simulated phishing communications may be selected from a plurality of types of simulated phishing communications. The delivery verification campaign may be configured to include the selection of the one or more types of simulated phishing communications from the plurality of types of simulated phishing communications. The selected one or more types of simulated phishing communications of the delivery verification campaign may be communicated to the one or more email accounts. Further, whether or not each of the one or more types of simulated phishing communications was allowed by the security system to be received unchanged at the one or more email accounts.

Abstract: Systems and methods are described for identifying other instances of messages corresponding to a reported malicious message. A report of a malicious message from a user of a plurality users using a messaging system is received. Responsive to the report of the malicious message, plain text of content selected from the malicious message is provided. Thereafter, one or more segments of the plain text are selected as key content for construction of a search. A search is then executed in the messaging system for one or more other malicious messages corresponding to the reported malicious message using the selected one or more segments of the plain text with one or more match criteria or no criteria. The one or more other malicious messages corresponding to the reported malicious message are identified in the messaging system.

Abstract: Systems and methods are described for tailoring shareable content object reference model (SCORM)-compliant content to one or more users. A learning management system (LMS), configured to be SCORM-compliant, initiates shareable content object (SCO) to provide content to users. The LMS implements an instance of application programming interface (API) comprising a plurality of functions to be called by SCO during runtime to access data model elements accessible via LMS. The LMS is configured to support one or more data model elements undefined by SCORM. Further, LMS receives a call to a function of the plurality of functions of the API from SCO to access information about users. The call references a name of a data model element undefined by SCORM. The data model element identifies information about users. The LMS provides information about the users to SCO and the SCO tailors the content to the users based on the information.

Abstract: Systems and methods are described for verifying whether simulated phishing communications are allowed to pass by a security system of an email system to email account of users. One or more email accounts of the email system with the security system may be identified to use for a delivery verification campaign. Further, one or more types of simulated phishing communications may be selected from a plurality of types of simulated phishing communications. The delivery verification campaign may be configured to include the selection of the one or more types of simulated phishing communications from the plurality of types of simulated phishing communications. The selected one or more types of simulated phishing communications of the delivery verification campaign may be communicated to the one or more email accounts. Further, whether or not each of the one or more types of simulated phishing communications was allowed by the security system to be received unchanged at the one or more email accounts.

Abstract: Systems and methods are described for verifying whether simulated phishing communications are allowed to pass by a security system of an email system to email account of users. The delivery verification campaign may be configured to include the selection of the one or more types of simulated phishing communications from the plurality of types of simulated phishing communications. The selected one or more types of simulated phishing communications of the delivery verification campaign may be communicated to one or more email accounts. It is determined whether or not each of the one or more types of simulated phishing communications was allowed by the security system to be received unchanged at the one or more email accounts.

Abstract: Systems and methods are described for tailoring shareable content object reference model (SCORM)-compliant content to one or more users. A learning management system (LMS), configured to be SCORM-compliant, initiates shareable content object (SCO) to provide content to users. The LMS implements an instance of application programming interface (API) comprising a plurality of functions to be called by SCO during runtime to access data model elements accessible via LMS. The LMS is configured to support one or more data model elements undefined by SCORM. Further, LMS receives a call to a function of the plurality of functions of the API from SCO to access information about users. The call references a name of a data model element undefined by SCORM. The data model element identifies information about users. The LMS provides information about the users to SCO and the SCO tailors the content to the users based on the information.

Abstract: Systems and methods are described for verifying whether simulated phishing communications are allowed to pass by a security system of an email system to email account of users. The delivery verification campaign may be configured to include the selection of the one or more types of simulated phishing communications from the plurality of types of simulated phishing communications. The selected one or more types of simulated phishing communications of the delivery verification campaign may be communicated to one or more email accounts. It is determined whether or not each of the one or more types of simulated phishing communications was allowed by the security system to be received unchanged at the one or more email accounts.

Abstract: An endpoint security agent facilitates a security policy on an endpoint computing device. The endpoint agent comprises an engine and one or more plugins that each provide a particular security feature. The endpoint agent receives a policy from a cloud server specifying one or more plug-ins used by the policy and configuration of those plug-ins. The endpoint agent retrieves, installs, and configures the one or more plugins. The endpoint agent updates a communication table with command subscription information obtained from each installed plugin indicating command types subscribed to by each plug-in. When a command is received, a lookup of the command type is performed in the table, and the command is sent to the subscribing plugin.

Abstract: A security server tracks malicious objects detected by malware detection applications that scan for malicious objects on clients. The security server also receives client information from the clients indicating client states. The client state describes one or more protection applications executing on the client that seek to identify and prevent malicious objects from taking malicious actions based on real-time monitoring. Thus, the security server may identify when the protection application fails to detect a malicious object. In addition, the security server maps detection events of malicious objects with corresponding client states to generate aggregate detection information for a population of clients. Analytical data can be derived from the aggregate detection information to identify trends useful for evaluating different types of protection applications.

Abstract: An endpoint security agent facilitates a security policy on an endpoint computing device. The endpoint agent comprises an engine and one or more plugins that each provide a particular security feature. The endpoint agent receives a policy from a cloud server specifying one or more plug-ins used by the policy and configuration of those plug-ins. The endpoint agent retrieves, installs, and configures the one or more plugins. The endpoint agent updates a communication table with command subscription information obtained from each installed plugin indicating command types subscribed to by each plug-in. When a command is received, a lookup of the command type is performed in the table, and the command is sent to the subscribing plugin.

Abstract: An anti-malware application detects and remediates ransomware. The anti-malware application monitors processes executing on a computing device and detects that a process is opening a file for editing. A portion of the original file is saved prior to being edited by the process. Once the edited file is saved, the anti-malware application compares a portion of the edited file to the portion of the original file to determine if the edited file is encrypted. The anti-malware application may determine the process is associated with ransomware based on whether the edited file is encrypted.

Abstract: An anti-malware application analyzes behavior of an executing process to identify ransomware. The anti-malware application detects an untrusted process requesting enumeration of a directory of user files and causes the untrusted process to initially operate on a decoy file that mimics the user files. If the behavior of the untrusted process with respect to the decoy file is indicative of ransomware, the process can be terminated without loss of the user files. The decoy file may be deployed in a way that is undetectable to the user.

Abstract: An anti-malware application detects, stops, and quarantines ransomware. The anti-malware application monitors threads executing on a computing device and detects behaviors that conform to a predefined set of behaviors indicative of ransomware. Responsive to detecting these behaviors, indicators are stored to a log in a storage device. Each of the indicators in the log is associated with respective scores. A running score for each thread is generated by combining the respective scores of the indicators in the log. Responsive to determining that the running score exceeds a predefined threshold score, execution of the thread is terminated. The source ransomware file is then identified and quarantined.

Abstract: An anti-malware application detects, stops, and quarantines ransomware. The anti-malware application monitors threads executing on a computing device and detects behaviors that conform to a predefined set of behaviors indicative of ransomware. Responsive to detecting these behaviors, indicators are stored to a log in a storage device. Each of the indicators in the log is associated with respective scores. A running score for each thread is generated by combining the respective scores of the indicators in the log. Responsive to determining that the running score exceeds a predefined threshold score, execution of the thread is terminated. The source ransomware file is then identified and quarantined.

Abstract: An anti-malware application detects, stops, and quarantines ransomware. The anti-malware application monitors threads executing on a computing device and detects behaviors that conform to a predefined set of behaviors indicative of ransomware. Responsive to detecting these behaviors, indicators are stored to a log in a storage device. Each of the indicators in the log is associated with respective scores. A running score for each thread is generated by combining the respective scores of the indicators in the log. Responsive to determining that the running score exceeds a predefined threshold score, execution of the thread is terminated. The source ransomware file is then identified and quarantined.