Abstract: In one embodiment, a method includes identifying, using one or more processors, a plurality of characteristics of a Portable Document Format (PDF) file. The method also includes determining, using the one or more processors, for each of the plurality of characteristics, a score corresponding to the characteristic. In addition, the method includes comparing, using the one or more processors, the determined scores to a first threshold. Based at least on the comparison of the determined scores to the first threshold, the method includes determining, using the one or more processors, that the PDF file is potential malware.

Abstract: In certain embodiments, a method includes receiving, at a first malware detection node, from a malware detection system a request to apply a first malware detection technique to a file. The malware detection system is configured to determine whether the file is suspected malware by analyzing a plurality of predefined result states received in response to the first malware detection node applying the first malware detection technique to the file and a second malware detection node applying a second malware detection technique to the file. The method includes receiving at least one result from a malware detection engine of applying the first malware detection technique to the file and determining at least one predefined result state based on the received at least one result. The method includes reporting, by the first malware detection node, the at least one predefined result state to the malware detection system.

Abstract: In certain embodiments, a computer-implemented method comprises receiving, via a computer network and from a first computer system, a first malware analysis request. The first malware analysis request comprises a file to be analyzed for malware by a malware analysis system. The method includes initiating a malware analysis by the malware analysis system of the first file for malware. The method includes communicating to the first computer system a response for the first file determined by the malware analysis system to the first computer system. The response comprises an indication of whether the first file comprises malware.

Abstract: In accordance with particular embodiments, a method includes intercepting a communication and extracting metadata associated with the communication. The extracted metadata comprises a plurality of different fields from communication metadata and file metadata. The method further includes determining a score, based on previous communications, for each field of the extracted metadata. The score is indicative of a likelihood that the communication is a malicious communication. The method additionally includes combining the scores to generate a combined score for the communication based on an algorithm developed from the previous communications. The method also includes generating, based on the combined score at a first time, a predicted classification as to whether the communication is a malicious communication.

Abstract: According to one embodiment, a computer-implemented method for execution on one or more processors includes receiving a first file and determining a file type of the first file. The method also includes determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file. In addition, the method includes scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy. Further, the method includes determining, in response to determining the results of applying the plurality of malware detection schemes, that the first file is malware or determining that the first file is suspected malware according to a third policy.

Abstract: A computer-implemented method includes accessing, by an analysis console, information related to a first file received at a first host of a plurality of hosts. Each host is capable of running a corresponding set of malware detection processes. The information includes: an identifier of the first file; and data indicating a first result of the first host applying the set of malware detection processes to the first file. The identifier is generated by the first host and is usable by each of the hosts to determine whether a second file comprises content substantially equivalent to content of the first file. The analysis console generates a first output including: the identifier of the first file; and a second result indicating whether the first file comprises malware. The second result is usable by each of the hosts to determine whether the second file comprises malware. The first output is propagated to the hosts.

Abstract: In accordance with particular embodiments, a computer-implemented method for execution by one or more processors includes intercepting a communication comprising a message. The method also includes identifying words from within the message. The method further includes storing in a dictionary words from within the message of the communication and one or more parameters of the communication for each of the words. The dictionary comprises a plurality of words from a plurality of intercepted text-based communications. The method also includes receiving an encrypted file that is configured to be decrypted using a password. The method additionally includes identifying words from the dictionary to be used to attempt to decrypt the encrypted file. The identified words are identified based on at least one parameter associated with the encrypted file and the one or more parameters stored in the dictionary.

Abstract: According to one embodiment, a computer-implemented method includes accessing, using one or more processing units, a first file of a plurality of files requested to be analyzed for malware. Each of the plurality of files corresponds to a respective remote client of a plurality of remote clients. Further, the method includes: processing, using the one or more processing units, an analysis of the first file for malware; and generating an output comprising an indication of whether the first file comprises malware. The method also includes accessing, using the one or more processing units, an address for a first remote client of the plurality of remote clients. The first remote client is the respective remote client corresponding to the first file. In addition, the method includes: sending, using the one or more processing units, the output in a communication addressed to the first remote client corresponding to the first file.

Abstract: In one embodiment, a method includes identifying a plurality of portions of a file and comparing the plurality of portions of the file to a plurality of stored patterns. The plurality of stored patterns include portions of known malware. The method also includes determining, from the plurality of portions of the file and based on the comparing of the plurality of portions of the file to the plurality of stored patterns, a set of matching portions. The set of matching portions include one or more of the plurality of portions of the file. In addition, the method includes determining a score for each portion in the set of matching portions and providing information regarding the set of matching portions. The information includes the scores determined for each portion of the set of matching portions.

Abstract: In certain embodiments, a computer-implemented method includes accessing information related to a first file determined to satisfy at least one of a plurality of suspected malware conditions. A first of a number of manager consoles may access the information, each manager console being communicatively coupled to a respective network of a number of networks. A request may be generated for a determination of whether the first file comprises malware. The determination may be conducted at a master manager console. Data may be accessed indicating a result, outputted by the master manager console, of the determination of whether the first file comprises malware. A sharing policy may be accessed and used to determine whether the result is sharable with a second one of the manager consoles. If the result is sharable, a message comprising the result may be generated to be sent to the second manager console.

Abstract: According to one embodiment, a computer-implemented method includes: accessing a set of configuration parameters, accessing a set of identifiers of files known not to be malware, and accessing a set of identifiers of files known to be malware. Further, the method includes: comparing a first file to the set of configuration parameters, determining that a first hash of the first file is not in the set of identifiers of files known not to be malware and that the first hash is not in the set of identifiers of files known to be malware, and sending the at least one file and information related to the at least one file to be analyzed for malware. The method includes deleting the set of configuration parameters, the set of identifiers of files known not to be malware, and the set of identifiers of files known to be malware after sending the first file.

Abstract: In one embodiment, a method includes identifying, using one or more processors, a plurality of characteristics of a Portable Document Format (PDF) file. The method also includes determining, using the one or more processors, for each of the plurality of characteristics, a score corresponding to the characteristic. In addition, the method includes comparing, using the one or more processors, the determined scores to a first threshold. Based at least on the comparison of the determined scores to the first threshold, the method includes determining, using the one or more processors, that the PDF file is potential malware.

Abstract: In one embodiment, a method includes identifying a plurality of portions of a file and comparing the plurality of portions of the file to a plurality of stored patterns. The plurality of stored patterns include portions of known malware. The method also includes determining, from the plurality of portions of the file and based on the comparing of the plurality of portions of the file to the plurality of stored patterns, a set of matching portions. The set of matching portions include one or more of the plurality of portions of the file. In addition, the method includes determining a score for each portion in the set of matching portions and providing information regarding the set of matching portions. The information includes the scores determined for each portion of the set of matching portions.

Abstract: In accordance with particular embodiments, a method includes intercepting a communication and extracting metadata associated with the communication. The extracted metadata comprises a plurality of different fields from communication metadata and file metadata. The method further includes determining a score, based on previous communications, for each field of the extracted metadata. The score is indicative of a likelihood that the communication is a malicious communication. The method additionally includes combining the scores to generate a combined score for the communication based on an algorithm developed from the previous communications. The method also includes generating, based on the combined score at a first time, a predicted classification as to whether the communication is a malicious communication.

Abstract: In certain embodiments, a computer-implemented method comprises receiving, via a computer network and from a first computer system, a first malware analysis request. The first malware analysis request comprises a file to be analyzed for malware by a malware analysis system. The method includes initiating a malware analysis by the malware analysis system of the first file for malware. The method includes communicating to the first computer system a response for the first file determined by the malware analysis system to the first computer system. The response comprises an indication of whether the first file comprises malware.

Abstract: According to one embodiment, a computer-implemented method includes accessing, using one or more processing units, a first file of a plurality of files requested to be analyzed for malware. Each of the plurality of files corresponds to a respective remote client of a plurality of remote clients. Further, the method includes: processing, using the one or more processing units, an analysis of the first file for malware; and generating an output comprising an indication of whether the first file comprises malware. The method also includes accessing, using the one or more processing units, an address for a first remote client of the plurality of remote clients. The first remote client is the respective remote client corresponding to the first file. In addition, the method includes: sending, using the one or more processing units, the output in a communication addressed to the first remote client corresponding to the first file.

Abstract: In certain embodiments, a computer-implemented method includes accessing information related to a first file determined to satisfy at least one of a plurality of suspected malware conditions. A first of a number of manager consoles may access the information, each manager console being communicatively coupled to a respective network of a number of networks. A request may be generated for a determination of whether the first file comprises malware. The determination may be conducted at a master manager console. Data may be accessed indicating a result, outputted by the master manager console, of the determination of whether the first file comprises malware. A sharing policy may be accessed and used to determine whether the result is sharable with a second one of the manager consoles. If the result is sharable, a message comprising the result may be generated to be sent to the second manager console.

Abstract: A computer-implemented method includes accessing, by an analysis console, information related to a first file received at a first host of a plurality of hosts. Each host is capable of running a corresponding set of malware detection processes. The information includes: an identifier of the first file; and data indicating a first result of the first host applying the set of malware detection processes to the first file. The identifier is generated by the first host and is usable by each of the hosts to determine whether a second file comprises content substantially equivalent to content of the first file. The analysis console generates a first output including: the identifier of the first file; and a second result indicating whether the first file comprises malware. The second result is usable by each of the hosts to determine whether the second file comprises malware. The first output is propagated to the hosts.

Abstract: In accordance with particular embodiments, a computer-implemented method for execution by one or more processors includes intercepting a communication comprising a message. The method also includes identifying words from within the message. The method further includes storing in a dictionary words from within the message of the communication and one or more parameters of the communication for each of the words. The dictionary comprises a plurality of words from a plurality of intercepted text-based communications. The method also includes receiving an encrypted file that is configured to be decrypted using a password. The method additionally includes identifying words from the dictionary to be used to attempt to decrypt the encrypted file. The identified words are identified based on at least one parameter associated with the encrypted file and the one or more parameters stored in the dictionary.

Abstract: According to one embodiment, a computer-implemented method for execution on one or more processors includes receiving a first file and determining a file type of the first file. The method also includes determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file. In addition, the method includes scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy. Further, the method includes determining, in response to determining the results of applying the plurality of malware detection schemes, that the first file is malware or determining that the first file is suspected malware according to a third policy.