Virus Detection Patents (Class 726/24)
  • Patent number: 9614865
    Abstract: A host-based antimalware client can interface with a server-based antimalware support server. A file is identified at a host device. It is determined whether local reputation data for the file is available at the host device for the file. A query is sent to an antimalware support system relating to the file. Particular reputation data is received from the antimalware support system corresponding to the query. It is determined whether to allow the file to be loaded on the host device based at least in part on the particular reputation data.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: April 4, 2017
    Assignee: McAfee, Inc.
    Inventors: John Teddy, James Douglas Bean, Gregory William Dalcher, Jeff Hetzler
  • Patent number: 9613209
    Abstract: An anti-malware program monitors the behavior of a system after a system restore to determine the likelihood of a hidden infection of malicious code still existing after the system restore. The anti-malware program observes the dynamic behavior of the system by monitoring conditions that are likely to signify the possibility of an infection thereby necessitating the need to initiate anti-malware detection. The anti-malware program may observe the restoration history, system settings, malware infection history, to determine the likelihood of an existing hidden infection after a system restore.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: April 4, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Vishal Kapoor, Jason Joyce, Gregory Nichols
  • Patent number: 9607151
    Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or data isolation. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a rootkit defense mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or prevention of malicious code, for example, in a manner/context that is isolated and not able to be corrupted, detected, prevented, bypassed, and/or otherwise affected by the malicious code.
    Type: Grant
    Filed: December 26, 2014
    Date of Patent: March 28, 2017
    Assignee: Lynx Software Technologies, Inc.
    Inventors: Edward T. Mooring, Phillip Yankovsky
  • Patent number: 9606822
    Abstract: Virtual machines are made lightweight by substituting a library operating system for a full-fledged operating system. Consequently, physical machines can include substantially more virtual machines than otherwise possible. Moreover, a hibernation technique can be employed with respect to lightweight virtual machines to further increase the capacity of physical machines. More specifically, virtual machines can be loaded onto physical machines on-demand and removed from physical machines to make computational resources available as needed. Still further yet, since the virtual machines are lightweight, they can be hibernated and restored at a rate substantially imperceptible to users.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: March 28, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Galen C. Hunt, Reuben R. Olinsky
  • Patent number: 9602521
    Abstract: Some examples of security cloud computing environments can be implemented as methods. A processor of a first computer system that lacks permission to store data in a cloud computing environment receives data to be stored in the cloud computing environment. The data is received from a second computer system implementing the cloud computing environment and having permissions to store data in the cloud computing environment. The processor of the first computer system determines that the received data is safe for storage in the cloud computing environment. The processor of the first computer system provides a notification to the second computer system indicating that the received data is safe for storage in the cloud computing environment, and an identifier that points to the stored data at the computer-readable storage medium.
    Type: Grant
    Filed: June 17, 2016
    Date of Patent: March 21, 2017
    Assignee: SAP SE
    Inventors: Hristo Iliev, Stoyan Boshev
  • Patent number: 9596257
    Abstract: A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device's operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application's status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application.
    Type: Grant
    Filed: September 11, 2015
    Date of Patent: March 14, 2017
    Assignee: McAfee, Inc.
    Inventors: Sudeep Das, Jayasankar Divakarla, Pramod Sharma
  • Patent number: 9594899
    Abstract: A power charger includes a first storage area to store control software, a charging circuit to send power through an interface, and a processor to generate at least one control signal based on the control software. The power to be sent through the interface is to charge a battery of a device coupled to the interface, and the at least one control signal includes information to cause a monitoring operation to be performed to determine a status of the device.
    Type: Grant
    Filed: December 30, 2011
    Date of Patent: March 14, 2017
    Assignee: Intel Corporation
    Inventors: Bevin R. Brett, Paul M. Petersen
  • Patent number: 9589132
    Abstract: A security system and method efficiently monitors and secures a computer to defend against malicious intrusions, and includes an in-band software monitor disposed within a kernel in communication with an operating system (OS) of the computer. The monitor intercepts system calls made from an MSR (Model Specific Register), to execute monitoring operations, and subsequently returns execution to the OS. An out-of-band hypervisor communicably coupled to the OS, has read shadow means for trapping read requests to the MSR, and write mask means for trapping write requests to the MSR. The hypervisor includes means for responding to the trapped read and write requests so that presence of the monitor is obscured.
    Type: Grant
    Filed: April 11, 2016
    Date of Patent: March 7, 2017
    Assignee: Barkly Protects, Inc.
    Inventors: Kirk R. Swidowski, Ryan J. Berg, Stephen C. Carlucci, John J. Danahy
  • Patent number: 9589136
    Abstract: Examples of extracting a message format are disclosed. Extracting the message format may include capturing an execution trace of a malicious program client and identifying and analyzing a processing procedure of a message in the execution trace. An input message format is identified based on the analysis, where the input message format is of a communication protocol used by a malicious program. The examples of identifying the message format provide increased extraction efficiency, accurate analysis and positioning, and a reduced rate of false positives.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: March 7, 2017
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Zan Zou, Xiaokang Zhang, Zhi Wang, Chunfu Jia, Lu Liu
  • Patent number: 9582662
    Abstract: Systems and techniques are provided for creating sensor based rules for detecting and responding to malicious activity. Evidence corresponding to a malicious activity is received. The evidence corresponding to malicious activity is analyzed. Indicators are identified from the evidence. The indicators are extracted from the evidence. It is determined that an action to mitigate or detect a threat needs to be taken based on the indicators and evidence. A sensor to employ the prescribed action is identified. Whether a sensor based rule meets a threshold requirement is validated. A configuration file used to task the sensor based rule to the identified sensor is created. The number of sensor based rule triggers is tracked.
    Type: Grant
    Filed: October 6, 2014
    Date of Patent: February 28, 2017
    Assignee: Analyst Platform, LLC
    Inventors: Russell Scott Messick, Jason Daniel Smith
  • Patent number: 9584550
    Abstract: Various techniques for exploit detection based on heap spray detection are disclosed. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray in memory while executing the program in the virtual environment. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray related malware in response to a modification of an execution environment in the virtual environment.
    Type: Grant
    Filed: March 10, 2016
    Date of Patent: February 28, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventors: Bo Qu, Kyle Sanders, Xinran Wang
  • Patent number: 9576032
    Abstract: A computer system receives input of a search term for a query. The search term is related to equipment. The computer system identifies a key that corresponds to the search term and dynamically obtains content that is associated with the key from data sources. The data sources include structured data that is associated with the equipment and unstructured data that is associated with the equipment. The computer system automatically populates a results page template that is associated with the key with the content from the data sources to create a results page that includes the equipment related results for the query.
    Type: Grant
    Filed: February 19, 2013
    Date of Patent: February 21, 2017
    Assignee: APPLIED MATERIALS, INC.
    Inventor: Erik Wolf
  • Patent number: 9571453
    Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
    Type: Grant
    Filed: December 24, 2013
    Date of Patent: February 14, 2017
    Assignee: CrowdStrike, Inc.
    Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
  • Patent number: 9571520
    Abstract: A method for preventing malware attacks includes the steps of detecting an attempt on an electronic device to access a task scheduler, determining an entity associated with the attempt to access the task scheduler, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the attempted access to the task scheduler. The task scheduler is configured to launch one or more applications at a specified time or interval.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: February 14, 2017
    Assignee: McAfee, Inc.
    Inventors: Anil Ramabhatta, Harinath Vishwanath Ramachetty, Nandi Dharma Kishore
  • Patent number: 9563577
    Abstract: A method and system for detecting tampering of authenticated memory blocks that are accessible by an untrusted host processor by (1) periodically re-authenticating the memory blocks from a trusted computing environment, and (2) disabling accessing of the memory blocks by the untrusted host processor when the re-authenticating fails. In one implementation, each of the memory blocks has an authentication code, and the accessing of the memory blocks is disabled by disabling the untrusted host processor. The memory blocks may be re-authenticated sequentially or randomly, e.g., based on a random block selection based on the block location, or based on temporal randomness. The re-authenticating is preferably effected by an authentication module in the trusted computing environment.
    Type: Grant
    Filed: February 18, 2015
    Date of Patent: February 7, 2017
    Assignee: Synopsys, Inc.
    Inventors: Michael Kenneth Bowler, Andrew Alexander Elias
  • Patent number: 9560059
    Abstract: A decryption scheme for recovery of a decrypted object without a cryptographic key is described. First, logical operation(s) are conducted on data associated with a first data string expected at a first location within an object having the predetermined format and data within the encrypted object at the first location to recover data associated with a portion of a cryptographic key from the encrypted object. Thereafter, logical operation(s) are conducted on that data and a first portion of the encrypted object at a second location to produce a result. Responsive to the result including data associated with the plaintext version of the second data string, logical operation(s) are conducted on a second portion of the encrypted object and the data associated with the plaintext version of the second data string to recover data associated with the cryptographic key. Thereafter, the encrypted object may be decrypted using the cryptographic key.
    Type: Grant
    Filed: November 16, 2015
    Date of Patent: January 31, 2017
    Assignee: FireEye, Inc.
    Inventor: Ali Islam
  • Patent number: 9560056
    Abstract: Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determines whether to block the file from the client machine based on the result of the signature matching from the datacenter.
    Type: Grant
    Filed: October 29, 2015
    Date of Patent: January 31, 2017
    Assignee: DELL SOFTWARE INC.
    Inventors: Aleksandr Dubrovsky, Senthilkumar G. Cheetancheri, Boris Yanovsky
  • Patent number: 9553889
    Abstract: Disclosed are system, method and computer program product for detecting malicious files on mobile devices. An example method includes: analyzing a file to identify classes and methods contained in said classes; identifying a bytecode array for each identified method; determining instructions contained in each method by identifying a corresponding operation code from the bytecode array of each method; dividing the determined instructions for each method into a plurality of groups based on similarity of functionality among said instructions; forming a vector for each method on the basis of the results of the division of the instructions into the plurality of groups; comparing the formed vectors with a plurality of vectors of known malicious files to determine a degree of similarity between the compared vectors; and determining whether the analyzed file is malicious or clean based on the degree of similarity between the compared vectors.
    Type: Grant
    Filed: September 9, 2015
    Date of Patent: January 24, 2017
    Assignee: AO Kaspersky Lab
    Inventors: Anton A. Kivva, Nikita A. Buchka, Mikhail Y. Kuzin, Victor V. Chebyshev
  • Patent number: 9542554
    Abstract: Detecting duplicate malware samples is disclosed. A first guest clock is set to a first value in a first virtual machine instance. A first malware sample is executed in the first virtual machine instance. A second guest clock value is set to the first value in a second virtual machine instance. A second malware sample is executed in the second virtual machine instance. A determination is made as to whether the first malware sample and the second malware sample are the same, based at least in part on performing a comparison of attempted external contacts generated by executing each of the respective first and second malware samples.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: January 10, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ryan C. Salsamendi, Wei Xu
  • Patent number: 9537651
    Abstract: A plurality of user terminals or sensors transmit data encrypted by individual cryptographic key, a server receives the encrypted data items, and executes a data process according to a program defining a decryption process sequence. Bit slice expression data is generated by performing a bit slice process with respect to the plurality of encrypted data items which are decryption target, bit slice expression key based on the cryptographic key of each encrypted data item is generated, round key is generated based on a bit slice expression key, a decryption process including operation and movement processes of a block unit of the bit slice expression data, and an operation using the round key is executed, and a plurality of plain text data items corresponding to the plurality of encrypted data items are generated by a reverse conversion of the data with respect to the decryption process results.
    Type: Grant
    Filed: February 7, 2013
    Date of Patent: January 3, 2017
    Assignee: SONY CORPORATION
    Inventors: Seiichi Matsuda, Shiho Moriai
  • Patent number: 9530001
    Abstract: A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of a resource of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. The attempted access includes attempting to write instructions to the memory and attempting to execute the instructions.
    Type: Grant
    Filed: May 18, 2015
    Date of Patent: December 27, 2016
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 9525706
    Abstract: An apparatus for diagnosing malicious applications includes: a signature storage unit which stores malicious application executable files, which can be run in a mobile operating system, and common feature information of variant files derived from said malicious application executable files as signature data for diagnosing maliciousness; an information collection unit which collects information corresponding to common feature information from executable files which are targeted for diagnosis and are diagnosed as malicious or not; a diagnosis determination unit which compares the corresponding information collected by the information collection unit with the common feature information stored in the signature storage unit in order to determine whether the application executable files are malicious; and a result provision unit which provides the results of the determination of whether the application executable files are malicious from the diagnosis determination unit.
    Type: Grant
    Filed: July 9, 2013
    Date of Patent: December 20, 2016
    Assignee: AHNLAB, INC.
    Inventors: Seungwon Lee, Donghyun Kang, Seol Woo Joo, Yonggoo Kim, Changyeon Hwang
  • Patent number: 9507940
    Abstract: A system and method for adapting a security tool for performing security analysis on a software application. In one embodiment, a method includes maintaining a registry of security tools; receiving code for a software application; and comparing component criteria for each security tool against each component of the software application, wherein the component criteria for each respective security tool indicate which components the respective security tool is designed to analyze for security vulnerabilities. The method also includes generating a tool-specific package for each component of the software application, wherein the tool-specific package comprises one or more security tools that are designed to analyze the respective component for security vulnerabilities.
    Type: Grant
    Filed: August 10, 2010
    Date of Patent: November 29, 2016
    Assignee: salesforce.com, inc.
    Inventors: Collin Greene, Robert Fly
  • Patent number: 9501742
    Abstract: Assessment of selectivity of categorization rules. One or more categorization rules are applied to a set of un-categorized objects to produce a categorization result set representing assignment of objects of the set into at least two categories. A selectivity score for the at least one categorization rule is obtained based on statistical information. The numerical selectivity score represents an estimation of accuracy of the at least one categorization rule, and is produced as a result of application of at least one trained selectivity determination algorithm, which is based on application of a plurality of specially-selected categorization rules to a set of pre-categorized training data, with the application of each one producing a uniform grouping of objects.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: November 22, 2016
    Assignee: AO KASPERSKY LAB
    Inventors: Alexey E. Antonov, Alexey M. Romanenko
  • Patent number: 9495521
    Abstract: Embodiments of the invention provide methods and systems for enforcing system self integrity validation policies. The method includes accessing, by a policy enforcer, a plurality of policies configured to enforce system integrity, monitoring system performance to determine actions executed by the system, and based on at least one of the plurality of policies, comparing the system performance with system performance required by the at least one of the plurality of policies. The method further includes, based on the comparison, determining that the system has performed in a manner contrary to the requirements of the at least one policy, and in response, prohibiting access of the system to services provided by a service provider.
    Type: Grant
    Filed: February 7, 2011
    Date of Patent: November 15, 2016
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Stephane H. Maes
  • Patent number: 9483641
    Abstract: A method for the performance of a function by a microcircuit, includes: at least one step of determining (205) whether an anomaly is detected or whether the operation of the microcircuit is normal; when it is determined that an anomaly is detected, a step of performing (210) a protection function; when it is determined that the operation of the microcircuit is normal, a step of performing (215) a decoy function simulating the protection function by being perceptible, from the outside of the microcircuit, in a manner more or less identical to the protection function; the method being characterized in that it includes an interruption (250) of the performance of the decoy function by a timer.
    Type: Grant
    Filed: October 8, 2014
    Date of Patent: November 1, 2016
    Assignee: OBERTHUR TECHNOLOGIES
    Inventor: Olivier Chamley
  • Patent number: 9483637
    Abstract: A computer system may be employed to verify program execution integrity by receiving a request to launch a program that has been instrumented to include at least one integrity marker, instantiating the program with an integrity marker value, and verifying the execution integrity of the program based on the integrity marker value and information received from the program during execution. A computer system may also be employed for program instrumentation by modifying the program to include at least one instruction for passing an integrity marker value to an operating system kernel during execution of the instruction.
    Type: Grant
    Filed: July 7, 2014
    Date of Patent: November 1, 2016
    Assignee: George Mason Research Foundation, Inc.
    Inventor: Xinyuan Wang
  • Patent number: 9479521
    Abstract: A particular method includes detecting, at a detection module, an indicator corresponding to a suspicious software component, where the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles. At least one of the network behavior profiles includes an ordered sequence of network actions. The method further includes determining, at an identification module, whether the indicator corresponds to any of the plurality of network behavior profiles. The method further includes generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: October 25, 2016
    Assignee: The Boeing Company
    Inventors: Aaron R. Davis, Timothy M. Aldrich, Matthew S. Bialek, Timothy M. Lemm, Shaun Kospiah
  • Patent number: 9479528
    Abstract: A signature rule processing method, a server, and an intrusion prevention system are provided. The method includes: performing, by a cloud server, correlation analysis on signature rule usage status information of each security device connected to the cloud server and a latest signature rule set published by the cloud server, to obtain a most active threat signature rule identification list, and sending, by the cloud server, update information to each security device to update a signature rule after generating the update information according to the most active threat signature rule identification list. The present invention is applicable to the field of network security systems.
    Type: Grant
    Filed: November 19, 2014
    Date of Patent: October 25, 2016
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Yungang Deng, Kun Li, Nengyi Pan
  • Patent number: 9471655
    Abstract: Systems, products and methods for enabling symptom verification. Verifying a symptom may include eliminating repeated symptom definitions or eliminating symptoms having low accuracy. A computer system enables verification of a symptom including a rule for detecting a set of events related to a given problem. The computer system includes a symptom database which stores the symptom, a specimen database which stores a specimen including a set of events detected according to a rule of a certain symptom, and an analysis unit which analyzes the specimen stored in the specimen database using a new symptom in order to determine whether to add the new symptom to the symptom database. The present disclosure also includes a method and a computer program for enabling verification of a symptom including a rule for detecting a set of events related to a given problem.
    Type: Grant
    Filed: November 26, 2008
    Date of Patent: October 18, 2016
    Assignee: International Business Machines Corporation
    Inventors: Nozomu Aoyama, Toshimichi Arima, Yukihiro Murakami, Tadashi Tsumura
  • Patent number: 9471782
    Abstract: A file scanning method and a file scanning system, a client and a server are disclosed. The server may determine a property indicator of a file, that represents probability of the file being a malicious program. The server may make this determination based on a comprehensive consideration of attribute information of the file. The attribute information may be reported by a plurality of clients. The server may send the property indicator to the clients. The clients may determine, according to the property indicator, a scanning strategy on whether to scan the file. Alternatively, the server may determine, according to the property indicator, a scanning strategy on whether to scan the file, and may send the scanning strategy to the clients. The clients may scan the file in accordance with the scanning strategy. Accordingly, only the file with higher probability of being a malicious program may be selectively scanned.
    Type: Grant
    Filed: May 12, 2014
    Date of Patent: October 18, 2016
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventor: Zixiao Nie
  • Patent number: 9473527
    Abstract: Each time a version of a virus pattern is downloaded to a local computer a scanned file cache is generated including all files scanned by that version. A modified file cache is also generated including all files modified while that version is present. After a minimum time interval or after a minimum number of virus pattern versions, a white list is generated by combining the existing white list, versions of the scanned file cache and the modified file cache. The white list (and the other caches) is represented by a single binary digit per file that is indexed by the i-node number of the file's i-node. A bundle of files (or their unique identifiers) on the white list is created and uploaded to a cloud storage service. A local computer sends a request to the storage service for the white list for a particular bundle which is then downloaded to the local computer.
    Type: Grant
    Filed: May 5, 2011
    Date of Patent: October 18, 2016
    Assignee: Trend Micro Inc.
    Inventors: Steed Zheng, Chao Fang, Jan Deng
  • Patent number: 9459901
    Abstract: A system and method operable to programmatically perform runtime de-obfuscation of obfuscated software via virtual machine introspection and manipulation of virtual machine guest memory permissions.
    Type: Grant
    Filed: May 13, 2013
    Date of Patent: October 4, 2016
    Assignee: FireEye, Inc.
    Inventors: Robert Jung, Antony Saba
  • Patent number: 9461982
    Abstract: Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for secure use and retention of user credentials, as well as methods for dynamic authentication of users and integrity checking of service providers in online environments. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable browser), insulating the user from the threats associated with being online for the purposes of providing secure, policy-based interaction with online services.
    Type: Grant
    Filed: July 7, 2014
    Date of Patent: October 4, 2016
    Assignee: Authentic8, Inc.
    Inventors: Ramesh Rajagopal, James K. Tosh, Fredric L. Cox, Perry F. Nguyen, Jason T. Champion
  • Patent number: 9462012
    Abstract: Techniques for notification of reassembly-free file scanning are described herein. According to one embodiment, a first request for accessing a document provided by a remote node is received from a client. In response to the first request, it is determined whether a second request previously for accessing the document of the remote node indicates that the requested document from the remote node contains offensive data. If the requested document contains offensive data, a message is returned to the client, without accessing the requested document of the remote node, indicating that the requested document is not delivered to the client.
    Type: Grant
    Filed: September 2, 2014
    Date of Patent: October 4, 2016
    Assignee: DELL SOFTWARE INC.
    Inventors: Aleksandr Dubrovsky, Igor Korsunsky, Roman Yanovsky, Boris Yanovsky
  • Patent number: 9454658
    Abstract: A method of identifying sections of code that can be disregarded when detecting features that are characteristic of malware, which features are subsequently used for detecting malware. The method includes, for each of a multiplicity of sample files, subdividing file code of the sample file into a plurality of code blocks and then removing duplicate code blocks to leave a sequence of unique code blocks. The sequence of unique code blocks is then compared with those obtained for other sample files in order to identify standard sections of code. The standard sections of code identified are then included within a database such that those sections of code can subsequently be disregarded when identifying features characteristic of malware.
    Type: Grant
    Filed: December 14, 2010
    Date of Patent: September 27, 2016
    Assignee: F-Secure Corporation
    Inventor: Daavid Hentunen
  • Patent number: 9450980
    Abstract: An automatic malignant code collecting system comprises a first database configured to store detection target website information, a virtual machine controller configured to read the website information from the first database and transmit the website information, a first virtual machine configured to periodically gain access to a website using the website information and to collect a malignant code and evidence thereof if an abnormal event occurs when the first virtual machine gains access to the website, a second virtual machine configured to periodically gain access to the same website as accessed by the first virtual machine using the website information received from the virtual machine controller and to collect a malignant code and evidence thereof if an abnormal event occurs when the second virtual machine gains access to the website, and a second database configured to store the malignant code and the evidence thereof collected by the first virtual machine and the second virtual machine.
    Type: Grant
    Filed: December 30, 2013
    Date of Patent: September 20, 2016
    Assignee: WINS CO., LTD.
    Inventor: Tae Hui Lim
  • Patent number: 9449358
    Abstract: In one embodiment, a first set of digital data (e.g., an image) is tested for the presence of a certain feature (e.g., a certain face), yielding one of two outcomes (e.g., not-present, or present). If the testing yields the first outcome, no additional testing is performed. If, however, the testing yields the second outcome, further testing is performed to further check this outcome. Such further testing is performed on a second set of digital data that is based on, but different from, the first set of data. Only if the original testing and the further testing both yield the same second outcome is it treated as a valid result. A variety of other features and arrangements are also detailed.
    Type: Grant
    Filed: April 8, 2015
    Date of Patent: September 20, 2016
    Assignee: Digimarc Corporation
    Inventors: Geoffrey B. Rhoads, John Stach
  • Patent number: 9444647
    Abstract: A device sending electronic messages first verifies the intended recipient of the message by sending a message beacon (101) comprising data uniquely identifying the electronic message and the electronic address of the intended recipient of the message to a receiving device. The receiving device verifies that the intended recipient is serviced by the receiving device and then replies to the sending device returning the message beacon (102). The sending device thereafter sends the electronic message to the intended recipient (103). The receiving device may also reply to the sending device with a verification reply including data related to the intended recipient (108). Upon consideration of the data, the sending device may alter the electronic message prior to forwarding, forward the message or determine to withhold the message.
    Type: Grant
    Filed: February 13, 2007
    Date of Patent: September 13, 2016
    Assignee: MESSAGE LEVEL LLC
    Inventor: Brian Cunningham
  • Patent number: 9430647
    Abstract: Technologies for self-regulation for virtualized environments may include, by a virtual machine on an electronic device, detecting an attempted anti-malware operation by a monitored module, determining anti-malware operation levels of one or more other virtual machines on the electronic device, and, based on the attempted anti-malware operation and upon the anti-malware operation levels, determining whether to allow the attempted operation.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: August 30, 2016
    Assignee: McAfee, Inc.
    Inventors: Ron Gallella, Virginia Robbins, Ben Sherwood, Joseph Dodge, Paul R. Spear
  • Patent number: 9432398
    Abstract: Some examples of security cloud computing environments can be implemented as methods. A processor of a first computer system that lacks permission to store data in a cloud computing environment receives data to be stored in the cloud computing environment. The data is received from a second computer system implementing the cloud computing environment and having permissions to store data in the cloud computing environment. The processor of the first computer system determines that the received data is safe for storage in the cloud computing environment. The processor of the first computer system provides a notification to the second computer system indicating that the received data is safe for storage in the cloud computing environment, and an identifier that points to the stored data at the computer-readable storage medium.
    Type: Grant
    Filed: June 11, 2014
    Date of Patent: August 30, 2016
    Assignee: SAP SE
    Inventors: Hristo Iliev, Stoyan Boshev
  • Patent number: 9424125
    Abstract: Disk-backed array techniques can, in some implementations, help ensure that the arrays contain consistent data. An alert can be provided if it is determined that the data in the array is, or may be, corrupted.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: August 23, 2016
    Assignee: Google Inc.
    Inventors: Ulas Kirazci, Scott Banachowski
  • Patent number: 9418227
    Abstract: A computer implemented method, apparatus, and program code for detecting malicious software components. A series of calls made by a software component is monitored to identify an identified respective series of call types to components named in said calls. A determination is made as to whether the identified respective series of call types to components named in said calls is indicative of malicious behavior.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: August 16, 2016
    Assignee: Palo Alto Networks, Inc.
    Inventor: Douglas North Franklin
  • Patent number: 9413781
    Abstract: A system and method to detect and contain threatening executable code by employing a threat monitor, verifier, endpoint agent, and a security information and event management module. The system and method are a departure from and an improvement over conventional systems in that, among other things, the system and method allow an investigator to determine whether a threat has persisted or executed, and allow that information to be communicated back to the detection mechanism (or other system) such that a user (or machine) may make a decision to take further action such as to contain the threat quickly and/or permit the system to do so automatically.
    Type: Grant
    Filed: March 17, 2014
    Date of Patent: August 9, 2016
    Assignee: FireEye, Inc.
    Inventors: Sean Cunningham, Robert Dana, Joseph Nardone, Joseph Faber, Kevin Arunski
  • Patent number: 9396333
    Abstract: A system for scanning a file for malicious codes may include a client agent running in a client computer and a scan server running in a server computer, the client computer and the server computer communicating over a computer network. The client agent may be configured to locally receive a scan request to scan a target file for malicious codes and to communicate with the scan server to scan the target file using a scan engine running in the server computer. The scan server in communication with the client agent allows the scan engine to scan the target file by issuing file I/O requests to access the target file located in the client computer. The client agent may be configured to check for digital signatures and to maintain a file cache of previously scanned files to minimize network traffic.
    Type: Grant
    Filed: July 1, 2013
    Date of Patent: July 19, 2016
    Assignee: Trend Micro Incorporated
    Inventor: Wei-Chung Lee
  • Patent number: 9390257
    Abstract: Technologies are generally presented for identifying inconsistent usage of computing devices in a multiple computing device environment. When software or hardware are compromised or faulty, the results of self-monitoring may be unreliable for determining inconsistent usage arising from a security breach, a hardware fault, or a software error. Computing devices may be independently monitored for physical attributes, such as temperature, vibration, emitted noise, etc., and such attributes may be compared to expected values based on computing load, network load, or the like. When the monitored and expected physical attribute values differ or conflict, possible inconsistent usage may be identified so that appropriate measures may be taken to rectify the situation.
    Type: Grant
    Filed: April 4, 2012
    Date of Patent: July 12, 2016
    Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
    Inventor: Peter N. Milford
  • Patent number: 9386463
    Abstract: A method of managing the risk of a monitored application installed on a mobile communication device comprises determining a risk profile of the monitored application based on at least one of: comparison of performance of the mobile communication device before and after installation of the monitored application on the mobile communication device, comparison of permission requests of the monitored application versus a type of the monitored application, community feedback of the monitored application, an amount of time elapsed since release of the monitored application, and a risk profile of a publisher of the monitored application; and performing a first action if the risk profile of the monitored application meets or exceeds a predefined first threshold.
    Type: Grant
    Filed: November 19, 2012
    Date of Patent: July 5, 2016
    Assignee: Sprint Communications Company L.P.
    Inventors: Jeffrey Ronald Contino, Jason Salge, M. Jeffrey Stone, Robert L. Waldrop
  • Patent number: 9385991
    Abstract: Disclosed are systems and methods to perform coordinated blocking of source addresses, such as Internet Protocol (IP) addresses, across a plurality of network appliances (e.g., gateways). In one disclosed embodiment the method and system temporarily alter a configuration of one or more network appliances (based on user defined configuration parameters) to allow communication from a “blocked” IP address for a period of time. A network appliance can then “receive” an email and perform analysis and provide results of the analysis to a reputation service. Thereby, the temporarily allowed communication can be used to learn information about a threat which would not have been available if all communication from that IP address had actually been blocked at the network appliance.
    Type: Grant
    Filed: May 13, 2014
    Date of Patent: July 5, 2016
    Assignee: McAfee, Inc.
    Inventors: Nicholas Liebmann, Raoul Tiddy, Michael Bishop
  • Patent number: 9386031
    Abstract: Methods, systems, and computer programs for detecting targeted attacks on a compromised computer. An example method includes receiving from a plurality of computer systems data about the network resource, wherein each of the plurality of computer systems has a set of parameters and associated parameter values; detecting presence of a suspect indicator in the respective data received from each of a first group of the plurality of computer systems; detecting absence of the suspect indicator in the respective data received from each of a second group of the plurality of computer systems; determining at least one suspect parameter and at least one suspect parameter value; and estimating a probability of the targeted attack from the network resource based on the suspect indicator, the at least one suspect parameter, and the at least one parameter value.
    Type: Grant
    Filed: September 12, 2014
    Date of Patent: July 5, 2016
    Assignee: AO Kaspersky Lab
    Inventor: Victor V. Yablokov
  • Patent number: 9384350
    Abstract: Signature compilation on a security device is disclosed. A first set of malware signatures is received. The first set of signatures is compiled at a first time. A second set of malware signatures is received. The second set of signatures is compiled at a second time that is different from the first time. A determination of whether a file is malicious is made based at least in part by performing a scan using the first and second compiled signatures.
    Type: Grant
    Filed: November 18, 2014
    Date of Patent: July 5, 2016
    Assignee: Palo Alto Networks, Inc.
    Inventors: Huagang Xie, Song Wang