FireEye, Inc.

United States of America

Results 1-36 of 36 for FireEye, Inc. (subsidiaries excluded)

IP type
        Patents 29
        Trademarks 7
Jurisdiction
        International 32
        Canada 3
        United States 1
Date
2021 1
2020 2
2019 5
Before 2019 28
IPC class
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements 16
H04L 29/06 - Communication control; communication processing characterised by a protocol 12
G06F 9/455 - Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines 3
G06F 11/00 - Error detection; error correction; monitoring 2
G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems 2
Nice class
09 - Scientific and electrical apparatus and instruments 7
42 - Scientific, technological and industrial services, research and design 6
37 - Construction services; mining extraction; installation and repair services 1
38 - Telecommunications services 1

1.

CLOUDVISORY

Application number: 1572498
Status: Registered
Filing date: 2020-12-16
Registration date: 2020-12-16
Owner: FireEye, Inc. (USA)
Nice classes
  • 09 - Scientific and electrical apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods and services

Downloadable enterprise software for monitoring the security of cloud environments. Software as a service (SAAS) services featuring software for monitoring the security of cloud environments.

2.

CLOUDVISORY

Application number: 208049500
Status: Registered
Filing date: 2020-12-16
Registration date: 2022-09-14
Owner: FireEye, Inc. (USA)
Nice classes
  • 09 - Scientific and electrical apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods and services

(1) Downloadable enterprise software for monitoring the security of cloud environments. (1) Software as a service (SAAS) services featuring software for monitoring the security of cloud environments.

3.

System and method for predicting and mitigating cybersecurity system misconfigurations

Application number: 15940854
Patent number: 10826931
Status: Granted - in force
Filing date: 2018-03-29
Date of first publication: 2020-11-03
Grant date: 2020-11-03
Owner: FireEye, Inc. (USA)
Inventor(s)
  • Quan, Wei
  • Konda, Raghunath

Abstract

A computerized method for reconfiguring one or more malware detection systems each performing cybersecurity analyses on incoming data is described. The method involves receiving meta-information including metrics associated with a malware detection system. Based on the meta-information, a determination is made whether the malware detection system is operating at an optimal performance level. If not, results produced by conducting behavior analyses predicting operability of the malware detection system are determined and the results are provided as feedback to the malware detection system to update one or more configuration parameter values thereof.

IPC classes

  • H04L 29/06 - Communication control; communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 17/18 - Complex mathematical operations for evaluating statistical data

4.

PLATFORM AND METHOD FOR ENHANCED-CYBER-ATTACK DETECTION AND RESPONSE EMPLOYING A GLOBAL DATA STORE

Application number: US2018066964
Publication number: 2019/133451
Status: Granted - in force
Filing date: 2018-12-20
Publication date: 2019-07-04
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Vashisht, Sai
  • Otvagin, Alexander

Abstract

A system for detecting artifacts associated with a cyber-attack features a cybersecurity intelligence hub that includes a data store with stored meta-information associated with each artifact of a plurality of artifacts, and each stored meta-information includes a verdict classifying an artifact corresponding to the stored meta-information as a malicious classification or a benign classification. The hub is configured to (i) receive meta-information associated with a first artifact from a cybersecurity sensor, and (ii) determine a verdict for the first artifact based on an analysis of meta-information associated with the first artifact and stored meta-information associated with each of the plurality of artifacts. A verdict for the first artifact is returned to the cybersecurity sensor in response to a detected match between a portion of stored meta-information and a portion of the meta-information associated with the first artifact.

IPC classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

5.

PLATFORM AND METHOD FOR RETROACTIVE RECLASSIFICATION EMPLOYING A CYBERSECURITY-BASED GLOBAL DATA STORE

Application number: US2018066973
Publication number: 2019/133453
Status: Granted - in force
Filing date: 2018-12-20
Publication date: 2019-07-04
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Vashisht, Sai
  • Otvagin, Alexander

Abstract

A system for detecting artifacts associated with a cyber-attack features a cybersecurity intelligence hub remotely located from and communicatively coupled to one or more network devices via a network. The hub includes a data store and retroactive reclassification logic. The data store includes stored meta-information associated with each prior evaluated artifact of a plurality of prior evaluated artifacts. Each meta-information associated with a prior evaluated artifact of the plurality of prior evaluated artifacts includes a verdict classifying the prior evaluated artifact as a malicious classification or a benign classification. The retroactive reclassification logic is configured to analyze the stored meta-information associated with the prior evaluated artifact and either (a) identify whether the verdict associated with the prior evaluated artifact is in conflict with trusted cybersecurity intelligence or (b) identify inconsistent verdicts for the same prior evaluated artifact.

IPC classes

  • H04L 29/06 - Communication control; communication processing characterised by a protocol
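
Entries 4 and 5 describe the same intelligence hub from two sides: a sensor asking the data store for a verdict on a match of part of the meta-information, and the store re-checking verdicts it already holds. The Python model below is an added example, not FireEye's code; keying artifacts by SHA-256, the feature names and the sample records are assumptions made for the illustration.

```python
"""Toy cybersecurity intelligence hub (added example, not FireEye code).

Models the two abstracts above: a data store holding meta-information per
artifact, a sensor lookup that returns a stored verdict when a portion of
the submitted meta-information matches, and retroactive reclassification
that flags verdicts conflicting with a trusted feed or with each other.
Artifacts are keyed by SHA-256 here; that, the feature names and the
sample records are assumptions made for the example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MALICIOUS, BENIGN = "malicious", "benign"


@dataclass
class MetaInfo:
    sha256: str
    verdict: str
    source: str                                   # sensor or analysis that produced the verdict
    features: Dict[str, str] = field(default_factory=dict)


class IntelligenceHub:
    def __init__(self, trusted_intel: Dict[str, str]):
        self.store: List[MetaInfo] = []
        self.trusted_intel = trusted_intel        # sha256 -> verdict from a trusted feed

    def ingest(self, info: MetaInfo) -> None:
        self.store.append(info)

    def lookup(self, sha256: Optional[str] = None, **features: str) -> Optional[str]:
        """Return a verdict when a stored record matches on the hash or on every
        supplied feature (the 'portion of meta-information' in the abstract)."""
        for rec in self.store:
            if sha256 is not None and rec.sha256 == sha256:
                return rec.verdict
            if features and all(rec.features.get(k) == v for k, v in features.items()):
                return rec.verdict
        return None

    def reclassify(self) -> List[dict]:
        """Retroactive reclassification: report (b) inconsistent verdicts for the
        same artifact, then (a) verdicts that conflict with trusted intelligence,
        correcting the stored verdict in case (a)."""
        findings: List[dict] = []
        by_hash: Dict[str, Set[str]] = {}
        for rec in self.store:
            by_hash.setdefault(rec.sha256, set()).add(rec.verdict)
        for h, verdicts in by_hash.items():
            if len(verdicts) > 1:
                findings.append({"sha256": h, "reason": "inconsistent_verdicts",
                                 "verdicts": sorted(verdicts)})
        for rec in self.store:
            trusted = self.trusted_intel.get(rec.sha256)
            if trusted is not None and trusted != rec.verdict:
                findings.append({"sha256": rec.sha256, "reason": "conflicts_with_trusted_intel",
                                 "old": rec.verdict, "new": trusted})
                rec.verdict = trusted
        return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts (hashes of these placeholder strings, not of real files).
SAMPLE_DROPPER = sha256_hex(b"constructed sample: dropper.exe")
SAMPLE_MACRO = sha256_hex(b"constructed sample: invoice.docm")
SAMPLE_TOOL = sha256_hex(b"constructed sample: admin-tool.exe")


def build_hub() -> IntelligenceHub:
    hub = IntelligenceHub(trusted_intel={SAMPLE_TOOL: MALICIOUS})
    hub.ingest(MetaInfo(SAMPLE_DROPPER, MALICIOUS, "sensor-1", {"c2_domain": "update-check.example"}))
    hub.ingest(MetaInfo(SAMPLE_MACRO, MALICIOUS, "sensor-2"))
    hub.ingest(MetaInfo(SAMPLE_MACRO, BENIGN, "sensor-3"))    # same artifact, opposite verdict
    hub.ingest(MetaInfo(SAMPLE_TOOL, BENIGN, "sensor-1"))     # trusted feed says malicious
    return hub


if __name__ == "__main__":
    hub = build_hub()
    print("sensor query:", hub.lookup(c2_domain="update-check.example"))
    for finding in hub.reclassify():
        print(finding)
```

The lookup answers as soon as a stored record matches either the hash or every supplied feature, which is what lets a sensor get a verdict for a file it has never submitted. The reclassification pass only rewrites a stored verdict when a trusted source disagrees with it; disagreement between two sensors is reported but not resolved, because the store itself has no basis for choosing a side.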

6.

SYSTEM AND METHOD FOR ANALYZING BINARY CODE FOR MALWARE CLASSIFICATION USING ARTIFICIAL NEURAL NETWORK TECHNIQUES

Application number: US2018055508
Publication number: 2019/083737
Status: Granted - in force
Filing date: 2018-10-11
Publication date: 2019-05-02
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Johns, Jeffrey Thomas
  • Jones, Brian Sanford
  • Coull, Scott Eric

Abstract

A system for detecting whether a file including content is associated with a cyber-attack is described. The content may include an executable file for example. The system includes an intelligence-driven analysis subsystem and a computational analysis subsystem. The intelligence-driven analysis subsystem is configured to (i) receive the file, (ii) inspect and compute features of the file for indicators associated with a cyber-attack, and (iii) produce a first output representing the detected indicators. The computational analysis subsystem includes an artificial neural network to (i) receive a network input being a first representation of at least one section of binary code from the file as input, and (ii) process the first representation of the section to produce a second output. The first output and the second output are used in determining a classification assigned to the file.

IPC classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

7.

PHISHING ATTACK DETECTION

Application number: US2018053561
Publication number: 2019/067993
Status: Granted - in force
Filing date: 2018-09-28
Publication date: 2019-04-04
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Kumar, Venkata Satya Phani, Pavan Chitturi
  • Rao, Surya, Prakash

Abstract

A computerized method for analyzing a subject URL to determine whether the subject URL is associated with a phishing attack is disclosed. The method includes steps of detecting keypoints within a screenshot of a webpage corresponding to the subject URL and determining a set of confidences based on an analysis of the detected keypoints with a model. Each confidence within the set of confidences is assigned to a feature vector within a set of training feature vectors representing a training set of URLs used in generating the model. The method comprises performing an image comparison between the screenshot and a screenshot corresponding to a feature vector within the set of training feature vectors, the feature vector being assigned a highest confidence. Responsive to determining the image comparison result exceeds a predefined threshold, an alert is transmitted indicating that the subject URL is associated with the phishing attack.

IPC classes

  • G06K 9/46 - Extraction of features or characteristics of the image
  • H04L 29/06 - Communication control; communication processing characterised by a protocol

8.

CYBER-SECURITY SYSTEM AND METHOD FOR WEAK INDICATOR DETECTION AND CORRELATION TO GENERATE STRONG INDICATORS

Application number: US2018040470
Publication number: 2019/006412
Status: Granted - in force
Filing date: 2018-06-29
Publication date: 2019-01-03
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Jeyaraman, Sundar
  • Ramaswamy, Ramaswamy

Abstract

A method for detecting a cyber-attack after infiltration into an enterprise network is described. The method features receiving a second plurality of weak indicators included as part of a first plurality of weak indicators and performing a correlation operation between the second plurality of weak indicators and one or more patterns or sequences of indicators associated with known malware. The first plurality of weak indicators is greater in number than the second plurality of weak indicators. A report is generated and issued based on results from the correlation operation.

IPC classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/06 - Communication control; communication processing characterised by a protocol
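
The correlation step in the abstract above, as an added Python example that is not the patent's or FireEye's code: a stream of low-confidence endpoint events is first reduced to the ones some known pattern can use (the smaller "second plurality"), then grouped per host and matched against ordered sequences or unordered sets within a time window. The event names, patterns, windows and the telemetry stream are all constructed for the illustration.

```python
"""Weak-indicator correlation (added example, not FireEye code).

A stream of low-confidence endpoint events (the 'first plurality' of weak
indicators) is reduced to those that belong to some known pattern (the
'second plurality'), grouped per host, and correlated against ordered
sequences or unordered sets associated with known malware. Matches are
reported as strong indicators. The event names, patterns, windows and the
sample stream are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class WeakIndicator:
    ts: int          # seconds since epoch
    host: str
    name: str


@dataclass(frozen=True)
class Pattern:
    name: str
    steps: Sequence[str]
    ordered: bool    # True: steps must occur in this order; False: any order
    window: int      # all steps must fall within this many seconds


KNOWN_PATTERNS = [
    Pattern("macro-dropper-chain",
            ("office_spawns_shell", "powershell_encoded_cmd", "outbound_to_rare_domain"), True, 300),
    Pattern("credential-dumping", ("lsass_handle_open", "new_service_installed"), False, 600),
]


def select_relevant(indicators: List[WeakIndicator], patterns: List[Pattern]) -> List[WeakIndicator]:
    """First plurality -> second plurality: keep only indicators some pattern can use."""
    wanted = {step for p in patterns for step in p.steps}
    return [i for i in indicators if i.name in wanted]


def _ordered_match(events, steps, window) -> Optional[List[WeakIndicator]]:
    """Earliest in-order occurrence of all steps inside the window, or None."""
    for start, first in enumerate(events):
        if first.name != steps[0]:
            continue
        matched, idx = [first], 1
        for ev in events[start + 1:]:
            if ev.ts - first.ts > window:
                break
            if ev.name == steps[idx]:
                matched.append(ev)
                idx += 1
                if idx == len(steps):
                    return matched
    return None


def _unordered_match(events, steps, window) -> Optional[List[WeakIndicator]]:
    """All steps present in any order inside the window, or None."""
    needed = set(steps)
    for start, first in enumerate(events):
        seen: Dict[str, WeakIndicator] = {}
        for ev in events[start:]:
            if ev.ts - first.ts > window:
                break
            if ev.name in needed and ev.name not in seen:
                seen[ev.name] = ev
            if len(seen) == len(needed):
                return sorted(seen.values(), key=lambda e: e.ts)
    return None


def correlate(indicators: List[WeakIndicator], patterns: List[Pattern] = KNOWN_PATTERNS) -> List[dict]:
    by_host: Dict[str, List[WeakIndicator]] = defaultdict(list)
    for ind in sorted(select_relevant(indicators, patterns), key=lambda e: e.ts):
        by_host[ind.host].append(ind)
    report = []
    for host, events in by_host.items():
        for p in patterns:
            match = (_ordered_match if p.ordered else _unordered_match)(events, p.steps, p.window)
            if match:
                report.append({"host": host, "strong_indicator": p.name,
                               "first_seen": match[0].ts, "evidence": [e.name for e in match]})
    return report


# Constructed telemetry: one real chain, one chain that times out, one unordered set, some noise.
SAMPLE_STREAM = [
    WeakIndicator(1000, "ws-17", "office_spawns_shell"),
    WeakIndicator(1010, "ws-17", "dns_query_burst"),          # not part of any pattern
    WeakIndicator(1030, "ws-17", "powershell_encoded_cmd"),
    WeakIndicator(1200, "ws-17", "outbound_to_rare_domain"),
    WeakIndicator(1000, "ws-22", "office_spawns_shell"),
    WeakIndicator(1500, "ws-22", "powershell_encoded_cmd"),   # 500 s later: outside the 300 s window
    WeakIndicator(2000, "srv-03", "new_service_installed"),
    WeakIndicator(2300, "srv-03", "lsass_handle_open"),
]

if __name__ == "__main__":
    for line in correlate(SAMPLE_STREAM):
        print(line)
```

The window is what turns individually unremarkable events into a strong indicator: ws-22 shows the same two first steps as ws-17 but too far apart, so it produces no report, while srv-03 matches the unordered set even though its two events arrive in the opposite order from the pattern definition.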

9.

ATTRIBUTE-CONTROLLED MALWARE DETECTION

Application number: US2018025329
Publication number: 2018/183793
Status: Granted - in force
Filing date: 2018-03-30
Publication date: 2018-10-04
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Siddiqui, Mumtaz
  • Radhakrishnan, Manju
  • Agarwal, Deepak

Abstract

A computerized method for authenticating access to a subscription-based service to detect an attempted cyber-attack. The method features operations by the cloud broker that include receiving service policy level information and information based on operational metadata. The service policy level information includes at least subscription attributes to identify one or more performance criteria in analyses conducted on one or more objects submitted by a sensor for malware representing an attempted cyber-attack. The operational metadata includes metadata that pertains to an operating state of one or more clusters of a plurality of clusters of the subscription-based service. The cloud broker, using both the service policy level information and the information based on the operational metadata, selects a cluster of the plurality of clusters to analyze the one or more objects submitted by the sensor and establishes a communication session between the sensor and the cluster via the cloud broker.

IPC classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

10.

LAUNCHER FOR SETTING ANALYSIS ENVIRONMENT VARIATIONS FOR MALWARE DETECTION

Application number: US2016061361
Publication number: 2017/083538
Status: Granted - in force
Filing date: 2016-11-10
Publication date: 2017-05-18
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Paithane, Sushant
  • Vashisht, Sai, Omkar
  • Khalid, Yasir
  • Pilipenko, Alexandre

Abstract

A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework generates a plurality of processes for analyzing the object for malware and each of the plurality of processes is configured with a different application and plug-in combination selected based in part on a type of object being analyzed.

IPC classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

11.

MICROVISOR-BASED MALWARE DETECTION ENDPOINT ARCHITECTURE

Application number: US2015061238
Publication number: 2016/109042
Status: Granted - in force
Filing date: 2015-11-18
Publication date: 2016-07-07
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Ismael, Osman Abdoul
  • Aziz, Ashar

Abstract

A threat-aware microvisor may be deployed in a malware detection endpoint architecture and execute on an endpoint to provide exploit and malware detection within a network environment. Exploit and malware detection on the endpoint may be performed in accordance with one or more processes embodied as software modules or engines configured to detect suspicious and/or malicious behaviors of an operating system process (object), and to correlate and classify the detected behaviors as indicative of malware. Detection of suspicious and/or malicious behaviors may be performed by static and dynamic analysis of the object. Static analysis may perform examination of the object to determine whether it is suspicious, while dynamic analysis may instrument the behavior of the object as the operating system process runs via capability violations of, e.g., operating system events. A behavioral analysis logic engine and a classifier may thereafter cooperate to perform correlation and classification of the detected behaviors.

IPC classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/455 - Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines

12.

INTELLIGENT CONTEXT AWARE USER INTERACTION FOR MALWARE DETECTION

Application number: US2015067082
Publication number: 2016/109283
Status: Granted - in force
Filing date: 2015-12-21
Publication date: 2016-07-07
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Khalid, Yasir
  • Paithane, Sushant
  • Vashisht, Sai

Abstract

According to one embodiment, a malware detection system is integrated with at least a static analysis engine and a dynamic analysis engine. The static analysis engine is configured to automatically determine an object type of a received object. The dynamic analysis engine is configured to automatically launch the object after selecting an action profile based on the object type. The dynamic analysis engine is further configured to provide simulated user interaction to the object based on the selected action profile, either in response to detecting a request for human interaction or as a result of a lapse of time since a previous simulated human interaction was provided.

IPC classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

13.

SYSTEM AND METHOD TO COMMUNICATE SENSITIVE INFORMATION VIA ONE OR MORE UNTRUSTED INTERMEDIATE NODES WITH RESILIENCE TO DISCONNECTED NETWORK TOPOLOGY

Application number: US2015043854
Publication number: 2016/022717
Status: Granted - in force
Filing date: 2015-08-05
Publication date: 2016-02-11
Owner: FIREEYE, INC. (USA)
Inventor(s): Cunningham, Sean

Abstract

A system and method to communicate secure information between a plurality of computing machines using an untrusted intermediate with resilience to disconnected network topology. The system and method utilize agnostic endpoints that are generalized to be interoperable among various systems, with their functionality based on their location in a network. The system and method enable horizontal scaling on the network. One or more clusters may be set up in a location within a network or series of networks in electronic communication, e.g., in a cloud or a sub-network, residing between a secure area of the network(s) and an unsecure area such as an external network or portion of a network. The horizontal scaling allows the system to take advantage of the capacity of a local network. As long as an agent has connectivity to at least one locale of the network, the agent is advantageously operable to move data across the system.

IPC classes

  • H04L 9/32 - Arrangements for secret or secure communications; network security protocols, including means for verifying the identity or authority of a system user
  • H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
  • H04L 29/06 - Communication control; communication processing characterised by a protocol

14.

TRUSTED THREAT-AWARE MICROVISOR

Application number: US2015038552
Publication number: 2016/004037
Status: Granted - in force
Filing date: 2015-06-30
Publication date: 2016-01-07
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Ismael, Osman Abdoul
  • Aziz, Ashar

Abstract

A trusted threat-aware microvisor may be deployed as a module of a trusted computing base (TCB) that also includes a root task module configured to cooperate with the microvisor to load and initialize one or more other modules executing on a node of a network environment. The root task may cooperate with the microvisor to allocate one or more kernel resources of the node to those other modules. As a trusted module of the TCB, the microvisor may be configured to enforce a security policy of the TCB that, e.g., prevents alteration of a state related to security of the microvisor by a module of or external to the TCB. The security policy of the TCB may be implemented by a plurality of security properties of the microvisor. Trusted (or trustedness) may therefore denote a predetermined level of confidence that the security property is demonstrated by the microvisor.

IPC classes

  • G06F 9/455 - Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • H04L 12/26 - Monitoring arrangements; testing arrangements

15.

VERIFICATION OF TRUSTED THREAT-AWARE MICROVISOR

Application number: US2015038616
Publication number: 2016/004080
Status: Granted - in force
Filing date: 2015-06-30
Publication date: 2016-01-07
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Ismael, Osman Abdoul
  • Tews, Hendrik

Abstract

A trusted threat-aware microvisor may be deployed as a module of a trusted computing base (TCB). The microvisor is illustratively configured to enforce a security policy of the TCB, which may be implemented as a security property of the microvisor. The microvisor may manifest (i.e., demonstrate) the security property in a manner that enforces the security policy. Trustedness denotes a predetermined level of confidence that the security property is demonstrated by the microvisor. The predetermined level of confidence is based on an assurance (i.e., grounds) that the microvisor demonstrates the security property. Trustedness of the microvisor may be verified by subjecting the TCB to enhanced verification analysis configured to ensure that the TCB conforms to an operational model with an appropriate level of confidence over an appropriate range of activity. The operational model may then be configured to analyze conformance of the microvisor to the security property. A combination of conformance by the microvisor to the operational model and to the security property provides assurance (i.e., grounds) for the level of confidence and, thus, verifies trustedness.

IPC classes

  • G06F 9/455 - Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • H04L 9/00 - Arrangements for secret or secure communications; network security protocols

16.

MALWARE DETECTION AND REMEDIATION FOR ENDPOINT DEVICES

Application number: US2015037213
Publication number: 2015/200340
Status: Granted - in force
Filing date: 2015-06-23
Publication date: 2015-12-30
Owner: FIREEYE, INC. (USA)
Inventor(s): Eyada, Hatem

Abstract

According to one embodiment, a computerized method is directed to neutralizing callback malware. This method involves intercepting an incoming message from a remote source directed to a compromised endpoint device. Next, a first portion of information within the incoming message is substituted with a second portion of information. The second portion of information is designed to mitigate operability of the callback malware. Thereafter, the modified incoming message, which includes the second portion of the information, is returned to the compromised endpoint device.

IPC classes

  • G06F 11/00 - Error detection; error correction; monitoring

17.

MALWARE DETECTION AND REMEDIATION FOR ENDPOINT DEVICES

Application number: US2015037245
Publication number: 2015/200360
Status: Granted - in force
Filing date: 2015-06-23
Publication date: 2015-12-30
Owner: FIREEYE, INC. (USA)
Inventor(s): Eyada, Hatem

Abstract

According to one embodiment, a computerized method is directed to neutralizing callback malware. This method involves intercepting an incoming message from a remote source directed to a compromised endpoint device. Next, a first portion of information within the incoming message is substituted with a second portion of information. The second portion of information is designed to mitigate operability of the callback malware. Thereafter, the modified incoming message, which includes the second portion of the information, is returned to the compromised endpoint device.

IPC classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/00 - Arrangements, apparatus, circuits or systems not covered by a single one of the groups
  • H04L 29/06 - Communication control; communication processing characterised by a protocol
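
The message substitution that entries 16 and 17 describe, as an added Python example that is neither the patent's nor FireEye's code: an inline interception point sees a controller's response bound for a compromised endpoint, swaps the actionable portion for an inert one, and forwards the rest untouched so the implant still accepts the reply. The JSON task format, the task names and the sample messages are constructed; a real implant speaks its own protocol and the substitute has to satisfy that protocol's parser.

```python
"""Callback (C2) response neutralization (added example, not FireEye code).

An inline interception point sees a response from a remote controller to a
compromised endpoint, replaces the actionable portion with a harmless one,
and forwards the modified message so the implant keeps accepting replies.
The JSON task format, the task names and the sample messages are
constructed for this example.
"""
import json
from typing import List, Tuple

# Task types that would make the implant act on the host (constructed taxonomy).
HARMFUL_TASKS = {"exec", "download_exec", "inject", "exfil"}
# Substitute portion: a long sleep keeps the beacon alive for observation but inert.
NEUTRAL_TASK = {"task": "sleep", "args": {"seconds": 86400}}


def neutralize_callback(message: bytes) -> Tuple[bytes, str]:
    """Return (message_to_forward, action) for one inbound C2 response.

    action is 'substituted', 'unchanged' or 'passthrough-unparsed'."""
    try:
        msg = json.loads(message.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        # Not a format this interceptor understands: forward unchanged but record it,
        # so unknown traffic to the host stays visible to responders.
        return message, "passthrough-unparsed"
    if not isinstance(msg, dict) or msg.get("task") not in HARMFUL_TASKS:
        return message, "unchanged"
    modified = dict(msg)          # keep id/sequence fields so the implant accepts the reply
    modified.update(NEUTRAL_TASK)
    return json.dumps(modified, separators=(",", ":")).encode("utf-8"), "substituted"


def process_stream(messages: List[bytes]) -> List[Tuple[bytes, str]]:
    return [neutralize_callback(m) for m in messages]


# Constructed inbound messages to a compromised endpoint.
SAMPLE_C2_RESPONSES = [
    b'{"id":42,"task":"download_exec","args":{"url":"http://c2.example/stage2.bin"}}',
    b'{"id":43,"task":"heartbeat_ack","args":{}}',
    b"\x16\x03\x01\x00\x2a\xff\xfe",   # opaque bytes the interceptor cannot parse
]

if __name__ == "__main__":
    for forwarded, action in process_stream(SAMPLE_C2_RESPONSES):
        print(action, forwarded)
```

Two practical points follow from the abstract rather than the code: the substitution only works where the message is visible in plaintext, so the interception point has to sit on the endpoint or behind TLS termination, and an unparseable message is forwarded rather than dropped here because silently blocking the channel would tell the operator something changed and would also hide the traffic from the responder.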

18.

FireEye

Application number: 1275373
Status: Registered
Filing date: 2015-08-19
Registration date: 2015-08-19
Owner: FireEye, Inc. (USA)
Nice classes
  • 09 - Scientific and electrical apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods and services

Computer software and hardware for digital security; computer security products, namely, computer peripherals; computer software and computer hardware for detection, blocking and removal of computer viruses, rootkits, advanced persistent threats, malware, and malicious attacks; computer software and computer hardware for real-time detection, blocking, removal and remediation of computer viruses, rootkits, advanced persistent threats, malware and malicious attacks; computer software for identifying and preventing malicious attacks on computers, computer systems, and digital devices; computer software and hardware providing secure virtual computer systems and virtual computer environments. Technical support services, namely, troubleshooting and support services in the nature of diagnosing computer hardware and software problems, providing back-up computer programs and facilities, virus removal, maintenance of computer software relating to computer security and prevention of computer risks, updating and maintenance of computer software, and software installation for computers, peripherals, USB devices, computer networks and mobile devices.

19.

FIREEYE

Application number: 174753600
Status: Registered
Filing date: 2015-09-24
Registration date: 2017-03-30
Owner: FireEye, Inc. (USA)
Nice classes
  • 09 - Scientific and electrical apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods and services

(1) Computer software and hardware for digital security; computer software and computer hardware for detection, blocking and removal of computer viruses, rootkits, advanced persistent threats, malware, and malicious attacks; computer software and computer hardware for real-time detection, blocking, removal and remediation of computer viruses, rootkits, advanced persistent threats, malware and malicious attacks; computer software for identifying and preventing malicious attacks on computers, computer systems, and digital devices (1) Technical support services, namely, troubleshooting and support services in the nature of diagnosing computer hardware and software problems, providing back-up computer programs and facilities, virus removal, maintenance of computer software relating to computer security and prevention of computer risks, updating and maintenance of computer software, and software installation for computers, peripherals, USB devices, computer networks and mobile devices

20.

THREAT-AWARE MICROVISOR

Application number: US2014071847
Publication number: 2015/108675
Status: Granted - in force
Filing date: 2014-12-22
Publication date: 2015-07-23
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Ismael, Osman Abdoul
  • Aziz, Ashar

Abstract

A threat-aware microvisor is configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing on a node of a network environment. The microvisor may be embodied as a module disposed or layered beneath (underlying) an operating system kernel executing on the node to thereby control privileges (i.e., access permissions) to kernel resources, such as one or more central processing units (CPUs), network interfaces, memory, and/or devices, of the node. Illustratively, the microvisor may be configured to control access to one or more of the resources in response to a request by an operating system process to access the resource.

IPC classes

  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems

21.

MICRO-VIRTUALIZATION ARCHITECTURE FOR THREAT-AWARE MICROVISOR DEPLOYMENT IN A NODE OF A NETWORK ENVIRONMENT

Application number: US2014071879
Publication number: 2015/108677
Status: Granted - in force
Filing date: 2014-12-22
Publication date: 2015-07-23
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Ismael, Osman Abdoul
  • Aziz, Ashar

Abstract

A micro-virtualization architecture deploys a threat-aware microvisor as a module of a virtualization system configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing in a memory of a node in a network environment. The micro-virtualization architecture organizes the memory as a user space and kernel space, wherein the microvisor executes in the kernel space of the architecture, while the operating system processes, an operating system kernel, a virtual machine monitor (VMM) and its spawned virtual machines (VMs) execute in the user space. Notably, the microvisor executes at the highest privilege level of a central processing unit of the node to virtualize access to kernel resources. The operating system kernel executes under control of the microvisor at a privilege level lower than a highest privilege level of the microvisor. The VMM and its spawned VMs execute at the highest privilege level of the microvisor.

IPC classes

  • G06F 9/06 - Arrangements for program control, e.g. control units, using stored programs, i.e. using an internal store of processing equipment to receive or retain programs

22.

EXPLOIT DETECTION SYSTEM WITH THREAT-AWARE MICROVISOR

Application number: US2014071923
Publication number: 2015/108679
Status: Granted - in force
Filing date: 2014-12-22
Publication date: 2015-07-23
Owner: FIREEYE, INC. (USA)
Inventor(s)
  • Ismael, Osman Abdoul
  • Aziz, Ashar

Abstract

An exploit detection system deploys a threat-aware microvisor to facilitate real-time security analysis, including exploit detection and threat intelligence, of an operating system process executing on a node of a network environment. The microvisor may be organized as a main protection domain representative of the operating system process. In response to the process attempting to access a kernel resource for which it does not have permission, a capability violation may be generated at the main protection domain of the microvisor and a micro-virtual machine (VM) may be spawned as a container configured to encapsulate the process. The main protection domain may then be cloned to create a cloned protection domain that is representative of the process and that is bound to the spawned micro-VM. Capabilities of the cloned protection domain may be configured to be more restricted than the capabilities of the main protection domain with respect to access to the kernel resource. The restricted capabilities may be configured to generate more capability violations than those generated by the capabilities of the main protection domain and, in turn, enable further monitoring of the process as it attempts to access the kernel resource.

IPC classes

  • G06F 21/10 - Protecting distributed programs or content, e.g. vending or licensing of copyright material
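
The capability-violation flow of entry 22 (and the privilege model that entries 20 and 21 describe, where the microvisor sits beneath the kernel and mediates access to kernel resources), as an added example that is a Python simulation and not FireEye's microvisor: a process runs under a main protection domain, its first access outside that domain's capability set is a violation that moves it into a micro-VM bound to a clone with a strictly smaller capability set, and accesses that were silently allowed before now trap and are recorded. The resource names, the set of capabilities revoked in the clone and the access sequence are constructed.

```python
"""Capability-violation model of the exploit detection flow (added example,
not FireEye code, and a Python simulation rather than a hypervisor).

A process runs under a main protection domain that grants a set of kernel
resources. An access outside that set is a capability violation: the
process is moved into a micro-VM bound to a cloned protection domain whose
capabilities are a strict subset of the main domain's, so that later
accesses which were silently allowed before now trap and are recorded.
Resource names and the sample access sequence are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class ProtectionDomain:
    name: str
    capabilities: Set[str]                        # kernel resources the domain may access
    violations: List[str] = field(default_factory=list)

    def clone_restricted(self, name: str, revoke: Iterable[str]) -> "ProtectionDomain":
        return ProtectionDomain(name, self.capabilities - set(revoke))


# Resources the cloned domain loses, so that their use becomes observable.
MONITORED_RESOURCES = {"net:tcp", "fs:write"}
MAIN_CAPABILITIES = {"fs:read", "fs:write", "net:tcp", "mem:alloc"}


class Microvisor:
    def __init__(self, main_caps: Iterable[str]):
        self.main = ProtectionDomain("main", set(main_caps))
        self.micro_vms: Dict[int, ProtectionDomain] = {}   # pid -> cloned domain of its micro-VM
        self.log: List[Tuple[int, str, str, str]] = []

    def access(self, pid: int, resource: str) -> bool:
        """Mediate one access; return True if allowed."""
        pd = self.micro_vms.get(pid, self.main)
        if resource in pd.capabilities:
            self.log.append((pid, pd.name, resource, "allowed"))
            return True
        pd.violations.append(resource)
        self.log.append((pid, pd.name, resource, "violation"))
        if pid not in self.micro_vms:
            # First violation: spawn a micro-VM for the process and bind it to a
            # clone of the main domain with tighter capabilities.
            self.micro_vms[pid] = self.main.clone_restricted(f"clone-pid{pid}", MONITORED_RESOURCES)
        return False

    def trace(self, pid: int) -> List[Tuple[str, str, str]]:
        """(domain, resource, outcome) for every mediated access by pid."""
        return [(d, r, o) for p, d, r, o in self.log if p == pid]


def run_sample() -> Microvisor:
    mv = Microvisor(MAIN_CAPABILITIES)
    mv.access(101, "fs:read")             # ordinary behaviour, allowed under main
    mv.access(101, "kernel:load_driver")  # not granted: violation, process is contained
    mv.access(101, "net:tcp")             # would pass under main; now trapped in the clone
    mv.access(202, "net:tcp")             # a different process stays under main
    return mv


if __name__ == "__main__":
    for entry in run_sample().log:
        print(entry)
```

The point the simulation makes is that containment does not have to block the process: after the first violation pid 101 keeps running, but its network and write activity now produces the additional violations the abstract mentions, while pid 202, still under the main domain, is unaffected.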

23.

SYSTEM, APPARATUS AND METHOD FOR AUTOMATICALLY VERIFYING EXPLOITS WITHIN SUSPECT OBJECTS AND HIGHLIGHTING THE DISPLAY INFORMATION ASSOCIATED WITH THE VERIFIED EXPLOITS

      
Numéro d'application US2014072292
Numéro de publication 2015/100388
Statut Délivré - en vigueur
Date de dépôt 2014-12-23
Date de publication 2015-07-02
Propriétaire FIREEYE, INC. (USA)
Inventeur(s)
  • Aziz, Ashar
  • Bu, Zheng
  • Amin, Muhammad
  • Ismael, Osman Abdoul

Abrégé

According to one embodiment, a threat detection system is integrated with intrusion protection system (IPS) logic and virtual execution logic. The IPS logic is configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects. The second plurality of objects is a subset of the first plurality of objects and is lesser or equal in number to the first plurality of objects. The virtual execution logic is configured to automatically verify whether any of the suspicious objects is an exploit. The virtual execution logic comprises at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits.

IPC classes

  • G06F 21/56 - Detection or handling of malware, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

24.

DYNAMICALLY ADAPTIVE FRAMEWORK AND METHOD FOR CLASSIFYING MALWARE USING INTELLIGENT STATIC, EMULATION, AND DYNAMIC ANALYSES

      
Application number US2014055961
Publication number 2015/047804
Status Granted - in force
Filing date 2014-09-16
Publication date 2015-04-02
Owner FIREEYE, INC. (USA)
Inventor(s)
  • Vincent, Michael
  • Mesdaq, Ali
  • Thioux, Emmanuel
  • Singh, Abhishek
  • Vashisht, Sai

Abstract

Techniques for malware detection are described herein. According to one aspect, control logic determines an analysis plan for analyzing whether a specimen should be classified as malware, where the analysis plan identifies at least first and second analyses to be performed. Each of the first and second analyses identified in the analysis plan includes one or both of a static analysis and a dynamic analysis. The first analysis is performed based on the analysis plan to identify suspicious indicators and characteristics related to processing of the specimen. The second analysis is performed based on the analysis plan to identify unexpected behaviors having processing or communications anomalies. A classifier determines whether the specimen should be classified as malicious based on the static and dynamic analyses. The analysis plan, the indicators, the characteristics, and the anomalies are stored in a persistent memory.

IPC classes

  • G06F 21/56 - Detection or handling of malware, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

25.

SYSTEM, APPARATUS AND METHOD FOR USING MALWARE ANALYSIS RESULTS TO DRIVE ADAPTIVE INSTRUMENTATION OF VIRTUAL MACHINES TO IMPROVE EXPLOIT DETECTION

      
Application number US2014056834
Publication number 2015/047960
Status Granted - in force
Filing date 2014-09-22
Publication date 2015-04-02
Owner FIREEYE, INC. (USA)
Inventor(s) Ismael, Osman Abdoul

Abstract

According to one embodiment, an electronic device comprises a memory to store information and a processor. The processor is adapted to receive information associated with content such as network traffic, to process the stored information and to conduct operations on the content. These operations may comprise determining, by a virtual machine processed by the processor, an occurrence of an event during malware analysis of an object associated with the content, and dynamically altering a virtual machine instrumentation of the virtual machine based on information associated with the event.

IPC classes

  • G06F 21/56 - Detection or handling of malware, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

26.

ADVANCED PERSISTENT THREAT (APT) DETECTION CENTER

      
Application number US2014055956
Publication number 2015/047802
Status Granted - in force
Filing date 2014-09-16
Publication date 2015-04-02
Owner FIREEYE, INC. (USA)
Inventor(s)
  • Haq, Thoufique
  • Zhai, Jinjian
  • Pidathala, Vinay K.

Abstract

A computerized method is described in which one or more received objects are analyzed by an advanced persistent threat (APT) detection center to determine if the objects are APTs. The analysis may include the extraction of features that describe and characterize the received objects. The extracted features may be compared with features of known APT malware objects and known non-APT malware objects to determine a classification or probability of the received objects being APT malware. Upon determination that the received objects are APT malware, warning messages may be transmitted to a user of associated client devices. Classified objects may also be used to generate analytic data for the prediction and prevention of future APT attacks.

IPC classes

  • G06F 21/56 - Detection or handling of malware, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

27.

MALWARE DETECTION BASED ON VM BEHAVIORAL ANALYSIS AND MACHINE LEARNING CLASSIFICATION

      
Application number US2014055958
Publication number 2015/047803
Status Granted - in force
Filing date 2014-09-16
Publication date 2015-04-02
Owner FIREEYE, INC. (USA)
Inventor(s)
  • Mesdaq, Ali
  • Westin Iii, Paul L.

Abstract

A computerized method is described in which a received object is analyzed by a malicious content detection (MCD) system to determine whether the object is malware or non-malware. The analysis may include the generation of a fuzzy hash based on a collection of behaviors for the received object. The fuzzy hash may be used by the MCD system to determine the similarity of the received object with one or more objects in previously classified/analyzed clusters. Upon detection of a "similar" object, the suspect object may be associated with the cluster and classified based on information attached to the cluster. This similarity matching provides 1) greater flexibility in analyzing potential malware objects, which may share multiple characteristics and behaviors but are also slightly different from previously classified objects and 2) a more efficient technique for classifying/assigning attributes to objects.
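A behavioural fuzzy hash of the kind this abstract describes, as an added example that is not FireEye's classifier or code from the patent. It normalises volatile details in a behaviour log, builds a MinHash signature over behaviour bigrams, and assigns an object to the most similar previously classified cluster; the normalisation rules, signature length, threshold and the behaviour logs are constructed assumptions:

```python
"""Behavioural fuzzy hash (MinHash over normalised behaviour bigrams) and
cluster matching. Constructed example: the normalisation rules, signature
size, threshold and sample behaviour logs are assumptions, not FireEye's
classifier."""
import hashlib
import re

NUM_HASHES = 64  # signature length; longer = tighter Jaccard estimate


def normalise(behaviour):
    """Collapse volatile details (random names, numbers, user names) so that
    variants of one family produce the same behaviour tokens."""
    b = re.sub(r"[0-9a-f]{8,}", "<hex>", behaviour, flags=re.I)
    b = re.sub(r"\d+", "<n>", b)
    b = re.sub(r"\\Users\\[^\\]+", r"\\Users\\<user>", b)
    return b.lower()


def shingles(behaviours, n=2):
    """Set of n-grams over consecutive normalised behaviours (order matters)."""
    norm = [normalise(b) for b in behaviours]
    return {"|".join(norm[i:i + n]) for i in range(max(1, len(norm) - n + 1))}


def _hash(seed, shingle):
    digest = hashlib.sha256(f"{seed}:{shingle}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def fuzzy_hash(behaviours):
    """MinHash signature: for each seeded hash, the minimum over the shingle set."""
    sh = shingles(behaviours)
    return tuple(min(_hash(seed, s) for s in sh) for seed in range(NUM_HASHES))


def similarity(sig_a, sig_b):
    """Fraction of matching positions, an estimate of Jaccard similarity."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / len(sig_a)


class ClusterStore:
    """Previously classified clusters; a new object joins the most similar one."""

    def __init__(self, threshold=0.5):
        self.threshold = threshold
        self.clusters = {}  # label -> {"verdict": ..., "members": [signatures]}

    def add_cluster(self, label, verdict, behaviour_logs):
        self.clusters[label] = {"verdict": verdict,
                                "members": [fuzzy_hash(b) for b in behaviour_logs]}

    def classify(self, behaviours):
        """Returns (cluster label, verdict, score); unknown if no cluster is close."""
        sig = fuzzy_hash(behaviours)
        best_label, best_score = None, 0.0
        for label, cluster in self.clusters.items():
            score = max(similarity(sig, m) for m in cluster["members"])
            if score > best_score:
                best_label, best_score = label, score
        if best_label is not None and best_score >= self.threshold:
            self.clusters[best_label]["members"].append(sig)  # cluster grows with the match
            return best_label, self.clusters[best_label]["verdict"], best_score
        return None, "unknown", best_score


# Constructed behaviour logs (not real sandbox output).
DROPPER_A = [
    r"CreateFile:C:\Users\alice\AppData\Local\Temp\a1b2c3d4e5f6.exe",
    r"RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
    "Connect:203.0.113.5:443",
    r"CreateProcess:C:\Users\alice\AppData\Local\Temp\a1b2c3d4e5f6.exe",
]
DROPPER_B = [  # same family: different user, dropped-file name and C2 port
    r"CreateFile:C:\Users\bob\AppData\Local\Temp\deadbeef0011.exe",
    r"RegSetValue:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
    "Connect:203.0.113.77:8080",
    r"CreateProcess:C:\Users\bob\AppData\Local\Temp\deadbeef0011.exe",
]
DROPPER_C = DROPPER_A[:2] + ["Sleep:30000"] + DROPPER_A[2:]  # partial overlap
BENIGN = [
    r"CreateFile:C:\Users\carol\Documents\report.docx",
    "ReadFile:report.docx",
    "CloseHandle",
]
```

MinHash estimates the Jaccard similarity of the bigram sets, so a variant that inserts a behaviour still scores well above an unrelated object, while the same behaviour pattern under a different user name and dropped-file name scores 1.0 and is classified without a full re-analysis.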

IPC classes

  • G06F 21/56 - Detection or handling of malware, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

28.

SYSTEM AND METHOD FOR DETECTING MALICIOUS LINKS IN ELECTRONIC MESSAGES

      
Application number US2014043724
Publication number 2015/009411
Status Granted - in force
Filing date 2014-06-23
Publication date 2015-01-22
Owner FIREEYE, INC. (USA)
Inventor(s)
  • Pidathala, Vinay
  • Uyeno, Henry

Abstract

According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of the remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on the resource the URL link points to, and the suspicious URL link is classified as malicious or not based on the behavior of that resource during the dynamic analysis.

IPC classes

  • G06F 21/56 - Detection or handling of malware, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

29.

ZERO-DAY DISCOVERY SYSTEM

      
Application number US2014043726
Publication number 2014/209913
Status Granted - in force
Filing date 2014-06-23
Publication date 2014-12-31
Owner FIREEYE, INC. (USA)
Inventor(s)
  • Bu, Zheng
  • Lin, Yichong

Abstract

A method for determining a zero-day attack by an electronic device is described. According to one embodiment, the method comprises instantiating, by the electronic device, at least one virtual machine, the at least one virtual machine being based on a fortified software profile. The method further comprises executing content capable of behaving as an exploit on the at least one virtual machine, and determining that the exploit is a zero-day exploit when, upon execution of the content on the at least one virtual machine, the exploit performs an undesired behavior.

IPC classes

  • G06F 21/56 - Detection or handling of malware, e.g. anti-virus arrangements

30.

SYSTEM AND METHOD FOR DETECTING TIME-BOMB MALWARE

      
Application number US2014043727
Publication number 2014/209914
Status Granted - in force
Filing date 2014-06-23
Publication date 2014-12-31
Owner FIREEYE, INC. (USA)
Inventor(s)
  • Paithane, Sushant
  • Vincent, Michael
  • Vashisht, Sai
  • Kindlund, Darien

Abstract

According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceeds a first time period.
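One way to implement the counters and comparison logic in this abstract, as an added example that is not FireEye's code. A monitor inside the VM charges every delay-inducing call to a running total instead of honouring it, advances a virtual clock so the sample still believes time has passed, and flags the content when the total exceeds the period; the API set, the 1 ms quantum charged to tick-count polling, the five-minute period and the traces are assumptions:

```python
"""Delay accounting for time-bomb detection inside an analysis VM: every
delay-inducing call is counted, its requested delay is added to a running
total instead of being honoured, and a virtual clock advances so the sample
still observes that time has passed. Constructed example; the trace format,
the five-minute period and the sample traces are assumptions."""
from collections import Counter

THRESHOLD_MS = 5 * 60 * 1000   # assumed "first time period": 5 minutes of requested delay
INFINITE = 0xFFFFFFFF          # Win32 INFINITE timeout (a wait, not a timed delay)


class DelayMonitor:
    def __init__(self, threshold_ms=THRESHOLD_MS):
        self.threshold_ms = threshold_ms
        self.counters = Counter()   # one counter per delay-inducing API
        self.requested_ms = 0       # total delay the sample asked for
        self.virtual_clock_ms = 0   # clock the sample is allowed to observe

    def on_call(self, api, *args):
        """Account for one API call and return the value handed back to the sample."""
        if api == "Sleep":                    # Sleep(dwMilliseconds)
            return self._delay(api, args[0])
        if api == "NtDelayExecution":         # interval in 100 ns units; negative = relative
            return self._delay(api, abs(args[0]) // 10_000)
        if api == "WaitForSingleObject":      # (hHandle, dwMilliseconds)
            timeout = args[1]
            return self._delay(api, 0 if timeout == INFINITE else timeout)
        if api == "GetTickCount":
            # Polling loops are charged a 1 ms quantum per call (assumption) so a
            # busy-wait on the tick count also accumulates delay.
            self.counters[api] += 1
            self.requested_ms += 1
            self.virtual_clock_ms += 1
            return self.virtual_clock_ms
        return None

    def _delay(self, api, ms):
        self.counters[api] += 1
        self.requested_ms += ms
        self.virtual_clock_ms += ms   # fast-forward instead of sleeping
        return 0

    def verdict(self):
        """Comparison logic: requested delay beyond the period flags a time bomb."""
        return "time-bomb" if self.requested_ms > self.threshold_ms else "no-delay-evasion"


def run_trace(trace, threshold_ms=THRESHOLD_MS):
    """Feed a list of (api, *args) tuples; returns verdict, total and the counters."""
    mon = DelayMonitor(threshold_ms)
    for api, *args in trace:
        mon.on_call(api, *args)
    return {"verdict": mon.verdict(), "requested_ms": mon.requested_ms,
            "counters": dict(mon.counters)}


# Constructed traces standing in for what the VM's hooks would observe.
BENIGN_TRACE = [("Sleep", 100), ("Sleep", 100), ("Sleep", 100),
                ("WaitForSingleObject", 0x1C, 5000)]
SINGLE_SLEEP_BOMB = [("Sleep", 600_000)]                # one ten-minute sleep
FRAGMENTED_BOMB = [("Sleep", 1000)] * 400               # 400 x 1 s, same total evasion
NATIVE_BOMB = [("NtDelayExecution", -6_000_000_000)]    # ten minutes in 100 ns units
TICK_LOOP = [("GetTickCount",)] * 400_000               # busy-wait polling loop

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE), ("single", SINGLE_SLEEP_BOMB),
                        ("fragmented", FRAGMENTED_BOMB), ("native", NATIVE_BOMB)]:
        print(name, run_trace(trace))
```

Counting requested delay rather than wall-clock time is what defeats fragmentation: 400 one-second sleeps trip the same threshold as one ten-minute sleep, and hooking NtDelayExecution catches samples that bypass the Win32 Sleep wrapper.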

IPC classes

  • G06F 21/56 - Detection or handling of malware, e.g. anti-virus arrangements

31.

OPTIMIZED RESOURCE ALLOCATION FOR VIRTUAL MACHINES WITHIN A MALWARE CONTENT DETECTION SYSTEM

      
Application number US2013048739
Publication number 2014/182321
Status Granted - in force
Filing date 2013-06-28
Publication date 2014-11-13
Owner FIREEYE, INC (USA)
Inventor(s) Ismael, Osman Abdoul

Abstract

According to one embodiment, an electronic device comprises a network port and a controller. The network port is adapted to receive incoming content. Coupled to the network port, the controller is configured to (i) determine software profile information associated with the incoming content, (ii) determine whether a first virtual machine instance operating with a first software profile that corresponds to the software profile information is currently running, the first virtual machine instance being allocated resources to provide a first virtual execution environment at a prescribed virtual operating state, and (iii) instantiate a second virtual machine instance operating with the first software profile to conduct malware analysis on the incoming content, the second virtual machine instance being provided access to the resources allocated for use by the first virtual machine instance.

IPC classes

  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F 11/30 - Monitoring

32.

FIREEYE

      
Application number 1194862
Status Registered
Filing date 2013-08-05
Registration date 2013-08-05
Owner FireEye, Inc. (USA)
Nice classes
  • 09 - Scientific and electrical apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods and services

Computer software and hardware for digital security; computer security products, namely, computer peripherals; computer hardware and software, namely, network security appliances, email security appliances, digital data and media security appliances, security software applications, and management stations related to the foregoing; computer software and computer hardware for detection, blocking, and facilitating removal and remediation of computer viruses, rootkits, bootkits, backdoors, zero-day attacks, data exfiltration, phishing, bots, time bombs, worms, cyber-attacks, malicious attacks, and advanced persistent threats; computer software for identifying and preventing malicious attacks on, and unauthorized activities and intrusions in computers, computer systems, networks, hardware, software applications, digital devices, and mobile devices; computer software and hardware providing secure networks, virtual computer systems and virtual computer environments; computer hardware; computer peripherals. 
Technical support and consulting services related to security and vulnerability of, and cyber-attacks and threats against computers, computer systems, networks, hardware, software applications, digital devices, digital data, and mobile devices; technical and consulting services related to designing, developing, customizing, configuring, deploying, installing, maintaining, analyzing, integrating, repairing, and managing of cyber-security systems for others; technical support services in the nature of detecting and diagnosing computer hardware and software security problems and vulnerabilities, updating and maintenance of computer software relating to computer security and to prevention and mitigation of computer risks; updating and maintaining computer software for others; cloud computing services featuring software and databases for use in computer security and prevention and mitigation of computer risks; computer consultation and research in the field of computer hardware, computer software and network security; computer security consultancy in the field of malware, intrusion and penetration testing and diagnosis of computers and networks to assess information technology security and vulnerability; information technology security services in the nature of providing network access to cyber-threat intelligence, to cyber-attack verification, and to security analysis of network traffic, emails, files, media computer software, and mobile applications; application service provider (ASP) featuring software for use for detection, blocking, and facilitating removal and remediation of computer viruses, rootkits, advanced persistent threats, malware and malicious attacks in computers, computer systems, networks, hardware, software applications, digital devices, and mobile digital devices; application service provider (ASP) featuring software that provides secure virtual computer systems and virtual computing environments.

33.

FIREEYE

      
Application number 163842100
Status Registered
Filing date 2013-08-06
Registration date 2015-10-15
Owner FireEye, Inc., a legal entity, (USA)
Nice classes
  • 09 - Scientific and electrical apparatus and instruments
  • 37 - Building construction; mining; installation and repair services
  • 38 - Telecommunications services
  • 42 - Scientific, technological and industrial services, research and design

Goods and services

(1) Computer software and hardware for digital security; computer software, namely, security software applications; computer software and computer hardware for detection, blocking, and facilitating removal and remediation of computer viruses, rootkits, bootkits, backdoors, zero-day attacks, data exfiltration, phishing, bots, time bombs, worms, cyber-attacks, malicious attacks, and advanced persistent threats; computer software for identifying and preventing malicious attacks on, and unauthorized activities and intrusions in computers, computer systems, networks, hardware, software applications, digital devices, and mobile devices; computer software and hardware that provides virtual computer systems and virtual computer environments for the purpose of providing network security; computer hardware providing secure networks, virtual computer systems and virtual computer environments; computer hardware; computer software for monitoring, filtering, and recording network traffic; computer software for detecting, reporting, blocking and eliminating viruses, worms, malware, spyware, unauthorized software and network attacks. (2) Computer hardware; computer software for monitoring, filtering and reporting network traffic; computer software for detecting, reporting, blocking and eliminating viruses, worms, malware, spyware, unauthorized software and network attacks. 
(1) Technical support and consulting services related to security and vulnerability of, and cyber-attacks and threats against computers, computer systems, networks, hardware, software applications, digital devices, digital data, and mobile devices; technical and consulting services related to designing, developing, customizing, configuring, deploying, installing, maintaining, analyzing, integrating, repairing, and managing of cyber-security systems for others; technical support services in the nature of detecting and diagnosing computer hardware and software security problems and vulnerabilities, updating and maintenance of computer software relating to computer security and to prevention and mitigation of computer risks; updating and maintaining computer software for others; cloud computing services featuring software and databases for use in computer security and prevention and mitigation of computer risks; computer consultation and research in the field of computer hardware, computer software and network security; computer security consultancy in the field of malware, intrusion and penetration testing and diagnosis of computers and networks to assess information technology security and vulnerability; information technology security services in the nature of analyzing network traffic, emails, computer files, computer software media, and mobile applications for the presence of malware or other evidence of cyber attacks; application service provider (ASP) featuring software for use for detection, blocking, and facilitating removal and remediation of computer viruses, rootkits, advanced persistent threats, malware and malicious attacks in computers, computer systems, networks, hardware, software applications, digital devices, and mobile digital devices; application service provider that provides access to software that houses virtual computer systems and virtual computing environments to analyze network traffic, emails, computer files, computer software media, and mobile applications for the presence of malware or other evidence of cyber attacks; information technology security services in the nature of providing access to information about cyber-threats; information technology security services in the nature of verifying the existence of cyber attacks; technical support services, namely, troubleshooting of computer hardware and software problems. (2) Technical support services, namely, troubleshooting of computer hardware and software problems.

34.

ELECTRONIC MESSAGE ANALYSIS FOR MALWARE DETECTION

      
Application number US2012026402
Publication number 2012/145066
Status Granted - in force
Filing date 2012-02-23
Publication date 2012-10-26
Owner FIREEYE, INC. (USA)
Inventor(s)
  • Aziz, Ashar
  • Uyeno, Henry
  • Manni, Jay
  • Sukhera, Amin
  • Staniford, Stuart

Abstract

An electronic message is analyzed for malware contained in the message. The text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource locator (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the computing device intended to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
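A link-triage pipeline covering both this abstract and the earlier "System and method for detecting malicious links in electronic messages" (item 28): URLs are extracted from message text, links covered by known link signatures or the shared black list are settled immediately, link heuristics pick the suspicious remainder, only those are replayed, and confirmed-malicious links are added to the black list. Added example in Python, not FireEye's implementation; the signature list, the heuristics, the sample message and the stand-in sandbox function are assumptions:

```python
"""Link triage for electronic messages (constructed example, not FireEye's
code): extract URLs, settle links covered by known signatures or the shared
black list, run link heuristics, replay only the suspicious remainder, and
feed confirmed-malicious links back into the black list."""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)

# Assumed known link signatures: hosts whose verdict is already settled.
KNOWN_SIGNATURES = {
    "example.com": "benign",
    "malware-host.invalid": "malicious",  # .invalid is reserved and never resolves
}

def extract_urls(text):
    """Pull URLs out of message text, dropping punctuation glued onto them."""
    return [u.rstrip(".,;:") for u in URL_RE.findall(text)]

def known_verdict(url, blacklist):
    """(verdict, source) for an already-known link, else (None, None)."""
    if url in blacklist:
        return "malicious", "blacklist"
    host = urlsplit(url).hostname or ""
    for sig_host, verdict in KNOWN_SIGNATURES.items():
        if host == sig_host or host.endswith("." + sig_host):
            return verdict, "known-signature"
    return None, None

def link_heuristics(url):
    """Cheap static checks; returns the reasons a link looks suspicious."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("ip-literal-host")
    if "@" in parts.netloc:
        reasons.append("userinfo-in-authority")  # http://bank.example@evil.invalid/
    if host.count(".") >= 4:
        reasons.append("deep-subdomain")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode-host")
    if re.search(r"\.(exe|scr|js|jar|hta|msi)$", parts.path, re.I):
        reasons.append("executable-path")
    if re.search(r"login|verify|secure|account", host, re.I):
        reasons.append("credential-lure-words")
    if len(url) > 200:
        reasons.append("overlong-url")
    return reasons

def dynamic_analysis(url, sandbox):
    """Replay the link; `sandbox(url)` returns the behaviour observed in the VM."""
    behaviour = sandbox(url)
    malicious = (bool(behaviour.get("process_created"))
                 or bool(behaviour.get("dropped_executables"))
                 or behaviour.get("exploit_indicators", 0) > 0)
    return malicious, behaviour

def analyse_message(text, sandbox, blacklist):
    """Returns {url: (verdict, reasons)} and updates `blacklist` in place."""
    results = {}
    for url in extract_urls(text):
        verdict, source = known_verdict(url, blacklist)
        if verdict is not None:
            results[url] = (verdict, [source])
            continue
        reasons = link_heuristics(url)
        if not reasons:
            results[url] = ("not-suspicious", reasons)
            continue
        malicious, behaviour = dynamic_analysis(url, sandbox)
        if malicious:
            blacklist.add(url)  # shared list: later messages skip the sandbox
            results[url] = ("malicious", reasons + sorted("sandbox:" + k for k in behaviour))
        else:
            results[url] = ("suspicious-but-clean", reasons)
    return results

# Constructed message and stand-in sandbox (no network, no real detonation).
SAMPLE_EMAIL = """Hi,
Your invoice is ready: https://www.example.com/invoices/4471.
Please confirm your account at http://203.0.113.9/login/update.exe today,
or read the guide at https://docs.example.org/guide/setup.
"""

def fake_sandbox(url):
    """Behaviour record a detonation VM might report; constructed for the example."""
    if url.endswith("update.exe"):
        return {"process_created": ["update.exe"],
                "files_written": [r"C:\Users\Public\update.exe"]}
    return {}
```

The stand-in `fake_sandbox` returns a constructed behaviour record; in a real deployment it is the virtual environment that re-plays the link. Two ordering decisions carry the design: known links are removed before the heuristics run, so the expensive replay is reserved for unknown, suspicious links, and a link confirmed as malicious is blacklisted so a second message carrying it never reaches the sandbox again.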

IPC classes

  • G06F 11/00 - Error detection; Error correction; Monitoring

35.

SYSTEMS AND METHODS FOR DETECTING MALICIOUS PDF NETWORK CONTENT

      
Application number US2012021916
Publication number 2012/100088
Status Granted - in force
Filing date 2012-01-19
Publication date 2012-07-26
Owner FIREEYE, INC. (USA)
Inventor(s)
  • Staniford, Stuart Gresley
  • Aziz, Ashar

Abstract

Systems and methods for detecting malicious PDF network content are provided herein. According to some embodiments, the methods may include at least the steps of examining received PDF network content to determine if one or more suspicious characteristics indicative of malicious network content are included in the PDF network content, providing PDF network content determined to include at least one suspicious characteristic to one or more virtual machines, and analyzing responses received from the one or more virtual machines to verify the inclusion of malicious network content in the PDF network content determined to include at least one suspicious characteristic.
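The static first step of this abstract, as an added example that is not FireEye's code. It scans raw PDF bytes for characteristics that commonly accompany malicious content, decodes the #xx name escapes that are used to hide keys such as /JavaScript, and reports what would justify forwarding the file to a virtual machine; the indicator list and the two PDF byte strings are constructed assumptions:

```python
"""Static pass of the PDF triage described above: scan the raw bytes for
characteristics that commonly accompany malicious PDFs, decoding #xx
name escapes so obfuscated keys are not missed, and return the hits that
decide whether the file is forwarded to a VM for confirmation. Constructed
example; the indicator list and the sample PDF bytes are assumptions, not
FireEye's detection rules."""
import re

# Name tokens worth a closer look and the characteristic each one signals.
SUSPICIOUS_NAMES = {
    b"/JavaScript": "javascript",
    b"/JS": "javascript",
    b"/OpenAction": "auto-action",    # runs on open, no user click
    b"/AA": "auto-action",            # additional actions (page open, mouse, ...)
    b"/Launch": "launch-action",      # launches an external program
    b"/EmbeddedFile": "embedded-file",
    b"/RichMedia": "rich-media",      # Flash-era exploitation vector
    b"/XFA": "xfa-form",
}
# A PDF name ends at whitespace or a delimiter; the lookahead stops /JS
# from matching inside longer names.
NAME_END = rb"(?![^\s()<>\[\]{}/%])"
ESCAPED_NAME_RE = re.compile(rb"/[A-Za-z0-9]*#[0-9A-Fa-f]{2}")


def decode_name_escapes(data):
    """PDF names may spell any byte as #xx (e.g. /J#61vaScript); normalise them."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data):
    """Return {characteristic: count} for the suspicious characteristics found."""
    findings = {}
    if not data.startswith(b"%PDF-"):
        findings["missing-header"] = 1
    escaped = len(ESCAPED_NAME_RE.findall(data))
    if escaped:
        findings["escaped-names"] = escaped   # obfuscation is itself a signal
    decoded = decode_name_escapes(data)
    for name, label in SUSPICIOUS_NAMES.items():
        hits = len(re.findall(re.escape(name) + NAME_END, decoded))
        if hits:
            findings[label] = findings.get(label, 0) + hits
    objs = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", decoded))
    if objs != decoded.count(b"endobj"):
        findings["obj-endobj-mismatch"] = 1   # malformed structure that confuses parsers
    return findings


def triage(data):
    """Decide whether the content goes to the virtual machines for verification."""
    findings = scan_pdf(data)
    return ("forward-to-vm" if findings else "pass"), findings


# Constructed samples (not real malware): one benign, one with an auto-run
# JavaScript action whose action name is obfuscated with a #xx escape.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage(BENIGN_PDF))
    print(triage(SUSPICIOUS_PDF))
```

Decoding the escapes before matching is the part worth copying: a scanner that looks for the literal bytes `/JavaScript` misses `/J#61vaScript`, which a conforming PDF reader treats as the same name. The static pass only selects candidates; the virtual-machine replay described in the abstract is what confirms them.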

IPC classes

  • G06F 12/14 - Protection against unauthorised use of memory

36.

FIREEYE

      
Application number 892561
Status Registered
Filing date 2006-01-17
Registration date 2006-01-17
Owner FireEye, Inc. (USA)
Nice classes 09 - Scientific and electrical apparatus and instruments

Goods and services

Computer hardware; computer software; computer peripherals; computer software for monitoring, filtering and reporting network traffic; computer software for detecting, reporting, blocking and eliminating viruses, worms, malware, spyware, unauthorized software and network attacks.