Abstract:
Providing malware-free web content to a user is disclosed. The web content is any type of web content that may potentially be infected by any type of malware. Upon receiving a request for a piece of web content from the user, the requested piece of web content is obtained from the appropriate source, and a dynamic template for the piece of web content is retrieved. The dynamic template indicates whether the requested piece of web content includes any malware and what actions are to be performed if any malware is included in the piece of web content. The requested piece of web content is cleaned up by performing the actions indicated in the dynamic template. Thereafter, the piece of web content is provided to the user. The dynamic template is updated from time to time based on the currently available information regarding the piece of web content.
Abstract:
A Web site uses a behavior monitor that operates as a gatekeeper for a browser. The attack injects Web content with malicious executable code that executes on an end user device when the code executes in a browser on the device. A message is received at the monitor from a browser for retrieving Web content; the browser executes on a computing device having sensitive information. The Web content is retrieved from a target Web server and analyzed for XSS. If found, the destination to which some or all of the sensitive information will be sent if the XSS executes is determined. A message is displayed in the browser regarding whether the Web content that was requested should be viewed in the browser. In this manner, execution of the XSS in the browser is prevented. The analyzing and determining steps are performed before the Web content is received by the browser.
Abstract:
Detection and prevention of botnet behavior is accomplished by monitoring access request in a network. Each request includes a domain of content to access and a path of content to access, and each path includes a file name and query string. Once obtained, the query strings for each of these requests are normalized. A signature is then created for each of the normalized query strings. The obtained requests can then be grouped by signature. Once the requests have been grouped by signature, each grouping is examined to identify suspicious signatures based on common botnet behavior. Suspicious requests are used in back-end and front-end defenses against botnets.
Abstract:
Daily query counts for e-mail messages sent from a number of IP addresses having unknown reputations are collected and logged, and optionally plotted. The logged query count data may optionally be normalized. The normalized query count data may also be plotted. The normalized data is divided into regions (numerically or graphically). Next, the divided regions are tagged (symbolically or graphically) with unique, symbolic identifiers such as letters, numbers, symbols or colors. Patterns for each unknown IP address are formed based upon the tagged regions. Common good and bad patterns are also identified for known good and bad IP addresses. The reputation of these unknown IP addresses are then predicted using these identified good and bad patterns using a suffix tree (for example). Finally, an output identifying the determined reputations of these unknown IP addresses is generated and output.
Abstract:
A Web site reputation service automatically redirects a browsing request for analysis by a rating server. On the browsing request, a proxy autoconfiguration (PAC) file is downloaded from a PAC server to a Web browser of a user computer. The function of the PAC file is executed, sending a request to a rating server along with a host name of a target Web site. The function does not immediately return a proxy server, but first requests a rating of the Web site. A rating result associated with the Web site is produced by the rating server. The rating server returns the rating result and the function returns an address of a proxy server to the Web browser based upon the rating result. A user can enable the Web Proxy Autodiscovery Protocol to use the service. Access control may be implemented by applying an HTTP authentication mechanism on the Web server that hosts the PAC file.
Abstract:
Applications running in an API-proxy-based emulator are prevented from infecting a PC's hard disk when executing file I/O commands. Such commands are redirected to an I/O redirection engine instead of going directly to the PC's normal operating system where it can potentially harm files in on the hard disk. The redirection engine executes the file I/O command using a private storage area in the hard disk that is not accessible by the PC's normal operating system. If a file that is the subject of a file I/O command from an emulated application is not in the private storage area, a copy is made from the original that is presumed to exist in the public storage area. This copy is then acted on by the command and is stored in the private storage area, which can be described as a controlled, quarantined storage space on the hard disk. In this manner the PC's (or any computing device's) hard disk is defended from potential malware that may originate from applications running in emulated environments.
Abstract:
A trust network database has any number of nodes, each node representing a user e-mail address. Links between nodes represent whether one user trusts another. Trust (that the recipient is trusted) is established when a sender sends an e-mail message to a recipient. The recipient is effectively placed on the white list for the sender. A legitimate e-mail address creates a strong trust link, otherwise it is weak. A spam count tracks by an amount of spam sent by each node. Outgoing e-mail messages are screened to make a determination that the sender trusts the recipient and that information is added to a local or remote trust network. Incoming e-mail messages are first screened to determine that the sender is legitimate. Then, the sender and recipient e-mail addresses are forwarded to the trust network to make a determination as to whether the recipient trusts the sender. A score (based upon number and type of links into or out of a node, the spam count for the node, etc.) for the sender is returned indicating whether or not the e-mail message is likely to be spam. An anti-spam engine is bypassed, used normally, or used aggressively based upon the score.
Abstract:
A training model for malware detection is developed using common substrings extracted from known malware samples. The probability of each substring occurring within a malware family is determined and a decision tree is constructed using the substrings. An enterprise server receives indications from client machines that a particular file is suspected of being malware. The suspect file is retrieved and the decision tree is walked using the suspect file. A leaf node is reached that identifies a particular common substring, a byte offset within the suspect file at which it is likely that the common substring begins, and a probability distribution that the common substring appears in a number of malware families. A hash value of the common substring is compared (exact or approximate) against the corresponding substring in the suspect file. If positive, a result is returned to the enterprise server indicating the probability that the suspect file is a member of a particular malware family.
Abstract:
A DNS engine monitors domain name system (DNS) network activity occurring between a user computer and a remote computer server. The engine collects DNS traffic information during a specified time window at the user computer using the monitored DNS network activity. The engine generates a local DNS reputation for the user computer and stores the local DNS reputation on the user computer. When a triggering event is received at the user computer the engine determines that the triggering event is abnormal in comparison to the stored local DNS reputation. An alert is issued to a software product on the user computer. The engine takes an action using a software product upon the alert. The reputation may be a frequency distribution for each accessed domain name and IP address. A triggering event may be an abnormal access to a domain name or IP address, or a mismatch between DNS queries and DNS responses of the user computer.
Abstract:
An anti-virus program executes simultaneously with another anti-virus program by accessing a function (target) driver in the driver model directly instead of traversing each filter driver in the driver model as is conventionally done. The filter driver component of the anti-virus program avoids deadlock and infinite execution loops by bypassing filter drivers of other executing anti-virus programs and other filter drivers and going straight to the driver that will be performing the specific function, such as opening a file for scanning. This is done by having the filter driver component of the anti-virus program obtain directly the handle of the function driver that will perform the function needed by the anti-virus program and thereby avoiding the filter drivers of other programs, specifically other anti-virus programs, that can prevent completion of the required function.