Abstract:
A computer-implemented method for detecting an obfuscated executable may include identifying an executable file programmed to execute on a target architecture. The method may also include disassembling a first section of the executable file and determining whether the first section of the executable file comprises a valid instruction. The method may further include determining, based on whether the first section of the executable file comprises a valid instruction, whether the executable file poses a security risk. Various other methods, computer-readable media, and systems are also disclosed.
Abstract:
An exemplary method for reducing false positives produced by heuristics may include: 1) training a heuristic using a set of training data, 2) deploying the heuristic, 3) identifying false positives produced by the heuristic during deployment, and then 4) tuning the heuristic by: a) duplicating at least a portion of the false positives, b) modifying the training data to include the duplicate false positives, and c) re-training the heuristic using the modified training data. Corresponding systems and computer-readable media are also disclosed.
Abstract:
The launch of an installer or uninstaller is detected. A process lineage tree is created representing the detected installer/uninstaller process and all processes launched directly or indirectly by it. The detected installer/uninstaller process is represented by the root node of the process lineage tree. Launches of child processes by the installer/uninstaller process, and by any subsequently launched child processes, are detected. The launched child processes are represented by child nodes in the tree. As long as the installer/uninstaller process represented by the root node is running, the processes represented by nodes in the tree are exempted from anti-malware analysis. The termination of the installer/uninstaller process is detected, after which the processes represented by nodes in the process lineage tree are no longer exempted from anti-malware analysis.
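The lineage-tree exemption described in this abstract, as an added worked example (not code from the patent). The installer image list, the event format and the process identifiers are assumptions; the event stream is constructed. Note that the exemption window is bounded only by the root's lifetime, so the installer classification is the trust decision, and descendants that outlive the root fall back under analysis.

```python
# Added example: process lineage tracking for an installer exemption window.
# Assumption: installers are recognised by image name from a fixed list.
INSTALLER_IMAGES = {"setup.exe", "uninstall.exe", "msiexec.exe"}


def is_installer(image):
    return image.lower() in INSTALLER_IMAGES


class LineageTracker:
    """Maps every tracked process to the root installer it descends from."""

    def __init__(self):
        self.root_of = {}          # pid -> pid of the root installer node
        self.running_roots = set()  # roots whose exemption window is open

    def on_launch(self, pid, ppid, image):
        if is_installer(image):
            # New tree: the installer itself is the root node.
            self.root_of[pid] = pid
            self.running_roots.add(pid)
        elif ppid in self.root_of:
            # Child or grandchild of a tracked process joins that tree.
            self.root_of[pid] = self.root_of[ppid]

    def on_exit(self, pid):
        # Only the root's termination closes the window; a child leaving
        # the tree does not change its siblings' status. Dropping the pid
        # from root_of avoids misattributing a later reuse of that pid.
        self.running_roots.discard(pid)
        self.root_of.pop(pid, None)

    def is_exempt(self, pid):
        root = self.root_of.get(pid)
        return root is not None and root in self.running_roots


def replay(events):
    """Feed (kind, pid, ppid, image) events; return (pid, exempt) at each 'scan' event."""
    tracker = LineageTracker()
    verdicts = []
    for kind, pid, ppid, image in events:
        if kind == "launch":
            tracker.on_launch(pid, ppid, image)
        elif kind == "exit":
            tracker.on_exit(pid)
        elif kind == "scan":
            verdicts.append((pid, tracker.is_exempt(pid)))
    return verdicts


# Constructed event stream: explorer (100) launches setup.exe (200), which
# spawns a helper (300) that spawns a child (400); then setup.exe exits.
EVENTS = [
    ("launch", 100, 1, "explorer.exe"),
    ("launch", 200, 100, "setup.exe"),
    ("launch", 300, 200, "helper.exe"),
    ("launch", 400, 300, "child.exe"),
    ("scan", 400, None, None),   # root still running: exempt
    ("scan", 100, None, None),   # not in any tree: analysed
    ("exit", 200, None, None),
    ("scan", 400, None, None),   # root gone: no longer exempt
]

if __name__ == "__main__":
    for pid, exempt in replay(EVENTS):
        print(pid, "exempt" if exempt else "analyse")
```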
Abstract:
A method for analyzing an unverified executable file within an antivirus engine in order to identify the executable file as being obfuscated by an unknown obfuscator program is described. An unverified executable file comprising obfuscated library strings is received. A list of pre-verified library strings is accessed. A determination is made as to whether the unverified executable file comprises one or more of the pre-verified library strings. The unverified executable file is identified as being obfuscated by an unknown obfuscator program if the file does not comprise one or more of the pre-verified library strings.
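The pre-verified string check from this abstract, as an added example that is not the patent's own code. The reference list and the two sample files are constructed; a real deployment would derive the list from known-good binaries for the target platform. The `min_matches` threshold is an added knob: the abstract flags a file that lacks even one pre-verified string, which is what the default reproduces.

```python
# Added example: does an unverified executable still carry known library strings?
# Assumption: this reference list stands in for the pre-verified list in the text.
PRE_VERIFIED_STRINGS = {
    b"KERNEL32.dll", b"LoadLibraryA", b"GetProcAddress", b"ExitProcess",
    b"msvcrt.dll", b"ADVAPI32.dll",
}


def matched_library_strings(data):
    """Pre-verified library strings that occur verbatim anywhere in the file."""
    return {s for s in PRE_VERIFIED_STRINGS if s in data}


def is_obfuscated(data, min_matches=1):
    """Flag the file as obfuscated by an unknown obfuscator when too few survive."""
    return len(matched_library_strings(data)) < min_matches


# Constructed samples: a plain import table versus a packed body whose strings
# have been encoded away (deterministic filler bytes, no readable import names).
CLEAN = (b"MZ\x90\x00" + b"\x00" * 16
         + b"KERNEL32.dll\x00LoadLibraryA\x00GetProcAddress\x00ExitProcess\x00")
PACKED = (b"MZ\x90\x00" + bytes((i * 37 + 11) % 256 for i in range(64))
          + b"UPX0\x00UPX1\x00")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("packed", PACKED)):
        print(name, sorted(matched_library_strings(blob)), is_obfuscated(blob))
```

A stub that a known packer leaves behind often keeps `LoadLibraryA` and `GetProcAddress` to rebuild imports at run time, which is why the check targets unknown obfuscators: those are the ones that leave nothing on the list.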
Abstract:
A stealth threat detection manager detects stealth threats. The stealth threat detection manager monitors system activities that are vulnerable to being used by stealth threats. Dynamic link libraries are often used by stealth threats, so in some embodiments the stealth threat detection manager monitors for the loading thereof. The stealth threat detection manager detects when a system activity being monitored occurs, and after the occurrence of the activity, determines whether a specific component associated with the activity (e.g., the dynamic link library being loaded) is accessible on the computer. If the component is accessible, the stealth threat detection manager concludes that the component is non-stealthed. On the other hand, if the component is not accessible, the stealth threat detection manager concludes that the component is a stealth threat, and takes appropriate action in response.
Abstract:
In one embodiment an I/O request packet (IRP) attempting to access a computer disk is evaluated to determine whether the request identifies an area of the disk that is marked as bad in the file system. When the request identifies an area of the disk marked as bad, the request is assumed to be indicative of a rootkit. In another embodiment an IRP is evaluated to determine whether the request identifies an area of the disk that was not identified in requests detected at the file-system level of the kernel. When the request identifies an area of the disk not covered by any request detected at the file-system level of the kernel, the request is assumed to be indicative of a rootkit.
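Both indicators from this abstract applied to disk-level requests, as an added example that is not the patent's own code. The model is constructed: the bad-cluster list is assumed to be available as cluster numbers, requests are byte offsets and lengths, and the file-system-level requests are recorded by the same monitor. In a real filter the file-system-level record would have to be bounded by time or by completion of the request, or it grows without limit.

```python
# Added example: two rootkit indicators for disk-level I/O (constructed model).
class DiskAccessMonitor:
    """Checks disk-level requests against bad clusters and file-system-level requests."""

    def __init__(self, bad_clusters, cluster_size=4096):
        # Assumption: the file system's bad-cluster list is known as cluster numbers.
        self.bad = set(bad_clusters)
        self.cluster_size = cluster_size
        self.fs_level = []  # (start, end) byte ranges seen at the file-system level

    def note_fs_request(self, offset, length):
        """Record a request observed at the file-system level of the kernel."""
        self.fs_level.append((offset, offset + length))

    def clusters_touched(self, offset, length):
        first = offset // self.cluster_size
        last = (offset + length - 1) // self.cluster_size
        return range(first, last + 1)

    def covered_by_fs_level(self, offset, length):
        """A disk request is explained if some file-system-level request contains it."""
        end = offset + length
        return any(start <= offset and end <= stop for start, stop in self.fs_level)

    def check_disk_request(self, offset, length):
        """Return the reasons (possibly none) a disk-level request looks rootkit-driven."""
        reasons = []
        hit = sorted(self.bad.intersection(self.clusters_touched(offset, length)))
        if hit:
            reasons.append("touches clusters marked bad: %s" % hit)
        if not self.covered_by_fs_level(offset, length):
            reasons.append("no matching request observed at file-system level")
        return reasons


def build_sample_monitor():
    """Constructed scenario: clusters 500 and 501 marked bad; one legitimate read."""
    monitor = DiskAccessMonitor(bad_clusters={500, 501})
    monitor.note_fs_request(0x10000, 8192)   # a normal read issued through the file system
    return monitor


if __name__ == "__main__":
    m = build_sample_monitor()
    for off, ln in ((0x10000, 4096), (500 * 4096, 4096), (0x20000, 512)):
        print(hex(off), ln, m.check_disk_request(off, ln) or ["benign"])
```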
Abstract:
Methods, apparatuses, and computer-readable media for preventing the spread of malicious computer code. An embodiment of the inventive method comprises the steps of: identifying (110) a computer application that is data mining an e-mail address; determining (130) whether the computer application associates at least one executable application and the data mined e-mail address with an e-mail message (120); and blocking (140) the transmission of the e-mail message when the e-mail message is associated with the at least one executable application and the data mined e-mail address.
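The correlation in steps 110 to 140, as an added example that is not the patent's own code. The address-store path, the set of attachment extensions treated as executable and the contacts fragment are assumptions; the events are constructed. The key design point is that harvesting and sending are correlated per process, so a send from a process that never read the address store is not blocked even when the recipient is in it.

```python
# Added example: block outgoing mail that pairs a mined address with an executable.
import re

# Assumptions: local address stores to watch and attachment types treated as executable.
ADDRESS_STORES = {r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost"}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
EMAIL = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")


class EmailWormGuard:
    """Correlates address-book harvesting with outgoing mail, per process."""

    def __init__(self):
        self.mined = {}  # pid -> addresses harvested from an address store

    def on_file_read(self, pid, path, data):
        """Step 110: a read of an address store by this process counts as data mining."""
        if path in ADDRESS_STORES:
            found = {m.decode("ascii", "ignore") for m in EMAIL.findall(data)}
            self.mined.setdefault(pid, set()).update(found)

    def on_send(self, pid, recipients, attachments):
        """Steps 120-140: block when an executable goes to a mined address."""
        harvested = self.mined.get(pid, set())
        to_mined = harvested.intersection(recipients)
        has_executable = any(a.lower().endswith(EXECUTABLE_EXT) for a in attachments)
        if to_mined and has_executable:
            return "block"
        return "allow"


# Constructed address-store fragment: two contacts, NUL-separated.
CONTACTS = b"Bob <bob@example.com>\x00Carol <carol@example.org>\x00"

if __name__ == "__main__":
    guard = EmailWormGuard()
    guard.on_file_read(1234, next(iter(ADDRESS_STORES)), CONTACTS)
    print(guard.on_send(1234, ["bob@example.com"], ["photo.jpg.exe"]))  # block
    print(guard.on_send(1234, ["bob@example.com"], ["report.pdf"]))     # allow
    print(guard.on_send(5678, ["bob@example.com"], ["tool.exe"]))       # allow
```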
Abstract:
A cap which can form an essentially leak-proof seal with an open-ended vessel capable of receiving and holding fluid specimens or other materials for analysis. To minimize potentially contaminating contact between a fluid sample present in the vessel and humans or the environment, the present invention features a cap having a frangible seal which is penetrable by a plastic pipette tip or other fluid transfer device. The cap further includes a filter for limiting dissemination of an aerosol or bubbles once the frangible seal has been pierced. The filter is positioned between the frangible seal and a retaining structure. The retaining structure is positioned on the cap above the filter and may be used to contain the filter within the cap. The material of the retaining structure may be penetrable by a fluid transfer device.
Abstract:
A clamp includes a hoop section and actuating elements. The hoop section forms a cavity for holding a tubular object. The hoop section has first and second ends. First and second actuating elements are respectively coupled with the first and second ends of the hoop section. Squeezing the ends of the actuating members together causes the hoop section to expand, to facilitate installation of the clamp onto an object to be clamped and removal of the clamp from the object. Thus, the clamping force generated by the clamp is limited by the restoring forces inherent in the shape, size, and material of the hoop section when the actuating members are released. The actuating members include expansion-limiting extensions which contact each other after a prescribed amount of expansion of the hoop section, thereby preventing further expansion, and possible yielding, of the hoop section. The clamp can be employed as an anti-rotation device secured to a syringe of a syringe pump.
Abstract:
An exemplary method for using multiple in-line heuristics to reduce false positives may include: 1) training a first heuristic using a set of training data, 2) deploying the first heuristic, 3) identifying false positives produced by the first heuristic during deployment, 4) modifying the training data to include the false positives produced by the first heuristic, 5) creating a second heuristic using the modified training data, 6) deploying both the first heuristic and the second heuristic, and then 7) applying both the first heuristic and the second heuristic, in sequence, to a set of field data.
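An added example, not the patent's own code, serving both this abstract and the single-heuristic tuning abstract earlier on the page (train, deploy, identify false positives, duplicate them into the training data, retrain). The heuristic is a log-odds scorer (naive Bayes with Laplace smoothing) over constructed binary features; the feature names, training rows, field samples and the duplication count of 3 are assumptions. With one copy of the false positive in the training data the retrained heuristic still flags it, which is why the tuning step duplicates rather than merely adds; the second heuristic is then applied in line behind the first, so a sample is detected only if both flag it.

```python
# Added example: heuristic tuning by false-positive duplication, and two
# heuristics applied in sequence. All data below is constructed.
import math
from collections import Counter

FEATURES = ("packed", "no_imports", "autorun", "high_entropy", "signed")

# Constructed training set: (feature set, label), label 1 = malicious, 0 = benign.
TRAINING = [
    ({"packed", "no_imports", "autorun"}, 1),
    ({"packed", "no_imports"}, 1),
    ({"packed", "autorun", "high_entropy"}, 1),
    ({"no_imports", "high_entropy", "autorun"}, 1),
    ({"signed"}, 0),
    ({"signed", "autorun"}, 0),
    ({"high_entropy", "signed"}, 0),
    (set(), 0),
]

# Constructed field data: (name, features, analyst verdict) used to identify FPs.
FIELD = [
    ("installer.exe", {"packed", "autorun"}, 0),
    ("dropper.exe", {"packed", "no_imports", "autorun"}, 1),
    ("notepad.exe", {"signed"}, 0),
]


class Heuristic:
    """Log-odds scoring heuristic (naive Bayes with Laplace smoothing)."""

    def __init__(self, training):
        n_mal = sum(1 for _, label in training if label == 1)
        n_ben = len(training) - n_mal
        mal = Counter(f for feats, label in training if label == 1 for f in feats)
        ben = Counter(f for feats, label in training if label == 0 for f in feats)
        self.prior = math.log(n_mal / n_ben)
        self.weights = {}
        for f in FEATURES:
            p_mal = (mal[f] + 1) / (n_mal + 2)
            p_ben = (ben[f] + 1) / (n_ben + 2)
            present = math.log(p_mal / p_ben)
            absent = math.log((1 - p_mal) / (1 - p_ben))
            self.weights[f] = (present, absent)

    def score(self, feats):
        total = self.prior
        for f in FEATURES:
            present, absent = self.weights[f]
            total += present if f in feats else absent
        return total

    def flags(self, feats):
        return self.score(feats) > 0.0


def find_false_positives(heuristic, field):
    """Step 3: benign field samples the deployed heuristic flagged."""
    return [feats for _, feats, label in field if label == 0 and heuristic.flags(feats)]


def tune(training, false_positives, copies=3):
    """Steps 4a-4c: duplicate the FPs, add them as benign, retrain."""
    modified = list(training)
    for feats in false_positives:
        modified.extend((feats, 0) for _ in range(copies))
    return Heuristic(modified)


def in_line(first, second, field):
    """Two heuristics in sequence: the second only sees what the first flagged."""
    return [name for name, feats, _ in field
            if first.flags(feats) and second.flags(feats)]


if __name__ == "__main__":
    h1 = Heuristic(TRAINING)
    fps = find_false_positives(h1, FIELD)
    h2 = tune(TRAINING, fps)
    print("false positives after deployment:", fps)
    print("retrained heuristic still flags them:", [h2.flags(f) for f in fps])
    print("in-line detections:", in_line(h1, h2, FIELD))
```

Duplication is a crude form of sample weighting: the retrained heuristic is pushed away from the FP region without touching the detections that share no features with it, as the dropper sample shows. The in-line arrangement keeps the first heuristic's coverage while the second vetoes the known FP pattern.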