A virtualized storage for use in performing dynamic analysis on a sample is configured, at least in part by copying the sample to the virtualized storage. A virtual machine emulator is launched using a snapshot of a virtualized platform. The virtualized platform is previously configured to use the virtualized storage, and the snapshot is configured to use a placeholder file to occupy space for later use when installing the sample. A location of the copied sample in an image corresponding to the virtualized storage is determined. The copied sample is installed and dynamic analysis is performed on the sample.

A computer-implemented method, computer program product and computing system for: obtaining system-defined consolidated platform information for a computing platform from an independent information source; obtaining client-defined consolidated platform information for the computing platform from a client information source; and comparing the system-defined consolidated platform information to the client-defined consolidated platform information to define differential consolidated platform information for the computing platform.

A system includes a hypervisor, a memory, and boot firmware stored in the memory. The boot firmware is configured to execute on a processor to load a trusted code that includes a condition checker from the hypervisor, check a signature of the trusted code, and verify the signature is trusted by a guest. The boot firmware is also configured to load the trusted code into an encrypted memory at a known guest address. The hypervisor is configured to protect the known guest address. The trusted code includes a first instruction, one or more intermediate instructions, and a final instruction. The first instruction and the final instruction are exits to the hypervisor. The hypervisor is also configured to execute the condition checker and detect an inconsistency in guest memory.

A learning apparatus according to the present disclosure includes a first classification unit for classifying a plurality of first malware programs collected in a first period of time into a plurality of clusters, a second classification unit for classifying a plurality of second malware programs collected in a second period of time into the plurality of clusters, and a learning unit for creating a learning model for determining whether a file is malware based on feature amounts of the plurality of clusters according to a result of the classification of the plurality of second malware programs.

Methods, apparatus, systems and articles of manufacture to classify a first file are disclosed herein. Example apparatus include a feature hash generator to generate respective sets of one or more feature hashes for respective features of the first file. The number of the one or more feature hashes to be generated is based on an ability of the feature to distinguish the first file from a second file. The apparatus also includes a bit setter to set respective bits of a first fuzzy hash value based on respective ones of the one or more feature hashes, a classifier to assign the first file to a class associated with a second file based on a similarity between the first fuzzy hash value and a second fuzzy hash value for a second file.

A computer-implemented method, a computer program product, and a computer system for creating malware domain sinkholes by domain clustering. The computer system clusters malware domains into domain clusters. The computer system collects domain metrics in the domain clusters. The computer system sorts clustered malware domains in the respective ones of the domain clusters, based on the domain metrics. The computer system selects, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, wherein the respective domain sinkholes are created for the respective ones of the domain clusters.

A technique of protecting data from ransomware attacks identifies a set of blocks written to a data object between first and second points in time, determines a set of attributes of the set of blocks, and, in response to the set of attributes indicating a likelihood of a ransomware attack, secures a state of the data object as of the first point in time.

Techniques are provided for tracking a virus footprint in data copies. Data copies can be made in a variety of ways, like with snapshots, backups, replications, and simple copies. As copies of files that have not been scanned since they were last modified are made, these copies can be kept track of, and associated with the original file. When the original file is later scanned and found to be clean or infected, this information can be propagated through the copies.

Described herein are systems and methods for improving incident response in an information technology (IT) environment. In one implementation, an incident service initiates execution of a course of action and identifies a step in the first course of action that determines data in a first format. The incident service further determines a format requirement for a second step in the course of action and translates the data from the first format to the second format in accordance with the format requirement.

A method for preventing ransomware attacks on a computing system. By controlling the access to a calling interface through which cryptographic functions, such as the random number generator, can be accessed to generate strong encryption keys the method allows to efficiently terminate cryptographic ransomware attacks on the system before they can start doing any damage. If the access to the cryptographic functions, such as the random number generator, is not granted, the ransomware is unable to build a strong encryption key, and it is unable to deploy its intended effect.