G06F21/567

METHOD OF OPERATING A MEDIA SCANNER

A method of operating a media scanner to protect a target machine from malware on a removable storage device is disclosed. The target machine and the removable storage device each include a respective data line, and the media scanner comprises a data switch. Data is scanned on the removable storage device with malware detection software of the media scanner via a first data path, the first data path comprising the data line of the removable storage device connected to the data line of the media scanner by the data switch in a first switching state. After the data has been scanned with the malware detection software, the data switch is operated to switch from the first switching state to a second switching state, thereby disconnecting the data line of the removable storage device from the data line of the media scanner and connecting the data line of the removable storage device to the data line of the target machine.

ANTI-MALWARE ADAPTOR FOR REMOVABLE STORAGE DEVICES
20220366046 · 2022-11-17

An adaptor includes non-volatile memory that stores a scan engine. A removable storage device is connected to the adaptor, which in turn is connected to a host computer. Files being copied between the removable storage device and the host computer through the adaptor are scanned for malware using the scan engine.

Detecting malicious software using sensors

In some implementations, a method includes retrieving data from multiple sensors in a computing device, and the multiple sensors comprise different types of sensors. The sensor data is analyzed based on a predictive model, and the predictive model is trained to detect malware. Initiation of malware is determined based on the analysis. In response to the determination, the malware is terminated.

Systems and methods for protecting SSDs against threats
11586734 · 2023-02-21

Various implementations described herein relate to systems and methods for protecting data stored on a Solid State Drive (SSD) against malware, including determining, by a controller of the SSD, a typical traffic profile, receiving, by the controller, commands from a host, and determining, by the controller, that the commands are likely caused by malware by determining that the commands deviate from the typical traffic profile. In response to determining the commands are likely caused by the malware, the controller performs a malware response action.

Media agent hardening against ransomware attacks

An information management system implements a method for securing a media agent from unauthorized access, where the method includes configuring a secondary storage computing device to initialize a filter driver at boot time and monitor process calls to a media agent, where the media agent provides read and write operations to a secondary storage device in communication with the secondary storage computing device. The filter driver may detect a process call to the media agent, and determine whether the process call is authorized. In response to a determination that the process call is authorized, the filter driver may allow the process call to request an operation be performed by the media agent, and the media agent may then perform the requested operation. If the filter driver determines that the process call is not authorized, the filter driver may ignore the process call for the requested operation.

APPARATUS AND METHOD FOR ROLE-BASED REGISTER PROTECTION FOR TDX-IO

Apparatus and method for role-based register protection. For example, one embodiment of an apparatus comprises: one or more processor cores to execute instructions and process data, the one or more processor cores to execute one or more security instructions to protect a virtual machine or trusted application from a virtual machine monitor (VMM) or operating system (OS); an interconnect fabric to couple the one or more processor cores to a device; and security hardware logic to determine whether to allow a read or write transaction directed to a protected register to proceed over the interconnect fabric, the security hardware logic to evaluate one or more security attributes associated with an initiator of the transaction to make the determination.

TwinBoards mobile computing system
11615186 · 2023-03-28

The invention comprises a mobile device with two circuit boards and certain shared resources, in order to provide the security of physically separate devices, yet do so in a single device using shared resources that do not affect security. Specifically, the invention has two boards connected via an input/output switch, each having its own System-on-a-Chip (SoC), Memory (RAM), Storage and Radio Module (SIM(s)/Bluetooth/Wi-Fi), and may include one or more SIM cards. Touchscreen, battery, physical buttons and other peripherals are shared between boards. Each shared peripheral hardware module will be used by a single board only (the active in-use board being the “Foreground Board”); another board (the inactive “Background Board”) uses an emulated version of the same hardware module. At any moment, a user can switch between Boards and the Background Board becomes the active Foreground Board and vice versa.

Mobile device security, device management, and policy enforcement in a cloud-based system
11489878 · 2022-11-01

Mobile device security, device management, and policy enforcement are described in a cloud-based system where the “cloud” is used to pervasively enforce security and policy and perform device management regardless of device type, platform, location, etc. A method includes receiving one of a mobile profile and an application for an enterprise and a cloud-based system; installing the one of the mobile profile and the application on the mobile device; connecting to a network using the one of the mobile profile and the application; and having traffic content inspected and policy enforced thereon to/from the mobile device and the network via the cloud-based system.

METHODS AND APPARATUS TO CLASSIFY SAMPLES AS CLEAN OR MALICIOUS USING LOW LEVEL MARKOV TRANSITION MATRICES
20230032194 · 2023-02-02

Methods, apparatus, systems, and articles of manufacture are disclosed to classify a sample as clean or malicious. An example apparatus includes instruction identifier circuitry to convert a sample into a sequence of instructions, abstract language circuitry to transform the sequence of instructions into an abstract language representation, transition matrix circuitry to create a Markov transition matrix, the Markov transition matrix to represent transitions within the abstract language representation, and classifier circuitry to classify an unknown sample as clean or malicious, the classification in response to whether the Markov transition matrix is closer to a clean group of Markov transition matrices or a malicious group of Markov transition matrices.

Detection of hardware security attacks

In example implementations, an apparatus is provided. The apparatus includes an input sensor, a memory, a comparator, and a processor. The processor is communicatively coupled to the input sensor, the memory, and the comparator to control operation of the input sensor, the memory, and the comparator. The input sensor is to measure a bus signal of a computing device. The memory is to store the bus signal that is measured and a reference bus signal. The comparator is to compare the bus signal that is measured to the reference bus signal to detect a hardware security attack.