G06F21/565

Detection of Anomalous Backup Files Using Known Anomalous File Fingerprints
20220358215 · 2022-11-10

Techniques are provided for detection of anomalous backup files using known anomalous file fingerprints (or other file-dependent values such as hash values, signatures and/or digest values). One method comprises obtaining first file-dependent values corresponding to respective known anomalous files; obtaining a second file-dependent value for a stored backup file; comparing the second file-dependent value to the first file-dependent values; and performing an automated remedial action in response to a result of the comparing. The second file-dependent value for the stored backup file may be determined by a backup server in response to a source file corresponding to the stored backup file being backed up by the backup server, and may be stored as part of metadata associated with the stored backup file.

SYSTEM AND METHOD TO BUILD A FILE REPUTATION CACHE FOR AN ANTIVIRUS (AV) ENDPOINT

Example methods are provided to build a smart file reputation cache at a cloud, and to provide the smart file reputation cache to an antivirus (AV) endpoint such as a virtualized computing instance in a virtualized computing environment. Training techniques can be used to build the smart file reputation cache at the cloud, based on information learned from existing AV endpoints and a management server. The smart file reputation cache can then be provided to newly installed AV endpoints for local access, instead of the AV endpoints sending file reputation requests to the cloud.

METHOD AND APPARATUS FOR DETECTING MALWARE VIA ANALYSIS OF A SCREEN CAPTURE
20230041274 · 2023-02-09

Methods, apparatus, systems and articles of manufacture for detecting malware via analysis of a screen capture are disclosed. An example apparatus includes at least one memory, instructions, and processor circuitry to execute the instructions. The processor circuitry is to detect execution of a process, capture a portion of a screen buffer as a captured image, after the execution of the process is detected, analyze the captured image to determine an image similarity to a stored image in a database, the database to at least store malicious images, and perform a responsive action when the image similarity satisfies a similarity threshold.

Validation and installation of a file system

Certain aspects of the disclosure are directed toward validation and installation of a file system. A method for mitigating security breach for a circuit platform subject to compromise by unauthorized changes to a file system includes abstracting the file system into an encrypted file with cryptographically signed components. The file system may have instruction code or other data for an operating system and may be stored by or on behalf of the circuit platform. During boot time of the operating system, an unencrypted version of the operating system and the encrypted file may be accessed and used by validating a signature associated with the file system. In response to validating the signature, the file system is installed into a transient, non-persistent storage circuit. As such, the operating system executes instruction code via a central processing unit (CPU) circuit under authorization based on the validated signature.

Icon based phishing detection
11575708 · 2023-02-07

An apparatus for detecting a phishing website based on website icons is disclosed. A disclosed example apparatus includes a parser to locate a first website icon corresponding to a first website, an icon hasher to generate a first hash of the first website icon, and a hash checker to determine whether the first hash matches a second hash of a second website icon corresponding to a second website in an icon hash database, the hash checker to, in response to the first hash matching the second hash, determine whether a first portion of a first Uniform Resource Locator (URL) corresponding to the first website matches a second portion of a second URL corresponding to the second website, the hash checker to, in response to the first portion not matching the second portion, identify the first website as a phishing website.

Security system and method for software to be input to a closed internal network
11574049 · 2023-02-07

A security system for software to be input to a closed internal network includes: a kiosk including a registration module configured to read the stored software of a connected portable storage medium, a vaccine module configured to detect malicious code in the software, and an authentication module configured to set inspection authentication for the portable storage medium whose software has been inspected for malicious code; and a client including a check module configured to check the portable storage medium for inspection authentication and authorize the execution of the stored software.

System for identifying suspicious code embedded in a file in an isolated computing environment

Providing an isolation system that allows analysts to analyze suspicious information in a way that aids in preventing harmful information from spreading to other applications and systems on a network. A plurality of virtual containers may be used by analysts to analyze suspicious information. The suspicious information may first be checked for signatures or patterns before being analyzed by the analyst or the isolation system. The identified signatures or patterns are then compared with the stored signatures or patterns to determine whether the suspicious information comprises harmful information or not. When the identified signatures or patterns match stored signatures or patterns, the system may determine that the suspicious information comprises harmful information and perform one or more mitigation actions.

Classification of data files
11574059 · 2023-02-07

A method including determining a combined data set including query data files that are to be classified, clean data files that are known to be free of malware, and malicious data files that are known to include malware; calculating respective compression functions for each of the query data files, each of the clean data files, and each of the malicious data files; individually comparing each respective compression function with each other respective compression function to determine degrees of similarity between contents included in the data files; determining a plurality of clusters based on the degrees of similarity between contents included in the data files; and classifying each query data file as a file that is likely free of malware or as a file that likely includes malware based on analyzing the combination of the query data files, the clean data files, and the malicious data files in each cluster.

OBJECT INSPECTION VIA OPERATING SYSTEM SHARE FUNCTION
20230095080 · 2023-03-30

A computing apparatus includes a hardware platform having a processor and a memory; an operating system (OS) having a GUI with a user-initiatable share function, and an interface to register a share target for the share function; and instructions encoded within the memory to provide a security agent, the instructions to instruct the processor to: receive from the OS a notification that an object has been shared to the security agent via the share function; responsive to the notification, initiate a security scan or reputation action for the shared object; receive a security or reputation response from the security scan or reputation action; and based at least in part on the security scan or reputation response, display a security or reputation notification via the GUI.

REALTIME EVENT DETECTION
20230032874 · 2023-02-02

An event handler implements a state machine or similar construct for processing of complex event chains as incremental events are detected. This approach advantageously limits processing to monitoring for and responding to a next event in a sequence of events, and supports complex event detection in a manner that scales efficiently in time and computation.