G06F21/565

Methods and systems to identify a compromised device through active testing

Methods and devices for determining whether a mobile device has been compromised. File tree structure information for the mobile device is obtained that details at least a portion of a tree-based structure of folders and files in a portion of memory. The file tree structure information is analyzed to determine that the mobile device has been compromised, has not been compromised, or might be compromised. Based on determining that the mobile device might be compromised, the mobile device is instructed to execute a restricted action. If the restricted action occurs on the mobile device, then it is determined that the mobile device has been compromised. Based on that determination, an action is taken.

DATA PROCESSING SYSTEM AND METHOD CAPABLE OF SEPARATING APPLICATION PROCESSES
20220327211 · 2022-10-13

A data processing system and a data processing method are capable of separating application processes. The data processing system of the invention includes a data storage device and at least one processor. When a user operates the at least one processor to execute an application process that accesses a designated file from the data storage device through a file control module residing in the kernel mode of an operating system, the file control module compares the user's account, M rules, and M characteristics of the application process against a plurality of previously stored execution space setting data to obtain authority data, where M is a natural number. The file control module selectively returns the designated file to the application process in accordance with the authority data.

System and method of detecting a false positive outcome in classification of files

A method for detecting a false positive outcome in classification of files includes: analyzing a file to determine whether or not the file is to be recognized as being malicious; in response to recognizing the file as being malicious, analyzing the file to determine whether a digital signature certificate is present for the file; in response to determining that the digital signature certificate is present for the file, comparing the digital certificate of the file with one or more digital certificates stored in a database of trusted files; and detecting a false positive outcome if the digital certificate of the file is found in the database of trusted files. When the false positive outcome is detected, the file is excluded from further determination of whether it is malicious, and a flexible hash value of the file is calculated.

Fuzzy hash algorithms to calculate file similarity
11663161 · 2023-05-30

Methods, apparatus, systems and articles of manufacture to classify a first file are disclosed herein. Example apparatus include a feature hash generator to generate respective sets of one or more feature hashes for respective features of the first file. The number of the one or more feature hashes to be generated is based on an ability of the feature to distinguish the first file from a second file. The apparatus also includes a bit setter to set respective bits of a first fuzzy hash value based on respective ones of the one or more feature hashes, and a classifier to assign the first file to a class associated with the second file based on a similarity between the first fuzzy hash value and a second fuzzy hash value for the second file.

Techniques for securing virtual machines by application use analysis
11663032 · 2023-05-30

A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting on detected potential cyber threats based on a determined priority.

Tracking a virus footprint in data copies

Techniques are provided for tracking a virus footprint in data copies. Data copies can be made in a variety of ways, like with snapshots, backups, replications, and simple copies. As copies of files that have not been scanned since they were last modified are made, these copies can be kept track of, and associated with the original file. When the original file is later scanned and found to be clean or infected, this information can be propagated through the copies.

DATA BUNDLE GENERATION AND DEPLOYMENT
20230161915 · 2023-05-25

The present disclosure provides a method, system, and device for distributing a software release. To illustrate, based on one or more files for distribution as a software release, a release bundle is generated that includes release bundle information, such as, for each file of the one or more files, a checksum, metadata, or both. One or more other aspects of the present disclosure further provide sending the release bundle to a node device. After receiving the release bundle at the node device, the node device receives and stores at least one file at a transaction directory. After verification that each of the one or more files is present and available at the node device, the one or more files may be provided to a memory of the node device, and metadata included in the release bundle information may be applied to the one or more files transferred to the memory.

LIMITING THE SECURITY IMPACT OF COMPROMISED ENDPOINT COMPUTING DEVICES IN A DISTRIBUTED MALWARE DETECTION SYSTEM

A method for detecting malware in a distributed malware detection system comprising a plurality of endpoints is provided. The method generally includes inspecting, at a first endpoint of the plurality of endpoints, a file classified as an unknown file; based on the inspecting, determining, at the first endpoint, a first verdict for the file, the first verdict indicating that the file is benign or malicious; determining whether an aggregate number of verdicts for the file from the plurality of endpoints, including the first verdict, meets a first threshold; and selectively reclassifying the file as benign or malicious based on whether the aggregate number of verdicts for the file meets the first threshold.

Systems and methods for optimizing authentication branch instructions

Systems, apparatuses, and methods for efficient handling of subroutine epilogues. When an indirect control transfer instruction corresponding to a procedure return for a subroutine is identified, the return address and a signature are retrieved from one or more of a return address stack and the memory stack. An authenticator generates a signature based on at least a portion of the retrieved return address. While the signature is being generated, instruction processing speculatively continues. No instructions are permitted to commit yet. The generated signature is later compared to a copy of the signature generated earlier during the corresponding procedure call. A mismatch causes an exception.

TRUSTED EXECUTION MECHANISMS FOR PROTECTING CIPHER SOLUTIONS

This relates generally to protecting adjustable cipher solutions using trusted execution mechanisms. An example method includes, at one or more electronic devices, receiving a request for configuring a cipher solution for one or more cryptographic operations, retrieving one or more cryptographic policies from a first module protected by a secure enclave within a trusted execution environment, accessing one or more libraries in accordance with the one or more cryptographic policies, attesting the one or more libraries by verifying attestation data associated with the one or more libraries within a second module protected by the secure enclave of the trusted execution environment, and configuring the cipher solution for the electronic device based on attesting the one or more libraries.