Robert Conrad

A computer-implemented method for using file paths to identify potentially malicious computer files may include: 1) identifying a file, 2) identifying a file path associated with the file, 3) determining, by applying a heuristic to the file, that at least a portion of the file path is likely to have been randomly generated, 4) determining, based at least in part on the determination that at least portion of the file path has likely been randomly generated, that the file is potentially… Show more

A computer-implemented method for using file paths to identify potentially malicious computer files may include: 1) identifying a file, 2) identifying a file path associated with the file, 3) determining, by applying a heuristic to the file, that at least a portion of the file path is likely to have been randomly generated, 4) determining, based at least in part on the determination that at least portion of the file path has likely been randomly generated, that the file is potentially malicious, and 5) performing a security operation on the file. Corresponding systems and computer-readable instructions embodied on computer-readable media are also disclosed. Show less

A malware source analysis component determines which sources of malware are sufficiently suspicious such that all binary files located thereon should be analyzed. In order to makes such determinations, the malware source analysis component receives information concerning malware infections from a plurality of sources. The malware source analysis component analyzes the received information, and determines suspiciousness levels associated with specific sources. Responsive to identifying a given… Show more

A malware source analysis component determines which sources of malware are sufficiently suspicious such that all binary files located thereon should be analyzed. In order to makes such determinations, the malware source analysis component receives information concerning malware infections from a plurality of sources. The malware source analysis component analyzes the received information, and determines suspiciousness levels associated with specific sources. Responsive to identifying a given threshold suspiciousness level associated with a source, the malware source analysis component adjudicates that source to be suspicious. Where a source is adjudicated to be suspicious, the malware source analysis component submits submission instructions to that source, directing it to identify binary files thereon and submit them to be analyzed. The malware source analysis component receives binary files from suspicious sources according to the submission instructions, and analyzes the received binary files. Show less

A method and apparatus for employing user input to classify unknown websites whereby when a given unknown/unclassified website is accessed on a given computer system associated with a given user, the given user is asked to provide input regarding the legitimacy of the given unknown/unclassified website. The classification of the given unknown/unclassified website is then determined via one or more sources other than the given user's input. The accuracy of the given user's input regarding the… Show more

A method and apparatus for employing user input to classify unknown websites whereby when a given unknown/unclassified website is accessed on a given computer system associated with a given user, the given user is asked to provide input regarding the legitimacy of the given unknown/unclassified website. The classification of the given unknown/unclassified website is then determined via one or more sources other than the given user's input. The accuracy of the given user's input regarding the legitimacy of the given unknown/unclassified website is then determined and used to calculate, and/or transform, a reliability score that is then associated with the given user. A given user's reliability score is then used to determine the given user's eligibility to provide further input regarding the legitimacy of other unknown/unclassified websites, and/or to determine a value to be place on, or otherwise filter, future input from the given user regarding the legitimacy of other unknown/unclassified websites. Show less

The prevalence rate of a file to be subject to behavior based heuristics analysis is determined, and the aggressiveness level to use in the analysis is adjusted, responsive to the prevalence rate. The aggressiveness is set to higher levels for lower prevalence files and to lower levels for higher prevalence files. Behavior based heuristics analysis is applied to the file, using the set aggressiveness level. In addition to setting the aggressiveness level, the heuristic analysis can also… Show more

The prevalence rate of a file to be subject to behavior based heuristics analysis is determined, and the aggressiveness level to use in the analysis is adjusted, responsive to the prevalence rate. The aggressiveness is set to higher levels for lower prevalence files and to lower levels for higher prevalence files. Behavior based heuristics analysis is applied to the file, using the set aggressiveness level. In addition to setting the aggressiveness level, the heuristic analysis can also comprise dynamically weighing lower prevalence files as being more likely to be malicious and higher prevalence files as being less likely. Based on the applied behavior based heuristics analysis, it is determined whether or not the file comprises malware. If it is determined that the file comprises malware, appropriate steps can be taken, such as blocking, deleting, quarantining and/or disinfecting the file. Show less

A computer-implemented method for evaluating the health of computing systems based on when operating-system changes occur is disclosed. In one example, this method may include: 1) identifying an operating-system change made to a computing system, 2) determining when the operating-system change occurred, and then 3) assessing the health of the computing system based at least in part on when the operating-system change occurred. Various other methods, systems, and computer-readable media are also… Show more

A computer-implemented method for evaluating the health of computing systems based on when operating-system changes occur is disclosed. In one example, this method may include: 1) identifying an operating-system change made to a computing system, 2) determining when the operating-system change occurred, and then 3) assessing the health of the computing system based at least in part on when the operating-system change occurred. Various other methods, systems, and computer-readable media are also disclosed. Show less

A method and apparatus for employing user input to classify unknown files whereby when a given unknown/unclassified file is downloaded and/or activated on a given computer system associated with a given user, the given user is asked to provide input regarding the legitimacy of the given unknown/unclassified file. The classification of the given unknown/unclassified file is then determined via one or more sources other than the given user's input. The accuracy of the given user's input regarding… Show more

A method and apparatus for employing user input to classify unknown files whereby when a given unknown/unclassified file is downloaded and/or activated on a given computer system associated with a given user, the given user is asked to provide input regarding the legitimacy of the given unknown/unclassified file. The classification of the given unknown/unclassified file is then determined via one or more sources other than the given user's input. The accuracy of the given user's input regarding the legitimacy of the given unknown/unclassified file is then determined and used to calculate, and/or transform, a reliability score that is then associated with the given user. A given user's reliability score is then used to determine the given user's eligibility to provide further input regarding the legitimacy of other unknown/unclassified files, and/or to determine a value to be place on, or otherwise filter, future input from the given user regarding the legitimacy of other unknown/unclassified files. Show less

A malware analysis component receives information concerning malware infections on a large plurality of client computers, as detected by an anti-malware product or submitted directly by users. The malware analysis component analyzes this wide array of information, and identifies suspicious malware detection and submission activity associated with specific sources. Where identified suspicious patterns of malware detection and submission activity associated with a specific source meet a given… Show more

A malware analysis component receives information concerning malware infections on a large plurality of client computers, as detected by an anti-malware product or submitted directly by users. The malware analysis component analyzes this wide array of information, and identifies suspicious malware detection and submission activity associated with specific sources. Where identified suspicious patterns of malware detection and submission activity associated with a specific source meet a given threshold over time, the malware analysis component determines that the source is an originator of malware. Show less

A submission filtering component filters malware related content received for analysis. The submission filtering component determines an analysis priority rating for each source from which malware related content is received. An analysis priority ratings is based on various factors indicative of how likely the source is to transmit malware related content that is important to analyze. The malware filtering component transforms the received stream of malware related content into a subset to be… Show more

A submission filtering component filters malware related content received for analysis. The submission filtering component determines an analysis priority rating for each source from which malware related content is received. An analysis priority ratings is based on various factors indicative of how likely the source is to transmit malware related content that is important to analyze. The malware filtering component transforms the received stream of malware related content into a subset to be analyzed, based on the analysis priority ratings associated with sources from which malware related content is received. A malware analysis component analyzes the subset of malware related content. Show less