Methods and systems for identifying potential enterprise software threats based on visual and non-visual data

C: \Interwovn\NRPortbl\DCC\DER\17559068_l docx-I7 08 2018 An apparatus comprising: a memory storing processor-executable instructions; and a processing device configured to execute the processor-executable instructions to perform operations including: identifying visual and non-visual data of a software package being presented for an action on a computing device, the visual data comprising an icon image; for each of a plurality of reference images, comparing a measure of similarity between the icon image and the reference image to a similarity threshold associated with the reference image; determining, based at least in part on one or more of the non-visual data of the software package, whether the software package comprises a legitimate software package or a potential threat; and based, at least in part, on the comparisons and on the determination of whether the software package comprises a legitimate software package or a potential threat, performing a threat-detection adaptation selected from the group consisting of removing a first of the reference images from the plurality of reference images, adding the icon image to the plurality of reference images, increasing a similarity threshold associated with the first reference image, and decreasing the similarity threshold associated with the first reference image.