MCAFEE, INC. Patent applications

| Patent application number | Title | Published |
|---|---|---|
| 20120110672 | SYSTEMS AND METHODS FOR CLASSIFICATION OF MESSAGING ENTITIES - Methods and systems for operation upon one or more data processors for biasing a reputation score. A communication having data that identifies a plurality of biasing characteristics related to a messaging entity associated with the communication is received. The identified plurality of biasing characteristics related to the messaging entity associated with the communication based upon a plurality of criteria are analyzed, and a reputation score associated with the messaging entity is biased based upon the analysis of the identified plurality of biasing characteristics related to the messaging entity associated with the communication. | 05-03-2012 |
| 20120102568 | SYSTEM AND METHOD FOR MALWARE ALERTING BASED ON ANALYSIS OF HISTORICAL NETWORK AND PROCESS ACTIVITY - A method for malware protection includes receiving detection information for detecting malware on an electronic device, accessing historical information of an electronic device, comparing the detection information to the historical information, and based on the comparison of the detection information with the historical information, alerting a user of the electronic device of risks of malware evidenced by the historical information. Comparing detection information to historical information includes determining that information from a first category of historical information is associated with a source of malware, cross-referencing information from a second category of historical information to the information from the first category, and associating the information from the second category with the malware. | 04-26-2012 |
| 20120102545 | METHOD AND SYSTEM FOR PROTECTING AGAINST UNKNOWN MALICIOUS ACTIVITIES BY DETERMINING A REPUTATION OF A LINK - A method and system for protecting against unknown malicious activities by determining a reputation of a link are disclosed. A reputation server queries a database including reputation information associated with a plurality of links to retrieve a reputation of a redirected link. The reputation information may indicate whether the links are associated with a malicious activity. The reputation of the redirected link may be associated with the original link to create a reputation of the original link. | 04-26-2012 |
| 20120084441 | PRIORITIZING NETWORK TRAFFIC - Methods, systems and apparatus, including computer programs encoded on a computer storage medium, for receiving, at a global server system, from each of a plurality of local network devices, network data specifying network communication activity at the local network device, wherein the plurality of local network devices collectively provide backbone communications facilities for multiple networks; aggregating, at the global server system, the network data from each of the local network devices; analyzing, at the global server system, the aggregated network data to identify network activities; generating, at the global server system, update data based on the analysis of the aggregated network data, the update data including instructions for the local network devices for processing network communications to or from the local network devices; and transmitting from the global server system the update data to the local network devices. | 04-05-2012 |
| 20120060217 | ATOMIC DETECTION AND REPAIR OF KERNEL MEMORY - A method for detecting memory modifications includes allocating a contiguous block of a memory of an electronic device, and loading instructions for detecting memory modifications into the contiguous block of memory. The electronic device includes a plurality of processing entities. The method also includes disabling all but one of a plurality of processing entities of the electronic device, scanning the memory of the electronic device for modifications performed by malware, and, if a memory modification is detected, repairing the memory modification. The method also includes enabling the processing entities that were disabled. The remaining processing entity executes the instructions for detecting memory modifications. | 03-08-2012 |
| 20120047259 | WEB HOSTED SECURITY SYSTEM COMMUNICATION - A distributed proxy server system is operable to receive a request for Internet data from a user, obtain the user's identity, store at least one cookie on the user's web browser identifying the user, and filter undesired content before forwarding requested Internet data to the user. A master cookie is associated with the proxy server including user identity information, and an injected domain cookie is associated with the domain of the requested Internet data including user identity information. | 02-23-2012 |
| 20120023583 | SYSTEM AND METHOD FOR PROACTIVE DETECTION OF MALWARE DEVICE DRIVERS VIA KERNEL FORENSIC BEHAVIORAL MONITORING AND A BACK-END REPUTATION SYSTEM - A method for detecting malware device drivers includes the steps of identifying one or more device drivers loaded on an electronic device, analyzing the device drivers to determine suspicious device drivers, accessing information about the suspicious device drivers in a reputation system, and evaluating whether the suspicious device drivers include malware. The suspicious device drivers are not recognized as not including malware. The reputation system is configured to store information about suspicious device drivers. The evaluation is based upon historical data regarding the suspicious device driver. | 01-26-2012 |
| 20120017274 | WEB SCANNING SITE MAP ANNOTATION - A computerized website vulnerability scanner includes a scanning module operable to navigate through a website and scan the website for vulnerabilities, and an annotation module operable to present a map of web pages comprising a part of the website. The annotation module is also operable to receive annotations from a user that are associated with the web pages, and the scanning module is further operable to use the user-provided annotations in subsequently scanning the website. | 01-19-2012 |
| 20120011252 | PRIORITIZING NETWORK TRAFFIC - Methods and systems for operation upon one or more data processors for prioritizing transmission among a plurality of data streams based upon a classification associated with the data packets associated with each of the plurality of data streams, respectively. Systems and methods can operate to allocate bandwidth to priority data streams first and recursively allocate remaining bandwidth to lesser priority data streams based upon the priority associated with those respective lesser priority data streams. | 01-12-2012 |
| 20110321160 | SYSTEMS AND METHODS TO DETECT MALICIOUS MEDIA FILES - Systems and methods to detect malicious media files are described. In one example, an apparatus including a network connection, a memory, and a programmable processor communicatively coupled to the memory is discussed. The memory can include instructions, which when executed by the programmable processor cause the apparatus to receive a data stream from the network connection and detect at least a portion of a media file within the data stream. The instructions can also cause the apparatus to determine a file type of the media file and extract the media file from the data stream. Further, the instructions cause the apparatus to parse the media file to locate a suspicious tag, extract an embedded URL from the suspicious tag, determine whether the embedded URL is malicious, and block the media file if the embedded URL is malicious. | 12-29-2011 |
| 20110314545 | METHOD AND SYSTEM FOR AUTOMATIC INVARIANT BYTE SEQUENCE DISCOVERY FOR GENERIC DETECTION - A method for creating a set of genericized signatures for detection of byte sequences in computer code includes accessing a first set of sample signatures, determining a maximum number of wildcards that a wildcarded signature may comprise, determining a first wildcarded signature corresponding to the first set of sample signatures, evaluating the first wildcarded signature, and repeating the steps of evaluating for any second wildcarded signatures. Each of the signatures corresponds to an instance of malware. The evaluation further includes if the number of wildcards in the first wildcarded signature exceeds the maximum number of wildcards, determining a plurality of second wildcarded signatures corresponding to a plurality of subsets of the set of sample signatures. The evaluation further includes if the number of wildcards in the first wildcarded signature is less than or equal to the maximum number of wildcards, adding the first wildcarded signature to a set of genericized signatures. | 12-22-2011 |
| 20110296519 | REPUTATION BASED CONNECTION CONTROL - Methods and systems for operation upon one or more data processors for reputation based firewall processing of communications. The reputation based firewall processing includes receiving a communication identifying an entity, retrieving the reputation of the entity identified by the communication, and handling the communication based upon the retrieved reputation. | 12-01-2011 |
| 20110296164 | SYSTEM AND METHOD FOR PROVIDING SECURE NETWORK SERVICES - A system and method for providing secure network services. A secure computer including a processor, a memory, and a secure operating system is discussed. The secure operating system includes an operational kernel and an administrative kernel. The operational kernel includes a Type Enforcement security mechanism for restricting execution of files stored in the memory by the processor. The execution restrictions placed on files in the memory of the secure computer can only be modified from within the administrative kernel. | 12-01-2011 |
| 20110283358 | METHOD AND SYSTEM TO DETECT MALWARE THAT REMOVES ANTI-VIRUS FILE SYSTEM FILTER DRIVER FROM A DEVICE STACK - A method for detecting removal of a filter driver includes performing an operation on an element of a kernel mode of an operating system, the operation initiated by a user mode entity, obtaining the result of performing the operation, and comparing the result of performing the operation against an expected result of the operation. If the result of performing the operation matches the expected result of the operation, it is determined that a file system filter driver in the kernel mode of the operating system is working correctly. If the result of performing the operation does not match the expected result of the operation, it is determined that a file system filter driver in the kernel mode of the operating system has been compromised by malware. | 11-17-2011 |
| 20110280160 | VoIP Caller Reputation System - Methods and systems for collecting data from a plurality of voice over Internet protocol (VoIP) calls and determining at least one attribute for each of the plurality of calls. Relationships between the VoIP calls based on the determined attributes are identified, and a reputation score is assigned to a first entity based on the identified relationships. A call policy is associated with a caller reputation profile based on the reputation score. | 11-17-2011 |
| 20110277035 | Detection of Malicious System Calls - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting malicious system calls. In one aspect, a method includes monitoring a function vulnerable to a buffer overflow attack; receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function; identifying a first critical memory address vulnerable to the buffer overflow attack comprising: determining the first critical memory address based on a base pointer of the one or more base pointers, wherein the base pointer address is greater than an address of the destination buffer; identifying a first address based on the base pointer of the one or more base pointers; and determining that the first address is a critical memory address in response to determining that the first memory address is greater than the address of the destination buffer. | 11-10-2011 |
| 20110277033 | Identifying Malicious Threads - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for identifying and processing malicious threads. In one aspect, a method includes identifying a memory heap block; identifying threads that reside in the memory heap block; determining whether at least one of the identified threads in the memory heap block is a malicious thread; and in response to determining that at least one of the identified threads is a malicious thread, terminating each of the identified threads. | 11-10-2011 |
| 20110277031 | Token Processing - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for mapping security processing rules into a data structure that facilitates a more efficient processing of the security processing rules. In one aspect, a method includes receiving security processing rules, each of the security processing rules defining one or more security checks and security operations corresponding to the security checks and that are to be performed when the security checks occur; and generating from the security processing rules a mapping of security checks to security operations, the mapping including a security check entry for each security check that is defined in one or more of the security processing rules, and each security check entry being mapped to one or more security operations that the security processing rules define as corresponding to the security check. | 11-10-2011 |
| 20110219448 | SYSTEMS AND METHODS FOR RISK RATING AND PRO-ACTIVELY DETECTING MALICIOUS ONLINE ADS - Methods and systems for risk rating and pro-actively detecting malicious online ads are described. In one example embodiment, a system for risk rating and pro-actively detecting malicious online ads includes an extraction module, an analysis engine, and a filter module. The extraction module is configured to extract a SWF file from a web page downloaded by the system. The analysis engine is communicatively coupled to the extraction module. The analysis engine is configured to determine a risk rating for the SWF file and send the risk rating to a web application for display. In an example, determining the risk rating includes locating an embedded redirection URL and determining a risk rating for the embedded redirection URL. The filter module is configured to determine, based on the risk rating, whether to block the SWF file and send a warning to the web application for display. | 09-08-2011 |
| 20110219002 | METHOD AND SYSTEM FOR DISCOVERING LARGE CLUSTERS OF FILES THAT SHARE SIMILAR CODE TO DEVELOP GENERIC DETECTIONS OF MALWARE - A computer-implemented method for determining similarities between system executable objects includes the steps of determining with one or more computing systems a plurality of subsequences of operation codes in a plurality of disassembled system executable objects, for each subsequence, determining with the one or more computing systems a first set of system executable objects associated with the subsequence, with the computing systems, clustering the first set of system executable objects with a cluster. The cluster includes a set of system executable objects. The step of clustering the first set of system executable objects and the cluster includes the steps of determining with the computing systems the relative similarity between the first set of system executable objects and the cluster, and if the first set of system executable objects is similar to the cluster, adding with the computing systems the system executable objects to the cluster. | 09-08-2011 |
| 20110214185 | SYSTEM AND METHOD FOR TRACKING COMPUTER VIRUSES - A method for collecting and distributing data on computer viruses identified on a plurality of computers during virus scanning includes receiving virus scan results from the plurality of computers and collecting and storing the virus scan results in a database. The results include the type of virus identified. The method further includes aggregating at scheduled intervals the virus scan results over a specified time period at a publisher server to create a virus database and replicating the virus database to a subscriber server. A virus report is created from the virus database upon receiving a request from a user computer at the subscriber server and sent to the user computer. | 09-01-2011 |
| 20110197281 | SYSTEMS AND METHODS FOR MALWARE DETECTION - Various embodiments include a computer system comprising a computer network including at least one client computer, the at least one client computer operable to generate a request, and an anti-malware engine coupled to the computer system and operable to provide anti-malware protection for the computer network, wherein the anti-malware engine is operable to receive the request generated by the at least one client, and to determine if the request is classified as malware by determining whether the request includes one or more valid tags. | 08-11-2011 |
| 20110191423 | REPUTATION MANAGEMENT FOR NETWORK CONTENT CLASSIFICATION - A system derives a reputation for a plurality of network addresses, the reputation of each network address determined by analyzing a plurality of high-level email features related to one or more emails originating from the network address. The plurality of high-level email features include domain registration analysis, hashed term frequency indexing, persistent communication, address age, correlation analysis, zombie detection, and hash vault matching. | 08-04-2011 |
| 20110185430 | METHOD AND SYSTEM FOR DISCRETE STATEFUL BEHAVIORAL ANALYSIS - A method for analyzing a computing system includes the steps of, at a first moment in time, scanning the resources of the computing system for indications of malware; at a second moment in time, scanning the resources of the computing system for indications of malware and determining the system executable objects loaded on the computing system; determining malware system changes; identifying a relationship between the malware system changes and the system executable objects loaded on the computing system; and identifying as suspected malware the system executable objects loaded on the computing system which have a relationship with the malware system changes. The malware system changes include differences between the results of scanning the resources of the computing system for indications of malware at the second and first moments in time. | 07-28-2011 |
| 20110185429 | METHOD AND SYSTEM FOR PROACTIVE DETECTION OF MALICIOUS SHARED LIBRARIES VIA A REMOTE REPUTATION SYSTEM - A method for proactively detecting shared libraries suspected of association with malware includes the steps of determining one or more shared libraries loaded on an electronic device, determining that one or more of the shared libraries include suspicious shared libraries by determining that the shared library is associated with indications that the shared library may have been maliciously injected, loaded, and/or operating on the electronic device, and identifying the suspicious shared libraries to a reputation server. | 07-28-2011 |
| 20110185428 | METHOD AND SYSTEM FOR PROTECTION AGAINST UNKNOWN MALICIOUS ACTIVITIES OBSERVED BY APPLICATIONS DOWNLOADED FROM PRE-CLASSIFIED DOMAINS - A method for monitoring an application includes the steps of detecting the download of an application that originates from a website, identifying the domain of the website, and querying a database to select one or more behavioral analysis rules to apply to the application. The behavioral analysis rules are selected based upon an evaluation of the domain of the website. The evaluation of the domain of the website indicates a possible association with malware. | 07-28-2011 |
| 20110185424 | SYSTEM AND METHOD FOR PROACTIVE DETECTION AND REPAIR OF MALWARE MEMORY INFECTION VIA A REMOTE MEMORY REPUTATION SYSTEM - A method for detecting malware memory infections includes the steps of scanning a memory on an electronic device, determining a suspicious entry present in the memory, accessing information about the suspicious entry in a reputation system, and evaluating whether the suspicious entry indicates a malware memory infection. The memory includes memory known to be modified by malware. The suspicious entry is not recognized as a safe entry. The reputation system is configured to store information on suspicious entries. The evaluation is based upon historical data regarding the suspicious entry. | 07-28-2011 |
| 20110185423 | METHOD AND SYSTEM FOR DETECTION OF MALWARE THAT CONNECT TO NETWORK DESTINATIONS THROUGH CLOUD SCANNING AND WEB REPUTATION - A method for detecting malware includes the steps of identifying one or more open network connections of an electronic device, associating one or more executable objects on the electronic device with the one or more open network connections of the electronic device, determining the address of a first network destination that is connected to the open network connections of the electronic device, receiving an evaluation of the first network destination, and identifying one or more of the executable objects as malware executable objects. The evaluation includes an indication that the first network destination is associated with malware. The malware executable objects include the executable objects that are associated with the open network connections that are connected to the first network destination. | 07-28-2011 |
| 20110173342 | METHOD AND APPARATUS FOR RATE LIMITING - A method and apparatus for a network monitor internals mechanism, which serves to translate packet data into multiple concurrent streams of encoded network event data, to contribute to enterprise management, reporting, and global mechanisms for aggregating monitors at a centralized aggregation point, and to facilitate rate limiting techniques because such monitors are not in control (i.e. cannot back pressure flow) is provided. | 07-14-2011 |
| 20110162070 | MALWARE DETECTION VIA REPUTATION SYSTEM - A computer network device receives a digital file and extracts a plurality of high level features from the file. The plurality of high level features are evaluated using a classifier to determine whether the file is benign or malicious. The file is forwarded to a requesting computer if the file is determined to be benign, and blocked if the file is determined to be malicious. | 06-30-2011 |
| 20110145926 | SYSTEMS AND METHODS FOR BEHAVIORAL SANDBOXING - Methods and systems for behavioral sandboxing are described. In one example embodiment, a system for behavioral sandboxing can include a network and a computer. The network is communicatively coupled to a source of an executable application. The computer is communicatively coupled to the network and includes a behavioral analysis module and a plurality of execution environments. The behavioral analysis module is configured to perform behavioral analysis on the executable application downloaded over the network. The plurality of execution environments includes a standard execution environment and a protected execution environment. The behavioral analysis module is configured to evaluate a plurality of behavioral characteristics of the executable application to determine whether the executable application should be executed within the protected execution environment prior to execution of the executable application. The behavioral analysis module also monitors execution of the executable application to determine whether the execution environment can be changed. | 06-16-2011 |
| 20110145921 | OBFUSCATED MALWARE DETECTION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes executing from a binary executable a call instruction and a plurality of instructions subsequent to a target of the call instruction, determining if the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation, determining if there is a non-obfuscation signal resulting from the execution of the call instruction and the plurality of instructions, and if the value identified by the stack pointer is the default value and there is no non-obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction. Additionally, the method includes, if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number, identifying the binary executable as an obfuscated executable. | 06-16-2011 |
| 20110131657 | HOOKING NONEXPORTED FUNCTIONS BY THE OFFSET OF THE FUNCTION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes accessing offset data associated with a binary executable, the offset data including an offset of a nonexported function; and modifying instructions at the offset. In another aspect, a method includes analyzing a reference generated for a binary executable, identifying a unique identifier for the binary executable, determining an offset of a nonexported function in the binary executable, and generating offset data that includes the offset and the unique identifier. | 06-02-2011 |
| 20110107424 | Rollback Feature - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for rolling back protection processes. In one aspect, a method includes determining that a file is a malicious file, storing a duplicate of the file in a quarantine area, performing one or more protection processes on the file, if the determination that the file is a malicious file is a false positive determination, restoring the file by a pre-boot rollback process to a state prior to the one or more protection processes performed on the file, and booting the computer with the restored file, and if the determination that the file is a malicious file is not a false positive determination, not restoring the file to a state prior to the one or more protection processes performed on the file, and booting the computer. | 05-05-2011 |
| 20110093953 | PREVENTING AND RESPONDING TO DISABLING OF MALWARE PROTECTION SOFTWARE - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for responding to an attempt to disable a malware protection program and performing an identification process and one or more protection processes to prevent the execution of potentially malicious code. In one aspect, a method includes monitoring for attempts to disable a malware protection program, identifying a process that generated an attempt to disable the malware protection program, determining whether the process is an approved process, and in response, performing one or more protection processes on the process so as to prevent the execution of potentially malicious code. | 04-21-2011 |
| 20110093952 | DETECTING AND RESPONDING TO MALWARE USING LINK FILES - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for monitoring the generation of link files by processes on a computer and performing protection processes based on whether the link files target malicious objects or are generated by malicious processes. In one aspect, a method includes monitoring for a generation of a first file that includes a target path that points to an object; in response to monitoring the generation of the first file: determining whether the target path is a uniform resource locator; in response to determining that the target path is a uniform resource locator, identifying a process that caused the first file to be generated; determining whether the process is a prohibited process; in response to determining that the process is a prohibited process, performing one or more protection processes on the process and the first file; in response to determining that the process is not a prohibited process, determining whether the uniform resource locator is a prohibited uniform resource locator; in response to determining that the uniform resource locator is a prohibited uniform resource locator, performing one or more protection processes on the process and the first file. | 04-21-2011 |
| 20110055907 | HOST STATE MONITORING - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for a host state machine. In one aspect, the method includes defining a state machine in a memory of a data processing apparatus, the state machine comprising a plurality of states, and wherein network access for a host device is controlled in each state according to one or more network access zones associated with the state, each network access zone defining network access capabilities for the host device; monitoring, by the data processing apparatus, host devices attempting to access the network and host devices that have access to the network; and transitioning, for each host device, a state of the host based on the monitoring and a current state of the host. | 03-03-2011 |
| 20110055580 | NONCE GENERATION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for generating a nonce. In one aspect, a method includes generating, by a data processing apparatus, a source value, and hashing, by the data processing apparatus, the source value to generate the nonce. | 03-03-2011 |
| 20110055383 | PROBE ELECTION IN FAILOVER CONFIGURATION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for allocating probing responsibilities between a primary sensor and a secondary sensor. In one aspect, a method includes determining a first probe type, the first probe type being the probe type of the highest priority information probe for which a reply from the host device was received at the primary sensor, determining a second probe type, the second probe type being the probe type of the highest priority information probe for which a reply from the host device was received at the secondary sensor, determining whether the second probe type is prioritized higher than the first probe type, and allocating probing responsibilities between the primary sensor and the second sensor based on the prioritization of the first probe type and the second probe type. | 03-03-2011 |
| 20110055382 | HOST ENTRY SYNCHRONIZATION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for synchronizing records in peer devices. In one aspect, a method includes comparing, in a first peer device, a peer record received from a second peer device based on an IP address of the peer record from the second peer device and an IP address of a record stored in a host table of the first peer device. Unique agent identifiers, MAC addresses and time stamps are also compared to determine whether the peer record indicates a new host device, a new IP assignment to a known host device, or a new user logged into a known host device. | 03-03-2011 |
| 20110055381 | HOST INFORMATION COLLECTION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for collecting information of host devices. In one aspect, a method includes transmitting a plurality of information probes to the host device, including an agent probe that queries an agent installed on the host device for a unique agent identifier; monitoring for replies to the information probes from the host device during the host detection phase; ending the host detection phase in response to receiving a reply to the agent probe that includes the unique agent identifier; resending the plurality of information probes and incrementing a repeat counter in response to not receiving a reply to the agent probe after the expiration of a time period; and ending the host detection phase in response to a value of the repeat counter exceeding a maximum repeat value. | 03-03-2011 |
| 20100306846 | REPUTATION BASED LOAD BALANCING - Methods and systems for operation upon one or more data processors for efficiently processing communications based upon reputation of an entity associated with the communication. | 12-02-2010 |
| 20100281540 | DETECTION OF CODE EXECUTION EXPLOITS - Various embodiments include a method of detecting shellcode in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability, based on a disassembly of instructions starting at a found offset for the instruction candidate, that the disassembled instructions are shellcode. | 11-04-2010 |