Virus detection

Subclass of:

726 - Information security

726022000 - MONITORING OR SCANNING OF SOFTWARE OR DATA INCLUDING ATTACK PREVENTION

726023000 - Intrusion detection

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Entries
DocumentTitleDate
20110179490Apparatus and Method for Detecting a Code Injection Attack - A code injection attack detecting apparatus and method are provided. The code injection attack may be detected based on characteristics occurring when a malicious code injected by the code injection attack is executed. For example, the code injection attack detecting apparatus and method may detect that a code injection attack occurs when a buffer miss is detected, a page corresponding to an address is updated, a mode of the page corresponding to the address is in user mode, and/or the page corresponding to the page is inserted by an external input.07-21-2011
20120266243Emulation for malware detection - According to a first aspect of the present invention there is provided a method of performing emulation of at least part of a program using an emulated computer system implemented on a computer system. The method comprises includes, during execution of the program within the emulated computer system, when the program attempts to access a unit of data, copying the unit of data from a memory of the computer system into an emulated memory, and allowing the program to access the unit of data within emulated computer system. A unit of data may be a memory page.10-18-2012
20120174226System and Methods for Launching Antivirus Application Tasks during Computer Downtime - Disclosed are systems, methods and computer program products that enable deployment of an antivirus application on a computer system in a manner that reduce interference of the antivirus application with activities of system users. In particular, the computers system is provided with a plurality of detection devices that may be used to detect when the computers system is being used by the user or when it is in downtime mode. The detection devices may include data input device, such as a mouse or keyboard, temperature sensors, pressure sensors, digital camera, sound wave source and sound wave receiver or other detection devices. The computer system also includes a software agent associated with an antivirus application. The software agent collects and analyses data from the detection devices, determines when the computer system is in a downtime mode, and then launches various antivirus application tasks.07-05-2012
20120174225Systems and Methods for Malware Detection and Scanning - Systems and methods are provided for malware scanning and detection. In one exemplary embodiment, the method includes a hub computing device that receives, from a controller computing device, a scan request, and identifies spoke computing devices for performing the scan request. The method performed by the hub computing device also includes sending to the identified spoke computing devices, the scan request, receiving, from the spoke computing devices, results associated with the scan request, and sending, to the controller computing device, the results associated with the scan request.07-05-2012
20120174224Systems and Methods for Malware Detection and Scanning - Systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.07-05-2012
20100017880Website content regulation - A method of facilitating the scanning of web pages for suspect and/or malicious hyperlinks that includes receiving at a content hosting website, user generated content. A web page or web page containing said content is then generated and, in the web page source code is included a detection code segment or a link from which a detection code segment can be downloaded. The detection code segment is executable by a web browser or web browser plug-in to scan the web page(s), or cause the web page(s) to be scanned, for suspect and/or malicious links.01-21-2010
20130086684CONTEXTUAL VIRTUAL MACHINES FOR APPLICATION QUARANTINE AND ASSESSMENT METHOD AND SYSTEM - Described are embodiments that provide for the use of multiple quarantine partitions and/or multi-partition spaces (e.g., virtual machines) for initially installing and running downloaded content. The downloaded content can be run securely in the quarantine partitions and/or multi-partition spaces. Each quarantine partition and/or multi-partition space can be configured differently with different capabilities. Based on the configuration and capabilities of the quarantine partitions and/or multi-partition spaces, the downloaded content may have limited capabilities to access secure data, applications, or other code limiting the damage that the content can potentially cause.04-04-2013
20130086683SELECTIVELY SCANNING OBJECTS FOR INFECTION BY MALWARE - Techniques are described herein that are capable of selectively scanning objects for infection by malware (i.e., to determine whether one or more of the objects are infected by malware). For instance, metadata that is associated with the objects may be reviewed to determine whether update(s) have been made with regard to the objects since a determination was made that the objects were not infected by malware. An update may involve increasing a number of the objects, modifying one of the objects, etc. Objects that have been updated (e.g., added and/or modified) since the determination may be scanned. Objects that have not been updated since the determination need not necessarily be scanned. For instance, an allowance may be made to perform operations with respect to the objects that have not been updated since the determination without first scanning the objects for infection by malware.04-04-2013
20080256636Method and System for Detecting Malware Using a Remote Server - The present disclosure is directed to a method and system for detecting malware using a remote server. In accordance with a particular embodiment of the present disclosure a hash value for a file is generated. The hash value is transmitted to a remote server. A notification is received from the remote server indicating whether the file comprises malware. At least one operation on the file is prevented if the notification indicates the file comprises malware.10-16-2008
20080256635Method and System for Detecting Malware Using a Secure Operating System Mode - The present disclosure is directed to a method and system for detecting malware using a secure operating system mode. In accordance with a particular embodiment of the present disclosure a file is received. The file is stored in a secure directory. At least one operation is prevented on the file. A secure operating system mode is started to detect whether the file comprises malware.10-16-2008
20120246729DATA STORAGE DEVICES INCLUDING INTEGRATED ANTI-VIRUS CIRCUITS AND METHOD OF OPERATING THE SAME - A data storage device includes a storage medium and a controller circuit configured to be coupled to an external host to provide an interface between the external host and the storage medium, the controller circuit configured to detect a virus carried by a data file transferred to and/or stored in the storage medium. The controller circuit may be further configured to cure the detected virus.09-27-2012
20100077483METHODS, SYSTEMS, AND MEDIA FOR BAITING INSIDE ATTACKERS - Methods, systems, and media for providing trap-based defenses are provided. In accordance with some embodiments, a method for providing trap-based defenses is provided, the method comprising: generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties; embedding a beacon into the decoy information; and inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.03-25-2010
20100115620STRUCTURAL RECOGNITION OF MALICIOUS CODE PATTERNS - Various embodiments include an apparatus comprising a detection database including a tree structure of descriptor parts including one or more root nodes and one or more child nodes linked to from one or more parent descriptor parts chains, each of the root nodes representing a descriptor part, and each root node linked to at least one of the child nodes, each root node and each child node linked to any possible additional child nodes, wherein the possible additional child nodes include any possible successor child nodes and a descriptor comparator coupled to the detection database, the descriptor comparator operable to receive data including a plurality of logic entities, once or successively, and to continuously compare logic entities provided to the tree structure of descriptor parts stored in detection database, and to provide an output based on the comparison.05-06-2010
20100115619METHOD AND SYSTEM FOR SCANNING A COMPUTER STORAGE DEVICE FOR MALWARE INCORPORATING PREDICTIVE PREFETCHING OF DATA - A method and system for scanning a computer storage device for malware is described. One embodiment keeps track of which portion or portions of each of a plurality of files on a computer storage device are requested for analysis by an anti-malware engine during a first scan of the computer storage device for malware; prefetches, during a second scan of the computer storage device for malware, the portion or portions of each of at least a subset of the plurality of files that were requested by the anti-malware engine during the first scan, the prefetched data being supplied to the anti-malware engine for analysis as requested; and takes corrective action responsive to the results of at least one of the first and second scans.05-06-2010
20130081142System, Method, and Logic for Classifying Communications - In accordance with particular embodiments, a method includes intercepting a communication and extracting metadata associated with the communication. The extracted metadata comprises a plurality of different fields from communication metadata and file metadata. The method further includes determining a score, based on previous communications, for each field of the extracted metadata. The score is indicative of a likelihood that the communication is a malicious communication. The method additionally includes combining the scores to generate a combined score for the communication based on an algorithm developed from the previous communications. The method also includes generating, based on the combined score at a first time, a predicted classification as to whether the communication is a malicious communication. The method further includes receiving, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication and updating the algorithm based on the indication.03-28-2013
20130036472Computer Worm Defense System and Method - A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.02-07-2013
20100043073ANTI-VIRUS METHOD, COMPUTER, AND RECORDING MEDIUM - In one computer system, causing the second virtual machine, which executes antivirus software for detecting and removing the virus, to monitor at least one first virtual machine that is created on the computer and execute one or more application program, periodically storing a state of the first virtual machine as snapshot, suspending the first virtual machine from which the virus is detected if the antivirus software executed on the second virtual machine detects the virus, and restoring the first virtual machine at a state of a point in time when the snapshot is stored by using the snapshot of the suspended first virtual machine.02-18-2010
20100043072COMPUTER PROTECTION AGAINST MALWARE AFFECTION - A method is provided of protecting a computer against malware affection. The computer has a data storage and an operating system for managing the data storage. The method comprises providing a filter module in the operating system which operates to detect an attempt to store data in the data storage, to determine a data format of the data to be stored in the data storage, and to prevent storage of the data if the data format is determined to relate to a predefined type. The filter module may be provided as a file system filter driver in a kernel of the operating system. The filter module may be arranged to operate between an input/output manager of the operating system and a driver associated with the data storage. The input/output manager and driver associated with the data storage may form part of the kernel of the operating system.02-18-2010
20130139265SYSTEM AND METHOD FOR CORRECTING ANTIVIRUS RECORDS TO MINIMIZE FALSE MALWARE DETECTIONS - Disclose are system, method and computer program product for correcting antivirus records. In an example method, during analysis of a software object for malware, an antivirus application retrieves from an antivirus database an antivirus record associated with the analyzed object, which identifies the object as malicious or clean. The application also checks if there is a correction for the antivirus record in an antivirus cache and use the correction for analysis of the software object. If no correction is found in the cache, the application checks correctness of the antivirus record with an antivirus server. The antivirus server uses statistical information about software objects collected from antivirus applications deployed on different computers to validate correctness of antivirus records. If the antivirus server provides a correction for the antivirus record, the application uses the provided correction for analysis of the software object for malware.05-30-2013
20090158435HASH-BASED SYSTEMS AND METHODS FOR DETECTING, PREVENTING, AND TRACING NETWORK WORMS AND VIRUSES06-18-2009
20090158434Method of detecting virus infection of file - Provided is a method of detecting virus infection of a file. The method includes the steps of a) copying an original file, and converting and simplifying data of the copied file; b) normalizing the simplified file data; c) acquiring distribution of similarity between data using the normalized file data; and d) analyzing the acquired distribution of similarity between data, and determining that the file is virus-infected when a preset dense distribution pattern exists. Thus, the method can effectively determine whether or not the file is infected with a virus without using a database (DB) of spam filtering or virus information.06-18-2009
20090158432On-Access Anti-Virus Mechanism for Virtual Machine Architecture - A tangible medium embodying instructions usable by a computer system to protect a plurality of guest virtual machines (VMs), which execute via virtualization software on a common host platform, from malicious code is described. A scan engine is configured to scan data for malicious code and determine a result of the scanning, wherein the result indicates whether malicious code is present in the data. A driver portion is configured for installation in an operating system of a target VM, which is one of the guest VMs. The driver portion intercepts an access request to a file, that originates within the target VM. The driver portion communicates information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine. The scan engine executes within the virtualization layer outside a context of the target VM.06-18-2009
20100107257SYSTEM, METHOD AND PROGRAM PRODUCT FOR DETECTING PRESENCE OF MALICIOUS SOFTWARE RUNNING ON A COMPUTER SYSTEM - A system, method and program product for detecting presence of malicious software running on a computer system. The method includes locally querying the system to enumerate a local inventory of tasks and network services running on the system for detecting presence of malicious software running on the system and remotely querying the system from a remote system via a network to enumerate a remote inventory of tasks and network services running on the system for detecting presence of malicious software running on the system, where the local inventory enumerates ports in use on the system and where the remote inventory enumerates ports in use on the system. Further, the method includes collecting the local inventory and the remote inventory and comparing the local inventory with the remote inventory to identify any discrepancies between the local and the remote inventories for detecting presence of malicious software running on the system.04-29-2010
20100107256Methods for Software Virus Protection in a Digital Display Device - This invention relates to methods for identifying potentially infected files downloaded to a digital display device (“DDD”) and for managing those potentially infected files. These methods may include the steps of: connecting the DDD to a device; downloading one or more files to the DDD; disconnecting the DDD from the device; verifying and repairing the boot sector of the DDD; removing the one or more downloaded files that are not supported for playback on the DDD; and scanning the one or more downloaded files that are supported for playback on the DDD.04-29-2010
20100031361Fixing Computer Files Infected by Virus and Other Malware - The disclosed invention is a new method and apparatus for detecting and removing virus from a computing device based on a web or network service. Virus is detected by transmitting the attributes and behavior of application modules on a computing device to another computing device via a web service, where it is analyzed. After the item has been classified, that information is sent back to the computing device along with the instructions on how the remove the virus. Along with the instructions on virus remediation a clean copy of the file or a network location of the clean copy can be sent.02-04-2010
20100031359PROBABILISTIC SHELLCODE DETECTION - Various embodiments include a method of detecting shell code in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.02-04-2010
20120167218SIGNATURE-INDEPENDENT, SYSTEM BEHAVIOR-BASED MALWARE DETECTION - A method, system, and computer program product for detecting malware based upon system behavior. At least one process expected to be active is identified for a current mode of operation of a processing system comprising one or more resources. An expected activity level of the one or more resources of the processing system is calculated based upon the current mode of operation and the at least one process expected to be active. An actual activity level of the plurality of resources is determined. If a deviation is detected between the expected activity level and the actual activity level, a source of unexpected activity is identified as a potential cause of the deviation. Policy guidelines are used to determine whether the unexpected activity is legitimate. If the unexpected activity is not legitimate, the source of the unexpected activity is classified as malware.06-28-2012
20130047257Systems and Methods for Computer Worm Defense - A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.02-21-2013
20130047256METHOD FOR PREVENTING A MOBILE COMMUNICATION DEVICE FROM LEAKING SECRET AND SYSTEM THEREOF - The invention provides a method for preventing a mobile communication device from leaking secret and a system thereof. In the method, by adopting a mobile communication device side and PC side structure, a controlling module installation package is transferred from a PC side to the mobile communication device; a controlling module runs automatically and obtains root privilege of the operating system of the mobile communication device; the controlling module forbids functions of silently dialing, silently answering, photo taking, video recording, voice recording, Bluetooth and infrared connection. The advantages of the present invention are that the present invention is suitable for on-site operation and possibility of leaking secret by any mobile communication device is eliminated by a PC terminal.02-21-2013
20090044276METHOD AND APPARATUS FOR DETECTING MALWARE - A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic.02-12-2009
20090044275PACKET DATA COMPARATOR AS WELL AS VIRUS FILTER, VIRUS CHECKER AND NETWORK SYSTEM USING THE SAME - It is an object of the present invention to realize a network system which can quickly detect a virus and tends not to be a new cause of vulnerability. A packet data comparator disclosed by the present invention branches inputted packet data into three branches, and includes an additional pattern matching unit which compares the branched packet data with a part of stored data and performs matching with collation patterns stored in a rewritable storage area, a fixed pattern matching unit which compares the branched packet data with the part of the stored data and performs the matching with a logical operation which has been configured with known collation patterns, a notification packet matching unit which compares the branched packet data with the part of the stored data and finds a notification packet, and an identity detection aggregation unit which aggregates results from the respective matching units. Moreover, a virus filter is configured by using the packet data comparator, a virus checker which can be updated through a network is configured by using the above described virus filter, and a secure network system is realized by using the above described virus checker.02-12-2009
20090044274Impeding Progress of Malicious Guest Software - One embodiment of the present invention is a method of operating a virtualization system, the method including: (a) instantiating a virtualization system on an underlying hardware machine, the virtualization system exposing a virtual machine in which multiple execution contexts of a guest execute; (b) monitoring the execution contexts from the virtualization system; and (c) selectively impeding computational progress of a particular one of the execution contexts.02-12-2009
20090044273CIRCUITS AND METHODS FOR EFFICIENT DATA TRANSFER IN A VIRUS CO-PROCESSING SYSTEM - Various embodiments of the present invention circuits and methods for improved virus processing. As one example, such methods may include providing a system memory, a general purpose processor and a virus co processor. The methods further include receiving a data segment at the general purpose processor, and storing the data segment to the system memory using virtual addresses. The date segment is accessed from the system memory by the virus co processor using the virtual addresses. The virus co processor then scans the date segment for viruses and returns results.02-12-2009
20090313700METHOD AND SYSTEM FOR GENERATING MALWARE DEFINITIONS USING A COMPARISON OF NORMALIZED ASSEMBLY CODE - A system and method for generating malware definitions for use in managing malware on a computer is described. One embodiment comprises receipt of a binary file running in system memory; taking a memory dump of the binary file at a time slice and storing the memory dump in a memory dump file; applying a normalization process to the memory dump file, wherein the normalization process alters a collection of data from the memory dump file, resulting in a normalized file; applying a comparison process between the normalized file and each of a plurality of normalized files stored in a database of malware definitions wherein the comparison process produces a comparison value associated with each of the normalized files in the database of malware definitions; and inserting the normalized file into the database of malware definitions, when each of the comparison values satisfies a predetermined criterion.12-17-2009
20090307776METHOD AND APPARATUS FOR PROVIDING NETWORK SECURITY BY SCANNING FOR VIRUSES - The invention relates to the provision of virus scanning capabilities in a network environment. A plurality of preliminary content processing functions are carried out on content passed over the network before the content is passed to one or more virus scanners. The virus scanners then scan the content for viruses using one or more results of the content processing functions.12-10-2009
20120192278UNAUTHORIZED PROCESS DETECTION METHOD AND UNAUTHORIZED PROCESS DETECTION SYSTEM - Provided is a system whereby information on activities obtained by way of monitoring system access to input and output devices and storage devices in a terminal as well as information on activities executed by way of a terminal and obtained by way of monitoring communications through a network are associated with processes in the terminal that generated the activities, and if the activities are predetermined activities executed by the same or related processes, the system detects that unauthorized processes are running on the terminal.07-26-2012
20120192277SYSTEM AND METHODS FOR PROTECTING USERS FROM MALICIOUS CONTENT - A method, system and device for allowing the secure collection of sensitive information is provided. The device includes a display, and a user interface capable of receiving at least one user-generated interrupt in response to a stimulus generated in response to content received by the device, wherein the action taken upon receiving the user-generated interrupt depends on a classification of the content, the classification identifying the content as trusted or not trusted. The method includes detecting a request for sensitive information in content, determining if an interrupt is generated, determining if the content is trusted, allowing the collection of the sensitive information if the interrupt is generated and the content is trusted, and performing an alternative action if the interrupt is generated and the content is not trusted. The method may include instructions stored on a computer readable medium.07-26-2012
20120192276SELECTING ONE OF A PLURALITY OF SCANNER NODES TO PERFORM SCAN OPERATIONS FOR AN INTERFACE NODE RECEIVING A FILE REQUEST - Provided are a computer program product, system, and method for selecting one of a plurality of scanner nodes to perform scan operations for an interface node receiving a file request. A list includes a plurality of scanner nodes in a network and for each scanner node a performance value. A file request is received with respect to a file. In response to the file request, one of the scanner nodes in the list is selected based on the performance values of the scanner nodes. The file is transmitted to the selected scanner node to perform a scan operation with respect to the file. Indication is received from the selected scanner node performing the scan operation whether a subset of code in the file matches code in a definition set. The file request is processed to result in execution of the file request based on the indication of whether the subset of code in the file matches a definition in the definition set.07-26-2012
20120192275REPUTATION CHECKING OF EXECUTABLE PROGRAMS - The reputation of an executable computer program is checked when a user input to a computing device initiates a program launch, thus triggering a check of a local cache of reputation information. If the local cache confirms that the program is safe, it is permitted to launch, typically without notifying the user that a reputation check has been made. If the local cache cannot confirm the safety of the program, a reputation check is made by accessing a reputation service in the cloud. If the reputation service identifies the program as safe, it returns an indication to the computing device and the program is permitted to be launched, again without notifying the user that a reputation check has been made. If the reputation service identifies the program as unsafe or potentially unsafe, or does not recognize it at all, a warning is displayed to the user.07-26-2012
20130167235AUGMENTING SYSTEM RESTORE WITH MALWARE DETECTION - An anti-malware program monitors the behavior of a system after a system restore to determine the likelihood of a hidden infection of malicious code still existing after the system restore. The anti-malware program observes the dynamic behavior of the system by monitoring conditions that are likely to signify the possibility of an infection thereby necessitating the need to initiate anti-malware detection. The anti-malware program may observe the restoration history, system settings, malware infection history, to determine the likelihood of an existing hidden infection after a system restore.06-27-2013
20130074185Providing a Network-Accessible Malware Analysis - In certain embodiments, a computer-implemented method comprises receiving, via a computer network and from a first computer system, a first malware analysis request. The first malware analysis request comprises a file to be analyzed for malware by a malware analysis system. The method includes initiating a malware analysis of the first file for malware by the malware analysis system. The method includes communicating to the first computer system a response for the first file determined by the malware analysis system. The response comprises an indication of whether the first file comprises malware.03-21-2013
20130074187HACKER VIRUS SECURITY-INTEGRATED CONTROL DEVICE - A hacker virus security-integrated control device separately operated by implementing existing security programs for viruses, malicious spyware and cloaker programs as an embedded device that is integrated hardware. The hacker virus security-integrated control device can protect computers and external storage devices from malicious programs that may infect data transmitted from the Internet, data transmitted between the computers and data in the external storage devices by implementing, as integrated hardware, a protection and disinfection program for various malicious programs, a protection and disinfection program for spyware, a defense program against cloakers' intrusion and a program for actively coping with new malicious programs, etc., so as to defend against intrusion by existing malicious programs and perform disinfection of the existing malicious programs, to actively cope with newly generated malicious programs, to defend against cloakers' malicious access to the computers, and to warn the cloakers of their malicious actions.03-21-2013
20130074186DEVICE-TAILORED WHITELISTS - A particular set of attributes of a particular computing device is identified. A first plurality of whitelisted objects is identified in a global whitelist corresponding to the particular set of attributes. A particular whitelist is generated to include the identified set of whitelisted objects, the particular whitelist tailored to the particular computing device. In some aspects, device-tailored updates to the particular whitelist are also generated.03-21-2013
20130061325Dynamic Cleaning for Malware Using Cloud Technology - A method for providing malware cleaning includes detecting potential malware on a first device connected to a network. A request including information to allow a second device connected to the network to determine an appropriate cleaning response is sent from the first device to the second device over the network. Upon receiving the request, the second device attempts to identify an appropriate cleaning response and, if a response is identified, sends the cleaning response over the network to the first device. The cleaning response is usable by the first device to address the detected potential malware.03-07-2013
20130061326BROWSING SUPPORT INFRASTRUCTURE WITH TIERED MALWARE SUPPORT - A network browser has a malware detection manager for direct or indirect scanning of files during upload or download processes for viruses, adware, spyware, etc. The malware detection manager defines and employs a quarantine bin, which is an isolated and secure memory space or directory for temporary placement of file packets during the file transmission while malware detection can commence. The malware detection manager scans for malware code associated with the packet sequence encountered during a file transmission to and from the Internet, during which it quarantines all the scanned packets in the quarantine bin. Quarantined files can be released if there is a human challenge authorizing the release of the file. Exchanging a malware-free signature between server and client via a trusted download center may be done so the client device need not scan the files for malware if content is certified and guaranteed as malware-free.03-07-2013
20090282486PRE-BOOT FIRMWARE BASED VIRUS SCANNER - The present disclosure relates to allowing the utilization of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation and, more particularly, to allowing the utilization of a virus scanner and cleaner that operates primarily during the loading of an operating system.11-12-2009
20120227110NETWORK BROWSER SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR SCANNING DATA FOR UNWANTED CONTENT AND ASSOCIATED UNWANTED SITES - A system, method, and computer program product are provided for scanning data for unwanted content and unwanted sites in response to a user request. In use, a user request is received via a network to scan data prior to downloading the data utilizing a network browser. In addition, the data is scanned for unwanted content and associated unwanted sites in response to the user request. Further, a response is sent to the user via the network.09-06-2012
20120117653MALWARE DETECTION SYSTEM AND METHOD - Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address.05-10-2012
20120117650IP-BASED BLOCKING OF MALWARE - A security module on a client monitors file download activities at the client and reports hosting website data to a security server. A download analysis module at the security server receives a hosting website data report from the client, where the hosting website data report describes a domain name and an IP address of a website hosting a file the client is attempting to download. The download analysis module analyzes the domain name and IP address of the website to generate file download control data indicating whether to allow downloading of the file to the client. The download analysis module reports the file download control data to the security module of the client. The security module uses the file download control data to selectively block downloading of the file.05-10-2012
20120117649INTERNET-BASED PROXY SECURITY SERVICES - A proxy server receives from a client device a request to perform an action on an identified resource that is hosted at an origin server for a domain. The proxy server receives the request as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server and the origin servers are owned by different entities. The proxy server analyzes the request to determine whether a visitor belonging to that request poses a threat. If the proxy server determines that the visitor poses a threat, the proxy server blocks the request and transmits a block page to the client device that indicates that the request has been blocked.05-10-2012
20130067577Malware scanning - According to a first aspect of the present invention there is provided a method of scanning a computer device in order to detect potential malware when an operating system running on the computer device prevents applications installed on the device from accessing installed files of other applications installed on the device. The method includes the steps of detecting installation of an application on the device, identifying one or more installation files that are required to perform the installation of the application, and performing a malware scan of the identified installation files and/or information obtained from the installation files.03-14-2013
20130067576Restoration of file damage caused by malware - In accordance with an example embodiment of the present invention, there is provided a method including: detecting a malware in a computer system and in response to the detection of the malware in the computer system initiating a deactivation of malware; detecting a file altered by the malware in response to a successful deactivation of the malware; and initiating a restoration of the altered file in response to the detection of the file altered by the malware.03-14-2013
20130067578Malware Risk Scanner - A technique for improving the installation of anti-malware software performs an analysis of a computer on which anti-malware software is to be installed prior to complete installation of the anti-malware software. If the analysis determines that the computer may already contain malware, then an attempt may be made to scan and clean the computer prior to the installation of a portion of the anti-malware software. Otherwise, the pre-installation scan and clean may be bypassed, allowing the installation of that portion of the anti-malware software.03-14-2013
20130067579System and Method for Statistical Analysis of Comparative Entropy - In accordance with one embodiment of the present disclosure, a method for determining the similarity between a first data set and a second data set is provided. The method includes performing an entropy analysis on the first and second data sets to produce a first entropy result, wherein the first data set comprises data representative of a first one or more computer files of known content and the second data set comprises data representative of a one or more computer files of unknown content; analyzing the first entropy result; and if the first entropy result is within a predetermined threshold, identifying the second data set as substantially related to the first data set.03-14-2013
20130067580Computer Virus Screening Methods and Systems - A method includes receiving a status update from a client device, the status update reflecting at least one change associated with the client device, updating a model of the client device based on the status update, receiving data to be screened for a virus, the data being received after the updating of the model of the client device, and screening the model of the client device for the virus. Systems and articles of manufacture are also disclosed.03-14-2013
20110023121DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES - Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged or incomplete RAR, CAB or ZIP archive is received. Without decrypting or decompressing the contents, an anti-virus detection module identifies the archive as a RAR, CAB or ZIP archive by assuming each of multiple possible archive types in turn and searching all of or certain parts of the archive for content consistent with the current archive type. Based on the identified type, for each contained file, descriptive information is extracted from the corresponding local file headers and a threat evaluation is performed by comparing the descriptive information to signatures of known malicious or undesired files. If the threat evaluation concludes a particular contained file is a threat, then appropriate defensive actions are taken in relation to the archive.01-27-2011
20120198553SECURE AUDITING SYSTEM AND SECURE AUDITING METHOD - Disclosed is a technique that audits security of a terminal connected to a network and executes a given program wherein a computer-virus free file is permitted to execute a program in a manner such that a computer virus is not activated. As a result, the terminal is maintained in a secure state.08-02-2012
20090083855System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses - A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the file system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.03-26-2009
20120272320METHOD AND SYSTEM FOR PROVIDING MOBILE DEVICE SCANNING - An approach for providing mobile device scanning is described. A file stored within a mobile device is received. A scan of the received file is initiated to determine a status relating to presence of an unauthorized code or to execution of an unauthorized activity. A notification message is generated based on the scan, wherein the notification message specifies information relating to the determined status.10-25-2012
20090235358SYSTEMS AND METHODS FOR ATTACHING A VIRTUAL MACHINE VIRTUAL HARD DISK TO A HOST MACHINE - Various embodiments of the present invention are directed to systems and methods for “attaching” a virtual hard drive to the physical computer hardware by implementing a specialized disk controller driver for the host operating system that is recognized by the host operating system as a disk controller driver but which in fact also emulates the virtual hard disk it is “attached” to. When the host operating system sends requests to read and write sectors from the virtual hard drive, the specialized driver (the “virtual hard drive controller driver”) directly accesses and manipulates the back-end file mentioned above. Thus the virtual disk is “attached” and recognizable by the host operating system and can be manipulated thereby (and applications executing thereon).09-17-2009
20090271867Virtual machine to detect malicious code - One embodiment of the invention discloses a method for receiving in a virtual machine (VM) contents of a program for creating a virtual environment for interacting with a host platform in a computing device; and determining by the VM if the received contents comprise predetermined instructions for performing at least one unauthorized task. Another embodiment of the invention discloses a method for receiving a system call for a host platform in communication with a VM of a computing device; and determining by the VM if the received system call comprises at least one predetermined system call for performing at least one unauthorized task. Yet another embodiment of the invention discloses a method for receiving a virtualized memory address for a host platform in communication with a VM of a computing device; and determining by the VM if the received virtualized memory address comprises at least one predetermined unauthorized virtualized memory address.10-29-2009
20090013408Detection of exploits in files - A scanning system for scanning computer files for exploits uses a database of validation rules, in respect of each of a plurality of file formats comprising data fields having a predetermined structure, the validation rules specifying valid structure and/or content for the data fields of the respective file format. Files are analysed to determine their file format. A validation process is performed comprising parsing the file to determine the structure and content of its data fields and validating the structure and/or content of the data fields of the file against the validation rules stored in the database in respect of the determined file format of the file. A file is determined to contain an exploit in response to the structure and/or content of the data fields of the file failing to be validated.01-08-2009
20130167236METHOD AND SYSTEM FOR AUTOMATICALLY GENERATING VIRUS DESCRIPTIONS - Systems and methods for automatically generating information describing malware are disclosed. In accordance with certain embodiments, a client computer may be provided with an antivirus program capable of finding malware and a server for receiving malware information sent from the antivirus program via a network. In accordance with one embodiment, the antivirus program may check the client computer for malware and, in the event that malware is found, the antivirus program may acquire information about the malware such as the type of malware, the form of identification of the malware, whether the malware has already been executed, and/or whether it has been possible to remove the malware. This malware information may be transmitted from the client computer to the server in an automatic, structured manner. When received by the server, the malware information may be fed into a database on the server and subsequently displayed, for example, in an automatic, structured manner on a web page or via an interface of the antivirus program.06-27-2013
20120240231APPARATUS AND METHOD FOR DETECTING MALICIOUS CODE, MALICIOUS CODE VISUALIZATION DEVICE AND MALICIOUS CODE DETERMINATION DEVICE - An apparatus for detecting a malicious code includes: a malicious code visualization device for generating a graph for a malicious file by using strings in the malicious file, a connection among the strings and entropies for the strings and establishing a malicious code database with the generated graph for the malicious file. The apparatus further includes a malicious code determination device for generating a graph for a specific executable file and comparing the graph for the executable file with graphs for malicious files stored in the malicious code database to detect a malicious code in the executable file.09-20-2012
20120240230MEMORY STORAGE DEVICE AND MEMORY CONTROLLER AND VIRUS SCANNING METHOD THEREOF - A memory storage device, a memory controller, and a virus scanning method are provided. In the method, a virus signature database recording a predetermined file segment and a corresponding virus signature is provided. A plurality of logical addresses is mapped to a part of a plurality of physical addresses in a rewritable non-volatile memory chip of the memory storage device, and a host system accesses the logical addresses by using a file system including a file allocation table (FAT). At least one binary code is received. The FAT is analyzed to identify a file segment containing the at least one binary code. If the file segment matches the predetermined file segment, the at least one binary code is not written into the memory storage device or transmitted back to the host system when the at least one binary code matches the virus signature corresponding to the predetermined file segment.09-20-2012
20080295177ANTIVIRAL NETWORK SYSTEM11-27-2008
20080295176Anti-virus Scanning of Partially Available Content11-27-2008
20110119764FINGERPRINT ANALYSIS FOR ANTI-VIRUS SCAN - Disclosed is a method of operating a data identification system. The method comprises identifying a first plurality of changed blocks in a first primary storage volume, processing the first plurality of changed blocks to generate a first plurality of fingerprints, scanning a first plurality of data items stored in a first secondary storage volume within the first primary storage volume corresponding to the first plurality of changed blocks to identify a first infected data item of the first plurality of data items, identifying a first reference fingerprint from the first plurality of fingerprints corresponding to the first infected data item, identifying a second plurality of changed blocks in a second primary storage volume corresponding to a second plurality of data items stored in a second secondary storage volume within the second primary storage volume, processing the second plurality of changed blocks to generate a second plurality of fingerprints, and identifying a first target fingerprint from the second plurality of fingerprints that corresponds to the first reference fingerprint.05-19-2011
20120151586Malware detection using feature analysis - A method of identifying sections of code that can be disregarded when detecting features that are characteristic of malware, which features are subsequently used for detecting malware. The method includes, for each of a multiplicity of sample files, subdividing file code of the sample file into a plurality of code blocks and then removing duplicate code blocks to leave a sequence of unique code blocks. The sequence of unique code blocks is then compared with those obtained for other sample files in order to identify standard sections of code. The standard sections of code identified are then included within a database such that those sections of code can subsequently be disregarded when identifying features characteristic of malware.06-14-2012
20120192279MALWARE DETECTION USING EXTERNAL CALL CHARACTERISTICS - A malware scanner 07-26-2012
20110283360IDENTIFYING MALICIOUS QUERIES - A framework identifies malicious queries contained in search logs to uncover relationships between the malicious queries and the potential attacks launched by attackers submitting the malicious queries. A small seed set of malicious queries may be used to identify an IP address in the search logs that submitted the malicious queries. The seed set may be expanded by examining all queries in the search logs submitted by the identified IP address. Regular expressions may be generated from the expanded set of queries and used for detecting yet new malicious queries. Upon identifying the malicious queries, the framework may be used to detect attacks on vulnerable websites, spamming attacks, and phishing attacks.11-17-2011
20110283361METHOD AND SYSTEM FOR NETWORK-BASED DETECTING OF MALWARE FROM BEHAVIORAL CLUSTERING - A computerized system and method for performing behavioral clustering of malware samples, comprising: executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic; clustering the malware samples into at least one cluster based on network behavioral information from the HTTP traffic; and extracting, using the at least one processor, network signatures from the HTTP traffic information for each cluster, the network signatures being indicative of malware infection.11-17-2011
20080209562Metamorphic Computer Virus Detection - The executions of computer viruses are analyzed to develop register signatures for the viruses. The register signatures specify the sets of outputs the viruses produce when executed with a given set of inputs. A virus detection system (VDS) (08-28-2008
20110302656DETECTING MALICIOUS BEHAVIOUR ON A COMPUTER NETWORK - A malicious behaviour detector (12-08-2011
20110302655Anti-virus application and method - A method of performing an anti-virus scan on an electronic file. An anti-virus application running at a computer device determines that an electronic file requires scanning. The electronic file is placed in a queue for analysis, and the state of the electronic file is altered such that it can be written to a memory but not accessed before analysis is complete. An icon associated with the electronic file is altered to indicate that the analysis is not yet complete, the icon being displayable on a display device. Once the electronic file has been analysed, the icon associated with the electronic file is altered again to indicate that it has been analysed.12-08-2011
20120005755INFECTION INSPECTION SYSTEM, INFECTION INSPECTION METHOD, STORAGE MEDIUM, AND PROGRAM - When detecting a traffic abnormality, an abnormality detection apparatus 01-05-2012
20120005754METHOD FOR RECORDING, RECOVERING, AND REPLAYING REAL TRAFFIC - A recording, recovering, and replaying method for real traffic is used for processing a plurality of network packets of a plurality of network connections. A recording procedure of the method includes the following steps. A recording parameter (N, M, P) is received. A header and a payload of each network packet of the network connections are completely recorded, and a payload accumulation value of each network connection is accumulated. When one of the payload accumulation values exceeds N, the header of each network packet and first M bytes of the payload are recorded for P consecutive network packets corresponding to the payload accumulation value. When one of the payload accumulation values exceeds N and after the P consecutive network packets of the network connection corresponding to the payload accumulation value are recorded, the header of each network packet is recorded for the network connection corresponding to the payload accumulation value.01-05-2012
20110167497System and Method for Managing Wireless Devices in an Enterprise - Methods and systems are disclosed for managing wireless devices in an enterprise. A first exemplary method manages the physical access points of a wireless network in an enterprise. A second exemplary method manages the assets of wireless devices in an enterprise. A third exemplary method enables virus detection within wireless devices. A fourth exemplary method manages wireless device data backup.07-07-2011
20110167496ENHANCED HARDWARE COMMAND FILTER MATRIX INTEGRATED CIRCUIT - A semiconductor integrated circuit includes a hardware mechanism arranged to ensure that associations between instructions and data are enforced so that a processor cannot execute an instruction that is not authorized. A Command Filter Matrix stores entries comprising instructions and associated data memory ranges. A hardware arrangement denies command execution if the CPU attempts to make a data fetch from an instruction that is outside the range associated with data in the Command Filter Matrix. The Command Filter Matrix may be implemented in a Field Programmable Gate Array such that the memory cell content is pre-programmed with entrusted code by a separate trusted hardware source. In this way, an operating system may function normally but only execute trusted instructions, commands and memory operations. The Command Filter Matrix also contains external write-only capability to enable external monitoring of performance.07-07-2011
20110289586METHODS, SYSTEMS, AND MEDIA FOR DETECTING AND PREVENTING MALCODE EXECUTION - A system for detecting and halting execution of malicious code includes a kernel-based system call interposition mechanism and a libc function interception mechanism. The kernel-based system call interposition mechanism detects a system call request from an application, determines a memory region from which the system call request emanates, and halts execution of the code responsible for the call request if the memory region from which the system call request emanates is a data memory region. The libc function interception mechanism maintains an alternative wrapper function for each of the relevant standard libc routines, intercepts a call from an application to one or more libc routines and redirects the call into the corresponding alternative wrapper function.11-24-2011
20110289584SYSTEMS AND METHODS TO SECURE BACKUP IMAGES FROM VIRUSES - A system and method provide for storing virus metadata with a backup image. Upon restoring files or data from the backup image, the virus metadata from the backup image is compared with current virus data. The comparison yields a list of new viruses that have been discovered after the backup image was created. The restore process may cause restored files to be scanned for the new viruses, while excluding previously known viruses from the scan.11-24-2011
20110289587Method and system for detecting and removing hidden pestware files - A method and system for detecting and removing a hidden pestware file is described. One illustrative embodiment detects, using direct drive access, a file on a computer storage device; determines whether the file is also detectable by the operating system by attempting to access the file using a standard file Application-Program-Interface (API) function call of the operating system; identifies the file as a potential hidden pestware file, when the file is undetectable by the operating system; confirms through an automated pestware-signature scan of the potential hidden pestware file that the potential hidden pestware file is a hidden pestware file; and removes automatically, using direct drive access, the hidden pestware file from the storage device.11-24-2011
20120090031DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES - Systems and methods for content filtering are provided. According to one embodiment, a self-extracting archive is received with an electronic mail (email) message. Prior to delivery of the email message, a determination is made regarding whether a file contained in the archive may be malicious or undesired. A type of archive and associated structure of the archive are determined by examining identification bytes stored within a header portion of the archive that identify the type of archive. Based on the type and associated structure, for each contained file, descriptive information, including a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in the compressed form, is extracted from the header portion. A file is identified as potentially malicious or undesired when the descriptive information matches a detection signature of a known malicious or undesired file.04-12-2012
20110296527INTEGRATED FIREWALL, IPS, AND VIRUS SCANNER SYSTEM AND METHOD - A system, method and computer program product are provided including a router and a security sub-system coupled to the router. Such security sub-system includes a plurality of virtual firewalls, a plurality of virtual intrusion prevention systems (IPSs), and a plurality of virtual virus scanners. Further, each of the virtual firewalls, IPSs, and virus scanners is assigned to at least one of a plurality of users and is configured in a user-specific manner.12-01-2011
20110296526APPARATUS AND METHOD FOR PREEMPTIVELY PROTECTING AGAINST MALICIOUS CODE BY SELECTIVE VIRTUALIZATION - An apparatus for preemptively protecting against malicious code by selective virtualization comprises: a compulsory resource storage unit which selects and stores compulsory resources required for executing a vulnerable program having an interface with an external source in a separated space; a modified resource-generating unit which generates a new resource by modifying the content of a resource accessed by the vulnerable program in the event the vulnerable program accesses a resource other than said compulsory resources; and a resource control unit which performs an operating system-level virtualization when the vulnerable program accesses the compulsory resource, and permits the vulnerable program to access the modified resource when the vulnerable program accesses a resource other than the compulsory resource.12-01-2011
20090282484COMPUTER SECURITY - Method and apparatus for mitigating the effects of security threats involving malicious code concealed in computer files (for example computer viruses, etc.). The method operates by inserting additional strings of arbitrary length within computer files of known type which may contain such security threats. The strings are chosen to have no substantial effect on the files in normal operation, but potentially disrupt attack code located in the file. Inserted sequences may incorporate a character sequence which, if interpreted as code, halts execution of that program. Alternatively, or in addition, character sequences may be deleted or reordered provided that they have no effect on normal interpretation of the file. As a result, the effect of malicious code operating successfully as intended by an attacker may be mitigated. The methods do not require prior knowledge of the nature of a specific threat and so provide threat mitigation for previously unidentified threats.11-12-2009
20090070878MALWARE PREVENTION SYSTEM MONITORING KERNEL EVENTS - A malware prevention system monitors kernel-level events of the operating system and applies user-programmable or pre-prepared policies to those events to detect and block malware.03-12-2009
20090165138Computer Virus Protection - A network is protected from e-mail viruses through the use of a sacrificial server. Any executable programs or other suspicious parts of incoming e-mail messages are forwarded to a sacrificial server, where they are converted to non-executable format such as Adobe Acrobat PDF and sent to the recipient. The sacrificial server is then checked for virus activity. After the execution is completed, the sacrificial server is rebooted.06-25-2009
20090165136Detection of Window Replacement by a Malicious Software Program - Various embodiments of a system and method for providing protection against malicious software programs are disclosed. The system and method may be operable to detect that a first window of a legitimate software program has been replaced by a second window of a malicious software program, e.g., where the second window includes features to mimic the first window in an effort to fool the user into inputting sensitive information into the second window. The method may operate to alert the user when the window replacement is detected.06-25-2009
20090013409Malware automated removal system and method - The present invention automates the operation of multiple malware removal software products using a computerized system that systematically operates the multiple selected software products. These products are operated in a customized “Safe Mode” using a shell that is different from the computer's other shell environments. Unlike ordinary Safe Mode shells, the Custom Safe Mode prevents malware that ties itself to the normal shell, such as the Windows Explorer shell, from functioning. In addition, the Custom Safe Mode allows the automation of tasks beyond that which is available under the standard command line shell.01-08-2009
20100031360Systems and methods for preventing unauthorized modification of an operating system - Systems and methods are provided for preventing unauthorized modification of an operating system. The system includes an operating system comprised of kernel code for controlling access to operation of a processing unit. The system further includes an enforcement agent executing at a higher privilege than the kernel code such that any changes to the kernel code are approved by the enforcement agent prior to execution.02-04-2010
20100031358SYSTEM THAT PROVIDES EARLY DETECTION, ALERT, AND RESPONSE TO ELECTRONIC THREATS - The invention is a computer system that provides early detection, alert and response to electronic threats (eThreats) in large wide area networks, e.g. the network of an Internet Services Provider or a Network Services Provider. The system of the invention accomplishes this by harnessing the processing power of dedicated hardware, software residing in specialized servers, distributed personal computers connected to the network, and the human brain to provide multi-layered early detection, alarm and response. The layers comprise: a Protection Layer, which detects and eliminates from the network data stream eThreats known to the system; a Detection Layer, which detects and creates signatures for new eThreats that are unknown to the system; an Expert Analysis Layer, which comprises a group of human experts who receive information from various components of the system and analyze the information to confirm the identity of new eThreats; and a Collaborative Detection & Protection Layer, which detects potential new eThreats by processing information received from various system agents and users. A Dynamic Sandbox Protection Layer associated with the distributed personal computers connected to the network can optionally be part of the system of the invention.02-04-2010
20110219453Security method and apparatus directed at removable storage devices - A method of protecting a computer against malware infection. The method includes, during operation of the computer, reading master boot record code from a removable storage device into the computer and inspecting said code to identify any instructions associated with suspicious behaviour. In the event that suspicious instructions are identified, the master boot record code on the removable storage device is modified and/or the behaviour of the computer adapted in order to prevent said master boot record code installing malware into the computer. Examples of suspicious behaviour include hard disk read or write operations.09-08-2011
20100083381Hardware-based anti-virus scan service - A device, system, and method are disclosed. In an embodiment, the device includes a storage medium to store files. The device also includes a manageability engine. The manageability engine accesses a virus signature file. The manageability engine then performs an anti-virus scan using patterns in the signature file to compare to one or more of the files. The manageability engine then reports the results of the scan to an external agent.04-01-2010
20090158433Method and Apparatus to Facilitate Generating Worm-Detection Signatures Using Data Packet Field Lengths - Network-level data traffic comprising data packets, wherein at least some of the data packets have at least one field of unbounded length, are received (06-18-2009
20100005531Isolated multiplexed multi-dimensional processing in a virtual processing space having virus, spyware, and hacker protection features - Information appliance, computing device, or other processor or microprocessor based device or system provides security and anti-viral, anti-hacker, and anti-cyber terror features, and can automatically create multiple sequentially or concurrently and intermittently isolated and/or restricted computing environments to prevent viruses, malicious or other computer hacking, computer or device corruption and failure by using these computing environments in conjunction with restricted and controlled methods of moving and copying data, combined with a process that destroys malicious code located in computing environments and data stores. Time multiplexed processing streams with system, device, architecture and method for maintaining isolation of multiple processes executing in single physical processor. Virtual multi-dimensional processing space and virtual processing environments. Temporally multiplexed processing in a single CPU. Process isolation using address control and mapping. Selecting, configuring, switching, and/or multiplexing multiple processes in physical and/or virtual processing or computing spaces to create physical and/or virtual processing or computing environments.01-07-2010
20100100960SYSTEM AND METHOD FOR PROTECTING DATA OF NETWORK USERS - A system and method for protecting data of network users are provided. A user end device is connected to a routing device. Then, the routing device directs data packets of the user end device into a data protection device connected to the routing device in series, according to profiles corresponding to the user end device. Security services are performed on the received data packets by the data protection device, thereby providing effective data security protection services to network users and overcoming the drawbacks of high costs and high maintenance required for self-configuration of such mechanisms in prior techniques.04-22-2010
20090077664Methods for combating malicious software - A method for combating malware monitors all attempts by any software executing on a computer to write data to the computer's digital storage medium and records details of the attempts in a system database having a causal tree structure. The method also intercepts unauthorized attempts by executing objects to modify the memory allocated to other executing objects or to modify a selected set of protected objects stored on the digital storage medium, and may also intercept write attempts by executing objects that have a buffer overflow or that are executing in a data segment of memory. The method may include a procedure for switching the computer into a quasi-safe mode that disables all non-essential processes. Preferably, the database is automatically organized into software packages classified by malware threat level. Entire packages or portions thereof may be easily selected and neutralized by a local or remote user.03-19-2009
20120110667System and Method for Server-Based Antivirus Scan of Data Downloaded From a Network - Aspects of the invention are directed to antivirus scanning, by a proxy server, of data downloaded from the network onto a PC workstation. The antivirus scanning is optimized for each scan by selecting an algorithm for that scan based on a determined overall likelihood that the downloaded data contains malicious code. Determination of the overall likelihood is augmented by the strength, or confidence, of statistical data relating to malware screening results of previous downloads having similar parameters to the instant download.05-03-2012
20110271347PRE-BOOT FIRMWARE BASED VIRUS SCANNER - The present disclosure relates to allowing the utilization of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation and, more particularly, to allowing the utilization of a virus scanner and cleaner that operates primarily during the loading of an operating system.11-03-2011
20090064336Virus detection in a network - A computer system and storage medium that in an embodiment count the number of times that a file or registry entry is added, changed, or deleted at clients in a network. If the count exceeds a threshold, then a warning is sent to the clients. The warning may prompt the clients to delete or rename the file or registry entry, run an anti-virus program, quarantine the file or registry entry, or issue a message. In this way, viruses may be detected at clients.03-05-2009
20110197280Network Managed Antivirus Appliance - Data can be scanned using a network managed appliance. The network managed appliance may integrate commercial hardware elements connected through a basic or simplified operating system environment expressly developed for the appliance, thus being more malware resistant and less vulnerable to attacks from the scanned data or other sources. The network managed appliance may be a self-contained apparatus with an integrated chassis, designed and configured as “single-purpose” device. Such appliances may be connected to an appliance management network including central management servers in communication with appliances in remote locations. The central management servers may ensure that scanning software and the definitions lists for each of the appliances are current and match an enterprise-approved configuration.08-11-2011
20090094698METHOD AND SYSTEM FOR EFFICIENTLY SCANNING A COMPUTER STORAGE DEVICE FOR PESTWARE - A method and system for efficiently scanning a computer storage volume for pestware is described. One embodiment determines whether a file on the storage device has been modified since it was last scanned for pestware; includes the file in a set of files to be scanned for pestware when it is determined that the file has been modified since it was last scanned for pestware; omits the file from the set of files to be scanned for pestware when it is determined that the file has not been modified since it was last scanned for pestware; scans the files in the set of files for pestware; and reports results of the pestware scan to a user.04-09-2009
20110197282METHOD AND APPARATUS FOR DETECTING SCANS IN REAL-TIME - A method and apparatus for detecting scans are described. In one example, a plurality of flows is allocated into a plurality of bins associated with different source Internet protocol (SIP) addresses. A set of bin characteristics for at least one bin of the plurality of bins is generated if the at least one bin reaches a predefined flow capacity. Afterwards, the set of bin characteristics is compared to a scan characteristics list to determine if a potential scan exists.08-11-2011
20110197281SYSTEMS AND METHODS FOR MALWARE DETECTION - Various embodiments include a computer system comprising a computer network including at least one client computer, the at least one client computer operable to generate a request, and an anti-malware engine coupled to the computer system and operable to provide anti-malware protection for the computer network, wherein the anti-malware engine is operable to receive the request generated by the at least one client, and to determine if the request is classified as malware by determining whether the request includes one or more valid tags.08-11-2011
20110197279MANAGEMENT METHODS OF STORAGE SYSTEM AND FILE SYSTEM - If a file infected with an unknown virus is stored in the file system provided by the NAS system, this invention prevents the invasion of the virus when recovering from the backup data. If the anti-virus program 08-11-2011
20110197278CONTAINMENT MECHANISM FOR POTENTIALLY CONTAMINATED END SYSTEMS - A malware detection and response system based on traffic pattern anomalies detection is provided, whereby packets associated with a variety of protocols on each port of a network element are counted distinctly for each direction. Such packets include: ARP requests, TCP/SYN requests and acknowledgements, TCP/RST packets, DNS/NETBEUI name lookups, out-going ICMP packets, UDP packets, etc. When a packet causes an individual count or combination of counts to exceed a threshold, appropriate action is taken. The system can be incorporated into the fast path, that is, the data plane, enabling communications systems such as switches, routers, and DSLAMs to have built-in security at a very low cost.08-11-2011
20090210943Method to detect viruses hidden inside a password-protected archive of compressed files - A method for inspecting a compressed archive file for virus infection without having to decompress the files contained therein. Data in the archive header is used to determine the probability that the compressed archive is infected. Default parameters used for the compression, the compression ratio, the number of files stored in the compressed archive, and the total size of the archive are factors utilized during inspection according to the present invention to detect archives with a high probability of infection, as well as to recognize archives with a low probability of infection. The method is especially beneficial when the archive has been encrypted or password-protected and the files contained therein cannot be decompressed, but is also advantageous when decompression is possible. In addition, use of the present invention avoids the danger of attempting to decompress a malicious archive containing an archive bomb.08-20-2009
20110202998Method and System for Recognizing Malware - The invention relates to a method for recognizing a piece of malware in a computer memory system, comprising the steps of: providing a master signature comprising a number of byte sequences, producing at least one first signature element, said first signature element comprising a subset of the number of byte sequences in the master signature, and applying the first signature element to data stored in the computer memory system in order to recognize a piece of malware stored in the computer memory system.08-18-2011
20120240233Method and system for detecting malicious web content - A method for determining whether web content intended for transmission from a second device to a first device via a routing device comprises malware is proposed. The method, to be carried out by the routing device, includes receiving at least a part of the web content from the second device, providing to an antivirus service a representation of N bits of the received part of the web content, and receiving, from the antivirus service, test information based on the representation of the N bits provided by the router and indicating whether the web content may comprise malware. An appropriate representation of the N bits of web content serves as a “fingerprint,” sufficiently identifying the entire piece of the web content for the purpose of determining whether or not this piece of web content may contain malware.09-20-2012
20120240234USB FIREWALL APPARATUS AND METHOD - Apparatus and methods prevent malicious data in Universal Serial Bus (USB) configurations by providing a hardware firewall. A hardware device interconnected between a host and the USB monitors communication packets and blocks packets having unwanted or malicious intent. The device may act as a hub, enabling multiple devices to connect to a single host. The device may only allow mass storage packets from a device recognized as a mass storage device. The device may block enumeration of unwanted devices by not forwarding packets between the device and the host. The device may be operative to assign a bogus address to a malicious device so as not to transfer communications from the device further up the chain to the host. The device may provide shallow or deep packet inspection to determine when a trusted device is sending possible malicious data, or provide packet validation to block packets that are malformed.09-20-2012
20120240232QUARANTINE NETWORK SYSTEM AND QUARANTINE CLIENT - A quarantine network system includes a quarantine control apparatus and a quarantine client connectable with each other. The quarantine control apparatus includes a receiving unit to receive verification information of the quarantine client, an identification unit to identify a security policy that the quarantine client is required to conform to, and an inspection request unit to transmit an inspection request to the quarantine client, requesting the quarantine client to inspect conformance/non-conformance to the identified security policy. The quarantine client includes a receiver to receive the inspection request from the quarantine control apparatus, a storage unit storing inspection information used to inspect conformance/non-conformance to the security policy, a reading unit to read out the inspection information from the storage unit, an inspection unit to inspect the quarantine client using the read-out inspection information, and an inspection result reporting unit to transmit an inspection result to the quarantine control apparatus.09-20-2012
20100083380NETWORK STREAM SCANNING FACILITY - In embodiments of the present invention improved capabilities are described for providing a scanning of data associated with a network computer facility. In the process, a request may be received for network content from a content requesting computing facility. A source lookup associated with the request for network content may be performed, where the source lookup may be from a networked source lookup database. The requested network content may then be retrieved, where the type of the content may be determined as a further aid in scanning the content. A checksum of at least a portion of the retrieved network content may then be calculated, and a checksum lookup associated with the portion of the retrieved network content be performed, where the checksum lookup may be from a networked checksum lookup database. Finally, an action may be taken based on at least one of the source lookup and checksum lookup, where the action is associated with protecting the content requesting computing facility from malware.04-01-2010
20100083382Method and System for Managing Computer Security Information - A security management system includes a fusion engine which “fuses” or assembles information from multiple data sources and analyzes this information in order to detect relationships between raw events that may indicate malicious behavior and to provide an organized presentation of information to consoles without slowing down the processing performed by the data sources. The multiple data sources can comprise sensors or detectors that monitor network traffic or individual computers or both. The sensors can comprise devices that may be used in intrusion detection systems (IDS). The data sources can also comprise firewalls, audit systems, and other like security or IDS devices that monitor data traffic in real-time. The present invention can identify relationships between one or more real-time, raw computer events as they are received in real-time. The fusion engine can also assess and rank the risk of real-time raw events as well as mature correlation events.04-01-2010
20130024940OFFLOADING OPERATIONS TO A REPLICATE VIRTUAL MACHINE - A method for detecting malicious code within a first virtual machine comprising creating a snapshot of the first virtual machine and transferring the snapshot to a second machine. A scan operation is run on the snapshot using resources of the second machine. In response to detecting malicious code during the scan operation, action is taken at the first virtual machine to address the detection of the malicious code. Thus, the action in response to detecting the malicious code may include placing the first virtual machine in quarantine.01-24-2013
20130024939Conditional security response using taint vector monitoring - An embodiment or embodiments of a computing system can conditionally trap based on a taint vector. A computing system can comprise at least one taint vector operable to list at least one of a plurality of taints indicative of potential security risk originating from at least one of a plurality of resources, and response logic operable to monitor the at least one taint vector and respond to a predetermined taint condition.01-24-2013
20100138924Accelerating the execution of anti-virus programs in a virtual machine environment - The execution of anti-virus programs can be accelerated in a virtual desktop environment. In one embodiment, a server hosts a plurality of virtual machines. Before performing a virus scan on a file, the server computes a signature value of the file, compares the signature value with the stored signature values in a central database, and performs a virus scan on the file according to the result of the comparison. If the signature value exists in the central database, the virus scan on the file can be skipped.06-03-2010
20090293125Centralized Scanner Database With Optimal Definition Distribution Using Network Queries - A system and method detects malware on client devices based on partially distributed malware definitions from a central server. A server stores malware definitions for known malware. The server generates one or more filters based on the malware definitions and distributes the filter(s) to client devices. The server also distributes full definitions to the clients for a subset of the most commonly detected malware. The client device scans files for malware by first applying the filter to a file. If the filter outputs a positive detection, the client scans the file using the full definition to determine if the file comprises malware. If the full definition is not stored locally by the client, the client queries the server for the definition and then continues the scanning process.11-26-2009
20120144489Antimalware Protection of Virtual Machines - The subject disclosure is directed towards protecting virtual machines on guest partitions from malware in a resource-efficient manner. Antimalware software is divided into lightweight agents that run on each malware-protected guest partition, a shared scanning and signature update mechanism, and a management component. Each agent provides the scanning mechanism with files to scan for malware, such as by running a script, and receives results from the scanning mechanism including possible remediation actions to perform. The management component provides the scanning mechanism with access to virtual machine services, such as to pause, resume, snapshot and rollback guest partitions as requested by the scanning mechanism.06-07-2012
20090288168MANAGEMENT CAPABILITIES FOR REAL-TIME MESSAGING NETWORKS - Techniques for managing instant message (IM) communications are provided. In various embodiments, IM communications in a plurality of network implementations are managed using one or more policies. A policy in the one or more policies includes an action applicable for an IM communication. Once an IM communication is received from an IM client, a policy that is applicable for that IM communication is determined. After determining an applicable policy, an action associated with the policy for the instant message communication is performed. Examples of actions that may be taken include recording the IM communication, modifying the IM communication, blocking the IM communication, forwarding the IM communication, and the like.11-19-2009
20120297487DISTRIBUTING UPDATE INFORMATION BASED ON VALIDATED LICENSE INFORMATION - Example embodiments disclosed herein relate to distributing updated execution information to a cluster of nodes. Licensing information about whether the nodes are licensed to receive the updated execution information is generated. The licensing information is validated. The validated licensing information is used to distribute the updated execution information to the nodes.11-22-2012
20120297486Look ahead malware scanning - According to a first aspect of the present invention there is provided a method of scanning for malware during execution of an application on a computer system. The method includes detecting accesses by the application to files within a common directory, using the detected accesses to identify one or more groups of files within said common directory that the application may subsequently want to access, and scanning said one or more groups of files for malware prior to the application attempting to access files of the group or groups.11-22-2012
20120144488COMPUTER VIRUS DETECTION SYSTEMS AND METHODS - Systems and methods for computer virus detection are presented. In one embodiment, a computer virus detection method includes: receiving an indication of a change to a file; performing a virus analysis process, including executing the changes to the file in a virtual machine and examining results of executing the changes; and handling the file based upon the virus analysis. The virus analysis can be performed in the system in which the change to the file occurs. Handling the file can include treating the file as potentially infected with a virus based upon the virus analysis. In one exemplary implementation, examining the results includes comparing the results of executing the changes to the file to other results from executing changes to another file, wherein the file is identified as potentially infected with a virus if the examination indicates that the results of executing the changes to the file are similar to the results from executing changes to another file. Examining results includes examining behavior resulting from executing the file (e.g., examining system calls, etc.). The outcome of examining the results can be forwarded for use in developing virus data sets.06-07-2012
20080301812Method and system for counting new destination addresses - Packets of a certain type from a certain source are directed to a system that estimates the set of destinations and the number of new destinations for which that source has sent packets during a time window T12-04-2008
20080216176HARDWARE-ASSISTED ROOTKIT BLOCKER FOR NETWORKED COMPUTERS - A hardware-assisted security system for networked computers can detect, prevent, and mitigate rootkits. The solution relies upon an add-on card that monitors the system, alerting administrators when malicious changes are made to a system. The technical detail lies in the techniques needed for detecting rootkits, preventing rootkits when possible, and granting administration of protected systems. A beneficial side-effect of the solution is that it allows many other security features, like system auditing, forensic capabilities to determine what happened after an attack, and hardware lock-down of important system resources.09-04-2008
20110209220Malware removal - A method and apparatus for scanning for or removing malware from a computer device. Under normal circumstances, the computer device is controlled by a first operating system installed in a memory of the device. In order to scan for or remove the malware from the computer device, control of the computer device is passed from the first operating system to a second operating system and, under the control of the second operating system, the device is either scanned for malware or the malware is removed. This allows malware to be detected or removed, even if it has affected the first operating system in some way in order to evade detection or removal.08-25-2011
20090150999SYSTEM, METHOD AND PROGRAM PRODUCT FOR DETECTING COMPUTER ATTACKS - Detecting obfuscated attacks on a computer. A first program function is invoked to render static components of a web page and identify program code within the web page or associated file. In response, before executing the identified program code, a malicious-code detector is invoked to scan the identified program code for malicious code. If the malicious-code detector identifies malicious code in the identified program code, the identified program code is not executed. If no malicious code is detected, a second program function generates revised program code from execution of the identified program code. In response, before executing the revised program code, the malicious-code detector is invoked to scan the revised program code for malicious code. If the malicious-code detector identifies malicious code in the revised program code, the revised program code is not executed.06-11-2009
20090265786AUTOMATIC BOTNET SPAM SIGNATURE GENERATION - A framework may be used for generating URL signatures to identify botnet spam and membership. The framework may take a set of unlabeled emails as input that are grouped based on URLs contained within the emails. The framework may return a set of spam URL signatures and a list of corresponding botnet host IP addresses by analyzing the URLs within the emails that are contained within the groups. Each URL signature may be in the form of either a complete URL string or a URL regular expression. The signatures may be used to identify spam emails launched from botnets, while the knowledge of botnet host identities can help filter other spam emails also sent by them.10-22-2009
20080282351Trusted Operating Environment for Malware Detection - Techniques and apparatuses for scanning a computing device for malware are described. In one implementation, a trusted operating environment, which includes a trusted operating system and a trusted antivirus tool, is embodied on a removable data storage medium. A computing device is then booted from the removable data storage medium using the trusted operating system. The trusted antivirus tool searches the computing device for malware definition updates (e.g., virus signature updates) and uses the trusted operating system to scan the computing device for malware. In another implementation, a computing device is booted from a trusted operating system on a removable device and a trusted antivirus tool on the removable device scans the computing device for malware. The removable device can update its own internal components (e.g., virus signatures and antivirus tool) by searching the computing device or a remote resource for updates and authenticating any updates that are located.11-13-2008
20080282350Trusted Operating Environment for Malware Detection - Techniques and apparatuses for scanning a computing device for malware are described. In one implementation, a trusted operating environment, which includes a trusted operating system and a trusted antivirus tool, is embodied on a removable data storage medium. A computing device is then booted from the removable data storage medium using the trusted operating system. The trusted antivirus tool searches the computing device for malware definition updates (e.g., virus signature updates) and uses the trusted operating system to scan the computing device for malware. In another implementation, a computing device is booted from a trusted operating system on a removable device and a trusted antivirus tool on the removable device scans the computing device for malware. The removable device can update its own internal components (e.g., virus signatures and antivirus tool) by searching the computing device or a remote resource for updates and authenticating any updates that are located.11-13-2008
20080235800Systems And Methods For Determining Anti-Virus Protection Status - A method to automatically determine a computer's current level of anti-virus protection is described. When a client machine submits a request, a request filter determines if the version of the anti-virus protection software present on the user's computer is sufficient to allow access to the requested destination. If the version of anti-virus software on the client machine is not sufficient, then the request filter directs the request to an alternate location.09-25-2008
20080289042Method for Identifying Unknown Virus and Deleting It - A method for identifying an unknown virus program includes: obtaining the behavior data of the program to be tested, and determining whether that program is a virus program based on its behavior data and the behavior data of preset typical virus programs. A method for deleting the virus program sets and performs, according to the behavior of the virus program, an anti-operation that reverses the actions of the virus program, and recovers the destroyed data.11-20-2008
20080271149ANTIVIRAL NETWORK SYSTEM - An apparatus and program product initiate generation of a metafile at a client computer. The metafile is evaluated at a network server for a potential viral risk. Program code executing at the server may correlate the evaluated potential risk to a risk level stored in a database. The program code may attach a color designator or other assignment indicative of the assessed risk level to the data. A user at the client computer may act on the data based on the attached risk level.10-30-2008
20120297488Discovering Malicious Input Files and Performing Automatic and Distributed Remediation - The subject disclosure is directed towards detecting malware or possible malware in an input file by allowing the input file to be opened, and by monitoring for one or more behaviors corresponding to the open file that likely indicate malware. Only certain executable files and/or file types opened thereby may be monitored, with various collected event data used for antimalware purposes when improper behavior is observed. Example behaviors include writing of a file to storage, generation of network traffic, injection of a process, running of script, and/or writing system registry data. Telemetry data and/or a sample of the file may be sent to an antimalware service, and malware remediation may be performed. Data (e.g., the collected events) may be distributed to other nodes for use in antimalware detection, e.g., to block execution of a similar file.11-22-2012
20080271147Pattern matching for spyware detection - Spyware programs are detected even if their binary code is modified by normalizing the available code and comparing it to known spyware patterns. Upon normalizing the known spyware code patterns, a signature of the normalized code is generated. Similar normalization techniques are employed to reduce the executable binary code as well. A match between the normalized spyware signature and the patterns in the normalized executable code is analyzed to determine whether the executable code includes known spyware. For pattern matching, Deterministic Finite Automata (DFA) are constructed for basic blocks and simulated on the basic blocks of the target executable, hash codes are generated for instructions in the target code and known spyware code and compared, register usages are replaced with common variables and compared, and finally Directed Acyclic Graphs (DAGs) of all blocks are constructed and compared to catch reordering of mutually independent instructions and renamed variables.10-30-2008
20100146626SYSTEM FOR PROTECTING DEVICES AGAINST VIRUS ATTACKS - A system for protecting devices operating on 64-bit editions of operating systems by retrieving the file path by which the process was run and not the actual file path from where the process is running and scanning this retrieved file path for viruses.06-10-2010
20080271148ANTI-WORM PROGRAM, ANTI-WORM APPARATUS, AND ANTI-WORM METHOD - An anti-worm program allows a computer to execute control of communication suspected to be worm communication, the program allowing the computer to execute: a communication information acquisition step that acquires communication information, which is information concerning communication from a target source; and a communication control step that has a control amount calculation formula for calculating the control amount of the communication from the target source using the communication information, and performs control of the communication from the target source based on the communication control amount obtained using the control amount calculation formula.10-30-2008
20100146627ELECTRONIC MESSAGE AND DATA TRACKING SYSTEM - Systems and methods for tracking electronic messages and data are provided. In one embodiment, the invention consists of a method of tracking email messages. In various embodiments, steps may include a) identifying an email message for tracking and b) inserting a linking object, into a tracked email message. Responsive to activation by a receiver of the email message, the linking object enables the receiver to submit information to a commercial anti-spam service or a commercial anti-virus service. The method can be used to identify and track email messages defined as spam or defined as containing viruses. The receiver's privacy may be preserved with respect to content of the email message by limiting the information submitted to signatures of the electronic message and other information associated with the electronic message that are reasonably required for spam or virus analysis.06-10-2010
20090089879SECURING ANTI-VIRUS SOFTWARE WITH VIRTUALIZATION - The subject disclosure relates to systems and methods that secure anti-virus software through virtualization. Anti-virus systems can be maintained separate from user applications and operating system through virtualization. The user applications and operating system run in a guest virtual machine while anti-virus systems are isolated in a secure virtual machine. The virtual machines are partially interdependent such that the anti-virus systems can monitor user applications and operating systems while the anti-virus systems remain free from possible malicious attack originating from a user environment. Further, the anti-virus system is secured against zero-day attacks so that detection and recovery may occur post zero-day.04-02-2009
20090089880Computer system and virus-scan method - An object of the present invention is to provide a computer system and virus-scan method that are capable of full-scanning the logical volume of a SUTOSEN PC with high frequency while limiting the number of virus-scan devices.04-02-2009
20100154064SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - A method of updating a content detection module includes obtaining content detection data, and transmitting the content detection data to a content detection module, wherein the transmitting is performed not in response to a request from the content detection module. A method of sending content detection data includes obtaining content detection data, selecting an update station from a plurality of update stations, and sending the content detection data to the selected update station. A method of building a content detection system includes establishing a first communication link between a central station and an update station, the central station configured to transmit content detection data to the update station, and establishing a second communication link between the update station and a content detection module.06-17-2010
20090070879COMPUTER SYSTEM AND METHOD FOR SCANNING COMPUTER VIRUS - According to the present invention, a timeout caused by executing a virus scan is avoided. A computer system has a first computer, a second computer coupled to the first computer, and a storage system coupled to the first computer and the second computer. The first computer receives a request to write data, writes the requested data in the storage system, and sends a virus scan request of the written data to the second computer. The second computer receives the virus scan request from the first computer, reads the written data out of the storage system, and partially executes a virus scan of the read data. After the partial virus scan of the read data is finished, the first computer sends a response to the received write request. After the first computer sends the response, the second computer executes the remainder of the virus scan of the read data.03-12-2009
20090178141BOOTING A DEVICE FROM A TRUSTED ENVIRONMENT RESPONSIVE TO DEVICE HIBERNATION - Techniques described are capable of receiving an indication that an operating system of a computing device has entered a hibernated state and, in response, booting the computing device from a trusted environment that is unalterable by the hibernated operating system. A component stored on or accessible by the trusted environment may then perform an operation on the computing device. This operation may include scanning the device, performing a memory test on the device, or updating firmware on the device. In some instances, the computing device enters the hibernated state due to a predetermined length of user inactivity on the computing device. As such, the described techniques may perform an operation on the computing device without user interaction causing the operation.07-09-2009
20090133123Worm Propagation Modeling In A Mobile AD-HOC Network - A worm propagation modeling system for use with a mobile ad-hoc network (MANET) includes an infection detection module receiving temporal dynamics information relating to temporal dynamics of worm spread in the MANET and spatial dynamics information relating to spatiality of nodes in the MANET. The infection detection module detects infection in a network segment of the MANET based on the temporal dynamics information and the spatial dynamics information.05-21-2009
20090187992METHOD AND SYSTEM FOR CLASSIFICATION OF SOFTWARE USING CHARACTERISTICS AND COMBINATIONS OF SUCH CHARACTERISTICS - In embodiments of the present invention improved capabilities are described for the steps of identifying a functional code block that performs a particular function within executable code; transforming the functional code block into a generic code representation of its functionality by tokenizing, refactoring, or the like, the functional code block; comparing the generic code representation with a previously characterized malicious code representation; and in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.07-23-2009
20100154061SYSTEM AND METHOD FOR IDENTIFYING MALICIOUS ACTIVITIES THROUGH NON-LOGGED-IN HOST USAGE - A method for identifying malware activities, implemented within a computer infrastructure, includes receiving a data communication via a data channel and determining a user is not interactively logged in to a host. Additionally, the method includes identifying the data communication as a potential malware communication in response to the determining the user is not interactively logged in to the host.06-17-2010
20090138972RESISTING THE SPREAD OF UNWANTED CODE AND DATA - A method or system of receiving an electronic file containing content data in a predetermined data format, the method comprising the steps of: receiving the electronic file, determining the data format, parsing the content data to determine whether it conforms to the predetermined data format, and if the content data does conform to the predetermined data format, regenerating the parsed data to create a regenerated electronic file in the data format.05-28-2009
20110225654Write-Proof Protection Method of a Storage Device - The present invention is a write-proof protection method of a storage device. The storage device includes a buffer to store data temporarily, with a capacity of the buffer being adjustable; and a write-proof control unit. The write-proof protection method includes transmitting a write-in protection signal to the write-proof control unit from an operating unit; the write-proof control unit writing a file that is written to the computer into the buffer of the storage device, rather than into the file system. When a stand-alone write-proof condition has been set by a user, an unknown program that has been written in can be a virus pattern, and the unknown program in the buffer can be analyzed to discover a new virus early, so as to achieve an antivirus effect.09-15-2011
20090144826Systems and Methods for Identifying Malware Distribution - Systems and methods for identifying malware distribution sites are described. In one embodiment, a system includes a malware detection module configured to analyze a file of a protected computer to determine that the file is associated with malware. The system also includes a Web site identification module configured to search a download history log of the protected computer to identify a Web site from which the file was downloaded.06-04-2009
20110225655Malware protection - According to a first aspect of the present invention there is provided a method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system. The method comprises determining if an executable file should be identified as being legitimate and, if not, executing the executable file whilst providing indications to the executable file that it is being executed within an emulated computer system.09-15-2011
20090199297THREAD SCANNING AND PATCHING TO DISABLE INJECTED MALWARE THREATS - An arrangement for scanning and patching injected malware code that is executing in otherwise legitimate processes running on a computer system is provided in which malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. The thread can be resumed or terminated to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected.08-06-2009
20090049552Method and Apparatus for Removing Harmful Software - Embodiments of the invention address the problem of removing malicious code from infected computers.02-19-2009
20120079596METHOD AND SYSTEM FOR AUTOMATIC DETECTION AND ANALYSIS OF MALWARE - A method of detecting malicious software (malware) includes receiving a file and storing a memory baseline for a system. The method also includes copying the file to the system, executing the file on the system, terminating operation of the system, and storing a post-execution memory map. The method further includes analyzing the memory baseline and the post-execution memory map and determining that the file includes malware.03-29-2012
20080263669SYSTEMS, APPARATUS, AND METHODS FOR DETECTING MALWARE - Various embodiments, including a method comprising creating a first fuzzy fingerprint of a known malware file, the first fuzzy fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file, creating a second fuzzy fingerprint of a file to be checked, the second fuzzy fingerprint including a second set of calculated complexity approximations and weightings for each of a plurality of blocks within the file to be checked, comparing the second fuzzy fingerprint to the first fuzzy fingerprint, calculating a similarity probability for each of the block-wise comparisons, the calculation including the respective weightings for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including a distance between the compared blocks; and calculating an overall similarity probability for the plurality of blocks compared.10-23-2008
20090077665METHOD AND APPLICATIONS FOR DETECTING COMPUTER VIRUSES - A method for detecting computer viruses includes the following steps: (a) enabling a server device to compile statistics on the computer virus infection record of a mobile terminal and the infection record of all computer viruses in a network, so as to obtain infection number rankings of the viruses that infected the mobile terminal and of all computer viruses in the network, respectively; (b) enabling the server device to generate virus pattern data according to the infection number ranking results of the viruses that infected the mobile terminal and of all computer viruses in the network; (c) enabling the server device to transmit the virus pattern data to the mobile terminal; (d) enabling the mobile terminal to receive data via the network; and (e) enabling the mobile terminal to detect whether the data is infected by a computer virus with reference to the virus pattern data, and to transmit computer virus infection information to the server device upon detection that the data is infected by a computer virus.03-19-2009
20110231934Distributed Virus Detection - A method and system for efficient virus protection in networks of computing resources. Virus definitions are ranked and distributed according to activity. Active viruses are scanned for by substantially every computing resource in the network, but scanning for less active viruses is distributed across the network according to computing resource capacity.09-22-2011
20090100521MALICIOUS SOFTWARE PREVENTION APPARATUS, SYSTEM, AND METHOD USING SAME - A malicious software prevention method is used for detecting malicious software and includes receiving data transmitted from a host machine or a mobile terminal and temporarily storing the received data as temporary data in a random access memory; detecting malicious software by scanning the temporary data with malicious data definitions stored in a read only memory; and cutting off a data connection between the host machine and the malicious software prevention apparatus or between the mobile terminal and the malicious software prevention apparatus if the malicious software is detected in the temporary data.04-16-2009
20090064335INSTANT MESSAGING MALWARE PROTECTION - A system including a content server and a plurality of instant messaging clients is configured to enable each client device to scan for malware on incoming or outgoing instant messages. The content server may receive malware configuration information and distribute the malware configuration information to each client device. Each client device may employ the malware configuration information to perform a number of actions, including determining one or more malware scanners to use, selectively scanning incoming or outgoing instant messages, reporting instances of malware that are detected, or selectively restricting one or more instant messaging functions. The system may include a malware information repository that receives reports of detected malware, analyzes the reports, and determines sources of malware.03-05-2009
20090217379METHOD FOR ANTIVIRUS PROTECTION AND ELECTRONIC DEVICE WITH ANTIVIRUS PROTECTION - The invention provides a method for antivirus protection adapted for an electronic device. First, an option read only memory (ROM) is initialized. Second, all network connection ports of the electronic device are disabled. A first network connection port is enabled to connect the electronic device with an external system. Whether first antivirus software is installed on the electronic device is checked. If it is checked that the first antivirus software is not installed on the electronic device, after second antivirus software is received by the electronic device from the external system via the first network connection port and is installed on the electronic device, the electronic device enables all the network connection ports to connect the electronic device with the external system.08-27-2009
20090210944Anti-malware data center aggregate - A method for reducing object scanning load in a network, the method including employing a data-center to provide to a client identifying information and classification information relating to a plurality of objects; at the client, obtaining identifying information for a given object; at the client, comparing the identifying information for the given object to the identifying information relating to the plurality of objects; and if identifying information relating to one of the plurality of objects is the same as the identifying information for the given object, relying on the classification information relating to the one of the plurality of objects as provided by the data-center.08-20-2009
20090241195DEVICE AND METHOD FOR PREVENTING VIRUS INFECTION OF HARD DISK - A device and a method for preventing virus infection of a hard disk are provided. The virus infection preventing device includes a storage media, a read-only memory, a control circuit and a switch. The virus infection preventing method includes steps of generating either a first signal or a second signal by a switch, and receiving a write command. If the write command allows data to be written into a boot sector of the hard disk and the first signal is generated by the switch, the write command is aborted. Whereas, if the write command allows data to be written into the boot sector of the hard disk and the second signal is generated by the switch, the write command is executed.09-24-2009
20110145922METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR MITIGATING EMAIL ADDRESS HARVEST ATTACKS BY POSITIVELY ACKNOWLEDGING EMAIL TO INVALID EMAIL ADDRESSES - A method of detecting and responding to an email address harvest attack at an Internet Service Provider (ISP) email system includes counting a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address and responding to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold.06-16-2011
20090254992SYSTEMS AND METHODS FOR DETECTION OF NEW MALICIOUS EXECUTABLES - A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign is within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.10-08-2009
20090260085APPARATUS, SYSTEM AND METHOD FOR BLOCKING MALICIOUS CODE - Provided are an apparatus, system and method for blocking malicious code. The apparatus includes a first malicious code detector for determining whether or not a received e-mail includes malicious code, on the basis of previously stored malicious code patterns; a second malicious code detector for performing second malicious code detection on a received e-mail determined by the first malicious code detector not to include malicious code; a pattern extractor for extracting a new malicious code pattern from malicious code detected by the second malicious code detector; and a transceiver for transferring the extracted new malicious code pattern to a pattern providing server. According to the apparatus, system and method, when one terminal detects a new malicious code pattern, a pattern providing server rapidly provides the new malicious code pattern to other terminals, and thus it is possible to rapidly and flexibly cope with the spread of malicious codes having new patterns.10-15-2009
20080307527APPLYING A POLICY CRITERIA TO FILES IN A BACKUP IMAGE - Provided are a method, system, and article of manufacture for applying a policy criteria to files in a backup image. A backup image of files in a file system is maintained. A policy is applied to the files in the backup image to determine files satisfying a policy criteria. A list is prepared indicating the determined files. The determined files in the file system are accessed and a deferred operation indicated in the applied policy is applied to the accessed files in the file system.12-11-2008
20100175134System and Method for Performing Remote Security Assessment of Firewalled Computer - Methods and systems for scanning an endpoint terminal across an open computer network are disclosed. An exemplary method includes providing a scanner engine in a computer server in communication with an open computer network, and establishing a secure connection across the open computer network between the scanner engine and a scanner agent installed on the endpoint terminal in communication with the open computer network. Commands for collecting data regarding the endpoint terminal are sent from the scanner engine across the secure connection to the scanner agent. The scanner engine then receives the collected data from the scanner agent across the secure connection, analyzes the data to assess a current posture of the endpoint terminal, and determines any updates for the endpoint terminal from the analysis. Updates are sent across the secure connection to the scanner agent for installation on the endpoint terminal, and the secure connection may then be terminated.07-08-2010
20120198554Obfuscated Malware Detection - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes identifying call instructions in a binary executable; for each call instruction, executing the call instruction; executing instructions subsequent to a target of the call instruction; determining that an address identified by a stack pointer is different from the return address; in response to the determination that the address is different, determining if there is a non-obfuscation signal; if there is a non-obfuscation signal, identifying the call instruction as a non-obfuscated call instruction; if there is not a non-obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; determining whether the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold; and in response to the determination that the number of call instructions identified as possibly obfuscated call instructions exceeds the threshold, identifying the executable as an obfuscated executable.08-02-2012
20090007268Tracking computer infections - A technique is disclosed for tracking a virus. For each of at least a subset of received network packets, it is determined whether the packet comprises an open packet. Information usable to determine a sender of the packet, in the event that a virus associated with a network transmission with which the packet is associated is determined to have been received, is copied from each packet determined to be an open packet, but not from at least a subset of packets not determined to be open packets.01-01-2009
20100192227OFFLINE EXTRACTION OF CONFIGURATION DATA - A configuration scanning system is described herein that scans a system configuration database for malware-related information with less impact on other operations that access the system configuration database. The system employs techniques to reduce the impact on other operations that access the configuration database, including parsing a file-based stored version of the configuration database, accessing the configuration database using opportunistic locking, and caching configuration information obtained by scanning the configuration database. In this way, the system is able to respond to requests from antimalware programs using cached information without impacting other programs using the configuration database. Thus, the configuration scanning system protects a computer system against malware while reducing the burden on the configuration database and on other programs that access the configuration database.07-29-2010
20100162399METHODS, APPARATUS, AND COMPUTER PROGRAM PRODUCTS THAT MONITOR AND PROTECT HOME AND SMALL OFFICE NETWORKS FROM BOTNET AND MALWARE ACTIVITY - Methods, apparatus and computer program products that protect networks from malware and botnet activity include collecting xFlow data associated with a network, analyzing the collected xFlow data to detect anomalous traffic on the network, investigating the presence of malware on the network in response to detecting anomalous traffic on the network, and taking remedial action to eradicate and/or isolate malware detected on the network. Collecting xFlow data includes capturing xFlow data at a router that connects the network and a communications network, and sending the captured xFlow data to a local or remote xFlow collector. Analyzing collected xFlow data, locally or remotely, to detect anomalous traffic includes applying one or more activity profiling algorithms to the xFlow data.06-24-2010
20100154062Virus Scanning Executed Within a Storage Device to Reduce Demand on Host Resources - Protection against computer viruses is provided by a storage device having a memory, a controller, and a content scanning module used for scanning files for viruses. Infected files are indicated to a virus handling module that resides external to the storage device. The virus handling module may alter access to the infected files and/or indicate their presence to other system components. Such virus scanning mechanism can be built within the controller of the storage device. The protection against computer viruses may be provided by a method that includes transferring file data from the memory to the controller, reconstructing the files from the file data, activating the controller to check the reconstructed files for viruses, and indicating the infected files to the virus handling module. By using the controller within the storage device to scan for viruses, the burden on the host can be greatly reduced.06-17-2010
20100218255Procedure for the 100% infection free installation/re-installation, patching and maintenance of a personal computer's operating system - The procedure resolves the several well known and documented issues regarding installing, patching and securing a Personal Computer from the Internet threats that lead to the malfunctioning of the PC as well as identity theft. The procedure includes installing the Operating System so that it is 100% free of all types of malicious computer attacks; keeping the PC from being infected/re-infected during the required security patches and updates; and keeping the PC safe and in optimal condition for the life of the machine, which is much longer than the industry standard of 2-6 months.08-26-2010
20100162400MALWARE DETECTION - The invention provides methods and systems for detecting exploits. A received file is examined to determine whether or not it corresponds to any of one or more predetermined models of normal file types. If the received file does not correspond to any of the one or more predetermined models of normal file types, it is flagged as a potential exploit.06-24-2010
20100146625SAMPLE ANALYZER, SAMPLE ANALYZING METHOD, AND COMPUTER PROGRAM PRODUCT - Disclosed is a sample analyzer comprising: a measuring unit for measuring a sample and outputting measurement data; and a measurement controller configured for carrying out operations comprising: obtaining analysis results of measurement data output from the measuring unit; detecting a malicious program; and restricting the output of the obtained analysis results when a malicious program has been detected. A sample analyzing method and a computer program product are also disclosed.06-10-2010
20090293127System for Protecting a Computing System from Harmful Active Content in Documents - A system protects a computing device from potentially harmful code in a document by receiving a data structure representation of the document and adding dynamically one or more definitions of potentially harmful active content to an editable configuration file. Each definition identifies potentially harmful active content and specifies an action to be performed on that potentially harmful active content if that potentially harmful active content is found in the document. The editable configuration file is parsed to generate a data structure representation of the one or more definitions in the editable configuration file. The data structure representation of the document is compared with the data structure representation of the one or more definitions of potentially harmful active content to identify potentially harmful active content within the document. The document is modified to render harmless any identified potentially harmful active content before presenting the document to the computing device.11-26-2009
20100251373SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE - A method for protecting a client computer from dynamically generated malicious content, including receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, modifying the content at the gateway computer, including replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection, transmitting the modified content from the gateway computer to the client computer, processing the modified content at the client computer, transmitting the input to the security computer for inspection when the substitute function is invoked, determining at the security computer whether it is safe for the client computer to invoke the original function with the input, transmitting an indicator of whether it is safe for the client computer to invoke the original function with the input, from the security computer to the client computer, and invoking the original function at the client computer with the input, only if the indicator received from the security computer indicates that such invocation is safe. A system and a computer-readable storage medium are also described and claimed.09-30-2010
20100251372DEMAND SCHEDULED EMAIL VIRUS AFTERBURNER APPARATUS, METHOD, AND SYSTEM - Queuing and rescanning email for the most recently detected virus signatures. An apparatus comprising a first virus scanning circuit operating on received email and a second virus scanning circuit operating on the outbound email queue and quarantine store. Rescanning for viruses, while delivering email to a downstream email server or viewing quarantine, with virus signatures not previously known when the virus was first introduced to the wild. A circuit determines that an email server or an email client is active and ready to retrieve or read emails from quarantine or from the output queue of an anti-virus, anti-spam appliance. Upon that condition, one or more virus signatures are read from a most recently discovered virus signature syndication server. Emails in the output queue or quarantine are rescanned before transmission to the destination email server.09-30-2010
20110113491COLLABORATIVE SYSTEM FOR PROTECTING AGAINST THE PROPAGATION OF MALWARES IN A NETWORK - The present invention is a system for using the collective computing power of a plurality of network stations in a communication network in order to overcome threats generated by malicious applications. Collaboratively, a large group of simple network stations implement a vaccination mechanism, proliferating information concerning malicious applications (malwares) throughout the network in an efficient manner.05-12-2011
20100100961INTRUSION DETECTION SYSTEM - An intrusion detection system monitors the rate and characteristics of Internet attacks on a computer network and filters attack alerts based upon various rates and frequencies of the attacks. The intrusion detection system monitors attacks on other hosts and determines if the attacks are random or general attacks or attacks directed towards a specific computer network and generates a corresponding signal. The intrusion detection system also tests a computer network's vulnerability to attacks detected on the other monitored hosts.04-22-2010
20120144490MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS - A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.06-07-2012
20090328220MALWARE DETECTION METHODS AND SYSTEMS FOR MULTIPLE USERS SHARING COMMON ACCESS SWITCH - Malware detection systems and methods are presented in which header data of protocol data units (PDUs) are examined at a wireless access switch shared by multiple clients, and the PDU type and client are used to establish counters, with the count values being analyzed to identify clients suspected of being infected with malware.12-31-2009
20090282485NETWORK BROWSER BASED VIRUS DETECTION - A network browser has a malware detection manager for direct or indirect scanning of files during upload or download processes for viruses, adware, spyware, etc. The malware detection manager defines and employs a quarantine bin, which is an isolated and secure memory space or directory for temporary placement of file packets during the file transmission while malware detection can commence. The malware detection manager scans for any malware code associated with the packet sequence encountered during a file transmission to and from the Internet, during which it quarantines all the scanned packets in the quarantine bin. Quarantined files can be released if there is a human challenge authorizing the release of the file. The invention also comprises exchanging a malware-free signature between server and client via a trusted download center. If a certified and valid malware-free signature is provided, the client device need not scan the files for malware bytes as the content is certified and guaranteed as malware-free.11-12-2009
20090249484METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT - In embodiments of the present invention improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, presenting retrieved content in response to the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may utilize the contextual information from the client request to aid in the detection of restricted content associated with retrieved content.10-01-2009
20110067109SYSTEM AND METHOD OF CACHING DECISIONS ON WHEN TO SCAN FOR MALWARE - In accordance with this invention, a system, method, and computer-readable medium that selectively scans files stored on a computing device for malware is provided. One aspect of the present invention includes identifying files that need to be scanned for malware when a software update that includes a malware signature is received. More specifically, attributes of the new malware are identified by searching metadata associated with the malware. Then, the method searches a scan cache and determines whether each file with an entry in the scan cache is the type that may be infected by the malware. If a file is the type that may be infected by the malware, the file is scanned for malware when a scanning event such as an I/O request occurs. Conversely, if the file is not the type that may be infected by the malware, the file may be accessed without a scan being performed.03-17-2011
20110067108Digital DNA sequence - In an embodiment of the invention, a method of classifying a data object includes: scanning the data object; evaluating contents of data objects based on at least one selected rule; and generating a digital DNA sequence that classifies at least some contents in the data object.03-17-2011
20090165137Mobile device having self-defense function against virus and network-based attacks and self-defense method using the same - Provided are a mobile device having a self-defense function against virus and network-based attacks and a self-defense method using the same. The mobile device includes a virus checking module, which receives information on files required for virus checking on a basis of input/output (I/O) information created from a file system of an operating system, and determines whether or not the files are infected with a virus using distribution of similarity between data; a malicious packet determination module, which examines information on an Internet protocol (IP) packet created from a network to interrupt a denial-of-service attack (DoS attack); and a control module, which receives the I/O information created from the file system of the operating system, selects the files required for the virus checking, and transmits the selected files to the virus checking module, or receives information on the IP packet created from the network to transmit the received information to the malicious packet determination module, thereby preventing damage caused by the virus in advance, and effectively preventing a denial-of-service attack (DoS attack) caused by wireless network resource depletion and battery consumption that may occur in a wireless environment.06-25-2009
20090320135SYSTEM AND METHOD FOR NETWORK EDGE DATA PROTECTION - Disclosed are systems and methods which examine information communication streams to identify and/or eliminate malicious code, while allowing the good code to pass unaffected. Embodiments operate to provide spam filtering, e.g., filtering of unsolicited and/or unwanted communications. Embodiments provide network based or inline devices that scan and scrub information communication in its traffic pattern. Embodiments are adapted to accommodate various information communication protocols, such as simple mail transfer protocol (SMTP), post office protocol (POP), hypertext transfer protocol (HTTP), Internet message access protocol (IMAP), file transfer protocol (FTP), domain name service (DNS), and/or the like, and/or routing protocols, such as hot standby router protocol (HSRP), border gateway protocol (BGP), open shortest path first (OSPF), enhanced interior gateway routing protocol (EIGRP), and/or the like.12-24-2009
20090320134Detecting Secondary Infections in Virus Scanning - A method, computer program product or computer system for scanning files in a computer system to detect additional infected files of a computer virus when a first infected file of the computer virus is identified, includes maintaining a friends tree for each file in the computer system, maintaining a search tree using the friends trees for scanning the files, searching the files listed in the search tree for the additional infected files, and quarantining the additional infected files detected in the searching.12-24-2009
20090113548Executable Download Tracking System - Systems and methods are disclosed for monitoring executable software applications on a computer network. Executable software applications and data files may be monitored by a risk monitoring system. The executable software application and data files may attempt to access a computer network and/or a computing device and a monitoring process may identify risks associated with the executable software application and/or data file. A suspicious characteristic of the executable software application may be identified during the monitoring process. The suspicious characteristic may be malware and may be neutralized before it causes damage to the computer network and/or computing device.04-30-2009
20080282349Computer Virus Identifying Information Extraction System, Computer Virus Identifying Information Extraction Method, and Computer Virus Identifying Information Extraction Program - To enable quick extraction of computer virus identifying information.11-13-2008
20100223670WIRELESS COMMUNICATION SYSTEM CONGESTION REDUCTION SYSTEM AND METHOD - A messaging server forwards emails to mobile communication devices of users to whom the emails were respectively addressed. An antivirus server determines whether an email addressed to a user of a mobile communication device, to be forwarded by the messaging server to the mobile communication device, is infected with a virus. In response to determining the email is infected with a virus, a bulletin generator transmits, to the mobile communication devices besides the mobile communication device of the addressee of the email determined to be infected, an all points bulletin message disclosing the existence of the virus. The bulletin message is transmitted directly to, instead of via email to, the wireless mobile communication devices.09-02-2010
20080229419Automated identification of firewall malware scanner deficiencies - Automated identification of deficiencies in a malware scanner contained in a firewall is provided by correlating incident reports that are generated by desktop protection clients running on hosts in an enterprise that is protected by the firewall. A desktop protection client scans a host for malware incidents, and when detected, analyzes the host's file access log to extract one or more pieces of information about the incident (e.g., identification of a process that placed the infected file on disk, an associated timestamp, file or content type, malware type, hash of such information, or hash of the infected file). The firewall correlates this file access log information with data in its own log to enable the firewall to download the content again and inspect it. If malware is detected, then it is assumed that it was missed when the file first entered the enterprise because the firewall did not have an updated signature. However, if the malware is not detected, then there is a potential deficiency.09-18-2008
20090038012METHOD AND SYSTEM FOR DELETING OR ISOLATING COMPUTER VIRUSES - The invention discloses a method and a system for deleting or isolating computer viruses. The method of deleting or isolating computer viruses comprises the steps of: selecting a first operating system configured with a virus killing module from a plurality of operating systems in a computer while the computer is in the starting process; loading the first operating system; scanning, by the virus killing module, the storage area of at least one operating system of the plurality of operating systems, wherein the at least one operating system does not include the first operating system; and deleting or isolating any virus found during scanning. According to the present invention, the problem that the basic operating system could not be started due to viruses may be solved, and thus the system stability is greatly improved.02-05-2009
20100306848Method and Data Processing System to Prevent Manipulation of Computer Systems - The present invention relates to the field of computer technology, and relates in particular to a method and system to prevent computer programs and data of any kind stored in a computer system from being manipulated and in particular for preventing hacker attacks and virus infection in computer systems, wherein said computer system comprises a storage means able to be read from and to be written to, and a means for switching said storage means into a write-protected mode. In order to provide improved prevention, the following steps are proposed, either during boot or during an installation process of an application program:12-02-2010
20100306847IDENTIFYING SECURITY PROPERTIES OF SYSTEMS FROM APPLICATION CRASH TRAFFIC - Most machines in an organization's computer network connect to the Internet and create web traffic logs which allow analysis of HTTP traffic in a simple, centralized way. The web traffic logs may contain error reports, and error reports contain significant information that can be used to detect network security weaknesses. By reviewing the error reports, significant information about a network and its security can be found, as common sources of network security weakness may be watched for in the error reports.12-02-2010
20090064334Adaptive Autonomic Threat Detection and Quarantine - Autonomic threat detection is performed by collecting traffic samples of traffic patterns associated with a networked device having a device resident validation module. A threat analysis system is used to recognize a pattern of traffic indicative of a compromised device based at least in part upon the traffic samples. If the samples indicate a compromised device, the device is quarantined and a security check is performed on the device. The security check may include requesting data from the corresponding device resident validation module to determine if the device is compromised, analyzing data from the device resident validation module of the quarantined device and taking an action based upon analysis of the data. At least one of the data from the device resident validation module of the quarantined device or the traffic samples is utilized to autonomically train the threat analysis system to identify compromised devices.03-05-2009
20130145471Detecting Malware Using Stored Patterns - In one embodiment, a method includes identifying a plurality of portions of a file and comparing the plurality of portions of the file to a plurality of stored patterns. The plurality of stored patterns include portions of known malware. The method also includes determining, from the plurality of portions of the file and based on the comparing of the plurality of portions of the file to the plurality of stored patterns, a set of matching portions. The set of matching portions include one or more of the plurality of portions of the file. In addition, the method includes determining a score for each portion in the set of matching portions and providing information regarding the set of matching portions. The information includes the scores determined for each portion of the set of matching portions.06-06-2013
20100333204SYSTEM AND METHOD FOR VIRUS RESISTANT IMAGE TRANSFER - A system and method for virus resistant image transfer, comprising a computer capable of accessing electronic sources of information, a connection to a local network, and a connection to the Internet, which enable virus resistant image transfer, by a user opening a computer connection, the user selecting data, the user generating an Internet optimized thumbnail image associated with the selected data, the user converting the selected data to an Internet optimized format, the user creating an Internet optimized pair of the selected data and the thumbnail image, the user compressing all Internet optimized pairs, the user connecting to a server, and the server authenticating the user.12-30-2010
20110010774MULTIMEDIA PLAY APPARATUS AND METHOD - Provided are a multimedia play apparatus and method. The multimedia play apparatus and method enable synchronization between an audio and a video through existing multimedia play time information, and even in a multimedia service that simultaneously provides multimedia and a message, the multimedia play apparatus and method enable synchronization between multimedia and a message that occurs by terminal characteristics between different environments and different users on the basis of existing multimedia play time information and multimedia meaning information. Moreover, by performing synchronization between multimedia and a message on the basis of the multimedia meaning information, the multimedia play apparatus and method can prevent the damage of a multimedia service that provides multimedia and a message together because of a spoiler corresponding to a malicious message.01-13-2011
20100154063IMPROVEMENTS IN RESISTING THE SPREAD OF UNWANTED CODE AND DATA - A method of processing an electronic file by identifying portions of content data in the electronic file and determining if each portion of content data is passive content data having a fixed purpose or active content data having an associated function. If a portion is passive content data, then a determination is made as to whether the portion of passive content data is to be re-generated. If a portion is active content data, then the portion is analysed to determine whether the portion of active content data is to be re-generated. A re-generated electronic file is then created from the portions of content data which are determined to be re-generated.06-17-2010
20100154060METHOD AND APPARATUS FOR PROVIDING MOBILE DEVICE MALWARE DEFENSE - A method and apparatus for protecting a wireless communication network are disclosed. For example, the method identifies an infected mobile endpoint device via at least one audit by a malware defense platform, and performs an anti-malware application update on the infected mobile endpoint device.06-17-2010
20110214185SYSTEM AND METHOD FOR TRACKING COMPUTER VIRUSES - A method for collecting and distributing data on computer viruses identified on a plurality of computers during virus scanning includes receiving virus scan results from the plurality of computers and collecting and storing the virus scan results in a database. The results include the type of virus identified. The method further includes aggregating at scheduled intervals the virus scan results over a specified time period at a publisher server to create a virus database and replicating the virus database to a subscriber server. A virus report is created from the virus database upon receiving a request from a user computer at the subscriber server and sent to the user computer.09-01-2011
20110119763DATA IDENTIFICATION SYSTEM - Disclosed is a method of operating a data storage system. The method comprises identifying changed segments of a primary storage volume, receiving a data request for a plurality of data items in a secondary storage volume, identifying changed data items of the plurality of data items in the secondary storage volume based on a correspondence between the plurality of data items in the secondary storage volume and the changed segments of the primary storage volume, and transferring the changed data items in response to the data request.05-19-2011
20110131655DETECTION OF FREQUENT AND DISPERSED INVARIANTS - A scalable method and apparatus that detects frequent and dispersed invariants is disclosed. More particularly, the application discloses a system that can simultaneously track frequency rates and dispersion criteria of unknown invariants. In other words, the application discloses an invariant detection system implemented in hardware (and/or software) that allows detection of invariants (e.g., byte sequences) that are highly prevalent (e.g., repeating with a high frequency) and dispersed (e.g., originating from many sources and destined to many destinations).06-02-2011
20110214184System and method for controlling applications to mitigate the effects of malicious software - Methods and systems for mitigating the effects of a malicious software application are disclosed. A dedicated module on the computing device receives from a malicious software detector a message indicating whether the application is malicious or has a malicious component. The dedicated module obtains a set of permissions to be granted to the application, and instructs software on the computing device that controls the permissions of the application to grant the set of permissions.09-01-2011
20110083183ANALYSIS OF SCRIPTS - A method and system for analyzing scripts. A script is processed, which executes text blocks of code derived from the script and copied to an output file in a sequential order. The script is the first text block that is copied to the output file. Executing the text blocks includes interpreting each text block to generate and execute a corresponding interpreted block of code. Processing the script results in the text blocks being sequenced in the output file in the sequential order. The text blocks include an original text block of code that includes text that may be directly inferred from text appearing in the script. The blocks of code include a new text block of code, which includes text that may not be directly inferred from text appearing in the script. The new text block is generated from executing the original text block.04-07-2011
20090300764SYSTEM AND METHOD FOR IDENTIFICATION AND BLOCKING OF MALICIOUS CODE FOR WEB BROWSER SCRIPT ENGINES - A system and method to protect web applications from malicious attacks and, in particular, a system and method for identification and blocking of malicious code for web browser script engines. The system includes at least one module configured to protect web applications from malicious attacks by detecting an occurrence of heap spraying and blocking the occurrence of heap spraying.12-03-2009
20100132042METHOD FOR UPGRADING ANTIVIRUS SOFTWARE AND TERMINAL AND SYSTEM THEREOF - A method for upgrading antivirus software and a corresponding terminal and system thereof are provided. The method includes: reporting, by a first operating system connected to a terminal, a first device port of the terminal to a computer when the computer is started; running, by the computer, a second operating system of the port via the first device port; loading, by the second operating system, a driver of a network communication device or the terminal, and downloading, by the second operating system, an update file of the antivirus software from a remote virus database server via the network communication device; and adopting, by the first operating system of the terminal, the update file of the antivirus software to update the antivirus software. The beneficial effects of the present invention lie in that the latest antivirus software can be updated when the computer is started, thus ensuring the system security and antivirus efficiency.05-27-2010
20100132041INTERCEPTION-BASED CLIENT DATA NETWORK SECURITY SYSTEM - An interception-based client data network security system is provided, which includes a user end device, an interception device and a security center. The interception device performs interception of data packets from the user end device according to preset conditions, allows the intercepted data packets to be formed into event logs, and then transmits the event logs to the security center for storage. The security center compares the stored event logs according to specific search commands for providing security services in correspondence with the stored event logs, thereby overcoming the drawbacks of conventional MPLS or mirror techniques in which the transfer of mass data packets causes overloading of the servers of the security center and excessive consumption of network bandwidth.05-27-2010
20110093953PREVENTING AND RESPONDING TO DISABLING OF MALWARE PROTECTION SOFTWARE - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for responding to an attempt to disable a malware protection program and performing an identification process and one or more protection processes to prevent the execution of potentially malicious code. In one aspect, a method includes monitoring for attempts to disable a malware protection program, identifying a process that generated an attempt to disable the malware protection program, determining whether the process is an approved process, and in response, performing one or more protection processes on the process so as to prevent the execution of potentially malicious code.04-21-2011
20110093952DETECTING AND RESPONDING TO MALWARE USING LINK FILES - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for monitoring the generation of link files by processes on a computer and performing protection processes based on whether the link files target malicious objects or are generated by malicious processes. In one aspect, a method includes monitoring for a generation of a first file that includes a target path that points to an object; in response to monitoring the generation of the first file: determining whether the target path is a uniform resource locator; in response to determining that the target path is a uniform resource locator, identifying a process that caused the first file to be generated; determining whether the process is a prohibited process; in response to determining that the process is a prohibited process, performing one or more protection processes on the process and the first file; in response to determining that the process is not a prohibited process, determining whether the uniform resource locator is a prohibited uniform resource locator; in response to determining that the uniform resource locator is a prohibited uniform resource locator, performing one or more protection processes on the process and the first file.04-21-2011
20100011443Method for preventing the spreading of malware via the use of a data security device - Embodiments of the present invention set forth methods for preventing the spreading of malware via the use of a data security device. Specifically, one embodiment of the present invention sets forth a method which includes the steps of activating a malware scanning engine in the data security device after the data security device is attached to a computer and a mobile device but before data communication between the computer and the mobile device occurs, and invoking the malware scanning engine before permitting any data communication between the mobile device and the computer to occur.01-14-2010
20090172816DETECTING ROOTKITS OVER A STORAGE AREA NETWORK - Embodiments of the invention improve the detection of malicious software applications, such as a rootkit, on hosts configured to access storage volumes over a storage area network (SAN). A rootkit detection program running on a switch may be configured to detect rootkits present on the storage volumes of the SAN. Because the switch may mount and access storage volumes independently from the (possibly compromised) hosts, the rootkit is not able to conceal itself from the rootkit detection program running on the switch.07-02-2009
20090031423PROACTIVE WORM CONTAINMENT (PWC) FOR ENTERPRISE NETWORKS - A proactive worm containment (PWC) solution for enterprises uses a sustained faster-than-normal outgoing connection rate to determine if a host is infected. Two novel white detection techniques are used to reduce false positives, including a vulnerability time window lemma to avoid false initial containment, and a relaxation analysis to uncontain (or unblock) those mistakenly contained (or blocked) hosts, if there are any. The system integrates seamlessly with existing signature-based or filter-based worm scan filtering solutions. Nevertheless, the invention is signature free and does not rely on worm signatures. Nor is it protocol specific, as the approach performs containment consistently over a large range of worm scan rates. It is not sensitive to worm scan rate and, being a network-level approach deployed on a host, the system requires no changes to the host's OS, applications, or hardware.01-29-2009
20100037321Systems and Methods for Providing Security Services During Power Management Mode - Systems and methods for providing security services during a power management mode are disclosed. In some embodiments, a method comprises detecting a wake event, providing a wake signal in response to the wake event to wake a mobile device from a power management mode, and managing security services of the mobile device. Managing security services may comprise scanning a hard drive of the mobile device for viruses and/or other malware. Managing security services may also comprise updating security applications or scanning the mobile device for unauthorized data.02-11-2010
20100064369METHODS, MEDIA, AND SYSTEMS FOR DETECTING ATTACK ON A DIGITAL PROCESSING DEVICE - Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.03-11-2010
20100064368Systems, Methods, and Media for Outputting a Dataset Based Upon Anomaly Detection - Systems, methods, and media for outputting a dataset based upon anomaly detection are provided. In some embodiments, methods for outputting a dataset based upon anomaly detection: receive a training dataset having a plurality of n-grams, which plurality includes a first plurality of distinct training n-grams each being a first size; compute a first plurality of appearance frequencies, each for a corresponding one of the first plurality of distinct training n-grams; receive an input dataset including first input n-grams each being the first size; define a first window in the input dataset; identify as being first matching n-grams, the first input n-grams in the first window that correspond to the first plurality of distinct training n-grams; compute a first anomaly detection score for the input dataset using the first matching n-grams and the first plurality of appearance frequencies; and output the input dataset based on the first anomaly detection score.03-11-2010
20100077482METHOD AND SYSTEM FOR SCANNING ELECTRONIC DATA FOR PREDETERMINED DATA PATTERNS - A method and system for scanning electronic data for predetermined data patterns is described. One embodiment reads the electronic data serially; consults, during the reading, an acceleration list, the acceleration list specifying one or more sections of the electronic data that are to be scanned for the predetermined data patterns, at least one predetermined data pattern being applicable to each of the one or more sections based, at least in part, on a predetermined data address range associated with the at least one predetermined data pattern lying within that section of the electronic data, the predetermined address range specifying a location of a potential occurrence, within the electronic data, of the at least one predetermined data pattern; scans for predetermined data patterns, during the reading, only the one or more sections of the electronic data specified in the acceleration list; and reports results of the scanning to a user.03-25-2010
20090038011SYSTEM AND METHOD OF IDENTIFYING AND REMOVING MALWARE ON A COMPUTER SYSTEM - A system and accompanying method of identifying and removing malware on a computer system is disclosed. The system comprises a source file containing reference attributes and properties of components of a local computer system in a state unaffected by malware, and exact copies of the system control files. The components of the local computer system may comprise executable and script files such as operating system files, application programs, system controls, registry files and all other executable and script files and their related relevant files. The current status of executables is checked against the reference attributes. All executables on the local computer system failing certain match criteria are removed from the local system, or alternatively, replaced with reference copies from the source file. Thereby, the system and method identifies malware based on previous system state, method of entry into the local computer system, and intention to automatically execute either upon booting or upon launching of a computer program which a user has intentionally installed and which the user would normally believe to be free of malware.02-05-2009
20090217380MESSAGING VIRUS PROTECTION PROGRAM AND THE LIKE - The present invention relates to a messaging virus protection program and the like for dealing with messaging viruses transmitted along with the movement of electronic information. This messaging virus protection program causes a computer to execute the steps of judging whether or not processing is to be performed in a warning mode based on information which either warns or does not warn of a new type of messaging virus, determining whether or not there is a danger of viral infection in case of a warning mode, storing the received electronic information in cases where it is determined that there is a danger, and delivering the received electronic information in cases where it is determined that there is no danger and, in case of not the warning mode, performing processing for the received electronic information based on the characteristics of known messaging viruses.08-27-2009
20100037320System and Method for On-Line Exchange and Trade of Information - A system and method for online trade and exchange of information are disclosed. A computer application running on a workstation of an expert and on a workstation of a customer/patient provides an environment on the displays of the workstations which enables both parties to synchronously present and watch, modify and mark documents, video streams, etc. According to embodiments of the invention a customer or patient located remotely from an expert may converse and communicate with that expert in a virtually face-to-face manner, to see and hear each other, to present documents, photos and video streams to each other, to play and stop playing streams, to point at points of interest on their displays, etc.02-11-2010
20100071064APPARATUS, SYSTEMS, AND METHODS FOR CONTENT SELFSCANNING IN A STORAGE SYSTEM - Apparatus, systems, and methods for content self-scanning within a storage system. Features and aspects hereof operable within a storage controller of a storage system scan blocks of data within the storage system to detect the presence of a pattern in one or more data blocks. The patterns to be matched may be stored as regular expressions in a pattern database in the storage system and may represent, for example, viruses to be detected in the data blocks of the storage system. Data blocks may be scanned, in real time, as they are received from an attached host system. Data blocks may also be retrieved from within the storage system for scanning. The storage system may cooperate with a scanning service computer to determine a file of data blocks related to any data block that matches a portion of a pattern.03-18-2010
20100064370METHOD AND DEVICE FOR PROTECTION OF A MICROCIRCUIT AGAINST ATTACKS - The method of protection of a microcircuit against an attack includes: 03-11-2010
20100077480Method for Inferring Maliciousness of Email and Detecting a Virus Pattern - Provided is a method of distinguishing an abnormal e-mail and determining whether an e-mail is affected with a virus. The method includes the steps of: decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information; determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result; distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule; and when there is an executable attachment file among the header information of the e-mail distinguished as abnormal, determining whether the abnormal e-mail is infected with a virus using distribution of similarity among data. The method effectively distinguishes an abnormal e-mail and determines whether an e-mail is infected with a virus without a database for spam filtering or a database of virus information, and thus is capable of stopping the propagation of new viruses. Therefore, an e-mail server can have a security technique and handle abnormal e-mail in a step before operation of a spam filter server or an antivirus server. Consequently, it is possible to manage a mail server more securely.03-25-2010
20100058474SYSTEM AND METHOD FOR THE DETECTION OF MALWARE - A method of automatically identifying malware may include receiving, by an expert system knowledge base, an assembly language sequence from a binary file, identifying an instruction sequence from the received assembly language sequence, and classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence. If the instruction sequence is classified as threatening, information may be transmitted to a code analysis component and a user may be notified that the binary file includes malware. The information may include one or more of the following: the instruction sequence, a label comprising an indication that the instruction sequence is threatening, and a request that one or more other assembly language sequences from the binary file be searched for at least a portion of the instruction sequence.03-04-2010
20100071065INFILTRATION OF MALWARE COMMUNICATIONS - Infiltration of malware communications. Malicious programs infecting individual devices within a network oftentimes communicate with another infected device (e.g., a master device by which the infection was established on a slave device in the first place). During this call home to a master device (or receiving a call from the master device), vital information about the attack, target, master device, etc. may be transmitted. The call home may include information acquired/retrieved from the infected device, or it may request additional information from the infecting device. By monitoring the network messages associated with such call home attempts (including any errors associated therewith), an infected device may be identified and appropriate action be taken (e.g., continue monitoring, isolate infected device from network, generate call to network help desk, etc.). This approach may be implemented at a network level to help prevent further promulgation of the malicious program to other devices.03-18-2010
20110154495MALWARE IDENTIFICATION AND SCANNING - A method for automatically generating a genetic signature for a set of malware, comprising parsing (step S06-23-2011
20110083188Virus, trojan, worm and copy protection of audio, video, digital and multimedia, executable files and such installable programs - A TSR (Terminate and Stay Resident) program based virus, trojan, worm and copy protection of audio, video, digital, multi media, executable files and installable programs. The TSR is co-resident on the chip-set or the CPU of the system, the BIOS and the OS (Operating System), whereby it is an intrinsic part of the system and is uninstallable. The TSR monitors any attempt to copy, play, record, any designated copy protected audio, video, digital, multi media; or any attempt to copy, install or execute any executable files or such installable programs and seeks authorization and/or authentication from a clearing house or by using a local authentication key, before playing, recording, storing, executing or installing such digital media. Additionally the TSR generates and inserts a unique digitally encrypted source signature that includes the machine number and the date and time code for pay per use and verification purposes.04-07-2011
20100077481COLLECTING AND ANALYZING MALWARE DATA - A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.03-25-2010
20110252478SYSTEM AND METHOD OF ANALYZING WEB CONTENT - A system and method are provided for identifying inappropriate content in websites on a network. Unrecognized uniform resource locators (URLs) or other web content are accessed by workstations and are identified as possibly having malicious content. The URLs or web content may be preprocessed within a gateway server module or some other software module to collect additional information related to the URLs. The URLs may be scanned for known attack signatures, and if any are found, they may be tagged as candidate URLs in need of further analysis by a classification module.10-13-2011
20110093951Computer worm defense system and method - A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.04-21-2011
20120174227System and Method for Detecting Unknown Malware - The present disclosure relates generally to the field of computer security and, in particular, to systems for detecting unknown malware. A method comprises generating genes for known malicious and clean objects; analyzing object genes using different malware analysis methods; computing a level of successful detection of malicious objects by one or a combination of malware analysis methods based on analysis of genes of the known malicious objects; computing a level of false positive detections of malicious objects by one or a combination of malware analysis methods based on analysis of genes of known clean objects; measuring effectiveness of each one or the combination of malware analysis methods as a function of the level of successful detections and the level of false positive detections; and selecting one or a combination of the most effective malware analysis methods for analyzing unknown objects for malware.07-05-2012
20120304298METHOD FOR ANTIVIRUS IN A MOBILE DEVICE BY USING A MOBILE STORAGE AND A SYSTEM THEREOF - A method for antivirus in a mobile device is performed by using a mobile storage and a system thereof. The method includes a mobile storage that is connected to a mobile device. The control module in the mobile storage automatically runs. The control module obtains root privilege of the operating system of the mobile device, and calls a virus-killing module in the mobile storage to eliminate a file(s) or program(s) threatening the security of the mobile device. The advantage is to obtain the newest antivirus method by using a mobile storage when a mobile device is unable to update antivirus software through the internet.11-29-2012
20110107425APPARATUS AND METHOD FOR PERFORMING VIRUS SCAN IN PORTABLE TERMINAL - An apparatus and method are provided in which, in order to avoid a situation where a vaccine installed in a portable terminal is damaged by a virus and thus a virus scan process cannot be normally performed, when the portable terminal operates as a removable disk or when an external memory is placed in the portable terminal, whether the vaccine installed in the portable terminal is damaged is determined to recover the damaged vaccine, and a version of the vaccine installed in the portable terminal is determined to update the vaccine to the latest version. The apparatus includes a memory divided into a storage area and a backup area to install a vaccine in the storage area and to back up the vaccine in the backup area.05-05-2011
20110083187SYSTEM AND METHOD FOR EFFICIENT AND ACCURATE COMPARISON OF SOFTWARE ITEMS - Apparatus, processes, and related technologies for comparison between a target item of software code and a reference set of software code. The target item is preprocessed to be compared against a reference item from the reference set to identify a selected set of lines of software code from the target item to be used for the comparison. Each line of the selected set of lines from the target software item is individually compared with lines of software code from the reference set to produce a measure of similarity between the target software item and at least one reference item of software code from the reference set. Various techniques are described for maintaining and updating a numerical representation of similarity of the target item with each reference item, the numerical representation being stored in a corresponding element of a data structure.04-07-2011
20110083186Malware detection by application monitoring - A method of detecting malware on a computer system. The method comprises monitoring the behaviour of trusted applications running on the computer system and, in the event that unexpected behaviour of an application is detected, identifying a file or files responsible for the unexpected behaviour and tagging the file(s) as malicious or suspicious. The unexpected behaviour of the application may comprise, for example, dropping executable files, performing modifications to a registry branch which is not a registry branch of the application, reading a file type class which is not a file type class of the application, writing portable executable (PE) files, and crashing and re-starting of the application.04-07-2011
20110083185Method and System for Improving Website Security - A method for locating and monitoring websites is provided that includes finding websites and contained hyperlinks, downloading a first snapshot of a web page taken at a first time, and downloading a second snapshot of the web page taken at a second time later than the first time. The method also includes enabling a comparison of the first snapshot and the second snapshot. A system for monitoring websites is provided. The system includes means for enabling a comparison of the first snapshot and the second snapshot visually or through the use of content data from that web site. A computer-readable recording medium having recorded thereon an executable program is provided. The program when executed causes a processor to perform a method for monitoring websites.04-07-2011
20110083184ANTI-MALWARE SCANNING IN PARALLEL PROCESSORS OF A GRAPHICS PROCESSING UNIT - A method of anti-malware scanning includes providing, in a computing system including a central processor, a multimedia processor including a number of processors to operate in parallel with one another. The anti-malware scanning further includes executing an anti-malware algorithm using the multimedia processor to free the central processor for a non-anti-malware related task.04-07-2011
20110078796Trusted Operating Environment For Malware Detection - Described herein are techniques and apparatuses for scanning a computing device for malware and/or viruses. In various embodiments, a trusted operating environment, which may include a trusted operating system and/or a trusted antivirus tool, may be utilized with respect to a computing device. More particularly, the trusted operating system may be used to boot the computing device. Moreover, the trusted antivirus tool may search the computing device for malware definition updates (e.g., virus signature updates) and use the trusted operating system to scan the computing device for malware. In other embodiments, the trusted antivirus tool may scan the computing device and remove any viruses detected by the trusted antivirus tool. The trusted operating system may then reboot the computing device into a clean environment once any detected viruses are removed.03-31-2011
20110252476EARLY DETECTION OF POTENTIAL MALWARE - Evidence of attempted malware attacks may be used to identify the location and nature of future attacks. A failed attack may cause a program to crash. Crash data may be sent to an analyzer for analysis. The analysis may reveal information such as the identity of the program that is being exploited, the specific way in which the program is being exploited, and the identity or location of the source of the attack. This information may be used to identify potential sources of attack and to identify the same type of attack from other sources. When the source and/or nature of an attempted attack is known, remedial action may be taken. Filters may warn users who are attempting to visit sites from which attacks have been attempted, and the makers of programs that are being exploited can be notified so that those program makers can release updates.10-13-2011
20110252477Dynamic Load Balancing In An Extended Self Optimizing Network - A method for performing load balancing in a wireless network. Operating conditions are determined in the wireless network. Network policies are dynamically adjusted based upon the operating conditions. Users are offloaded from an overloaded site to another site based upon the operating conditions.10-13-2011
20130160124Disinfection of a File System - A method for determining appropriate actions to remedy potential security lapses following infection of a device by malware. Following detection of infection of the device the device undergoes a cleaning operation. As part of the cleaning operation infected electronic files and any other associated files or objects are removed from the device. From timestamps associated with the infected files and associated files and objects, either directly or from another source such as an anti-virus trace program, the time of infection can be estimated. This allows the system to reference timestamps on the device to determine the source of the infection. Additionally, if the type of infection is identified timestamps on the device can be used to determine where there are particular areas of vulnerability due to user actions on the device.06-20-2013
20130160126MALWARE REMEDIATION SYSTEM AND METHOD FOR MODERN APPLICATIONS - A system is described for remediating a malicious modern application installed on an end user device. In an embodiment, the system includes an antimalware program executing on the end user device that can detect and attempt to remediate the malicious modern application, an operating system executing on the end user device that is configured to interact with the antimalware program for the purpose of facilitating the establishment of a connection between the end user device and an application support system in response to determining that the antimalware program has detected and attempted to remediate the malicious modern application, and the application support system that can perform remediation operations beyond those that can be performed by the antimalware program.06-20-2013
20100313268METHOD FOR PROTECTING A COMPUTER AGAINST MALICIOUS SOFTWARE - A method of protecting a computer by having security software be set to clean mode where the clean mode acts as if files installed or modified before the clean date are safe and installed or modified after the clean date as potentially harmful.12-09-2010
20100122345CONTROL SYSTEM AND PROTECTION METHOD FOR INTEGRATED INFORMATION SECURITY SERVICES - A control system and protection method for integrated information security services are provided, which include protecting data packets of a user end device by a protecting device; generating an event log according to the protection result and transmitting the recorded event log to a collective control platform for standardizing and analyzing association by the collective control platform; detecting and transmitting abnormal information by the collective control platform to a service platform for integrating the information with network status information; displaying the integrated information on a webpage interface and transmitting the same to the user end device, thereby providing direct information on network security to save the high costs of purchasing, configuring and maintaining an information security protection system by the user.05-13-2010
20120204266METHOD FOR PROVIDING AN ANTI-MALWARE SERVICE - The present invention relates to a method for providing an anti-malware service based on a server, wherein at least one server manages ‘local malware information’ associated with a predetermined region, and the server generates ‘malware component information’ for a device, on the basis of the ‘local malware information’ if the device is located in the predetermined region, and the server transmits the ‘malware component information’ to the device. Thus, the method of the present invention permits minimum data traffic to be transceived during malware DB update performed in the device so as to prevent waste of communication resources, permits the device to effectively use a limited resource, and effectively deals with malwares generated from areas of the world.08-09-2012
20120204265Systems and Methods For Message Threat Management - The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.08-09-2012
20090241194VIRTUAL MACHINE CONFIGURATION SHARING BETWEEN HOST AND VIRTUAL MACHINES AND BETWEEN VIRTUAL MACHINES - In embodiments of the present invention improved capabilities are described for presenting a physical computing machine including a virtual computer machine monitor and one or more virtual computing machines, where each of the virtual computing machines runs its own operating system, presenting one of the multiple virtual computing machines as a host, and the remaining multiple virtual computing machines as guests, and providing for a virtual machine protected environment, where suspicious file information is shared between the virtual machine protected environment and other virtual machines.09-24-2009
20090222924OPERATING A NETWORK MONITORING ENTITY - Network flow records from various administrative domains are provided to a network monitoring entity. The network monitoring entity analyzes the network flow records in a way to locate a source of malicious network flow.09-03-2009
20090222923Malicious Software Detection in a Computing Device - A method of scanning for viruses in the memory of a computing device in which only memory pages marked as executable need to be scanned. The trigger for the scan can be either via an API that changes a page from writeable to executable, or via a kernel notification that an executable page has been modified. This invention is efficient, in that it makes much previous scanning of file systems redundant; this saves power and causes devices to execute faster. It is also more secure, as it detects viruses that other methods cannot reach, and does so at the point of execution.09-03-2009
20080320594Malware Detector - The malware detection system enables out-of-the box, tamper-resistant malware detection without losing the semantic view. This system comprises at least one guest operating system and at least one virtual machine, where the guest operating system runs on the virtual machine. Having virtual resources, the virtual machine resides on a host operating system. The virtual resources include virtual memory and at least one virtual disk. A virtual machine examiner is used to examine the virtual machine. With a virtual machine inspector, a guest function extrapolator, and a transparent presenter, the virtual machine examiner resides outside the virtual machine. The virtual machine inspector is configured to retrieve virtual machine internal system states and/or events. The guest function extrapolator is configured to interpret such states and/or events. The transparent presenter is configured to present the interpreted states and/or events to anti-malware software. The anti-malware software is configured to use the interpreted states and/or events to detect any system compromise.12-25-2008
20110179491SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR CONTEXT-DRIVEN BEHAVIORAL HEURISTICS - A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan.07-21-2011
20080313738Multi-Stage Deep Packet Inspection for Lightweight Devices - A system and method for the multi-stage analysis of incoming packets. Three stages are used, each of which addresses a particular category of threat by examining the headers and/or payload of each packet (“deep packet inspection”). The first stage detects incoming viruses or worms. The second stage detects malicious applications. The third stage detects attempts at intrusion. These three stages operate in sequence, but in alternative embodiments of the invention, they may be applied in a different order. These three stages are followed by a fourth stage that acts as a verification stage. If any of the first three stages detects a possible attack, then the packet or packets that have been flagged are routed to a central verification facility. In an embodiment of the invention, the verification facility is a server, coupled with a database. Here, suspect packets are compared to entries in the database to more comprehensively determine whether or not the packets represent an attempt to subvert the information processing system.12-18-2008
20080289041TARGET DATA DETECTION IN A STREAMING ENVIRONMENT - In embodiments of the present invention improved capabilities are described for a data stream scanner. The present invention may provide for a first data portion received in association with a data stream, and the first data portion may be analyzed to make an assessment. An identity pool may then be selected from a universe of identities based on the assessment, and identities from the identity pool may be selected in a scanning process to analyze a second data portion from the data stream. In addition, the identity pool may be altered based on information obtained during the analysis of the second data portion, wherein the information obtained during the second data portion analysis may indicate the data stream is different from that projected when making the assessment based on the analysis of the first data portion.11-20-2008
20080263670Methods, software and apparatus for detecting and neutralizing viruses from computer systems and networks - Methods, software or computer programs, and apparatus for detecting viruses and mitigating their harm to computers communicating through a gateway node to another network are disclosed. Upon detection of a virus in an incoming data stream or plurality of data packets directed to a gateway device or node, the data requesting recipient is notified and provided with a plurality of pre-defined virus handling action options. If the recipient, or designated proxy, fails to select an action option, then a random selection is made. If a selection is made, then that selection, to the exclusion of other action options, is carried out. Thus, the recipient is empowered to dynamically select, as circumstances dictate and without future prejudice, the appropriate response upon detection of a particular virus. Action options may include data encryption and forwarding with recipient notification, or where email is the vector, attachment removal and location link insertion may be used. Software embodiments of the invention provide the machine readable instructions to carry out the methods according to the invention.10-23-2008
20100319071GENERIC PROTOCOL DECODER FOR GENERIC APPLICATION-LEVEL PROTOCOL SIGNATURES. - Described is a generic protocol decoder that analyzes network traffic or file data to look for a signature, and signals an intrusion prevention mechanism/system if the signature is matched. In one aspect, the generic decoder is built using generic application-level protocol analysis language (GAPAL) primitives. These primitives provide various capabilities, including pattern matching, skipping, reading data, copying variable data and comparing data. The generic decoder may be coupled to a pre-developed protocol parser that provides the decoder with the data to analyze.12-16-2010
20100325729DETERMINATION BY CIRCUITRY OF PRESENCE OF AUTHORIZED AND/OR MALICIOUS DATA - An embodiment may include circuitry that may be comprised in a host. The host may include memory and a host processor to execute an operating system. The circuitry may be to determine, independently of the operating system and the host processor, the authenticity of signature list information, based at least in part upon authentication information received by the circuitry from a remote server. The circuitry also may be to determine, independently of the operating system and the host processor, based at least in part upon comparison of at least one portion of the signature list information with at least one portion of contents of the memory, whether authorized and/or malicious data are present in the at least one portion of the contents of the memory. Of course, many variations, modifications, and alternatives are possible without departing from this embodiment.12-23-2010
20120151591SYSTEM AND METHOD FOR NETWORK EDGE DATA PROTECTION - Disclosed are systems and methods which examine information communication streams to identify and/or eliminate malicious code, while allowing the good code to pass unaffected. Embodiments operate to provide spam filtering, e.g., filtering of unsolicited and/or unwanted communications. Embodiments provide network based or inline devices that scan and scrub information communication in its traffic pattern. Embodiments are adapted to accommodate various information communication protocols, such as simple mail transfer protocol (SMTP), post office protocol (POP), hypertext transfer protocol (HTTP), Internet message access protocol (IMAP), file transfer protocol (FTP), domain name service (DNS), and/or the like, and/or routing protocols, such as hot standby router protocol (HSRP), border gateway protocol (BGP), open shortest path first (OSPF), enhanced interior gateway routing protocol (EIGRP), and/or the like.06-14-2012
20110016530DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES - Systems and methods that can detect known undesired computer files in protected archives are provided. According to one embodiment, an archive file in transit across a network as an attachment to an email message destined for a client workstation is scanned, without decrypting or decompressing contents of the archive, by an anti-virus detection module running on a network gateway. A type and associated structure of the archive are identified by examining primary or secondary identification bytes of the archive. Based on the type and structure, descriptive information regarding a contained file is obtained. The descriptive information includes a hash value of the contained file in uncompressed format. If the descriptive information matches a signature of a known undesired computer file, then a clean version of the archive is produced by removing the contained file and regenerating the archive. Finally, the clean version of the archive is delivered.01-20-2011
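The archive-scanning approach in the entry above (20110016530), as an added worked example rather than the patent's own code: it walks a ZIP's central directory with struct, never inflating member data, and matches each member's descriptive information against a blocklist. A ZIP central directory carries a CRC32 and the uncompressed size rather than a cryptographic hash, so this example uses that pair as the matching key. The archive, the "known undesired" payload and the signature name Sample.Unwanted.A are all constructed for the example. The clean-up step that regenerates the archive does read member data, unlike the scan.

```python
import io
import struct
import zipfile
import zlib

# ZIP record layouts (PKWARE APPNOTE). Only the central directory is read during
# the scan, so member data is never decompressed.
EOCD_SIG = struct.pack("<I", 0x06054B50)
CD_SIG = 0x02014B50
CD_HEADER = "<IHHHHHHIIIHHHHHII"  # 46-byte fixed part of a central directory header
EOCD = "<IHHHHIIH"                # 22-byte end-of-central-directory record

# Constructed "known undesired file" and its signature: (crc32, uncompressed size).
# CRC32 is a matching key for a blocklist lookup, not proof of identity.
BAD_PAYLOAD = b"MZ\x90\x00constructed-sample-unwanted-binary\x00"
KNOWN_BAD = {(zlib.crc32(BAD_PAYLOAD) & 0xFFFFFFFF, len(BAD_PAYLOAD)): "Sample.Unwanted.A"}


def list_members(archive: bytes):
    """Walk the central directory and return (name, crc32, uncompressed_size)
    per member. Raises ValueError on anything that is not a plain ZIP."""
    eocd_at = archive.rfind(EOCD_SIG)
    if eocd_at < 0 or len(archive) - eocd_at < 22:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack(EOCD, archive[eocd_at:eocd_at + 22])
    if total == 0xFFFF or cd_offset == 0xFFFFFFFF:
        raise ValueError("ZIP64 archives are out of scope for this example")
    pos, members = cd_offset, []
    for _ in range(total):
        fields = struct.unpack(CD_HEADER, archive[pos:pos + 46])
        if fields[0] != CD_SIG:
            raise ValueError("corrupt central directory")
        crc, usize, nlen, xlen, clen = fields[7], fields[9], fields[10], fields[11], fields[12]
        name = archive[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        members.append((name, crc, usize))
        pos += 46 + nlen + xlen + clen
    return members


def scan_archive(archive: bytes, signatures=KNOWN_BAD):
    """Return [(member name, signature name)] for members whose descriptive
    information matches a known undesired file."""
    return [(name, signatures[(crc, size)])
            for name, crc, size in list_members(archive) if (crc, size) in signatures]


def clean_archive(archive: bytes, flagged_names):
    """Regenerate the archive without the flagged members. Unlike the scan,
    this step reads member data, since the remaining entries are re-written."""
    src = zipfile.ZipFile(io.BytesIO(archive))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename not in flagged_names:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_archive():
    """Constructed e-mail attachment: one harmless text member, one flagged member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"nothing to see here\n")
        zf.writestr("payload.exe", BAD_PAYLOAD)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    hits = scan_archive(archive)
    print("flagged:", hits)
    cleaned = clean_archive(archive, {name for name, _ in hits})
    print("remaining:", [m[0] for m in list_members(cleaned)])
```

Password-protected members still expose CRC and sizes in the central directory, which is exactly what this metadata-only match relies on. CRC32 is not collision resistant, so a hit should gate a stricter check rather than be the final verdict, and ZIP64 archives use a different end-of-central-directory layout, which the example rejects rather than mis-parses.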
20120278895METHODS AND APPARATUS FOR DEALING WITH MALWARE - In one aspect, a method of classifying a computer object as malware includes receiving at a base computer data about a computer object from each of plural remote computers on which the object or similar objects are stored. The data about the computer object received from the plural computers is compared in the base computer. The computer object is classified as malware on the basis of said comparison. In one embodiment, the data about the computer object includes one or more of: executable instructions contained within or constituted by the object;11-01-2012
20120311710COMPUTER PROGRAM, METHOD, AND SYSTEM FOR PREVENTING EXECUTION OF VIRUSES AND MALWARE - Preventing execution of viruses or malware on a computing device includes compiling an inventory recordation of legitimate applications while in a training mode and terminating execution of any application not on the inventory recordation while in a protected mode. A user may train the computer program to identify legitimate applications routinely accessed by the user and to be updated to the inventory recordation, such that the inventory recordation is personal to the user. After training, the protected mode is activated. While an Internet browser or e-mail client application is activated while in the protected mode, execution of any accessed application that is not uniquely identified on the inventory recordation is terminated.12-06-2012
20120311709AUTOMATIC MANAGEMENT SYSTEM FOR GROUP AND MUTANT INFORMATION OF MALICIOUS CODES - An automatic management system includes a malicious code group-mutant storage module that receives a malicious code analysis result from a malicious code collection-analysis system and extracts group information and mutant information of the malicious codes based on the malicious code analysis result, a malicious code group-mutant DB that stores the extracted group information and mutant information, a malicious code group-mutant management module that provides an interface to allow a user to detect the group information and mutant information stored in the malicious code group-mutant DB, and a visualizing module that outputs the detection result to the user, wherein the malicious code group-mutant management module groups malicious codes having action associations using the group information and mutant information stored in the malicious code group-mutant DB, outputs the group information through the visualizing module, and outputs the mutant information based on CFG similarity and string similarity through the visualizing module.12-06-2012
20120311708SYSTEM AND METHOD FOR NON-SIGNATURE BASED DETECTION OF MALICIOUS PROCESSES - Systems and methods for detecting malicious processes in a non-signature based manner are disclosed. The system and method may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plurality of process categories.12-06-2012
20110138467Method and System for Content Distribution Network Security - A content delivery system includes an upload module, a content delivery module, and a monitoring module. The upload module is configured to receive content from a content provider, detect content containing malicious software or proprietary information, and provide information about the content to a monitoring module. The content delivery module is configured to detect content containing malicious software or unauthorized changes, detect operational changes to the content delivery module, provide information about the content and the operational changes to the monitoring module, receive a request for the content from a client system, and provide the content to the client system. The monitoring module is configured to monitor a network for potentially malicious traffic, receive information from the content delivery module and the upload module, correlate the information and the potentially malicious traffic to identify a security event, and trigger a response to the security event.06-09-2011
20110126286SILENT-MODE SIGNATURE TESTING IN ANTI-MALWARE PROCESSING - Method and computer program product for signature testing used in anti-malware processing. Silent signatures, after being tested, are not updated into a white list and are sent directly to users instead. If the silent signature coincides with a malware signature, the user is not informed. A checksum (e.g., hash value) of a suspected file is sent to a server, where statistics are kept and analyzed. Based on collected false positive statistics of the silent signature, the silent signature is determined to be either valid or invalid. Use of the silent signatures provides for effective signature testing and reduces response time to new malware-related threats. The silent signature method is used for turning off a signature upon the first false positive occurrence. Use of silent signatures allows improving heuristic algorithms for detection of unknown malware.05-26-2011
20110126287ANTI-VIRUS PROTECTION SYSTEM AND METHOD THEREOF - An anti-virus protection system and method including receiving an address of a data server from a user, writing and transmitting a request message including the address received from the user, receiving the data from the data server, and determining whether the data contains a malignant virus. Thus, a malignant web site is scanned/filtered while minimally using the restricted memory and central processing unit (CPU) resources of a mobile device, and the user uses a mobile device whose security is ensured even though the user moves to another country.05-26-2011
20110016529INFORMATION PROCESSING APPARATUS COOPERATING WITH VIRUS MANAGEMENT FUNCTION DEVICE, AND ANTI-VIRUS METHOD - An information processing apparatus provided with a first information processing unit and a second information processing unit, wherein the first information processing unit infected by a virus is cleared and normal communication restored quickly without human operation. The virus infection is quickly detected by an external virus management function device through a first communication system, a communication suspension instruction is transferred through a different second communication system having a high security level to the first information processing unit, and communication by the first communication system is disconnected. Further, anti-virus solution information is transferred to the first processing unit through the second communication system, and virus removal in the first processing unit is carried out. Further, after removal, the disconnected communication is restarted.01-20-2011
20110138468Distributed Security Provisioning - Systems, methods and apparatus for a distributed security system that provides security processing external to a network edge. The system can include many distributed processing nodes and one or more authority nodes that provide security policy data, threat data, and other security data to the processing nodes. The processing nodes detect and stop the distribution of malware, spyware and other undesirable content before such content reaches the destination network and computing systems.06-09-2011
20120278894RESISTING THE SPREAD OF UNWANTED CODE AND DATA - A method or system of receiving an electronic file containing content data in a predetermined data format, the method comprising the steps of: receiving the electronic file, determining the data format, parsing the content data, to determine whether it conforms to the predetermined data format, and if the content data does conform to the predetermined data format, regenerating the parsed data to create a regenerated electronic file in the data format.11-01-2012
20100306849ON-ACCESS ANTI-VIRUS MECHANISM FOR VIRTUAL MACHINE ARCHITECTURE - A tangible medium embodying instructions usable by a computer system to protect a plurality of guest virtual machines (VMs), which execute via virtualization software on a common host platform, from malicious code is described. A scan engine is configured to scan data for malicious code and determine a result of the scanning, wherein the result indicates whether malicious code is present in the data. A driver portion is configured for installation in an operating system of a target VM, which is one of the guest VMs. The driver portion intercepts an access request to a file that originates within the target VM. The driver portion communicates information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine. The scan engine executes within the virtualization layer outside a context of the target VM.12-02-2010
20110191850Malware detection - According to a first aspect of the present invention there is provided a method of operating a computer to detect malware, which malware writes a copy of an executable file to a non-volatile memory of the computer and creates a launch point that causes that executable file to be run at start-up of the computer. The method includes, during the shutdown procedures of the computer, monitoring the creation and/or modification of any launch points and, for any such modification or creation, saving a further copy of any executable file associated with the launch point to the non-volatile memory, and, following a subsequent start-up of the computer, examining said further copy to determine if it is potential malware.08-04-2011
20110167495METHOD AND SYSTEM FOR DETECTING MALWARE - A system and method of analysis. NX domain names are collected from an asset in a real network. The NX domain names are domain names that are not registered. The real network NX domain names are utilized to create testing vectors. The testing vectors are classified as benign vectors or malicious vectors based on training vectors. The asset is then classified as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector.07-07-2011
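The flow in the entry above (20110167495), as an added example and not the patent's method, which does not specify features or classifier: the NX domain names observed from an asset are reduced to a feature vector, training vectors from known-infected and known-clean assets are collapsed to one centroid per class, and the asset is classified by the nearest centroid. The domain lists, the three features (mean leftmost-label length, mean character entropy, mean vowel ratio) and the nearest-centroid rule are assumptions made for this illustration.

```python
import math
from collections import Counter

# Constructed NXDOMAIN observations, grouped per asset. A DGA-infected host burns
# through many random-looking unregistered names; a clean host mostly produces
# typos and stale names.
TRAIN_MALICIOUS = [
    ["xq7zk3vplm2w.com", "kd9fwp3nbr1xq.net", "zz4mqrt8vhx.biz", "pq2wv9lmdxk7.org"],
    ["bnr4kx8ztqp.com", "lm7vcq2xwzr9.info", "tqx3kp9zlnm.net", "hv8zmq4xwtp2.com"],
]
TRAIN_BENIGN = [
    ["gogle.com", "facebok.com", "wikipedai.org", "amazn.com"],
    ["linkedn.com", "twiter.com", "yotube.com", "redit.com"],
]


def _entropy(s: str) -> float:
    """Shannon entropy (bits per character) of a label."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def nx_vector(nx_domains):
    """Feature vector for one asset over its NX domain names (assumed features):
    mean leftmost-label length, mean character entropy, mean vowel ratio."""
    labels = [d.split(".")[0].lower() for d in nx_domains if "." in d and d.split(".")[0]]
    if not labels:
        raise ValueError("no NX domain names to featurize")
    n = len(labels)
    return (
        sum(len(l) for l in labels) / n,
        sum(_entropy(l) for l in labels) / n,
        sum(sum(ch in "aeiou" for ch in l) / len(l) for l in labels) / n,
    )


def centroid(vectors):
    dims = len(vectors[0])
    return tuple(sum(v[i] for v in vectors) / len(vectors) for i in range(dims))


def train():
    """Training vectors reduce to one centroid per class (nearest-centroid classifier)."""
    return {
        "malicious": centroid([nx_vector(d) for d in TRAIN_MALICIOUS]),
        "benign": centroid([nx_vector(d) for d in TRAIN_BENIGN]),
    }


def classify_asset(nx_domains, model):
    """Classify the asset as 'infected' if its NX testing vector is closest to
    the malicious centroid, otherwise 'clean'."""
    v = nx_vector(nx_domains)
    dist = {label: math.dist(v, c) for label, c in model.items()}
    return "infected" if min(dist, key=dist.get) == "malicious" else "clean"


if __name__ == "__main__":
    model = train()
    print("centroids:", model)
    print(classify_asset(["wq8zkt3mvxp.com", "rt5vzq9nlkm2.net", "pzk7xwq2mtr.org"], model))
    print(classify_asset(["gooogle.com", "microsft.com", "netflx.com"], model))
```

The features are deliberately unscaled here, so label length dominates the distance; a real deployment would normalise features, add more of them (TLD distribution, query timing, NX rate) and use a classifier fitted on far more assets than the handful above. The point of the example is the shape of the pipeline: per-asset vector, training vectors, class decision.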
20110099636Read-only protection method for removable storage medium - A read-only protection method for a removable storage medium has the steps of establishing a copy prohibited list, receiving a write command for the removable storage medium, determining whether to allow duplication of data to the removable storage medium, allowing duplication of data to the removable storage medium when the data to be duplicated are not listed in the copy prohibited list and prohibiting duplication of data to the removable storage medium when the data to be duplicated are listed in the copy prohibited list. The method of the present invention prohibits copying of pre-designated data to the removable storage medium, but writing other data is allowed.04-28-2011
20120151588Malware Detection for SMS/MMS Based Attacks - Devices, systems, and methods are disclosed which utilize lightweight agents on a mobile device to detect message-based attacks. In exemplary configurations, the lightweight agents are included as contacts on the mobile device addressed to an agent server on a network. A malware onboard the mobile device, intending to propagate, unknowingly addresses the lightweight agents, sending messages to the agent server. The agent server analyzes the messages received from the mobile device of the deployed lightweight agents. The agent server then generates attack signatures for the malware. Using malware propagation models, the system estimates how many active mobile devices are infected as well as the total number of infected mobile devices in the network. By understanding the malware propagation, the service provider can decide how to deploy a mitigation plan on crucial locations. In further configurations, the mechanism may be used to detect message and email attacks on other devices.06-14-2012
20120151585Method and System for Identifying Malicious Messages in Mobile Communication Networks, Related Network and Computer Program Product Therefor - A system for identifying malicious messages transmitted over a mobile communication network includes: sentinel modules associated with respective mobile terminals in the network for monitoring messages passing therethrough, wherein the sentinel modules identify as a candidate malicious message, any message passing through the mobile terminals and failing to comply with a first set of patterns and issue a corresponding sentinel identification message; a set of probe modules for monitoring messages transmitted over the network, wherein the probe modules identify as a candidate malicious message any message transmitted over the network and failing to comply with a second set of patterns and issue a corresponding probe identification message; and preferably at least one client honeypot module for receiving and processing any messages sent thereto to produce corresponding processing results, wherein the client honeypot module identifies as a candidate malicious message any message producing a processing result failing to comply with a third set of patterns and issues a corresponding client honeypot identification message.06-14-2012
20090300765UNKNOWN MALCODE DETECTION USING CLASSIFIERS WITH OPTIMAL TRAINING SETS - The present invention is directed to a method for detecting unknown malicious code, such as a virus, a worm, a Trojan Horse or any combination thereof. Accordingly, a Data Set is created, which is a collection of files that includes a first subset with malicious code and a second subset with benign code files, and malicious and benign files are identified by an antivirus program. All files are parsed using n-gram moving windows of several lengths and the TF representation is computed for each n-gram in each file. An initial set of top features (e.g., up to 5500) of all n-grams is selected, based on the DF measure, and the number of the top features is reduced to comply with the computation resources required for classifier training, by using feature selection methods. The optimal number of features is then determined based on the evaluation of the detection accuracy of several sets of reduced top features, and different data sets with different distributions of benign and malicious files are prepared, based on the optimal number, which will be used as training and test sets. For each classifier, the detection accuracy is iteratively evaluated for all combinations of training and test set distributions, while in each iteration, training a classifier using a specific distribution and testing the trained classifier on all distributions. The optimal distribution that results in the highest detection accuracy is selected for that classifier.12-03-2009
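The feature-extraction stages of the entry above (20090300765), as an added example rather than the patent's code: n-gram moving windows of several lengths over each file, a TF representation per n-gram per file, an initial top set chosen by DF, and a feature-selection method to cut that set down to what classifier training can afford. The byte strings standing in for files, their labels, the window lengths and the choice of Fisher score as the reduction method are constructed assumptions; the classifier training and the training/test distribution sweep are not covered.

```python
from collections import Counter

# Constructed stand-ins for parsed files; the label (0 benign, 1 malicious) plays
# the role of the antivirus verdict used to build the Data Set.
DATA_SET = {
    "calc.bin":  (b"MZ\x90\x00\x03kernel32.dll GetProcAddress\x00", 0),
    "notes.bin": (b"MZ\x90\x00\x03user32.dll MessageBoxA\x00", 0),
    "drop.bin":  (b"MZ\x90\x00\x03kernel32.dll WriteProcessMemory CreateRemoteThread\x00", 1),
    "inj.bin":   (b"MZ\x90\x00\x03ntdll.dll CreateRemoteThread VirtualAllocEx\x00", 1),
}
WINDOW_LENGTHS = (3, 4, 5)  # assumed n-gram lengths


def ngrams(data: bytes, n: int):
    """Moving window of length n over the file bytes."""
    return (data[i:i + n] for i in range(len(data) - n + 1))


def term_frequencies(data: bytes, lengths=WINDOW_LENGTHS):
    """TF representation: count of each n-gram (all window lengths pooled)
    divided by the total number of windows in the file."""
    counts = Counter()
    for n in lengths:
        counts.update(ngrams(data, n))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()}


def featurize_corpus(data_set):
    """TF dictionaries and labels for every file in the Data Set."""
    tfs = {name: term_frequencies(data) for name, (data, _) in data_set.items()}
    labels = {name: label for name, (_, label) in data_set.items()}
    return tfs, labels


def document_frequencies(tf_per_file):
    """DF: number of files in which each n-gram occurs at least once."""
    df = Counter()
    for tf in tf_per_file.values():
        df.update(tf.keys())
    return df


def select_top_features(tf_per_file, top: int):
    """Initial feature set: the `top` n-grams with the highest DF
    (ties broken by byte order so the result is deterministic)."""
    df = document_frequencies(tf_per_file)
    return [g for g, _ in sorted(df.items(), key=lambda kv: (-kv[1], kv[0]))[:top]]


def fisher_score(tf_per_file, labels, feature):
    """Feature-selection method (assumed): between-class separation of the TF
    values over within-class spread. A high score marks a discriminative n-gram."""
    groups = {0: [], 1: []}
    for name, tf in tf_per_file.items():
        groups[labels[name]].append(tf.get(feature, 0.0))
    means = {c: sum(v) / len(v) for c, v in groups.items()}
    variances = {c: sum((x - means[c]) ** 2 for x in v) / len(v) for c, v in groups.items()}
    return (means[1] - means[0]) ** 2 / (variances[0] + variances[1] + 1e-12)


def reduce_features(tf_per_file, labels, candidates, keep: int):
    """Cut the DF-selected set down to `keep` features by Fisher score."""
    return sorted(candidates, key=lambda g: -fisher_score(tf_per_file, labels, g))[:keep]


def vectorize(tf, features):
    """Fixed-length TF vector in feature order, ready for classifier training."""
    return [tf.get(g, 0.0) for g in features]


if __name__ == "__main__":
    tfs, labels = featurize_corpus(DATA_SET)
    initial = select_top_features(tfs, 50)
    final = reduce_features(tfs, labels, initial, 8)
    for name in DATA_SET:
        print(name, labels[name], [round(x, 4) for x in vectorize(tfs[name], final)])
```

Note what the two stages do differently: DF alone promotes n-grams that every file shares (here the MZ header and ".dll "), which carry no class information; the supervised reduction step is what pushes class-specific n-grams such as those inside CreateRemoteThread ahead of them. On a real corpus the n-gram space is enormous, so the DF pass is also what keeps memory bounded before any supervised scoring runs.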
20090293126MALWARE DETECTION DEVICE - An exemplary malware detection device includes a data pathway provided between a first data transfer device and a second data transfer device and a processor attached to the data pathway. A memory accessible by the processor contains at least one malware signature and instructions for controlling the processor to interconnect the first and second data transfer devices, direct at least a portion of a data transfer across the data pathway to the processor for analysis, independently analyze the portion of the data transfer using the malware signature, identify malware contained in the portion of the data transfer, and interrupt the data transfer based on the identification of malware.11-26-2009
20110145923COMPUTER HAVING SPECIAL PURPOSE SUBSYSTEMS AND CYBER-TERROR AND VIRUS IMMUNITY AND PROTECTION FEATURES - A method or system for supporting a computer system's self-repair, including the computer-executed steps of booting from a first boot device, and booting from a second boot device in response to a signal indicating a need for repair. While booted from the second boot device, the computer system is capable of repairing software on the first boot device. The signal may effect a logical or physical switch. Repairing software may be performed in part by copying template, backup or archive software from a device other than the first boot device. Repairing software may be performed automatically without direction by a user or according to preset preferences. Computer architecture having special purpose subsystems that provides cyber-terror and virus immunity and protection features.06-16-2011
20110265182MALWARE INVESTIGATION BY ANALYZING COMPUTER MEMORY - Technology is described for malware investigation by analyzing computer memory in a computing device. The method can include performing static analysis on code for a software environment to form an extended type graph. A raw memory snapshot of the computer memory can be obtained at runtime. The raw memory snapshot may include the software environment executing on the computing device. Dynamic data structures can be found in the raw memory snapshot using the extended type graph to form an object graph. An authorized memory area can be defined having executable code, static data structures, and dynamic data structures. Implicit and explicit function pointers can be identified. The function pointers can be checked to validate that the function pointers reference a valid memory location in the authorized memory area and whether the computer memory is uncompromised.10-27-2011
20100024034DETECTING MACHINES COMPROMISED WITH MALWARE - A computer system can be configured to identify when it has been infected with or otherwise compromised by malware, such as viruses, worms, etc. In one implementation, a computer system receives and installs one or more decoy contacts in a contact store and further installs one or more malware reporting modules that effectively filter outgoing messages. For example, a malware reporting module can redirect messages with a decoy contact address to an alternate inbox associated with the decoy contact. The same malware reporting module, or another module in the system, can also generate one or more reports indicating the presence of malware, either due to detection of the decoy contact address, or due to identifying messages in the decoy contact inbox. The host computer system that sent the message to the decoy contact can then be flagged as infected with malware.01-28-2010
20100017881Portable Electronic Device and Method for Securing Such Device - The device of the invention includes: a first interface (01-21-2010
20110154496Removable Apparatus and Method for Verifying an Executable File in a Computing Apparatus and Computer-Readable Medium Thereof - Apparatus and method for verifying an executable file in a computing apparatus by a removable apparatus and computer-readable medium thereof are provided. The removable apparatus boots up the computing apparatus and retrieves the executable file from the computing apparatus. After retrieving the executable file, a vendor-verify module and a digest-check module perform a vendor verification and a digest verification on the executable file, respectively. If the executable file fails in both the vendor verification and the digest verification, a file-link-detect module and an auto-run determination module check the behaviors of the executable file for deciding whether the executable file is suspicious.06-23-2011
20090187991TRUSTED SECURE DESKTOP - Systems and methods for simultaneously protecting software components (07-23-2009
20110307956SYSTEM AND METHOD FOR ANALYZING MALICIOUS CODE USING A STATIC ANALYZER - Analyzing computer code using a tree is described. For example, a client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and to the network. The gateway is configured to receive computer code from the non-trusted entity via the network. The gateway builds a tree representing the computer code. The tree has one or more nodes. A node of the tree represents a statement from the computer code. The gateway analyzes the statement to identify symbol data. The symbol data describes a name of the variable and the value of the variable. The gateway stores the symbol data in a symbol table.12-15-2011
20120047581EVENT-DRIVEN AUTO-RESTORATION OF WEBSITES - An event-driven auto-restoration system for websites comprises a processing system. The processing system is configured to detect an event associated with a website indicative of a change in the website to an undesired state. The processing system is further configured to dynamically generate a restoration process and employ the restoration process to restore the website to a desired state. The processing system is further configured to employ a verification process to verify that the website has been restored to the desired state.02-23-2012
20120210431Detecting a trojan horse - A method and apparatus for detecting a Trojan in a suspicious software application in the form of at least one electronic file. A computer device determines the source from which the suspicious software application was obtained. A comparison is then made between the source from which the suspicious software application was obtained and a source from which an original, clean version of the software application was obtained. If the sources differ, then it is determined that the suspicious application is more likely to contain a Trojan horse than if the sources were the same.08-16-2012
20120047580METHOD AND APPARATUS FOR ENFORCING A MANDATORY SECURITY POLICY ON AN OPERATING SYSTEM (OS) INDEPENDENT ANTI-VIRUS (AV) SCANNER - An antivirus (AV) application specifies a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest. A loader verifies the fault handler code image and the fault handler manifest, creates a first security domain having a first security level, copies the fault handler code image to memory associated with the first security domain, and initiates execution of the fault handler. The loader requests the locking of memory pages in the guest OS that are reserved for the AV application. The fault handler locks the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory.02-23-2012
20120005756NETWORK SECURITY ARCHITECTURE - A network security system is deployed between an internet backbone and intranets that belong to subscribing organizations. The system includes a scanning system that scans incoming electronic mail for malicious code and an anti-virus server for downloading anti-virus code to clients on the intranets. A switch is provided for directing incoming electronic mail from the internet backbone to the scanning system so that the electronic mail can be scanned. In one embodiment, a decoy server is also provided for masquerading as a legitimate server and logging suspicious activity from communications received from the internet backbone.01-05-2012
20110167494METHODS, SYSTEMS, AND MEDIA FOR DETECTING COVERT MALWARE - Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: generating simulated user activity outside of the computing environment; conveying the simulated user activity to an application inside the computing environment; and determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.07-07-2011
20120011589METHOD, APPARATUS, AND SYSTEM FOR DETECTING A ZOMBIE HOST - The present invention relates to the communications field, and in particular, to a detection method, an apparatus, and a network with detection functions. The present invention solves the problem that the Botnet cannot be detected on a current communication network. The detection method is used to detect a Botnet and includes: obtaining a network address translation (NAT) table; detecting a behavior plane and a communication plane of a host according to the NAT table; and performing cluster analysis on results of detection on the communication plane and the behavior plane.01-12-2012
20120011588METHOD AND APPARATUS FOR ENHANCED BROWSING WITH SECURITY SCANNING - A method and apparatus for enhanced browsing with security scanning. Within a document (e.g., a web page, a word processing document, a list of electronic mail messages), a link to other content or another document is selected by a computing device and the content is identified before a user clicks on the link to open the content. The content is placed into a safe cache that prevents the content from adversely affecting the user's computing device. The content is scanned and/or its behavior is analyzed to detect any security threats or undesirable content (e.g., viruses, worms, scripts, adware, spyware, pornography). Results of the analysis may be collected at a central server. The link or an associated indicator may be configured to indicate whether a threat is present; more information may be provided as desired. A user may be provided with various options to ignore a threat, disable the link, etc.01-12-2012
20120117652Network-Based Binary File Extraction and Analysis for Malware Detection - A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.05-10-2012
20120117651Malicious Mobile Code Runtime Monitoring System and Methods - Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides for monitoring information received, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts.05-10-2012
20120017279METHOD AND APPARATUS FOR VIRUS THROTTLING WITH RATE LIMITING - A method for traffic control of a network device in a network is disclosed. The network device determines potentially malicious behavior by a host device in the network. A permissible rate of traffic from the host device through a port of the network device is reduced in response to determining the potentially malicious behavior. A rate of traffic through the port of the network device is measured. The measured traffic rate is compared with a threshold rate. The permissible rate of traffic is adjusted based on the comparison.01-19-2012
20120017277SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - A method of updating a content detection module includes obtaining content detection data, and transmitting the content detection data to a content detection module, wherein the transmitting is performed not in response to a request from the content detection module. A method of sending content detection data includes obtaining content detection data, selecting an update station from a plurality of update stations, and sending the content detection data to the selected update station. A method of building a content detection system includes establishing a first communication link between a central station and an update station, the central station configured to transmit content detection data to the update station, and establishing a second communication link between the update station and a content detection module.01-19-2012
20120017276SYSTEM AND METHOD OF IDENTIFYING AND REMOVING MALWARE ON A COMPUTER SYSTEM - A system and accompanying method of identifying and removing malware on a computer system is disclosed. The system comprises a source file containing reference attributes and properties of components of a local computer system in a state unaffected by malware, and exact copies of the system control files. The components of the local computer system may comprise executable and script files such as operating system files, application programs, system controls, registry files and all other executable and script files and their related relevant files. The current status of executables is checked against the reference attributes. All executables on the local computer system failing certain match criteria are removed from the local system, or alternatively, replaced with reference copies from the source file. Thereby, the system and method identifies malware based on previous system state, method of entry into the local computer system, and intention to automatically execute either upon booting or upon launching of a computer program which a user has intentionally installed and which the user would normally believe to be free of malware.01-19-2012
20120017275Identifying polymorphic malware - A method and apparatus for identifying an electronic file as polymorphic malware. A server receives from a client device a hash value and metadata associated with an electronic file. The server determines that the received metadata relates to corresponding metadata stored at a database, the corresponding stored metadata being associated with a further hash value that differs from the received hash value. A determination is made that each of the received hash values have been reported by fewer than a predetermined number of clients and, as a result, it is determined that the electronic file is likely to be polymorphic malware.01-19-2012
20120017278ALERT MESSAGE CONTROL OF SECURITY MECHANISMS IN DATA PROCESSING SYSTEMS - An authenticated secure network communication link is established between an alert message generating computer 01-19-2012
20130185799TRUSTED INSTALLATION OF A SOFTWARE APPLICATION - The trust reputation of the combination of an installation package and installer, as a pair, and the combination of a file and an installer, as a pair, is used to store the identity of a file in a persistent cache. An entry in the persistent cache indicates the trustworthiness of a file that does not contain malware, thereby avoiding a scan of the file for malware. The trustworthiness of a file may be determined from known trust reputations of the installation package, installer, and file from a network of computing resources. By relying on the known trust reputation of the combination of the installation package and installer and the combination of the file and installer, the identity of the file may be stored in the persistent cache quickly.07-18-2013
20120023585Method and Systems for Computer Security - A method for computer security includes intercepting an incoming communication, placing the communication into a quarantine queue, selecting a communication from the quarantine queue, determining whether the selected communication contains undesirable code, determining whether a quarantine time for the selected communication has elapsed if the selected communication does not contain undesirable code, and placing the selected communication back in the quarantine queue if the quarantine time has not elapsed.01-26-2012
20120023584DEVICE AND METHOD FOR PROVIDING SOC-BASED ANTI-MALWARE SERVICE, AND INTERFACE METHOD - A device in which a system-on-chip (SOC) providing an anti-malware service is mounted and a method of performing the anti-malware service are provided. The device includes: a storage unit which stores a function library which is a collection of operations provided for use in the SOC providing the anti-malware service; and a scanning data sender which forms SOC transmission data with data to be scanned for viruses by calling at least one of the operations, and transmits the SOC transmission data to the SOC. Accordingly, a mobile device scans files for viruses and filters packets at a high speed.01-26-2012
20120159629METHOD AND SYSTEM FOR DETECTING MALICIOUS SCRIPT - A method for detecting a malicious script is provided. A plurality of distribution eigenvalues are generated according to a plurality of function names of a web script. After the distribution eigenvalues are inputted to a hidden Markov model (HMM), probabilities respectively corresponding to a normal state and an abnormal state are calculated. Accordingly, whether the web script is malicious or not can be determined according to the probabilities. Even if an attacker attempts to change the event order, insert a new event or replace an event with a new one to avoid detection, the method can still recognize the intent hidden in the web script by using the HMM for event modeling. As such, the method may be applied in detection of obfuscated malicious scripts.06-21-2012
20120159632Method and Arrangement for Detecting Fraud in Telecommunication Networks - Method and arrangement in a mediating function (06-21-2012
20120159633System and Method for Updating Antivirus Cache - Disclosed are systems, methods and computer program products for updating an antivirus cache during a malware scan of a computer system. In particular, an antivirus cache stored in a non-volatile system memory may be updated with information from an antivirus database during execution of malware detection processes launched on the computer system. If a malware detection process uses one or more sections of the antivirus cache which require updating, the system replicates those sections of the antivirus cache and updates them. Each update contains different types of data and code associated with different types of malware. During the update, the same types of data for each type of malware are collected and stored as data files in corresponding sections of the antivirus cache, and executable code sections are converted into platform-specific dynamic libraries and also stored in the antivirus cache.06-21-2012
20120159630PROGRAM EXECUTION INTEGRITY VERIFICATION FOR A COMPUTER SYSTEM - A computer system may be employed to verify program execution integrity by receiving a request to launch a program that has been instrumented to include at least one integrity marker, instantiating the program with an integrity marker value, and verifying the execution integrity of the program based on the integrity marker value and information received from the program during execution. A computer system may also be employed for program instrumentation by modifying the program to include at least one instruction for passing an integrity marker value to an operating system kernel during execution of the instruction.06-21-2012
20120159631Anti-Virus Scanning - A method and apparatus for performing an anti-virus scan of a file system. Intermediate scanning results are obtained for a file in the file system, prior to a scan of the file being completed. The intermediate scanning results are then stored in a database. The intermediate scanning results can be used to speed up subsequent scans, and to provide other useful information to an on-line anti-virus server. In a subsequent scan of the file system, a determination is made whether intermediate scanning results relating to the file are available in the database. If they are available for a particular type of intermediate scan, then a scan need not be performed for the file. If they are not, then the scan can be performed.06-21-2012
20120159628MALWARE DETECTION APPARATUS, MALWARE DETECTION METHOD AND COMPUTER PROGRAM PRODUCT THEREOF - A malware detection apparatus, a malware detection method, and a computer program product thereof are provided. The malware detection apparatus is used to detect a program. The program executes a first process. The malware detection apparatus comprises a storage unit and a processing unit. The storage unit is configured to store a malicious behavior profile of a malware. The processing unit is configured to construct a first behavior profile according to the first process, compare the first behavior profile with the malicious behavior profile and generate a comparison result. The processing unit updates a behavior record table according to the comparison result, and determines that the program is the malware according to the behavior record table.06-21-2012
20120072988DETECTION OF GLOBAL METAMORPHIC MALWARE VARIANTS USING CONTROL AND DATA FLOW ANALYSIS - Malware feature extraction derives semantic summaries of executable malware using global, inter-procedural program analysis techniques. A combination of global, inter-procedural program analysis techniques constructs semantic summaries of malware which automatically detect and discard any noise introduced by transformations and capture the essence of the underlying computations in a succinct form. This is achieved in two ways. First, global control flow analysis techniques are used to derive a high level representation of malware code that, for instance, removes the effects of subroutine calls. Second, global data flow analysis techniques are employed to detect and remove all spurious elements of malware that do not contribute towards its underlying computation, thereby preventing the resulting summaries from being “corrupted” with unnecessary, extraneous elements.03-22-2012
20080320595Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine - An automated analysis system identifies the presence of malicious P-code or N-code programs in a manner that limits the possibility of the malicious code infecting a target computer. The target computer system initializes an analytical virtual P-code engine (AVPE). As initialized, the AVPE comprises software simulating the functionality of a P-code or intermediate language engine as well as machine language facilities simulating the P-code library routines that allow the execution of N-code programs. The AVPE executes a target program so that the target program does not interact with the target computer. The AVPE analyzes the behavior of the target program to identify occurrence of malicious code behavior and to indicate in a behavior pattern the occurrence of malicious code behavior. The AVPE is terminated at the end of the analysis process, thereby removing from the computer system the copy of the target program that was contained within the AVPE.12-25-2008
20120079597MOBILE COMMUNICATION SYSTEM AND MOBILE TERMINAL HAVING FUNCTION OF INACTIVATING MOBILE COMMUNICATION VIRUSES, AND METHOD THEREOF - A mobile communication system for inactivating a virus includes: a database associated with the mobile communication system, for storing at least one virus vaccine program; and a virus monitoring unit associated with the mobile communication system, for checking received data for virus infection, analyzing virus information, choosing one of the virus vaccine programs that are stored in the database and inactivating the virus. Virus vaccine programs are updated in a timely manner over the air (OTA) whenever a new version of a vaccine program is available.03-29-2012
20120124668Method for Immunizing Data in Computer Systems from Corruption - A system for immunizing a computer network against adverse effects caused by the receipt of a corrupting message. Each message transfers into a protocol-based controlled environment for a specific recipient where message criteria determine whether the incoming message is deemed to be a valid or suspicious message. Transmission criteria determine the final message disposition. If the message is valid, it is delivered to a recipient computer system in the network. If the incoming message is suspicious, the message is isolated in the controlled environment where the transmission criteria may provide remote access to the recipient.05-17-2012
20110107424Rollback Feature - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for rolling back protection processes. In one aspect, a method includes determining that a file is a malicious file, storing a duplicate of the file in a quarantine area, performing one or more protection processes on the file, if the determination that the file is a malicious file is a false positive determination, restoring the file by a pre-boot rollback process to a state prior to the one or more protection processes performed on the file, and booting the computer with the restored file, and if the determination that the file is a malicious file is not a false positive determination, not restoring the file to a state prior to the one or more protection processes performed on the file, and booting the computer.05-05-2011
20110107423PROVIDING AUTHENTICATED ANTI-VIRUS AGENTS A DIRECT ACCESS TO SCAN MEMORY - A computer platform may support anti-virus agents that may be provided access to directly scan the memory. The computer platform may comprise a platform control hub, which may comprise a manageability engine and a virtualizer engine, wherein the manageability engine may allow the anti-virus agents to be downloaded to a platform hardware space that is isolated from an operating system. The manageability engine may authenticate the anti-virus agents and provide an access for the anti-virus agents to directly scan a memory or a storage device coupled to the platform hardware.05-05-2011
20100095380DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES - Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged archive file is received. Without decrypting or decompressing the contents, an anti-virus detection module identifies a type and associated structure of the archive file by assuming each possible archive file type in turn and searching the archive file for descriptive information consistent with the current archive file type. Based thereon, descriptive information is obtained from the archive file describing one or more contained files within the archive file. Then, the descriptive information for each contained file is evaluated to determine if any contained files are malicious or undesired computer files. Finally, an attempt is made to prevent contained files determined to be malicious or undesired computer files from being opened.04-15-2010
20110099635SYSTEM AND METHOD FOR DETECTING EXECUTABLE MACHINE INSTRUCTIONS IN A DATA STREAM - Detecting executable machine instructions in a data stream is accomplished by accessing a plurality of values representing data contained within a memory of a computer system and performing pre-processing on the plurality of values to produce a candidate data subset. The pre-processing may include determining whether the plurality of values meets (a) a randomness condition, (b) a length condition, and/or (c) a string ratio condition. The candidate data subset is inspected for computer instructions, characteristics of the computer instructions are determined, and a predetermined action is taken based on the characteristics of the computer instructions.04-28-2011
20110099634Using File Prevalence to Inform Aggressiveness of Behavioral Heuristics - The prevalence rate of a file to be subject to behavior based heuristics analysis is determined, and the aggressiveness level to use in the analysis is adjusted, responsive to the prevalence rate. The aggressiveness is set to higher levels for lower prevalence files and to lower levels for higher prevalence files. Behavior based heuristics analysis is applied to the file, using the set aggressiveness level. In addition to setting the aggressiveness level, the heuristic analysis can also comprise dynamically weighing lower prevalence files as being more likely to be malicious and higher prevalence files as being less likely. Based on the applied behavior based heuristics analysis, it is determined whether or not the file comprises malware. If it is determined that the file comprises malware, appropriate steps can be taken, such as blocking, deleting, quarantining and/or disinfecting the file.04-28-2011
20110099633System and method of containing computer worms - A computer worm containment system comprises a detection system and a blocking system. The detection system orchestrates a sequence of network activities in a decoy computer network and monitors that network to identify anomalous behavior and determine whether the anomalous behavior is caused by a computer worm. The detection system can then determine an identifier of the computer worm based on the anomalous behavior. The detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm. The blocking system is configured to use the computer worm identifier to protect another computer network. The blocking system can also use the recovery script to disable a computer worm within the other network and to repair damage caused to the network by the worm.04-28-2011
20090133126APPARATUS AND METHOD FOR DETECTING DLL INSERTED BY MALICIOUS CODE - Provided are an apparatus and method for detecting a Dynamic Link Library (DLL) inserted by a malicious code. The method includes collecting first DLL information from an image file of a process before the process is executed; collecting second DLL information loaded into a memory as the process is executed; comparing the first DLL information with the second DLL information to extract information on an explicit DLL; and determining whether the explicit DLL is a DLL inserted by a malicious code or not.05-21-2009
20090133125METHOD AND APPARATUS FOR MALWARE DETECTION - The present invention relates to an apparatus and method for detecting malware. The malware detection apparatus and method of the present invention determines whether a file is malware or not by analyzing the header of an executable file. Since the malware detection apparatus and method can quickly detect presence of malware, it can shorten detection time considerably. The malware detection apparatus and method can also detect even unknown malware as well as known malware to thereby estimate and determine presence of malware. Therefore, it is possible to cope with malware in advance, protect a system with a program, and increase security level remarkably.05-21-2009
20090133124A METHOD FOR DETECTING THE OPERATION BEHAVIOR OF THE PROGRAM AND A METHOD FOR DETECTING AND CLEARING THE VIRUS PROGRAM - A method for detecting the operation behavior of a program includes: obtaining the destructive operation behavior of a known virus program; setting the corresponding control and process program according to the destructive operation behavior; making the control and process program obtain control of the destructive operation behavior; the destructive operation behavior of the program to be detected calling the corresponding control and process program, and the corresponding control and process program recording the operation behavior of the said program to be detected. The method can also return a success response through the control and process program, so as to induce the program to be detected to perform its next behavior, while the program to be detected does not actually perform the operation. That is, the present invention can provide a virtual environment for the program to be detected in order to record a series of its behaviors. A method for clearing the virus program sets up and performs the reverse operation of the program's behavior, based on the recorded behavior of the virus program, to realize the recovery of the data destroyed by the virus.05-21-2009
20120167217SYSTEMS AND METHODS TO DETECT AND NEUTRALIZE MALWARE INFECTED ELECTRONIC COMMUNICATIONS - Systems and methods to detect and neutralize malware infected electronic communications are described. The system may receive a request for interface information over a network from a client machine. In response to receiving the request, the system may generate the interface information to include at least one input mechanism to receive user information from the user and countermeasure information for utilization on the client machine to detect whether the interface information is modified on the client machine to receive user information from the user that is not authorized. Finally, the system may communicate the interface information, over the network, to the client machine.06-28-2012
20120167221APPARATUS FOR ANALYZING TRAFFIC - An apparatus for analyzing traffic is provided. The apparatus may precisely identify and analyze web traffic through 5-tuple-, HTTP-, and request/response pair-based packet analysis by monitoring the correlation between sessions.06-28-2012
20120167220SEED INFORMATION COLLECTING DEVICE AND METHOD FOR DETECTING MALICIOUS CODE LANDING/HOPPING/DISTRIBUTION SITES - Provided is a seed information collecting device for detecting malicious code landing/hopping/distribution sites. The device comprises: a seed information collecting module collecting social issue keywords from a seed information collecting channel and collecting address information of potential malicious code landing/hopping/distribution sites using the collected social issue keywords; a web source code collecting module collecting web source code of the potential malicious code landing/hopping/distribution sites using the address information of the potential malicious code landing/hopping/distribution sites collected by the seed information collecting module; and a policy management module managing collection policies of the seed information collecting module and the web source code collecting module.06-28-2012
20120167219OPTIMIZATION OF ANTI-MALWARE PROCESSING BY AUTOMATED CORRECTION OF DETECTION RULES - A system, method and computer program product for optimization of execution of anti-malware (AV) applications. The number of false-positive determinations by an AV system is reduced by correcting malware detection rules using correction coefficients. The number of malware objects detected by the AV system is increased by correction of the ratings determined by the rules using correction coefficients. Automated testing of new detection rules used by the AV system is provided. The new rules, having zero correction coefficients, are added to the rules database; the results of applying the new rules are analyzed, and the rules are corrected or modified for further testing.06-28-2012
20120124667MACHINE-IMPLEMENTED METHOD AND SYSTEM FOR DETERMINING WHETHER A TO-BE-ANALYZED SOFTWARE IS A KNOWN MALWARE OR A VARIANT OF THE KNOWN MALWARE - A machine-implemented method for determining whether a to-be-analyzed software is a known malware or a variant of the known malware includes the steps of: (A) configuring a processor to execute the to-be-analyzed software, and obtain a to-be-analyzed system call sequence that corresponds to the to-be-analyzed software with reference to a plurality of system calls made in sequence as a result of executing the to-be-analyzed software; (B) configuring the processor to determine a degree of similarity between the to-be-analyzed system call sequence and a reference system call sequence that corresponds to the known malware; and (C) configuring the processor to determine that the to-be-analyzed software is neither the known malware nor a variant of the known malware when the degree of similarity determined in step (B) is not greater than a predefined similarity threshold value.05-17-2012
20120317646VIRUS CO-PROCESSOR INSTRUCTIONS AND METHODS FOR USING SUCH - Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a method for virus processing is provided. A general purpose processor receives and stores a data segment to a first memory at a virtual address. The first memory contains paging data structures for translating virtual addresses to physical addresses. The general purpose processor directs a virus processing hardware accelerator to scan the data segment based on virus signatures compiled for the virus processing hardware accelerator and stored in a second memory. The first memory includes a first virus signature compiled for the general purpose processor. The virus processing hardware accelerator retrieves the data segment by accessing the first memory based on the virtual address and cached information, stored within one or more translation lookaside buffers local to the virus processing hardware accelerator, relating to most recently used entries of the paging data structures.12-13-2012
20120233696METHOD AND SYSTEM FOR ANTIVIRUS BY SIM CARD COMBINED WITH CLOUD COMPUTING - The invention provides a method and a system of antivirus solution by using a SIM card combined with cloud antivirus. The method comprises: the signature data of a file on the present mobile device is sent to a cloud server; the cloud server receives the file signature data and checks the received file signature data by using a cloud virus database stored at the cloud server; and the cloud server sends the checking result back to the SIM card of the mobile device via OTA (Over-the-Air).09-13-2012
20120317645THREAT LEVEL ASSESSMENT OF APPLICATIONS - An application safety system is described herein that provides a scoring system of how dangerous an application is based on behavioral inspection of the application. Upon detecting installation of an application or first execution of the application, the application safety system performs static analysis before the new application is executed by the operating system. The system allows the user to approve running the application after displaying information about what the application does. Next, the system performs dynamic analysis as the application runs and alerts the user to any potentially harmful behavior. Over time, the system determines when the application may be acting in a manner that is out of character and informs the user. The system also allows users to restrict behavior that a particular application can perform.12-13-2012
20120222121Systems and Methods for Detecting Malicious PDF Network Content - Systems and methods for detecting malicious PDF network content are provided herein. According to some embodiments, the methods may include at least the steps of examining received PDF network content to determine if one or more suspicious characteristics indicative of malicious network content are included in the PDF network content, providing PDF network content determined to include at least one suspicious characteristic to one or more virtual machines, and analyzing responses received from the one or more virtual machines to verify the inclusion of malicious network content in the PDF network content determined to include at least one suspicious characteristic.08-30-2012
20120131676SECURITY MANAGEMENT METHOD IN VIRTUALIZED ENVIRONMENT, VIRTUAL SERVER MANAGEMENT SYSTEM, AND MANAGEMENT SERVER - Disclosed are a security management method in a virtualized environment, virtual server management system, and management server capable of improving security in the virtualized environment. A management server (05-24-2012
20120131675SERVER, USER DEVICE AND MALWARE DETECTION METHOD THEREOF - A server, a user device, and a malware detection method thereof are provided. The server connects with the user device via a network, and records execution records of the user device. Based on the history of the execution records of the user device, the server can detect whether or not the user device has malware accordingly.05-24-2012
20100235916Apparatus and method for computer virus detection and remediation and self-repair of damaged files and/or objects - A method and apparatus for detecting and remediating damaged files as well as files containing proscribed code content, involving locating damage or proscribed code within a file, recording an identity of said file in which damage or proscribed code has been located, removing the damage or proscribed code by destroying the file that contains the damage or proscribed code, utilizing a search utility to locate a copy of the destroyed file according to one or more locations which are designated, and when located, copying the file to the original location of the destroyed file.09-16-2010
20120167223Virus Localization Using Cryptographic Hashing - Methods for using integrity checking techniques to identify and locate computer viruses are provided. A method for virus localization for each of three types of virus infections is provided, including the steps of computing a sequence of file blocks, calculating hashes for the sequences of file blocks from a host file and calculating hashes for the same or related sequences of file blocks from an infected file, and comparing the hashes from the host file to the hashes from the infected file for the same or related sequences of file blocks such that when some of said first hashes and said second hashes do not match, a location of a virus is output. Methods are also provided for computing the sequence of file blocks depending on the type of virus infection, and for calculating the hashes using a collision resistant hash function, a digital signature scheme, a message authentication code, or a pseudo-random function.06-28-2012
20120167222METHOD AND APPARATUS FOR DIAGNOSING MALICIOUS FILE, AND METHOD AND APPARATUS FOR MONITORING MALICIOUS FILE - An apparatus for diagnosing malicious files includes an information transferring unit configured to receive information regarding a malicious file distributed in a management network and an execution file generated by assembling packets collected from the management network; an anti-virus engine configured to determine whether or not the execution file is malicious to generate information regarding a new malicious file; and a management unit configured to transfer the information regarding the malicious file and the information regarding the new malicious file to a terminal device on the management network through the information transferring unit.06-28-2012
20120255011SYSTEMS AND METHODS FOR IDENTIFYING HIDDEN PROCESSES - A security module may be configured to execute on the electronic device at a level below all of the operating systems of an electronic device accessing the one or more system resources. The security module may be configured to: trap one or more attempts to access system resources of the electronic device, the one or more attempts made from a less privileged ring of execution than the first security module; record information identifying one or more processes attempting to access the system resources of the electronic device; compare the information identifying one or more processes attempting to access the system resources with the enumerated one or more processes visible to the operating system; and based on the comparison, determine one or more hidden processes, the hidden processes determined by at least identifying processes whose information was recorded by the first security module but which were not enumerated by the second security module.10-04-2012
20120255010SYSTEM AND METHOD FOR FIRMWARE BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a non-volatile memory, a processor coupled to the non-volatile memory, a resource of the electronic device, firmware residing in the non-volatile memory and executed by the processor, and a firmware security agent residing in the firmware. The firmware is communicatively coupled to the resource of an electronic device. The firmware security agent is configured to, at a level below all of the operating systems of the electronic device accessing the resource, intercept a request for the resource and determine whether the request is indicative of malware.10-04-2012
20120216284METHOD AND SYSTEM OF POSTING ACHIEVEMENTS REGARDING SCANS FOR MALWARE PROGRAMS - Posting achievements regarding scans for malware programs. At least some of the illustrative embodiments are methods including: initiating a scan for malware programs on a computer system, the initiating by a first user, and the scan by a scan program executed on the computer system; identifying malware programs on the computer system by the scan program, where identifying meets a predetermined achievement; and posting to a social network, the posting comprises an indication of meeting the predetermined achievement, and the posting associated with the first user.08-23-2012
20120216283METHOD AND SYSTEM FOR DISABLING MALWARE PROGRAMS - Disabling malware programs. At least some of the various embodiments are methods including disabling a malware program on a computer system that comprises a native operating system on a long term storage device. In some cases, the disabling by: booting a non-native operating system on the computer system; identifying, by a scan program executed under the non-native operating system, the malware program on the long term storage device; modifying, by the scan program, a file system coupled to the native operating system with respect to the malware program, the file system on the long term storage device; and then booting the native operating system on the computer system.08-23-2012
20100205672HASH-BASED SYSTEMS AND METHODS FOR DETECTING, PREVENTING, AND TRACING NETWORK WORMS AND VIRUSES08-12-2010
20110185430METHOD AND SYSTEM FOR DISCRETE STATEFUL BEHAVIORAL ANALYSIS - A method for analyzing a computing system includes the steps of, at a first moment in time, scanning the resources of the computing system for indications of malware; at a second moment in time, scanning the resources of the computing system for indications of malware and determining the system executable objects loaded on the computing system; determining malware system changes; identifying a relationship between the malware system changes and the system executable objects loaded on the computing system; and identifying as suspected malware the system executable objects loaded on the computing system which have a relationship with the malware system changes. The malware system changes include differences between the results of scanning the resources of the computing system for indications of malware at the second and first moments in time.07-28-2011
20110185429METHOD AND SYSTEM FOR PROACTIVE DETECTION OF MALICIOUS SHARED LIBRARIES VIA A REMOTE REPUTATION SYSTEM - A method for proactively detecting shared libraries suspected of association with malware includes the steps of determining one or more shared libraries loaded on an electronic device, determining that one or more of the shared libraries include suspicious shared libraries by determining that the shared library is associated with indications that the shared library may have been maliciously injected, loaded, and/or operating on the electronic device, and identifying the suspicious shared libraries to a reputation server.07-28-2011
20110185427SAFELY PROCESSING AND PRESENTING DOCUMENTS WITH EXECUTABLE TEXT - Techniques for processing documents with executable text are disclosed. The techniques, among other things, can effectively address XSS attacks to Internet users when browsing web sites. Content deemed not to be trusted or fully trusted (“untrusted”) can be marked in a document that can include executable text. Remedial action, including not allowing execution of executable text marked as “untrusted” can be taken. In addition, when the document is processed, content deemed not to be trusted or fully trusted (“untrusted”) can be effectively monitored in order to identify executable text that may have been effectively produced by “untrusted” content and/or somehow may have been affected by “untrusted” content.07-28-2011
20110185428METHOD AND SYSTEM FOR PROTECTION AGAINST UNKNOWN MALICIOUS ACTIVITIES OBSERVED BY APPLICATIONS DOWNLOADED FROM PRE-CLASSIFIED DOMAINS - A method for monitoring an application includes the steps of detecting the download of an application that originates from a website, identifying the domain of the website, and querying a database to select one or more behavioral analysis rules to apply to the application. The behavioral analysis rules are selected based upon an evaluation of the domain of the website. The evaluation of the domain of the website indicates a possible association with malware.07-28-2011
20100287616CONTROLLER CAPABLE OF PREVENTING SPREAD OF COMPUTER VIRUSES AND STORAGE SYSTEM AND METHOD THEREOF - A controller capable of preventing the spread of computer viruses is provided. The controller includes a microprocessor unit, and a first interface unit, a second interface unit, a comparing unit and a filter unit which are coupled to the microprocessor unit. The first interface unit is coupled to a storage medium, and the second interface unit is coupled to a computer host. The comparing unit determines whether data read from the storage medium by the computer host is an automatically executing file. The filter unit replaces the read data with predetermined data and transmits the predetermined data to the computer host when the read data is the automatically executing file. Accordingly, the controller is capable of preventing the spread of computer viruses designed into an automatically executing file.11-11-2010
20120317644Applying Antimalware Logic without Revealing the Antimalware Logic to Adversaries - The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, with which a customer frontend machine communicates (queries) for purposes of malware detection. In this way, some antimalware techniques are maintained at the backend service rather than revealed to malware authors. The backend antimalware detection logic may be based upon feature selection, and may be updated rapidly, in a manner that is faster than malware authors can track. Noise may be added to the results to make it difficult for malware authors to deduce the logic behind the results. The backend may return results indicating malware or not malware, or return inconclusive results. The backend service may also detect probing-related queries that are part of an attempt to deduce the unrevealed antimalware detection logic, with noisy results returned in response and/or other actions taken to foil the attempt.12-13-2012
20110191851COMPUTER AND METHOD FOR SAFE USAGE OF DOCUMENTS, EMAIL ATTACHMENTS AND OTHER CONTENT THAT MAY CONTAIN VIRUS, SPYWARE, OR MALICIOUS CODE - System, method, computer, computer program and computer program product for safe usage of potentially malicious code and of documents or other content that may contain malicious code. System and method for a virus- and hacker-resistant computer. Method and system for supporting a computer system's self-repair.08-04-2011
20120222120MALWARE DETECTION METHOD AND MOBILE TERMINAL REALIZING THE SAME - A malware detection method and a mobile terminal realizing the same are provided. The method monitors execution of applications on the mobile terminal, notifies a user of perceived malicious behavior and guides handling of a detected malicious application. The malware detection method includes extracting, when a platform Application Programming Interface (API) is called by an application, an action of the application from the platform API, determining, when the extracted action is a preset trigger action, whether the application is a malware program by comparing the extracted action with a malware pattern file, and outputting, when the application is a malware program, an alert message.08-30-2012
20100050261TERMINAL AND METHOD OF PROTECTING THE SAME FROM VIRUS - A mobile terminal including a display module, a memory configured to store data, a wireless communication unit configured to wirelessly connect with at least one other terminal, a checking unit configured to check at least a portion of the stored data for virus-infected data infected with a virus, and a controller configured to prevent a wireless communication connection with the at least one other terminal when the checking unit finds virus-infected data infected with the virus.02-25-2010
20120180132METHOD, SYSTEM AND PROGRAM PRODUCT FOR OPTIMIZING EMULATION OF A SUSPECTED MALWARE - A method, system and program product for optimizing emulation of a suspected malware. The method includes identifying, using an emulation optimizer tool, whether an instruction in a suspected malware being emulated by an emulation engine in a virtual environment signifies a long loop and, if so, generating a first hash for the loop. Further, the method includes ascertaining whether the first hash generated matches any long loop entries in a storage and, if so, calculating a second hash for the long loop. Furthermore, the method includes inspecting any long loop entries ascertained to find an entry having a respective second hash matching the second hash calculated. If an entry matching the second hash calculated is found, the method further includes updating one or more states of the emulation engine such that execution of the long loop of the suspected malware is skipped, which optimizes emulation of the suspected malware.07-12-2012
20120180131SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR IDENTIFYING UNWANTED ACTIVITY UTILIZING A HONEYPOT DEVICE ACCESSIBLE VIA VLAN TRUNKING - A system, method, and computer program product are provided for identifying unwanted activity utilizing a honeypot accessible via virtual local area network (VLAN) trunking. In use, a honeypot device is allowed to be accessed via VLAN trunking. Furthermore, unwanted data is identified, utilizing the honeypot device.07-12-2012
20130174258Execution of Multiple Execution Paths - Techniques for execution of multiple execution paths are described. In one or more embodiments, an execution of a portion of executable code is conditioned upon a particular environment-specific value. For example, the execution of the executable code can cause one type of output if the value of the variable equals a particular value, and can cause a different type of output if the value of the variable equals a different value. Techniques discussed herein can enable the executable code to be executed such that multiple outputs are produced, e.g., by executing the code according to the different values for the variable. In implementations, the multiple outputs can be analyzed for various attributes, such as presence of malware, implementation and coding errors, and so on.07-04-2013
20100011442DATA SECURITY DEVICE FOR PREVENTING THE SPREADING OF MALWARE - A method and system for preventing spreading of malware, including: automatically launching an anti-malware control mechanism after a data security device connects to a computing device and receives power from the computing device, determining availability of a data path in the data security device before allowing data to pass through the data path, and scanning the data that passes through the data path.01-14-2010
20100011441SYSTEM FOR MALWARE NORMALIZATION AND DETECTION - Computer programs are preprocessed to produce normalized or standard versions to remove obfuscation that might prevent the detection of embedded malware through comparison with standard malware signatures. The normalization process can provide an unpacking of compressed or encrypted malware, a reordering of the malware into a standard form, and the detection and removal of semantically identified nonfunctional code added to disguise the malware.01-14-2010
20120185941Multi-Network Virus Immunization - An apparatus, device, methods, computer program product, and system are described that determine a virus associated with a communications network, and distribute an anti-viral agent onto the communications network using a bypass network, the bypass network configured to provide transmission of the anti-viral agent with at least one of a higher transmission speed, a higher transmission reliability, a higher transmission security, and/or a physically-separate transmission path, relative to transmission of the virus on the communications network.07-19-2012
20120185940COMPUTER SYSTEM AND METHOD FOR SCANNING COMPUTER VIRUS - According to the present invention, a timeout caused by executing a virus scan is avoided. A computer system has a first computer, a second computer coupled to the first computer, and a storage system coupled to the first computer and the second computer. The first computer receives a request to write data, writes the requested data in the storage system, and sends a virus scan request of the written data to the second computer. The second computer receives the virus scan request from the first computer, reads the written data out of the storage system, and partially executes a virus scan of the read data. After the partial virus scan of the read data is finished, the first computer sends a response to the received write request. After the first computer sends the response, the second computer executes the remainder of the virus scan of the read data.07-19-2012
20120185942SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PRESENTING AN INDICIA OF RISK ASSOCIATED WITH SEARCH RESULTS WITHIN A GRAPHICAL USER INTERFACE - A system, method, and computer program product comprise presenting a plurality of search results within a graphical user interface. Further, an indicia of risk associated with the search results is presented, in real-time, within the graphical user interface.07-19-2012
20120185939Malware detection - A computer-implemented method of scanning a plurality of files stored in a memory of a computer for malware. The computer includes a processor. The method includes, for each respective file of said plurality of files in said memory, determining, using said processor, whether a relationship between the respective file and stored data satisfies a predetermined criterion. The stored data indicates one or more files determined not to contain malware and for which data associated with each of said one or more files has a predetermined characteristic. If the relationship satisfies the predetermined criterion, the respective file is processed according to a first processing method, and if said relationship does not satisfy said predetermined criterion, the respective file is processed according to a second processing method.07-19-2012
20120084865False Alarm Detection For Malware Scanning - A method of scanning files for malware on a computer system. The method includes receiving a file to be scanned in the system, and using at least one malware scanning engine to determine whether or not the file possesses properties that are indicative of malware. If it is determined that the file does possess properties that are indicative of malware, then at least one cleanliness scanning engine is used to determine whether or not the file possesses properties that are indicative of a clean file. If it is determined that the file possesses properties that are indicative of a clean file, then a false alarm is signalled.04-05-2012
20120084864SYSTEM AND METHOD FOR A MOBILE CROSS-PLATFORM SOFTWARE SYSTEM - The present invention is a system and method for creating, developing and testing cross-platform software for mobile communications devices. The invention enables mobile device software that must be highly-integrated with the operating system on which it runs to be implemented in a cross-platform manner. Security software for mobile devices is a prime beneficiary of the present invention, as a substantial proportion of its functionality is identical between different platforms yet integrated very specifically into each platform it supports. The cross-platform system includes a core platform-independent component, a platform-specific component, and an abstraction layer component, each of which may communicate with each other using a common defined API. The present invention enables the platform-independent component to be completely re-used between platforms and allows the platform-specific and abstraction components to contain minimal amounts of code on each platform.04-05-2012
20090328221MALWARE DETENTION FOR SUSPECTED MALWARE - A method and system for detecting and managing potential malware utilizes a preliminary signature to scan content and detect potential malware content based upon characteristics that match the preliminary signature. The detected content is detained for a predetermined period of time. If an updated signature is not received, the detained content may be purged, released or quarantined, based upon predetermined content policy. If an updated signature is received, the detained content is released from detention and rescanned with the updated signature. The content is then treated in accordance with the content policy, and again, can be purged, released, or quarantined.12-31-2009
20090320133STREAMING MALWARE DEFINITION UPDATES - A method, system and apparatus for assembling and publishing frequent malware signature definition updates through the use of additive or “streaming” definition packages is provided. Embodiments of the present invention provide such functionality by publishing not only full malware signature definition updates on a long periodicity but also streaming malware signature definition updates containing newly certified signature definitions on a short periodicity. As newly-certified malware signature definitions are received, those newly-certified signature definitions are incorporated not only in the full signature definition file but also in a streaming signature definition update that contains only newly-certified signature definitions received during a streaming update period. At the end of the streaming update period, a streaming signature definition file is made available by publication to anti-malware clients. A streaming signature definition file only contains those signature definitions received during the assembly period for that streaming definition file. Embodiments of the present invention replace a previous streaming signature definition file with a new streaming signature definition file at the time of publication of the new streaming signature definition file.12-24-2009
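An added example of the full-plus-streaming publication scheme described in 20090320133 (written for this listing, not the patent's or any vendor's code): the publisher emits a full definition file on a long period and, on a short period, a streaming file holding only the definitions certified during that period; the client merges what it fetches. The definition names, certification timestamps and period lengths are constructed. The example also shows the operational consequence of a streaming file containing only its own period's definitions: a client that misses one window lacks those definitions until it either fetches the skipped streaming files or the next full file.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Definition:
    name: str
    certified_at: int  # constructed timestamp, seconds


class DefinitionPublisher:
    """Assembles full definition files on a long period and streaming (delta) files on a short
    period. A streaming file carries only the definitions certified in its own assembly period."""

    def __init__(self, full_period: int, stream_period: int):
        self.full_period = full_period
        self.stream_period = stream_period
        self.certified = []

    def certify(self, definition: Definition) -> None:
        self.certified.append(definition)

    def full_file(self, publish_time: int) -> set:
        """Everything certified up to the publication time."""
        return {d.name for d in self.certified if d.certified_at <= publish_time}

    def streaming_file(self, publish_time: int) -> set:
        """Only what was certified in (publish_time - stream_period, publish_time]."""
        start = publish_time - self.stream_period
        return {d.name for d in self.certified if start < d.certified_at <= publish_time}


class Client:
    """An anti-malware client that applies a full file and then merges streaming files."""

    def __init__(self):
        self.definitions = set()

    def apply_full(self, names) -> None:
        self.definitions = set(names)

    def apply_streaming(self, names) -> None:
        self.definitions |= set(names)

    def catch_up(self, publisher: DefinitionPublisher, last_applied: int, now: int) -> None:
        """Fetch every streaming file published since the last one applied (the fix for a
        missed window; the alternative is to wait for the next full file)."""
        t = last_applied + publisher.stream_period
        while t <= now:
            self.apply_streaming(publisher.streaming_file(t))
            t += publisher.stream_period

    def missing(self, publisher: DefinitionPublisher, now: int) -> set:
        """Definitions the publisher has certified that this client does not hold."""
        return publisher.full_file(now) - self.definitions


def simulate_missed_window() -> set:
    """Constructed scenario: daily full file, hourly streaming files, client skips the 7200 s window."""
    pub = DefinitionPublisher(full_period=86400, stream_period=3600)
    for name, t in [("A", 0), ("B", 1000), ("C", 5000), ("D", 8000)]:
        pub.certify(Definition(name, t))
    client = Client()
    client.apply_full(pub.full_file(0))
    client.apply_streaming(pub.streaming_file(3600))
    # streaming file at 7200 never fetched
    client.apply_streaming(pub.streaming_file(10800))
    return client.missing(pub, 10800)
```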
20120227109System And Method For Packet Profiling - Systems and methods for packet profiling are disclosed. According to one embodiment, a method for profiling incoming data packets for an organization includes the steps of (1) receiving, at an interface for a transport provider, a data packet; (2) using a computer processor, analyzing the data packet; (3) using the computer processor, based on the analysis, marking the data packet; and (4) transmitting the data packet to the organization.09-06-2012
20120260343AUTOMATED MALWARE SIGNATURE GENERATION - Automated malware signature generation is disclosed. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature.10-11-2012
20090019546Method and Apparatus for Modeling Computer Program Behaviour for Behavioural Detection of Malicious Program - A method and apparatus for modeling a behavior of a computer program that is executed in a computer system is described. The method and apparatus for modeling a behavior of a computer program may be used to detect a malicious program based on the behavior of the computer program. A method includes collecting system use information about resources of the computer system the computer program uses; extracting a behavior signature of the computer program from the collected system use information; and encoding the extracted behavior signature to generate a behavior vector. As a result, behaviors of a particular computer program may be modeled to enable a malicious program detection program and to determine whether the computer program is either normal or malicious.01-15-2009
20120233697Method and Apparatus Reducing Malware Detection Induced Delay - Methods and apparatuses for network 09-13-2012
20110004937SYSTEMS AND METHODS FOR MANAGING A NETWORK - A method of managing a network. The method includes receiving an activation key transmitted from a device connected to the network, automatically transmitting a configuration to the device, automatically maintaining the configuration of the device, and receiving log information from the device.01-06-2011
20110004936BOTNET EARLY DETECTION USING HYBRID HIDDEN MARKOV MODEL ALGORITHM - A botnet detection system is provided. A bursty feature extractor receives an Internet Relay Chat (IRC) packet value from a detection object network, and determines a bursty feature accordingly. A Hybrid Hidden Markov Model (HHMM) parameter estimator determines probability parameters for a Hybrid Hidden Markov Model according to the bursty feature. A traffic profile generator establishes a probability sequential model for the Hybrid Hidden Markov Model according to the probability parameters and pre-defined network traffic categories. A dubious state detector determines a traffic state corresponding to a network relaying the IRC packet in response to reception of a new IRC packet, determines whether the IRC packet flow of the object network is dubious by applying the bursty feature to the probability sequential model for the Hybrid Hidden Markov Model, and generates a warning signal when the IRC packet flow is regarded as having a dubious traffic state.01-06-2011
20120266245Multi-Nodal Malware Analysis - A computer-implemented method includes accessing, by an analysis console, information related to a first file received at a first host of a plurality of hosts. Each host is capable of running a corresponding set of malware detection processes. The information includes: an identifier of the first file; and data indicating a first result of the first host applying the set of malware detection processes to the first file. The identifier is generated by the first host and is usable by each of the hosts to determine whether a second file comprises content substantially equivalent to content of the first file. The analysis console generates a first output including: the identifier of the first file; and a second result indicating whether the first file comprises malware. The second result is usable by each of the hosts to determine whether the second file comprises malware. The first output is propagated to the hosts.10-18-2012
20120266244Detecting Script-Based Malware using Emulation and Heuristics - The subject disclosure is directed towards running script through a malware detection system including an emulator environment to detect any malware within the script. Statistics are collected as part of processing the script, with parameterized heuristic analysis used to determine whether to run the emulation. The processing through the malware detection system may be iterative, to de-obfuscate layers of obfuscated malware. The emulator may be updated via signatures.10-18-2012
20120240229SYSTEMS AND METHODS FOR LOOKING UP ANTI-MALWARE METADATA - A computer-implemented method for looking up anti-malware metadata may include identifying a plurality of executable objects to be scanned for malware before execution. The computer-implemented method may also include, for each executable object within the plurality of executable objects, assessing an imminence of execution of the executable object. The computer-implemented method may further include prioritizing, based on the assessments, a retrieval order for anti-malware metadata corresponding to the plurality of executable objects. The computer-implemented method may additionally include retrieving anti-malware metadata corresponding to an executable object within the plurality of executable objects based on the retrieval order. Various other methods, systems, and computer-readable media are also disclosed.09-20-2012
20110030058SYSTEM AND METHOD FOR SCANNING AND MARKING WEB CONTENT - Instructions to access content at a destination node are intercepted. Content at the destination node is analyzed for malicious components, and results of the analysis are associated with the content prior to its being presented to viewers of the content.02-03-2011
20110047621SYSTEM AND METHOD FOR DETECTION OF NON-COMPLIANT SOFTWARE INSTALLATION - A system and method for performing a security check may include using at least one processor to periodically check the status of a flag; generate and store a baseline representation of the modules stored on the device when the flag is determined to be set to a first state; and, when the flag is determined to be set to a second state, generate an active representation of the modules stored on the device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device.02-24-2011
20120324578MOBILE DEVICE OPERATIONS WITH BATTERY OPTIMIZATION - Techniques for conserving battery power in devices are provided. One or more deferrable tasks are queued for later execution. An initiation of a subsequent charging event for a battery of the device is detected. The queued deferrable task(s) are enabled to be executed during the charging event. For instance, the queued deferrable task(s) may be enabled to be executed if the charging event is predicted to be a long duration charging event, such as by referring to a charging profile of the mobile device. In this manner, battery power is conserved while the device is in use and not connected to a battery charger.12-20-2012
20120324580Method and Apparatus for Selective E-Mail Processing - Disclosed is a system and method for selective email processing. A traffic separator includes an interface for receiving electronic mail traffic from a source network address. The traffic separator also includes a processor for comparing the source network address to a stored list of network addresses to determine a categorization of the network source address. The traffic separator also includes at least one interface for forwarding the electronic mail traffic to one of many message transfer agents (MTAs) based upon said determination. A database stores the list of network addresses. In one embodiment, one or more network addresses in the stored list are network address ranges.12-20-2012
20120324579CLOUD MALWARE FALSE POSITIVE RECOVERY - Methods, systems, and computer program products are provided for recovering from false positives of malware detection. Malware signatures that are defective may be causing false positives during software scanning for malware. Such defective malware signatures may be detected (e.g., by user feedback, etc.) and revoked. Computers that are using the malware signatures to detect malware may be notified of the revoked signatures, and may be enabled to re-scan content identified as containing malware using malware signatures that do not include the revoked malware signatures. As such, if the content is determined during the re-scan to not be infected, the content may be re-enabled for usage on the computer (e.g., may be restored from quarantine storage).12-20-2012
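The detention-then-rescan flow of 20090328221 (malware detention for suspected malware) and the revoke-then-restore flow of 20120324579 above both hinge on one store: content is held, and a change to the signature set triggers a re-scan whose verdict decides whether the content is quarantined, released or restored. The following added example (written for this listing, not code from either patent) models both in a single class, including the expiry policy applied when no updated signature arrives within the detention period. The substring matcher, the signature names and patterns, the TTL and the sample content are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Signature:
    name: str
    pattern: bytes
    preliminary: bool = False  # uncertified "rush" signature: a hit detains rather than quarantines


@dataclass
class Detained:
    content: bytes
    matched: str        # name of the preliminary signature that triggered detention
    detained_at: float


class QuarantineStore:
    """Holds content hit by a signature and re-scans it whenever the signature set changes:
    certification of a preliminary signature (release or quarantine the detained content) or
    revocation of a defective one (restore content that no longer matches anything)."""

    def __init__(self, signatures, detention_ttl, expiry_policy="quarantine"):
        assert expiry_policy in ("purge", "release", "quarantine")
        self.signatures = {s.name: s for s in signatures}
        self.detention_ttl = detention_ttl
        self.expiry_policy = expiry_policy
        self.detained = {}     # content key -> Detained
        self.quarantined = {}  # content key -> content
        self.released = {}     # content that left detention without a certified hit
        self.restored = {}     # content restored from quarantine after a revocation
        self.purged = set()

    @staticmethod
    def key(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def _match(self, content: bytes):
        # Constructed matcher: plain substring search over the loaded signatures.
        for sig in self.signatures.values():
            if sig.pattern in content:
                return sig
        return None

    def scan(self, content: bytes, now: float) -> str:
        """Verdict for one piece of content: clean, detained (preliminary hit) or quarantined."""
        k = self.key(content)
        sig = self._match(content)
        if sig is None:
            return "clean"
        if sig.preliminary:
            self.detained[k] = Detained(content, sig.name, now)
            return "detained"
        self.quarantined[k] = content
        return "quarantined"

    def certify(self, updated: Signature, now: float) -> None:
        """An updated signature replaces a preliminary one: release its detainees and re-scan them."""
        self.signatures[updated.name] = updated
        for k, d in list(self.detained.items()):
            if d.matched != updated.name:
                continue
            del self.detained[k]
            if self.scan(d.content, now) == "clean":
                self.released[k] = d.content

    def expire(self, now: float) -> None:
        """No update arrived within the TTL: apply the content policy to stale detentions."""
        for k, d in list(self.detained.items()):
            if now - d.detained_at < self.detention_ttl:
                continue
            del self.detained[k]
            if self.expiry_policy == "purge":
                self.purged.add(k)
            elif self.expiry_policy == "release":
                self.released[k] = d.content
            else:
                self.quarantined[k] = d.content

    def revoke(self, name: str, now: float) -> None:
        """A signature proved defective (false positives): drop it, re-scan everything in
        quarantine with the remaining signatures, and restore what no longer matches."""
        self.signatures.pop(name, None)
        for k, content in list(self.quarantined.items()):
            del self.quarantined[k]
            if self.scan(content, now) == "clean":
                self.restored[k] = content
```

Revocation re-scans the whole quarantine rather than only items tagged with the revoked name, because the same content may also match a signature that is still valid; only content that is clean against the remaining set is restored.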
20120324577DETECTING MALICIOUS SOFTWARE ON A COMPUTING DEVICE WITH A MOBILE DEVICE - Systems, methods, devices, and machine readable media for detecting malicious software on a computing device with a mobile device are provided. One method includes causing a mobile device to mount a non-volatile memory of the computing device, scanning the non-volatile memory of the computing device with the mobile device using a low-level read operations scan, collecting data on the mobile device from the low-level read operations scan, and evaluating the data collected on the mobile device for malicious software on the computing device.12-20-2012
20120272321ANTIVIRUS COMPUTING SYSTEM - An antivirus computing system includes: a storage device having an operating partition that has stored therein a to-be-scanned file, and a hidden partition that has stored therein a virus code; and an antivirus device operatively associated with the storage device, and configured to perform a virus scan on the to-be-scanned file in the operating partition based on the virus code in the hidden partition.10-25-2012
20120272319Apparatus, and system for determining and cautioning users of Internet connected clients of potentially malicious software and method for operating such - A system at a central server and at a plurality of web filters is installed to observe traffic and to protect users from attempting connection to suspicious, malicious, and/or infectious targets. Targets are defined as Uniform Resource Identifiers (URI) and Internet Protocol (IP) addresses. Traffic is collected, analyzed, and reported for further analysis. Behavior is analyzed for each client attempting a connection to an uncategorized target. IP addresses and URIs are evaluated toward placement in either a Trusted target store or an Anomalous target store. The accumulated content of Anomalous target store is provided back to the Network Service Subscriber Clients. Warnings and tools are presented when appropriate.10-25-2012
20120272318SYSTEM AND METHOD FOR DYNAMIC GENERATION OF ANTI-VIRUS DATABASES - A method for reducing the size of the AV database on a user computer by dynamically generating an AV database according to user parameters is provided. Critical user parameters that affect the content of the AV database required for this user are determined. The AV database for the single user is generated based on the user parameters. When the parameters of the user computer change or when new malware threats are detected, the user AV database is dynamically updated according to the new parameters and the new malware threats. The update procedure becomes more efficient since a need of updating large volumes of data is eliminated. The AV system, working with a small AV database, finds malware objects more efficiently and uses less of computer system resources.10-25-2012
20110239302APPARATUS AND METHOD FOR PERFORMING SYSTEM EVALUATION IN PORTABLE TERMINAL - An apparatus and method for performing a system evaluation such as real-time virus scan/diagnosis/cure in order to improve system performance in a portable terminal are provided. The apparatus includes an operation monitoring unit for determining an idle state duration and an active state duration by monitoring an operation of the portable terminal, and a pattern analysis unit for defining the idle state duration as a system evaluation duration.09-29-2011
20120278896SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - A method of updating a content detection module includes obtaining content detection data, and transmitting the content detection data to a content detection module, wherein the transmitting is performed not in response to a request from the content detection module. A method of sending content detection data includes obtaining content detection data, selecting an update station from a plurality of update stations, and sending the content detection data to the selected update station. A method of building a content detection system includes establishing a first communication link between a central station and an update station, the central station configured to transmit content detection data to the update station, and establishing a second communication link between the update station and a content detection module.11-01-2012
20120278893RING OSCILLATOR BASED DESIGN-FOR-TRUST - A ring oscillator (RO) based Design-For-Trust (DFTr) technique is described. Functional paths of an integrated circuit (IC) are included in one or more embedded ROs by (1) selecting a path in the IC, based on path selection criteria, that has one or more unsecured gates, and (2) embedding one or more ROs on the IC until a stop condition is met. An input pattern to activate the embedded RO is determined. Further, a golden frequency, which is the frequency at which the embedded RO oscillates, and a frequency range of the embedded RO are determined. A Trojan in the IC may be detected by activating the embedded RO (by applying the input pattern), measuring the frequency at which the embedded RO oscillates, and determining whether or not a Trojan is present based on whether or not the measured frequency of the RO is within a predetermined operating frequency range of the RO.11-01-2012
20110277033Identifying Malicious Threads - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for identifying and processing malicious threads. In one aspect, a method includes identifying a memory heap block; identifying threads that reside in the memory heap block; determining whether at least one of the identified threads in the memory heap block is a malicious thread; and in response to determining that at least one of the identified threads is a malicious thread, terminating each of the identified threads.11-10-2011
20100229239SYSTEM AND METHOD FOR DETECTING NEW MALICIOUS EXECUTABLES, BASED ON DISCOVERING AND MONITORING CHARACTERISTIC SYSTEM CALL SEQUENCES - The invention relates to a method for detecting malicious executables, which comprises: (a) in an offline training phase, finding a collection of system call sequences that are characteristic only of malicious files, when such malicious files are executed, and storing said sequences in a database; and (b) at runtime, for each running executable, continuously monitoring its issued run-time system calls and comparing them with the stored sequences of system calls within the database to determine whether there exists a match between a portion of the sequence of the run-time system calls and one or more of the database sequences, and when such a match is found, declaring said executable as malicious.09-09-2010
20120102569Computer system analysis method and apparatus - A method of analysing a computer on which are installed a plurality of applications each comprising a set of inter-related objects. The method first comprises identifying a local dependency network for each of one or more of said applications, a local dependency network comprising at least a set of object paths and inter-object relationships. The (or each) local application dependency network is then compared against a database of known application dependency networks to determine whether the application associated with the local dependency network is known. The results of the comparison are then used to identify malware and/or orphan objects.04-26-2012
20120291131Malware detection - A method and apparatus for detecting malware in which a computer device that has an operating system and a memory executes an untrusted computer program. In the event that the untrusted program directly accesses a region of the memory used to store information relating to the operating system, a determination is made that the untrusted program is likely to be malware.11-15-2012
20100199350Federated Scanning of Multiple Computers - A data processing apparatus and associated computer-executed method are adapted for federated scanning of multiple computers. The data processing apparatus comprises a logic that controls scanning among a plurality of data objects distributed among a plurality of distributed electronic data storage systems. The logic maintains a data set of paired location identifiers and intrinsic references corresponding to individual data objects of the plurality of data objects and controls scanning so that redundant scanning of duplicate data objects with matching intrinsic references occurring in multiple locations is avoided.08-05-2010
20100199349Method, apparatus, and computer program product for detecting computer worms in a network - A worm is a malicious process that autonomously spreads itself from one host to another. To infect a host, a worm must somehow copy itself to the host. The manner in which a worm transmits a copy of itself produces network traffic patterns that can be generalized as a traffic behavior. As a worm spreads itself across the network, the propagation of the traffic behavior can be witnessed as hosts are infected, one after another. By monitoring the network traffic for propagations of traffic behaviors, the presence of a worm can be detected.08-05-2010
20130014262MOBILE COMMUNICATION TERMINAL HAVING A BEHAVIOR-BASED MALICIOUS CODE DETECTION FUNCTION AND DETECTION METHOD THEREOF - A mobile communication terminal comprises: a system unit which performs application installation and removal, outputs an installation completion message upon completion of the application installation, and provides, upon receipt of a request for authority information on the application, the requested authority information; a behavior information database in which behavior information data is stored; and an inspection unit which, upon receipt of the installation completion message from the system unit, makes a request for the authority information to the system unit and receives the authority information, and which compares the authority information with the behavior information data stored in the behavior information database to examine whether or not the application is malicious code.01-10-2013
20130014261HASH-BASED SYSTEMS AND METHODS FOR DETECTING AND PREVENTING TRANSMISSION OF POLYMORPHIC NETWORK WORMS AND VIRUSES01-10-2013
20130014260APPARATUS, SYSTEM, AND METHOD FOR PREVENTING INFECTION BY MALICIOUS CODE - The invention relates to an apparatus for preventing infection by malicious code, comprising: a database in which files installed in an agent system, DNA values for each part of the files, and index information for indicating whether each file is normal or malicious are stored; a calculation unit which calculates a DNA value for a part of a file for which an execution is requested in the agent system; and a file inspection unit which searches the database to extract, in a group, files having the DNA value calculated by the calculation unit, inspects whether an object file is normal or malicious on the basis of the index information on the files extracted in a group, and allows the execution of the object file or makes a request for the calculation of DNA values of other parts which selectively include one part of the object file.01-10-2013
20130014259DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINE - A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim's computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack.01-10-2013
20130014258Controlling Network-Based Applications With Social Media Postings - A content posting associated with a user of the social media service is received. The posting can be submitted to the social media service as a status update or message to the social media account associated with the application. The content posting contains an embedded command. The content posting is processed to generate a request to one or more data sources. The request can be a query for information or an instruction to perform an action (e.g. update a data record). The request is sent to one or more data sources, and a response comprising data from the data source is received. The response is parsed to extract data values which are inserted into pre-configured templates in accordance with the characteristics of the response delivery method preference set by the user and stored in an application user profile. The response delivery method can be a social media service and/or other response delivery method (e.g. SMS or RSS feed). In some embodiments, the formatted response is then sent to the social media service and/or other response delivery method for delivery.01-10-2013
20120151590Analyzing Traffic Patterns to Detect Infectious Messages - Managing electronic messages comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded and preventing the infectious forwarded message from spreading.06-14-2012
20120151589INTELLIGENT SYSTEM AND METHOD FOR MITIGATING CYBER ATTACKS IN CRITICAL SYSTEMS THROUGH CONTROLLING LATENCY OF MESSAGES IN A COMMUNICATIONS NETWORK - A system and method are provided for controlling the latency of messages to enable a network of devices to detect and respond to potential malware. The system and method receive a message at a device and determine whether the message represents potential malware and requires a delay to allow time to detect and respond to potential malware. The amount of the delay associated with the message is determined and the message is processed based on the delay amount.06-14-2012
20120151587Devices, Systems, and Methods for Detecting Proximity-Based Mobile Malware Propagation - Devices, systems, and methods are disclosed which leverage an agent that resides in a mobile communication device to detect Proximity based Mobile Malware Propagation (PMMP). The agent injects one or several trigger network connections in the candidate connection list. These connections appear as legitimate networks and devices. However, the triggers connect to an agent server on a service provider's network. Essentially, the method is based on the assumption that malware lacks the intelligence to differentiate the trigger network connection from a normal one. Therefore, by attempting to connect through the trigger network connection, the malware reveals itself. The system helps collect the malware signature within a short period of time after the malware outbreak in local areas, and such attacks typically bypass network based security inspection in the network.06-14-2012
20130019313GRANULAR VIRUS DETECTION (Inventors: Sandro Piccinini, Luigi Pichetti, Marco Secchi, Stefano Sidoti; Rome, IT) - A group of files for an application installed on a computer system is identified in response to a request to scan the application for malware. The group of files for the application is scanned for the malware. A result is obtained. An action is performed based on the result.01-17-2013
20130024941WINDOWS REGISTRY MODIFICATION VERIFICATION - A method and system are provided by which unauthorized changes to the registry may be detected and which provide the capability to verify whether changes to the registry, or to other system configuration data, that occur on a computer system are undesirable or related to a possible malware attack before the changes become effective or are saved on the system. A method for verifying changes to system configuration data in a computer system comprises generating an identifier representing an entry in the system configuration data, packaging the identifier, and sending the packaged identifier to a client for verification. The identifier may be generated by hashing the first portion of the entry and the second portion of the entry to generate the identifier, or by filtering the first portion of the entry and hashing the filtered first portion of the entry and the second portion of the entry to generate the identifier.01-24-2013
20110247073SYSTEM AND METHOD FOR ADAPTING AN INTERNET AND INTRANET FILTERING SYSTEM - According to the present invention, there is provided a system and method for continuously interfacing with a plurality of computer based event monitoring systems, such as Internet and Intranet filtering systems and/or virus scanning software, to determine whether these systems have detected a non-threatening and/or security threatening event that corresponds with an event pre-determined and recorded within the events list, which contains a plurality of non-threatening and security threatening events that may occur within a computer. Such a detection in turn triggers a classified, targeted and value-adding hypertext message or information to be instantly displayed to the computer user through a browser or user interface instead of an event monitoring system default hypertext security message. Preferably, an editing function is provided that enables the login of authorised authors, including computer administrator/s, to edit and publish targeted and value-adding hypertext messages and information, and preferably a measuring function is provided that enables the login of authorised authors, including computer administrator/s, to define and set up a plurality of metrics that may enable them to measure the effectiveness of the displayed targeted and value-adding hypertext messages and information in terms of being useful, entertaining, educational, interesting or instructional to a computer user through an alternate browser or user interface at the unique point in time when their computer has detected an event.10-06-2011
20110247072Systems and Methods for Detecting Malicious PDF Network Content - Systems and methods for detecting malicious PDF network content are provided herein. According to some embodiments, the methods may include at least the steps of examining received PDF network content to determine if one or more suspicious characteristics indicative of malicious network content are included in the PDF network content, providing PDF network content determined to include at least one suspicious characteristic to one or more virtual machines, and analyzing responses received from the one or more virtual machines to verify the inclusion of malicious network content in the PDF network content determined to include at least one suspicious characteristic.10-06-2011
20110247071Automated Malware Detection and Remediation - Systems and methods for detecting malware in a selected computer that is part of a network of computers. The approach includes inspecting a predetermined set of operational attributes of the selected computer to detect a change in a state of the selected computer. In response to a detected change in state, the selected computer is scanned to create a snapshot of the overall state of the selected computer. The snapshot is transmitted to an analytic system wherein it is compared with an aggregated collection of snapshots previously respectively received from a plurality of computers in the computer network. Based on the comparison, an anomalous state of the selected computer can be identified. In turn, a probe of the selected computer is launched to gather additional information related to the anomalous state of the selected computer so that a remediation action for the anomalous state of the selected computer can be generated.10-06-2011
20110265183SECURE VIRTUALIZATION ENVIRONMENT BOOTABLE FROM AN EXTERNAL MEDIA DEVICE - Methods and systems for creating a secure virtualization environment on a host device, without modifying the host device, the secure virtualization environment bootable from an external media device. A host computing device loads and boots a common operating system image stored on an external media device. A client agent stored on the external media device and executing in the common operating system image creates an adapted operating system image by copying the operating system of the host computing device, eliminating all unnecessary files and data and storing the adapted operating system image to the external media device. The host computing device provides a secure virtualized environment by booting the adapted operating system image.10-27-2011
20080222729Containment of Unknown and Polymorphic Fast Spreading Worms - A worm containment system comprising a host computing machine, a virtual machine running under the control of a virtual machine monitor, a worm detector, a diverter and a buffer. The host computing machine has a host operating system and host application(s). The virtual machine has a clone of the host operating system and a clone of the host application(s). The worm detector is configured to monitor the virtual machine traffic for signs of worm propagation. The splitter is configured to duplicate packets intended for the host computing machine into diverted packets and buffered packets. The diverter is configured to route the diverted packets to the virtual machine. The buffer is configured to store the buffered packets and then forward the buffered packets to the host operating system on indication from the worm detector that no worm propagation behavior was detected.09-11-2008
20080222728Methods and interfaces for executable code analysis - Described are methods of a server for processing an email message. Also described are user interfaces. A user may forward an unopened email message and/or URLs to a service provider for analysis of whether the unopened email message or URL is configured to download executable code. The service provider may operate with a server. The server may determine if executable code is present in the email message and/or is downloadable via a website. The executable code may be determined to be malicious. It is also described that after a service provider has determined whether the email message and/or the URL is configured to download malicious executable code, the user can receive an indication to that effect from the server.09-11-2008
20130179975Method for Extracting Digital Fingerprints of a Malicious Document File - A method for extracting the genetic fingerprinting of a malicious document file includes the steps of establishing a database to store a plurality of genetic fingerprinting data of the first malicious document, then retrieving a document file sent via the Internet, and then proceeding with multi-point detection and extraction on the document file, so as to obtain a multi-point section, then comparing and analyzing the multi-point section against the plurality of genetic fingerprinting data of the first malicious document to confirm whether the multi-point section program code of the document file matches a malicious feature, thereby achieving the goal of extracting the content information of the document file and converting it into the genetic fingerprinting data of a new malicious document.07-11-2013
20130145470DETECTING MALWARE USING PATTERNS - In certain embodiments, a method includes receiving a first file. The method also includes accessing at least one storage module comprising a first malware pattern, a second malware pattern, and a third malware pattern. The second malware pattern is a first permutation of the first malware pattern. The third malware pattern is a second permutation of the second malware pattern and is different than the second malware pattern. The method includes comparing, by at least one processor, the first file to the third malware pattern. In addition, the method includes determining, by the at least one processor, that the first file comprises malware in response to comparing the file to the third malware pattern.06-06-2013
20130179972STORAGE DEVICE WITH INTERNALIZED ANTI-VIRUS PROTECTION - An approach to handling connection errors between an external antivirus server and a storage device is disclosed. The storage device is equipped with an internal antivirus server. Antivirus metadata that describes the antivirus scan is stored in an antivirus metadata repository on the storage device. The connection between the external antivirus server and the storage device is monitored. The external antivirus server executes the antivirus scan on the storage device. If the connection fails, control of the antivirus scan is passed from the external antivirus server to the internal antivirus server. The internal antivirus server determines where to begin based on the antivirus metadata. When the connection is restored, control is passed back to the external antivirus server.07-11-2013
20130179973DETECTING STATUS OF AN APPLICATION PROGRAM RUNNING IN A DEVICE - A detecting system includes a sense terminal and detecting circuitry coupled to the sense terminal. The sense terminal receives an indicative signal indicative of a supply current of a power source. The detecting circuitry calculates variation in the supply current based on the indicative signal, estimates power consumption of an application program residing on a computer-readable medium according to the variation, and detects whether an abnormal condition occurs by comparing the estimated power consumption with a reference.07-11-2013
20130179974INFERRING A STATE OF BEHAVIOR THROUGH MARGINAL PROBABILITY ESTIMATION - Systems, computer-readable media storing instructions, and methods can infer a state of behavior. Such a method can include constructing a graph including nodes representing hosts and domains based on an event dataset. The graph can be seeded with information external to the event dataset. A belief whether each of the nodes is in a particular state of behavior can be calculated based on marginal probability estimation.07-11-2013
20130179976PLANT SECURITY MANAGING DEVICE, MANAGING METHOD AND MANAGING PROGRAM - A technology is provided which ensures high security without affecting plant operation. A plant security managing device includes a determining unit that determines which one of the control units multiplexed as a service system and a standby system associated with monitoring and controlling a plant is the standby system, a security processing unit that performs a security process for detecting the presence/absence of a security abnormality on the control unit that is the standby system, and a change instructing unit that outputs an instruction for swapping the control unit that is the standby system and the control unit that is the service system with each other after the completion of the security process by the security processing unit.07-11-2013
20110271346SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR IDENTIFYING FUNCTIONS IN COMPUTER CODE THAT CONTROL A BEHAVIOR THEREOF WHEN EXECUTED - A security data structure, method and computer program product are provided. In use, computer code is received. Furthermore, functions in the computer code that control a behavior of the computer code when executed are statically identified.11-03-2011
20120255019METHOD AND SYSTEM FOR OPERATING SYSTEM IDENTIFICATION IN A NETWORK BASED SECURITY MONITORING SOLUTION - A method and system for providing network based malware detection in a service provider network is disclosed. Transmission control protocol (TCP) packets originating from an access device coupled to the service provider network, and defining a TCP session between a computing device coupled to the access device and a destination coupled to the service provider network, are received. An operating system identifier (OS ID) associated with the TCP session and the computing device is determined. Whether malware is present in the TCP session, and an associated malware ID, are determined by comparing a malware signature to the one or more TCP packets. An alert identifying a network address associated with the access device, the malware ID and the OS ID associated with the TCP session that generated the alert can then be generated.10-04-2012
20120255018SYSTEM AND METHOD FOR SECURING MEMORY AND STORAGE OF AN ELECTRONIC DEVICE WITH A BELOW-OPERATING SYSTEM SECURITY AGENT - A security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory or a storage of the electronic device may be further configured to: (i) access one or more security rules to determine criteria by which an attempted access involving a transfer of content between the memory and the storage of an electronic device will be trapped; (ii) if the criteria are met, trap, at a level below all of the operating systems of the electronic device, the attempted access of data between memory and storage of an electronic device; and (iii) analyze, at a level below all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware.10-04-2012
20120255017SYSTEM AND METHOD FOR PROVIDING A SECURED OPERATING SYSTEM EXECUTION ENVIRONMENT - In one embodiment, a system for launching a security architecture includes an electronic device comprising a processor and one or more operating systems, a security agent, and a launching module. The launching module comprises a boot manager and a secured launching agent. The boot manager is configured to boot the secured launching agent before booting the operating systems, and the secured launching agent is configured to load a security agent. The security agent is configured to execute at a level below all operating systems of the electronic device, intercept a request to access a resource of the electronic device, the request originating from the operational level of one of one or more operating systems of the electronic device, and determine if a request is indicative of malware. In some embodiments, the secured launching agent may be configured to determine whether the security agent is infected with malware prior to loading the security agent.10-04-2012
20120255016SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM PROTECTION OF AN OPERATING SYSTEM KERNEL - A below-operating system security agent may be configured to: (i) trap attempted accesses to the components of the operating system and the set of drivers executing on the electronic device; (ii) in response to trapping an attempted access, compare contextual information associated with the attempted access to an access map; and (iii) determine if the attempted access is trusted based on the comparison. The access map may be generated by: (i) trapping, at a level below all of the operating systems of a second electronic device accessing components of the second operating system and the second set of drivers executing on the second electronic device and each substantially free of malware, accesses to components of the second operating system and the second set of drivers executing on the second electronic device; and (ii) in response to trapping the accesses, recording contextual information regarding the accesses to the access map.10-04-2012
20120255015METHOD AND APPARATUS FOR TRANSPARENTLY INSTRUMENTING AN APPLICATION PROGRAM - Generally, this disclosure describes systems and methods for transparently instrumenting a computer process. The systems and methods are configured to allow instrumenting executable code while permitting legacy memory scanning tools to monitor corresponding uninstrumented executable code stored in memory.10-04-2012
20120255014SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REPAIR OF RELATED MALWARE-INFECTED THREADS AND RESOURCES - A security agent may be configured to: (i) execute on an electronic device at a level below all of the operating systems of the electronic device accessing a memory or processor resources of the electronic device; (ii) trap attempted accesses to the memory or the processor resources associated with function calls for thread synchronization objects associated with creation, suspension, or termination of one thread by another thread; (iii) in response to trapping each attempted access, record information associated with the attempted access in a history, the information including one or more identities of threads associated with the attempted access; (iv) determine whether a particular thread is affected by malware; and (v) in response to determining that the particular thread is affected by malware, analyze information in the history associated with the particular memory location or processor resource to determine one or more threads related to the particular thread.10-04-2012
20120255013SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM MODIFICATION OF MALICIOUS CODE ON AN ELECTRONIC DEVICE - A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to detect the presence of malicious code, and in response to detecting the presence of the malicious code, modify the malicious code.10-04-2012
20120255012SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REGULATION AND CONTROL OF SELF-MODIFYING CODE - A system for securing an electronic device may include a memory, a processor; one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location.10-04-2012
20130139264APPLICATION SANDBOXING USING A DYNAMIC OPTIMIZATION FRAMEWORK - A method for preventing malware attacks includes, launching an application on an electronic device, intercepting one or more instructions from the application, determining whether the one or more instructions includes an attempt to access a sensitive system resource of the electronic device, rewriting the one or more instructions to access the secured system resource of the electronic device, executing the rewritten instructions on the electronic device, and observing the results of the rewritten instructions. The application is attempting to execute the one or more instructions.05-30-2013
20130091576WIRELESS COMMUNICATION SYSTEM CONGESTION REDUCTION SYSTEM AND METHOD - A messaging server forwards emails to mobile communication devices of users to whom the emails were respectively addressed. An antivirus server determines whether an email addressed to a user of a mobile communication device, to be forwarded by the messaging server to the mobile communication device, is infected with a virus. In response to determining the email is infected with a virus, a bulletin generator transmits, to the mobile communication devices besides the mobile communication device of the addressee of the email determined to be infected, an all points bulletin message disclosing the existence of the virus. The bulletin message is transmitted directly to, instead of via email to, the wireless mobile communication devices.04-11-2013
20130091574INCIDENT TRIAGE ENGINE - An incident triage engine performs incident triage in a system by prioritizing responses to incidents within the system. One prioritization method may include receiving attributes of incidents and assets in the system, generating cumulative loss forecasts for the incidents, and prioritizing the responses to the incidents based on the cumulative loss forecasts for the incidents. Another prioritization method may include determining different arrangements of incidents within a response queue, calculating cumulative queue loss forecasts for the different arrangements of incidents within the response queue, and arranging the incidents in the response queue based on the arrangement of incidents that minimizes the total loss to the system over the resolution of all of the incidents present in the response queue.04-11-2013
20130097707TERMINAL AND METHOD FOR TERMINAL TO DETERMINE FILE DISTRIBUTOR - Provided are a terminal and a file distributor determining method of the terminal. According to embodiments of the present invention, files pre-executed in the terminal and distributor information of the files are cached. When a new file is generated in the terminal, the new file and the cached files are compared, and distributor information of the new file is extracted so as to prevent the spread of a malicious code in advance.04-18-2013
20130097705IDENTIFICATION OF ELECTRONIC DOCUMENTS THAT ARE LIKELY TO CONTAIN EMBEDDED MALWARE - The present invention provides a method for determining the likelihood that an electronic document contains embedded malware. After parsing or sequencing an electronic document, the metadata structures that make up the document are analyzed. A number of pre-established rules are then applied with respect to certain metadata structures that are indicative of embedded malware. The application of these rules results in the generation of a score for the electronic document being tested for embedded malware. The score is then compared to a threshold value, where the threshold value was previously generated based on a statistical model relating to electronic documents having the same format as the document being tested. The result of the comparison can then be used to determine whether the document being tested is or is not likely to contain embedded malware.04-18-2013
20130104234Defensive Techniques to Increase Computer Security - Among other disclosed subject matter, a computer-implemented method includes initializing a first descriptor table and a second descriptor table. The first descriptor table is associated with a first permission level and the second descriptor table is associated with a second permission level that is different from the first permission level. The first descriptor table and the second descriptor table are associated with a hardware processor and initialized by an operating system kernel. The method also includes providing a memory address associated with the first descriptor table, in response to a descriptor table address request. The descriptor table address request is provided by a software process. The method also includes updating the second descriptor table, in response to an update request.04-25-2013
20130104235 | DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES | Systems and methods for content filtering are provided. According to one embodiment, a type and structure of an archive file are determined. The archive file includes identification bytes that identify the type of archive file and header information both in unencrypted and uncompressed form and a file data portion containing contents of files in encrypted form, compressed form or both. The determination is based solely on the identification bytes and/or the header information. Based thereon, descriptive information, describing characteristics of the files, is extracted from the header information for each file. The descriptive information includes a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in compressed form. A file is identified as being potentially malicious or undesired when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match. | 04-25-2013
20130125238 | CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS | Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a first set of Server Message Block/Common Internet File System (SMB/CIFS) protocol requests originated by a first process running on a client and relating to a file associated with a share of a server and a second set of SMB/CIFS protocol requests originated by a second process running on the client and relating to the file are transparently proxied by a gateway device. The existence or non-existence of malicious, dangerous or unauthorized content contained within the file is determined by the gateway device by (i) buffering data being read from or written to the file as a result of the first and second set of SMB/CIFS protocol requests into a shared file buffer; and (ii) performing content filtering on the shared file buffer when a scanning condition is satisfied. | 05-16-2013
20130145469 | PREVENTING AND DETECTING PRINT-PROVIDER STARTUP MALWARE | A method for preventing malware attacks includes detecting an attempt on an electronic device to modify a print service registry, determining an entity associated with the attempt to modify the print service registry, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the modification to the print service registry. The print service registry is configured to store configuration information about mechanisms to be used when printing from the electronic device. | 06-06-2013
20130097706 | AUTOMATED BEHAVIORAL AND STATIC ANALYSIS USING AN INSTRUMENTED SANDBOX AND MACHINE LEARNING CLASSIFICATION FOR MOBILE SECURITY | The present system includes a computer-networked system that allows mobile subscribers, and others, to submit mobile applications to be analyzed for anomalous and malicious behavior using data acquired during the execution of the application within a highly instrumented and controlled environment, for which the analysis relies on per-execution as well as comparative aggregate data across many such executions from one or more subscribers. | 04-18-2013
20110214186 | TRUSTED OPERATING ENVIRONMENT FOR MALWARE DETECTION | Described herein are techniques and apparatuses for scanning a computing device for malware and/or viruses. In various embodiments, a trusted operating environment, which may include a trusted operating system and/or a trusted antivirus tool, may be utilized with respect to a computing device. More particularly, the trusted operating system may be used to boot the computing device. Moreover, the trusted antivirus tool may search the computing device for malware definition updates (e.g., virus signature updates) and use the trusted operating system to scan the computing device for malware. In other embodiments, the trusted antivirus tool may scan the computing device and remove any viruses detected by the trusted antivirus tool. The trusted operating system may then reboot the computing device into a clean environment once any detected viruses are removed. | 09-01-2011
20120278892 | Updating anti-virus software | A method of updating an anti-virus application including an updatable module running on a client terminal. The method includes receiving an update at the client terminal, initialising the updatable module within a sandbox environment and applying the update to the updatable module. Control tests are then run on the updated sandboxed module and, if the control tests are passed, the updated module is brought out of the sandbox environment and normal scanning is allowed to proceed using the updated module. If the control tests are not passed, however, normal scanning using the updated module is prevented. | 11-01-2012
20110258702 | SYSTEM AND METHOD FOR NEAR-REAL TIME NETWORK ATTACK DETECTION, AND SYSTEM AND METHOD FOR UNIFIED DETECTION VIA DETECTION ROUTING | A system includes a processor. The processor is configured to receive network traffic that includes a data block. The processor will generate a unique identifier (UID) for the file that includes a hash value corresponding to the file. The processor will determine whether the file is indicated as good or bad with the previously-stored UID. The processor will call a file-type specific detection nugget corresponding to the file's file-type to perform a full file inspection to detect whether the file is good or bad and store a result of the inspection together with the UID of the file, when the file is determined to be not listed in the previously-stored UIDs. The processor will not call the file-type specific detection nugget when the file's indicator is "good" or "bad" in the previously-stored UIDs. The processor will issue an alert about the bad file when the file's indicator is "bad". | 10-20-2011
20130152200 | Predictive Heap Overflow Protection | A method for preventing malware attacks includes identifying a set of data whose malware status is not known to be safe, launching an application using the data, determining that one or more prior memory allocations have been created by the application, determining that a new memory allocation has been created by the application, comparing the new memory allocation to the prior memory allocations, and, based on the comparison, determining whether the data includes malware. | 06-13-2013
20130152201 | Adjunct Computing Machine for Remediating Malware on Compromised Computing Machine | Described is a technology by which a malware-compromised machine, such as a personal computer, is cleaned through the use of a functional adjunct machine, such as a mobile device (or vice-versa). The functional adjunct machine performs actions on behalf of the malware-compromised machine and/or to assist the remediation. This may include downloading antimalware-related data (e.g., an application, antimalware code, signature updates and/or the like) via a marketplace/application store, and transferring at least some of the data and/or programs to the compromised machine. Other actions may include using the functional adjunct machine to boot the malware-compromised machine into a non-compromised state and providing the data or programs to allow remediation of the malware while in this state. | 06-13-2013
20130152203 | OPERATION OF A DUAL INSTRUCTION PIPE VIRUS CO-PROCESSOR | Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a method for virus processing content objects is provided. A content object is stored within a system memory by a general purpose processor using a virtual address. Most recently used entries of a page directory and a page table of the system memory are cached within a translation lookaside buffer (TLB) of a virus co-processor. Instructions are read from a virus signature memory of the co-processor. Those of a first type are assigned to a first of multiple instruction pipes of the co-processor. The first instruction pipe executes an instruction including accessing a portion of the content object by performing direct virtual memory addressing of the system memory using a physical address derived based on the virtual address and the TLB and comparing it to a string associated with the instruction. | 06-13-2013
20130152202 | APPARATUS AND METHOD FOR ANALYZING MALWARE IN DATA ANALYSIS SYSTEM | An apparatus and method for analyzing malware in a data analysis system are provided. The apparatus includes a data analysis unit and a controller. The data analysis unit sorts data into primary harmful data and primary harmless data using screening data information of malicious code information and virus information. The controller screens or deletes the primary harmful data, and sends a request for precision analysis of the primary harmless data to a server. The data analysis unit sorts secondary harmful data from the primary harmless data using the precision analysis result received from the server. | 06-13-2013
20130091575 | ANTIVIRUS SYSTEM AND METHOD FOR REMOVABLE MEDIA DEVICES | A removable media device, which may be a USB attached device or other type of removable media device, includes a software program located on the device which, upon startup or access, scans one or more of electronic files stored on the removable media device and electronic files being transferred to or from the electronic media device and to or from a host computing system for the detection of viruses therein. The software program is further configured to block the transfer of detected virus-containing electronic files and to disallow the copy or writing of files to or from the removable media device to or from a host computing system that cannot be scanned. The software program is further configured to block the encryption of files being written to a removable media device if such device contains hardware or software encryption and if such files cannot be scanned. | 04-11-2013
20100299755 | ANTI-VIRUS/SPAM METHOD IN MOBILE RADIO NETWORKS | The invention concerns a process to protect against viruses/spam in mobile broadcast networks containing convergent messaging services with transmission of protocol data, characterized by having functions included in the protocol of the convergent messaging service which facilitate the exchange of virus/spam information between the network components of one or more network operators. The invention has the objective of providing a process for convergent messaging systems that will facilitate the exchange of information regarding viruses and spam across network and platform boundaries in order to combat their widespread dissemination. | 11-25-2010
20100299754 | Identifying Security Breaches Caused by Web-Enabled Software Applications | Identifying a security breach caused when a computer-based software application uses a computer-based web browser application, including identifying at least one function within a computer-based software application that causes a computer-based web browser application to access data from a source that is external to the software application, at least partially replacing the data with malicious content that is configured to cause a predefined action to occur when the malicious content is accessed by the web browser application, where the predefined action is associated with a known security breach when the predefined action occurs subsequent to the malicious content being accessed by the web browser application, causing the software application to perform the function, and determining whether the predefined action is performed. | 11-25-2010
20120260342 | Malware Target Recognition | A method, apparatus and program product are provided to recognize malware in a computing environment having at least one computer. A sample is received. An automatic determination is made by the at least one computer to determine if the sample is malware using static analysis methods. If the static analysis methods determine the sample is malware, dynamic analysis methods are used by the at least one computer to automatically determine if the sample is malware. If the dynamic analysis methods determine the sample is malware, the sample is presented to a malware analyst to adjudicate the automatic determinations of the static and dynamic analyses. If the adjudication determines the sample is malware, a response action is initiated to recover from or mitigate a threat of the sample. | 10-11-2012
20120284796 | PROTECTION OF A VOLATILE MEMORY AGAINST VIRUSES BY MODIFICATION OF THE CONTENT OF AN INSTRUCTION | A method for protecting a volatile memory against a virus, wherein: rights of writing, reading, or execution are assigned to certain areas of the memory; and a first list of opcodes for which the access to the areas is authorized or forbidden is associated with each of these areas. | 11-08-2012
20130160127 | SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE OF PDF DOCUMENT TYPE | Disclosed herein is a PDF document type malicious code detection system for efficiently detecting a malicious code embedded in a document type and a method thereof. The present invention may perform a dynamic and static analysis on JavaScript within a PDF document, and execute the PDF document to perform a PDF dynamic analysis, thereby achieving an effect of efficiently extracting a malicious code embedded in the PDF document. | 06-20-2013
20130160125 | METHOD AND SYSTEM FOR RAPID SIGNATURE SEARCH OVER ENCRYPTED CONTENT | A method for detecting malware includes dividing data to be scanned for malware into at least a first data segment and a second data segment, dividing a signature corresponding to an indication of malware into at least a first signature segment and a second signature segment, performing a relationship function on the first signature segment and the second signature segment yielding a first result, performing the relationship function on the first data segment and the second data segment yielding a second result, comparing the first result and the second result, and, based on the comparison, determining that the data includes information corresponding to the signature. The relationship function characterizes the relationship between at least two information sets. | 06-20-2013
20130185798 | IDENTIFYING SOFTWARE EXECUTION BEHAVIOR | The present invention extends to methods, systems, and computer program products for identifying software execution behavior. Embodiments of the invention can be used to assist a user in making a reasoned and informed decision about whether the behavior of executable code is malicious. Data indicative of executable code behavior can be collected statically without having to execute the executable code. Behavior data can be collected essentially automatically with little, if any, user involvement. A user initiates analysis of executable code and is provided a visual categorized representation of behavior data for the executable code. | 07-18-2013
20130185800 | ANTI-VIRUS PROTECTION FOR MOBILE DEVICES | A computing device, machine-readable medium, and method associated with identifying viruses on a mobile device are disclosed. In embodiments, a computing device may include a communication interface, one or more storage media containing instructions, and a processing unit coupled to the communication interface and the one or more storage media. The instructions, when executed by the processor, may configure the computing device to analyze files, received by the computing device, for the presence of a virus. The instructions, when executed by the processor, may further notify the mobile device when the presence of a virus is detected. | 07-18-2013
20110289585 | Systems and Methods for Policy-Based Program Configuration | Disclosed are systems, methods and computer program products for adaptive policy-based configuration of programs. An example method comprises collecting configuration and performance information from a computer system and rating system performance based on the collected information. The method further includes selecting, based on the performance rating, an operational policy for a computer program. The policy specifies program settings and limits of system resource utilization by the program. The method further includes monitoring system resource utilization during program execution on the computer system to determine whether system resource utilization exceeds the limit specified in the operational policy. If the system resource utilization exceeds the specified limit, the method selects another policy specifying different program settings and a different limit of system resource utilization. | 11-24-2011
20110314548 | ANTI-MALWARE DEVICE, SERVER, AND METHOD OF MATCHING MALWARE PATTERNS | An efficient virus detection, malware detection, and packet filtering system in a mobile device is provided by supplying optimized hash functions from a server to the mobile device that reduce hash collisions during the virus detection, malware detection, and packet filtering in a system-on-chip configuration. | 12-22-2011
20110314547 | ANTI-MALWARE SYSTEM AND OPERATING METHOD THEREOF | An anti-malware device and an operating method thereof are provided. The operating method includes: filtering, by a first logic unit of the processor, input data based on a rule; and scanning, by a second logic unit of the processor, for malware in the data, the filtering and the scanning being performed at the same time. Accordingly, the security of the packet data is tightened. | 12-22-2011
20110314546 | Electronic Message Analysis for Malware Detection | An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource locator (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system. | 12-22-2011
20110321163 | PLATFORM FOR A COMPUTER NETWORK | A platform for a computer network for managing and sharing mostly unstructured data passing through said network, and having an infrastructure including an information system having a database and/or data servers, as well as terminals from which the users generate, modify or consult data of the information system, where the information system includes unique data to be shared and is insulated from the terminals of the users by an application that manages the accessibility to said information system and/or the security of the unique data contained by the same by a physical disconnection of the network protocol used for communication between the information system and the terminals of the users. | 12-29-2011
20130191918 | Identifying Trojanized Applications for Mobile Environments | Trojanized apps for mobile environments are identified. Multiple apps for a specific mobile environment are obtained from one or more external sources. Code and digital signers are extracted from the apps and stored. For each given specific one of the obtained apps, the code of the specific app is compared to the code of other obtained apps, to determine whether the specific app 1) contains at least a predetermined threshold amount of code in common with one of the other apps, and 2) contains additional code not contained therein. If so, the digital signer of the specific app is compared to the digital signer of the other app. If it is also the case that the digital signer of the specific app is not the same as the digital signer of the other app, the specific app is identified as being trojanized. | 07-25-2013
20120023583 | SYSTEM AND METHOD FOR PROACTIVE DETECTION OF MALWARE DEVICE DRIVERS VIA KERNEL FORENSIC BEHAVIORAL MONITORING AND A BACK-END REPUTATION SYSTEM | A method for detecting malware device drivers includes the steps of identifying one or more device drivers loaded on an electronic device, analyzing the device drivers to determine suspicious device drivers, accessing information about the suspicious device drivers in a reputation system, and evaluating whether the suspicious device drivers include malware. The suspicious device drivers are not recognized as not including malware. The reputation system is configured to store information about suspicious device drivers. The evaluation is based upon historical data regarding the suspicious device driver. | 01-26-2012
20120030766 | METHOD AND SYSTEM FOR DEFINING A SAFE STORAGE AREA FOR USE IN RECOVERING A COMPUTER SYSTEM | A method for defining an area to record changes made to a computer system is disclosed. The method includes defining a safe area on a primary storage device of the computer system and storing information on the location of the safe area on a secondary storage device. The method further includes booting the computer system utilizing a backup device and changing data on the primary storage device. The changes are recorded in the safe area of the primary storage device and are accessible when the computer system is booted from the backup device. | 02-02-2012
20120030765 | OPERATION METHOD OF AN ANTI-VIRUS STORAGE DEVICE HAVING A STORAGE DISK AND A READ-ONLY MEMORY | An operation method of an anti-virus storage device having a storage disk and a read-only memory includes connecting the storage device to a host and displaying a single disk name on an interface of an operating system of the host, executing an anti-virus application program corresponding to the operating system, wherein the anti-virus application program is stored in the read-only memory, generating a hidden partition in the storage disk, wherein the hidden partition comprises an anti-virus engine and a virus pattern, and starting up the anti-virus engine, enabling a main storage partition and only displaying a disk name of the main storage partition on the interface of the operating system. If the anti-virus application program has no execution file corresponding to the operating system, a user using the anti-virus storage device decides whether to enable and display the main storage partition without executing the anti-virus application program. | 02-02-2012
20130198843 | ANTIVIRUS SCAN DURING A DATA SCRUB OPERATION | For an antivirus scan during a data scrub operation, an antivirus scan is concurrently performed as an overlap with the data scrub operation, wherein the data scrub operation periodically inspects and corrects memory errors. | 08-01-2013
20130198844 | ANTIVIRUS SCAN DURING A DATA SCRUB OPERATION | For an antivirus scan during a data scrub operation, an antivirus scan is concurrently performed as an overlap with the data scrub operation, wherein the data scrub operation periodically inspects and corrects memory errors. | 08-01-2013
20120297489 | COMPUTER NETWORK INTRUSION DETECTION | A method and system of identifying an attacker device attempting an intrusion into a network. At least one managed device of the network detects an incoming TCP/IP connection by the attacker device to the network. It is determined that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device; the invalid logon is linked with the NetBIOS TCP/IP connection, event log information is retrieved from a security event log of the network, and it is determined (i) that a userid of the invalid logon is a local userid defined on a local device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid nor is in the list of userids. The retrieved event log information is stored in a central violation database. | 11-22-2012
20120060220 | SYSTEMS AND METHODS FOR COMPUTER SECURITY EMPLOYING VIRTUAL COMPUTER SYSTEMS | A method, system, and computer program product for computer protection, including a protected computer having a protected operating system; and a secure operating system having a first virtual copy of at least a portion of the protected operating system and one or more security mechanisms configured to analyze potentially malicious code before the code is used by the protected computer. | 03-08-2012
20130205396 | Detecting Malicious Software | A computer implemented method, apparatus, and program code for detecting malicious software components. A series of calls made by a software component is monitored to identify an identified respective series of call types to components named in said calls. A determination is made as to whether the identified respective series of call types to components named in said calls is indicative of malicious behavior. | 08-08-2013
20130205395 | PRE-BOOT FIRMWARE BASED VIRUS SCANNER | The present disclosure relates to allowing the utilization of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation and, more particularly, to allowing the utilization of a virus scanner and cleaner that operates primarily during the loading of an operating system. | 08-08-2013
20120072989 | INFORMATION PROCESSING SYSTEM, MANAGEMENT APPARATUS, AND INFORMATION PROCESSING METHOD | In an information processing system, a management apparatus reads all data from a storage device connected to an information processing apparatus, and stores the data as one image file in a backup storage device. A virus detection apparatus performs a virus detection process on the image file stored in the backup storage device in response to a request from the management apparatus, and if a computer virus is detected, performs a virus removal process on the image file. When the virus removal process is completed, the management apparatus reads and writes the image file from the backup storage device back to the storage device. | 03-22-2012
20120096556 | SYSTEM AND METHOD FOR IDENTIFYING MALICIOUS ACTIVITIES THROUGH NON-LOGGED-IN HOST USAGE | A method for identifying malware activities, implemented within a computer infrastructure, includes receiving a data communication via a data channel and determining a user is not interactively logged in to a host. Additionally, the method includes identifying the data communication as a potential malware communication in response to the determining that the user is not interactively logged in to the host. | 04-19-2012
20120096555 | SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION | The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of "known good," "known bad," and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device. | 04-19-2012
20120096554 | Malware identification | A method for identifying a data collection as malware, comprising the steps of parsing the data collection to generate program code and to verify conformance to a language syntax, emulating the interaction between the program code and a processor, detecting presence of a portion of the program code that is likely to have been added to the program code for the purpose of avoiding detection by malware detection programs, and, in the presence of such code, identifying the data collection as malware. | 04-19-2012
20120096553 | Social Engineering Protection Appliance | Methods and systems for detecting social engineering attacks comprise: extracting one or more non-semantic data items from an incoming email; determining whether the one or more non-semantic data items match information stored in a data store of previously collected information; performing behavioral analysis on the one or more non-semantic data items; analyzing semantic data associated with the email to determine whether the non-semantic data matches one or more patterns associated with malicious emails; and, based on the determining, performing, and analyzing, identifying the email as potentially malicious or non-malicious. The system also includes processes for collecting relevant information for storage within the data store and processes for harvesting information from detected social engineering attacks for entry into the data store and seeding of the collection processes. | 04-19-2012