Entries

Document | Title | Date |
--- | --- | --- |
20080209562 | Metamorphic Computer Virus Detection - The executions of computer viruses are analyzed to develop register signatures for the viruses. The register signatures specify the sets of outputs the viruses produce when executed with a given set of inputs. A virus detection system (VDS) ( | 08-28-2008 |
20080216176 | HARDWARE-ASSISTED ROOTKIT BLOCKER FOR NETWORKED COMPUTERS - A hardware-assisted security system for networked computers can detect, prevent, and mitigate rootkits. The solution relies upon an add-on card that monitors the system, alerting administrators when malicious changes are made to a system. The technical detail lies in the techniques needed to detect rootkits, preventing rootkits when possible, and granting administration of protected systems. A beneficial side-effect of the solution is that it allows many other security features, like system auditing, forensic capabilities to determine what happened after an attack, and hardware lock-down of important system resources. | 09-04-2008 |
20080222728 | Methods and interfaces for executable code analysis - Described are methods of a server and for processing an email message. Also described are user interfaces. A user may forward an unopened email message and/or URLs to a service provider for analysis of whether the unopened email message or URL is configured to download executable code. The service provider may operate with a server. The server may determine if executable code is present in the email message and/or is downloadable via a website. The executable code may be determined to be malicious. It is also described that after a service provider has determined whether the email message and/or the URL is configured to download malicious executable code, the user can receive an indication to that effect from the server. | 09-11-2008 |
20080222729 | Containment of Unknown and Polymorphic Fast Spreading Worms - A worm containment system comprising a host computing machine, a virtual machine running under the control of a virtual machine monitor, a worm detector, a diverter and a buffer. The host computing machine has a host operating system and host application(s). The virtual machine has a clone of the host operating system and a clone of the host application(s). The worm detector is configured to monitor the virtual machine traffic for signs of worm propagation. The splitter is configured to duplicate packets intended for the host computing machine into diverted packets and buffered packets. The diverter is configured to route the diverted packets to the virtual machine. The buffer is configured to store the buffered packets and then forward the buffered packets to the host operating system on indication from the worm detector that no worm propagation behavior was detected. | 09-11-2008 |
20080229419 | Automated identification of firewall malware scanner deficiencies - Automated identification of deficiencies in a malware scanner contained in a firewall is provided by correlating incident reports that are generated by desktop protection clients running on hosts in an enterprise that is protected by the firewall. A desktop protection client scans a host for malware incidents, and when detected, analyzes the host's file access log to extract one or more pieces of information about the incident (e.g., identification of a process that placed the infected file on disk, an associated timestamp, file or content type, malware type, hash of such information, or hash of the infected file). The firewall correlates this file access log information with data in its own log to enable the firewall to download the content again and inspect it. If malware is detected, then it is assumed that it was missed when the file first entered the enterprise because the firewall did not have an updated signature. However, if the malware is not detected, then there is a potential deficiency. | 09-18-2008 |
20080235800 | Systems And Methods For Determining Anti-Virus Protection Status - A method to automatically determine a computer's current level of anti-virus protection is described. When a client machine submits a request, a request filter determines if the version of the anti-virus protection software present on the user's computer is sufficient to allow access to the requested destination. If the version of anti-virus software on the client machine is not sufficient, then the request filter directs the request to an alternate location. | 09-25-2008 |
20080256635 | Method and System for Detecting Malware Using a Secure Operating System Mode - The present disclosure is directed to a method and system for detecting malware using a secure operating system mode. In accordance with a particular embodiment of the present disclosure a file is received. The file is stored in a secure directory. At least one operation is prevented on the file. A secure operating system mode is started to detect whether the file comprises malware. | 10-16-2008 |
20080256636 | Method and System for Detecting Malware Using a Remote Server - The present disclosure is directed to a method and system for detecting malware using a remote server. In accordance with a particular embodiment of the present disclosure a hash value for a file is generated. The hash value is transmitted to a remote server. A notification is received from the remote server indicating whether the file comprises malware. At least one operation on the file is prevented if the notification indicates the file comprises malware. | 10-16-2008 |
20080263669 | SYSTEMS, APPARATUS, AND METHODS FOR DETECTING MALWARE - Various embodiments, including a method comprising creating a first fuzzy fingerprint of a known malware file, the first fuzzy fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file, creating a second fuzzy fingerprint of a file to be checked, the second fuzzy fingerprint including a second set of calculated complexity approximations and weightings for each of a plurality of blocks within the file to be checked, comparing the second fuzzy fingerprint to the first fuzzy fingerprint, calculating a similarity probability for each of the block-wise comparisons, the calculation including respective weightings for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including a distance between the compared blocks; and calculating an overall similarity probability for the plurality of blocks compared. | 10-23-2008 |
20080263670 | Methods, software and apparatus for detecting and neutralizing viruses from computer systems and networks - Methods, software or computer programs, and apparatus for detecting viruses and mitigating their harm to computers communicating through a gateway node to another network are disclosed. Upon detection of a virus in an incoming data stream or plurality of data packets directed to a gateway device or node, the data requesting recipient is notified and provided with a plurality of pre-defined virus handling action options. If the recipient, or designated proxy, fails to select an action option, then a random selection is made. If a selection is made, then that selection, to the exclusion of other action options, is carried out. Thus, the recipient is empowered to dynamically select, as circumstances dictate and without future prejudice, the appropriate response upon detection of a particular virus. Action options may include data encryption and forwarding with recipient notification, or where email is the vector, attachment removal and location link insertion may be used. Software embodiments of the invention provide the machine readable instructions to carry out the methods according to the invention. | 10-23-2008 |
20080271147 | Pattern matching for spyware detection - Spyware programs are detected even if their binary code is modified by normalizing the available code and comparing it to known spyware patterns. Upon normalizing the known spyware code patterns, a signature of the normalized code is generated. Similar normalization techniques are employed to reduce the executable binary code as well. A match between the normalized spyware signature and the patterns in the normalized executable code is analyzed to determine whether the executable code includes known spyware. For pattern matching, Deterministic Finite Automata (DFA) are constructed for basic blocks and simulated on the basic blocks of the target executable, hash codes are generated for instructions in the target code and known spyware code and compared, register usages are replaced with common variables and compared, and finally Directed Acyclic Graphs (DAGs) of all blocks are constructed and compared to catch reordering of mutually independent instructions and renamed variables. | 10-30-2008 |
20080271148 | ANTI-WORM PROGRAM, ANTI-WORM APPARATUS, AND ANTI-WORM METHOD - An anti-worm program allows a computer to execute control of communication suspected as worm communication, the program allowing the computer to execute: a communication information acquisition step that acquires communication information which is information concerning communication from a target source; and a communication control step that has a control amount calculation formula for calculating the control amount of the communication from the target source using the communication information and performs control of the communication from the target source based on the communication control amount obtained using the control amount calculation formula. | 10-30-2008 |
20080271149 | ANTIVIRAL NETWORK SYSTEM - An apparatus and program product initiate generation of a metafile at a client computer. The metafile is evaluated at a network server for a potential viral risk. Program code executing at the server may correlate the evaluated potential risk to a risk level stored in a database. The program code may attach a color designator or other assignment indicative of the assessed risk level to the data. A user at the client computer may act on the data based on the attached risk level. | 10-30-2008 |
20080282349 | Computer Virus Identifying Information Extraction System, Computer Virus Identifying Information Extraction Method, and Computer Virus Identifying Information Extraction Program - To enable quick extraction of computer virus identifying information. | 11-13-2008 |
20080282350 | Trusted Operating Environment for Malware Detection - Techniques and apparatuses for scanning a computing device for malware are described. In one implementation, a trusted operating environment, which includes a trusted operating system and a trusted antivirus tool, is embodied on a removable data storage medium. A computing device is then booted from the removable data storage medium using the trusted operating system. The trusted antivirus tool searches the computing device for malware definition updates (e.g., virus signature updates) and uses the trusted operating system to scan the computing device for malware. In another implementation, a computing device is booting from a trusted operating system on a removable device and a trusted antivirus tool on the removable device scans the computing device for malware. The removable device can update its own internal components (e.g., virus signatures and antivirus tool) by searching the computing device or a remote resource for updates and authenticating any updates that are located. | 11-13-2008 |
20080282351 | Trusted Operating Environment for Malware Detection - Techniques and apparatuses for scanning a computing device for malware are described. In one implementation, a trusted operating environment, which includes a trusted operating system and a trusted antivirus tool, is embodied on a removable data storage medium. A computing device is then booted from the removable data storage medium using the trusted operating system. The trusted antivirus tool searches the computing device for malware definition updates (e.g., virus signature updates) and uses the trusted operating system to scan the computing device for malware. In another implementation, a computing device is booting from a trusted operating system on a removable device and a trusted antivirus tool on the removable device scans the computing device for malware. The removable device can update its own internal components (e.g., virus signatures and antivirus tool) by searching the computing device or a remote resource for updates and authenticating any updates that are located. | 11-13-2008 |
20080289041 | TARGET DATA DETECTION IN A STREAMING ENVIRONMENT - In embodiments of the present invention improved capabilities are described for a data stream scanner. The present invention may provide for a first data portion received in association with a data stream, and the first data portion may be analyzed to make an assessment. An identity pool may then be selected from a universe of identities based on the assessment, and identities from the identity pool may be selected in a scanning process to analyze a second data portion from the data stream. In addition, the identity pool may be altered based on information obtained during the analysis of the second data portion, wherein the information obtained during the second data portion analysis may indicate the data stream is different from that projected when making the assessment based on the analysis of the first data portion. | 11-20-2008 |
20080289042 | Method for Identifying Unknown Virus and Deleting It - A method for identifying an unknown virus program includes: getting the behavior data of the program to be tested, and determining whether the said program is a virus program or not based on the behavior data of said program and the behavior data of preset typical virus programs. A method for deleting the virus program sets and performs, according to the behavior of the virus program, an anti-operation which is the reverse of the virus program's operation, and gets back the destroyed data. | 11-20-2008 |
20080295176 | Anti-virus Scanning of Partially Available Content | 11-27-2008 |
20080295177 | ANTIVIRAL NETWORK SYSTEM | 11-27-2008 |
20080301812 | Method and system for counting new destination addresses - Packets of a certain type from a certain source are directed to a system that estimates the set of destinations and the number of new destinations for which that source has sent packets during a time window T | 12-04-2008 |
20080307527 | APPLYING A POLICY CRITERIA TO FILES IN A BACKUP IMAGE - Provided are a method, system, and article of manufacture for applying a policy criteria to files in a backup image. A backup image of files in a file system is maintained. A policy is applied to the files in the backup image to determine files satisfying a policy criteria. A list is prepared indicating the determined files. The determined files in the file system are accessed and a deferred operation indicated in the applied policy is applied to the accessed files in the file system. | 12-11-2008 |
20080313738 | Multi-Stage Deep Packet Inspection for Lightweight Devices - A system and method for the multi-stage analysis of incoming packets. Three stages are used, each of which addresses a particular category of threat by examining the headers and/or payload of each packet (“deep packet inspection”). The first stage detects incoming viruses or worms. The second stage detects malicious applications. The third stage detects attempts at intrusion. These three stages operate in sequence, but in alternative embodiments of the invention, they may be applied in a different order. These three stages are followed by a fourth stage that acts as a verification stage. If any of the first three stages detects a possible attack, then the packet or packets that have been flagged are routed to a central verification facility. In an embodiment of the invention, the verification facility is a server, coupled with a database. Here, suspect packets are compared to entries in the database to more comprehensively determine whether or not the packets represent an attempt to subvert the information processing system. | 12-18-2008 |
20080320594 | Malware Detector - The malware detection system enables out-of-the box, tamper-resistant malware detection without losing the semantic view. This system comprises at least one guest operating system and at least one virtual machine, where the guest operating system runs on the virtual machine. Having virtual resources, the virtual machine resides on a host operating system. The virtual resources include virtual memory and at least one virtual disk. A virtual machine examiner is used to examine the virtual machine. With a virtual machine inspector, a guest function extrapolator, and a transparent presenter, the virtual machine examiner resides outside the virtual machine. The virtual machine inspector is configured to retrieve virtual machine internal system states and/or events. The guest function extrapolator is configured to interpret such states and/or events. The transparent presenter is configured to present the interpreted states and/or events to anti-malware software. The anti-malware software is configured to use the interpreted states and/or events to detect any system compromise. | 12-25-2008 |
20080320595 | Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine - An automated analysis system identifies the presence of malicious P-code or N-code programs in a manner that limits the possibility of the malicious code infecting a target computer. The target computer system initializes an analytical virtual P-code engine (AVPE). As initialized, the AVPE comprises software simulating the functionality of a P-code or intermediate language engine as well as machine language facilities simulating the P-code library routines that allow the execution of N-code programs. The AVPE executes a target program so that the target program does not interact with the target computer. The AVPE analyzes the behavior of the target program to identify occurrence of malicious code behavior and to indicate in a behavior pattern the occurrence of malicious code behavior. The AVPE is terminated at the end of the analysis process, thereby removing from the computer system the copy of the target program that was contained within the AVPE. | 12-25-2008 |
20090007268 | Tracking computer infections - A technique is disclosed for tracking a virus. For each of at least a subset of received network packets it is determined whether the packet comprises an open packet. Information usable to determine a sender of the packet, in the event that a virus associated with a network transmission with which the packet is associated is determined to have been received, is copied from each packet determined to be an open packet, but not from at least a subset of packets not determined to be open packets. | 01-01-2009 |
20090013408 | Detection of exploits in files - A scanning system for scanning computer files for exploits uses a database of validation rules, in respect of each of a plurality of file formats comprising data fields having a predetermined structure, the validation rules specifying valid structure and/or content for the data fields of the respective file format. Files are analysed to determine their file format. A validation process is performed comprising parsing the file to determine the structure and content of its data fields and validating the structure and/or content of the data fields of the file against the validation rules stored in the database in respect of the determined file format of the file. A file is determined to contain an exploit in response to the structure and/or content of the data fields of the file failing to be validated. | 01-08-2009 |
20090013409 | Malware automated removal system and method - The present invention automates the operation of multiple malware removal software products using a computerized system that systematically operates the multiple selected software products. These products are operated in a customized “Safe Mode” using a shell that is different from the computer's other shell environments. Unlike ordinary Safe Mode shells, the Custom Safe Mode prevents malware that ties itself to the normal shell, such as the Windows Explorer shell, from functioning. In addition, the Custom Safe Mode allows the automation of tasks beyond that which is available under the standard command line shell. | 01-08-2009 |
20090019546 | Method and Apparatus for Modeling Computer Program Behaviour for Behavioural Detection of Malicious Program - A method and apparatus for modeling a behavior of a computer program that is executed in a computer system is described. The method and apparatus for modeling a behavior of a computer program may be used to detect a malicious program based on the behavior of the computer program. A method includes collecting system use information about resources of the computer system the computer program uses; extracting a behavior signature of the computer program from the collected system use information; and encoding the extracted behavior signature to generate a behavior vector. As a result, behaviors of a particular computer program may be modeled to enable a malicious program detection program and to determine whether the computer program is either normal or malicious. | 01-15-2009 |
20090031423 | PROACTIVE WORM CONTAINMENT (PWC) FOR ENTERPRISE NETWORKS - A proactive worm containment (PWC) solution for enterprises uses a sustained faster-than-normal outgoing connection rate to determine if a host is infected. Two novel white detection techniques are used to reduce false positives, including a vulnerability time window lemma to avoid false initial containment, and a relaxation analysis to uncontain (or unblock) those mistakenly contained (or blocked) hosts, if there are any. The system integrates seamlessly with existing signature-based or filter-based worm scan filtering solutions. Nevertheless, the invention is signature free and does not rely on worm signatures. Nor is it protocol specific, as the approach performs containment consistently over a large range of worm scan rates. It is not sensitive to worm scan rate and, being a network-level approach deployed on a host, the system requires no changes to the host's OS, applications, or hardware. | 01-29-2009 |
20090038011 | SYSTEM AND METHOD OF IDENTIFYING AND REMOVING MALWARE ON A COMPUTER SYSTEM - A system and accompanying method of identifying and removing malware on a computer system is disclosed. The system comprises a source file containing reference attributes and properties of components of a local computer system in a state unaffected by malware, and exact copies of the system control files. The components of the local computer system may comprise executable and script files such as operating system files, application programs, system controls, registry files and all other executable and script files and their related relevant files. The current status of executables is checked against the reference attributes. All executables on the local computer system failing certain match criteria are removed from the local system, or alternatively, replaced with reference copies from the source file. Thereby, the system and method identify malware based on previous system state, method of entry into the local computer system, and intention to automatically execute either upon booting or upon launching of a computer program which a user has intentionally installed and which the user would normally believe to be free of malware. | 02-05-2009 |
20090038012 | METHOD AND SYSTEM FOR DELETING OR ISOLATING COMPUTER VIRUSES - The invention discloses a method and a system for deleting or isolating computer viruses. The method of deleting or isolating computer viruses comprises the steps of: selecting a first operating system configured with a virus killing module from a plurality of operating systems in a computer, while the computer is in the starting process; loading the first operating system; scanning, by the virus killing module, the storage area of at least one operating system of the plurality of operating systems, wherein the at least one operating system doesn't include the first operating system; and deleting or isolating viruses found during scanning. According to the present invention, the problem that the basic operating system could not be started due to viruses may be solved, and thus the system stability is greatly improved. | 02-05-2009 |
20090044273 | CIRCUITS AND METHODS FOR EFFICIENT DATA TRANSFER IN A VIRUS CO-PROCESSING SYSTEM - Various embodiments of the present invention provide circuits and methods for improved virus processing. As one example, such methods may include providing a system memory, a general purpose processor and a virus co-processor. The methods further include receiving a data segment at the general purpose processor, and storing the data segment to the system memory using virtual addresses. The data segment is accessed from the system memory by the virus co-processor using the virtual addresses. The virus co-processor then scans the data segment for viruses and returns results. | 02-12-2009 |
20090044274 | Impeding Progress of Malicious Guest Software - One embodiment of the present invention is a method of operating a virtualization system, the method including: (a) instantiating a virtualization system on an underlying hardware machine, the virtualization system exposing a virtual machine in which multiple execution contexts of a guest execute; (b) monitoring the execution contexts from the virtualization system; and (c) selectively impeding computational progress of a particular one of the execution contexts. | 02-12-2009 |
20090044275 | PACKET DATA COMPARATOR AS WELL AS VIRUS FILTER, VIRUS CHECKER AND NETWORK SYSTEM USING THE SAME - It is an object of the present invention to realize a network system which can quickly detect a virus and tends not to be a new cause of vulnerability. A packet data comparator disclosed by the present invention branches inputted packet data into three branches, and includes an additional pattern matching unit which compares the branched packet data with a part of stored data and performs matching with collation patterns stored in a rewritable storage area, a fixed pattern matching unit which compares the branched packet data with the part of the stored data and performs the matching with a logical operation which has been configured with known collation patterns, a notification packet matching unit which compares the branched packet data with the part of the stored data and finds a notification packet, and an identity detection aggregation unit which aggregates results from the respective matching units. Moreover, a virus filter is configured by using the packet data comparator, a virus checker which can be updated through a network is configured by using the above described virus filter, and a secure network system is realized by using the above described virus checker. | 02-12-2009 |
20090044276 | METHOD AND APPARATUS FOR DETECTING MALWARE - A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic. | 02-12-2009 |
20090049552 | Method and Apparatus for Removing Harmful Software - Embodiments of the invention address the problem of removing malicious code from infected computers. | 02-19-2009 |
20090064334 | Adaptive Autonomic Threat Detection and Quarantine - Autonomic threat detection is performed by collecting traffic samples of traffic patterns associated with a networked device having a device resident validation module. A threat analysis system is used to recognize a pattern of traffic indicative of a compromised device based at least in part upon the traffic samples. If the samples indicate a compromised device, the device is quarantined and a security check is performed on the device. The security check may include requesting data from the corresponding device resident validation module to determine if the device is compromised, analyzing data from the device resident validation module of the quarantined device and taking an action based upon analysis of the data. At least one of the data from the device resident validation module of the quarantined device or the traffic samples is utilized to autonomically train the threat analysis system to identify compromised devices. | 03-05-2009 |
20090064335 | INSTANT MESSAGING MALWARE PROTECTION - A system including a content server and a plurality of instant messaging clients is configured to enable each client device to scan for malware on incoming or outgoing instant messages. The content server may receive malware configuration information and distribute the malware configuration information to each client device. Each client device may employ the malware configuration information to perform a number of actions, including determining one or more malware scanners to use, selectively scanning incoming or outgoing instant messages, reporting instances of malware that are detected, or selectively restricting one or more instant messaging functions. The system may include a malware information repository that receives reports of detected malware, analyzes the reports, and determines sources of malware. | 03-05-2009 |
20090064336 | Virus detection in a network - A computer system and storage medium that in an embodiment count the number of times that a file or registry entry is added, changed, or deleted at clients in a network. If the count exceeds a threshold, then a warning is sent to the clients. The warning may prompt the clients to delete or rename the file or registry entry, run an anti-virus program, quarantine the file or registry entry, or issue a message. In this way, viruses may be detected at clients. | 03-05-2009 |
20090070878 | MALWARE PREVENTION SYSTEM MONITORING KERNEL EVENTS - A malware prevention system monitors kernel level events of the operating system and applies user programmable or preprepared policies to those events to detect and block malware. | 03-12-2009 |
20090070879 | COMPUTER SYSTEM AND METHOD FOR SCANNING COMPUTER VIRUS - According to the present invention, a timeout caused by executing a virus scan is avoided. A computer system has a first computer, a second computer coupled to the first computer, and a storage system coupled to the first computer and the second computer. The first computer receives a request to write data, writes the requested data in the storage system, and sends a virus scan request of the written data to the second computer. The second computer receives the virus scan request from the first computer, reads the written data out of the storage system, and partially executes a virus scan of the read data. After the partial virus scan of the read data is finished, the first computer sends a response to the received write request. After the first computer sends the response, the second computer executes the remainder of the virus scan of the read data. | 03-12-2009 |
20090077664 | Methods for combating malicious software - A method for combating malware monitors all attempts by any software executing on a computer to write data to the computer's digital storage medium and records details of the attempts in a system database having a causal tree structure. The method also intercepts unauthorized attempts by executing objects to modify the memory allocated to other executing objects or to modify a selected set of protected objects stored on the digital storage medium, and may also intercept write attempts by executing objects that have a buffer overflow or that are executing in a data segment of memory. The method may include a procedure for switching the computer into a quasi-safe mode that disables all non-essential processes. Preferably, the database is automatically organized into software packages classified by malware threat level. Entire packages or portions thereof may be easily selected and neutralized by a local or remote user. | 03-19-2009 |
20090077665 | METHOD AND APPLICATIONS FOR DETECTING COMPUTER VIRUSES - A method for detecting computer viruses includes the following steps: (a) enabling a server device to compile statistics of the computer virus infection record of a mobile terminal and the infection records of all computer viruses in a network, so as to obtain infection number rankings of the viruses that infected the mobile terminal and of all computer viruses in the network, respectively; (b) enabling the server device to generate virus pattern data according to the infection number ranking results of the viruses that infected the mobile terminal and of all computer viruses in the network; (c) enabling the server device to transmit the virus pattern data to the mobile terminal; (d) enabling the mobile terminal to receive data via the network; and (e) enabling the mobile terminal to detect whether the data is infected by a computer virus with reference to the virus pattern data, and to transmit computer virus infection information to the server device upon detection that the data is infected by a computer virus. | 03-19-2009 |
20090083855 | System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses - A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the file system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly. | 03-26-2009 |
20090089879 | SECURING ANTI-VIRUS SOFTWARE WITH VIRTUALIZATION - The subject disclosure relates to systems and methods that secure anti-virus software through virtualization. Anti-virus systems can be maintained separate from user applications and operating system through virtualization. The user applications and operating system run in a guest virtual machine while anti-virus systems are isolated in a secure virtual machine. The virtual machines are partially interdependent such that the anti-virus systems can monitor user applications and operating systems while the anti-virus systems remain free from possible malicious attack originating from a user environment. Further, the anti-virus system is secured against zero-day attacks so that detection and recovery may occur post zero-day. | 04-02-2009 |
20090089880 | Computer system and virus-scan method - An object of the present invention is to provide a computer system and virus-scan method that are capable of full-scanning the logical volume of a SUTOSEN PC with high frequency while limiting the number of virus-scan devices. | 04-02-2009 |
20090094698 | METHOD AND SYSTEM FOR EFFICIENTLY SCANNING A COMPUTER STORAGE DEVICE FOR PESTWARE - A method and system for efficiently scanning a computer storage volume for pestware is described. One embodiment determines whether a file on the storage device has been modified since it was last scanned for pestware; includes the file in a set of files to be scanned for pestware when it is determined that the file has been modified since it was last scanned for pestware; omits the file from the set of files to be scanned for pestware when it is determined that the file has not been modified since it was last scanned for pestware; scans the files in the set of files for pestware; and reports results of the pestware scan to a user. | 04-09-2009 |
20090100521 | MALICIOUS SOFTWARE PREVENTION APPARATUS, SYSTEM, AND METHOD USING SAME - A malicious software prevention method is used for detecting malicious software and includes receiving data transmitted from a host machine or a mobile terminal and temporarily storing the received data as temporary data in a random access memory; detecting malicious software by scanning the temporary data with malicious data definitions stored in a read only memory; and cutting off a data connection between the host machine and the malicious software prevention apparatus, or between the mobile terminal and the malicious software prevention apparatus, if malicious software is detected in the temporary data. | 04-16-2009 |
20090113548 | Executable Download Tracking System - Systems and methods are disclosed for monitoring executable software applications on a computer network. Executable software applications and data files may be monitored by a risk monitoring system. The executable software application and data files may attempt to access a computer network and/or a computing device and a monitoring process may identify risks associated with the executable software application and/or data file. A suspicious characteristic of the executable software application may be identified during the monitoring process. The suspicious characteristic may be malware and may be neutralized before it causes damage to the computer network and/or computing device. | 04-30-2009 |
20090133123 | Worm Propagation Modeling In A Mobile AD-HOC Network - A worm propagation modeling system for use with a mobile ad-hoc network (MANET) includes an infection detection module receiving temporal dynamics information relating to temporal dynamics of worm spread in the MANET and spatial dynamics information relating to spatiality of nodes in the MANET. The infection detection module detects infection in a network segment of the MANET based on the temporal dynamics information and the spatial dynamics information. | 05-21-2009 |
20090133124 | A METHOD FOR DETECTING THE OPERATION BEHAVIOR OF THE PROGRAM AND A METHOD FOR DETECTING AND CLEARING THE VIRUS PROGRAM - A method for detecting the operation behavior of a program includes: obtaining the destructive operation behavior of a known virus program; setting a corresponding control and process program according to the destructive operation behavior; making the control and process program obtain the control right over the destructive operation behavior; and, when the destructive operation behavior of the program to be detected calls the corresponding control and process program, having the control and process program record the operation behavior of the program to be detected. The control and process program can also return a success response, so as to induce the program to be detected to perform its next behavior, while the program to be detected does not actually perform the operation. That is, the present invention can provide a virtual environment for the program to be detected in order to record a series of its behaviors. A method for clearing the virus program sets up and performs the reverse of the adverse operations, based on the recorded behavior of the virus program, so as to recover the data demolished by the virus. | 05-21-2009 |
20090133125 | METHOD AND APPARATUS FOR MALWARE DETECTION - The present invention relates to an apparatus and method for detecting malware. The malware detection apparatus and method of the present invention determines whether a file is malware or not by analyzing the header of an executable file. Since the malware detection apparatus and method can quickly detect presence of malware, it can shorten detection time considerably. The malware detection apparatus and method can also detect even unknown malware as well as known malware to thereby estimate and determine presence of malware. Therefore, it is possible to cope with malware in advance, protect a system with a program, and increase security level remarkably. | 05-21-2009 |
20090133126 | APPARATUS AND METHOD FOR DETECTING DLL INSERTED BY MALICIOUS CODE - Provided are an apparatus and method for detecting a Dynamic Link Library (DLL) inserted by a malicious code. The method includes collecting first DLL information from an image file of a process before the process is executed; collecting second DLL information loaded into a memory as the process is executed; comparing the first DLL information with the second DLL information to extract information on an explicit DLL; and determining whether the explicit DLL is a DLL inserted by a malicious code or not. | 05-21-2009 |
20090138972 | RESISTING THE SPREAD OF UNWANTED CODE AND DATA - A method or system of receiving an electronic file containing content data in a predetermined data format, the method comprising the steps of: receiving the electronic file, determining the data format, parsing the content data, to determine whether it conforms to the predetermined data format, and if the content data does conform to the predetermined data format, regenerating the parsed data to create a regenerated electronic file in the data format. | 05-28-2009 |
20090144826 | Systems and Methods for Identifying Malware Distribution - Systems and methods for identifying malware distribution sites are described. In one embodiment, a system includes a malware detection module configured to analyze a file of a protected computer to determine that the file is associated with malware. The system also includes a Web site identification module configured to search a download history log of the protected computer to identify a Web site from which the file was downloaded. | 06-04-2009 |
20090150999 | SYSTEM, METHOD AND PROGRAM PRODUCT FOR DETECTING COMPUTER ATTACKS - Detecting obfuscated attacks on a computer. A first program function is invoked to render static components of a web page and identify program code within the web page or associated file. In response, before executing the identified program code, a malicious-code detector is invoked to scan the identified program code for malicious code. If the malicious-code detector identifies malicious code in the identified program code, the identified program code is not executed. If no malicious code is detected, a second program function generates revised program code from execution of the identified program code. In response, before executing the revised program code, the malicious-code detector is invoked to scan the revised program code for malicious code. If the malicious-code detector identifies malicious code in the revised program code, the revised program code is not executed. | 06-11-2009 |
20090158432 | On-Access Anti-Virus Mechanism for Virtual Machine Architecture - A tangible medium embodying instructions usable by a computer system to protect a plurality of guest virtual machines (VMs), which execute via virtualization software on a common host platform, from malicious code is described. A scan engine is configured to scan data for malicious code and determine a result of the scanning, wherein the result indicates whether malicious code is present in the data. A driver portion is configured for installation in an operating system of a target VM, which is one of the guest VMs. The driver portion intercepts an access request to a file that originates within the target VM. The driver portion communicates information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine. The scan engine executes within the virtualization layer outside the context of the target VM. | 06-18-2009 |
20090158433 | Method and Apparatus to Facilitate Generating Worm-Detection Signatures Using Data Packet Field Lengths - Network-level data traffic comprising data packets, wherein at least some of the data packets have at least one field of unbounded length, is received ( | 06-18-2009 |
20090158434 | Method of detecting virus infection of file - Provided is a method of detecting virus infection of a file. The method includes the steps of a) copying an original file, and converting and simplifying data of the copied file; b) normalizing the simplified file data; c) acquiring distribution of similarity between data using the normalized file data; and d) analyzing the acquired distribution of similarity between data, and determining that the file is virus-infected when a preset dense distribution pattern exists. Thus, the method can effectively determine whether or not the file is infected with a virus without using a database (DB) of spam filtering or virus information. | 06-18-2009 |
20090158435 | HASH-BASED SYSTEMS AND METHODS FOR DETECTING, PREVENTING, AND TRACING NETWORK WORMS AND VIRUSES | 06-18-2009 |
20090165136 | Detection of Window Replacement by a Malicious Software Program - Various embodiments of a system and method for providing protection against malicious software programs are disclosed. The system and method may be operable to detect that a first window of a legitimate software program has been replaced by a second window of a malicious software program, e.g., where the second window includes features to mimic the first window in an effort to fool the user into inputting sensitive information into the second window. The method may operate to alert the user when the window replacement is detected. | 06-25-2009 |
20090165137 | Mobile device having self-defense function against virus and network-based attacks and self-defense method using the same - Provided are a mobile device having a self-defense function against virus and network-based attacks and a self-defense method using the same. The mobile device includes a virus checking module, which receives information on files required for virus checking on a basis of input/output (I/O) information created from a file system of an operating system, and determines whether or not the files are infected with a virus using distribution of similarity between data; a malicious packet determination module, which examines information on an Internet protocol (IP) packet created from a network to interrupt a denial-of-service attack (DoS attack); and a control module, which receives the I/O information created from the file system of the operating system, selects the files required for the virus checking, and transmits the selected files to the virus checking module, or receives information on the IP packet created from the network to transmit the received information to the malicious packet determination module, thereby preventing damage caused by the virus in advance, and effectively preventing a denial-of-service attack (DoS attack) caused by wireless network resource depletion and battery consumption that may occur in a wireless environment. | 06-25-2009 |
20090165138 | Computer Virus Protection - A network is protected from e-mail viruses through the use of a sacrificial server. Any executable programs or other suspicious parts of incoming e-mail messages are forwarded to a sacrificial server, where they are converted to non-executable format such as Adobe Acrobat PDF and sent to the recipient. The sacrificial server is then checked for virus activity. After the execution is completed, the sacrificial server is rebooted. | 06-25-2009 |
20090172816 | DETECTING ROOTKITS OVER A STORAGE AREA NETWORK - Embodiments of the invention improve the detection of malicious software applications, such as a rootkit, on hosts configured to access storage volumes over a storage area network (SAN). A rootkit detection program running on a switch may be configured to detect rootkits present on the storage volumes of the SAN. Because the switch may mount and access storage volumes independently from the (possibly compromised) hosts, the rootkit is not able to conceal itself from the rootkit detection program running on the switch. | 07-02-2009 |
20090178141 | BOOTING A DEVICE FROM A TRUSTED ENVIRONMENT RESPONSIVE TO DEVICE HIBERNATION - Techniques described are capable of receiving an indication that an operating system of a computing device has entered a hibernated state and, in response, booting the computing device from a trusted environment that is unalterable by the hibernated operating system. A component stored on or accessible by the trusted environment may then perform an operation on the computing device. This operation may include scanning the device, performing a memory test on the device, or updating firmware on the device. In some instances, the computing device enters the hibernated state due to a predetermined length of user inactivity on the computing device. As such, the described techniques may perform an operation on the computing device without user interaction causing the operation. | 07-09-2009 |
20090187991 | TRUSTED SECURE DESKTOP - Systems and methods for simultaneously protecting software components ( | 07-23-2009 |
20090187992 | METHOD AND SYSTEM FOR CLASSIFICATION OF SOFTWARE USING CHARACTERISTICS AND COMBINATIONS OF SUCH CHARACTERISTICS - In embodiments of the present invention improved capabilities are described for the steps of identifying a functional code block that performs a particular function within executable code; transforming the functional code block into a generic code representation of its functionality by tokenizing, refactoring, or the like, the functional code block; comparing the generic code representation with a previously characterized malicious code representation; and in response to a positive correlation from the comparison, identifying the executable code as containing malicious code. | 07-23-2009 |
20090199297 | THREAD SCANNING AND PATCHING TO DISABLE INJECTED MALWARE THREATS - An arrangement for scanning and patching injected malware code that is executing in otherwise legitimate processes running on a computer system is provided in which malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. The thread can be resumed or terminated to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected. | 08-06-2009 |
20090210943 | Method to detect viruses hidden inside a password-protected archive of compressed files - A method for inspecting a compressed archive file for virus infection without having to decompress the files contained therein. Data in the archive header is used to determine the probability that the compressed archive is infected. Default parameters used for the compression, the compression ratio, the number of files stored in the compressed archive, and the total size of the archive are factors utilized during inspection according to the present invention to detect archives with a high probability of infection, as well as to recognize archives with a low probability of infection. The method is especially beneficial when the archive has been encrypted or password-protected and the files contained therein cannot be decompressed, but is also advantageous when decompression is possible. In addition, use of the present invention avoids the danger of attempting to decompress a malicious archive containing an archive bomb. | 08-20-2009 |
20090210944 | Anti-malware data center aggregate - A method for reducing object scanning load in a network, the method including employing a data-center to provide to a client identifying information and classification information relating to a plurality of objects; at the client, obtaining identifying information for a given object; at the client, comparing the identifying information for the given object to the identifying information relating to the plurality of objects; and, if the identifying information relating to one of the plurality of objects is the same as the identifying information for the given object, relying on the classification information relating to that one of the plurality of objects as provided by the data-center. | 08-20-2009 |
20090217379 | METHOD FOR ANTIVIRUS PROTECTION AND ELECTRONIC DEVICE WITH ANTIVIRUS PROTECTION - The invention provides a method for antivirus protection adapted for an electronic device. First, an option read only memory (ROM) is initialized. Second, all network connection ports of the electronic device are disabled. A first network connection port is enabled to connect the electronic device with an external system. Whether first antivirus software is installed on the electronic device is checked. If it is checked that the first antivirus software is not installed on the electronic device, after second antivirus software is received by the electronic device from the external system via the first network connection port and is installed on the electronic device, the electronic device enables all the network connection ports to connect the electronic device with the external system. | 08-27-2009 |
20090217380 | MESSAGING VIRUS PROTECTION PROGRAM AND THE LIKE - The present invention relates to a messaging virus protection program and the like for dealing with messaging viruses transmitted along with the movement of electronic information. This messaging virus protection program causes a computer to execute the steps of judging whether or not processing is to be performed in a warning mode, based on information which either warns or does not warn of a new type of messaging virus; in the warning mode, determining whether or not there is a danger of viral infection, storing the received electronic information in cases where it is determined that there is a danger, and delivering the received electronic information in cases where it is determined that there is no danger; and, when not in the warning mode, processing the received electronic information based on the characteristics of known messaging viruses. | 08-27-2009 |
20090222923 | Malicious Software Detection in a Computing Device - A method of scanning for viruses in the memory of a computing device in which only memory pages marked as executable need to be scanned. The trigger for the scan can be either via an API that changes a page from writeable to executable, or via a kernel notification that an executable page has been modified. This invention is efficient, in that it makes much previous scanning of file systems redundant; this saves power and causes devices to execute faster. It is also more secure, as it detects viruses that other methods cannot reach, and does so at the point of execution. | 09-03-2009 |
20090222924 | OPERATING A NETWORK MONITORING ENTITY - Network flow records from various administrative domains are provided to a network monitoring entity. The network monitoring entity analyzes the network flow records in a way to locate a source of malicious network flow. | 09-03-2009 |
20090235358 | SYSTEMS AND METHODS FOR ATTACHING A VIRTUAL MACHINE VIRTUAL HARD DISK TO A HOST MACHINE - Various embodiments of the present invention are directed to systems and methods for “attaching” a virtual hard drive to the physical computer hardware by implementing a specialized disk controller driver for the host operating system that is recognized by the host operating system as a disk controller driver but which in fact also emulates the virtual hard disk it is “attached” to. When the host operating system sends requests to read and write sectors from the virtual hard drive, the specialized driver (the “virtual hard drive controller driver”) directly accesses and manipulates the back-end file mentioned above. Thus the virtual disk is “attached” and recognizable by the host operating system and can be manipulated thereby (and applications executing thereon). | 09-17-2009 |
20090241194 | VIRTUAL MACHINE CONFIGURATION SHARING BETWEEN HOST AND VIRTUAL MACHINES AND BETWEEN VIRTUAL MACHINES - In embodiments of the present invention improved capabilities are described for presenting a physical computing machine including a virtual computer machine monitor and one or more virtual computing machines, where each of the virtual computing machines runs its own operating system, presenting one of the multiple virtual computing machines as a host and the remaining multiple virtual computing machines as guests, and providing for a virtual machine protected environment, where suspicious file information is shared between the virtual machine protected environment and other virtual machines. | 09-24-2009 |
20090241195 | DEVICE AND METHOD FOR PREVENTING VIRUS INFECTION OF HARD DISK - A device and a method for preventing virus infection of a hard disk are provided. The virus infection preventing device includes a storage media, a read-only memory, a control circuit and a switch. The virus infection preventing method includes steps of generating either a first signal or a second signal by a switch, and receiving a write command. If the write command allows data to be written into a boot sector of the hard disk and the first signal is generated by the switch, the write command is aborted. Whereas, if the write command allows data to be written into the boot sector of the hard disk and the second signal is generated by the switch, the write command is executed. | 09-24-2009 |
20090249484 | METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT - In embodiments of the present invention improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, presenting retrieved content in response to the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may utilize the contextual information from the client request to aid in the detection of restricted content associated with retrieved content. | 10-01-2009 |
20090254992 | SYSTEMS AND METHODS FOR DETECTION OF NEW MALICIOUS EXECUTABLES - A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign is within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set. | 10-08-2009 |
20090260085 | APPARATUS, SYSTEM AND METHOD FOR BLOCKING MALICIOUS CODE - Provided are an apparatus, system and method for blocking malicious code. The apparatus includes a first malicious code detector for determining whether or not a received e-mail includes malicious code, on the basis of previously stored malicious code patterns; a second malicious code detector for performing second malicious code detection on a received e-mail determined by the first malicious code detector not to include malicious code; a pattern extractor for extracting a new malicious code pattern from malicious code detected by the second malicious code detector; and a transceiver for transferring the extracted new malicious code pattern to a pattern providing server. According to the apparatus, system and method, when one terminal detects a new malicious code pattern, a pattern providing server rapidly provides the new malicious code pattern to other terminals, and thus it is possible to rapidly and flexibly cope with the spread of malicious codes having new patterns. | 10-15-2009 |
20090265786 | AUTOMATIC BOTNET SPAM SIGNATURE GENERATION - A framework may be used for generating URL signatures to identify botnet spam and membership. The framework may take a set of unlabeled emails as input that are grouped based on URLs contained within the emails. The framework may return a set of spam URL signatures and a list of corresponding botnet host IP addresses by analyzing the URLs within the emails that are contained within the groups. Each URL signature may be in the form of either a complete URL string or a URL regular expression. The signatures may be used to identify spam emails launched from botnets, while the knowledge of botnet host identities can help filter other spam emails also sent by them. | 10-22-2009 |
20090271867 | Virtual machine to detect malicious code - One embodiment of the invention discloses a method for receiving in a virtual machine (VM) contents of a program for creating a virtual environment for interacting with a host platform in a computing device; and determining by the VM if the received contents comprise predetermined instructions for performing at least one unauthorized task. Another embodiment of the invention discloses a method for receiving a system call for a host platform in communication with a VM of a computing device; and determining by the VM if the received system call comprises at least one predetermined system call for performing at least one unauthorized task. Yet another embodiment of the invention discloses a method for receiving a virtualized memory address for a host platform in communication with a VM of a computing device; and determining by the VM if the received virtualized memory address comprises at least one predetermined unauthorized virtualized memory address. | 10-29-2009 |
20090282484 | COMPUTER SECURITY - Method and apparatus for mitigating the effects of a security threat involving malicious code concealed in computer files (for example computer viruses, etc.). The method operates by inserting additional strings of arbitrary length within computer files of known type which may contain such security threats. The strings are chosen to have no substantial effect on the files in normal operation, but potentially disrupt attack code located in the file. Inserted sequences may incorporate a character sequence which, if interpreted as code, halts execution of that program. Alternatively, or in addition, character sequences may be deleted or reordered provided that they have no effect on normal interpretation of the file. As a result, the effect of malicious code operating successfully as intended by an attacker may be mitigated. The methods do not require prior knowledge of the nature of a specific threat and so provide threat mitigation for previously unidentified threats. | 11-12-2009 |
20090282485 | NETWORK BROWSER BASED VIRUS DETECTION - A network browser has a Malware detection manager for direct or indirect scanning of files during an upload or download processes for viruses, adware, spyware, etc. The malware detection manager defines and employs a quarantine bin, which is an isolated and secure memory space or directory for temporary placement of file packets during the file transmission while malware detection can commence. The malware detection manager scans for any malware code associated with the packet sequence encountered during a file transmission to and from the Internet, during which it quarantines all the scanned packets in the quarantine bin. Quarantined files can be released if there is a human challenge authorizing the release of the file. The invention also comprises exchanging a Malware free signature between server and client via a trusted download center. If a certified and valid malware free signature is provided, the client device need not scan the files for malware bytes as the content is certified and guaranteed as malware-free. | 11-12-2009 |
20090282486 | PRE-BOOT FIRMWARE BASED VIRUS SCANNER - The present disclosure relates to allowing the utilization of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation and, more particularly, to allowing the utilization of a virus scanner and cleaner that operates primarily during the loading of an operating system. | 11-12-2009 |
20090288168 | MANAGEMENT CAPABILITIES FOR REAL-TIME MESSAGING NETWORKS - Techniques for managing instant message (IM) communications are provided. In various embodiments, IM communications in a plurality of network implementations are managed using one or more policies. A policy in the one or more policies includes an action applicable for an IM communication. Once an IM communications is received from an IM client, a policy that is applicable for that IM communication is determined. After determining an applicable policy, an action associated with the policy for the instant message communication is performed. Examples of actions that may be taken include recording the IM communication, modifying the IM communication, blocking the IM communication, forwarding the IM communication, and the like. | 11-19-2009 |
20090293125 | Centralized Scanner Database With Optimal Definition Distribution Using Network Queries - A system and method detects malware on client devices based on partially distributed malware definitions from a central server. A server stores malware definitions for known malware. The server generates one or more filters based on the malware definitions and distributes the filter(s) to client devices. The server also distributes full definitions to the clients for a subset of the most commonly detected malware. The client device scans files for malware by first applying the filter to a file. If the filter outputs a positive detection, the client scans the file using the full definition to determine if the file comprises malware. If the full definition is not stored locally by the client, the client queries the server for the definition and then continues the scanning process. | 11-26-2009 |
20090293126 | MALWARE DETECTION DEVICE - An exemplary malware detection device includes a data pathway provided between a first data transfer device and a second data transfer device and a processor attached to the data pathway. A memory accessible by the processor contains at least one malware signature and instructions for controlling the processor to interconnect the first and second data transfer devices, direct at least a portion of a data transfer across the data pathway to the processor for analysis, independently analyze the portion of the data transfer using the malware signature, identify malware contained in the portion of the data transfer, and interrupt the data transfer based on the identification of malware. | 11-26-2009 |
20090293127 | System for Protecting a Computing System from Harmful Active Content in Documents - A system protects a computing device from potentially harmful code in a document by receiving a data structure representation of the document and adding dynamically one or more definitions of potentially harmful active content to an editable configuration file. Each definition identifies potentially harmful active content and specifies an action to be performed on that potentially harmful active content if that potentially harmful active content is found in the document. The editable configuration file is parsed to generate a data structure representation of the one or more definitions in the editable configuration file. The data structure representation of the document is compared with the data structure representation of the one or more definitions of potentially harmful active content to identify potentially harmful active content within the document. The document is modified to render harmless any identified potentially harmful active content before presenting the document to the computing device. | 11-26-2009 |
20090300764 | SYSTEM AND METHOD FOR IDENTIFICATION AND BLOCKING OF MALICIOUS CODE FOR WEB BROWSER SCRIPT ENGINES - A system and method to protect web applications from malicious attacks and, in particular, a system and method for identification and blocking of malicious code for web browser script engines. The system includes at least one module configured to protect web applications from malicious attacks by detecting an occurrence of heap spraying and blocking the occurrence of heap spraying. | 12-03-2009 |
20090300765 | UNKNOWN MALCODE DETECTION USING CLASSIFIERS WITH OPTIMAL TRAINING SETS - The present invention is directed to a method for detecting unknown malicious code, such as a virus, a worm, a Trojan Horse or any combination thereof. Accordingly, a Data Set is created, which is a collection of files that includes a first subset with malicious code and a second subset with benign code files, and malicious and benign files are identified by an antivirus program. All files are parsed using n-gram moving windows of several lengths and the TF representation is computed for each n-gram in each file. An initial set of top features (e.g., up to 5500) of all n-grams is selected, based on the DF measure, and the number of the top features is reduced to comply with the computation resources required for classifier training, by using feature selection methods. The optimal number of features is then determined based on the evaluation of the detection accuracy of several sets of reduced top features, and different data sets with different distributions of benign and malicious files are prepared, based on the optimal number, which will be used as training and test sets. For each classifier, the detection accuracy is iteratively evaluated for all combinations of training and test set distributions, while in each iteration, training a classifier using a specific distribution and testing the trained classifier on all distributions. The optimal distribution that results in the highest detection accuracy is selected for that classifier. | 12-03-2009 |
20090307776 | METHOD AND APPARATUS FOR PROVIDING NETWORK SECURITY BY SCANNING FOR VIRUSES - The invention relates to the provision of virus scanning capabilities in a network environment. A plurality of preliminary content processing functions are carried out on content passed over the network before the content is passed to one or more virus scanners. The virus scanners then scan the content for viruses using one or more results of the content processing functions. | 12-10-2009 |
20090313700 | METHOD AND SYSTEM FOR GENERATING MALWARE DEFINITIONS USING A COMPARISON OF NORMALIZED ASSEMBLY CODE - A system and method for generating malware definitions for use in managing malware on a computer is described. One embodiment comprises receipt of a binary file running in system memory; taking a memory dump of the binary file at a time slice and storing the memory dump in a memory dump file; applying a normalization process to the memory dump file, wherein the normalization process alters a collection of data from the memory dump file, resulting in a normalized file; applying a comparison process between the normalized file and each of a plurality of normalized files stored in a database of malware definitions wherein the comparison process produces a comparison value associated with each of the normalized files in the database of malware definitions; and inserting the normalized file into the database of malware definitions, when each of the comparison values satisfies a predetermined criterion. | 12-17-2009 |
20090320133 | STREAMING MALWARE DEFINITION UPDATES - A method, system and apparatus for assembling and publishing frequent malware signature definition updates through the use of additive or “streaming” definition packages is provided. Embodiments of the present invention provide such functionality by publishing not only full malware signature definition updates on a long periodicity but also streaming malware signature definition updates containing newly certified signature definitions on a short periodicity. As newly-certified malware signature definitions are received, those newly-certified signature definitions are incorporated not only in the full signature definition file but also in a streaming signature definition update that contains only newly-certified signature definitions received during a streaming update period. At the end of the streaming update period, a streaming signature definition file is made available by publication to anti-malware clients. A streaming signature definition file only contains those signature definitions received during the assembly period for that streaming definition file. Embodiments of the present invention replace a previous streaming signature definition file with a new streaming signature definition file at the time of publication of the new streaming signature definition file. | 12-24-2009 |
20090320134 | Detecting Secondary Infections in Virus Scanning - A method, computer program product or computer system for scanning files in a computer system to detect additional infected files of a computer virus when a first infected file of the computer virus is identified, includes maintaining a friends tree for each file in the computer system, maintaining a search tree using the friends trees for scanning the files, searching the files listed in the search tree for the additional infected files, and quarantining the additional infected files detected in the searching. | 12-24-2009 |
20090320135 | SYSTEM AND METHOD FOR NETWORK EDGE DATA PROTECTION - Disclosed are systems and methods which examine information communication streams to identify and/or eliminate malicious code, while allowing the good code to pass unaffected. Embodiments operate to provide spam filtering, e.g., filtering of unsolicited and/or unwanted communications. Embodiments provide network based or inline devices that scan and scrub information communication in its traffic pattern. Embodiments are adapted to accommodate various information communication protocols, such as simple mail transfer protocol (SMTP), post office protocol (POP), hypertext transfer protocol (HTTP), Internet message access protocol (IMAP), file transfer protocol (FTP), domain name service (DNS), and/or the like, and/or routing protocols, such as hot standby router protocol (HSRP), border gateway protocol (BGP), open shortest path first (OSPF), enhanced interior gateway routing protocol (EIGRP), and/or the like. | 12-24-2009 |
20090328220 | MALWARE DETECTION METHODS AND SYSTEMS FOR MULTIPLE USERS SHARING COMMON ACCESS SWITCH - Malware detection systems and methods are presented in which header data of protocol data units (PDUs) are examined at a wireless access switch shared by multiple clients, and the PDU type and client are used to establish counters, with the count values being analyzed to identify clients suspected of being infected with malware. | 12-31-2009 |
20090328221 | MALWARE DETENTION FOR SUSPECTED MALWARE - A method and system for detecting and managing potential malware utilizes a preliminary signature to scan content and detect potential malware content based upon characteristics that match the preliminary signature. The detected content is detained for a predetermined period of time. If an updated signature is not received, the detained content may be purged, released or quarantined, based upon predetermined content policy. If an updated signature is received, the detained content is released from detention and rescanned with the updated signature. The content is then treated in accordance with the content policy, and again, can be purged, released, or quarantined. | 12-31-2009 |
20100005531 | Isolated multiplexed multi-dimensional processing in a virtual processing space having virus, spyware, and hacker protection features - Information appliance, computing device, or other processor or microprocessor based device or system provides security and anti-viral, anti-hacker, and anti-cyber terror features, and can automatically create multiple sequentially or concurrently and intermittently isolated and/or restricted computing environments to prevent viruses, malicious or other computer hacking, computer or device corruption and failure by using these computing environments in conjunction with restricted and controlled methods of moving and copying data, combined with a process that destroys malicious code located in computing environments and data stores. Time multiplexed processing streams with system, device, architecture and method for maintaining isolation of multiple processes executing in single physical processor. Virtual multi-dimensional processing space and virtual processing environments. Temporally multiplexed processing in a single CPU. Process isolation using address control and mapping. Selecting, configuring, switching, and/or multiplexing multiple processes in physical and/or virtual processing or computing spaces to create physical and/or virtual processing or computing environments. | 01-07-2010 |
20100011441 | SYSTEM FOR MALWARE NORMALIZATION AND DETECTION - Computer programs are preprocessed to produce normalized or standard versions to remove obfuscation that might prevent the detection of embedded malware through comparison with standard malware signatures. The normalization process can provide an unpacking of compressed or encrypted malware, a reordering of the malware into a standard form, and the detection and removal of semantically identified nonfunctional code added to disguise the malware. | 01-14-2010 |
20100011442 | DATA SECURITY DEVICE FOR PREVENTING THE SPREADING OF MALWARE - A method and system for preventing spreading of malware, including: automatically launching an anti-malware control mechanism after a data security device connects to a computing device and receives power from the computing device, determining availability of a data path in the data security device before allowing data to pass through the data path, and scanning the data that passes through the data path. | 01-14-2010 |
20100011443 | Method for preventing the spreading of malware via the use of a data security device - Embodiments of the present invention set forth methods for preventing the spreading of malware via the use of a data security device. Specifically, one embodiment of the present invention sets forth a method, which includes the steps of activating a malware scanning engine in the data security device after the data security device is attached to a computer and a mobile device but before data communication between the computer and the mobile device occurs; and invoking the malware scanning engine before permitting any data communication between the mobile device and the computer to occur. | 01-14-2010 |
20100017880 | Website content regulation - A method of facilitating the scanning of web pages for suspect and/or malicious hyperlinks that includes receiving at a content hosting website, user generated content. A web page or web page containing said content is then generated and, in the web page source code is included a detection code segment or a link from which a detection code segment can be downloaded. The detection code segment is executable by a web browser or web browser plug-in to scan the web page(s), or cause the web page(s) to be scanned, for suspect and/or malicious links. | 01-21-2010 |
20100017881 | Portable Electronic Device and Method for Securing Such Device - The device of the invention includes: a first interface ( | 01-21-2010 |
20100024034 | DETECTING MACHINES COMPROMISED WITH MALWARE - A computer system can be configured to identify when it has been infected with or otherwise compromised by malware, such as viruses, worms, etc. In one implementation, a computer system receives and installs one or more decoy contacts in a contact store and further installs one or more malware reporting modules that effectively filter outgoing messages. For example, a malware reporting module can redirect messages with a decoy contact address to an alternate inbox associated with the decoy contact. The same malware reporting module, or another module in the system, can also generate one or more reports indicating the presence of malware, either due to detection of the decoy contact address, or due to identifying messages in the decoy contact inbox. The host computer system that sent the message to the decoy contact can then be flagged as infected with malware. | 01-28-2010 |
20100031358 | SYSTEM THAT PROVIDES EARLY DETECTION, ALERT, AND RESPONSE TO ELECTRONIC THREATS - The invention is a computer system that provides early detection, alert and response to electronic threats (eThreats) in large wide area networks, e.g. the network of an Internet Services Provider or a Network Services Provider. The system of the invention accomplishes this by harnessing the processing power of dedicated hardware, software residing in specialized servers, distributed personal computers connected to the network, and the human brain to provide multi-layered early detection, alarm and response. The layers comprise: a Protection Layer, which detects and eliminates from the network data stream eThreats known to the system; a Detection Layer, which detects and creates signatures for new eThreats that are unknown to the system; an Expert Analysis Layer, which comprises a group of human experts who receive information from various components of the system and analyze the information to confirm the identity of new eThreats; and a Collaborative Detection & Protection Layer, which detects potential new eThreats by processing information received from various system agents and users. A Dynamic Sandbox Protection Layer associated with the distributed personal computers connected to the network can optionally be part of the system of the invention. | 02-04-2010 |
20100031359 | PROBABILISTIC SHELLCODE DETECTION - Various embodiments include a method of detecting shell code in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode. | 02-04-2010 |
20100031360 | Systems and methods for preventing unauthorized modification of an operating system - Systems and methods are provided for preventing unauthorized modification of an operating system. The system includes an operating system comprised of kernel code for controlling access to operation of a processing unit. The system further includes an enforcement agent executing at a higher privilege than the kernel code such that any changes to the kernel code are approved by the enforcement agent prior to execution. | 02-04-2010 |
20100031361 | Fixing Computer Files Infected by Virus and Other Malware - The disclosed invention is a new method and apparatus for detecting and removing a virus from a computing device based on a web or network service. The virus is detected by transmitting the attributes and behavior of application modules on a computing device to another computing device via a web service, where they are analyzed. After the item has been classified, that information is sent back to the computing device along with instructions on how to remove the virus. Along with the instructions on virus remediation, a clean copy of the file or a network location of the clean copy can be sent. | 02-04-2010 |
20100037320 | System and Method for On-Line Exchange and Trade of Information - A system and method for online trade and exchange of information are disclosed. A computer application running on a workstation of an expert and on a workstation of a customer/patient provides an environment on the displays of the workstations which enables both parties to synchronously present and watch, modify and mark documents, video streams, etc. According to embodiments of the invention a customer or patient located remotely from an expert may converse and communicate with that expert in a virtually face-to-face manner, to see and hear each other, to present documents, photos and video streams to each other, to play and stop playing streams, to point at points of interest on their displays, etc. | 02-11-2010 |
20100037321 | Systems and Methods for Providing Security Services During Power Management Mode - Systems and methods for providing security services during a power management mode are disclosed. In some embodiments, a method comprises detecting a wake event, providing a wake signal in response to the wake event to wake a mobile device from a power management mode, and managing security services of the mobile device. Managing security services may comprise scanning a hard drive of the mobile devices for viruses and/or other malware. Managing security services may also comprise updating security applications or scanning the mobile device for unauthorized data. | 02-11-2010 |
20100043072 | COMPUTER PROTECTION AGAINST MALWARE AFFECTION - A method is provided of protecting a computer against malware affection. The computer has a data storage and an operating system for managing the data storage. The method comprises providing a filter module in the operating system which operates to detect an attempt to store data in the data storage, to determine a data format of the data to be stored in the data storage, and to prevent storage of the data if the data format is determined to relate to a predefined type. The filter module may be provided as a file system filter driver in a kernel of the operating system. The filter module may be arranged to operate between an input/output manager of the operating system and a driver associated with the data storage. The input/output manager and driver associated with the data storage may form part of the kernel of the operating system. | 02-18-2010 |
20100043073 | ANTI-VIRUS METHOD, COMPUTER, AND RECORDING MEDIUM - In one computer system: causing a second virtual machine, which executes antivirus software for detecting and removing a virus, to monitor at least one first virtual machine that is created on the computer and executes one or more application programs; periodically storing a state of the first virtual machine as a snapshot; suspending the first virtual machine in which the virus is detected if the antivirus software executed on the second virtual machine detects the virus; and restoring the first virtual machine to its state at the point in time when the snapshot was stored, by using the snapshot of the suspended first virtual machine. | 02-18-2010 |
20100050261 | TERMINAL AND METHOD OF PROTECTING THE SAME FROM VIRUS - A mobile terminal including a display module, a memory configured to store data, a wireless communication unit configured to wirelessly connect with at least one other terminal, a checking unit configured to check at least a portion of the stored data for virus-infected data infected with a virus, and a controller configured to prevent a wireless communication connection with the at least one other terminal when the checking unit finds virus-infected data infected with the virus. | 02-25-2010 |
20100058474 | SYSTEM AND METHOD FOR THE DETECTION OF MALWARE - A method of automatically identifying malware may include receiving, by an expert system knowledge base, an assembly language sequence from a binary file, identifying an instruction sequence from the received assembly language sequence, and classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence. If the instruction sequence is classified as threatening, information may be transmitted to a code analysis component and a user may be notified that the binary file includes malware. The information may include one or more of the following: the instruction sequence, a label comprising an indication that the instruction sequence is threatening, and a request that one or more other assembly language sequences from the binary file be searched for at least a portion of the instruction sequence. | 03-04-2010 |
20100064368 | Systems, Methods, and Media for Outputting a Dataset Based Upon Anomaly Detection - Systems, methods, and media for outputting a dataset based upon anomaly detection are provided. In some embodiments, methods for outputting a dataset based upon anomaly detection: receive a training dataset having a plurality of n-grams, which plurality includes a first plurality of distinct training n-grams each being a first size; compute a first plurality of appearance frequencies, each for a corresponding one of the first plurality of distinct training n-grams; receive an input dataset including first input n-grams each being the first size; define a first window in the input dataset; identify as being first matching n-grams, the first input n-grams in the first window that correspond to the first plurality of distinct training n-grams; compute a first anomaly detection score for the input dataset using the first matching n-grams and the first plurality of appearance frequencies; and output the input dataset based on the first anomaly detection score. | 03-11-2010 |
20100064369 | METHODS, MEDIA, AND SYSTEMS FOR DETECTING ATTACK ON A DIGITAL PROCESSING DEVICE - Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program. | 03-11-2010 |
20100064370 | METHOD AND DEVICE FOR PROTECTION OF A MICROCIRCUIT AGAINST ATTACKS - The method of protection of a microcircuit against an attack includes: | 03-11-2010 |
20100071064 | APPARATUS, SYSTEMS, AND METHODS FOR CONTENT SELFSCANNING IN A STORAGE SYSTEM - Apparatus, systems, and method for content self-scanning within a storage system. Features and aspects hereof operable within a storage controller of a storage system scan blocks of data within the storage system to detect the presence of a pattern in one or more data blocks. The patterns to be matched may be stored as regular expressions in a pattern database in the storage system and may represent, for example, viruses to be detected in the data blocks of the storage system. Data blocks may be scanned, in real time, as they are received from an attached host system. Data blocks may also be retrieved from within the storage system for scanning. The storage system may cooperate with a scanning service computer to determine a file of data blocks related to any data block that matches a portion of a pattern. | 03-18-2010 |
20100071065 | INFILTRATION OF MALWARE COMMUNICATIONS - Infiltration of malware communications. Malicious programs infecting individual devices within a network oftentimes communicate with another infected device (e.g., a master device by which the infection was established on a slave device in the first place). During this call home to a master device (or receiving a call from the master device), vital information about the attack, target, master device, etc. may be transmitted. The call home may include information acquired/retrieved from the infected device, or it may request additional information from the infecting device. By monitoring the network messages associated with such call home attempts (including any errors associated therewith), an infected device may be identified and appropriate action be taken (e.g., continue monitoring, isolate infected device from network, generate call to network help desk, etc.). This approach may be implemented at a network level to help prevent further promulgation of the malicious program to other devices. | 03-18-2010 |
20100077480 | Method for Inferring Maliciousness of Email and Detecting a Virus Pattern - Provided is a method of distinguishing an abnormal e-mail and determining whether an e-mail is affected with a virus. The method includes the steps of: decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information; determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result; distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule; and when there is an executable attachment file among the header information of the e-mail distinguished as abnormal, determining whether the abnormal e-mail is infected with a virus using distribution of similarity among data. The method effectively distinguishes an abnormal e-mail and determines whether an e-mail is infected with a virus without a database for spam filtering or a database of virus information, and thus is capable of stopping the propagation of new viruses. Therefore, an e-mail server can have a security technique and handle abnormal e-mail in a step before operation of a spam filter server or an antivirus server. Consequently, it is possible to manage a mail server more securely. | 03-25-2010 |
20100077481 | COLLECTING AND ANALYZING MALWARE DATA - A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior. | 03-25-2010 |
20100077482 | METHOD AND SYSTEM FOR SCANNING ELECTRONIC DATA FOR PREDETERMINED DATA PATTERNS - A method and system for scanning electronic data for predetermined data patterns is described. One embodiment reads the electronic data serially; consults, during the reading, an acceleration list, the acceleration list specifying one or more sections of the electronic data that are to be scanned for the predetermined data patterns, at least one predetermined data pattern being applicable to each of the one or more sections based, at least in part, on a predetermined data address range associated with the at least one predetermined data pattern lying within that section of the electronic data, the predetermined address range specifying a location of a potential occurrence, within the electronic data, of the at least one predetermined data pattern; scans for predetermined data patterns, during the reading, only the one or more sections of the electronic data specified in the acceleration list; and reports results of the scanning to a user. | 03-25-2010 |
20100077483 | METHODS, SYSTEMS, AND MEDIA FOR BAITING INSIDE ATTACKERS - Methods, systems, and media for providing trap-based defenses are provided. In accordance with some embodiments, a method for providing trap-based defenses is provided, the method comprising: generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties; embedding a beacon into the decoy information; and inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information. | 03-25-2010 |
20100083380 | NETWORK STREAM SCANNING FACILITY - In embodiments of the present invention improved capabilities are described for providing a scanning of data associated with a network computer facility. In the process, a request may be received for network content from a content requesting computing facility. A source lookup associated with the request for network content may be performed, where the source lookup may be from a networked source lookup database. The requested network content may then be retrieved, where the type of the content may be determined as a further aid in scanning the content. A checksum of at least a portion of the retrieved network content may then be calculated, and a checksum lookup associated with the portion of the retrieved network content may be performed, where the checksum lookup may be from a networked checksum lookup database. Finally, an action may be taken based on at least one of the source lookup and checksum lookup, where the action is associated with protecting the content requesting computing facility from malware. | 04-01-2010 |
20100083381 | Hardware-based anti-virus scan service - A device, system, and method are disclosed. In an embodiment, the device includes a storage medium to store files. The device also includes a manageability engine. The manageability engine accesses a virus signature file. The manageability engine then performs an anti-virus scan using patterns in the signature file to compare to one or more of the files. The manageability engine then reports the results of the scan to an external agent. | 04-01-2010 |
20100083382 | Method and System for Managing Computer Security Information - A security management system includes a fusion engine which “fuses” or assembles information from multiple data sources and analyzes this information in order to detect relationships between raw events that may indicate malicious behavior and to provide an organized presentation of information to consoles without slowing down the processing performed by the data sources. The multiple data sources can comprise sensors or detectors that monitor network traffic or individual computers or both. The sensors can comprise devices that may be used in intrusion detection systems (IDS). The data sources can also comprise firewalls, audit systems, and other like security or IDS devices that monitor data traffic in real-time. The present invention can identify relationships between one or more real-time, raw computer events as they are received in real-time. The fusion engine can also assess and rank the risk of real-time raw events as well as mature correlation events. | 04-01-2010 |
20100095380 | DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES - Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged archive file is received. And, without decrypting or decompressing the contents, an anti-virus detection module identifies a type and associated structure of the archive file by assuming each possible archive file type in turn and searching the archive file for descriptive information consistent with a current archive file type. Based thereon, descriptive information is obtained from the archive file describing one or more contained files within the archive file. Then, the descriptive information for each contained file is evaluated to determine if any contained files are malicious or undesired computer files. Finally, an attempt is made to prevent contained files determined to be a malicious or undesired computer file from being opened. | 04-15-2010 |
20100100960 | SYSTEM AND METHOD FOR PROTECTING DATA OF NETWORK USERS - A system and method for protecting data of network users are provided. A user end device is connected to a routing device. Then, the routing device directs data packets of the user end device into a data protection device connected to the routing device in series, according to profiles corresponding to the user end device. Security services are performed on the received data packets by the data protection device, thereby providing effective data security protection services to network users and overcoming the drawbacks of high costs and high maintenance required for self-configuration of such mechanisms in prior techniques. | 04-22-2010 |
20100100961 | INTRUSION DETECTION SYSTEM - An intrusion detection system monitors the rate and characteristics of Internet attacks on a computer network and filters attack alerts based upon various rates and frequencies of the attacks. The intrusion detection system monitors attacks on other hosts and determines if the attacks are random or general attacks or attacks directed towards a specific computer network and generates a corresponding signal. The intrusion detection system also tests a computer network's vulnerability to attacks detected on the other monitored hosts. | 04-22-2010 |
20100107256 | Methods for Software Virus Protection in a Digital Display Device - This invention relates to methods for identifying potentially infected files downloaded to a digital display device (“DDD”) and for managing those potentially infected files. These methods may include the steps of: connecting the DDD to a device; downloading one or more files to the DDD; disconnecting the DDD from the device; verifying and repairing the boot sector of the DDD; removing the one or more downloaded files that are not supported for playback on the DDD; and scanning the one or more downloaded files that are supported for playback on the DDD. | 04-29-2010 |
20100107257 | SYSTEM, METHOD AND PROGRAM PRODUCT FOR DETECTING PRESENCE OF MALICIOUS SOFTWARE RUNNING ON A COMPUTER SYSTEM - A system, method and program product for detecting presence of malicious software running on a computer system. The method includes locally querying the system to enumerate a local inventory of tasks and network services running on the system for detecting presence of malicious software running on the system and remotely querying the system from a remote system via a network to enumerate a remote inventory of tasks and network services running on the system for detecting presence of malicious software running on the system, where the local inventory enumerates ports in use on the system and where the remote inventory enumerates ports in use on the system. Further, the method includes collecting the local inventory and the remote inventory and comparing the local inventory with the remote inventory to identify any discrepancies between the local and the remote inventories for detecting presence of malicious software running on the system. | 04-29-2010 |
20100115619 | METHOD AND SYSTEM FOR SCANNING A COMPUTER STORAGE DEVICE FOR MALWARE INCORPORATING PREDICTIVE PREFETCHING OF DATA - A method and system for scanning a computer storage device for malware is described. One embodiment keeps track of which portion or portions of each of a plurality of files on a computer storage device are requested for analysis by an anti-malware engine during a first scan of the computer storage device for malware; prefetches, during a second scan of the computer storage device for malware, the portion or portions of each of at least a subset of the plurality of files that were requested by the anti-malware engine during the first scan, the prefetched data being supplied to the anti-malware engine for analysis as requested; and takes corrective action responsive to the results of at least one of the first and second scans. | 05-06-2010 |
20100115620 | STRUCTURAL RECOGNITION OF MALICIOUS CODE PATTERNS - Various embodiments include an apparatus comprising a detection database including a tree structure of descriptor parts including one or more root nodes and one or more child nodes linked to from one or more parent descriptor parts chains, each of the root nodes representing a descriptor part, and each root node linked to at least one of the child nodes, each root node and each child node linked to any possible additional child nodes, wherein the possible additional child nodes include any possible successor child nodes and a descriptor comparator coupled to the detection database, the descriptor comparator operable to receive data including a plurality of logic entities, once or successively, and to continuously compare logic entities provided to the tree structure of descriptor parts stored in detection database, and to provide an output based on the comparison. | 05-06-2010 |
20100122345 | CONTROL SYSTEM AND PROTECTION METHOD FOR INTEGRATED INFORMATION SECURITY SERVICES - A control system and protection method for integrated information security services are provided, which include protecting data packets of a user end device by a protecting device; generating an event log according to the protection result and transmitting the recorded event log to a collective control platform for standardizing and analyzing association by the collective control platform; detecting and transmitting abnormal information by the collective control platform to a service platform for integrating the information with network status information; displaying the integrated information on a webpage interface and transmitting the same to the user end device, thereby providing direct information on network security to save the high costs of purchasing, configuring and maintaining an information security protection system by the user. | 05-13-2010 |
20100132041 | INTERCEPTION-BASED CLIENT DATA NETWORK SECURITY SYSTEM - An interception-based client data network security system is provided, which includes a user end device, an interception device and a security center. The interception device performs interception of data packets from the user end device according to preset conditions and allows the intercepted data packets to be formed into event logs and then transmits the event logs to the security center for storage. And, the security center compares the stored event logs according to specific search commands for providing security services in correspondence with the stored event logs, thereby overcoming the drawbacks of conventional MPLS or mirror techniques in which the transfer of mass data packets causes overloading of the servers of the security center and excessive consumption of network bandwidth. | 05-27-2010 |
20100132042 | METHOD FOR UPGRADING ANTIVIRUS SOFTWARE AND TERMINAL AND SYSTEM THEREOF - A method for upgrading antivirus software and corresponding terminal and system thereof are provided. The method includes: reporting, by a first operating system connected to a terminal, a first device port of the terminal to a computer when the computer is started; running, by the computer, a second operating system of the port via the first device port; loading, by the second operating system, a driver of a network communication device of the terminal, and downloading, by the second operating system, an update file of the antivirus software from a remote virus database server via the network communication device, and adopting, by the first operating system of the terminal, the update file of the antivirus software to update the antivirus software. The beneficial effects of the present invention lie in that the latest antivirus software can be updated when the computer is started, thus ensuring the system security and antivirus efficiency. | 05-27-2010 |
20100138924 | Accelerating the execution of anti-virus programs in a virtual machine environment - The execution of anti-virus programs can be accelerated in a virtual desktop environment. In one embodiment, a server hosts a plurality of virtual machines. Before performing a virus scan on a file, the server computes a signature value of the file, compares the signature value with the stored signature values in a central database, and performs virus scan on the file according to the result of the comparison. If the signature value exists in the central database, the virus scan on the file can be skipped. | 06-03-2010 |
20100146625 | SAMPLE ANALYZER, SAMPLE ANALYZING METHOD, AND COMPUTER PROGRAM PRODUCT - A sample analyzer comprising: a measuring unit for measuring a sample and outputting measurement data; and a measurement controller configured for carrying out operations comprising: obtaining analysis results of measurement data output from the measuring unit; detecting a malicious program; and restricting the output of the obtained analysis results when a malicious program has been detected, is disclosed. A sample analyzing method and a computer program product are also disclosed. | 06-10-2010 |
20100146626 | SYSTEM FOR PROTECTING DEVICES AGAINST VIRUS ATTACKS - A system for protecting devices operating on 64-bit editions of operating systems by retrieving the file path by which the process was run and not the actual file path from where the process is running and scanning this retrieved file path for viruses. | 06-10-2010 |
20100146627 | ELECTRONIC MESSAGE AND DATA TRACKING SYSTEM - Systems and methods for tracking electronic messages and data are provided. In one embodiment, the invention consists of a method of tracking email messages. In various embodiments, steps may include a) identifying an email message for tracking and b) inserting a linking object, into a tracked email message. Responsive to activation by a receiver of the email message, the linking object enables the receiver to submit information to a commercial anti-spam service or a commercial anti-virus service. The method can be used to identify and track email messages defined as spam or defined as containing viruses. The receiver's privacy may be preserved with respect to content of the email message by limiting the information submitted to signatures of the electronic message and other information associated with the electronic message that are reasonably required for spam or virus analysis. | 06-10-2010 |
20100154060 | METHOD AND APPARATUS FOR PROVIDING MOBILE DEVICE MALWARE DEFENSE - A method and apparatus for protecting a wireless communication network are disclosed. For example, the method identifies an infected mobile endpoint device via at least one audit by a malware defense platform, and performs an anti-malware application update on the infected mobile endpoint device. | 06-17-2010 |
20100154061 | SYSTEM AND METHOD FOR IDENTIFYING MALICIOUS ACTIVITIES THROUGH NON-LOGGED-IN HOST USAGE - A method for identifying malware activities, implemented within a computer infrastructure, includes receiving a data communication via a data channel and determining a user is not interactively logged in to a host. Additionally, the method includes identifying the data communication as a potential malware communication in response to the determining the user is not interactively logged in to the host. | 06-17-2010 |
20100154062 | Virus Scanning Executed Within a Storage Device to Reduce Demand on Host Resources - Protection against computer viruses is provided by a storage device having a memory, a controller, and a content scanning module used for scanning files for viruses. Infected files are indicated to a virus handling module that resides external to the storage device. The virus handling module may alter access to the infected files and/or indicate their presence to other system components. Such a virus scanning mechanism can be built within the controller of the storage device. The protection against computer viruses may be provided by a method that includes transferring file data from the memory to the controller, reconstructing the files from the file data, activating the controller to check the reconstructed files for viruses, and indicating the infected files to the virus handling module. By using the controller within the storage device to scan for viruses, the burden on the host can be greatly reduced. | 06-17-2010 |
20100154063 | IMPROVEMENTS IN RESISTING THE SPREAD OF UNWANTED CODE AND DATA - A method of processing an electronic file by identifying portions of content data in the electronic file and determining if each portion of content data is passive content data having a fixed purpose or active content data having an associated function. If a portion is passive content data, then a determination is made as to whether the portion of passive content data is to be re-generated. If a portion is active content data, then the portion is analysed to determine whether the portion of active content data is to be re-generated. A re-generated electronic file is then created from the portions of content data which are determined to be re-generated. | 06-17-2010 |
20100154064 | SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - A method of updating a content detection module includes obtaining content detection data, and transmitting the content detection data to a content detection module, wherein the transmitting is performed not in response to a request from the content detection module. A method of sending content detection data includes obtaining content detection data, selecting an update station from a plurality of update stations, and sending the content detection data to the selected update station. A method of building a content detection system includes establishing a first communication link between a central station and an update station, the central station configured to transmit content detection data to the update station, and establishing a second communication link between the update station and a content detection module. | 06-17-2010 |
20100162399 | METHODS, APPARATUS, AND COMPUTER PROGRAM PRODUCTS THAT MONITOR AND PROTECT HOME AND SMALL OFFICE NETWORKS FROM BOTNET AND MALWARE ACTIVITY - Methods, apparatus and computer program products that protect networks from malware and botnet activity include collecting xFlow data associated with a network, analyzing the collected xFlow data to detect anomalous traffic on the network, investigating the presence of malware on the network in response to detecting anomalous traffic on the network, and taking remedial action to eradicate and/or isolate malware detected on the network. Collecting xFlow data includes capturing xFlow data at a router that connects the network and a communications network, and sending the captured xFlow data to a local or remote xFlow collector. Analyzing collected xFlow data, locally or remotely, to detect anomalous traffic includes applying one or more activity profiling algorithms to the xFlow data. | 06-24-2010 |
20100162400 | MALWARE DETECTION - The invention provides methods and systems for detecting exploits. A received file is examined to determine whether or not it corresponds to any of one or more predetermined models of normal file types. If the received file does not correspond to any of the one or more predetermined models of normal file types, it is flagged as a potential exploit. | 06-24-2010 |
20100175134 | System and Method for Performing Remote Security Assessment of Firewalled Computer - Methods and systems for scanning an endpoint terminal across an open computer network are disclosed. An exemplary method includes providing a scanner engine in a computer server in communication with an open computer network, and establishing a secure connection across the open computer network between the scanner engine and a scanner agent installed on the endpoint terminal in communication with the open computer network. Commands for collecting data regarding the endpoint terminal are sent from the scanner engine across the secure connection to the scanner agent. The scanner engine then receives the collected data from the scanner agent across the secure connection, analyzes the data to assess a current posture of the endpoint terminal, and determines any updates for the endpoint terminal from the analysis. Updates are sent across the secure connection to the scanner agent for installation on the endpoint terminal, and the secure connection may then be terminated. | 07-08-2010 |
20100192227 | OFFLINE EXTRACTION OF CONFIGURATION DATA - A configuration scanning system is described herein that scans a system configuration database for malware-related information with less impact on other operations that access the system configuration database. The system employs techniques to reduce the impact on other operations that access the configuration database, including parsing a file-based stored version of the configuration database, accessing the configuration database using opportunistic locking, and caching configuration information obtained by scanning the configuration database. In this way, the system is able to respond to requests from antimalware programs using cached information without impacting other programs using the configuration database. Thus, the configuration scanning system protects a computer system against malware while reducing the burden on the configuration database and on other programs that access the configuration database. | 07-29-2010 |
20100199349 | Method, apparatus, and computer program product for detecting computer worms in a network - A worm is a malicious process that autonomously spreads itself from one host to another. To infect a host, a worm must somehow copy itself to the host. The method in which a worm transmits a copy of itself produces network traffic patterns that can be generalized as a traffic behavior. As a worm spreads itself across the network, the propagation of the traffic behavior can be witnessed as hosts are infected, one after another. By monitoring the network traffic for propagations of traffic behaviors, a presence of a worm can be detected. | 08-05-2010 |
20100199350 | Federated Scanning of Multiple Computers - A data processing apparatus and associated computer-executed method are adapted for federated scanning of multiple computers. The data processing apparatus comprises a logic that controls scanning among a plurality of data objects distributed among a plurality of distributed electronic data storage systems. The logic maintains a data set of paired location identifiers and intrinsic references corresponding to individual data objects of the plurality of data objects and controls scanning so that redundant scanning of duplicate data objects with matching intrinsic references occurring in multiple locations is avoided. | 08-05-2010 |
20100205672 | HASH-BASED SYSTEMS AND METHODS FOR DETECTING, PREVENTING, AND TRACING NETWORK WORMS AND VIRUSES | 08-12-2010 |
20100218255 | Procedure for the 100% infection free installation/re-installation, patching and maintenance of a personal computer's operating system - The procedure resolves the several well known and documented issues regarding installing, patching and securing a Personal Computer from the Internet threats that lead to the malfunctioning of the PC as well as identity theft. The procedure includes installing the Operating System so it is 100% free of all types of malicious computer attacks; keeping the PC from being infected/re-infected during the required security patches and updates; and keeping the PC safe and in optimal condition for the life of the machine, which is much longer than the industry standard 2-6 months. | 08-26-2010 |
20100223670 | WIRELESS COMMUNICATION SYSTEM CONGESTION REDUCTION SYSTEM AND METHOD - A messaging server forwards emails to mobile communication devices of users to whom the emails were respectively addressed. An antivirus server determines whether an email addressed to a user of a mobile communication device, to be forwarded by the messaging server to the mobile communication device, is infected with a virus. In response to determining the email is infected with a virus, a bulletin generator transmits, to the mobile communication devices besides the mobile communication device of the addressee of the email determined to be infected, an all points bulletin message disclosing the existence of the virus. The bulletin message is transmitted directly to, instead of via email to, the wireless mobile communication devices. | 09-02-2010 |
20100229239 | SYSTEM AND METHOD FOR DETECTING NEW MALICIOUS EXECUTABLES, BASED ON DISCOVERING AND MONITORING CHARACTERISTIC SYSTEM CALL SEQUENCES - The invention relates to a method for detecting malicious executables, which comprises: (a) in an offline training phase, finding a collection of system call sequences that are characteristic only to malicious files, when such malicious files are executed, and storing said sequences in a database; and, in runtime, for each running executable, continuously monitoring its issued run-time system calls and comparing with the stored sequences of system calls within the database to determine whether there exists a match between a portion of the sequence of the run-time system calls and one or more of the database sequences, and when such a match is found, declaring said executable as malicious. | 09-09-2010 |
20100235916 | Apparatus and method for computer virus detection and remediation and self-repair of damaged files and/or objects - A method and apparatus for detecting and remediating damaged files as well as files containing proscribed code content, involving locating damage or proscribed code within a file, recording an identity of said file in which damage or proscribed code has been located, removing the damage or proscribed code by destroying the file that contains the damage or proscribed code, utilizing a search utility to locate a copy of the destroyed file according to one or more locations which are designated, and when located, copying the file to the original location of the destroyed file. | 09-16-2010 |
20100251372 | DEMAND SCHEDULED EMAIL VIRUS AFTERBURNER APPARATUS, METHOD, AND SYSTEM - Queuing and rescanning email for most recently detected virus signatures. An apparatus comprising a first virus scanning circuit operating on received email and a second virus scanning circuit operating on the outbound email queue and quarantine store. Rescanning for viruses while delivering email to a downstream email server or viewing quarantine with virus signatures not previously known when the virus was first introduced to the wild. A circuit determines that an email server or an email client is active and ready to retrieve or read emails from quarantine or from the output queue of an anti-virus, anti-spam appliance. Upon that condition, one or more virus signatures are read from a most recently discovered virus signature syndication server. Emails in the output queue or quarantine are rescanned before transmission to the destination email server. | 09-30-2010 |
20100251373 | SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE - A method for protecting a client computer from dynamically generated malicious content, including receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, modifying the content at the gateway computer, including replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection, transmitting the modified content from the gateway computer to the client computer, processing the modified content at the client computer, transmitting the input to the security computer for inspection when the substitute function is invoked, determining at the security computer whether it is safe for the client computer to invoke the original function with the input, transmitting an indicator of whether it is safe for the client computer to invoke the original function with the input, from the security computer to the client computer, and invoking the original function at the client computer with the input, only if the indicator received from the security computer indicates that such invocation is safe. A system and a computer-readable storage medium are also described and claimed. | 09-30-2010 |
20100287616 | CONTROLLER CAPABLE OF PREVENTING SPREAD OF COMPUTER VIRUSES AND STORAGE SYSTEM AND METHOD THEREOF - A controller capable of preventing spread of computer viruses is provided. The controller includes a microprocessor unit, and a first interface unit, a second interface unit, a comparing unit and a filter unit which are coupled to the microprocessor unit. The first interface unit is coupled to a storage medium, and the second interface unit is coupled to a computer host. The comparing unit determines whether data read from the storage medium by the computer host is an automatic executing file. And, the filter unit replaces the read data with predetermined data and transmits the predetermined data to the computer host when the read data is the automatic executing file. Accordingly, the controller is capable of preventing the spread of computer viruses designed in an automatic executing file. | 11-11-2010 |
20100299754 | Identifying Security Breaches Caused by Web-Enabled Software Applications - Identifying a security breach caused when a computer-based software application uses a computer-based web browser application, including identifying at least one function within a computer-based software application that causes a computer-based web browser application to access data from a source that is external to the software application, at least partially replacing the data with malicious content that is configured to cause a predefined action to occur when the malicious content is accessed by the web browser application, where the predefined action is associated with a known security breach when the predefined action occurs subsequent to the malicious content being accessed by the web browser application, causing the software application to perform the function, and determining whether the predefined action is performed. | 11-25-2010 |
20100299755 | ANTI-VIRUS/SPAM METHOD IN MOBILE RADIO NETWORKS - The invention concerns a process to protect against viruses/spam in mobile broadcast networks containing convergent messaging services with transmission of protocol data, characterized by having functions included in the protocol of the convergent messaging service, which facilitate the exchange of virus/spam information between the network components of one or more network operators. The invention has the objective of providing a process for convergent messaging systems that will facilitate the exchange of information regarding viruses and spam across network and platform boundaries in order to combat their widespread dissemination. | 11-25-2010 |
20100306847 | IDENTIFYING SECURITY PROPERTIES OF SYSTEMS FROM APPLICATION CRASH TRAFFIC - Most machines in an organization's computer network connect to the Internet and create web traffic logs which allow analysis of HTTP traffic in a simple, centralized way. The web traffic logs may contain error reports and error reports contain significant information that can be used to detect network security. By reviewing the error reports, significant information about a network and its security can be found as common sources of network security weakness may be watched for in the error reports. | 12-02-2010 |
20100306848 | Method and Data Processing System to Prevent Manipulation of Computer Systems - The present invention relates to the field of computer technology, and relates in particular to a method and system to prevent computer programs and data of any kind stored in a computer system from being manipulated and in particular for preventing hacker attacks and virus infection in computer systems, wherein said computer system comprises a storage means able to be read from and to be written to, and a means for switching said storage means into a write-protected mode. In order to provide improved prevention, the following steps are proposed, either during boot or during an installation process of an application program: | 12-02-2010 |
20100306849 | ON-ACCESS ANTI-VIRUS MECHANISM FOR VIRTUAL MACHINE ARCHITECTURE - A tangible medium embodying instructions usable by a computer system to protect a plurality of guest virtual machines (VMs), which execute via virtualization software on a common host platform, from malicious code is described. A scan engine is configured to scan data for malicious code and determine a result of the scanning, wherein the result indicates whether malicious code is present in the data. A driver portion is configured for installation in an operating system of a target VM, which is one of the guest VMs. The driver portion intercepts an access request to a file that originates within the target VM. The driver portion communicates information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine. The scan engine executes within the virtualization layer outside a context of the target VM. | 12-02-2010 |
20100313268 | METHOD FOR PROTECTING A COMPUTER AGAINST MALICIOUS SOFTWARE - A method of protecting a computer by having security software be set to clean mode where the clean mode acts as if files installed or modified before the clean date are safe and installed or modified after the clean date as potentially harmful. | 12-09-2010 |
20100319071 | GENERIC PROTOCOL DECODER FOR GENERIC APPLICATION-LEVEL PROTOCOL SIGNATURES - Described is a generic protocol decoder that analyzes network traffic or file data to look for a signature, and signals an intrusion prevention mechanism/system if the signature is matched. In one aspect, the generic decoder is built using generic application-level protocol analysis language (GAPAL) primitives. These primitives provide various capabilities, including pattern matching, skipping, reading data, copying variable data and comparing data. The generic decoder may be coupled to a pre-developed protocol parser that provides the decoder with the data to analyze. | 12-16-2010 |
20100325729 | DETERMINATION BY CIRCUITRY OF PRESENCE OF AUTHORIZED AND/OR MALICIOUS DATA - An embodiment may include circuitry that may be comprised in a host. The host may include memory and a host processor to execute an operating system. The circuitry may be to determine, independently of the operating system and the host processor, the authenticity of signature list information, based at least in part upon authentication information received by the circuitry from a remote server. The circuitry also may be to determine, independently of the operating system and the host processor, based at least in part upon comparison of at least one portion of the signature list information with at least one portion of contents of the memory, whether authorized and/or malicious data are present in the at least one portion of the contents of the memory. Of course, many variations, modifications, and alternatives are possible without departing from this embodiment. | 12-23-2010 |
20100333204 | SYSTEM AND METHOD FOR VIRUS RESISTANT IMAGE TRANSFER - A system and method for virus resistant image transfer, comprising a computer capable of accessing electronic sources of information, a connection to a local network, and a connection to the Internet, which enable virus resistant image transfer, by a user opening a computer connection, the user selecting data, the user generating an Internet optimized thumbnail image associated with the selected data, the user converting the selected data to an Internet optimized format, the user creating an Internet optimized pair of the selected data and the thumbnail image, the user compressing all Internet optimized pairs, the user connecting to a server, and the server authenticating the user. | 12-30-2010 |
20110004936 | BOTNET EARLY DETECTION USING HYBRID HIDDEN MARKOV MODEL ALGORITHM - A botnet detection system is provided. A bursty feature extractor receives an Internet Relay Chat (IRC) packet value from a detection object network, and determines a bursty feature accordingly. A Hybrid Hidden Markov Model (HHMM) parameter estimator determines probability parameters for a Hybrid Hidden Markov Model according to the bursty feature. A traffic profile generator establishes a probability sequential model for the Hybrid Hidden Markov Model according to the probability parameters and pre-defined network traffic categories. A dubious state detector determines a traffic state corresponding to a network relaying the IRC packet in response to reception of a new IRC packet, determines whether the IRC packet flow of the object network is dubious by applying the bursty feature to the probability sequential model for the Hybrid Hidden Markov Model, and generates a warning signal when the IRC packet flow is regarded as having a dubious traffic state. | 01-06-2011 |
20110004937 | SYSTEMS AND METHODS FOR MANAGING A NETWORK - A method of managing a network. The method includes receiving an activation key transmitted from a device connected to the network, automatically transmitting a configuration to the device, automatically maintaining the configuration of the device, and receiving log information from the device. | 01-06-2011 |
20110010774 | MULTIMEDIA PLAY APPARATUS AND METHOD - Provided are a multimedia play apparatus and method. The multimedia play apparatus and method enable synchronization between an audio and a video through existing multimedia play time information, and even in a multimedia service that simultaneously provides multimedia and a message, the multimedia play apparatus and method enable synchronization between multimedia and a message that occurs by terminal characteristics between different environments and different users on the basis of existing multimedia play time information and multimedia meaning information. Moreover, by performing synchronization between multimedia and a message on the basis of the multimedia meaning information, the multimedia play apparatus and method can prevent the damage of a multimedia service that provides multimedia and a message together because of a spoiler corresponding to a malicious message. | 01-13-2011 |
20110016529 | INFORMATION PROCESSING APPARATUS COOPERATING WITH VIRUS MANAGEMENT FUNCTION DEVICE, AND ANTI-VIRUS METHOD - An information processing apparatus provided with a first information processing unit and a second information processing unit, wherein the first information processing unit infected by a virus is cleared and normal communication restored quickly without human operation. The virus infection is quickly detected by an external virus management function device through a first communication system, a communication suspension instruction is transferred through a different second communication system having a high security level to the first information processing unit, and communication by the first communication system is disconnected. Further, anti-virus solution information is transferred to the first processing unit through the second communication system, and virus removal in the first processing unit is carried out. Further, after removal, the disconnected communication is restarted. | 01-20-2011 |
20110016530 | DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES - Systems and methods that can detect known undesired computer files in protected archives are provided. According to one embodiment, an archive file in transit across a network as an attachment to an email message destined for a client workstation is scanned, without decrypting or decompressing contents of the archive, by an anti-virus detection module running on a network gateway. A type and associated structure of the archive are identified by examining primary or secondary identification bytes of the archive. Based on the type and structure, descriptive information regarding a contained file is obtained. The descriptive information includes a hash value of the contained file in uncompressed format. If the descriptive information matches a signature of a known undesired computer file, then a clean version of the archive is produced by removing the contained file and regenerating the archive. Finally, the clean version of the archive is delivered. | 01-20-2011 |
20110023121 | DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES - Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged or incomplete RAR, CAB or ZIP archive is received. Without decrypting or decompressing the contents, an anti-virus detection module identifies the archive as a RAR, CAB or ZIP archive by assuming each of multiple possible archive types in turn and searching all of or certain parts of the archive for content consistent with a current archive type. Based on the identified type, for each contained file, descriptive information is extracted from corresponding local file headers and a threat evaluation is performed by comparing the descriptive information to signatures of known malicious or undesired files. If the threat evaluation concludes a particular contained file is a threat, then appropriate defensive actions are taken in relation to the archive. | 01-27-2011 |
20110030058 | SYSTEM AND METHOD FOR SCANNING AND MARKING WEB CONTENT - Instructions to access content at a destination node are intercepted. Content at the destination node is analyzed for malicious components, and results of the analysis are associated with the content prior to being presented to viewers of the content. | 02-03-2011 |
20110047621 | SYSTEM AND METHOD FOR DETECTION OF NON-COMPLIANT SOFTWARE INSTALLATION - A system and method for performing a security check may include using at least one processor to periodically check a status of a flag, generate and store a baseline representation of modules stored on the device where the flag is determined to be set to a first state, and, where the flag is determined to be set to a second state, generate an active representation of modules stored on the first device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device. | 02-24-2011 |
20110067108 | Digital DNA sequence - In an embodiment of the invention, a method of classifying a data object includes: scanning the data object; evaluating contents of data objects based on at least one selected rule; and generating a digital DNA sequence that classifies at least some contents in the data object. | 03-17-2011 |
20110067109 | SYSTEM AND METHOD OF CACHING DECISIONS ON WHEN TO SCAN FOR MALWARE - In accordance with this invention, a system, method, and computer-readable medium that selectively scans files stored on a computing device for malware is provided. One aspect of the present invention includes identifying files that need to be scanned for malware when a software update that includes a malware signature is received. More specifically, attributes of the new malware are identified by searching metadata associated with the malware. Then, the method searches a scan cache and determines whether each file with an entry in the scan cache is the type that may be infected by the malware. If a file is the type that may be infected by the malware, the file is scanned for malware when a scanning event such as an I/O request occurs. Conversely, if the file is not the type that may be infected by the malware, the file may be accessed without a scan being performed. | 03-17-2011 |
20110078796 | Trusted Operating Environment For Malware Detection - Described herein are techniques and apparatuses for scanning a computing device for malware and/or viruses. In various embodiments, a trusted operating environment, which may include a trusted operating system and/or a trusted antivirus tool, may be utilized with respect to a computing device. More particularly, the trusted operating system may be used to boot the computing device. Moreover, the trusted antivirus tool may search the computing device for malware definition updates (e.g., virus signature updates) and use the trusted operating system to scan the computing device for malware. In other embodiments, the trusted antivirus tool may scan the computing device and remove any viruses detected by the trusted antivirus tool. The trusted operating system may then reboot the computing device into a clean environment once any detected viruses are removed. | 03-31-2011 |
20110083183 | ANALYSIS OF SCRIPTS - A method and system for analyzing scripts. A script is processed, which executes text blocks of code derived from the script and copied to an output file in a sequential order. The script is the first text block that is copied to the output file. Executing the text blocks includes interpreting each text block to generate and execute a corresponding interpreted block of code. Processing the script results in the text blocks being sequenced in the output file in the sequential order. The text blocks include an original text block of code that includes text that may be directly inferred from text appearing in the script. The blocks of code include a new text block of code, which includes text that may not be directly inferred from text appearing in the script. The new text block is generated from executing the original text block. | 04-07-2011 |
20110083184 | ANTI-MALWARE SCANNING IN PARALLEL PROCESSORS OF A GRAPHICS PROCESSING UNIT - A method of anti-malware scanning includes providing, in a computing system including a central processor, a multimedia processor including a number of processors to operate in parallel with one another. The anti-malware scanning further includes executing an anti-malware algorithm using the multimedia processor to free the central processor for a non-anti-malware related task. | 04-07-2011 |
20110083185 | Method and System for Improving Website Security - A method for locating and monitoring websites is provided that includes finding websites and contained hyperlinks, downloading a first snapshot of a web page taken at a first time, and downloading a second snapshot of the web page taken at a second time later than the first time. The method also includes enabling a comparison of the first snapshot and the second snapshot. A system for monitoring websites is provided. The system includes means for enabling a comparison of the first snapshot and the second snapshot visually or through the use of content data from that web site. A computer-readable recording medium having recorded thereon an executable program is provided. The program when executed causes a processor to perform a method for monitoring websites. | 04-07-2011 |
20110083186 | Malware detection by application monitoring - A method of detecting malware on a computer system. The method comprises monitoring the behaviour of trusted applications running on the computer system and, in the event that unexpected behaviour of an application is detected, identifying a file or files responsible for the unexpected behaviour and tagging the file(s) as malicious or suspicious. The unexpected behaviour of the application may comprise, for example, dropping executable files, performing modifications to a registry branch which is not a registry branch of the application, reading a file type class which is not a file type class of the application, writing portable executable (PE) files, and crashing and re-starting of the application. | 04-07-2011 |
20110083187 | SYSTEM AND METHOD FOR EFFICIENT AND ACCURATE COMPARISON OF SOFTWARE ITEMS - Apparatus, processes, and related technologies for comparison between a target item of software code and a reference set of software code. The target item is preprocessed to be compared against a reference item from the reference set to identify a selected set of lines of software code from the target item to be used for the comparison. Each line of the selected set of lines from the target software item is individually compared with lines of software code from the reference set to produce a measure of similarity between the target software item and at least one reference item of software code from the reference set. Various techniques for maintaining and updating a numerical representation of similarity of the target item with each reference item, the numerical representation being stored in a corresponding element of a data structure. | 04-07-2011 |
20110083188 | Virus, trojan, worm and copy protection of audio, video, digital and multimedia, executable files and such installable programs - A TSR (Terminate and Stay Resident) program based virus, trojan, worm and copy protection of audio, video, digital, multi media, executable files and installable programs. The TSR is co-resident on the chip-set or the CPU of the system; the BIOS and the OS (Operating System), whereby it is an intrinsic part of the system and is uninstallable. The TSR monitors any attempt to copy, play, record, any designated copy protected audio, video, digital, multi media; or any attempt to copy, install or execute any executable files or such installable programs and seeks authorization and or authentication from a clearing house or by using a local authentication key, before playing, recording, storing, executing or installing such digital media. Additionally the TSR generates and inserts a unique digitally encrypted source signature that includes the machine number and the date and time code for pay per use and verification purposes. | 04-07-2011 |
20110093951 | Computer worm defense system and method - A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems. | 04-21-2011 |
20110093952 | DETECTING AND RESPONDING TO MALWARE USING LINK FILES - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for monitoring the generation of link files by processes on a computer and performing protection processes based on whether the link files target malicious objects or are generated by malicious processes. In one aspect, a method includes monitoring for a generation of a first file that includes a target path that points to an object; in response to monitoring the generation of the first file: determining whether the target path is a uniform resource locator; in response to determining that the target path is a uniform resource locator, identifying a process that caused the first file to be generated; determining whether the process is a prohibited process; in response to determining that the process is a prohibited process, performing one or more protection processes on the process and the first file; in response to determining that the process is not a prohibited process, determining whether the uniform resource locator is a prohibited uniform resource locator; in response to determining that the uniform resource locator is a prohibited uniform resource locator, performing one or more protection processes on the process and the first file. | 04-21-2011 |
20110093953 | PREVENTING AND RESPONDING TO DISABLING OF MALWARE PROTECTION SOFTWARE - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for responding to an attempt to disable a malware protection program and performing an identification process and one or more protection processes to prevent the execution of potentially malicious code. In one aspect, a method includes monitoring for attempts to disable a malware protection program, identifying a process that generated an attempt to disable the malware protection program, determining whether the process is an approved process, and in response, performing one or more protection processes on the process so as to prevent the execution of potentially malicious code. | 04-21-2011 |
20110099633 | System and method of containing computer worms - A computer worm containment system comprises a detection system and a blocking system. The detection system orchestrates a sequence of network activities in a decoy computer network and monitors that network to identify anomalous behavior and determine whether the anomalous behavior is caused by a computer worm. The detection system can then determine an identifier of the computer worm based on the anomalous behavior. The detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm. The blocking system is configured to use the computer worm identifier to protect another computer network. The blocking system can also use the recovery script to disable a computer worm within the other network and to repair damage caused to the network by the worm. | 04-28-2011 |
20110099634 | Using File Prevalence to Inform Aggressiveness of Behavioral Heuristics - The prevalence rate of a file to be subject to behavior based heuristics analysis is determined, and the aggressiveness level to use in the analysis is adjusted, responsive to the prevalence rate. The aggressiveness is set to higher levels for lower prevalence files and to lower levels for higher prevalence files. Behavior based heuristics analysis is applied to the file, using the set aggressiveness level. In addition to setting the aggressiveness level, the heuristic analysis can also comprise dynamically weighing lower prevalence files as being more likely to be malicious and higher prevalence files as being less likely. Based on the applied behavior based heuristics analysis, it is determined whether or not the file comprises malware. If it is determined that the file comprises malware, appropriate steps can be taken, such as blocking, deleting, quarantining and/or disinfecting the file. | 04-28-2011 |
20110099635 | SYSTEM AND METHOD FOR DETECTING EXECUTABLE MACHINE INSTRUCTIONS IN A DATA STREAM - Detecting executable machine instructions in a data stream is accomplished by accessing a plurality of values representing data contained within a memory of a computer system and performing pre-processing on the plurality of values to produce a candidate data subset. The pre-processing may include determining whether the plurality of values meets (a) a randomness condition, (b) a length condition, and/or (c) a string ratio condition. The candidate data subset is inspected for computer instructions, characteristics of the computer instructions are determined, and a predetermined action taken based on the characteristics of the computer instructions. | 04-28-2011 |
20110099636 | Read-only protection method for removable storage medium - A read-only protection method for removable storage medium has steps of establishing a copy prohibited list, receiving a write command for the removable storage medium, determining whether to allow duplication of data to the removable storage medium, allowing duplication of data to the removable storage medium when the data to be duplicated are not listed in the copy prohibited list and prohibiting duplication of data to the removable storage medium when the data to be duplicated are listed in the copy prohibited list. The method of the present invention prohibits copying of pre-designated data to the removable storage medium, but writing other data is allowed. | 04-28-2011 |
20110107423 | PROVIDING AUTHENTICATED ANTI-VIRUS AGENTS A DIRECT ACCESS TO SCAN MEMORY - A computer platform may support anti-virus agents that may be provided access to directly scan the memory. The computer platform may comprise a platform control hub, which may comprise a manageability engine and a virtualizer engine, wherein the manageability engine may allow the anti-virus agents to be downloaded to a platform hardware space that is isolated from an operating system. The manageability engine may authenticate the anti-virus agents and provide an access for the anti-virus agents to directly scan a memory or a storage device coupled to the platform hardware. | 05-05-2011 |
20110107424 | Rollback Feature - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for rolling back protection processes. In one aspect, a method includes determining that a file is a malicious file, storing a duplicate of the file in a quarantine area, performing one or more protection processes on the file, if the determination that the file is a malicious file is a false positive determination, restoring the file by a pre-boot rollback process to a state prior to the one or more protection processes performed on the file, and booting the computer with the restored file, and if the determination that the file is a malicious file is not a false positive determination, not restoring the file to a state prior to the one or more protection processes performed on the file, and booting the computer. | 05-05-2011 |
20110107425 | APPARATUS AND METHOD FOR PERFORMING VIRUS SCAN IN PORTABLE TERMINAL - An apparatus and method are provided in which, in order to avoid a situation where a vaccine installed in a portable terminal is damaged by a virus and thus a virus scan process cannot be normally performed, when the portable terminal operates as a removable disk or when an external memory is placed in the portable terminal, whether the vaccine installed in the portable terminal is damaged is determined to recover the damaged vaccine, and a version of the vaccine installed in the portable terminal is determined to update the vaccine to the latest version. The apparatus includes a memory divided into a storage area and a backup area to install a vaccine in the storage area and to back up the vaccine in the backup area. | 05-05-2011 |
20110113491 | COLLABORATIVE SYSTEM FOR PROTECTING AGAINST THE PROPAGATION OF MALWARES IN A NETWORK - The present invention is a system for using a collective computing power of a plurality of network stations in a communication network in order to overcome threats generated by malicious applications. Collaboratively, a large group of simple network stations implement a vaccination mechanism, proliferating information concerning malicious applications (malwares) throughout the network in an efficient manner. | 05-12-2011 |
20110119763 | DATA IDENTIFICATION SYSTEM - Disclosed is a method of operating a data storage system. The method comprises identifying changed segments of a primary storage volume, receiving a data request for a plurality of data items in a secondary storage volume, identifying changed data items of the plurality of data items in the secondary storage volume based on a correspondence between the plurality of data items in the secondary storage volume and the changed segments of the primary storage volume, and transferring the changed data items in response to the data request. | 05-19-2011 |
20110119764 | FINGERPRINT ANALYSIS FOR ANTI-VIRUS SCAN - Disclosed is a method of operating a data identification system. The method comprises identifying a first plurality of changed blocks in a first primary storage volume, processing the first plurality of changed blocks to generate a first plurality of fingerprints, scanning a first plurality of data items stored in a first secondary storage volume within the first primary storage volume corresponding to the first plurality of changed blocks to identify a first infected data item of the first plurality of data items, identifying a first reference fingerprint from the first plurality of fingerprints corresponding to the first infected data item, identifying a second plurality of changed blocks in a second primary storage volume corresponding to a second plurality of data items stored in a second secondary storage volume within the second primary storage volume, processing the second plurality of changed blocks to generate a second plurality of fingerprints, and identifying a first target fingerprint from the second plurality of fingerprints that corresponds to the first reference fingerprint. | 05-19-2011 |
20110126286 | SILENT-MODE SIGNATURE TESTING IN ANTI-MALWARE PROCESSING - Method and computer program product for signature testing used in anti-malware processing. Silent signatures, after being tested, are not updated into a white list and are sent directly to users instead. If the silent signature coincides with malware signature, a user is not informed. A checksum (e.g., hash value) of a suspected file is sent to a server, where statistics are kept and analyzed. Based on collected false positive statistics of the silent-signature, the silent-signature is either valid or invalid. Use of the silent signatures provides for effective signature testing and reduces response time to new malware-related threats. The silent signature method is used for turning off a signature upon first false positive occurrence. Use of silent signatures allows improving heuristic algorithms for detection of unknown malware. | 05-26-2011 |
20110126287 | ANTI-VIRUS PROTECTION SYSTEM AND METHOD THEREOF - An anti-virus protection system and method including receiving an address of a data server from a user, writing and transmitting a request message including the address received from the user, receiving the data from the data server, and determining whether the data contains a malignant virus. Thus, a malignant web site is scanned/filtered by minimally using the restricted memory and central processing unit (CPU) resources of a mobile device, and a user uses a mobile device whose security is ensured even though the user moves to another country. | 05-26-2011 |
20110131655 | DETECTION OF FREQUENT AND DISPERSED INVARIANTS - A scalable method and apparatus that detects frequent and dispersed invariants is disclosed. More particularly, the application discloses a system that can simultaneously track frequency rates and dispersion criteria of unknown invariants. In other words, the application discloses an invariant detection system implemented in hardware (and/or software) that allows detection of invariants (e.g., byte sequences) that are highly prevalent (e.g., repeating with a high frequency) and dispersed (e.g., originating from many sources and destined to many destinations). | 06-02-2011 |
20110138467 | Method and System for Content Distribution Network Security - A content delivery system includes an upload module, a content delivery module, and a monitoring module. The upload module is configured to receive content from a content provider, detect content containing malicious software or proprietary information, and provide information about the content to a monitoring module. The content delivery module is configured to detect content containing malicious software or unauthorized changes, detect operational changes to the content delivery module, provide information about the content and the operational changes to the monitoring module, receive a request for the content from a client system, and provide the content to the client system. The monitoring module is configured to monitor a network for potentially malicious traffic, receive information from the content delivery module and the upload module, correlate the information and the potentially malicious traffic to identify a security event, and trigger a response to the security event. | 06-09-2011 |
20110138468 | Distributed Security Provisioning - Systems, methods and apparatus for distributed security that provides security processing external to a network edge. The system can include many distributed processing nodes and one or more authority nodes that provide security policy data, threat data, and other security data to the processing nodes. The processing nodes detect and stop the distribution of malware, spyware and other undesirable content before such content reaches the destination network and computing systems. | 06-09-2011 |
20110145922 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR MITIGATING EMAIL ADDRESS HARVEST ATTACKS BY POSITIVELY ACKNOWLEDGING EMAIL TO INVALID EMAIL ADDRESSES - A method of detecting and responding to an email address harvest attack at an Internet Service Provider (ISP) email system includes counting a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address and responding to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold. | 06-16-2011 |
20110145923 | COMPUTER HAVING SPECIAL PURPOSE SUBSYSTEMS AND CYBER-TERROR AND VIRUS IMMUNITY AND PROTECTION FEATURES - A method or system for supporting a computer system's self-repair, including the computer-executed steps of booting from a first boot device, and booting from a second boot device in response to a signal indicating a need for repair. While booted from the second boot device, the computer system is capable of repairing software on the first boot device. The signal may effect a logical or physical switch. Repairing software may be performed in part by copying template, backup or archive software from a device other than the first boot device. Repairing software may be performed automatically without direction by a user or according to preset preferences. Computer architecture having special purpose subsystems that provides cyber-terror and virus immunity and protection features. | 06-16-2011 |
20110154495 | MALWARE IDENTIFICATION AND SCANNING - A method for automatically generating a genetic signature for a set of malware, comprising parsing (step S | 06-23-2011 |
20110154496 | Removable Apparatus and Method for Verifying an Executable File in a Computing Apparatus and Computer-Readable Medium Thereof - Apparatus and method for verifying an executable file in a computing apparatus by a removable apparatus and computer-readable medium thereof are provided. The removable apparatus boots up the computing apparatus and retrieves the executable file from the computing apparatus. After retrieving the executable file, a vendor-verify module and a digest-check module perform a vendor verification and a digest verification on the executable file, respectively. If the executable file fails in both the vendor verification and the digest verification, a file-link-detect module and an auto-run determination module check the behaviors of the executable file for deciding whether the executable file is suspicious. | 06-23-2011 |
20110167494 | METHODS, SYSTEMS, AND MEDIA FOR DETECTING COVERT MALWARE - Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: generating simulated user activity outside of the computing environment; conveying the simulated user activity to an application inside the computing environment; and determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity. | 07-07-2011 |
20110167495 | METHOD AND SYSTEM FOR DETECTING MALWARE - A system and method of analysis. NX domain names are collected from an asset in a real network. The NX domain names are domain names that are not registered. The real network NX domain names are utilized to create testing vectors. The testing vectors are classified as benign vectors or malicious vectors based on training vectors. The asset is then classified as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector. | 07-07-2011 |
20110167496 | ENHANCED HARDWARE COMMAND FILTER MATRIX INTEGRATED CIRCUIT - A semiconductor integrated circuit includes a hardware mechanism arranged to ensure that associations between instructions and data are enforced so that a processor cannot execute an instruction that is not authorized. A Command Filter Matrix stores entries comprising instructions and associated data memory ranges. A hardware arrangement denies command execution if the CPU attempts to make a data fetch from an instruction that is outside the range associated with data in the Command Filter Matrix. The Command Filter Matrix may be implemented in a Field Programmable Gate Array such that the memory cell content is pre-programmed with entrusted code by a separate trusted hardware source. In this way, an operating system may function normally but only execute trusted instructions, commands and memory operations. The Command Filter Matrix also contains external write-only capability to enable external monitoring of performance. | 07-07-2011 |
20110167497 | System and Method for Managing Wireless Devices in an Enterprise - Methods and systems are disclosed for managing wireless devices in an enterprise. A first exemplary method manages the physical access points of a wireless network in an enterprise. A second exemplary method manages the assets of wireless devices in an enterprise. A third exemplary method enables virus detection within wireless devices. A fourth exemplary method manages wireless device data backup. | 07-07-2011 |
20110179490 | Apparatus and Method for Detecting a Code Injection Attack - A code injection attack detecting apparatus and method are provided. The code injection attack may be detected based on characteristics occurring when a malicious code injected by the code injection attack is executed. For example, the code injection attack detecting apparatus and method may detect that a code injection attack occurs when a buffer miss is detected, a page corresponding to an address is updated, a mode of the page corresponding to the address is in user mode, and/or the page corresponding to the address is inserted by an external input. | 07-21-2011 |
20110179491 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR CONTEXT-DRIVEN BEHAVIORAL HEURISTICS - A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan. | 07-21-2011 |
20110185427 | SAFELY PROCESSING AND PRESENTING DOCUMENTS WITH EXECUTABLE TEXT - Techniques for processing documents with executable text are disclosed. The techniques, among other things, can effectively address XSS attacks to Internet users when browsing web sites. Content deemed not to be trusted or fully trusted (“untrusted”) can be marked in a document that can include executable text. Remedial action, including not allowing execution of executable text marked as “untrusted” can be taken. In addition, when the document is processed, content deemed not to be trusted or fully trusted (“untrusted”) can be effectively monitored in order to identify executable text that may have been effectively produced by “untrusted” content and/or somehow may have been affected by “untrusted” content. | 07-28-2011 |
20110185428 | METHOD AND SYSTEM FOR PROTECTION AGAINST UNKNOWN MALICIOUS ACTIVITIES OBSERVED BY APPLICATIONS DOWNLOADED FROM PRE-CLASSIFIED DOMAINS - A method for monitoring an application includes the steps of detecting the download of an application that originates from a website, identifying the domain of the website, and querying a database to select one or more behavioral analysis rules to apply to the application. The behavioral analysis rules are selected based upon an evaluation of the domain of the website. The evaluation of the domain of the website indicates a possible association with malware. | 07-28-2011 |
20110185429 | METHOD AND SYSTEM FOR PROACTIVE DETECTION OF MALICIOUS SHARED LIBRARIES VIA A REMOTE REPUTATION SYSTEM - A method for proactively detecting shared libraries suspected of association with malware includes the steps of determining one or more shared libraries loaded on an electronic device, determining that one or more of the shared libraries include suspicious shared libraries by determining that the shared library is associated with indications that the shared library may have been maliciously injected, loaded, and/or operating on the electronic device, and identifying the suspicious shared libraries to a reputation server. | 07-28-2011 |
20110185430 | METHOD AND SYSTEM FOR DISCRETE STATEFUL BEHAVIORAL ANALYSIS - A method for analyzing a computing system includes the steps of at a first moment in time, scanning the resources of the computing system for indications of malware, at a second moment in time scanning the resources of the computing system for indications of malware and determining the system executable objects loaded on the computing system, determining malware system changes, identifying a relationship between the malware system changes and the system executable objects loaded on the computing system, and identifying as suspected malware the system executable objects loaded on the computing system which have a relationship with the malware system changes. The malware system changes include differences between the results of scanning the resources of the computing system for indications of malware at the second and first moment of time. | 07-28-2011 |
20110191850 | Malware detection - According to a first aspect of the present invention there is provided a method of operating a computer to detect malware, which malware writes a copy of an executable file to a non-volatile memory of the computer and creates a launch point that causes that executable file to be run at start-up of the computer. The method includes, during the shutdown procedures of the computer, monitoring the creation and/or modification of any launch points and, for any such modification or creation, saving a further copy of any executable file associated with the launch point to the non-volatile memory, and, following a subsequent start-up of the computer, examining said further copy to determine if it is potential malware. | 08-04-2011 |
20110191851 | COMPUTER AND METHOD FOR SAFE USAGE OF DOCUMENTS, EMAIL ATTACHMENTS AND OTHER CONTENT THAT MAY CONTAIN VIRUS, SPY-WARE, OR MALICIOUS CODE - System, method, computer, and computer program and computer program product for safe usage of potentially malicious code and documents or other content that may contain malicious code. System and method for a virus- and hacker-resistant computer. Method and system for supporting a computer system's self-repair. | 08-04-2011 |
20110197278 | CONTAINMENT MECHANISM FOR POTENTIALLY CONTAMINATED END SYSTEMS - A malware detection and response system based on traffic pattern anomalies detection is provided, whereby packets associated with a variety of protocols on each port of a network element are counted distinctly for each direction. Such packets include: ARP requests, TCP/SYN requests and acknowledgements, TCP/RST packets, DNS/NETBEUI name lookups, out-going ICMP packets, UDP packets, etc. When a packet causes an individual count or combination of counts to exceed a threshold, appropriate action is taken. The system can be incorporated into the fast path, that is, the data plane, enabling communications systems such as switches, routers, and DSLAMs to have built-in security at a very low cost. | 08-11-2011 |
20110197279 | MANAGEMENT METHODS OF STORAGE SYSTEM AND FILE SYSTEM - If a file infected with an unknown virus is stored in the file system provided by the NAS system, this invention prevents the invasion of the virus when recovering from the backup data. If the anti-virus program | 08-11-2011 |
20110197280 | Network Managed Antivirus Appliance - Data can be scanned using a network managed appliance. The network managed appliance may integrate commercial hardware elements connected through a basic or simplified operating system environment expressly developed for the appliance, thus being more malware resistant and less vulnerable to attacks from the scanned data or other sources. The network managed appliance may be a self-contained apparatus with an integrated chassis, designed and configured as “single-purpose” device. Such appliances may be connected to an appliance management network including central management servers in communication with appliances in remote locations. The central management servers may ensure that scanning software and the definitions lists for each of the appliances are current and match an enterprise-approved configuration. | 08-11-2011 |
20110197281 | SYSTEMS AND METHODS FOR MALWARE DETECTION - Various embodiments include a computer system comprising a computer network including at least one client computer, the at least one client computer operable to generate a request, and an anti-malware engine coupled to the computer system and operable to provide anti-malware protection for the computer network, wherein the anti-malware engine is operable to receive the request generated by the at least one client, and to determine if the request is classified as malware by determining whether the request includes one or more valid tags. | 08-11-2011 |
20110197282 | METHOD AND APPARATUS FOR DETECTING SCANS IN REAL-TIME - A method and apparatus for detecting scans are described. In one example, a plurality of flows is allocated into a plurality of bins associated with different source Internet protocol (SIP) addresses. A set of bin characteristics for at least one bin of the plurality of bins is generated if the at least one bin reaches a predefined flow capacity. Afterwards, the set of bin characteristics is compared to a scan characteristics list to determine if a potential scan exists. | 08-11-2011 |
20110202998 | Method and System for Recognizing Malware - The invention relates to a method for recognizing a piece of malware in a computer memory system, comprising the steps of: providing a master signature comprising a number of byte sequences, producing at least one first signature element, said first signature element comprising a subset of the number of byte sequences in the master signature, and applying the first signature element to data stored in the computer memory system in order to recognize a piece of malware stored in the computer memory system. | 08-18-2011 |
20110209220 | Malware removal - A method and apparatus for scanning for or removing malware from a computer device. Under normal circumstances, the computer device is controlled by a first operating system installed in a memory of the device. In order to scan for or remove the malware from the computer device, control of the computer device is passed from the first operating system to a second operating system and, under the control of the second operating system, the device is either scanned for malware or the malware is removed. This allows malware to be detected or removed, even if it has affected the first operating system in some way in order to evade detection or removal. | 08-25-2011 |
20110214184 | System and method for controlling applications to mitigate the effects of malicious software - Methods and systems for mitigating the effects of a malicious software application are disclosed. A dedicated module on the computing device receives from a malicious software detector a message indicating whether the application is malicious or has a malicious component. The dedicated module obtains a set of permissions to be granted to the application, and instructs software on the computing device that controls the permissions of the application to grant the set of permissions. | 09-01-2011 |
20110214185 | SYSTEM AND METHOD FOR TRACKING COMPUTER VIRUSES - A method for collecting and distributing data on computer viruses identified on a plurality of computers during virus scanning includes receiving virus scan results from the plurality of computers and collecting and storing the virus scan results in a database. The results include the type of virus identified. The method further includes aggregating at scheduled intervals the virus scan results over a specified time period at a publisher server to create a virus database and replicating the virus database to a subscriber server. A virus report is created from the virus database upon receiving a request from a user computer at the subscriber server and sent to the user computer. | 09-01-2011 |
20110214186 | TRUSTED OPERATING ENVIRONMENT FOR MALWARE DETECTION - Described herein are techniques and apparatuses for scanning a computing device for malware and/or viruses. In various embodiments, a trusted operating environment, which may include a trusted operating system and/or a trusted antivirus tool, may be utilized with respect to a computing device. More particularly, the trusted operating system may be used to boot the computing device. Moreover, the trusted antivirus tool may search the computing device for malware definition updates (e.g., virus signature updates) and use the trusted operating system to scan the computing device for malware. In other embodiments, the trusted antivirus tool may scan the computing device and remove any viruses detected by the trusted antivirus tool. The trusted operating system may then reboot the computing device into a clean environment once any detected viruses are removed. | 09-01-2011 |
20110219453 | Security method and apparatus directed at removable storage devices - A method of protecting a computer against malware infection. The method includes, during operation of the computer, reading master boot record code from a removable storage device into the computer and inspecting said code to identify any instructions associated with suspicious behaviour. In the event that suspicious instructions are identified, the master boot record code on the removable storage device is modified and/or the behaviour of the computer adapted in order to prevent said master boot record code installing malware into the computer. Examples of suspicious behaviour include hard disk read or write operations. | 09-08-2011 |
20110225654 | Write-Proof Protection Method of a Storage Device - The present invention is a write-proof protection method of a storage device. The storage device includes a buffer to store data temporarily, with a capacity of the buffer being adjustable; and a write-proof control unit. The write-proof protection method includes transmitting a write-in protection signal to the write-proof control unit from an operating unit; the write-proof control unit writing a file that is written into a computer into the buffer of the storage device, rather than a file system. When a stand-alone write-proof condition has been set by a user, an unknown program that has been written in can be a virus pattern, and the unknown program in the buffer can be analyzed to discover a new virus early, so as to achieve an antivirus effect. | 09-15-2011 |
20110225655 | Malware protection - According to a first aspect of the present invention there is provided a method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system. The method comprises determining if an executable file should be identified as being legitimate and, if not, executing the executable file whilst providing indications to the executable file that it is being executed within an emulated computer system. | 09-15-2011 |
20110231934 | Distributed Virus Detection - A method and system for efficient virus protection in networks of computing resources. Virus definitions are ranked and distributed according to activity. Active viruses are scanned for by substantially every computing resource in the network, but scanning for less active viruses is distributed across the network according to computing resource capacity. | 09-22-2011 |
20110239302 | APPARATUS AND METHOD FOR PERFORMING SYSTEM EVALUATION IN PORTABLE TERMINAL - An apparatus and method for performing a system evaluation such as real-time virus scan/diagnosis/cure in order to improve system performance in a portable terminal are provided. The apparatus includes an operation monitoring unit for determining an idle state duration and an active state duration by monitoring an operation of the portable terminal, and a pattern analysis unit for defining the idle state duration as a system evaluation duration. | 09-29-2011 |
20110247071 | Automated Malware Detection and Remediation - Systems and methods for detecting malware in a selected computer that is part of a network of computers. The approach includes inspecting a predetermined set of operational attributes of the selected computer to detect a change in a state of the selected computer. In response to a detected change in state, the selected computer is scanned to create a snapshot of the overall state of the selected computer. The snapshot is transmitted to an analytic system wherein it is compared with an aggregated collection of snapshots previously respectively received from a plurality of computers in the computer network. Based on the comparison, anomalous state of the selected computer can be identified. In turn, a probe of the selected computer is launched to gather additional information related to the anomalous state of the selected computer so that a remediation action for the anomalous state of the selected computer can be generated. | 10-06-2011 |
20110247072 | Systems and Methods for Detecting Malicious PDF Network Content - Systems and methods for detecting malicious PDF network content are provided herein. According to some embodiments, the methods may include at least the steps of examining received PDF network content to determine if one or more suspicious characteristics indicative of malicious network content are included in the PDF network content, providing PDF network content determined to include at least one suspicious characteristic to one or more virtual machines, and analyzing responses received from the one or more virtual machines to verify the inclusion of malicious network content in the PDF network content determined to include at least one suspicious characteristic. | 10-06-2011 |
20110247073 | SYSTEM AND METHOD FOR ADAPTING AN INTERNET AND INTRANET FILTERING SYSTEM - According to the present invention, there is provided a system and method for continuously interfacing with a plurality of computer based event monitoring systems such as Internet and Intranet filtering systems and or virus scanning software to determine whether these systems have detected a non-threatening and or security threatening event that corresponds with an event pre-determined and recorded within the events list which contains a plurality of non-threatening and security threatening events that may occur within a computer which in turn triggers a classified, targeted and value-adding hypertext message or information to be instantly displayed to the computer user through a browser or user interface instead of an event monitoring system default hypertext security message, and preferably an editing function shall be provided that enables the login of authorised authors including computer administrator/s to edit and publish targeted and value-adding hypertext messages and information, and preferably a measuring function shall be provided that enables the login of authorised authors including computer administrator/s to define and set up a plurality of metrics that may enable them to measure the effectiveness of the displayed targeted and value-adding hypertext messages and information in terms of being useful, entertaining, educational, interesting or instructional to a computer user through an alternate browser or user interface at the unique point in time when their computer has detected an event. | 10-06-2011 |
20110252476 | EARLY DETECTION OF POTENTIAL MALWARE - Evidence of attempted malware attacks may be used to identify the location and nature of future attacks. A failed attack may cause a program to crash. Crash data may be sent to an analyzer for analysis. The analysis may reveal information such as the identity of the program that is being exploited, the specific way in which the program is being exploited, and the identity or location of the source of the attack. This information may be used to identify potential sources of attack and to identify the same type of attack from other sources. When the source and/or nature of an attempted attack is known, remedial action may be taken. Filters may warn users who are attempting to visit sites from which attacks have been attempted, and the makers of programs that are being exploited can be notified so that those program makers can release updates. | 10-13-2011 |
20110252477 | Dynamic Load Balancing In An Extended Self Optimizing Network - A method for performing load balancing in a wireless network. Operating conditions are determined in the wireless network. Network policies are dynamically adjusted based upon the operating conditions. Users are offloaded from an overloaded site to another site based upon the operating conditions. | 10-13-2011 |
20110252478 | SYSTEM AND METHOD OF ANALYZING WEB CONTENT - A system and method are provided for identifying inappropriate content in websites on a network. Unrecognized uniform resource locators (URLs) or other web content are accessed by workstations and are identified as possibly having malicious content. The URLs or web content may be preprocessed within a gateway server module or some other software module to collect additional information related to the URLs. The URLs may be scanned for known attack signatures, and if any are found, they may be tagged as candidate URLs in need of further analysis by a classification module. | 10-13-2011 |
20110258702 | SYSTEM AND METHOD FOR NEAR-REAL TIME NETWORK ATTACK DETECTION, AND SYSTEM AND METHOD FOR UNIFIED DETECTION VIA DETECTION ROUTING - A system includes a processor. The processor is configured to receive network traffic that includes a data block. The processor will generate a unique identifier (UID) for the file that includes a hash value corresponding to the file. The processor will determine whether the file is indicated as good or bad with the previously-stored UID. The processor will call a file-type specific detection nugget corresponding to the file's file-type to perform a full file inspection to detect whether the file is good or bad and store a result of the inspection together with the UID of the file, when the file is determined to be not listed in the previously-stored UIDs. The processor will not call the file-type specific detection nugget when the file's indicator is “good” or “bad” in the previously-stored UIDs. The processor will issue an alert about the bad file when the file's indicator is “bad”. | 10-20-2011 |
20110265182 | MALWARE INVESTIGATION BY ANALYZING COMPUTER MEMORY - Technology is described for malware investigation by analyzing computer memory in a computing device. The method can include performing static analysis on code for a software environment to form an extended type graph. A raw memory snapshot of the computer memory can be obtained at runtime. The raw memory snapshot may include the software environment executing on the computing device. Dynamic data structures can be found in the raw memory snapshot using the extended type graph to form an object graph. An authorized memory area can be defined having executable code, static data structures, and dynamic data structures. Implicit and explicit function pointers can be identified. The function pointers can be checked to validate that the function pointers reference a valid memory location in the authorized memory area and whether the computer memory is uncompromised. | 10-27-2011 |
20110265183 | SECURE VIRTUALIZATION ENVIRONMENT BOOTABLE FROM AN EXTERNAL MEDIA DEVICE - Methods and systems for creating a secure virtualization environment on a host device, without modifying the host device, the secure virtualization environment bootable from an external media device. A host computing device loads and boots a common operating system image stored on an external media device. A client agent stored on the external media device and executing in the common operating system image creates an adapted operating system image by copying the operating system of the host computing device, eliminating all unnecessary files and data and storing the adapted operating system image to the external media device. The host computing device provides a secure virtualized environment by booting the adapted operating system image. | 10-27-2011 |
20110271346 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR IDENTIFYING FUNCTIONS IN COMPUTER CODE THAT CONTROL A BEHAVIOR THEREOF WHEN EXECUTED - A security data structure, method and computer program product are provided. In use, computer code is received. Furthermore, functions in the computer code that control a behavior of the computer code when executed are statically identified. | 11-03-2011 |
20110271347 | PRE-BOOT FIRMWARE BASED VIRUS SCANNER - The present disclosure relates to allowing the utilization of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation and, more particularly, to allowing the utilization of a virus scanner and cleaner that operates primarily during the loading of an operating system. | 11-03-2011 |
20110277033 | Identifying Malicious Threads - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for identifying and processing malicious threads. In one aspect, a method includes identifying a memory heap block; identifying threads that reside in the memory heap block; determining whether at least one of the identified threads in the memory heap block is a malicious thread; and in response to determining that at least one of the identified threads is a malicious thread, terminating each of the identified threads. | 11-10-2011 |
20110283360 | IDENTIFYING MALICIOUS QUERIES - A framework identifies malicious queries contained in search logs to uncover relationships between the malicious queries and the potential attacks launched by attackers submitting the malicious queries. A small seed set of malicious queries may be used to identify an IP address in the search logs that submitted the malicious queries. The seed set may be expanded by examining all queries in the search logs submitted by the identified IP address. Regular expressions may be generated from the expanded set of queries and used for detecting yet new malicious queries. Upon identifying the malicious queries, the framework may be used to detect attacks on vulnerable websites, spamming attacks, and phishing attacks. | 11-17-2011 |
20110283361 | METHOD AND SYSTEM FOR NETWORK-BASED DETECTING OF MALWARE FROM BEHAVIORAL CLUSTERING - A computerized system and method for performing behavioral clustering of malware samples, comprising: executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic; clustering the malware samples into at least one cluster based on network behavioral information from the HTTP traffic; and extracting, using at least one processor, network signatures from the HTTP traffic for each cluster, the network signatures being indicative of malware infection. | 11-17-2011 |
20110289584 | SYSTEMS AND METHODS TO SECURE BACKUP IMAGES FROM VIRUSES - A system and method provide for storing virus metadata with a backup image. Upon restoring files or data from the backup image, the virus metadata from the backup image is compared with current virus data. The comparison yields a list of new viruses that have been discovered after the backup image was created. The restore process may cause restored files to be scanned for the new viruses, while excluding previously known viruses from the scan. | 11-24-2011 |
20110289585 | Systems and Methods for Policy-Based Program Configuration - Disclosed are systems, methods and computer program products for adaptive policy-based configuration of programs. An example method comprises collecting configuration and performance information from a computer system and rating system performance based on the collected information. The method further includes selecting, based on the performance rating, an operational policy for a computer program. The policy specifies program settings and limits of system resource utilization by the program. The method further includes monitoring system resource utilization during program execution on the computer system to determine whether system resource utilization exceeds the limit specified in the operational policy. If the system resource utilization exceeds the specified limit, the method selects another policy specifying different program settings and a different limit of system resource utilization. | 11-24-2011 |
20110289586 | METHODS, SYSTEMS, AND MEDIA FOR DETECTING AND PREVENTING MALCODE EXECUTION - A system for detecting and halting execution of malicious code includes a kernel-based system call interposition mechanism and a libc function interception mechanism. The kernel-based system call interposition mechanism detects a system call request from an application, determines a memory region from which the system call request emanates, and halts execution of the code responsible for the call request if the memory region from which the system call request emanates is a data memory region. The libc function interception mechanism maintains an alternative wrapper function for each of the relevant standard libc routines, intercepts a call from an application to one or more libc routines and redirects the call into the corresponding alternative wrapper function. | 11-24-2011 |
20110289587 | Method and system for detecting and removing hidden pestware files - A method and system for detecting and removing a hidden pestware file is described. One illustrative embodiment detects, using direct drive access, a file on a computer storage device; determines whether the file is also detectable by the operating system by attempting to access the file using a standard file Application-Program-Interface (API) function call of the operating system; identifies the file as a potential hidden pestware file, when the file is undetectable by the operating system; confirms through an automated pestware-signature scan of the potential hidden pestware file that the potential hidden pestware file is a hidden pestware file; and removes automatically, using direct drive access, the hidden pestware file from the storage device. | 11-24-2011 |
20110296526 | APPARATUS AND METHOD FOR PREEMPTIVELY PROTECTING AGAINST MALICIOUS CODE BY SELECTIVE VIRTUALIZATION - An apparatus for preemptively protecting against malicious code by selective virtualization comprises: a compulsory resource storage unit which selects and stores compulsory resources required for executing a vulnerable program having an interface with an external source in a separated space; a modified resource-generating unit which generates a new resource by modifying the content of a resource accessed by the vulnerable program in the event the vulnerable program accesses a resource other than said compulsory resources; and a resource control unit which performs an operating system-level virtualization when the vulnerable program accesses the compulsory resource, and permits the vulnerable program to access the modified resource when the vulnerable program accesses a resource other than the compulsory resource. | 12-01-2011 |
20110296527 | INTEGRATED FIREWALL, IPS, AND VIRUS SCANNER SYSTEM AND METHOD - A system, method and computer program product are provided including a router and a security sub-system coupled to the router. Such security sub-system includes a plurality of virtual firewalls, a plurality of virtual intrusion prevention systems (IPSs), and a plurality of virtual virus scanners. Further, each of the virtual firewalls, IPSs, and virus scanners is assigned to at least one of a plurality of users and is configured in a user-specific manner. | 12-01-2011 |
20110302655 | Anti-virus application and method - A method of performing an anti-virus scan on an electronic file. An anti-virus application running at a computer device determines that an electronic file requires scanning. The electronic file is placed in a queue for analysis, and the state of the electronic file is altered such that it can be written to a memory but not accessed before analysis is complete. An icon associated with the electronic file is altered to indicate that the analysis is not yet complete, the icon being displayable on a display device. Once the electronic file has been analysed, the icon associated with the electronic file is altered again to indicate that it has been analysed. | 12-08-2011 |
20110302656 | DETECTING MALICIOUS BEHAVIOUR ON A COMPUTER NETWORK - A malicious behaviour detector ( | 12-08-2011 |
20110307956 | SYSTEM AND METHOD FOR ANALYZING MALICIOUS CODE USING A STATIC ANALYZER - Analyzing computer code using a tree is described. For example, a client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and to the network. The gateway is configured to receive computer code from the non-trusted entity via the network. The gateway builds a tree representing the computer code. The tree has one or more nodes. A node of the tree represents a statement from the computer code. The gateway analyzes the statement to identify symbol data. The symbol data describes a name of the variable and the value of the variable. The gateway stores the symbol data in a symbol table. | 12-15-2011 |
20110314546 | Electronic Message Analysis for Malware Detection - An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource locator (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system. | 12-22-2011 |
20110314547 | ANTI-MALWARE SYSTEM AND OPERATING METHOD THEREOF - An anti-malware device and an operating method thereof are provided. The operating method includes: filtering by a first logic unit of the processor, input data based on a rule; and scanning by a second logic unit of the processor, for malware in the data, the filtering and the scanning being performed at the same time. Accordingly, the security of the packet data is tightened. | 12-22-2011 |
20110314548 | ANTI-MALWARE DEVICE, SERVER, AND METHOD OF MATCHING MALWARE PATTERNS - An efficient virus detection, malware detection, and packet filtering system in a mobile device by providing optimized hash functions from a server to a mobile device that reduce hash collisions during the virus detection, malware detection, and packet filtering in a system-on-chip configuration. | 12-22-2011 |
20110321163 | PLATFORM FOR A COMPUTER NETWORK - A platform for a computer network for managing and sharing mostly unstructured data passing through said network, and having an infrastructure including an information system having a database and/or data servers, as well as terminals from which the users generate, modify or consult data of the information system, where the information system includes unique data to be shared and is insulated from the terminals of the users by an application that manages the accessibility to said information system and/or the security of the unique data contained by the same by a physical disconnection of the network protocol used for communication between the information system and the terminals of the users. | 12-29-2011 |
20120005754 | METHOD FOR RECORDING, RECOVERING, AND REPLAYING REAL TRAFFIC - A recording, recovering, and replaying method for real traffic is used for processing a plurality of network packets of a plurality of network connections. A recording procedure of the method includes the following steps. A recording parameter (N, M, P) is received. A header and a payload of each network packet of the network connections are completely recorded, and a payload accumulation value of each network connection is accumulated. When one of the payload accumulation values exceeds N, the header of each network packet and first M bytes of the payload are recorded for P consecutive network packets corresponding to the payload accumulation value. When one of the payload accumulation values exceeds N and after the P consecutive network packets of the network connection corresponding to the payload accumulation value are recorded, the header of each network packet is recorded for the network connection corresponding to the payload accumulation value. | 01-05-2012 |
20120005755 | INFECTION INSPECTION SYSTEM, INFECTION INSPECTION METHOD, STORAGE MEDIUM, AND PROGRAM - When detecting a traffic abnormality, an abnormality detection apparatus | 01-05-2012 |
20120005756 | NETWORK SECURITY ARCHITECTURE - A network security system is deployed between an internet backbone and intranets that belong to subscribing organizations. The system includes a scanning system that scans incoming electronic mail for malicious code and an anti-virus server for downloading anti-virus code to clients on the intranets. A switch is provided for directing incoming electronic mail from the internet backbone to the scanning system so that the electronic mail can be scanned. In one embodiment, a decoy server is also provided for masquerading as a legitimate server and logging suspicious activity from communications received from the internet backbone. | 01-05-2012 |
20120011588 | METHOD AND APPARATUS FOR ENHANCED BROWSING WITH SECURITY SCANNING - A method and apparatus for enhanced browsing with security scanning. Within a document (e.g., a web page, a word processing document, a list of electronic mail messages), a link to other content or another document is selected by a computing device and the content is identified before a user clicks on the link to open the content. The content is placed into a safe cache that prevents the content from adversely affecting the user's computing device. The content is scanned and/or its behavior is analyzed to detect any security threats or undesirable content (e.g., viruses, worms, scripts, adware, spyware, pornography). Results of the analysis may be collected at a central server. The link or an associated indicator may be configured to indicate whether a threat is present; more information may be provided as desired. A user may be provided with various options to ignore a threat, disable the link, etc. | 01-12-2012 |
20120011589 | METHOD, APPARATUS, AND SYSTEM FOR DETECTING A ZOMBIE HOST - The present invention relates to the communications field, and in particular, to a detection method, an apparatus, and a network with detection functions. The present invention solves the problem that the Botnet cannot be detected on a current communication network. The detection method is used to detect a Botnet and includes: obtaining a network address translation (NAT) table; detecting a behavior plane and a communication plane of a host according to the NAT table; and performing cluster analysis on results of detection on the communication plane and the behavior plane. | 01-12-2012 |
20120017275 | Identifying polymorphic malware - A method and apparatus for identifying an electronic file as polymorphic malware. A server receives from a client device a hash value and metadata associated with an electronic file. The server determines that the received metadata relates to corresponding metadata stored at a database, the corresponding stored metadata being associated with a further hash value that differs from the received hash value. A determination is made that each of the hash values has been reported by fewer than a predetermined number of clients and, as a result, it is determined that the electronic file is likely to be polymorphic malware. | 01-19-2012 |
20120017276 | SYSTEM AND METHOD OF IDENTIFYING AND REMOVING MALWARE ON A COMPUTER SYSTEM - A system and accompanying method of identifying and removing malware on a computer system is disclosed. The system comprises a source file containing reference attributes and properties of components of a local computer system in a state unaffected by malware, and exact copies of the system control files. The components of the local computer system may comprise executable and script files such as operating system files, application programs, system controls, registry files and all other executable and script files and their related relevant files. The current status of each executable is checked against the reference attributes. All executables on the local computer system failing certain match criteria are removed from the local system or, alternatively, replaced with reference copies from the source file. Thereby, the system and method identifies malware based on previous system state, method of entry into the local computer system, and intention to automatically execute either upon booting or upon launching of a computer program which a user has intentionally installed and which the user would normally believe to be free of malware. | 01-19-2012 |
20120017277 | SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - A method of updating a content detection module includes obtaining content detection data, and transmitting the content detection data to a content detection module, wherein the transmitting is performed not in response to a request from the content detection module. A method of sending content detection data includes obtaining content detection data, selecting an update station from a plurality of update stations, and sending the content detection data to the selected update station. A method of building a content detection system includes establishing a first communication link between a central station and an update station, the central station configured to transmit content detection data to the update station, and establishing a second communication link between the update station and a content detection module. | 01-19-2012 |
20120017278 | ALERT MESSAGE CONTROL OF SECURITY MECHANISMS IN DATA PROCESSING SYSTEMS - An authenticated secure network communication link is established between an alert message generating computer | 01-19-2012 |
20120017279 | METHOD AND APPARATUS FOR VIRUS THROTTLING WITH RATE LIMITING - A method for traffic control of a network device in a network is disclosed. The network device determines potentially malicious behavior by a host device in the network. A permissible rate of traffic from the host device through a port of the network device is reduced in response to determining the potentially malicious behavior. A rate of traffic through the port of the network device is measured. The measured traffic rate is compared with a threshold rate. The permissible rate of traffic is adjusted based on the comparison. | 01-19-2012 |
20120023583 | SYSTEM AND METHOD FOR PROACTIVE DETECTION OF MALWARE DEVICE DRIVERS VIA KERNEL FORENSIC BEHAVIORAL MONITORING AND A BACK-END REPUTATION SYSTEM - A method for detecting malware device drivers includes the steps of identifying one or more device drivers loaded on an electronic device, analyzing the device drivers to determine suspicious device drivers, accessing information about the suspicious device drivers in a reputation system, and evaluating whether the suspicious device drivers include malware. The suspicious device drivers are those not already recognized as free of malware. The reputation system is configured to store information about suspicious device drivers. The evaluation is based upon historical data regarding the suspicious device driver. | 01-26-2012 |
20120023584 | DEVICE AND METHOD FOR PROVIDING SOC-BASED ANTI-MALWARE SERVICE, AND INTERFACE METHOD - A device in which a system-on-chip (SOC) providing an anti-malware service is mounted and a method of performing the anti-malware service are provided. The device includes: a storage unit which stores a function library which is a collection of operations provided for use in the SOC providing the anti-malware service; and a scanning data sender which forms SOC transmission data with data to be scanned for viruses by calling at least one of the operations, and transmits the SOC transmission data to the SOC. Accordingly, a mobile device scans files for viruses and filters packets at a high speed. | 01-26-2012 |
20120023585 | Method and Systems for Computer Security - A method for computer security includes intercepting an incoming communication, placing the communication into a quarantine queue, selecting a communication from the quarantine queue, determining whether the selected communication contains undesirable code, determining whether a quarantine time for the selected communication has elapsed if the selected communication does not contain undesirable code, and placing the selected communication back in the quarantine queue if the quarantine time has not elapsed. | 01-26-2012 |
20120030765 | OPERATION METHOD OF AN ANTI-VIRUS STORAGE DEVICE HAVING A STORAGE DISK AND A READ-ONLY MEMORY - An operation method of an anti-virus storage device having a storage disk and a read-only memory includes connecting the storage device to a host and displaying a single disk name on an interface of an operating system of the host, executing an anti-virus application program corresponding to the operating system, wherein the anti-virus application program is stored in the read-only memory, generating a hidden partition in the storage disk, wherein the hidden partition comprises an anti-virus engine and a virus pattern, and starting up the anti-virus engine, enabling a main storage partition and only displaying a disk name of the main storage partition on the interface of the operating system. If the anti-virus application program has no executable file corresponding to the operating system, the user of the anti-virus storage device decides whether to enable and display the main storage partition without executing the anti-virus application program. | 02-02-2012 |
20120030766 | METHOD AND SYSTEM FOR DEFINING A SAFE STORAGE AREA FOR USE IN RECOVERING A COMPUTER SYSTEM - A method for defining an area to record changes made to a computer system is disclosed. The method includes defining a safe area on a primary storage device of the computer system and storing information on the location of the safe area on a secondary storage device. The method further includes booting the computer system utilizing a backup device and changing data on the primary storage device. The changes are recorded in the safe area of the primary storage device and are accessible when the computer system is booted from the backup device. | 02-02-2012 |
20120047580 | METHOD AND APPARATUS FOR ENFORCING A MANDATORY SECURITY POLICY ON AN OPERATING SYSTEM (OS) INDEPENDENT ANTI-VIRUS (AV) SCANNER - An antivirus (AV) application specifies a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest. A loader verifies the fault handler code image and the fault handler manifest, creates a first security domain having a first security level, copies the fault handler code image to memory associated with the first security domain, and initiates execution of the fault handler. The loader requests the locking of memory pages in the guest OS that are reserved for the AV application. The fault handler locks the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory. | 02-23-2012 |
20120047581 | EVENT-DRIVEN AUTO-RESTORATION OF WEBSITES - An event-driven auto-restoration system for websites comprises a processing system. The processing system is configured to detect an event associated with a website indicative of a change in the website to an undesired state. The processing system is further configured to dynamically generate a restoration process and employ the restoration process to restore the website to a desired state. The processing system is further configured to employ a verification process to verify that the website has been restored to the desired state. | 02-23-2012 |
20120060220 | SYSTEMS AND METHODS FOR COMPUTER SECURITY EMPLOYING VIRTUAL COMPUTER SYSTEMS - A method, system, and computer program product for computer protection, including a protected computer having a protected operating system; and a secure operating system having a first virtual copy of at least a portion of the protected operating system and one or more security mechanisms configured to analyze potentially malicious code before the code is used by the protected computer. | 03-08-2012 |
20120072988 | DETECTION OF GLOBAL METAMORPHIC MALWARE VARIANTS USING CONTROL AND DATA FLOW ANALYSIS - Malware feature extraction derives semantic summaries of executable malware using global, inter-procedural program analysis techniques. A combination of global, inter-procedural program analysis techniques constructs semantic summaries of malware which automatically detect and discard any noise introduced by transformations and capture the essence of the underlying computations in a succinct form. This is achieved in two ways. First, global control flow analysis techniques are used to derive a high level representation of malware code that, for instance, removes the effects of subroutine calls. Second, global data flow analysis techniques are employed to detect and remove all spurious elements of malware that do not contribute towards its underlying computation, thereby preventing the resulting summaries from being “corrupted” with unnecessary, extraneous elements. | 03-22-2012 |
20120072989 | INFORMATION PROCESSING SYSTEM, MANAGEMENT APPARATUS, AND INFORMATION PROCESSING METHOD - In an information processing system, a management apparatus reads all data from a storage device connected to an information processing apparatus, and stores the data as one image file in a backup storage device. A virus detection apparatus performs a virus detection process on the image file stored in the backup storage device in response to a request from the management apparatus, and if a computer virus is detected, performs a virus removal process on the image file. When the virus removal process is completed, the management apparatus reads and writes the image file from the backup storage device back to the storage device. | 03-22-2012 |
20120079596 | METHOD AND SYSTEM FOR AUTOMATIC DETECTION AND ANALYSIS OF MALWARE - A method of detecting malicious software (malware) includes receiving a file and storing a memory baseline for a system. The method also includes copying the file to the system, executing the file on the system, terminating operation of the system, and storing a post-execution memory map. The method further includes analyzing the memory baseline and the post-execution memory map and determining that the file includes malware. | 03-29-2012 |
20120079597 | MOBILE COMMUNICATION SYSTEM AND MOBILE TERMINAL HAVING FUNCTION OF INACTIVATING MOBILE COMMUNICATION VIRUSES, AND METHOD THEREOF - A mobile communication system for inactivating a virus includes: a database associated with the mobile communication system, for storing at least one virus vaccine program; and a virus monitoring unit associated with the mobile communication system, for checking virus infection of received data, analyzing virus information, choosing one of virus vaccine programs that are stored in the database and inactivating the virus. Virus vaccine programs are timely updated over the air (OTA) whenever a new version of vaccine program is available. | 03-29-2012 |
20120084864 | SYSTEM AND METHOD FOR A MOBILE CROSS-PLATFORM SOFTWARE SYSTEM - The present invention is a system and method for creating, developing and testing cross-platform software for mobile communications devices. The invention enables mobile device software that must be highly-integrated with the operating system on which it runs to be implemented in a cross-platform manner. Security software for mobile devices is a prime beneficiary of the present invention, as a substantial proportion of its functionality is identical between different platforms yet integrated very specifically into each platform it supports. The cross-platform system includes a core platform-independent component, a platform-specific component, and an abstraction layer component, each of which may communicate with each other using a common defined API. The present invention enables the platform-independent component to be completely re-used between platforms and allows the platform-specific and abstraction components to contain minimal amounts of code on each platform. | 04-05-2012 |
20120084865 | False Alarm Detection For Malware Scanning - A method of scanning files for malware on a computer system. The method includes receiving a file to be scanned in the system, and using at least one malware scanning engine to determine whether or not the file possesses properties that are indicative of malware. If it is determined that the file does possess properties that are indicative of malware, then at least one cleanliness scanning engine is used to determine whether or not the file possesses properties that are indicative of a clean file. If it is determined that the file possesses properties that are indicative of a clean file, then a false alarm is signalled. | 04-05-2012 |
20120090031 | DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES - Systems and methods for content filtering are provided. According to one embodiment, a self-extracting archive is received with an electronic mail (email) message. Prior to delivery of the email message, a determination is made regarding whether a file contained in the archive may be malicious or undesired. A type of archive and associated structure of the archive are determined by examining identification bytes stored within a header portion of the archive that identify the type of archive. Based on the type and associated structure, for each contained file, descriptive information, including a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in the compressed form, is extracted from the header portion. A file is identified as potentially malicious or undesired when the descriptive information matches a detection signature of a known malicious or undesired file. | 04-12-2012 |
20120096553 | Social Engineering Protection Appliance - Methods and systems for detecting social engineering attacks comprise: extracting one or more non-semantic data items from an incoming email; determining whether the one or more non-semantic data items match information stored in a data store of previously collected information; performing behavioral analysis on the one or more non-semantic data items; analyzing semantic data associated with the email to determine whether the non-semantic data matches one or more patterns associated with malicious emails; and based on the determining, performing, and analyzing, identifying the email as potentially malicious or non-malicious. The system also includes processes for collecting relevant information for storage within the data store and processes for harvesting information from detected social engineering attacks for entry into the data store and seeding of the collection processes. | 04-19-2012 |
20120096554 | Malware identification - A method for identifying a data collection as malware, comprising the steps of parsing the data collection to generate program code and to verify conformance to a language syntax, emulating the interaction between the program code and a processor, detecting presence of a portion of the program code that is likely to have been added to the program code for the purpose of avoiding detection by malware detection programs, and, in the presence of such code, identifying the data collection as malware. | 04-19-2012 |
20120096555 | SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION - The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of "known good," "known bad," and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device. | 04-19-2012 |
20120096556 | SYSTEM AND METHOD FOR IDENTIFYING MALICIOUS ACTIVITIES THROUGH NON-LOGGED-IN HOST USAGE - A method for identifying malware activities, implemented within a computer infrastructure, includes receiving a data communication via a data channel and determining a user is not interactively logged in to a host. Additionally, the method includes identifying the data communication as a potential malware communication in response to the determining the user is not interactively logged in to the host. | 04-19-2012 |
20120102569 | Computer system analysis method and apparatus - A method of analysing a computer on which are installed a plurality of applications each comprising a set of inter-related objects. The method first comprises identifying a local dependency network for each of one or more of said applications, a local dependency network comprising at least a set of object paths and inter-object relationships. The (or each) local application dependency network is then compared against a database of known application dependency networks to determine whether the application associated with the local dependency network is known. The results of the comparison are then used to identify malware and/or orphan objects. | 04-26-2012 |
20120110667 | System and Method for Server-Based Antivirus Scan of Data Downloaded From a Network - Aspects of the invention are directed to antivirus scanning, by a proxy server, of data downloaded from the network onto a PC workstation. The antivirus scanning is optimized for each scan by selecting an algorithm for that scan based on a determined overall likelihood that the downloaded data contains malicious code. Determination of the overall likelihood is augmented by the strength, or confidence, of statistical data relating to malware screening of results of previous downloads having similar parameters to the instant download. | 05-03-2012 |
20120117649 | INTERNET-BASED PROXY SECURITY SERVICES - A proxy server receives from a client device a request to perform an action on an identified resource that is hosted at an origin server for a domain. The proxy server receives the request as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server and the origin servers are owned by different entities. The proxy server analyzes the request to determine whether a visitor belonging to that request poses a threat. If the proxy server determines that the visitor poses a threat, the proxy server blocks the request and transmits a block page to the client device that indicates that the request has been blocked. | 05-10-2012 |
20120117650 | IP-BASED BLOCKING OF MALWARE - A security module on a client monitors file download activities at the client and reports hosting website data to a security server. A download analysis module at the security server receives a hosting website data report from the client, where the hosting website data report describes a domain name and an IP address of a website hosting a file the client is attempting to download. The download analysis module analyzes the domain name and IP address of the website to generate file download control data indicating whether to allow downloading of the file to the client. The download analysis module reports the file download control data to the security module of the client. The security module uses the file download control data to selectively block downloading of the file. | 05-10-2012 |
20120117651 | Malicious Mobile Code Runtime Monitoring System and Methods - Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides for monitoring information received, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts. | 05-10-2012 |
20120117652 | Network-Based Binary File Extraction and Analysis for Malware Detection - A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware. | 05-10-2012 |
20120117653 | MALWARE DETECTION SYSTEM AND METHOD - Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address. | 05-10-2012 |
20120124667 | MACHINE-IMPLEMENTED METHOD AND SYSTEM FOR DETERMINING WHETHER A TO-BE-ANALYZED SOFTWARE IS A KNOWN MALWARE OR A VARIANT OF THE KNOWN MALWARE - A machine-implemented method for determining whether a to-be-analyzed software is a known malware or a variant of the known malware includes the steps of: (A) configuring a processor to execute the to-be-analyzed software, and obtain a to-be-analyzed system call sequence that corresponds to the to-be-analyzed software with reference to a plurality of system calls made in sequence as a result of executing the to-be-analyzed software; (B) configuring the processor to determine a degree of similarity between the to-be-analyzed system call sequence and a reference system call sequence that corresponds to the known malware; and (C) configuring the processor to determine that the to-be-analyzed software is neither the known malware nor a variant of the known malware when the degree of similarity determined in step (B) is not greater than a predefined similarity threshold value. | 05-17-2012 |
20120124668 | Method for Immunizing Data in Computer Systems from Corruption - A system for immunizing a computer network against adverse effects caused by the receipt of a corrupting message. Each message transfers into a protocol-based controlled environment for a specific recipient where message criteria determine whether the incoming message is deemed to be a valid or suspicious message. Transmission criteria determine the final message disposition. If the message is valid, it is delivered to a recipient computer system in the network. If the incoming message is suspicious, the message is isolated in the controlled environment where the transmission criteria may provide remote access to the recipient. | 05-17-2012 |
20120131675 | SERVER, USER DEVICE AND MALWARE DETECTION METHOD THEREOF - A server, a user device, and a malware detection method thereof are provided. The server connects with the user device via a network, and records execution records of the user device. Based on the history of the execution records of the user device, the server can detect whether or not the user device has malware. | 05-24-2012 |
20120131676 | SECURITY MANAGEMENT METHOD IN VIRTUALIZED ENVIRONMENT, VIRTUAL SERVER MANAGEMENT SYSTEM, AND MANAGEMENT SERVER - Disclosed are a security management method in a virtualized environment, virtual server management system, and management server capable of improving security in the virtualized environment. A management server ( | 05-24-2012 |
20120144488 | COMPUTER VIRUS DETECTION SYSTEMS AND METHODS - Systems and methods for computer virus detection are presented. In one embodiment, a computer virus detection method includes: receiving an indication of a change to a file; performing a virus analysis process, including executing the changes to the file in a virtual machine and examining results of the executing the changes; and handling the file based upon the virus analysis. The virus analysis can be performed in a system in which the change to the file occurs. Handling the file can include treating the file as potentially infected with a virus based upon the virus analysis. In one exemplary implementation, examining the results includes comparing the results of executing the changes to the file to other results from executing changes to another file, wherein the file is identified as potentially infected with a virus if the examining results indicate the results of executing the changes to the file are similar to results from executing changes to another file. Examining results includes examining behavior resulting from executing the file (e.g., examining system calls, etc.). The outcome of the examining results can be forwarded for utilization in developing virus data sets. | 06-07-2012 |
20120144489 | Antimalware Protection of Virtual Machines - The subject disclosure is directed towards protecting virtual machines on guest partitions from malware in a resource-efficient manner. Antimalware software is divided into lightweight agents that run on each malware-protected guest partition, a shared scanning and signature update mechanism, and a management component. Each agent provides the scanning mechanism with files to scan for malware, such as by running a script, and receives results from the scanning mechanism including possible remediation actions to perform. The management component provides the scanning mechanism with access to virtual machine services, such as to pause, resume, snapshot and rollback guest partitions as requested by the scanning mechanism. | 06-07-2012 |
20120144490 | MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS - A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis. | 06-07-2012 |
20120151585 | Method and System for Identifying Malicious Messages in Mobile Communication Networks, Related Network and Computer Program Product Therefor - A system for identifying malicious messages transmitted over a mobile communication network includes: sentinel modules associated with respective mobile terminals in the network for monitoring messages passing therethrough, wherein the sentinel modules identify as a candidate malicious message, any message passing through the mobile terminals and failing to comply with a first set of patterns and issue a corresponding sentinel identification message; a set of probe modules for monitoring messages transmitted over the network, wherein the probe modules identify as a candidate malicious message any message transmitted over the network and failing to comply with a second set of patterns and issue a corresponding probe identification message; and preferably at least one client honeypot module for receiving and processing any messages sent thereto to produce corresponding processing results, wherein the client honeypot module identifies as a candidate malicious message any message producing a processing result failing to comply with a third set of patterns and issues a corresponding client honeypot identification message. | 06-14-2012 |
20120151586 | Malware detection using feature analysis - A method of identifying sections of code that can be disregarded when detecting features that are characteristic of malware, which features are subsequently used for detecting malware. The method includes, for each of a multiplicity of sample files, subdividing file code of the sample file into a plurality of code blocks and then removing duplicate code blocks to leave a sequence of unique code blocks. The sequence of unique code blocks is then compared with those obtained for other sample files in order to identify standard sections of code. The standard sections of code identified are then included within a database such that those sections of code can subsequently be disregarded when identifying features characteristic of malware. | 06-14-2012 |
20120151587 | Devices, Systems, and Methods for Detecting Proximity-Based Mobile Malware Propagation - Devices, systems, and methods are disclosed which leverage an agent that resides in a mobile communication device to detect Proximity based Mobile Malware Propagation (PMMP). The agent injects one or several trigger network connections in the candidate connection list. These connections appear as legitimate networks and devices. However, the triggers connect to an agent server on a service provider's network. Essentially, the method is based on the assumption that malware lacks the intelligence to differentiate the trigger network connection from a normal one. Therefore, by attempting to connect through the trigger network connection, the malware reveals itself. The system helps collect the malware signature within a short period of time after the malware outbreak in local areas, and such attacks typically bypass network based security inspection in the network. | 06-14-2012 |
20120151588 | Malware Detection for SMS/MMS Based Attacks - Devices, systems, and methods are disclosed which utilize lightweight agents on a mobile device to detect message-based attacks. In exemplary configurations, the lightweight agents are included as contacts on the mobile device addressed to an agent server on a network. A malware onboard the mobile device, intending to propagate, unknowingly addresses the lightweight agents, sending messages to the agent server. The agent server analyzes the messages received from the mobile device of the deployed lightweight agents. The agent server then generates attack signatures for the malware. Using malware propagation models, the system estimates how many active mobile devices are infected as well as the total number of infected mobile devices in the network. By understanding the malware propagation, the service provider can decide how to deploy a mitigation plan on crucial locations. In further configurations, the mechanism may be used to detect message and email attacks on other devices. | 06-14-2012 |
20120151589 | INTELLIGENT SYSTEM AND METHOD FOR MITIGATING CYBER ATTACKS IN CRITICAL SYSTEMS THROUGH CONTROLLING LATENCY OF MESSAGES IN A COMMUNICATIONS NETWORK - A system and method are provided for controlling the latency of messages to enable a network of devices to detect and respond to potential malware. The system and method receive a message at a device and determine whether the message represents potential malware and requires a delay to allow time to detect and respond to potential malware. The amount of the delay associated with the message is determined and the message is processed based on the delay amount. | 06-14-2012 |
20120151590 | Analyzing Traffic Patterns to Detect Infectious Messages - Managing electronic messages comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded and preventing the infectious forwarded message from spreading. | 06-14-2012 |
20120151591 | SYSTEM AND METHOD FOR NETWORK EDGE DATA PROTECTION - Disclosed are systems and methods which examine information communication streams to identify and/or eliminate malicious code, while allowing the good code to pass unaffected. Embodiments operate to provide spam filtering, e.g., filtering of unsolicited and/or unwanted communications. Embodiments provide network based or inline devices that scan and scrub information communication in its traffic pattern. Embodiments are adapted to accommodate various information communication protocols, such as simple mail transfer protocol (SMTP), post office protocol (POP), hypertext transfer protocol (HTTP), Internet message access protocol (IMAP), file transfer protocol (FTP), domain name service (DNS), and/or the like, and/or routing protocols, such as hot standby router protocol (HSRP), border gateway protocol (BGP), open shortest path first (OSPF), enhanced interior gateway routing protocol (EIGRP), and/or the like. | 06-14-2012 |
20120159628 | MALWARE DETECTION APPARATUS, MALWARE DETECTION METHOD AND COMPUTER PROGRAM PRODUCT THEREOF - A malware detection apparatus, a malware detection method, and a computer program product thereof are provided. The malware detection apparatus is used to detect a program. The program executes a first process. The malware detection apparatus comprises a storage unit and a processing unit. The storage unit is configured to store a malicious behavior profile of a malware. The processing unit is configured to construct a first behavior profile according to the first process, compare the first behavior profile with the malicious behavior profile and generate a comparison result. The processing unit updates a behavior record table according to the comparison result, and determines that the program is the malware according to the behavior record table. | 06-21-2012 |
20120159629 | METHOD AND SYSTEM FOR DETECTING MALICIOUS SCRIPT - A method for detecting a malicious script is provided. A plurality of distribution eigenvalues are generated according to a plurality of function names of a web script. After the distribution eigenvalues are inputted to a hidden Markov model (HMM), probabilities respectively corresponding to a normal state and an abnormal state are calculated. Accordingly, whether the web script is malicious or not can be determined according to the probabilities. Even if an attacker attempts to change the event order, insert a new event or replace an event with a new one to avoid detection, the method can still recognize the intent hidden in the web script by using the HMM for event modeling. As such, the method may be applied in detection of obfuscated malicious scripts. | 06-21-2012 |
20120159630 | PROGRAM EXECUTION INTEGRITY VERIFICATION FOR A COMPUTER SYSTEM - A computer system may be employed to verify program execution integrity by receiving a request to launch a program that has been instrumented to include at least one integrity marker, instantiating the program with an integrity marker value, and verifying the execution integrity of the program based on the integrity marker value and information received from the program during execution. A computer system may also be employed for program instrumentation by modifying the program to include at least one instruction for passing an integrity marker value to an operating system kernel during execution of the instruction. | 06-21-2012 |
20120159631 | Anti-Virus Scanning - A method and apparatus for performing an anti-virus scan of a file system. Intermediate scanning results are obtained for a file in the file system, prior to a scan of the file being completed. The intermediate scanning results are then stored in a database. The intermediate scanning results can be used to speed up subsequent scans, and to provide other useful information to an on-line anti-virus server. In a subsequent scan of the file system, a determination is made whether intermediate scanning results relating to the file are available in the database. If they are available for a particular type of intermediate scan, then a scan need not be performed for the file. If they are not, then the scan can be performed. | 06-21-2012 |
20120159632 | Method and Arrangement for Detecting Fraud in Telecommunication Networks - Method and arrangement in a mediating function ( | 06-21-2012 |
20120159633 | System and Method for Updating Antivirus Cache - Disclosed are systems, methods and computer program products for updating an antivirus cache during a malware scan of a computer system. In particular, an antivirus cache stored in a non-volatile system memory may be updated with information from an antivirus database during execution of malware detection processes launched on the computer system. If a malware detection process uses one or more sections of the antivirus cache which require updating, the system replicates those sections of the antivirus cache and updates them. Each update contains different types of data and code associated with different types of malware. During the update, the same types of data for each type of malware are collected and stored as data files in corresponding sections of the antivirus cache, and executable code sections are converted into platform-specific dynamic libraries and also stored in the antivirus cache. | 06-21-2012 |
20120167217 | SYSTEMS AND METHODS TO DETECT AND NEUTRALIZE MALWARE INFECTED ELECTRONIC COMMUNICATIONS - Systems and methods to detect and neutralize malware infected electronic communications are described. The system may receive a request for interface information over a network from a client machine. In response to receiving the request, the system may generate the interface information to include at least one input mechanism to receive user information from the user and countermeasure information for utilization on the client machine to detect whether the interface information is modified on the client machine to receive user information from the user that is not authorized. Finally, the system may communicate the interface information, over the network, to the client machine. | 06-28-2012 |
20120167218 | SIGNATURE-INDEPENDENT, SYSTEM BEHAVIOR-BASED MALWARE DETECTION - A method, system, and computer program product for detecting malware based upon system behavior. At least one process expected to be active is identified for a current mode of operation of a processing system comprising one or more resources. An expected activity level of the one or more resources of the processing system is calculated based upon the current mode of operation and the at least one process expected to be active. An actual activity level of the plurality of resources is determined. If a deviation is detected between the expected activity level and the actual activity level, a source of unexpected activity is identified as a potential cause of the deviation. Policy guidelines are used to determine whether the unexpected activity is legitimate. If the unexpected activity is not legitimate, the source of the unexpected activity is classified as malware. | 06-28-2012 |
20120167219 | OPTIMIZATION OF ANTI-MALWARE PROCESSING BY AUTOMATED CORRECTION OF DETECTION RULES - A system, method and computer program product for optimization of execution of anti-malware (AV) applications. A number of false-positive determinations by an AV system are reduced by correcting malware detection rules using correction coefficients. A number of malware objects detected by the AV system are increased by correction of ratings determined by the rules using correction coefficients. An automated testing of new detection rules used by the AV system is provided. The new rules having zero correction coefficients are added to the rules database and results of application of the new rules are analyzed and the rules are corrected or modified for further testing. | 06-28-2012 |
20120167220 | SEED INFORMATION COLLECTING DEVICE AND METHOD FOR DETECTING MALICIOUS CODE LANDING/HOPPING/DISTRIBUTION SITES - Provided is a seed information collecting device for detecting malicious code landing/hopping/distribution sites. The device comprises: a seed information collecting module collecting social issue keywords from a seed information collecting channel and collecting address information of potential malicious code landing/hopping/distribution sites using the collected social issue keywords; a web source code collecting module collecting web source code of the potential malicious code landing/hopping/distribution sites using the address information of the potential malicious code landing/hopping/distribution sites collected by the seed information collecting module; and a policy management module managing collection policies of the seed information collecting module and the web source code collecting module. | 06-28-2012 |
20120167221 | APPARATUS FOR ANALYZING TRAFFIC - An apparatus for analyzing traffic is provided. The apparatus may precisely identify and analyze web traffic through 5 tuple-, HTTP-, and request/response pair-based packet analysis by monitoring the correlation between sessions. | 06-28-2012 |
20120167222 | METHOD AND APPARATUS FOR DIAGNOSING MALICIOUS FILE, AND METHOD AND APPARATUS FOR MONITORING MALICIOUS FILE - An apparatus for diagnosing malicious files includes an information transferring unit configured to receive information regarding a malicious file distributed in a management network and an execution file generated by assembling packets collected from the management network; an anti-virus engine configured to determine whether or not the execution file is malicious to generate information regarding a new malicious file; and a management unit configured to transfer the information regarding the malicious file and the information regarding the new malicious file to a terminal device on the management network through the information transferring unit. | 06-28-2012 |
20120167223 | Virus Localization Using Cryptographic Hashing - Methods for using integrity checking techniques to identify and locate computer viruses are provided. A method for virus localization for each of three types of virus infections is provided, including the steps of computing a sequence of file blocks, calculating hashes for the sequences of file blocks from a host file and calculating hashes for the same or related sequences of file blocks from an infected file, and comparing the hashes from the host file to the hashes from the infected file for the same or related sequences of file blocks, such that when some of said first hashes and said second hashes do not match, a location of a virus is output. Methods are also provided for computing the sequence of file blocks depending on the type of virus infection, and for calculating the hashes using a collision resistant hash function, a digital signature scheme, a message authentication code, or a pseudo-random function. | 06-28-2012 |
20120174224 | Systems and Methods for Malware Detection and Scanning - Systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page. | 07-05-2012 |
20120174225 | Systems and Methods for Malware Detection and Scanning - Systems and methods are provided for malware scanning and detection. In one exemplary embodiment, the method includes a hub computing device that receives, from a controller computing device, a scan request, and identifies spoke computing devices for performing the scan request. The method performed by the hub computing device also includes sending to the identified spoke computing devices, the scan request, receiving, from the spoke computing devices, results associated with the scan request, and sending, to the controller computing device, the results associated with the scan request. | 07-05-2012 |
20120174226 | System and Methods for Launching Antivirus Application Tasks during Computer Downtime - Disclosed are systems, methods and computer program products that enable deployment of an antivirus application on a computer system in a manner that reduces interference of the antivirus application with activities of system users. In particular, the computer system is provided with a plurality of detection devices that may be used to detect when the computer system is being used by the user or when it is in downtime mode. The detection devices may include a data input device, such as a mouse or keyboard, temperature sensors, pressure sensors, a digital camera, a sound wave source and sound wave receiver, or other detection devices. The computer system also includes a software agent associated with an antivirus application. The software agent collects and analyses data from the detection devices, determines when the computer system is in a downtime mode, and then launches various antivirus application tasks. | 07-05-2012 |
20120174227 | System and Method for Detecting Unknown Malware - The present disclosure relates generally to the field of computer security and, in particular, to systems for detecting unknown malware. A method comprises generating genes for known malicious and clean objects; analyzing object genes using different malware analysis methods; computing a level of successful detection of malicious objects by one or a combination of malware analysis methods based on analysis of genes of the known malicious objects; computing a level of false positive detections of malicious objects by one or a combination of malware analysis methods based on analysis of genes of known clean objects; measuring effectiveness of each one or the combination of malware analysis methods as a function of the level of successful detections and the level of false positive detections; and selecting one or a combination of the most effective malware analysis methods for analyzing unknown objects for malware. | 07-05-2012 |
20120180131 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR IDENTIFYING UNWANTED ACTIVITY UTILIZING A HONEYPOT DEVICE ACCESSIBLE VIA VLAN TRUNKING - A system, method, and computer program product are provided for identifying unwanted activity utilizing a honeypot accessible via virtual local area network (VLAN) trunking. In use, a honeypot device is allowed to be accessed via VLAN trunking. Furthermore, unwanted data is identified, utilizing the honeypot device. | 07-12-2012 |
20120180132 | METHOD, SYSTEM AND PROGRAM PRODUCT FOR OPTIMIZING EMULATION OF A SUSPECTED MALWARE - A method, system and program product for optimizing emulation of a suspected malware. The method includes identifying, using an emulation optimizer tool, whether an instruction in a suspected malware being emulated by an emulation engine in a virtual environment signifies a long loop and, if so, generating a first hash for the loop. Further, the method includes ascertaining whether the first hash generated matches any long loop entries in a storage and, if so, calculating a second hash for the long loop. Furthermore, the method includes inspecting any long loop entries ascertained to find an entry having a respective second hash matching the second hash calculated. If an entry matching the second hash calculated is found, the method further includes updating one or more states of the emulation engine such that execution of the long loop of the suspected malware is skipped, which optimizes emulation of the suspected malware. | 07-12-2012 |
20120185939 | Malware detection - A computer-implemented method of scanning a plurality of files stored in a memory of a computer for malware. The computer includes a processor. The method includes, for each respective file of said plurality of files in said memory determining, using said processor, whether a relationship between the respective file and stored data satisfies a predetermined criterion. The stored data indicates one or more files determined not to contain malware and for which data associated with each of said one or more files has a predetermined characteristic. If the relationship satisfies the predetermined criterion, the respective file is processed according to said first processing method and if said relationship does not satisfy said predetermined criterion, the respective file is processed according to said second processing method. | 07-19-2012 |
20120185940 | COMPUTER SYSTEM AND METHOD FOR SCANNING COMPUTER VIRUS - According to the present invention, a timeout caused by executing a virus scan is avoided. A computer system has a first computer, a second computer coupled to the first computer, and a storage system coupled to the first computer and the second computer. The first computer receives a request to write data, writes the requested data in the storage system, and sends a virus scan request of the written data to the second computer. The second computer receives the virus scan request from the first computer, reads the written data out of the storage system, and partially executes a virus scan of the read data. After the partial virus scan of the read data is finished, the first computer sends a response to the received write request. After the first computer sends the response, the second computer executes the remainder of the virus scan of the read data. | 07-19-2012 |
20120185941 | Multi-Network Virus Immunization - An apparatus, device, methods, computer program product, and system are described that determine a virus associated with a communications network, and distribute an anti-viral agent onto the communications network using a bypass network, the bypass network configured to provide transmission of the anti-viral agent with at least one of a higher transmission speed, a higher transmission reliability, a higher transmission security, and/or a physically-separate transmission path, relative to transmission of the virus on the communications network. | 07-19-2012 |
20120185942 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PRESENTING AN INDICIA OF RISK ASSOCIATED WITH SEARCH RESULTS WITHIN A GRAPHICAL USER INTERFACE - A system, method, and computer program product comprise presenting a plurality of search results within a graphical user interface. Further, an indicia of risk associated with the search results is presented, in real-time, within the graphical user interface. | 07-19-2012 |
20120192275 | REPUTATION CHECKING OF EXECUTABLE PROGRAMS - The reputation of an executable computer program is checked when a user input to a computing device initiates a program launch, thus triggering a check of a local cache of reputation information. If the local cache confirms that the program is safe, it is permitted to launch, typically without notifying the user that a reputation check has been made. If the local cache cannot confirm the safety of the program, a reputation check is made by accessing a reputation service in the cloud. If the reputation service identifies the program as safe, it returns an indication to the computing device and the program is permitted to be launched, again without notifying the user that a reputation check has been made. If the reputation service identifies the program as unsafe or potentially unsafe, or does not recognize it at all, a warning is displayed to the user. | 07-26-2012 |
20120192276 | SELECTING ONE OF A PLURALITY OF SCANNER NODES TO PERFORM SCAN OPERATIONS FOR AN INTERFACE NODE RECEIVING A FILE REQUEST - Provided are a computer program product, system, and method for selecting one of a plurality of scanner nodes to perform scan operations for an interface node receiving a file request. A list includes a plurality of scanner nodes in a network and for each scanner node a performance value. A file request is received with respect to a file. In response to the file request, one of the scanner nodes in the list is selected based on the performance values of the scanner nodes. The file is transmitted to the selected scanner node to perform a scan operation with respect to the file. Indication is received from the selected scanner node performing the scan operation whether a subset of code in the file matches code in a definition set. The file request is processed to result in execution of the file request based on the indication of whether the subset of code in the file matches a definition in the definition set. | 07-26-2012 |
20120192277 | SYSTEM AND METHODS FOR PROTECTING USERS FROM MALICIOUS CONTENT - A method, system and device for allowing the secure collection of sensitive information is provided. The device includes a display, and a user interface capable of receiving at least one user-generated interrupt in response to a stimulus generated in response to content received by the device, wherein the action taken upon receiving the user-generated interrupt depends on a classification of the content, the classification identifying the content as trusted or not trusted. The method includes detecting a request for sensitive information in content, determining if an interrupt is generated, determining if the content is trusted, allowing the collection of the sensitive information if the interrupt is generated and the content is trusted, and performing an alternative action if the interrupt is generated and the content is not trusted. The method may include instructions stored on a computer readable medium. | 07-26-2012 |
20120192278 | UNAUTHORIZED PROCESS DETECTION METHOD AND UNAUTHORIZED PROCESS DETECTION SYSTEM - Provided is a system whereby information on activities obtained by way of monitoring system access to input and output devices and storage devices in a terminal as well as information on activities executed by way of a terminal and obtained by way of monitoring communications through a network are associated with processes in the terminal that generated the activities, and if the activities are predetermined activities executed by the same or related processes, the system detects that unauthorized processes are running on the terminal. | 07-26-2012 |
20120192279 | MALWARE DETECTION USING EXTERNAL CALL CHARACTERISTICS - A malware scanner | 07-26-2012 |
20120198553 | SECURE AUDITING SYSTEM AND SECURE AUDITING METHOD - Disclosed is a technique that audits security of a terminal connected to a network and executes a given program wherein a computer-virus free file is permitted to execute a program in a manner such that a computer virus is not activated. As a result, the terminal is maintained in a secure state. | 08-02-2012 |
20120198554 | Obfuscated Malware Detection - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes identifying call instructions in a binary executable; executing the call instruction; executing instructions subsequent to a target of the call instruction; determining that an address identified by a stack pointer is different from the return address; in response to the determination that the address is different, determining if there is a non-obfuscation signal; if there is a non-obfuscation signal, identifying the call instruction as a non-obfuscated call instruction; if there is not a non-obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; determining whether the call instructions identified as possibly obfuscated call instructions exceeds a threshold; in response to the determination that the call instructions identified as possibly obfuscated call instructions exceeds the threshold, identifying the executable as an obfuscated executable. | 08-02-2012 |
20120204265 | Systems and Methods For Message Threat Management - The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features, in conjunction with configuration data such as goals, are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems. | 08-09-2012 |
20120204266 | METHOD FOR PROVIDING AN ANTI-MALWARE SERVICE - The present invention relates to a method for providing an anti-malware service based on a server, wherein at least one server manages ‘local malware information’ associated with a predetermined region, and the server generates ‘malware component information’ for a device on the basis of the ‘local malware information’ if the device is located in the predetermined region, and the server transmits the ‘malware component information’ to the device. Thus, the method of the present invention permits minimum data traffic to be transceived during the malware DB update performed in the device so as to prevent waste of communication resources, permits the device to use a limited resource effectively, and effectively deals with malware generated in different regions of the world. | 08-09-2012 |
20120210431 | Detecting a trojan horse - A method and apparatus for detecting a Trojan in a suspicious software application in the form of at least one electronic file. A computer device determines the source from which the suspicious software application was obtained. A comparison is then made between the source from which the suspicious software application was obtained and a source from which an original, clean version of the software application was obtained. If the sources differ, then it is determined that the suspicious application is more likely to contain a Trojan horse than if the sources were the same. | 08-16-2012 |
20120216283 | METHOD AND SYSTEM FOR DISABLING MALWARE PROGRAMS - Disabling malware programs. At least some of the various embodiments are methods including disabling a malware program on a computer system that comprises a native operating system on a long term storage device. In some cases, the disabling by: booting a non-native operating system on the computer system; identifying, by a scan program executed under the non-native operating system, the malware program on the long term storage device; modifying, by the scan program, a file system coupled to the native operating system with respect to the malware program, the file system on the long term storage device; and then booting the native operating system on the computer system. | 08-23-2012 |
20120216284 | METHOD AND SYSTEM OF POSTING ACHIEVEMENTS REGARDING SCANS FOR MALWARE PROGRAMS - Posting achievements regarding scans for malware programs. At least some of the illustrative embodiments are methods including: initiating a scan for malware programs on a computer system, the initiating by a first user, and the scan by a scan program executed on the computer system; identifying malware programs on the computer system by the scan program, where identifying meets a predetermined achievement; and posting to a social network, the posting comprises an indication of meeting the predetermined achievement, and the posting associated with the first user. | 08-23-2012 |
20120222120 | MALWARE DETECTION METHOD AND MOBILE TERMINAL REALIZING THE SAME - A malware detection method and a mobile terminal realizing the same are provided. The method monitors execution of applications on the mobile terminal, notifies a user of perceived malicious behavior and guides handling of a detected malicious application. The malware detection method includes extracting, when a platform Application Programming Interface (API) is called by an application, an action of the application from the platform API, determining, when the extracted action is a preset trigger action, whether the application is a malware program by comparing the extracted action with a malware pattern file, and outputting, when the application is a malware program, an alert message. | 08-30-2012 |
20120222121 | Systems and Methods for Detecting Malicious PDF Network Content - Systems and methods for detecting malicious PDF network content are provided herein. According to some embodiments, the methods may include at least the steps of examining received PDF network content to determine if one or more suspicious characteristics indicative of malicious network content are included in the PDF network content, providing PDF network content determined to include at least one suspicious characteristic to one or more virtual machines, and analyzing responses received from the one or more virtual machines to verify the inclusion of malicious network content in the PDF network content determined to include at least one suspicious characteristic. | 08-30-2012 |
20120227109 | System And Method For Packet Profiling - Systems and methods for packet profiling are disclosed. According to one embodiment, a method for profiling incoming data packets for an organization includes the steps of (1) receiving, at an interface for a transport provider, a data packet; (2) using a computer processor, analyzing the data packet; (3) using the computer processor, based on the analysis, marking the data packet; and (4) transmitting the data packet to the organization. | 09-06-2012 |
20120227110 | NETWORK BROWSER SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR SCANNING DATA FOR UNWANTED CONTENT AND ASSOCIATED UNWANTED SITES - A system, method, and computer program product are provided for scanning data for unwanted content and unwanted sites in response to a user request. In use, a user request is received via a network to scan data prior to downloading the data utilizing a network browser. In addition, the data is scanned for unwanted content and associated unwanted sites in response to the user request. Further, a response is sent to the user via the network. | 09-06-2012 |
20120233696 | METHOD AND SYSTEM FOR ANTIVIRUS BY SIM CARD COMBINED WITH CLOUD COMPUTING - The invention provides a method and a system of antivirus solution by using a SIM card combined with cloud antivirus. The method comprises that the signature data of a file of a present mobile device is sent to a cloud server; the cloud server receives the file signature data and checks the received file signature data by using a cloud virus database stored at the cloud server; and the cloud server sends the checking result back to the SIM card of the mobile device via OTA (Over-the-Air). | 09-13-2012 |
20120233697 | Method and Apparatus Reducing Malware Detection Induced Delay - Methods and apparatuses for network | 09-13-2012 |
20120240229 | SYSTEMS AND METHODS FOR LOOKING UP ANTI-MALWARE METADATA - A computer-implemented method for looking up anti-malware metadata may include identifying a plurality of executable objects to be scanned for malware before execution. The computer-implemented method may also include, for each executable object within the plurality of executable objects, assessing an imminence of execution of the executable object. The computer-implemented method may further include prioritizing, based on the assessments, a retrieval order for anti-malware metadata corresponding to the plurality of executable objects. The computer-implemented method may additionally include retrieving anti-malware metadata corresponding to an executable object within the plurality of executable objects based on the retrieval order. Various other methods, systems, and computer-readable media are also disclosed. | 09-20-2012 |
20120240230 | MEMORY STORAGE DEVICE AND MEMORY CONTROLLER AND VIRUS SCANNING METHOD THEREOF - A memory storage device, a memory controller, and a virus scanning method are provided. In the method, a virus signature database recording a predetermined file segment and a corresponding virus signature is provided. A plurality of logical addresses is mapped to a part of a plurality of physical addresses in a rewritable non-volatile memory chip of the memory storage device, and a host system accesses the logical addresses by using a file system including a file allocation table (FAT). At least one binary code is received. The FAT is analyzed to identify a file segment containing the at least one binary code. If the file segment matches the predetermined file segment, the at least one binary code is not written into the memory storage device or transmitted back to the host system when the at least one binary code matches the virus signature corresponding to the predetermined file segment. | 09-20-2012 |
20120240231 | APPARATUS AND METHOD FOR DETECTING MALICIOUS CODE, MALICIOUS CODE VISUALIZATION DEVICE AND MALICIOUS CODE DETERMINATION DEVICE - An apparatus for detecting a malicious code includes: a malicious code visualization device for generating a graph for a malicious file by using strings in the malicious file, a connection among the strings and entropies for the strings and establishing a malicious code database with the generated graph for the malicious file. The apparatus further includes a malicious code determination device for generating a graph for a specific executable file and comparing the graph for the executable file with graphs for malicious files stored in the malicious code database to detect a malicious code in the executable file. | 09-20-2012 |
20120240232 | QUARANTINE NETWORK SYSTEM AND QUARANTINE CLIENT - A quarantine network system includes a quarantine control apparatus and a quarantine client connectable with each other. The quarantine control apparatus includes a receiving unit to receive verification information of the quarantine client, an identification unit to identify a security policy that the quarantine client is required to conform to, and an inspection request unit to transmit an inspection request to the quarantine client, requesting the quarantine client to inspect conformance/non-conformance to the identified security policy. The quarantine client includes a receiver to receive the inspection request from the quarantine control apparatus, a storage unit storing inspection information used to inspect conformance/non-conformance to the security policy, a reading unit to read out the inspection information from the storage unit, an inspection unit to inspect the quarantine client using the read-out inspection information, and an inspection result reporting unit to transmit an inspection result to the quarantine control apparatus. | 09-20-2012 |
20120240233 | Method and system for detecting malicious web content - A method for determining whether web content intended for transmission from a second device to a first device via a routing device comprises malware is proposed. The method, to be carried out by the routing device, includes receiving at least a part of the web content from the second device, providing to an antivirus service a representation of N bits of the received part of the web content, and receiving, from the antivirus service, test information based on the representation of the N bits provided by the router and indicating whether the web content may comprise malware. An appropriate representation of the N bits of web content serves as a “fingerprint,” sufficiently identifying the entire piece of the web content for the purpose of determining whether or not this piece of web content may contain malware. | 09-20-2012 |
20120240234 | USB FIREWALL APPARATUS AND METHOD - Apparatus and methods prevent malicious data in Universal Serial Bus (USB) configurations by providing a hardware firewall. A hardware device interconnected between a host and the USB monitors communication packets and blocks packets having unwanted or malicious intent. The device may act as a hub, enabling multiple devices to connect to a single host. The device may only allow mass storage packets from a device recognized as a mass storage device. The device may block enumeration of unwanted devices by not forwarding packets between the device and the host. The device may be operative to assign a bogus address to a malicious device so as not to transfer communications from the device further up the chain to the host. The device may provide shallow or deep packet inspection to determine when a trusted device is sending possible malicious data, or provide packet validation to block packets that are malformed. | 09-20-2012 |
20120246729 | DATA STORAGE DEVICES INCLUDING INTEGRATED ANTI-VIRUS CIRCUITS AND METHOD OF OPERATING THE SAME - A data storage device includes a storage medium and a controller circuit configured to be coupled to an external host to provide an interface between the external host and the storage medium, the controller circuit configured to detect a virus carried by a data file transferred to and/or stored in the storage medium. The controller circuit may be further configured to cure the detected virus. | 09-27-2012 |
20120255010 | SYSTEM AND METHOD FOR FIRMWARE BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a non-volatile memory, a processor coupled to the non-volatile memory, a resource of the electronic device, firmware residing in the non-volatile memory and executed by the processor, and a firmware security agent residing in the firmware. The firmware is communicatively coupled to the resource of an electronic device. The firmware security agent is configured to, at a level below all of the operating systems of the electronic device accessing the resource, intercept a request for the resource and determine whether the request is indicative of malware. | 10-04-2012 |
20120255011 | SYSTEMS AND METHODS FOR IDENTIFYING HIDDEN PROCESSES - A first security module may be configured to execute on an electronic device at a level below all of the operating systems of the electronic device accessing one or more system resources. The first security module may be configured to: trap one or more attempts to access system resources of the electronic device, the one or more attempts made from a less privileged ring of execution than the first security module; record information identifying one or more processes attempting to access the system resources of the electronic device; compare the information identifying the one or more processes attempting to access the system resources with the one or more processes enumerated as visible to the operating system by a second security module; and based on the comparison, determine one or more hidden processes, the hidden processes determined by at least identifying processes whose information was recorded by the first security module but which were not enumerated by the second security module. | 10-04-2012 |
20120255012 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REGULATION AND CONTROL OF SELF-MODIFYING CODE - A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location. | 10-04-2012 |
20120255013 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM MODIFICATION OF MALICIOUS CODE ON AN ELECTRONIC DEVICE - A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to detect the presence of malicious code and, in response to detecting the presence of the malicious code, modify the malicious code. | 10-04-2012 |
20120255014 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REPAIR OF RELATED MALWARE-INFECTED THREADS AND RESOURCES - A security agent may be configured to: (i) execute on an electronic device at a level below all of the operating systems of the electronic device accessing a memory or processor resources of the electronic device; (ii) trap attempted accesses to the memory or the processor resources associated with function calls for thread synchronization objects associated with creation, suspension, or termination of one thread by another thread; (iii) in response to trapping each attempted access, record information associated with the attempted access in a history, the information including one or more identities of threads associated with the attempted access; (iv) determine whether a particular thread is affected by malware; and (v) in response to determining that the particular thread is affected by malware, analyze information in the history associated with the particular memory location or processor resource to determine one or more threads related to the particular thread. | 10-04-2012 |
20120255015 | METHOD AND APPARATUS FOR TRANSPARENTLY INSTRUMENTING AN APPLICATION PROGRAM - Generally, this disclosure describes systems and methods for transparently instrumenting a computer process. The systems and methods are configured to allow instrumenting executable code while permitting legacy memory scanning tools to monitor corresponding uninstrumented executable code stored in memory. | 10-04-2012 |
20120255016 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM PROTECTION OF AN OPERATING SYSTEM KERNEL - A below-operating system security agent may be configured to: (i) trap attempted accesses to the components of the operating system and the set of drivers executing on the electronic device; (ii) in response to trapping an attempted access, compare contextual information associated with the attempted access to an access map; and (iii) determine if the attempted access is trusted based on the comparison. The access map may be generated by: (i) trapping, at a level below all of the operating systems of a second electronic device accessing components of the second operating system and the second set of drivers executing on the second electronic device and each substantially free of malware, accesses to components of the second operating system and the second set of drivers executing on the second electronic device; and (ii) in response to trapping the accesses, recording contextual information regarding the accesses to the access map. | 10-04-2012 |
20120255017 | SYSTEM AND METHOD FOR PROVIDING A SECURED OPERATING SYSTEM EXECUTION ENVIRONMENT - In one embodiment, a system for launching a security architecture includes an electronic device comprising a processor and one or more operating systems, a security agent, and a launching module. The launching module comprises a boot manager and a secured launching agent. The boot manager is configured to boot the secured launching agent before booting the operating systems, and the secured launching agent is configured to load a security agent. The security agent is configured to execute at a level below all operating systems of the electronic device, intercept a request to access a resource of the electronic device, the request originating from the operational level of one of one or more operating systems of the electronic device, and determine if a request is indicative of malware. In some embodiments, the secured launching agent may be configured to determine whether the security agent is infected with malware prior to loading the security agent. | 10-04-2012 |
20120255018 | SYSTEM AND METHOD FOR SECURING MEMORY AND STORAGE OF AN ELECTRONIC DEVICE WITH A BELOW-OPERATING SYSTEM SECURITY AGENT - A security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory or a storage of the electronic device may be further configured to: (i) access one or more security rules to determine criteria by which an attempted access involving a transfer of content between the memory and the storage of an electronic device will be trapped; (ii) if the criteria are met, trap, at a level below all of the operating systems of the electronic device, the attempted access of data between memory and storage of the electronic device; and (iii) analyze, at a level below all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware. | 10-04-2012 |
20120255019 | METHOD AND SYSTEM FOR OPERATING SYSTEM IDENTIFICATION IN A NETWORK BASED SECURITY MONITORING SOLUTION - A method and system for providing network based malware detection in a service provider network is disclosed. Transmission control protocol (TCP) packets originating from an access device coupled to the service provider network, and defining a TCP session between a computing device coupled to the access device and a destination coupled to the service provider network, are received. An operating system identifier (OS ID) associated with the TCP session and the computing device is determined. Whether malware is present in the TCP session, and an associated malware ID, is determined by comparing a malware signature to the one or more TCP packets. An alert identifying a network address associated with the access device, the malware ID, and the OS ID associated with the TCP session that generated the alert can then be generated. | 10-04-2012 |
20120260342 | Malware Target Recognition - A method, apparatus and program product are provided to recognize malware in a computing environment having at least one computer. A sample is received. An automatic determination is made by the at least one computer to determine if the sample is malware using static analysis methods. If the static analysis methods determine the sample is malware, dynamic analysis methods are used by the at least one computer to automatically determine if the sample is malware. If the dynamic analysis methods determine the sample is malware, the sample is presented to a malware analyst to adjudicate the automatic determinations of the static and dynamic analyses. If the adjudication determines the sample is malware, a response action is initiated to recover from or mitigate a threat of the sample. | 10-11-2012 |
20120260343 | AUTOMATED MALWARE SIGNATURE GENERATION - Automated malware signature generation is disclosed. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature. | 10-11-2012 |
20120266243 | Emulation for malware detection - According to a first aspect of the present invention there is provided a method of performing emulation of at least part of a program using an emulated computer system implemented on a computer system. The method includes, during execution of the program within the emulated computer system, when the program attempts to access a unit of data, copying the unit of data from a memory of the computer system into an emulated memory, and allowing the program to access the unit of data within the emulated computer system. A unit of data may be a memory page. | 10-18-2012 |
20120266244 | Detecting Script-Based Malware using Emulation and Heuristics - The subject disclosure is directed towards running script through a malware detection system including an emulator environment to detect any malware within the script. Statistics are collected as part of processing the script, with parameterized heuristic analysis used to determine whether to run the emulation. The processing through the malware detection system may be iterative, to de-obfuscate layers of obfuscated malware. The emulator may be updated via signatures. | 10-18-2012 |
20120266245 | Multi-Nodal Malware Analysis - A computer-implemented method includes accessing, by an analysis console, information related to a first file received at a first host of a plurality of hosts. Each host is capable of running a corresponding set of malware detection processes. The information includes: an identifier of the first file; and data indicating a first result of the first host applying the set of malware detection processes to the first file. The identifier is generated by the first host and is usable by each of the hosts to determine whether a second file comprises content substantially equivalent to content of the first file. The analysis console generates a first output including: the identifier of the first file; and a second result indicating whether the first file comprises malware. The second result is usable by each of the hosts to determine whether the second file comprises malware. The first output is propagated to the hosts. | 10-18-2012 |
20120272318 | SYSTEM AND METHOD FOR DYNAMIC GENERATION OF ANTI-VIRUS DATABASES - A method for reducing the size of the AV database on a user computer by dynamically generating an AV database according to user parameters is provided. Critical user parameters that affect the content of the AV database required for this user are determined. The AV database for the single user is generated based on the user parameters. When the parameters of the user computer change or when new malware threats are detected, the user AV database is dynamically updated according to the new parameters and the new malware threats. The update procedure becomes more efficient since the need to update large volumes of data is eliminated. The AV system, working with a small AV database, finds malware objects more efficiently and uses fewer computer system resources. | 10-25-2012 |
20120272319 | Apparatus, and system for determining and cautioning users of Internet connected clients of potentially malicious software and method for operating such - A system at a central server and at a plurality of web filters is installed to observe traffic and to protect users from attempting connection to suspicious, malicious, and/or infectious targets. Targets are defined as Uniform Resource Identifiers (URI) and Internet Protocol (IP) addresses. Traffic is collected, analyzed, and reported for further analysis. Behavior is analyzed for each client attempting a connection to an uncategorized target. IP addresses and URIs are evaluated toward placement in either a Trusted target store or an Anomalous target store. The accumulated content of Anomalous target store is provided back to the Network Service Subscriber Clients. Warnings and tools are presented when appropriate. | 10-25-2012 |
20120272320 | METHOD AND SYSTEM FOR PROVIDING MOBILE DEVICE SCANNING - An approach for providing mobile device scanning is described. A file stored within a mobile device is received. A scan of the received file is initiated to determine a status relating to presence of an unauthorized code or to execution of an unauthorized activity. A notification message is generated based on the scan, wherein the notification message specifies information relating to the determined status. | 10-25-2012 |
20120272321 | ANTIVIRUS COMPUTING SYSTEM - An antivirus computing system includes: a storage device having an operating partition that has stored therein a to-be-scanned file, and a hidden partition that has stored therein a virus code; and an antivirus device operatively associated with the storage device, and configured to perform a virus scan on the to-be-scanned file in the operating partition based on the virus code in the hidden partition. | 10-25-2012 |
20120278892 | Updating anti-virus software - A method of updating an anti-virus application including an updatable module running on a client terminal. The method includes receiving an update at the client terminal, initialising the updatable module within a sandbox environment and applying the update to the updatable module. Control tests are then run on the updated sandboxed module and if the control tests are passed, the updated module is brought out of the sandbox environment and normal scanning is allowed to proceed using the updated module. If the control tests are not passed, however, normal scanning using the updated module is prevented. | 11-01-2012 |
20120278893 | RING OSCILLATOR BASED DESIGN-FOR-TRUST - A ring oscillator (RO) based Design-For-Trust (DFTr) technique is described. Functional paths of an integrated circuit (IC) are included in one or more embedded ROs by (1) selecting a path in the IC, based on path selection criteria, that has one or more unsecured gates, and (2) embedding one or more ROs on the IC until a stop condition is met. An input pattern to activate the embedded RO is determined. Further, a golden frequency, which is the frequency at which the embedded RO oscillates, and a frequency range of the embedded RO are determined. A Trojan in the IC may be detected by activating the embedded RO (by applying the input pattern), measuring the frequency at which the embedded RO oscillates, and determining whether or not a Trojan is present based on whether or not the measured frequency of the RO is within a predetermined operating frequency range of the RO. | 11-01-2012 |
20120278894 | RESISTING THE SPREAD OF UNWANTED CODE AND DATA - A method or system of receiving an electronic file containing content data in a predetermined data format, the method comprising the steps of: receiving the electronic file, determining the data format, parsing the content data, to determine whether it conforms to the predetermined data format, and if the content data does conform to the predetermined data format, regenerating the parsed data to create a regenerated electronic file in the data format. | 11-01-2012 |
20120278895 | METHODS AND APPARATUS FOR DEALING WITH MALWARE - In one aspect, a method of classifying a computer object as malware includes receiving at a base computer data about a computer object from each of plural remote computers on which the object or similar objects are stored. The data about the computer object received from the plural computers is compared in the base computer. The computer object is classified as malware on the basis of said comparison. In one embodiment, the data about the computer object includes one or more of: executable instructions contained within or constituted by the object; | 11-01-2012 |
20120278896 | SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - A method of updating a content detection module includes obtaining content detection data, and transmitting the content detection data to a content detection module, wherein the transmitting is performed not in response to a request from the content detection module. A method of sending content detection data includes obtaining content detection data, selecting an update station from a plurality of update stations, and sending the content detection data to the selected update station. A method of building a content detection system includes establishing a first communication link between a central station and an update station, the central station configured to transmit content detection data to the update station, and establishing a second communication link between the update station and a content detection module. | 11-01-2012 |
20120284796 | PROTECTION OF A VOLATILE MEMORY AGAINST VIRUSES BY MODIFICATION OF THE CONTENT OF AN INSTRUCTION - A method for protecting a volatile memory against a virus, wherein: rights of writing, reading, or execution are assigned to certain areas of the memory; and a first list of opcodes for which the access to the areas is authorized or forbidden is associated with each of these areas. | 11-08-2012 |
20120291131 | Malware detection - A method and apparatus for detecting malware in which a computer device that has an operating system and a memory executes an untrusted computer program. In the event that the untrusted program directly accesses a region of the memory used to store information relating to the operating system, a determination is made that the untrusted program is likely to be malware. | 11-15-2012 |
20120297486 | Look ahead malware scanning - According to a first aspect of the present invention there is provided a method of scanning for malware during execution of an application on a computer system. The method includes detecting accesses by the application to files within a common directory, using the detected accesses to identify one or more groups of files within said common directory that the application may subsequently want to access, and scanning said one or more groups of files for malware prior to the application attempting to access files of the group or groups. | 11-22-2012 |
20120297487 | DISTRIBUTING UPDATE INFORMATION BASED ON VALIDATED LICENSE INFORMATION - Example embodiments disclosed herein relate to distributing updated execution information to a cluster of nodes. Licensing information about whether the nodes are licensed to receive the updated execution information is generated. The licensing information is validated. The validated licensing information is used to distribute the updated execution information to the nodes. | 11-22-2012 |
20120297488 | Discovering Malicious Input Files and Performing Automatic and Distributed Remediation - The subject disclosure is directed towards detecting malware or possible malware in an input file by allowing the input file to be opened, and by monitoring for one or more behaviors corresponding to the open file that likely indicate malware. Only certain executable files and/or file types opened thereby may be monitored, with various collected event data used for antimalware purposes when improper behavior is observed. Example behaviors include writing of a file to storage, generation of network traffic, injection of a process, running of script, and/or writing system registry data. Telemetry data and/or a sample of the file may be sent to an antimalware service, and malware remediation may be performed. Data (e.g., the collected events) may be distributed to other nodes for use in antimalware detection, e.g., to block execution of a similar file. | 11-22-2012 |
20120297489 | COMPUTER NETWORK INTRUSION DETECTION - A method and system of identifying an attacker device attempting an intrusion into a network. At least one managed device of the network detects an incoming TCP/IP connection by the attacker device to the network. It is determined that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device. The invalid logon is linked with the NetBIOS TCP/IP connection, event log information is retrieved from a security event log of the network, and it is determined (i) that a userid of the invalid logon is a local userid defined on a local device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid nor in the list of userids. The retrieved event log information is stored in a central violation database. | 11-22-2012 |
20120304298 | METHOD FOR ANTIVIRUS IN A MOBILE DEVICE BY USING A MOBILE STORAGE AND A SYSTEM THEREOF - A method for antivirus in a mobile device is performed by using a mobile storage and a system thereof. The method includes a mobile storage that is connected to a mobile device. The control module in the mobile storage automatically runs. The control module obtains root privilege of the operating system of the mobile device, and calls a virus-killing module in the mobile storage to eliminate a file(s) or program(s) threatening the security of the mobile device. The advantage is to obtain the newest antivirus method by using a mobile storage when a mobile device is unable to update antivirus software through the internet. | 11-29-2012 |
20120311708 | SYSTEM AND METHOD FOR NON-SIGNATURE BASED DETECTION OF MALICIOUS PROCESSES - Systems and methods for detecting malicious processes in a non-signature based manner are disclosed. The system and method may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plurality of process categories. | 12-06-2012 |
20120311709 | AUTOMATIC MANAGEMENT SYSTEM FOR GROUP AND MUTANT INFORMATION OF MALICIOUS CODES - An automatic management system includes a malicious code group-mutant storage module that receives a malicious code analysis result from a malicious code collection-analysis system and extracts group information and mutant information of the malicious codes based on the malicious code analysis result, a malicious code group-mutant DB that stores the extracted group information and mutant information, a malicious code group-mutant management module that provides an interface to allow a user to detect the group information and mutant information stored in the malicious code group-mutant DB, and a visualizing module that outputs the detection result to the user, wherein the malicious code group-mutant management module groups malicious codes having action associations using the group information and mutant information stored in the malicious code group-mutant DB, outputs the group information through the visualizing module and outputs the mutant information based on CFG similarity and string similarity through the visualizing module. | 12-06-2012 |
20120311710 | COMPUTER PROGRAM, METHOD, AND SYSTEM FOR PREVENTING EXECUTION OF VIRUSES AND MALWARE - Preventing execution of viruses or malware on a computing device includes compiling an inventory recordation of legitimate applications while in a training mode and terminating execution of any application not on the inventory recordation while in a protected mode. A user may train the computer program to identify legitimate applications routinely accessed by the user and to be updated to the inventory recordation, such that the inventory recordation is personal to the user. After training, the protected mode is activated. While an Internet browser or e-mail client application is activated while in the protected mode, execution of any accessed application that is not uniquely identified on the inventory recordation is terminated. | 12-06-2012 |
20120317644 | Applying Antimalware Logic without Revealing the Antimalware Logic to Adversaries - The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, with which a customer frontend machine communicates (queries) for purposes of malware detection. In this way, some antimalware techniques are maintained at the backend service rather than revealed to malware authors. The backend antimalware detection logic may be based upon feature selection, and may be updated rapidly, in a manner that is faster than malware authors can track. Noise may be added to the results to make it difficult for malware authors to deduce the logic behind the results. The backend may return results indicating malware or not malware, or return inconclusive results. The backend service may also detect probing-related queries that are part of an attempt to deduce the unrevealed antimalware detection logic, with noisy results returned in response and/or other actions taken to foil the attempt. | 12-13-2012 |
20120317645 | THREAT LEVEL ASSESSMENT OF APPLICATIONS - An application safety system is described herein that provides a scoring system of how dangerous an application is based on behavioral inspection of the application. Upon detecting installation of an application or first execution of the application, the application safety system performs static analysis before the new application is executed by the operating system. The system allows the user to approve running the application after displaying information about what the application does. Next, the system performs dynamic analysis as the application runs and alerts the user to any potentially harmful behavior. Over time, the system determines when the application may be acting in a manner that is out of character and informs the user. The system also allows users to restrict behavior that a particular application can perform. | 12-13-2012 |
20120317646 | VIRUS CO-PROCESSOR INSTRUCTIONS AND METHODS FOR USING SUCH - Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a method for virus processing is provided. A general purpose processor receives and stores a data segment to a first memory at a virtual address. The first memory contains paging data structures for translating virtual addresses to physical addresses. The general purpose processor directs a virus processing hardware accelerator to scan the data segment based on virus signatures compiled for the virus processing hardware accelerator and stored in a second memory. The first memory includes a first virus signature compiled for the general purpose processor. The virus processing hardware accelerator retrieves the data segment by accessing the first memory based on the virtual address and cached information, stored within one or more translation lookaside buffers local to the virus processing hardware accelerator, relating to most recently used entries of the paging data structures. | 12-13-2012 |
20120324577 | DETECTING MALICIOUS SOFTWARE ON A COMPUTING DEVICE WITH A MOBILE DEVICE - Systems, methods, devices, and machine readable media for detecting malicious software on a computing device with a mobile device are provided. One method includes causing a mobile device to mount a non-volatile memory of the computing device, scanning the non-volatile memory of the computing device with the mobile device using a low-level read operations scan, collecting data on the mobile device from the low-level read operations scan, and evaluating the data collected on the mobile device for malicious software on the computing device. | 12-20-2012 |
20120324578 | MOBILE DEVICE OPERATIONS WITH BATTERY OPTIMIZATION - Techniques for conserving battery power in devices are provided. One or more deferrable tasks are queued for later execution. An initiation of a subsequent charging event for a battery of the device is detected. The queued deferrable task(s) are enabled to be executed during the charging event. For instance, the queued deferrable task(s) may be enabled to be executed if the charging event is predicted to be a long duration charging event, such as by referring to a charging profile of the mobile device. In this manner, battery power is conserved while the device is in use and not connected to a battery charger. | 12-20-2012 |
20120324579 | CLOUD MALWARE FALSE POSITIVE RECOVERY - Methods, systems, and computer program products are provided for recovering from false positives of malware detection. Malware signatures that are defective may be causing false positives during software scanning for malware. Such defective malware signatures may be detected (e.g., by user feedback, etc.) and revoked. Computers that are using the malware signatures to detect malware may be notified of the revoked signatures, and may be enabled to re-scan content identified as containing malware using malware signatures that do not include the revoked malware signatures. As such, if the content is determined during the re-scan to not be infected, the content may be re-enabled for usage on the computer (e.g., may be restored from quarantine storage). | 12-20-2012 |
20120324580 | Method and Apparatus for Selective E-Mail Processing - Disclosed is a system and method for selective email processing. A traffic separator includes an interface for receiving electronic mail traffic from a source network address. The traffic separator also includes a processor for comparing the source network address to a stored list of network addresses to determine a categorization of the network source address. The traffic separator also includes at least one interface for forwarding the electronic mail traffic to one of many message transfer agents (MTAs) based upon said determination. A database stores the list of network addresses. In one embodiment, one or more network addresses in the stored list are network address ranges. | 12-20-2012 |
20130007882 | METHODS OF DETECTING AND REMOVING BIDIRECTIONAL NETWORK TRAFFIC MALWARE - An exemplary method for bi-directional detection and removal of network traffic malware may comprise receiving a request for website content, removing any server-directed malware from the content request, transmitting the scrubbed content request to the website's hosting server, receiving the responsive website content, removing any client-directed malware from the content, and transmitting the scrubbed content to the requesting client. | 01-03-2013 |
20130007883 | Portable Security Device and Methods for Detection and Treatment of Malware - Disclosed is a portable security device and method for detection and treatment of computer malware. The security device includes a communication interface for connecting to a computer, a memory for storing a set of data for use in malware detection experiments, and an antivirus engine configured to perform one or more malware detection experiments on the computer. A malware detection experiment includes simulating a connection to the computer of a data storage device containing a predefined set of data. The antivirus engine is further configured to identify modifications in the set of data contained in the data storage device after termination of one or more malware detection experiments, analyze the modified set of data for the presence of computer malware, determine a treatment mechanism for the detected malware, perform treatment of the detected malware on the computer, and generate user reports. | 01-03-2013 |
20130007884 | INTERDICTING MALICIOUS FILE PROPAGATION - An approach is provided for interdicting malicious file propagation. Packets of a message being transferred to a destination device are received. In response to packet(s) of the message being received, the packet(s) are scanned by determining whether the packet(s) match a corresponding portion of a malicious file. If any of the scanned packet(s) do not match the corresponding portion of the malicious file, a transfer of subsequent packet(s) of the message to the destination device is permitted without performing a scan of the subsequent packet(s). If the scanned packet(s) including a last one or more packets of the message match corresponding portions of the malicious file, a transfer of the scanned packet(s) to the destination device is permitted, except a transfer of the last one or more packets of the message to the destination device is not permitted. | 01-03-2013 |
20130014258 | Controlling Network-Based Applications With Social Media Postings - A content posting associated with a user of the social media service is received. The posting can be submitted to the social media service as a status update or message to the social media account associated with the application. The content posting contains an embedded command. The content posting is processed to generate a request to one or more data sources. The request can be a query for information or an instruction to perform an action (e.g. update a data record). The request is sent to one or more data sources, and a response comprising data from the data source is received. The response is parsed to extract data values which are inserted into pre-configured templates in accordance with the characteristics of the response delivery method preference set by the user and stored in an application user profile. The response delivery method can be a social media service and/or other response delivery method (e.g. SMS or RSS feed). In some embodiments, the formatted response is then sent to the social media service and/or other response delivery method for delivery. | 01-10-2013 |
20130014259 | DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINE - A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim's computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack. | 01-10-2013 |
20130014260 | APPARATUS, SYSTEM, AND METHOD FOR PREVENTING INFECTION BY MALICIOUS CODE - The invention relates to an apparatus for preventing infection by malicious code, comprising: a database in which files installed in an agent system, DNA values for each part of the files, and index information for indicating whether each file is normal or malicious are stored; a calculation unit which calculates a DNA value for a part of a file for which an execution is requested in the agent system; and a file inspection unit which searches the database to extract, in a group, files having the DNA value calculated by the calculation unit, inspects whether an object file is normal or malicious on the basis of the index information on the files extracted in a group, and allows the execution of the object file or makes a request for the calculation of DNA values of other parts which selectively include one part of the object file. | 01-10-2013 |
20130014261 | HASH-BASED SYSTEMS AND METHODS FOR DETECTING AND PREVENTING TRANSMISSION OF POLYMORPHIC NETWORK WORMS AND VIRUSES | 01-10-2013 |
20130014262 | MOBILE COMMUNICATION TERMINAL HAVING A BEHAVIOR-BASED MALICIOUS CODE DETECTION FUNCTION AND DETECTION METHOD THEREOF - A mobile communication terminal comprises: a system unit which performs application installation and removal, outputs an installation completion message upon completion of the application installation, and provides, upon receipt of request for authority information on the application, the requested authority information; a behavior information database in which behavior information data is stored; and an inspection unit which makes a request for the authority information to the system unit and receives the authority information, upon receipt of the installation completion message from the system unit, and which compares the authority information and the behavior information data stored in the behavior information database to examine whether the application is a malicious code or not. | 01-10-2013 |
20130019313 | GRANULAR VIRUS DETECTION (inventors: Sandro Piccinini, Luigi Pichetti, Marco Secchi, Stefano Sidoti; Rome, IT) - A group of files for an application installed on a computer system is identified in response to a request to scan the application for malware. The group of files for the application is scanned for the malware. A result is obtained. An action is performed based on the result. | 01-17-2013 |
20130024939 | Conditional security response using taint vector monitoring - An embodiment or embodiments of a computing system can conditionally trap based on a taint vector. A computing system can comprise at least one taint vector operable to list at least one of a plurality of taints indicative of potential security risk originating from at least one of a plurality of resources, and response logic operable to monitor the at least one taint vector and respond to a predetermined taint condition. | 01-24-2013 |
20130024940 | OFFLOADING OPERATIONS TO A REPLICATE VIRTUAL MACHINE - A method for detecting malicious code within a first virtual machine comprising creating a snapshot of the first virtual machine and transferring the snapshot to a second machine. A scan operation is run on the snapshot using resources of the second machine. In response to detecting malicious code during the scan operation, action is taken at the first virtual machine to address the detection of the malicious code. Thus, the action in response to detecting the malicious code may include placing the first virtual machine in quarantine. | 01-24-2013 |
20130024941 | WINDOWS REGISTRY MODIFICATION VERIFICATION - A method and system are provided by which unauthorized changes to the registry may be detected and which provide the capability to verify whether registry, or other system configuration data, changes that occur on a computer system are undesirable or related to a possible malware attack before the changes become effective or are saved on the system. A method for verifying changes to system configuration data in a computer system comprises generating an identifier representing an entry in the system configuration data, packaging the identifier, and sending the packaged identifier to a client for verification. The identifier may be generated by hashing the first portion of the entry and the second portion of the entry to generate the identifier, or by filtering the first portion of the entry and hashing the filtered first portion of the entry and the second portion of the entry to generate the identifier. | 01-24-2013 |
20130036472 | Computer Worm Defense System and Method - A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems. | 02-07-2013 |
20130047256 | METHOD FOR PREVENTING A MOBILE COMMUNICATION DEVICE FROM LEAKING SECRET AND SYSTEM THEREOF - The invention provides a method for preventing a mobile communication device from leaking secrets and a system thereof. In the method, by adopting a mobile communication device side and PC side structure, a controlling module installation package is transferred from a PC side to the mobile communication device; the controlling module runs automatically and obtains root privilege of the operating system of the mobile communication device; the controlling module forbids the functions of silent dialing, silent answering, photo taking, video recording, voice recording, and Bluetooth and infrared connection. The advantages of the present invention are that it is suitable for on-site operation and that the possibility of any mobile communication device leaking secrets is eliminated by a PC terminal. | 02-21-2013 |
20130047257 | Systems and Methods for Computer Worm Defense - A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems. | 02-21-2013 |
20130055394 | NETWORK SECURITY RISK ASSESSMENT - A security risk of a computer network is assessed by simulating a threat environment of the computer network, wherein the threat environment includes a vulnerability and a website, simulating a protection environment of the computer network and a computer system in the computer network, and simulating network activity of the computer system. The security risk of the computer network is assessed based at least in part on the simulated threat environment, the simulated protection environment, and the simulated network activity of the computer system. | 02-28-2013 |
20130055395 | ENHANCED BROWSING WITH SECURITY SCANNING - A method scans a second web page linked to a first web page being displayed by a browser in a browser window. The method identifies, in the first web page, a target link to the second web page. Prior to receiving a user selection of the target link, the method prefetches content from the second web page and loads it into a safe cache according to a prefetching order before receiving the user selection of the target link and before the content of the second web page is opened by an application configured to provide access to the content of the second web page. The method scans the prefetched content from the second web page for a security threat, within the safe cache, which is configured to prevent the prefetched content from altering a memory location or storage location external to the safe cache. | 02-28-2013 |
20130055396 | SECURING ANTI-VIRUS SOFTWARE WITH VIRTUALIZATION - The subject disclosure relates to systems and methods that secure anti-virus software through virtualization. Anti-virus systems can be maintained separate from user applications and operating system through virtualization. The user applications and operating system run in a guest virtual machine while anti-virus systems are isolated in a secure virtual machine. The virtual machines are partially interdependent such that the anti-virus systems can monitor user applications and operating systems while the anti-virus systems remain free from possible malicious attack originating from a user environment. Further, the anti-virus system is secured against zero-day attacks so that detection and recovery may occur post zero-day. | 02-28-2013 |
20130061325 | Dynamic Cleaning for Malware Using Cloud Technology - A method for providing malware cleaning includes detecting potential malware on a first device connected to a network. A request including information to allow a second device connected to the network to determine an appropriate cleaning response is sent from the first device to the second device over the network. Upon receiving the request, the second device attempts to identify an appropriate cleaning response and, if a response is identified, sends the cleaning response over the network to the first device. The cleaning response is usable by the first device to address the detected potential malware. | 03-07-2013 |
20130061326 | BROWSING SUPPORT INFRASTRUCTURE WITH TIERED MALWARE SUPPORT - A network browser has a Malware detection manager for direct or indirect scanning of files during an upload or download processes for viruses, adware, spyware, etc. The malware detection manager defines and employs a quarantine bin, which is an isolated and secure memory space or directory for temporary placement of file packets during the file transmission while malware detection can commence. The malware detection manager scans for malware code associated with the packet sequence encountered during a file transmission to and from the Internet, during which it quarantines all the scanned packets in the quarantine bin. Quarantined files can be released if there is a human challenge authorizing the release of the file. Exchanging a Malware free signature between server and client via a trusted download center may be done so the client device need not scan the files for malware if content is certified and guaranteed as malware-free. | 03-07-2013 |
20130067576 | Restoration of file damage caused by malware - In accordance with an example embodiment of the present invention, there is provided a method including: detecting malware in a computer system and, in response to the detection of the malware in the computer system, initiating deactivation of the malware; detecting a file altered by the malware in response to successful deactivation of the malware; and initiating restoration of the altered file in response to the detection of the file altered by the malware. | 03-14-2013 |
20130067577 | Malware scanning - According to a first aspect of the present invention there is provided a method of scanning a computer device in order to detect potential malware when an operating system running on the computer device prevents applications installed on the device from accessing installed files of other applications installed on the device. The method includes the steps of detecting installation of an application on the device, identifying one or more installation files that are required to perform the installation of the application, and performing a malware scan of the identified installation files and/or information obtained from the installation files. | 03-14-2013 |
20130067578 | Malware Risk Scanner - A technique for improving the installation of anti-malware software performs an analysis of a computer on which anti-malware software is to be installed prior to complete installation of the anti-malware software. If the analysis determines that the computer may already contain malware, then an attempt may be made to scan and clean the computer prior to the installation of a portion of the anti-malware software. Otherwise, the pre-installation scan and clean may be bypassed, allowing the installation of that portion of the anti-malware software. | 03-14-2013 |
20130067579 | System and Method for Statistical Analysis of Comparative Entropy - In accordance with one embodiment of the present disclosure, a method for determining the similarity between a first data set and a second data set is provided. The method includes performing an entropy analysis on the first and second data sets to produce a first entropy result, wherein the first data set comprises data representative of a first one or more computer files of known content and the second data set comprises data representative of a one or more computer files of unknown content; analyzing the first entropy result; and if the first entropy result is within a predetermined threshold, identifying the second data set as substantially related to the first data set. | 03-14-2013 |
20130067580 | Computer Virus Screening Methods and Systems - A method includes receiving a status update from a client device, where the status update reflects at least one change associated with the client device; updating a model of the client device based on the status update; receiving data to be screened for a virus, where the data is received after the model of the client device has been updated; and screening the model of the client device for the virus. Systems and articles of manufacture are also disclosed. | 03-14-2013 |
20130074185 | Providing a Network-Accessible Malware Analysis - In certain embodiments, a computer-implemented method comprises receiving, via a computer network and from a first computer system, a first malware analysis request. The first malware analysis request comprises a file to be analyzed for malware by a malware analysis system. The method includes initiating a malware analysis by the malware analysis system of the first file for malware. The method includes communicating to the first computer system a response for the first file determined by the malware analysis system to the first computer system. The response comprises an indication of whether the first file comprises malware. | 03-21-2013 |
20130074186 | DEVICE-TAILORED WHITELISTS - A particular set of attributes of a particular computing device is identified. A first plurality of whitelisted objects is identified in a global whitelist corresponding to the particular set of attributes. A particular whitelist is generated to include the identified set of whitelisted objects, the particular whitelist tailored to the particular computing device. In some aspects, device-tailored updates to the particular whitelist are also generated. | 03-21-2013 |
20130074187 | HACKER VIRUS SECURITY-INTEGRATED CONTROL DEVICE - A hacker virus security-integrated control device is separately operated by implementing existing security programs for viruses, malicious spyware and cloaker programs as an embedded device in integrated hardware. The device can protect computers and external storage devices from malicious programs that may infect data transmitted from the Internet, data transmitted between computers, and data in external storage devices, by implementing as integrated hardware a protection and disinfection program for various malicious programs, a protection and disinfection program for spyware, a defense program against cloakers' intrusion, and a program for actively coping with new malicious programs, so as to defend against intrusion by existing malicious programs and disinfect them, to actively cope with newly generated malicious programs, to defend against cloakers' malicious access to the computers, and to warn the cloakers of their malicious actions. | 03-21-2013 |
20130081142 | System, Method, and Logic for Classifying Communications - In accordance with particular embodiments, a method includes intercepting a communication and extracting metadata associated with the communication. The extracted metadata comprises a plurality of different fields from communication metadata and file metadata. The method further includes determining a score, based on previous communications, for each field of the extracted metadata. The score is indicative of a likelihood that the communication is a malicious communication. The method additionally includes combining the scores to generate a combined score for the communication based on an algorithm developed from the previous communications. The method also includes generating, based on the combined score at a first time, a predicted classification as to whether the communication is a malicious communication. The method further includes receiving, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication and updating the algorithm based on the indication. | 03-28-2013 |
20130086683 | SELECTIVELY SCANNING OBJECTS FOR INFECTION BY MALWARE - Techniques are described herein that are capable of selectively scanning objects for infection by malware (i.e., to determine whether one or more of the objects are infected by malware). For instance, metadata that is associated with the objects may be reviewed to determine whether update(s) have been made with regard to the objects since a determination was made that the objects were not infected by malware. An update may involve increasing a number of the objects, modifying one of the objects, etc. Objects that have been updated (e.g., added and/or modified) since the determination may be scanned. Objects that have not been updated since the determination need not necessarily be scanned. For instance, an allowance may be made to perform operations with respect to the objects that have not been updated since the determination without first scanning the objects for infection by malware. | 04-04-2013 |
20130086684 | CONTEXTUAL VIRTUAL MACHINES FOR APPLICATION QUARANTINE AND ASSESSMENT METHOD AND SYSTEM - Described are embodiments that provide for the use of multiple quarantine partitions and/or multi-partition spaces (e.g., virtual machines) for initially installing and running downloaded content. The downloaded content can be run securely in the quarantine partitions and/or multi-partition spaces. Each quarantine partition and/or multi-partition space can be configured differently with different capabilities. Based on the configuration and capabilities of the quarantine partitions and/or multi-partition spaces, the downloaded content may have limited capabilities to access secure data, applications, or other code limiting the damage that the content can potentially cause. | 04-04-2013 |
20130091574 | INCIDENT TRIAGE ENGINE - An incident triage engine performs incident triage in a system by prioritizing responses to incidents within the system. One prioritization method may include receiving attributes of incidents and assets in the system, generating cumulative loss forecasts for the incidents, and prioritizing the responses to the incidents based on the cumulative loss forecasts for the incidents. Another prioritization method may include determining different arrangements of incidents within a response queue, calculating cumulative queue loss forecasts for the different arrangements of incidents within the response queue, and arranging the incidents in the response queue based on the arrangement of incidents that minimizes the total loss to the system over the resolution of all of the incidents present in the response queue. | 04-11-2013 |
20130091575 | ANTIVIRUS SYSTEM AND METHOD FOR REMOVABLE MEDIA DEVICES - A removable media device, which may be a USB-attached device or another type of removable media device, includes a software program located on the device which, upon startup or access, scans electronic files stored on the removable media device and/or electronic files being transferred between the removable media device and a host computing system, for the detection of viruses therein. The software program is further configured to block the transfer of electronic files in which a virus is detected, and to disallow the copying or writing of files that cannot be scanned between the removable media device and a host computing system. The software program is further configured to block the encryption of files being written to a removable media device, if such device provides hardware or software encryption, when such files cannot be scanned. | 04-11-2013 |
20130091576 | WIRELESS COMMUNICATION SYSTEM CONGESTION REDUCTION SYSTEM AND METHOD - A messaging server forwards emails to mobile communication devices of users to whom the emails were respectively addressed. An antivirus server determines whether an email addressed to a user of a mobile communication device, to be forwarded by the messaging server to the mobile communication device, is infected with a virus. In response to determining the email is infected with a virus, a bulletin generator transmits, to the mobile communication devices besides the mobile communication device of the addressee of the email determined to be infected, an all points bulletin message disclosing the existence of the virus. The bulletin message is transmitted directly to, instead of via email to, the wireless mobile communication devices. | 04-11-2013 |
20130097705 | IDENTIFICATION OF ELECTRONIC DOCUMENTS THAT ARE LIKELY TO CONTAIN EMBEDDED MALWARE - The present invention provides a method for determining the likelihood that an electronic document contains embedded malware. After parsing or sequencing an electronic document, the metadata structures that make up the document are analyzed. A number of pre-established rules are then applied with respect to certain metadata structures that are indicative of embedded malware. The application of these rules results in the generation of a score for the electronic document being tested for embedded malware. The score is then compared to a threshold value, where the threshold value was previously generated based on a statistical model relating to electronic documents having the same format as the document being tested. The result of the comparison can then be used to determine whether the document being tested is or is not likely to contain embedded malware. | 04-18-2013 |
20130097706 | AUTOMATED BEHAVIORAL AND STATIC ANALYSIS USING AN INSTRUMENTED SANDBOX AND MACHINE LEARNING CLASSIFICATION FOR MOBILE SECURITY - The present system includes a computer-networked system that allows mobile subscribers, and others, to submit mobile applications to be analyzed for anomalous and malicious behavior using data acquired during the execution of the application within a highly instrumented and controlled environment for which the analysis relies on per-execution as well as comparative aggregate data across many such executions from one or more subscribers. | 04-18-2013 |
20130097707 | TERMINAL AND METHOD FOR TERMINAL TO DETERMINE FILE DISTRIBUTOR - Provided are a terminal and a file distributor determining method of the terminal. According to embodiments of the present invention, files pre-executed in the terminal and distributor information of the files are cached. When a new file is generated in the terminal, the new file and the cached files are compared, and distributor information of the new file is extracted so as to prevent the spread of a malicious code in advance. | 04-18-2013 |
20130104234 | Defensive Techniques to Increase Computer Security - Among other disclosed subject matter, a computer-implemented method includes initializing a first descriptor table and a second descriptor table. The first descriptor table is associated with a first permission level and the second descriptor table is associated with a second permission level that is different from the first permission level. The first descriptor table and the second descriptor table are associated with a hardware processor and initialized by an operating system kernel. The method also includes providing a memory address associated with the first descriptor table, in response to a descriptor table address request. The descriptor table address request is provided by a software process. The method also includes updating the second descriptor table, in response to an update request. | 04-25-2013 |
20130104235 | DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES - Systems and methods for content filtering are provided. According to one embodiment, a type and structure of an archive file are determined. The archive file includes identification bytes that identify the type of archive file and header information both in unencrypted and uncompressed form and a file data portion containing contents of files in encrypted form, compressed form or both. The determination is based solely on the identification bytes and/or the header information. Based thereon, descriptive information, describing characteristics of the files, is extracted from the header information for each file. The descriptive information includes a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in compressed form. A file is identified as being potentially malicious or undesired when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match. | 04-25-2013 |
20130111591 | Fuzzy Whitelisting Anti-Malware Systems and Methods | 05-02-2013 |
20130117854 | System and Method for Bidirectional Trust Between Downloaded Applications and Mobile Devices Including a Secure Charger and Malware Scanner - A system and method are described that enable mobile smart devices, such as cellular phones, PDAs, iPads, smartphones, mobile payment systems, mobile healthcare systems, handheld law enforcement systems, and other types of tablet devices, to trust downloaded applications, and that enable the downloaded applications to trust the mobile smart devices onto which they are downloaded. The system and method charge a mobile smart device and, while charging it, scan the applications and the operating system on the mobile smart device for malware and other viruses. | 05-09-2013 |
20130117855 | APPARATUS FOR AUTOMATICALLY INSPECTING SECURITY OF APPLICATIONS AND METHOD THEREOF - An apparatus automatically inspects security of mobile applications. The apparatus includes a static analyzer to perform a static analysis by reversing an execution file of the mobile application, and an automatic execution processor to generate an automatic execution script used to automatically execute the execution file and execute the automatic execution script automatically to generate a log. The apparatus further includes a dynamic analyzer to analyze whether a pattern of malicious codes was executed in the execution file using the result of the static analysis and the log resulted from the automatic execution. | 05-09-2013 |
20130125238 | CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS - Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a first set of Server Message Block/Common Internet File System (SMB/CIFS) protocol requests originated by a first process running on a client and relating to a file associated with a share of a server and a second set of SMB/CIFS protocol requests originated by a second process running on the client and relating to the file are transparently proxied by a gateway device. The existence or non-existence of malicious, dangerous or unauthorized content contained within the file is determined by the gateway device by (i) buffering data being read from or written to the file as a result of the first and second set of SMB/CIFS protocol requests into a shared file buffer; and (ii) performing content filtering on the shared file buffer when a scanning condition is satisfied. | 05-16-2013 |
20130139264 | APPLICATION SANDBOXING USING A DYNAMIC OPTIMIZATION FRAMEWORK - A method for preventing malware attacks includes, launching an application on an electronic device, intercepting one or more instructions from the application, determining whether the one or more instructions includes an attempt to access a sensitive system resource of the electronic device, rewriting the one or more instructions to access the secured system resource of the electronic device, executing the rewritten instructions on the electronic device, and observing the results of the rewritten instructions. The application is attempting to execute the one or more instructions. | 05-30-2013 |
20130139265 | SYSTEM AND METHOD FOR CORRECTING ANTIVIRUS RECORDS TO MINIMIZE FALSE MALWARE DETECTIONS - Disclosed are a system, method and computer program product for correcting antivirus records. In an example method, during analysis of a software object for malware, an antivirus application retrieves from an antivirus database an antivirus record associated with the analyzed object, which identifies the object as malicious or clean. The application also checks whether there is a correction for the antivirus record in an antivirus cache and uses the correction for analysis of the software object. If no correction is found in the cache, the application checks the correctness of the antivirus record with an antivirus server. The antivirus server uses statistical information about software objects, collected from antivirus applications deployed on different computers, to validate the correctness of antivirus records. If the antivirus server provides a correction for the antivirus record, the application uses the provided correction for analysis of the software object for malware. | 05-30-2013 |
20130145469 | PREVENTING AND DETECTING PRINT-PROVIDER STARTUP MALWARE - A method for preventing malware attacks includes detecting an attempt on an electronic device to modify a print service registry, determining an entity associated with the attempt to modify the print service registry, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the modification to the print service registry. The print service registry is configured to store configuration information about mechanisms to be used when printing from the electronic device. | 06-06-2013 |
20130145470 | DETECTING MALWARE USING PATTERNS - In certain embodiments, a method includes receiving a first file. The method also includes accessing at least one storage module comprising a first malware pattern, a second malware pattern, and a third malware pattern. The second malware pattern is a first permutation of the first malware pattern. The third malware pattern is a second permutation of the second malware pattern and is different than the second malware pattern. The method includes comparing, by at least one processor, the first file to the third malware pattern. In addition, the method includes determining, by the at least one processor, that the first file comprises malware in response to comparing the file to the third malware pattern. | 06-06-2013 |
20130145471 | Detecting Malware Using Stored Patterns - In one embodiment, a method includes identifying a plurality of portions of a file and comparing the plurality of portions of the file to a plurality of stored patterns. The plurality of stored patterns include portions of known malware. The method also includes determining, from the plurality of portions of the file and based on the comparing of the plurality of portions of the file to the plurality of stored patterns, a set of matching portions. The set of matching portions include one or more of the plurality of portions of the file. In addition, the method includes determining a score for each portion in the set of matching portions and providing information regarding the set of matching portions. The information includes the scores determined for each portion of the set of matching portions. | 06-06-2013 |
20130152200 | Predictive Heap Overflow Protection - A method for preventing malware attacks includes identifying a set of data whose malware status is not known to be safe, launching an application using the data, determining that one or more prior memory allocations have been created by the application, determining that a new memory allocation has been created by the application, comparing the new memory allocation to the prior memory allocations, and based on the comparison, determining whether the data includes malware. | 06-13-2013 |
20130152201 | Adjunct Computing Machine for Remediating Malware on Compromised Computing Machine - Described is a technology by which a malware-compromised machine, such as a personal computer is cleaned through the use of a functional adjunct machine, such as a mobile device (or vice-versa). The functional adjunct machine performs actions on behalf of the malware-compromised machine and/or to assist the remediation. This may include downloading antimalware-related data (e.g., an application, antimalware code, signature updates and/or the like) via a marketplace/application store, and transferring at least some of the data and/or programs to the compromised machine. Other actions may include using the functional adjunct machine to boot the malware-compromised machine into a non-compromised state and providing the data or programs to allow remediation of the malware while in this state. | 06-13-2013 |
20130152202 | APPARATUS AND METHOD FOR ANALYZING MALWARE IN DATA ANALYSIS SYSTEM - An apparatus and method for analyzing malware in a data analysis system are provided. The apparatus includes a data analysis unit and a controller. The data analysis unit sorts data into primary harmful data and primary harmless data using screening data information of malicious code information and virus information. The controller screens or deletes the primary harmful data, and sends a request for precision analysis of the primary harmless data to a server. The data analysis unit sorts secondary harmful data from the primary harmless data using the precision analysis result received from the server. | 06-13-2013 |
20130152203 | OPERATION OF A DUAL INSTRUCTION PIPE VIRUS CO-PROCESSOR - Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a method for virus processing content objects is provided. A content object is stored within a system memory by a general purpose processor using a virtual address. Most recently used entries of a page directory and a page table of the system memory are cached within a translation lookaside buffer (TLB) of a virus co-processor. Instructions are read from a virus signature memory of the co-processor. Those of a first type are assigned to a first of multiple instruction pipes of the co-processor. The first instruction pipe executes an instruction including accessing a portion of the content object by performing direct virtual memory addressing of the system memory using a physical address derived based on the virtual address and the TLB and comparing it to a string associated with the instruction. | 06-13-2013 |
20130160124 | Disinfection of a File System - A method for determining appropriate actions to remedy potential security lapses following infection of a device by malware. Following detection of infection of the device the device undergoes a cleaning operation. As part of the cleaning operation infected electronic files and any other associated files or objects are removed from the device. From timestamps associated with the infected files and associated files and objects, either directly or from another source such as an anti-virus trace program, the time of infection can be estimated. This allows the system to reference timestamps on the device to determine the source of the infection. Additionally, if the type of infection is identified timestamps on the device can be used to determine where there are particular areas of vulnerability due to user actions on the device. | 06-20-2013 |
20130160125 | METHOD AND SYSTEM FOR RAPID SIGNATURE SEARCH OVER ENCRYPTED CONTENT - A method for detecting malware includes dividing data to be scanned for malware into at least a first data segment and a second data segment, dividing a signature corresponding to an indication of malware into at least a first signature segment and a second signature segment, performing a relationship function on the first signature segment and the second signature segment yielding a first result, performing the relationship function on the first data segment and the second data segment yielding a second result, comparing the first result and the second result, and, based on the comparison, determining that the data includes information corresponding to the signature. The relationship function characterizes the relationship between at least two information sets. | 06-20-2013 |
20130160126 | MALWARE REMEDIATION SYSTEM AND METHOD FOR MODERN APPLICATIONS - A system is described for remediating a malicious modern application installed on an end user device. In an embodiment, the system includes an antimalware program executing on the end user device that can detect and attempt to remediate the malicious modern application, an operating system executing on the end user device that is configured to interact with the antimalware program for the purpose of facilitating the establishment of a connection between the end user device and an application support system in response to determining that the antimalware program has detected and attempted to remediate the malicious modern application, and the application support system that can perform remediation operations beyond those that can be performed by the antimalware program. | 06-20-2013 |
20130160127 | SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE OF PDF DOCUMENT TYPE - Disclosed herein is a PDF document type malicious code detection system for efficiently detecting a malicious code embedded in a document type and a method thereof. The present invention may perform a dynamic and static analysis on JavaScript within a PDF document, and execute the PDF document to perform a PDF dynamic analysis, thereby achieving an effect of efficiently extracting a malicious code embedded in the PDF document. | 06-20-2013 |
20130167235 | AUGMENTING SYSTEM RESTORE WITH MALWARE DETECTION - An anti-malware program monitors the behavior of a system after a system restore to determine the likelihood of a hidden infection of malicious code still existing after the system restore. The anti-malware program observes the dynamic behavior of the system by monitoring conditions that are likely to signify the possibility of an infection thereby necessitating the need to initiate anti-malware detection. The anti-malware program may observe the restoration history, system settings, malware infection history, to determine the likelihood of an existing hidden infection after a system restore. | 06-27-2013 |
20130167236 | METHOD AND SYSTEM FOR AUTOMATICALLY GENERATING VIRUS DESCRIPTIONS - Systems and methods for automatically generating information describing malware are disclosed. In accordance with certain embodiments, a client computer may be provided with an antivirus program capable of finding malware and a server for receiving malware information sent from the antivirus program via a network. In accordance with one embodiment, the antivirus program may check the client computer for malware and, in the event that malware is found, the antivirus program may acquire information about the malware such as the type of malware, the form of identification of the malware, whether the malware has already been executed, and/or whether it has been possible to remove the malware. This malware information may be transmitted from the client computer to the server in an automatic, structured manner. When received by the server, the malware information may be fed into a database on the server and subsequently displayed, for example, in an automatic, structured manner on a web page or via an interface of the antivirus program. | 06-27-2013 |
20130174258 | Execution of Multiple Execution Paths - Techniques for execution of multiple execution paths are described. In one or more embodiments, an execution of a portion of executable code is conditioned upon a particular environment-specific value. For example, the execution of the executable code can cause one type of output if the value of the variable equals a particular value, and can cause a different type of output if the value of the variable equals a different value. Techniques discussed herein can enable the executable code to be executed such that multiple outputs are produced, e.g., by executing the code according to the different values for the variable. In implementations, the multiple outputs can be analyzed for various attributes, such as presence of malware, implementation and coding errors, and so on. | 07-04-2013 |
20130179972 | STORAGE DEVICE WITH INTERNALIZED ANTI-VIRUS PROTECTION - An approach to handling connection errors between an external antivirus server and a storage device is disclosed. The storage device is equipped with an internal antivirus server. Antivirus metadata that describes the antivirus scan is stored in an antivirus metadata repository on the storage device. The connection between the external antivirus server and the storage device is monitored. The external antivirus server executes the antivirus scan on the storage device. If the connection fails, control of the antivirus scan is passed from the external antivirus server to the internal antivirus server. The internal antivirus server determines where to begin based on the antivirus metadata. When the connection is restored, control is passed back to the external antivirus server. | 07-11-2013 |
20130179973 | DETECTING STATUS OF AN APPLICATION PROGRAM RUNNING IN A DEVICE - A detecting system includes a sense terminal and detecting circuitry coupled to the sense terminal. The sense terminal receives an indicative signal indicative of a supply current of a power source. The detecting circuitry calculates variation in the supply current based on the indicative signal, estimates power consumption of an application program residing on a computer-readable medium according to the variation, and detects whether an abnormal condition occurs by comparing the estimated power consumption with a reference. | 07-11-2013 |
20130179974 | INFERRING A STATE OF BEHAVIOR THROUGH MARGINAL PROBABILITY ESTIMATION - Systems, computer-readable media storing instructions, and methods can infer a state of behavior. Such a method can include constructing a graph including nodes representing hosts and domains based on an event dataset. The graph can be seeded with information external to the event dataset. A belief whether each of the nodes is in a particular state of behavior can be calculated based on marginal probability estimation. | 07-11-2013 |
20130179975 | Method for Extracting Digital Fingerprints of a Malicious Document File - A method for extracting the genetic fingerprinting of a malicious document file includes the steps of establishing a database to store a plurality of genetic fingerprinting data of the first malicious document, then retrieving a document file sent via the Internet, and then proceeding with multi-point detection and extraction on the document file, so as to obtain a multi-point section, then comparing and analyzing the multi-point section with the plurality of genetic fingerprinting data of the first malicious document to confirm whether the multi-point section program code of the document file matches a malicious feature, thereby achieving the goal of extracting the content information of the document file and converting it into the genetic fingerprinting data of a new malicious document. | 07-11-2013 |
20130179976 | PLANT SECURITY MANAGING DEVICE, MANAGING METHOD AND MANAGING PROGRAM - A technology is provided which ensures high security without affecting plant operation. A plant security managing device includes a determining unit that determines which one of control units multiplexed as a service system and a standby system associated with monitoring and controlling of a plant is the standby system, a security processing unit that performs a security process for detecting the presence/absence of a security abnormality on the control unit that is the standby system, and a change instructing unit that outputs an instruction for swapping the control unit that is the standby system and the control unit that is the service system with each other after the completion of the security process by the security processing unit. | 07-11-2013 |
20130185798 | IDENTIFYING SOFTWARE EXECUTION BEHAVIOR - The present invention extends to methods, systems, and computer program products for identifying software execution behavior. Embodiments of the invention can be used to assist a user in making a reasoned and informed decision about whether the behavior of executable code is malicious. Data indicative of executable code behavior can be collected statically without having to execute the executable code. Behavior data can be collected essentially automatically with little, if any, user involvement. A user initiates analysis of executable code and is provided a visual categorized representation of behavior data for the executable code. | 07-18-2013 |
20130185799 | TRUSTED INSTALLATION OF A SOFTWARE APPLICATION - The trust reputation of the combination of an installation package and installer, as a pair, and the combination of a file and an installer, as a pair, is used to store the identity of a file in a persistent cache. An entry in the persistent cache indicates the trustworthiness of a file that does not contain malware, thereby avoiding a scan of the file for malware. The trustworthiness of a file may be determined from known trust reputations of the installation package, installer, and file from a network of computing resources. By relying on the known trust reputation of the combination of the installation package and installer and the combination of the file and installer, the identity of the file may be stored in the persistent cache quickly. | 07-18-2013 |
20130185800 | ANTI-VIRUS PROTECTION FOR MOBILE DEVICES - A computing device, machine-readable medium, and method associated with identifying viruses on a mobile device are disclosed. In embodiments, a computing device may include a communication interface, one or more storage media containing instructions, and a processing unit coupled to the communication interface and the one or more storage media. The instructions, when executed by the processor, may configure the computing device to analyze files, received by the computing device, for the presence of a virus. The instructions, when executed by the processor, may further notify the mobile device when the presence of a virus is detected. | 07-18-2013 |
20130191918 | Identifying Trojanized Applications for Mobile Environments - Trojanized apps for mobile environments are identified. Multiple apps for a specific mobile environment are obtained from one or more external sources. Code and digital signers are extracted from the apps and stored. For each given specific one of the obtained apps, the code of the specific app is compared to the code of other obtained apps, to determine whether the specific app 1) contains at least a predetermined threshold amount of code in common with one of the other apps, and 2) contains additional code not contained therein. If so, the digital signer of the specific app is compared to the digital signer of the other app. If it is also the case that the digital signer of the specific app is not the same as the digital signer of the other app, the specific app is identified as being trojanized. | 07-25-2013 |
20130198843 | ANTIVIRUS SCAN DURING A DATA SCRUB OPERATION - For an antivirus scan during a data scrub operation, an antivirus scan is concurrently performed as an overlap with the data scrub operation, wherein the data scrub operation periodically inspects and corrects memory errors. | 08-01-2013 |
20130198844 | ANTIVIRUS SCAN DURING A DATA SCRUB OPERATION - For an antivirus scan during a data scrub operation, an antivirus scan is concurrently performed as an overlap with the data scrub operation, wherein the data scrub operation periodically inspects and corrects memory errors. | 08-01-2013 |
20130205395 | PRE-BOOT FIRMWARE BASED VIRUS SCANNER - The present disclosure relates to allowing the utilization of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation and, more particularly, to allowing the utilization of a virus scanner and cleaner that operates primarily during the loading of an operating system. | 08-08-2013 |
20130205396 | Detecting Malicious Software - A computer implemented method, apparatus, and program code for detecting malicious software components. A series of calls made by a software component is monitored to identify an identified respective series of call types to components named in said calls. A determination is made as to whether the identified respective series of call types to components named in said calls is indicative of malicious behavior. | 08-08-2013 |
20130227691 | Detecting Malicious Network Content - Systems and methods for detecting malicious content on portable data storage devices or remote network servers are provided. In an exemplary embodiment, a system comprises a quarantine module configured to detect one or more portable data storage devices upon insertion of the devices into a security appliance, wherein the security appliance is configured to receive the portable data storage devices, a controller configured to receive from the security appliance, via a communication network, data associated with the portable data storage devices, an analysis module configured to analyze the data to determine whether the data includes malware, and a security module to selectively identify, based on the determination, the one or more portable data storage devices storing the malware. | 08-29-2013 |
20130227692 | SYSTEM AND METHOD FOR OPTIMIZATION OF ANTIVIRUS PROCESSING OF DISK FILES - A system and method for optimization of AV processing of disk files. The system includes an AV scanner, a data cache module, an AV service and file analysis module. The optimization allows for reduction of time needed for the AV processing. Trusted files associated with a trusted key file are found. The trusted files that have been found are cached and excluded from further AV processing and the AV processing time is reduced. | 08-29-2013 |
20130232576 | SYSTEMS AND METHODS FOR CYBER-THREAT DETECTION - Disclosed herein are systems and methods relating generally to computer system security and more specifically to scalable cyber-threat detection systems and methods that systematically and automatically execute and monitor code within a secure isolated environment to automatically identify and filter out malicious code so that it is not executed on a live system. | 09-05-2013 |
20130239214 | METHOD FOR DETECTING AND REMOVING MALWARE - A method for detecting and removing a suspicious software code in a computer system, according to which the installation process of the suspicious software code is monitored by a client agent residing within the computer system where predetermined operations of the suspicious software code are identified and registered during the installation process. The predetermined operations are compared with a known software code in order to define whether the software code is similar to the known software code. It is then determined if the suspicious software code is malware and if it is, the client agent is instructed to uninstall the suspicious software code from the OS, or to remove its entry from the boot registry. | 09-12-2013 |
20130239215 | DETECTING MALICIOUS COMPUTER CODE IN AN EXECUTING PROGRAM MODULE - Prior to execution of computer program instructions, the computer identifies one or more addresses in memory corresponding to the locations of one or more of the computer program instructions in the computer program. During execution of the computer program instructions, the computer identifies in the computer program another computer program instruction located in another address in the memory, and in response, the computer makes an indication that the computer program has an indicia of maliciousness. | 09-12-2013 |
20130239216 | System and Method for Bidirectional Trust Between Downloaded Applications and Mobile Devices Including a Secure Charger and Malware Scanner - A system and method are described that will enable mobile smart devices, such as cellular phones, PDAs, iPads, smartphones, mobile payment systems, mobile healthcare systems, handheld law enforcement systems, and other types of tablet devices, to trust downloaded applications and for the downloaded applications to trust the mobile smart devices onto which they are downloaded. The system and method enable charging a mobile smart device and, while charging the mobile smart device, scanning for malware and other viruses in the applications and the operating system on the mobile smart device. | 09-12-2013 |
20130247197 | Security network processor system and method - A system, method and computer program product are provided for scanning data received from a computer network. Included is a central processing unit for processing data. Coupled between the central processing unit and a network is a network processor. Such network processor is capable of scanning data received from the network based on an update. Such network processor is further capable of receiving the update via the network. | 09-19-2013 |
20130247198 | Emulator updating system and method - One embodiment includes a method and computer program product for distributing and/or receiving a first emulator extension with respect to an emulator capable of performing an emulation using emulation code. The first emulator extension includes program instructions that aid in the process of emulating in order to detect potentially unwanted computer software. Such program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the potentially unwanted computer software within the suspect code. In use, an emulation is performed using the first emulator extension and the suspect code. The emulation is performed within an insulated environment in a computer system so that the computer system is insulated from potentially unwanted actions of the suspect code. | 09-19-2013 |
20130247199 | System, method and computer program product for removing null values during scanning - A system, method, and computer program product are provided for scanning data values. Initially, a set of data values are received. Null values between the data values are then removed such that the data values are contiguous. Further, the data values with the null values removed are scanned for the purpose of identifying unwanted data. | 09-19-2013 |
20130247200 | Scanning computer files for specified content - Scanning for computer viruses or E-mail and data content filtering is performed using a distributed programming approach. A master computer | 09-19-2013 |
20130247201 | SYSTEM AND METHOD FOR MALWARE AND NETWORK REPUTATION CORRELATION - A method is provided in one example embodiment and includes receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection. The network connection may be blocked if the reputation value indicates the hash or the network address is associated with malicious activity. In more specific embodiments, the method may also include sending a query to a threat analysis host to request the reputation value. Additionally or alternatively the reputation value may be based on query patterns in particular embodiments. In yet more specific embodiments, the network connection may be an inbound connection and/or an outbound connection, and the reputation value may be based on a file reputation associated with the hash and a connection reputation associated with the network address of the remote end of the network connection. | 09-19-2013 |
20130247202 | DYNAMIC MANAGEMENT OF RESOURCE UTILIZATION BY AN ANTIVIRUS APPLICATION - System and method for dynamically managing utilization of computing capacity by an antivirus application having distinct security modules configurable by adjustment of operational parameters. An identification of the computing resources required by each of the security modules to perform certain corresponding security-related functionality is obtained. A current state of authorization granted to the antivirus application to access each of the plurality of computing resources is determined. The operational parameters are adjusted for the at least one of the security modules in response to a determination that the current state of authorization is insufficient for the antivirus application to access certain ones of the computing resources required by the at least one of the security modules to perform its corresponding functionality. The operational parameters are adjusted to disable the corresponding functionality and to thereby de-allocate a portion of the computing capacity needed to execute that corresponding functionality. | 09-19-2013 |
20130254892 | DETECTING MALICIOUS COMPUTER CODE IN AN EXECUTING PROGRAM MODULE - A computer program includes one or more computer program instructions, each computer program instruction being of one or more instruction types. Prior to execution of the computer program instructions, the computer determines respective counts for the instruction type(s) of the computer program instructions. At a time during execution of the computer program instructions, the computer determines respective counts for the instruction type(s) of the computer program instructions. The computer, in response to determining that the count for one of the instruction types determined prior to execution differs a predetermined amount from the count for the same instruction type determined during execution, makes a record that the computer program has an indicia of maliciousness. | 09-26-2013 |
20130254893 | APPARATUS AND METHOD FOR REMOVING MALICIOUS CODE - Disclosed are an apparatus and a method for removing a malicious code. Accordingly, the present invention provides a technology of mixing a cloud computing based network detecting scheme and a conventional malicious code detecting scheme for providing a detection engine to a client terminal according to a situation based on characteristics of the client terminal, helping efficiently cope with a malicious code. | 09-26-2013 |
20130263269 | Controlling Anti-Virus Software Updates - The present invention relates to a method of controlling the download of anti-virus software updates to a device. The device is configured to transmit an update query to a network device requesting information on whether any updates are available for the anti-virus software. When the device receives the response it stores the response in the cache. The cache can then be queried following a trigger and, if the cache indicates an update to the anti-virus software is available the device downloads an update to the anti-virus software. In an alternative embodiment the device may download and install an update upon receiving the response to the query if the response to the query indicates that an update is available. The query may be transmitted during a scan or upon determining a change in a connection at a device. | 10-03-2013 |
20130263270 | SYSTEMS AND METHODS FOR DETECTING MALICIOUS CODE - A system, method, and computer-readable medium for detecting malicious computer code are provided. Instructions, such as HTML or JavaScript instructions may be received from a server, parsed, and executed. During execution of the instructions, one or more functions of a software application, such as a web browser, may be hooked, and an event object may be created for each called function that is hooked, resulting in a collection of event objects. Rules may be matched with event objects of the collection of event objects to detect malicious code. Attributes from the matched event objects may then be used to locate original malicious script or code injected into a web page. | 10-03-2013 |
20130263271 | DETECTING NETWORK TRAFFIC CONTENT - A device for detecting network traffic content is provided. The device includes a memory configured for storing one or more signatures, each of the one or more signatures associated with content desired to be detected, and defined by one or more predicates. The device also includes a processor configured to receive data associated with network traffic content, execute one or more instructions based on the one or more signatures and the data, and determine whether the network traffic content matches the content desired to be detected. | 10-03-2013 |
20130269034 | PROACTIVE CONTAINMENT OF NETWORK SECURITY ATTACKS - One embodiment disclosed relates to a method of proactive containment of network security attacks. Filtering parameters corresponding to a specific system vulnerability are determined. These parameters are distributed to network infrastructure components, and the network infrastructure components examine packets using these parameters to detect occurrence of an attack. Once an attack is detected, the network infrastructure components take action to inhibit the attack. Other embodiments are also disclosed. | 10-10-2013 |
20130276118 | System, method and computer program product for detecting encoded shellcode in network traffic - A system, method and computer program product are provided for detecting encoded shellcode. In use, network traffic that is encoded is identified. Further, it is determined whether the network traffic that is encoded includes shellcode. | 10-17-2013 |
20130276119 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR REACTING TO A DETECTION OF AN ATTEMPT BY A PROCESS THAT IS UNKNOWN TO CONTROL A PROCESS THAT IS KNOWN - A system, method, and computer program product are provided for reacting to a detection of an attempt by a process that is unknown to control a process that is known. In operation, an attempt by a first process that is unknown to control a second process that is known is detected. Furthermore, there is a conditional reaction based on the detection. | 10-17-2013 |
20130276120 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DETERMINING WHETHER A SECURITY STATUS OF DATA IS KNOWN AT A SERVER - A system, method, and computer program product are provided for determining whether a security status of data is known at a server. In use, a request for a security status of data is received over a network at a server. Additionally, it is determined whether the security status is known at the server using at least one of a whitelist and a blacklist. Furthermore, a result of the determination is transmitted over the network. | 10-17-2013 |
20130276121 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR IDENTIFYING A FILE USED TO AUTOMATICALLY LAUNCH CONTENT AS UNWANTED - A system, method, and computer program product are provided for identifying a file utilized to automatically launch content as unwanted. In one embodiment, a file is identified in response to a detection of unwanted code, the file utilized to automatically launch content. Additionally, it is determined whether an identifier associated with the unwanted code is included in the file. Further, the file is identified as unwanted based on the determination. | 10-17-2013 |
20130276122 | SYSTEM AND METHOD FOR PROVIDING STORAGE DEVICE-BASED ADVANCED PERSISTENT THREAT (APT) PROTECTION - An embodiment of a system and method for providing storage device-based advanced persistent threat (APT) protection receives a file write request of a file object, writes the file object to a temporary storage device, computes a hash value of the file object in the temporary storage device, and compares the hash value of the file object to hash values stored in an APT database to determine if the hash value of the file object exists in the APT database. If the hash value of the file object exists in the APT database, an embodiment writes the file object to a quarantine storage location and clears the file object from the temporary storage device. If the hash value of the file object does not exist in the APT database, an embodiment executes an APT analysis on the file object to determine if the file object presents an APT. | 10-17-2013 |
20130276123 | MECHANISM FOR PROVIDING A SECURE ENVIRONMENT FOR ACCELERATION OF SOFTWARE APPLICATIONS AT COMPUTING DEVICES - A mechanism is described for facilitating a secure environment and acceleration of software applications according to one embodiment of the invention. A method of embodiments of the invention includes initiating a software application session at a computing device. The software application session includes an anti-virus/anti-malware software-based scanning session, and the scanning session includes scanning of a plurality of locations of a storage subsystem of the computing device. The method may further include accelerating the initiated session by performing session tasks relating to the initiated session without having to rely on an operating system of the computing device. | 10-17-2013 |
20130283383 | PLATFORM BASED VERIFICATION OF CONTENTS OF INPUT-OUTPUT DEVICES - A platform to support verification of the contents of an input-output device. The platform includes a platform hardware, which may verify the contents of the I/O device. The platform hardware may comprise components such as manageability engine and verification engine that are used to verify the contents of the I/O device even before the contents of the I/O device are exposed to an operating system supported by a host. The platform components may delete the infected portions of the contents of I/O device if the verification process indicates that the contents of the I/O device include the infected portions. | 10-24-2013 |
20130291112 | ARCHITECTURE FOR REMOVABLE MEDIA USB-ARM - A storage device is coupled to a computing system comprising an operating system and application software. Access to the storage device is blocked by a kernel filter driver, except exclusive access is granted to a first anti-virus engine. The first anti-virus engine is directed to scan the storage device for malicious software and report results. Exclusive access may be granted to one or more other anti-virus engines and they may be directed to scan the storage device and report results. Approval of all or a portion of the information on the storage device is based on the results from the first anti-virus engine and the other anti-virus engines. The storage device is presented to the operating system and access is granted to the approved information. The operating system may be a Microsoft Windows operating system. The kernel filter driver and usage of anti-virus engines may be configurable by a user. | 10-31-2013 |
20130298241 | Network Based Audience Measurement - Methods, systems, and computer-readable media for providing network-based audience measurement are provided. Data packets are intercepted between a client computer and a content server. Unique subscribers and content names are identified based on the data packets. One or more audience measurement metrics are computed based on the unique subscribers and the content names. | 11-07-2013 |
20130305373 | METHOD AND APPARATUS FOR INSPECTING NON-PORTABLE EXECUTABLE FILES - An apparatus for inspecting a non-PE file includes a data loading unit configured to load candidate malicious address information related to a malicious code of the non-PE file; and a program link unit configured to acquire normal address range information of a module being loaded on a memory when an application program adapted for the non-PE file is executed and set up a candidate malicious address corresponding to the candidate malicious address information to be a breakpoint of the application program. Further, the apparatus includes a malicious code determination unit configured to determine whether a next execution address is within the normal address range information when there occurs an event derived from the breakpoint. | 11-14-2013 |
20130305374 | CONTROLLING MALICIOUS ACTIVITY DETECTION USING BEHAVIORAL MODELS - Systems, methods, and computer program products are described for controlling malicious activity detection with respect to information technology assets based on behavioral models associated with the respective information technology assets. Protection rules and corresponding sensitivities associated with the behavioral models are applied by protection services to detect malicious activity with respect to the information technology assets. | 11-14-2013 |
20130305375 | METHOD FOR MALICIOUS ATTACKS MONITORING - A method monitors data affected by malware in a communication network. The malware detecting entity acts as a data retention source. The method includes receiving at a data retention system a query request specifying data affected by malware to be accessed. Retained data which matches the query request and received from the malware detecting entity is identified in the data retention system. The identified data is forwarded from the data retention system to an authorized organization. | 11-14-2013 |
20130312096 | ON-DEMAND DATA SCAN IN A VIRTUAL MACHINE - A system is provided to facilitate on-demand data scan operation in a guest virtual machine. During operation, the system generates an on-demand scan request at a scanning virtual machine, wherein the request specifies a scope for the on-demand scan. The system communicates the on-demand scan request to the guest virtual machine and receives data from the guest virtual machine in response to the request. The system identifies the data as candidate for on-demand scanning and scans the data in furtherance of a security or data integrity objective. | 11-21-2013 |
20130312097 | DETECTING MALICIOUS RESOURCES IN A NETWORK BASED UPON ACTIVE CLIENT REPUTATION MONITORING - Systems and methods for detecting malicious resources by analyzing communication between multiple resources coupled to a network are provided. According to one embodiment, a method is performed for client reputation monitoring. A monitoring unit within a network observes activities relating to multiple monitored devices within the network. For each observed activity, the monitoring unit assigns a score to the observed activity based upon a policy of multiple polices established within the monitoring unit. For each of the monitored devices, the monitoring unit maintains a current reputation score for the monitored device based upon the score and a historical score associated with the monitored device. The monitoring unit classifies one of the monitored devices as potentially being a malicious resource based upon its current reputation score. | 11-21-2013 |
20130312098 | NEGATIVE LIGHT-WEIGHT RULES - A method for securing an electronic device includes, at a level below all of the operating systems of an electronic device, trapping a first attempt and second attempt to access sensitive system resources of the electronic device. The method also includes identifying the first attempt and second attempt as representing a potential malware attack, comparing the sequence of the first attempt and second attempt against a first anti-malware rule, and, based on the comparison of the sequence of the first attempt and second attempt against the first anti-malware rule, allowing the second attempt. The first attempt and second attempt originate from code of the same operating entity. The first anti-malware rule includes a requirement of a sequence of attempts including the first attempt followed by the second attempt. | 11-21-2013 |
20130312099 | Realtime Kernel Object Table and Type Protection - A method for detecting malware includes determining one or more object-oriented components of an electronic device, trapping at a level below all of the operating systems of the electronic device an attempt to access an object-oriented component of the electronic device, determining an entity causing the attempt, accessing one or more security rules, and, based on the security rules, the entity causing the attempt, and the object-oriented component, determining whether the attempted access is indicative of malware. | 11-21-2013 |
20130312100 | ELECTRONIC DEVICE WITH VIRUS PREVENTION FUNCTION AND VIRUS PREVENTION METHOD THEREOF - In a virus prevention method of an electronic device, executable files that are being installed in the electronic device are compared with the virus characteristics in a virus database of the electronic device. The electronic device communicates with a server through a network, and a virus database and a suspected virus database of the server are accessed when one or more suspected files are determined. The one or more suspected files are compared with virus characteristics of virus samples in the virus database and non-viral characteristics of non-virus samples in the suspected virus database of the server, so as to determine whether the one or more suspected files are virus files. The one or more files determined to be virus files among the executable files are deleted. | 11-21-2013 |
20130318610 | System and Method for Detection and Treatment of Malware on Data Storage Devices - Disclosed are systems and methods for detection and repair of malware on data storage devices. The system includes a controller, a communication interface for connecting an external data storage device, and a memory for storing antivirus software. The antivirus software is configured to scan the data contained in the data storage device, perform repair or removal of malicious files or programs found on the data storage device, identify suspicious files or programs on the data storage device and malicious files or programs that cannot be repaired or removed from the data storage device, send information about these files or programs to the antivirus software provider, receive updates for the antivirus software from the antivirus software provider, and rescan the suspicious files or programs and malicious files or programs that cannot be repaired or removed using updated antivirus software. | 11-28-2013 |
20130318611 | SYSTEM AND METHOD FOR DETECTING NETWORK ACTIVITY OF INTEREST - A network activity detection system is trained to detect network activities of interest such as threats by malicious computer data. The training involves distilling the characteristics of known network activities of interest (e.g., intrusion by computer viruses, exploits, worms, or the like) into a minimal set of meta-expressions. At run-time, the network activity detection system combines the minimal set of meta-expressions with efficient computer algorithms for evaluating meta-expressions to detect known network activities of interest, as well as their unknown variants, among an unknown set of network activity. The network activity detection system may produce appropriate responses upon the detection of network activities of interest. | 11-28-2013 |
20130318612 | ROOTKIT MONITORING AGENT BUILT INTO AN OPERATING SYSTEM KERNEL - An approach for detecting a kernel-level rootkit is presented. A changed entry in a System Service Descriptor Table (SSDT) or an Interrupt Descriptor Table (IDT) is detected. The changed entry results from an installation of suspect software. The changed entry is determined to be not referenced by a white list. A black list is updated to reference the changed entry to indicate the changed entry results from an installation of the kernel-level rootkit. The suspect software is determined to be the kernel-level rootkit based on the changed entry not being referenced by the white list. The changed entry is restored to an entry included in a first state of an operating system kernel. The first state is based on the SSDT and IDT referencing hooks indicated in the white list, where the hooks are not the result of an installation of any kernel-level rootkit. | 11-28-2013 |
20130326626 | ASYNCHRONOUS FILTERING AND PROCESSING OF EVENTS FOR MALWARE DETECTION - A method for asynchronous processing of system calls, including detecting a system call on a computer system; filtering the system call to determine when the system call matches a filter parameter; making a copy of the system call and asynchronously processing the system call copy, if the system call does not pass through at least one filter, and the filter parameter does not match the system call; placing the system call into a queue; releasing the system call after an anti-virus (AV) check of the system call copy and terminating an object that caused the system call when the AV check reveals that the system call is malicious; and for an object associated with the system call that has behavior differences compared to a previous known non-malicious version of the object but also similarities to the previous known non-malicious object, classifying the object as non-malicious. | 12-05-2013 |
20130333039 | Evaluating Whether to Block or Allow Installation of a Software Application - A programmable device for which an application is to be installed analyzes permissions requested by the application and other application information to assist the user in deciding whether to allow installation of the application. The analysis may either block or allow the installation, or may provide a calculated risk level to the user and request a decision. Application information, such as a category of application, typical permissions requested by similar applications, and trustworthiness of the application source, in addition to whitelists and blacklists may be employed as part of the analysis and evaluation of the permissions. As a result, the user need not be burdened with overly technical information and may make a better informed decision on installation. | 12-12-2013 |
20130333040 | Kernel-Level Security Agent - A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities. | 12-12-2013 |
20130333041 | Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion - Methods and apparatus are provided for automatic identification of affected network resources after a computer intrusion. The network resources affected by a computer intrusion can be identified by collecting information about an external system from an external source; deriving a list of one or more affected internal systems on an internal network by correlating the information with internal information about internal systems that interacted with the external system; and identifying one or more user accounts associated with the one or more affected internal systems. Data residing on systems accessible by the one or more user accounts can also optionally be identified. A list can optionally be presented of the network resources that may be affected by the computer intrusion. The affected network resources can be, for example, servers, services and/or client machines. | 12-12-2013 |
20130333042 | STORAGE SYSTEM AND STORAGE SYSTEM MANAGEMENT METHOD - The present invention removes a computer virus-infected benchmark file by re-creating the benchmark file referenced by a reference-source file. One or more clone files, which serve as reference files, reference a clone-source file, which serves as the benchmark file. In a case where it has been determined that the clone-source file is infected with a computer virus, only the clone file referencing the infected area is subjected to a virus check and repaired. A new clone-source file is configured based on the repaired clone file and the clone-source file (b). The old clone-source file, which is infected with the computer virus, is deleted (c). | 12-12-2013 |
20130340080 | System and Method for Preventing Spread of Malware in Peer-to-Peer Network - Disclosed are systems, methods and computer program products for detecting and preventing spread of malware in a peer-to-peer (P2P) network. The system includes a P2P server receiving from a peer client computer a request for a metadata object and determining if the requested metadata object is associated with one of a verified clean data object, a verified malicious data object, or an unverified data object. If the requested metadata object is associated with a verified clean data object, transmitting the requested metadata object to the peer client computer. If the requested metadata object is associated with an unverified data object, determining if the peer client computer has antivirus software for testing the unverified data object for malware. If the peer client computer has antivirus software, transmitting to the peer client computer the requested metadata object, otherwise denying the client's request. | 12-19-2013 |
20130340081 | Reporting Malicious Activity to an Operating System - An apparatus includes a memory that is accessible by an operating system; and a basic input/output system (BIOS) handler. The BIOS handler, in response to detected malicious software activity, stores data in the memory to report the activity to the operating system. | 12-19-2013 |
20130347113 | DETERMINING POPULATED IP ADDRESSES - A service log of a service provider is analyzed to identify IP addresses used by account holders that are populated IP addresses. Existing information about legitimate and malicious accounts of the service provider is leveraged to determine likely good and bad populated IP addresses based on the accounts that use the populated IP addresses. Features of the good and bad populated IP addresses are used to train a classifier that can identify good and bad populated IP addresses based on features of the populated IP addresses. The classifier may be used to provide security services to the same service provider or different service providers. The services include identifying malicious accounts. | 12-26-2013 |
20130347114 | SYSTEM AND METHOD FOR MALWARE DETECTION - Systems and methods for malware detection techniques, which detect malware by identifying the C&C communication between the malware and the remote host. In particular, the disclosed techniques distinguish between request-response transactions that carry C&C communication and request-response transactions of innocent traffic. Individual request-response transactions may be analyzed rather than entire flows, and fine-granularity features examined within the transactions. As such, these methods and systems are highly effective in distinguishing between malware C&C communication and innocent traffic, i.e., in detecting malware with high detection probability and few false alarms. | 12-26-2013 |
20130347115 | TAGGING OBTAINED CONTENT FOR WHITE AND BLACK LISTING - A system and method for providing enhanced security with regard to obtained files is presented. Upon obtaining a file from an external location, the obtained file is tagged with tagging information regarding the origin of the obtained file. Additionally, an operating system suitable for execution on a computing device is also presented. The operating system includes at least one application-callable function (API) for obtaining content from an external location. Each application-callable function for obtaining content from an external location is configured to associate tagging information with each obtained file, the tagging information comprising the origin of the obtained file. The origin of the obtained file can be used for subsequent security policy decisions, such as whether to allow or block execution or rendering of the content, as well as whether the content will be accessed in a constrained environment such as a “sandbox” or virtual machine. | 12-26-2013 |
20140007238 | Collective Threat Intelligence Gathering System | 01-02-2014 |
20140007239 | PERFORMING ANTI-VIRUS CHECKS FOR A DISTRIBUTED FILESYSTEM | 01-02-2014 |
20140013434 | SYSTEM AND METHOD FOR STRATEGIC ANTI-MALWARE MONITORING - The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued, to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content, and to audit anti-virus strategies deployed in the network. | 01-09-2014 |
20140013435 | Social Network Protection System - A method of inhibiting the spread of malware across a network of interconnected computer terminals. The method includes detecting malware or suspicious behaviour at a first computer terminal and inspecting the first computer terminal, before and/or after said step of detecting malware or suspicious behaviour, to identify contacts forming part of a social network. Identities of the identified contacts are sent to a backend security system, and at the backend security system, said identities are received and instructions sent to one or more second computer terminals associated with respective identities to cause those second computer terminals to implement an increased level of security. | 01-09-2014 |
20140033311 | METHOD AND APPARATUS FOR DETERMINING VIRUS-INFECTED FILES - Disclosed in the present invention are a method and apparatus for determining a virus-infected file, which belong to the field of computer security. The method includes: locating data in a file being scanned according to the file offset address associated with a virus signature of a virus; making a comparison of the virus signature with the data located in the file being scanned; and determining that the file being scanned is a virus-infected file when the virus signature matches the located data. The apparatus includes: a locating module, a comparison module and a determination module. | 01-30-2014 |
20140041034 | PERFORMING VIRUS SCAN DURING DECOMPRESSION OF AN APPLICATION INSTALLATION PACKAGE - Disclosed in the present invention are a method and apparatus for checking a process of decompressing an application installation package. The present invention belongs to the technical field of security. The method comprises: decompressing a sub-portion of data in an application installation package to acquire decompressed data, the sub-portion of data being not greater than a threshold size; checking the decompressed data according to the virus samples in a virus feature library; and determining that the application installation package is a virus-infected file or rogue software when the decompressed data includes any of the virus samples. The technical solution of the present invention can effectively save the internal memory, shorten the checking time, and improve the checking efficiency in determining whether an application installation package is a virus-infected file or rogue software. | 02-06-2014 |
20140041035 | METHOD AND SYSTEM FOR FILE SCANNING - The invention relates to a method and system for file scanning. The method includes performing specified scanning on files of terminal equipment to determine suspicious files infected by viruses; repairing the suspicious files infected by the viruses and recording repair actions; and checking the recorded repair actions after the specified scanning is finished. The system includes a scanning module, a repairing module, and a checking module. According to the invention, repair actions performed during the repair procedure are recorded when suspicious files infected by viruses are repaired, and these recorded repair actions are checked after the repairs are finished so as to confirm the repair effect and reinforce the repair, thereby preventing suspicious files infected by various viruses from damaging and infecting the system. | 02-06-2014 |
20140053272 | Multilevel Introspection of Nested Virtual Machines - Described systems and methods allow software introspection and/or anti-malware operations in a hardware virtualization system comprising a nested hierarchy of hypervisors and virtual machines, wherein introspection is carried out to any level of the hierarchy from a central location on a host hypervisor. An introspection engine intercepts a processor event occurring in a virtual machine exposed by a nested hypervisor, to determine an address of a software object executing on the respective virtual machine. The address is progressively translated down through all levels of the virtualization hierarchy, to an address within a memory space controlled by the host hypervisor. Anti-malware procedures can thus be performed from the level of the host hypervisor, and may comprise techniques such as signature matching and/or protecting certain areas of memory of the nested virtual machine. | 02-20-2014 |
20140059687 | FILE SCANNING - For file scanning, a division module divides a file into a plurality of subfiles. An access module maintains a status of each subfile and scans each subfile with a separate server. | 02-27-2014 |
20140059688 | DETECTION AND MITIGATION OF SIDE-CHANNEL ATTACKS - Methods, systems, and computer readable storage media for preventing side-channel attacks are disclosed. A computing resource, such as a virtual machine, operating on a computing device or within a computing environment may be duplicated. Properties associated with the computing resource and the duplicate computing resource may be monitored for discrepancies. The discrepancies may be indicative of a security event, such as a virus or side-channel attack. Detected security events may be handled by replacing a computing resource with a duplicate computing resource. | 02-27-2014 |
20140059689 | SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - Systems, methods, and software for processing received network traffic in view of content detection data and configuration data that defines policies to either block, permit, or to further evaluate network traffic content on the policies when network traffic is entering a network. | 02-27-2014 |
20140068773 | METHODS, SYSTEMS AND MEDIA FOR DETECTING NON-INTENDED TRAFFIC USING CO-VISITATION INFORMATION - A non-transitory processor-readable medium stores code representing instructions to be executed by a processor to receive data associated with access by a first plurality of entities to a first website location and to receive data associated with access by a second plurality of entities to a second website location. The processor is also caused to define a co-visitation factor for each of the first website location and the second website location based on the received data. The processor is also caused to, if the co-visitation factor of the first website location and/or the co-visitation factor of the second website location is over a predefined threshold, select the first website location and/or the second website location as target website locations. The processor is caused to send a signal to set a flag associated with each target website location indicating the target website location as a suspicious website location. | 03-06-2014 |
20140068774 | DETECTING A MALWARE PROCESS - Detecting a malware process is disclosed, including: monitoring a launch of a process; in response to a completion of the launch of the process, determining a base address associated with the process; determining a permission of a memory block associated with the base address; and determining whether the process is potentially associated with a malware process based at least in part on the determined permission. | 03-06-2014 |
20140068775 | HISTORICAL ANALYSIS TO IDENTIFY MALICIOUS ACTIVITY - Systems and methods may use historical analysis to identify malicious activity. A discovery/recovery system may comprise a processor in communication with a network and in communication with a database. The discovery/recovery system may gather filtered historical network data associated with an asset associated with the network. The discovery/recovery system may analyze the filtered historical network data to determine whether a subset of the filtered historical network data is associated with a malware infection of the asset. | 03-06-2014 |
20140068776 | USER INTERFACE HIJACKING PREVENTION DEVICE AND METHOD - This discloses a device for preventing a user interface from being hijacked. The device can include: an information collecting module that collects information regarding a scheduled task; a monitoring module that monitors the scheduled task in accordance with the collected information to obtain a running status of the scheduled task and generates a control command in accordance with the running status; a user operation obtaining module that obtains a user operation after the monitoring module issues the control command; a window constructing module that constructs a window in accordance with the control command issued by the monitoring module and/or the user operation obtained by the user operation obtaining module; and a message generating module that generates a message and transmits the message to the window constructing module to display the message in the window. This also discloses a method of preventing a user interface from being hijacked. | 03-06-2014 |
20140075559 | METHOD AND DEVICE FOR PROCESSING VIRUS-INFECTED APPLICATIONS - The present disclosure relates to a virus-infected application processing method. The method comprises: obtaining identification information associated with a virus-infected application; cleaning the virus-infected application; sending the identification information to a recommended application search module; receiving recommendation information from the recommended application search module, the recommendation information comprising introduction to one or more applications relevant to the virus-infected application; and displaying the recommendation information. According to the virus-infected application processing method, relevant applications are recommended to a user at the same time as the virus-infected application is cleaned, thereby allowing the user to easily install a same but virus-free application or a similar substitute application. The entire operational process is simple and convenient, and can effectively make up for the functional loss due to the cleaning of the virus-infected application. In addition, the present disclosure provides a virus-infected application processing device. | 03-13-2014 |
20140082732 | System and Method for Bidirectional Trust Between Downloaded Applications and Mobile Devices Including a Secure Charger and Malware Scanner - A system and method are described that will enable mobile smart devices, such as cellular phones, PDAs, iPads, smartphones, mobile payment systems, mobile healthcare systems, handheld law enforcement systems, and other types of tablet devices, to trust downloaded applications and for the downloaded applications to trust the mobile smart devices onto which they are downloaded. The system and method enable charging a mobile smart device and, while charging, scanning the applications and the operating system on the mobile smart device for malware and other viruses. | 03-20-2014 |
20140090061 | SYSTEM AND METHOD FOR AUTOMATED MACHINE-LEARNING, ZERO-DAY MALWARE DETECTION - Improved systems and methods for automated machine-learning, zero-day malware detection. Embodiments include a method for improved zero-day malware detection that receives a set of training files which are each known to be either malign or benign, partitions the set of training files into a plurality of categories, and trains category-specific classifiers that distinguish between malign and benign files in a category of files. The training may include selecting one of the plurality of categories of training files, identifying features present in the training files in the selected category of training files, evaluating the identified features to determine the identified features most effective at distinguishing between malign and benign files, and building a category-specific classifier based on the evaluated features. Embodiments also include a system and a computer-readable medium with instructions for executing the above method. | 03-27-2014 |
20140090062 | METHOD AND APPARATUS FOR VIRUS SCANNING - Method and apparatus for virus scanning, and a non-transitory computer-readable medium that stores instructions for performing virus scanning. The method includes detecting a status of a system; and when the status of the system is idle, if current virus scanning has begun, continuing the current virus scanning, and if the current virus scanning has not begun, acquiring a scanning progress of previous virus scanning, beginning the current virus scanning according to the acquired scanning progress, and recording a scanning progress of the current virus scanning. | 03-27-2014 |
20140096254 | EFFICIENT DATA TRANSFER IN A VIRUS CO-PROCESSING SYSTEM - Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a method for virus co-processing is provided. A general purpose processor stores a data segment to its system memory using a virtual address. The system memory has stored therein a page directory and a page table containing information for translating virtual addresses to physical addresses within a physical address space of the system memory. A virus processing hardware accelerator translates the virtual address of the data segment to a physical address of the data segment based on the page directory and the page table. The hardware accelerator accesses the data segment based on the physical address. The hardware accelerator scans the data segment for viruses by executing multiple pattern comparisons against the data segment. The hardware accelerator returns a result of the scanning to the general purpose processor via the system memory. | 04-03-2014 |
20140109226 | Kernel-Level Security Agent - A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities. | 04-17-2014 |
20140123290 | METHOD, DEVICE AND SYSTEM FOR PROCESSING COMPUTER VIRUS - A method, an apparatus and a system for processing a computer virus. The method comprises: obtaining the file type of a file which is infected with a computer virus and the process information of a process which is used by the virus when accessing the file; monitoring whether a malicious event occurs in a system, wherein the malicious event is an event which is triggered when the process corresponding to the process information accesses the file of the file type; and refusing the process access to the file of the file type when it is monitored that the malicious event occurs. | 05-01-2014 |
20140130167 | SYSTEM AND METHOD FOR PERIODICALLY INSPECTING MALICIOUS CODE DISTRIBUTION AND LANDING SITES - A system and method for periodically inspecting malicious code distribution and landing sites, which receives a malicious-suspected URL from a management server; collects a file which is created when the malicious-suspected URL is connected and self-inspecting existence of the malicious code in the collected file using a commercial vaccine; traces, if a malicious code is detected in the collected file, a final distribution site distributing the detected malicious code; confirms information on a landing site connected to the final distribution site and registering the final distribution site and the landing site in a landing/distribution site database; confirms whether or not the final distribution site and the landing site registered in the landing/distribution site database are connectible; and updates the landing/distribution site database according to whether or not the final distribution site and the landing site are connectible. | 05-08-2014 |
20140130168 | ANTIVIRUS SYSTEM AND METHOD FOR REMOVABLE MEDIA DEVICES - A removable media device, which may be a USB attached device or other type of removable media device, includes a software program located on the device which, upon startup or access, scans one or more of the electronic files stored on the removable media device and the electronic files being transferred between the removable media device and a host computing system for the detection of viruses therein. The software program is further configured to block the transfer of detected virus-containing electronic files and to disallow the copying or writing of files between the removable media device and a host computing system if those files cannot be scanned. The software program is further configured to block the encryption of files being written to a removable media device that provides hardware or software encryption if such files cannot be scanned. | 05-08-2014 |
20140130169 | IDENTIFICATION OF MALICIOUS ACTIVITIES THROUGH NON-LOGGED-IN HOST USAGE - A system and associated computer program product for identifying malware. The system includes one or more processors, one or more computer-readable memories, one or more computer-readable storage devices, and program instructions stored on the one or more storage devices for execution by the one or more processors via the one or more memories. The program instructions include program instructions to receive a data communication simulating manual interaction between a user of the computer and the computer. The program instructions may determine that no user was interactively logged on to the computer approximately at a time the data communication was received by the computer, and in response, classify the data communication as a potential malware communication. | 05-08-2014 |
20140137252 | METHOD AND SYSTEM FOR UNLOCKING AND DELETING FILE AND FOLDER - A method and system for unlocking and deleting a file or a folder. The method for unlocking the file or the folder comprises: receiving an unlock request for a file or a folder, wherein the unlock request includes an input parameter; verifying whether the input parameter complies with a preset condition; if the input parameter complies with the preset condition, correcting a deformed path format of the file or the folder and/or the special file name of the file or the special folder name of the folder according to a preset rule; determining whether a restrictive setting of the corrected file or folder is present; and if so, clearing the restrictive setting of the file or the folder. The embodiments of the present invention strip, layer by layer, the protections set up by files infected with a virus, by employing a plurality of means such as removing the read-only lock, removing the routine lock, adding the required authority and closing the open handle, thereby increasing the ability of security software to counter a malignant program. | 05-15-2014 |
20140137253 | SECURITY METHOD AND APPARATUS - In accordance with an example embodiment of the present invention, there is provided an apparatus, comprising: at least one processor; and at least one memory including executable instructions. The at least one memory and the executable instructions are configured to, in cooperation with the at least one processor, cause the apparatus to perform at least the following: during the loading of an operating system, loading a boot time driver installed by an anti-virus application; reading master boot record data by the boot time driver as soon as the operating system is ready to handle a request for reading the master boot record data; analyzing the collected master boot record data to identify any malicious entities; and, in the event that a malicious entity is identified, controlling the behavior of the processing system in order to disable the malicious entity. | 05-15-2014 |
20140137254 | MALICIOUS WEBSITE IDENTIFYING METHOD AND SYSTEM - The present disclosure discloses a method of identifying malicious websites. The method includes: filtering a target website using a local website-filtering list; and, if the target website is not on the local website-filtering list, filtering the target website using a server website-filtering list. The present disclosure also discloses, based on the above-described method, a system for identifying malicious websites. By using the disclosed malicious website identifying method and system, the number of network accesses needed to identify malicious websites can be reduced effectively. That is, the number of times that the identification calculation is performed by a network server can be reduced, thus increasing the speed of the identification process and reducing network traffic. As a result, the efficiency of the malicious website identifying process can be improved. | 05-15-2014 |
20140137255 | Method, System, and Apparatus for Detecting Malicious Code - A method, a system, and an apparatus for detecting malicious code, addressing the low detection efficiency and high resource consumption of existing approaches. The method includes: monitoring execution of an instruction in the virtual machine supervisor (hypervisor) of a host computer, where the instruction is generated in escape mode (a trap to the hypervisor) when a read-write request generated during execution of program code in a virtual machine of the host computer is delivered to the virtual machine supervisor; obtaining execution characteristics of the program code according to execution of the instruction; and comparing the obtained execution characteristics with pre-stored execution characteristics of known malicious code, and determining that the program code is malicious code when the obtained execution characteristics and the pre-stored execution characteristics are the same. This improves detection efficiency and saves storage and processing resources in the host computer. | 05-15-2014 |
20140143875 | Detecting Application Behavior - There is provided a method including generating, by a security application executed in a processing device, an application list including one or more applications which are currently running in the processing device; identifying at least one network address fulfilling predetermined criteria; determining which of the at least one network address fulfilling the predetermined criteria has been connected to by the processing device within a predefined time period; and providing a post-processing entity with the application list and an indication on which of the at least one network address fulfilling the predetermined criteria has been connected to by the processing device within the predefined time period. | 05-22-2014 |
20140143876 | VIRUS CO-PROCESSOR INSTRUCTIONS AND METHODS FOR USING SUCH - Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a method for virus processing is provided. A data segment is received by a general purpose processor coupled to a virus co-processor and a memory via an interconnect bus. The memory includes a first signature and a second signature. The first signature includes a primitive instruction and a Content Pattern Recognition (CPR) instruction stored at contiguous locations in the memory and compiled for hardware execution on the co-processor. The second signature is compiled for software execution. The data segment is scanned by the general purpose processor by applying the second signature against the data segment. The co-processor is directed by the general purpose processor to scan the data segment by applying the first signature against the data segment, by storing the data segment to the memory and indicating a request for a scan to the co-processor. | 05-22-2014 |
20140143877 | DATA IDENTIFICATION SYSTEM - Disclosed is a method of operating a data storage system. The method comprises identifying changed segments of a primary storage volume, receiving a data request for a plurality of data items in a secondary storage volume, identifying changed data items of the plurality of data items in the secondary storage volume based on a correspondence between the plurality of data items in the secondary storage volume and the changed segments of the primary storage volume, and transferring the changed data items in response to the data request. | 05-22-2014 |
20140150105 | CLUSTERING PROCESSING METHOD AND DEVICE FOR VIRUS FILES - A method and device for clustering virus files is provided. The method involves statically analyzing binary data of virus files to be clustered, so as to obtain PE structure data of the virus files. Further, based on a comparison of the PE structure data, those virus files with PE structure data meeting a specific similarity may be categorized into the same category. The device may include a first data analyzing module configured to extract PE structure data of virus files to be clustered by static analysis of binary data of the virus files. A first clustering module of the device may compare the PE structure data and cluster the virus files having the PE structure data meeting a specific similarity into the same category. The solution may improve efficiency of clustering computer virus files, reduce resource consumption, and avoid the risk of virus infection caused by dynamically running the virus files. | 05-29-2014 |
20140150106 | COMPUTER PROGRAM, METHOD, AND SYSTEM FOR PREVENTING EXECUTION OF VIRUSES AND MALWARE - Preventing execution of viruses or malware on a computing device includes compiling an inventory recordation of legitimate applications and terminating execution of any application not on the inventory recordation while in a protected mode. An instantaneous and unprompted inventory recordation known as a "snapshot" can be performed by the computer program. A user may further train the computer program to identify legitimate applications routinely accessed by the user and to add them to the inventory recordation, such that the inventory recordation is personal to the user. After training, the protected mode can be activated. A smart icon graphical user interface is utilized, which automatically toggles between locked and unlocked depending on whether the computing device is at risk, to place the computing device in a protected or unprotected mode. | 05-29-2014 |
20140165203 | Method and Apparatus for Retroactively Detecting Malicious or Otherwise Undesirable Software As Well As Clean Software Through Intelligent Rescanning - The present invention relates to the security of general purpose computing devices, such as laptop or desktop PCs, and more specifically to the detection of malicious software (malware) on a general purpose computing device. A challenge in detecting malicious software is that files are typically scanned for the presence of malicious intent only once (and subsequent rescanning is typically performed in a simplistic manner). Existing methods in the art do not address how to most effectively rescan collections of files in a way that optimizes both performance and efficacy. Accordingly, we present novel methods, components, and systems for intelligently rescanning file collections and thereby enabling retroactive detection of malicious software and also retroactive identification of clean software. These methods may also be useful if additional information is now available regarding a file that might be useful to an end-user or an administrator, even though the file's core disposition might not have changed. More specifically, we describe methods, components, and systems that perform data analytics to intelligently rescan file collections for the purpose of retroactively identifying malware and retroactively identifying clean files. The disclosed invention provides a significant improvement in efficacy and performance compared to previous approaches. | 06-12-2014 |
20140173735 | COMPUTER PROGRAM, METHOD, AND SYSTEM FOR PREVENTING EXECUTION OF VIRUSES AND MALWARE - Preventing execution of viruses or malware on a computing device includes compiling an inventory recordation of legitimate applications and terminating execution of any application not on the inventory recordation while in a protected mode. An instantaneous and unprompted inventory recordation known as a "snapshot" can be performed by the computer program. A user may further train the computer program to identify legitimate applications routinely accessed by the user and to add them to the inventory recordation, such that the inventory recordation is personal to the user. After training, the protected mode can be activated. A smart icon graphical user interface is utilized, which automatically toggles between locked and unlocked depending on whether the computing device is at risk, to place the computing device in a protected or unprotected mode. | 06-19-2014 |
20140173736 | Method and system for detecting webpage Trojan embedded - The present disclosure is applicable to the field of computer security technology and provides a method and system for detecting Trojans embedded in webpages. The method includes: obtaining webpage contents; parsing the obtained webpage contents and extracting script objects; constructing an object execution engine to simulate the execution of the contents of the script objects; and monitoring the simulated execution of the contents of the objects and, when abnormal behaviour occurs, determining that the contents of the objects contain dangerous data. The present disclosure can effectively improve the efficiency of detecting Trojans embedded in webpages, and reduce both the miss rate and the error rate of such detection. | 06-19-2014 |
20140181978 | DESIGN AND EVALUATION OF A FAST AND ROBUST WORM DETECTION ALGORITHM - A method and computer product are presented for identifying Internet worm propagation based upon changes in packet arrival rates at a network connection. First, unsolicited traffic (i.e., packets that were not requested by the receiver) is separated from solicited traffic at the network connection. The unsolicited traffic arrival patterns are monitored and analyzed for any changes. Once changes in the unsolicited traffic arrival patterns are detected, the changes are mathematically analyzed to detect growth trends. The presence of growth trends that follow certain key characteristics indicates whether the changes are due to worm propagation. | 06-26-2014 |
20140181979 | CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS - Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a remote file-system access protocol request issued by a client to a server is received at a network device logically interposed between the client and the server. The request is issued to the server by the network device. A single shared holding buffer, used for both read and write accesses to the file and used by multiple processes running on the client, is implemented by the network device for the file during a remote file-system access protocol session. Data being read from or written to the file as a result of the request is buffered into the buffer. Responsive to a predetermined event in relation to the remote file-system access protocol or the buffer, the existence or non-existence of malicious, dangerous or unauthorized content is determined by performing content filtering on the buffer. | 06-26-2014 |
20140189871 | Identifying Code Signatures Using Metamorphic Code Generation - The identification of semantically equivalent code is aided by leveraging multiple authorities to produce equivalent groups of instructions given an input group of instructions. Such authorities include hardware-only authorities such as processors, software-only authorities such as compilers, and virtual and non-virtual runtime environments that utilize both software and hardware. | 07-03-2014 |
20140189872 | METHOD AND DEVICE FOR MONITORING VIRUS TREND ABNORMALITY - A method and device for monitoring virus trend abnormality are provided which may enable timely and effective monitoring of computer viruses. The method may include measuring the frequency of hits of a virus being found and/or removed. The frequency may be used to calculate an M-day moving average of the number of hits of the virus. The method may also involve calculating a standardized residual of the number of hits of the virus. When the standardized residual is larger than a first preset threshold, the time at which the virus was last encountered may be identified as an abnormality point on the trendline of the virus. | 07-03-2014 |
20140196149 | ANTI-MALWARE SYSTEM, METHOD OF PROCESSING DATA IN THE SAME, AND COMPUTING DEVICE - Provided are an anti-malware (AM) system, a method of processing data in the AM system, and a computing device including the AM system. The AM system includes a hardware-based AV engine configured to perform hash matching on data for AV scanning of the data, and an AV function module configured to determine whether or not the data includes a virus pattern on the basis of a result of the hash matching. | 07-10-2014 |
20140201839 | IDENTIFICATION AND ALERTING OF NETWORK DEVICES REQUIRING SPECIAL HANDLING MAINTENANCE PROCEDURES - Identifying and performing maintenance operations on computer network devices may include accessing an agent portal via an administrator machine operating on a network and receiving an application user interface. The user interface may be used to request a device list of active network devices currently operating on the network and identify a number of devices that require a remote maintenance operation and at least one flagged device which requires an alternative type of remote maintenance, and perform the remote maintenance operation on at least one of the devices while omitting the flagged device at least temporarily. | 07-17-2014 |
20140215627 | SYSTEM AND METHOD FOR CORRECTING ANTIVIRUS RECORDS TO MINIMIZE FALSE MALWARE DETECTIONS - Disclosed are a system, method and computer program product for correcting antivirus records. In an example aspect, an antivirus application analyzes a software object for the presence of malware. The antivirus application includes an antivirus database and an antivirus cache. The antivirus application retrieves from the antivirus database an antivirus record associated with the analyzed object. The antivirus record indicates whether the object is clean or malicious and further includes at least a test antivirus record status indicator. The antivirus application checks, at least in the antivirus cache, for a correction of the test antivirus record. The correction includes a change in the test status of the antivirus record. When a correction for the retrieved antivirus record is found in the antivirus cache, the antivirus application uses said correction of the antivirus record for further processing of the software object. | 07-31-2014 |
20140223566 | SYSTEM AND METHOD FOR AUTOMATIC GENERATION OF HEURISTIC ALGORITHMS FOR MALICIOUS OBJECT IDENTIFICATION - A server-based system for generation of heuristic scripts for malware detection includes an automatic heuristics generation system for generating heuristic scripts for curing malware infections; a log database containing logs of events from user computers, including detection of known malicious objects and detection of suspicious objects; a safe objects database containing signatures of known safe objects; and a malicious objects database containing signatures of known malicious objects. The system retrieves suspect object metadata from the log database and generates the heuristic script based on data from the safe and malicious objects databases. For multiple computers having the same configuration and the same logs, only one log common to all of those computers is transmitted and only one heuristic script is distributed to them. A different and specific heuristic script is distributed to those computers that have a log different from the common log. | 08-07-2014 |
20140237598 | Reducing the Spread of Viruses and Errors in Social Networks and Affinity Groups - An approach is provided to reduce the spread of malware within a group of users. In the approach, a malware program (e.g., virus, Trojan, worm, etc.) is detected at a system that is utilized by one of the users that is a member of a peer affinity group. Event data pertaining to the detected malware program is gathered at the user's system. A notification is provided to the other users included in the peer affinity group. The notification identifies the detected malware program and the event data that was gathered at the user's system. | 08-21-2014 |
20140237599 | DISTRIBUTED AGENT BASED MODEL FOR SECURITY MONITORING AND RESPONSE - An architecture is provided for a widely distributed security system (SDI-SCAM) that protects computers at individual client locations, but which constantly pools and analyzes information gathered from machines across a network in order to quickly detect patterns consistent with intrusion or attack, singular or coordinated. When a novel method of attack has been detected, the system distributes warnings and potential countermeasures to each individual machine on the network. Such a warning may potentially include a probability distribution of the likelihood of an intrusion or attack as well as the relative probabilistic likelihood that such potential intrusion possesses certain characteristics or typologies or even strategic objectives in order to best recommend and/or distribute to each machine the most befitting countermeasure(s) given all presently known particular data and associated predicted probabilistic information regarding the prospective intrusion or attack. If any systems are adversely affected, methods for repairing the damage are shared and redistributed throughout the network. | 08-21-2014 |
20140237600 | SYSTEM AND METHOD FOR DETECTING EXECUTABLE MACHINE INSTRUCTIONS IN A DATA STREAM - Detecting executable machine instructions in a data stream is accomplished by accessing a plurality of values representing data contained within a memory of a computer system and performing pre-processing on the plurality of values to produce a candidate data subset. The pre-processing may include determining whether the plurality of values meets (a) a randomness condition, (b) a length condition, and/or (c) a string ratio condition. The candidate data subset is inspected for computer instructions, characteristics of the computer instructions are determined, and a predetermined action is taken based on the characteristics of the computer instructions. | 08-21-2014 |
20140237601 | OPERATION OF A DUAL INSTRUCTION PIPE VIRUS CO-PROCESSOR - Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a content object is stored by a general purpose processor to a system memory. The memory has stored therein a page directory containing information for translating virtual addresses to physical addresses. Multiple most recently used entries of the page directory are cached, by a virus co-processor, within translation lookaside buffers (TLBs) implemented within an on-chip cache of the co-processor. Instructions are read by the co-processor, from a virus signature memory of the co-processor. The instructions contain op-codes of a first and second instruction type. Instructions of the first type are assigned to a first instruction pipe of the co-processor. An instruction assigned to the first instruction pipe is executed including accessing the content object by performing direct virtual memory addressing of the system memory and comparing the content object against a string. | 08-21-2014 |
20140245444 | Memory Introspection Engine for Integrity Protection of Virtual Machines - Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. In some embodiments, a hypervisor configures a hardware virtualization platform hosting a set of operating systems (OS). A memory introspection engine executing at the processor privilege level of the hypervisor dynamically identifies each OS, and uses a protection priming module to change the way memory is allocated to a target software object by the memory allocation function native to the respective OS. In some embodiments, the change affects only target objects requiring malware protection, and comprises enforcing that memory pages containing data of the target object are reserved exclusively for the respective object. The memory introspection engine then write-protects the respective memory pages. | 08-28-2014 |
20140245445 | Preventing Propagation Of Hardware Viruses In A Computing System - Preventing propagation of hardware viruses in a computing system, including: determining, by a hardware virus detection module, whether an empty connector in the computing system is damaged, wherein the empty connector is blocked from receiving an attachable computing device by a bumper; determining, by the hardware virus detection module, whether a connector for the attachable computing device is damaged; and responsive to determining that the empty connector is not damaged and that the connector for the attachable computing device is not damaged, moving the bumper such that the empty connector is not blocked from receiving the attachable computing device. | 08-28-2014 |
20140245446 | PERFORMING SECURITY OPERATIONS USING BINARY TRANSLATION - In an embodiment, a processor includes a binary translation engine to receive a code segment, to generate a binary translation of the code segment, and to store the binary translation in a translation cache, where the binary translation includes at least one policy check routine to be executed during execution of the binary translation on behalf of a security agent. Other embodiments are described and claimed. | 08-28-2014 |
20140245447 | METHOD, DEVICE AND SYSTEM FOR TROJAN HORSE INTERCEPTION - A method, a device and a system for Trojan horse interception are provided. The method includes: intercepting input information from a user, and determining whether the input information is identical to saved information to be protected; and sending a warning prompt when the input information is identical to the saved information to be protected and it is determined that the input target object of the input information is not a legitimate object. According to the above scheme, all the input information can be intercepted, and a warning is sent if the input information is identical to the saved information to be protected and the input target object of the input information is not legitimate; the above scheme is not limited to monitoring a certain input target object, and thus has increased applicability. | 08-28-2014 |
20140250532 | A RENDER ENGINE, AND METHOD OF USING THE SAME, TO VERIFY DATA FOR ACCESS AND/OR PUBLICATION VIA A COMPUTER SYSTEM - A method and system to verify active content at a server system include receiving, at the server system a communication (e.g., an e-mail message or e-commerce listing) that includes active content that is to be made accessible via the server system. At the server system, the active content is rendered to generate rendered active content. The rendered active content presents a representation of information and processes to which an end user will be subject. At the server system, the rendered active content is verified as not being malicious. | 09-04-2014 |
20140283076 | PROFILING CODE EXECUTION - Technologies for securing an electronic device may include determining a plurality of rules, monitoring execution of the electronic device, generating a notification that one of the operations has occurred based upon the rules, and, based on the notification and the pattern of the operations, determining whether the operations are indicative of malware. The rules may include an identification of a plurality of entities of the electronic device to be monitored, an identification of one or more operations between the entities to be monitored, and an identification of a pattern of the operations to be monitored. | 09-18-2014 |
20140283077 | PEER-AWARE SELF-REGULATION FOR VIRTUALIZED ENVIRONMENTS - Technologies for self-regulation for virtualized environments may include, by a virtual machine on an electronic device, detecting an attempted anti-malware operation by a monitored module, determining anti-malware operation levels of one or more other virtual machines on the electronic device, and, based on the attempted anti-malware operation and upon the anti-malware operation levels, determining whether to allow the attempted operation. | 09-18-2014 |
20140283078 | SCANNING AND FILTERING OF HOSTED CONTENT - A system includes a server computer configured to host a plurality of web pages. A scanner is configured to scan the plurality of web pages to identify malicious links contained in the plurality of web pages. A proxy server is configured to filter the malicious links from content of the plurality of web pages served from the server computer to a user in response to a request from the user. | 09-18-2014 |
20140283079 | STEM CELL GRID - A stem cell grid is disclosed. The stem cell grid includes the ability to incorporate characteristics of a stem cell into a network device. In the event that the network device fails or otherwise becomes unavailable for use by other network devices, the network device is automatically replicated within a virtualized environment and then the replica of the network device is used instead of the failed and/or unavailable network device. | 09-18-2014 |
20140289857 | COMPUTER VIRUS PROTECTION - A network is protected from e-mail viruses through the use of a sacrificial server. Any executable programs or other suspicious parts of incoming e-mail messages are forwarded to a sacrificial server, where they are converted to non-executable format such as Adobe Acrobat PDF and sent to the recipient. The sacrificial server is then checked for virus activity. After the execution is completed, the sacrificial server is rebooted. | 09-25-2014 |
20140289858 | ANTIVIRUS SCAN DURING A DATA SCRUB OPERATION - For an antivirus scan during a data scrub operation, the antivirus scan is performed concurrently, overlapping with the data scrub operation, wherein the data scrub operation periodically inspects and corrects memory errors. The degree to which the antivirus scan overlaps with the data scrub operation is increased if a reduction in disk access by a host application is detected. The number of antivirus scan input/output (I/O) operations and data scrub I/O operations is thereby reduced. | 09-25-2014 |
20140298470 | System and Method for Adaptive Modification of Antivirus Databases - Disclosed are systems, methods and computer program products for adaptively modifying antivirus databases. In one example, a system stores in an antivirus database a list of file types and antivirus records for different file types. When the system receives files for performing antivirus analysis, it retrieves from the database the list of file types and uses it to determine file types of the received files. The system then retrieves from the database antivirus lists for the determined file types and uses them to perform antivirus analysis of the files. The system then identifies files with an unknown file type and attempts to determine the file type of these files. The system then updates the antivirus database by (i) adding to the list of file types a new file type corresponding to said unknown file type, and (ii) adding a new empty antivirus list corresponding to said unknown file type. | 10-02-2014 |
20140304818 | Method and Device for Multiple Engine Virus Killing - The present invention discloses a method and device for detecting and killing computer viruses using multiple antivirus engines. The method includes: receiving a request for scanning a file to be scanned; sending the information of the file to multiple antivirus engines for scanning, receiving the scanning information returned by the antivirus engines; determining the scanning result of the file, and sending the scanning result of the file, thereby supporting virus killing by using multiple antivirus engines. The present invention integrates the scanning result of multiple antivirus engines according to specific strategies, and utilizes characteristics of different antivirus engines to completely detect and kill various computer viruses based on the scanning result, thereby improving accuracy of virus killing and security of the system. | 10-09-2014 |
20140304819 | SYSTEMS, METHODS AND APPARATUSES FOR PROTECTION OF ANTIVIRUS SOFTWARE - The systems, methods and apparatuses described herein provide a computing system for executing an antivirus software program. In one aspect, a non-transitory computer-readable medium may comprise an antivirus software program to be executed in a first virtual machine by a computer processor that supports multiple virtual machines. The antivirus software program may obtain access to a memory of a second virtual machine on the computer processor that supports multiple virtual machines, and use the access to the memory of the second virtual machine to monitor the memory of the second virtual machine and take a corrective action. In a further aspect, the corrective action may be to remove any malware found on a computer operating system that is running on the second virtual machine. | 10-09-2014 |
20140304820 | Devices, Systems, and Methods for Detecting Proximity-Based Mobile Malware Propagation - Devices, systems, and methods are disclosed. An agent resides in a mobile communication device. The agent detects Proximity-based Mobile Malware Propagation. The agent injects one or more trigger network connections in the candidate connection list. These connections appear as legitimate networks and devices, but instead trigger connection to an agent server on a service provider's network. By attempting to connect through the trigger network connection, the malware reveals itself. The system helps collect the malware signature within a short period of time after the malware outbreak in local areas, though such attacks typically bypass network based security inspection in the network. | 10-09-2014 |
20140317745 | METHODS AND SYSTEMS FOR MALWARE DETECTION BASED ON ENVIRONMENT-DEPENDENT BEHAVIOR - The present disclosure is directed to methods and systems for malware detection based on environment-dependent behavior. Generally, an analysis environment is used to determine how input collected from an execution environment is used by suspicious software. The methods and systems described identify use of environmental information to decide between execution paths leading to malicious behavior or benign activity. In one aspect, one embodiment of the invention relates to a method comprising monitoring execution of suspect computer instructions; recognizing access by the instructions of an item of environmental information; identifying a plurality of execution paths in the instructions dependent on a branch in the instructions based on a value of the accessed item of environmental information; and determining that a first execution path results in benign behavior and that a second execution path results in malicious behavior. The method comprises classifying the computer instructions as evasive malware responsive to the determination. | 10-23-2014 |
20140317746 | System and Method for the Protection of Computers and Computer Networks Against Cyber Threats - Systems and methods for protecting against cyber threats are disclosed. The system includes an external network accessing layer (ENAL) and a core computing asset overlaid by the ENAL. The ENAL comprises at least one external network access cell (ENAC), wherein the at least one ENAC contains at least one communications port, one or more processors, working and storage memories and is configured to be connectable to an external network and to inspect data received from the external network. The core computing asset is overlaid by the ENAL and comprises at least one core computer configured to not be connected to the external network but to be capable of being connected to the ENAL. The core computing asset contains data and software that are to be protected from cyber threat. | 10-23-2014 |
20140325654 | METHOD FOR NEUTRALIZING PC BLOCKING MALWARE USING A SEPARATE DEVICE FOR AN ANTIMALWARE PROCEDURE ACTIVATED BY USER - The invention relates to the field of anti-virus protection. The technical result of the invention lies in providing the possibility of unblocking the computer without data loss or resetting the computer, increasing the operating efficiency of antivirus systems and consequently improving the security of computer systems. A method for neutralizing malicious software that blocks computer operation is performed by means of a separate antivirus activation device developed to activate the antimalware procedure on the command of a PC user, the device comprising connectors for connection to a control bus, a controller and an activation unit. The computer unblocking and malware neutralizing procedure is activated after an activation signal is received from the antivirus activation device. Said unblocking and malware neutralizing procedure includes: examining the state of the OS graphics subsystem and searching for all the created windows and desktops viewed by the user; analyzing all the processes and flows executed on the PC at the time of infection; creating, on the basis of the collected data, bindings for each said window and desktop to a particular process and/or process hierarchy; analyzing the obtained data on the processes and identifying in each of them the loaded modules involved in running the process; searching for the software automatically run in the course of OS start-up; compiling a list of the objects considered malicious; and isolating each malicious object, deleting its links from OS configuration files, and aborting the malicious process produced by the object. | 10-30-2014 |
20140325655 | PROXY GATEWAY ANTI-VIRUS METHOD, PRE-CLASSIFIER, AND PROXY GATEWAY - A proxy gateway anti-virus method, a pre-classifier, and a proxy gateway are provided. The method includes: receiving a resource obtaining request for obtaining a to-be-transmitted resource; sending a pre-detection request to a network element that stores the to-be-transmitted resource, to obtain attribute information of the to-be-transmitted resource; judging, based on an anti-virus policy and according to the attribute information, whether the to-be-transmitted resource needs anti-virus scanning; if judged yes, performing anti-virus scanning on the to-be-transmitted resource that is subsequently obtained; and if judged no, transparently transmitting the to-be-transmitted resource that is subsequently obtained. A technical solution of pre-detecting whether a to-be-transmitted resource needs anti-virus scanning according to attribute information is provided, and a resource that needs no anti-virus scanning can be transmitted transparently and directly before the resource is sent to a proxy layer, thereby implementing an anti-virus function, improving transmission efficiency, and reducing the waste of resources. | 10-30-2014 |
20140325656 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REGULATION AND CONTROL OF SELF-MODIFYING CODE - A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location. | 10-30-2014 |
20140337980 | METHOD, DEVICE AND TERMINAL FOR SCANNING VIRUS - Described are a method and a device for processing price, and a method and an electronic commerce system for processing an order sheet. The method for processing price includes: obtaining attribute information of a commodity in an electronic commerce system; assigning a charging mark to the commodity according to the attribute information of the commodity; and setting price information corresponding to the charging mark of the commodity according to a predetermined price processing rule. The price information of the commodity is customized pertinently according to the attribute information of the electronic commerce system. The commodity of the electronic commerce system has strong pertinence, so that its price may be adjusted flexibly and efficiently, and the intelligence of the electronic commerce system is improved. | 11-13-2014 |
20140337981 | FINGERPRINT ANALYSIS FOR ANTI-VIRUS SCAN - Disclosed are systems and methods for fingerprint analysis for anti-virus scanning. In an embodiment, a method of scanning for infected data items is disclosed. The method provides identifying a plurality of changed data items on a server machine. The method further provides, from a data system in communication with the server machine, performing a virus scan on the plurality of changed data items. The method further provides that the data system maintains a list of data items that the virus scan found to be infected. | 11-13-2014 |
20140344934 | BLOOM FILTER WITH MEMORY ELEMENT - Techniques are provided for determining if an element is contained in a set of elements. In one aspect, an element may be received and inserted into a bloom filter. The element may also be inserted into a memory associative on the bloom filter indexes. In another aspect, a search element may be received and compared to a bloom filter. If the search element is included in the bloom filter, a memory may be used to determine if the search element is included in the set of elements. | 11-20-2014 |
20140344935 | TROJAN DETECTION METHOD AND DEVICE - A trojan detection method and device, used to solve the problem in the prior art of being unable to effectively detect a trojan in a network, the method comprising: when a trojan heartbeat is detected in a session, according to whether the trojan heartbeat detection frequency is fixed, increasing the recorded session weight by a corresponding weight and recording the increased weight, and checking whether each packet transmitted from a controlling end to a controlled end complies with the characteristics of a trojan control command packet; if yes, then adding a third weight to the recorded session weight and recording the result, and when the session weight reaches an alarm threshold, generating an alarm to notify that the session is initiated by a trojan. An embodiment of the present invention achieves trojan detection by inspecting the packets in the session, so that a trojan in a network can be detected. The inspection of packets in the session is not simply string matching, thus reducing the false alarm rate and effectively detecting the trojan in the network. | 11-20-2014 |
20140351936 | FREQUENCY-VARIABLE ANTI-VIRUS TECHNOLOGY - A frequency-variable anti-virus technology relates to a method and apparatus for dynamically adjusting an amount of system resources occupied by security protection software running on a user device. The method comprises: collecting, by the security protection software, state information associated with the user device; calculating the expected operating intensity of the security protection software based on the state information; and operating the security protection software based on the calculated expected operating intensity, so as to adjust the amount of system resources occupied by the security protection software. The apparatus may comprise means for performing the abovementioned steps, respectively. The method and apparatus may be used to dynamically adjust an operating policy of the security protection software, so as to more rationally allocate system resources among the software of the user device, thus improving the usage efficiency of the system resources and improving the usage experience of the user. | 11-27-2014 |
20140351937 | VIRUS CO-PROCESSOR INSTRUCTIONS AND METHODS FOR USING SUCH - Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a method for virus processing is provided. A virus signature file that includes multiple virus signatures capable of detecting and identifying a variety of known viruses is downloaded by a general purpose processor. It is determined by the general purpose processor whether a virus co-processor is coupled to the general purpose processor. When the virus co-processor is determined to be coupled to the general purpose processor, then it is further determined by the general purpose processor which virus signatures are supported by the virus co-processor (“CP-supported virus signatures”). The CP-supported virus signatures are transferred to a memory associated with the virus co-processor. The virus co-processor is directed by the general purpose processor to perform a virus scan based on the supported virus signatures. | 11-27-2014 |
20140351938 | SERVER BASED MALWARE SCREENING - An Internet infrastructure is provided to transfer a packet of data between a client device and a source device. The infrastructure consists of a support server that screens the packet for malware codes on behalf of a registered client. In order to scan for malware, the support server contains hardware and/or software modules to perform malware detection and quarantine functions. The modules identify malware bit sequences in the packet(s); the malware bit sequences or the entire contaminated code are quarantined or repaired as appropriate. After identification of malware code (if any), the support server sends warning messages to affected parties, providing information regarding the malware codes that were detected. | 11-27-2014 |
20140359772 | Detecting sensitive data access by reporting presence of benign pseudo virus signatures - An owner of sensitive data is provided with a notification that the sensitive data has been located. To achieve this, the sensitive data is first modified to include one or more data strings that may appear to be suspect but are otherwise benign. These data strings, which are referred to herein as benign pseudo virus signatures (BPVSs), preferably are embedded throughout a piece of sensitive data according to a frequency distribution. When the sensitive data is examined by virus checking software, the benign pseudo virus signatures are detected as potential computer viruses. By using information associated with the signatures, the owner is identified, preferably using the assistance of an intermediary entity that acts as a registry for the BPVSs. Once the owner is identified, a notification is provided to the owner that the sensitive data has been located. Appropriate remedial action can then be taken. | 12-04-2014 |
20140359773 | INTRA STACK FRAME RANDOMIZATION FOR PROTECTING APPLICATIONS AGAINST CODE INJECTION ATTACK - A method of randomizing locations of variables in a stack includes: identifying a plurality of stack locations corresponding to a plurality of variables; shuffling the stack locations of the variables to produce shuffled stack locations; and updating the stack locations of the variables with the shuffled stack locations. | 12-04-2014 |
20140359774 | Protecting Anti-Malware Processes - Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificates which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process. | 12-04-2014 |
20140359775 | Protecting Anti-Malware Processes - Anti-malware process protection techniques are described. In one or more implementations, an anti-malware driver is signed using a hash that identifies a manufacturer of the anti-malware driver. The anti-malware driver is then provided to a computing device. The anti-malware driver may be assigned a protection level based on an agreement between the anti-malware manufacturer and an operating system manufacturer, and this protection level affects the operation of the anti-malware program on the computing device. | 12-04-2014 |
20140366137 | System and Method for Detecting Malicious Executable Files Based on Similarity of Their Resources - Disclosed are systems, methods and computer program products for detection of malicious executable files based on the similarity of various types of extractable resources of the executable files. In one aspect, the system determines a type of an executable file being analyzed and determines types of extractable resources of the executable file based on the type of the executable file. The system then extracts the identified extractable resources of the executable file and compares the extracted resources to known resources of malicious executable files. The system then determines a degree of similarity between the compared resources. The system then determines whether the executable file is malicious based on a degree of similarity of the one or more compared resources. | 12-11-2014 |
20140366138 | METHOD, DEVICE AND STORAGE MEDIUM FOR PROCESSING VIRUS - The present disclosure relates to a method, a device and a storage medium for processing viruses, which can automatically determine which processing mode is best for the current status of the electronic apparatus. The method includes: detecting a virus scan operation; in response to the virus scan operation, determining whether conditions (i) and (ii) are true, wherein condition (i) is true when the time interval between the last time a virus was processed using a first virus processing mode and the current time is larger than a preset interval, and condition (ii) is true when at least one risk situation existed during the time period between the last time a virus was processed using the first virus processing mode and the current time; and if either condition (i) or condition (ii) is true, calling the first virus processing mode to scan files in the electronic apparatus. | 12-11-2014 |
20140366139 | DATA CENTER INFRASTRUCTURE MANAGEMENT SYSTEM INCORPORATING SECURITY FOR MANAGED INFRASTRUCTURE DEVICES - A system is disclosed for enhancing detection of a security threat to a managed infrastructure device operating within a data center. The system may have a data center infrastructure management (DCIM) system for monitoring operation of the managed infrastructure device. The DCIM system may include a remote access appliance for communicating with the managed infrastructure device. The managed infrastructure device may include an on-board computer. The remote access appliance may include an engine configured to detect if information to be communicated to the on-board computer poses a security threat to the managed infrastructure device. | 12-11-2014 |
20140373151 | System and Method for Operating Malicious Marker Detection Software on Management Controller of Protected System - An information handling system includes a processor and a management controller separate from the processor. The management controller is operable to store an anti-virus program and a malicious marker detection program in a memory of the management controller, and to execute the malicious marker detection program. The malicious marker detection program operates to detect a state of a device of the information handling system, determine that the information handling system is under attack from a malicious program in response to detecting the state of the device, and send an alert to a management system coupled to the information handling system, the alert indicating that the information handling system is under attack from the malicious program. | 12-18-2014 |
20140373152 | METHOD AND DEVICE FOR SEARCHING FOR PARENT VIRUS - A method and a device for searching for a parent virus file are disclosed. The method includes: determining an arbitrary virus file as a child virus file; obtaining a computer containing the child virus file; identifying the time when the child virus file first appeared in the computer; identifying the times when other virus files contained in the computer that are different from the child virus file were first executed; determining suspect parent virus files from among the other virus files, the suspect parent virus files being those first executed within a predetermined time period before the time when the child virus file first appeared in the computer; and determining the parent virus file from among the suspect parent virus files. Based on the principle that the time when the parent virus file is first executed is earlier than the time when the child virus file first appears, the suspect parent virus files are determined, and the parent virus file is found from among the suspect parent virus files. | 12-18-2014 |
20140373153 | Anti-Malware Tool for Mobile Apparatus - A method, apparatus, and computer program for monitoring security of a mobile apparatus are disclosed. The method includes executing a security application in a mobile apparatus; monitoring, by the security application, user interface locking status of the mobile apparatus; determining, as a result of said monitoring, that the user interface has been locked; identifying an application that has caused said locking of the user interface; checking a reputation status of the identified application; upon detecting, as a result of said reputation status check, that the identified application has a bad reputation status, restricting operation of the identified application and unlocking the user interface. | 12-18-2014 |
20140373154 | Defensive Techniques to Increase Computer Security - Among other disclosed subject matter, a computer-implemented method includes initializing a first descriptor table and a second descriptor table. The first descriptor table is associated with a first permission level and the second descriptor table is associated with a second permission level that is different from the first permission level. The first descriptor table and the second descriptor table are associated with a hardware processor and initialized by an operating system kernel. The method also includes providing a memory address associated with the first descriptor table, in response to a descriptor table address request. The descriptor table address request is provided by a software process. The method also includes updating the second descriptor table, in response to an update request. | 12-18-2014 |
20140373155 | SYSTEM AND METHOD FOR CONTROLLING APPLICATIONS TO MITIGATE THE EFFECTS OF MALICIOUS SOFTWARE - Methods and systems for mitigating the effects of a malicious software application are disclosed. A dedicated module on the computing device receives from a malicious software detector a message indicating whether the application is malicious or has a malicious component. The dedicated module obtains a set of permissions to be granted to the application, and instructs software on the computing device that controls the permissions of the application to grant the set of permissions. | 12-18-2014 |
20140373156 | NOTIFICATION FOR REASSEMBLY-FREE FILE SCANNING - Techniques for notification of reassembly-free file scanning are described herein. According to one embodiment, a first request for accessing a document provided by a remote node is received from a client. In response to the first request, it is determined whether a second, earlier request for accessing the document of the remote node indicates that the requested document from the remote node contains offensive data. If the requested document contains offensive data, a message is returned to the client, without accessing the requested document of the remote node, indicating that the requested document is not delivered to the client. | 12-18-2014 |
20140380480 | METHOD, DEVICE AND SYSTEM FOR IDENTIFYING HARMFUL WEBSITES - The present disclosure provides a method for identifying harmful websites, which comprises: receiving, by a terminal device having a processor, at least one input address of a target website; receiving, by the terminal device, a local blacklist comprising at least an address of at least one harmful website; determining, by the terminal device, whether the input address of the target website matches any address in the local blacklist; if the input address of the target website matches an address in the local blacklist, identifying the target website as a harmful website; and if the input address of the target website does not match any address in the local blacklist, uploading the input address to a security detection server. | 12-25-2014 |
20140380481 | PORTABLE SECURITY DEVICE AND METHODS FOR DETECTION AND TREATMENT OF MALWARE - Disclosed is a portable security device and method for detection and treatment of computer malware. An example method includes performing a malware detection experiment by the security device on the computer by simulating a connection to the computer of a simulated data storage device containing a predefined set of data. The method further includes determining if there are any modifications in the set of data contained in the simulated data storage device after termination of the malware detection experiment. The method further includes, based on whether there are any modifications in the set of data, determining whether to perform one or more subsequent malware detection experiments by the security device on the computer. In one example aspect, each of the one or more subsequent malware detection experiments is configured to simulate a different connection to the computer of a different simulated data storage device containing the predefined set of data. | 12-25-2014 |
20140380482 | SYSTEMS AND METHODS FOR MALWARE DETECTION AND SCANNING - Systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page. | 12-25-2014 |
20140380483 | OPERATION OF A DUAL INSTRUCTION PIPE VIRUS CO-PROCESSOR - Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a content object that is to be virus processed is stored by a general purpose processor to a system memory. Virus scan parameters for the content object are set up by the general purpose processor. Instructions from a virus signature memory of a virus co-processor are read by the virus co-processor based on the virus scan parameters. The instructions contain op-codes of a first instruction type and op-codes of a second instruction type. Those of the instructions containing op-codes of the first instruction type are assigned to a first instruction pipe of multiple instruction pipes of the virus co-processor for execution. An instruction of the assigned instructions containing op-codes of the first instruction type is executed by the first instruction pipe including accessing a portion of the content object from the system memory. | 12-25-2014 |
20150020201 | ANTI-VIRAL COMPILER - In one general embodiment, a computer program product for compiling code includes a computer readable storage medium having computer readable code stored/encoded thereon. The computer readable code is readable/executable by a processor to: receive computer readable code to compile, the code including one or more functions, each function including one or more call functions; and build a stack frame for one of the call functions in the code. The stack frame includes: a return address sequence, logic configured to define local variables, logic configured to define a first guard variable and a second guard variable, logic configured to compare the first guard variable to the second guard variable, logic configured to execute the return address sequence when the first and second guard variables match, and logic configured to abort prior to executing the return address sequence when the first and second guard variables do not match. | 01-15-2015 |
20150020202 | SYSTEM AND METHOD FOR BYPASSING A MALWARE INFECTED DRIVER - Aspects of the present disclosure relate to setting up an alternate communication path to a device, resource, file, etc., in order to avoid a potentially infected driver. New drivers may be established as part of the alternate communications path, thereby providing access to a device, resource, etc. using drivers that are known to be clean or, in other words, not infected by a rootkit. In doing so, a rootkit hunter, e.g., antivirus software, antimalware software, etc., may access an infected device, resource, etc. without alerting a rootkit, thereby avoiding activation of the rootkit's defensive mechanisms. In one aspect, an I/O request may be serviced by using the new communications path bypassing any potentially infected drivers while another request may be serviced using a previously established communications path. The responses (e.g., data returned, action performed, etc.) of the requests may then be compared. | 01-15-2015 |
20150020203 | METHOD AND DEVICE FOR PROCESSING COMPUTER VIRUSES - Disclosed is a method for multiple antivirus engines to clear viruses in parallel. The multiple antivirus engines include at least one first antivirus engine and at least one second antivirus engine. The method for multiple antivirus engines to clear viruses in parallel includes: invoking a first antivirus engine, and scanning a first classified file in a file to be checked for and rid of viruses to obtain a first scanning result which includes a target file in the first classified file ( | 01-15-2015 |
20150026812 | METHOD AND DEVICE FOR DETECTING VIRUS OF INSTALLATION PACKAGE - Examples of the present disclosure provide a method and device for detecting a virus in an installation package. The method includes: an installation package is unpacked, and the description information obtained by unpacking the installation package is cached; after a virus detection startup instruction is received, the cached description information is read; the installation package is analyzed according to the read description information, and whether there is a virus in the installation package is determined. Technical solutions of the present disclosure can increase the speed of installation package virus detection. | 01-22-2015 |
20150033344 | INTERNET-BASED PROXY SECURITY SERVICES - A proxy server receives from a client device a request to perform an action on an identified resource that is hosted at an origin server for a domain. The proxy server receives the request as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server and the origin servers are owned by different entities. The proxy server analyzes the request to determine whether a visitor belonging to that request poses a threat. If the proxy server determines that the visitor poses a threat, the proxy server blocks the request and transmits a block page to the client device that indicates that the request has been blocked. | 01-29-2015 |
20150033345 | RESISTING THE SPREAD OF UNWANTED CODE AND DATA - A method or system of receiving an electronic file containing content data in a predetermined data format, the method comprising the steps of: receiving the electronic file, determining the data format, parsing the content data, to determine whether it conforms to the predetermined data format, and if the content data does conform to the predetermined data format, regenerating the parsed data to create a regenerated electronic file in the data format. | 01-29-2015 |
20150047044 | SYSTEM AND METHODS FOR PROTECTING AND USING DIGITAL DATA - Embodiments of the invention include a computer-implemented method of securing data transfer to a computing device by accessing a secure data transfer module and performing a security threat assessment of the hardware and software of the device by scanning for a security threat. The security threat can include absence of antivirus software, presence of unapproved antivirus software, out-of-date virus definitions, presence of a malicious software code, and an operating system of the computing device that has been modified, or has not received recent operating system updates, or threats related to digital content. Moreover, the computer-implemented method includes using a processor of the computing device to access a secure data transfer module to process a secure data transfer to the computing device in the absence of any security threats. Embodiments also include a removable non-transitory computer-readable storage device for storing and executing files for the computer-implemented method within a computing device. | 02-12-2015 |
20150052610 | GLOBAL PLATFORM HEALTH MANAGEMENT - The use of one or more device health values to indicate the health status of a computing device may enable operating system developers to directly manage the security configuration of the computing device. The generation of a device health value involves initializing hardware components of a computing device and loading the operating system according to configuration settings during boot up of the computing device. The device health value is then generated based on a state of the hardware component and/or a state of a software stack that includes the operating system at boot up. The device health value may be compared to a reference health value to determine whether the computing device is in a secured state. | 02-19-2015 |
20150052611 | METHOD AND DEVICE FOR EXTRACTING CHARACTERISTIC CODE OF APK VIRUS - Disclosed are a method and a device for extracting a characteristic code of an APK virus. The method comprises: scanning a designated file in an Android installation package APK; extracting an operation instruction in the designated file, and judging whether the operation instruction contains virus information; and if yes, generating a characteristic code of the virus according to the operation instruction. In the application, the characteristic code of the virus APK can be accurately and effectively extracted, so as to facilitate improvement of efficiency and accuracy of identification of the virus APK and a variation thereof, thereby improving the security of an APK application. | 02-19-2015 |
20150052612 | METHOD AND DEVICE FOR IDENTIFYING VIRUS APK - Disclosed are a method and a device for identifying a virus APK. The method comprises: presetting a virus database comprising a virus characteristic code; detecting whether a designated file in a target Android installation package APK contains the virus characteristic code; and if yes, determining that the target Android installation package APK is a virus APK. In the application, the virus APK and a variation thereof can be rapidly, accurately and effectively identified, thereby improving the security of an APK application. | 02-19-2015 |
20150052613 | DATABASE ANTIVIRUS SYSTEM AND METHOD - A system and method for analyzing a file for a virus for databases through an antiviral apparatus. | 02-19-2015 |
20150058991 | METHOD AND APPARATUS FOR MONITORING AND FILTERING UNIVERSAL SERIAL BUS NETWORK TRAFFIC - In one embodiment, a method includes obtaining at least one packet from a first element on a Universal Serial Bus (USB) bus. The at least one packet is intended for a second element. The method also includes processing the at least one packet to determine whether the at least one packet is associated with unsafe content, and providing the at least one packet to the second element if it is determined that the at least one packet is not associated with the unsafe content. The at least one packet is provided to the second element on the USB bus. Finally, the method includes blocking the at least one packet from being provided to the second element when it is determined that the at least one packet is associated with the unsafe content. | 02-26-2015 |
20150058992 | METHOD AND SYSTEM FOR MALICIOUS CODE DETECTION - Embodiments of the invention are directed towards detecting and identifying malicious code injected into other legitimate web pages. The detection is divided into two processes. The first process is to detect a malicious code string within received web page code using a set of one or more criteria. The criteria include length of the string, as well as whether the string changes between received instances, and the status of the string within the web page code, particularly whether it is encapsulated between scripting tags, or otherwise indicated as being executable. The second process is based on using a proxy that will help in extracting and scanning the decrypted code against any malicious content. In particular, the second phase acts to remove the armour and evasion features that may be built into the malicious code, so that the code may then be inspected by the existing anti-virus or other host intrusion detection system (HIDS) present on the target system. Inspection may take place by dumping the memory contents to a file and then passing the file for inspection to the existing anti-virus or other HIDS. | 02-26-2015 |
20150067860 | Virus Detector Controlled Backup Apparatus and File Restoration - A store for virus and malware fingerprints is coupled to a backup server apparatus which receives hashes and file shards from backup clients through a network. A circuit compares hashes received from backup clients to determine matches with file shards previously stored and matches with file shards with virus or malware infections. File shards not previously stored are received for backup and inspection by a virus filter. When a received file shard is determined to match a virus or malware fingerprint, a process is initiated to restore the file on the backup client to a clean version and notify the user and the network security administrator. The hashes of file shards determined to match a virus or malware fingerprint are stored for future reference. The data of a file shard which has been determined to be infected is also stored in case of a false-positive determination. | 03-05-2015 |
20150067861 | DETECTING MALWARE USING REVISION CONTROL LOGS - Methods, systems, computer-readable media, and apparatuses for detecting malware using revision control logs are presented. In some embodiments, a computing device may gather one or more revision control logs, and the one or more revision control logs may identify one or more code changes. Subsequently, the computing device may determine, based on one or more risk factors, that at least one code change identified in the one or more revision control logs is potentially malicious. Based on determining that the at least one code change is potentially malicious, the computing device may generate a notification indicating that the at least one code change is potentially malicious. | 03-05-2015 |
20150067862 | MALWARE ANALYSIS METHODS AND SYSTEMS - Methods of analyzing malware and other suspicious files are presented, where some embodiments include analyzing the behavior of a first malware sample on both a virtual machine and a physical computing device, the physical device having been booted from a secondary boot source, and determining whether the behavior of the malware sample was different on the virtual machine and the physical computing device. In certain embodiments, a notification indicating that the behavior was different may be generated. In other embodiments, a malware analysis computing device that is configured to receive a base hard drive image may be networked booted, and the behavior of the malware sample on the malware analysis computing device may be analyzed. In certain embodiments, a malware-infected hard drive image may then be copied off the malware analysis computing device for further forensic analysis. | 03-05-2015 |
20150067863 | METHOD AND APPARATUS FOR PROCESSING FINITE AUTOMATA - A method and corresponding apparatus for run time processing use a Deterministic Finite Automata (DFA) and Non-Deterministic Finite Automata (NFA) to find the existence of a pattern in a payload. A subpattern may be selected from each pattern in a set of one or more regular expression patterns based on at least one heuristic. The DFA may be generated from selected subpatterns from all patterns in the set, and at least one NFA may be generated for at least one pattern in the set, optimizing run time performance of the run time processing. | 03-05-2015 |
20150067864 | SECURED AUTOMATED OR SEMI-AUTOMATED SYSTEMS - Secured automated or semi-automated systems are provided herein. In one embodiment, a sensor system includes a sensor, a legacy computing environment that is configured to communicate with the sensor and process sensor raw data output, and transmit the processed sensor output to a first network node over the network, and a trusted computing environment configured to receive raw sensor output directly from the sensor and transmit the raw sensor output to an additional network node or the first network node over the network. | 03-05-2015 |
20150082440 | DETECTION OF MAN IN THE BROWSER STYLE MALWARE USING NAMESPACE INSPECTION - Methods and systems for detecting fraudulent activity are described. A user types in a web address in his or her browser to request a webpage from a server, and the server communicates the webpage to the user. The communicated webpage includes a document object model (DOM) inspector and/or a JavaScript (JS) namespace inspector. The DOM inspector and JS namespace inspector detect anomalous DOM elements and anomalous JS namespace elements respectively. The DOM inspector and JS namespace inspector discover objects on the rendered webpage that should not be there. | 03-19-2015 |
20150089655 | SYSTEM AND METHOD FOR DETECTING MALWARE BASED ON VIRTUAL HOST - A system and method for detecting malware based on a virtual host are provided. The system for detecting malware based on a virtual host includes a terminal network behavior analysis server and a virtual host. The terminal network behavior analysis server extracts network behavior information by monitoring the network behavior of an actual host, and outputs the extracted network behavior information. The virtual host detects malware corresponding to abnormal behavior in the actual host, by receiving the network behavior information and then performing the corresponding behavior. | 03-26-2015 |
20150096031 | SYSTEM AND METHOD FOR PROVIDING SIMPLIFIED END-TO-END SECURITY FOR COMPUTING DEVICES IN STANDALONE, LAN, WAN OR INTERNET ARCHITECTURES - The present invention generally relates to systems and methods for end-to-end security for computing devices in standalone, LAN, WAN or Internet architectures. Specifically, the present invention relates to a computer implemented system and method for providing simplified end-to-end security for computing devices in standalone, LAN, WAN or Internet architectures. | 04-02-2015 |
20150101052 | METHOD FOR FUNCTION CAPTURE AND MAINTAINING PARAMETER STACK - A system and method for capturing and re-calling an application function. The method of function re-call during anti-virus check includes the following steps: function intercept (capture); anti-virus analysis of the parameters used to call the function; preparing of an application stack for function re-call (when the analysis did not detect any malicious functionality); and calling the function again. The exemplary method can be used with browsers and other applications. | 04-09-2015 |
20150101053 | SYSTEM AND METHOD FOR DETECTING INSIDER THREATS - An approach for detecting an insider threat is described. Embodiments include determining one or more features from one or more network transfers among a plurality of network entities, determining a baseline behavioral profile of the plurality of network entities based on the one or more features; and determining at least one malicious network entity from among the plurality of network entities based on a systematic deviation from the baseline behavioral profile of at least one of the one or more features. | 04-09-2015 |
20150101054 | OPERATION OF A DUAL INSTRUCTION PIPE VIRUS CO-PROCESSOR - Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a system includes a system memory, a general purpose processor, an instruction memory and a virus co-processor. The processor is coupled to the system memory and operable to store a data segment therein. The instruction memory includes a virus signature, having a first instruction of a first instruction type and a second instruction of a second instruction type, for detection of a computer virus. The co-processor is coupled to the instruction memory and the system memory and is operable to access the data segment. The co-processor includes first and second instruction pipes operable to execute the first and second instruction types, respectively. The first and second instruction pipes include first and second write back circuits, respectively, that are linked to ensure an ordered write back of instructions. | 04-09-2015 |
20150101055 | METHOD, SYSTEM AND TERMINAL DEVICE FOR SCANNING VIRUS - A method, a system and a terminal device for virus scanning are described and related to the field of internet technology. The method includes: monitoring whether a terminal device performs a lock screen operation; determining whether a virus scan has been performed on the terminal device during a period from a time at which a security software program is installed to a current time; and if the virus scan has never been performed on the terminal device during the period from the time at which the security software program is installed to the current time, enabling the security software program to perform the virus scan. In the method, the system and the terminal device, a virus can be scanned in time and the efficiency of virus scanning can be relatively improved. | 04-09-2015 |
20150106937 | Multi-Network Virus Immunization - An apparatus, device, methods, computer program product, and system are described that determine a virus associated with a communications network, and distribute an anti-viral agent onto the communications network using a bypass network, the bypass network configured to provide transmission of the anti-viral agent with at least one of a higher transmission speed, a higher transmission reliability, a higher transmission security, and/or a physically-separate transmission path, relative to transmission of the virus on the communications network. | 04-16-2015 |
20150106938 | EMAIL DELIVERY SYSTEM USING METADATA ON EMAILS TO MANAGE VIRTUAL STORAGE - E-mail system which organizes e-mails into queues based on their locations and characterizes the e-mails. Metadata, indicative of the e-mail, is appended to the e-mail. The queues are organized based on the metadata, and processed. The metadata is always stored in local storage; and the message body may be stored in local storage, or in remote storage, depending on how long it will be until the message is sent. A special server manages whether the information is stored in local or remote storage. | 04-16-2015 |
20150113651 | SPAMMER GROUP EXTRACTION APPARATUS AND METHOD - The present invention relates to a spammer group extraction apparatus and method, which extract spammer groups that interfere with fair trade and unbiased decision making by sending messages aimed at intentionally slandering other companies (other persons, other products, etc.) on social network services. The spammer group extraction apparatus includes a data collection unit for collecting pieces of data corresponding to social network services. A natural language processing unit preprocesses the pieces of data using a natural language processing algorithm based on big data. An abnormal behavior detection unit detects abnormal behavior based on user identifications (IDs) respectively corresponding to pieces of data, preprocessing of which has been completed. A spammer extraction unit extracts a spammer group using a user ID causing the abnormal behavior and an ID of a user group including the user ID. | 04-23-2015 |
20150113652 | DETECTION OF ROGUE SOFTWARE APPLICATIONS - Software applications are analyzed to determine if they are legitimate applications and warnings are provided to users to avoid installation and/or purchases of unnecessary and/or potentially harmful software based on comparisons of user-interface characteristics of the software applications to visual characteristics of authentic applications to determine to what extent they match (or do not match) or are attempting to mirror the legitimate application. | 04-23-2015 |
20150113653 | SCANNING METHOD AND DEVICE, AND CLIENT APPARATUS - Disclosed are a scanning method and device, and a client apparatus. The method comprises: when a specified scanning is started, enumerating at least one disk file in an area corresponding to the specified scanning; determining, according to the at least one disk file and at least one suspicious file obtained in a real-time protection process, a file scanning queue; and scanning the determined file scanning queue according to a virus scanning engine. The present invention redetermines a file scanning queue according to the suspicious file obtained in advance from the real-time protection process, so that the possible threats are scanned throughout, thus thoroughly removing the threats. With the scanning method according to the present embodiment, the files can be thoroughly scanned, thus improving the capability of removing the threats and the efficiency of searching for and removing the viruses, as compared with the prior art. | 04-23-2015 |
20150113654 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR MANAGING A PLURALITY OF APPLICATIONS VIA A SINGLE INTERFACE - A system, method and computer program product are provided for managing a plurality of applications via a single interface. It is initially identified as to which of a plurality of applications are installed on a computer. A status of each of the applications is then presented via a single graphical user interface. | 04-23-2015 |
20150121530 | System and Method for Sharing Files Between a Removable Device and a Target System - A method for sharing one or more files from a removable medium to a target computer includes sending a request for an application for converting the one or more files to a format compatible for use in the target computer; using the application, converting the files into the compatible format; emulating a file system, the emulated file system corresponding to the removable medium; storing the converted files in the emulated file system; and providing the target computer access to the converted files through the emulated file system. | 04-30-2015 |
20150121531 | SYSTEM AND METHOD FOR PRESERVING AND SUBSEQUENTLY RESTORING EMULATOR STATE - Disclosed are systems, methods, and computer program products for preserving and subsequently restoring a state of a program emulator. In one aspect, the system loads a file into an emulator of the computer system and determines whether an emulation is being performed for the first time. When the emulation is performed for the first time, the system loads into the emulator an initial image of the emulator state and emulates the file using the loaded initial image of the emulator state. During emulation, the system creates and stores new images of the emulator state upon occurrence of predefined conditions. When the emulation is not performed for the first time, the system identifies new images of the emulator state created during initial emulation of the file, loads into the emulator the identified images, and resumes emulating the file using the new images of the emulator state. | 04-30-2015 |
20150128276 | METHOD AND APPARATUS FOR A CENTRALLY MANAGED NETWORK VIRUS DETECTION AND OUTBREAK PROTECTION - A method, non-transitory computer readable medium, and apparatus for configuring a virus detection of a plurality of network elements in a communication network are disclosed. For example, the method monitors an attribute of each one of the plurality of network elements, detects that the attribute of one or more of the plurality of network elements breaches at least one respective threshold, configures each one of the one or more of the plurality of network elements to reduce a number of virus detection processes of the virus detection in accordance with a respective type of network element, and resumes a normal virus detection for each one of the one or more of the plurality of network elements when the attribute of a respective one of the one or more network elements does not breach the respective threshold. | 05-07-2015 |
20150128277 | SCANNING COMPUTER FILES FOR SPECIFIED CONTENT - Scanning for computer viruses or E-mail and data content filtering is performed using a distributed programming approach. A master computer | 05-07-2015 |
20150128278 | SYSTEM AND METHOD FOR CORRECTING ANTIVIRUS RECORDS USING ANTIVIRUS SERVER - Disclosed are a system, method and computer program product for correcting antivirus records. In an example aspect, an antivirus application receives a software object for malware detection using an antivirus database and an antivirus cache. The antivirus database comprises antivirus records and the antivirus cache comprises corrections of the antivirus records. The antivirus application determines that the software object is malicious by activating an antivirus record based on information in the antivirus database or the antivirus cache. The antivirus application transmits information relating to the antivirus record to a server prior to executing actions associated with the antivirus record in response to detecting a selected status indicator of the antivirus record. The antivirus application then receives a correction of the antivirus record from the server for processing the software object. | 05-07-2015 |
20150135320 | METHODS AND APPARATUS TO IDENTIFY MALICIOUS ACTIVITY IN A NETWORK - Methods, apparatus, systems and articles of manufacture are disclosed to learn malicious activity. An example method includes assigning weights of a distance function to respective statistical features; iteratively calculating, with a processor, the distance function to adjust the weights (1) to cause a reduction in a first distance calculated according to the distance function for a first pair of entities in a reference group associated with malicious activity and (2) to cause an increase in a second distance calculated according to the distance function for a first one of the entities included in the reference group and a second entity not included in the reference group; and determining whether a first statistical feature is indicative of malicious activity based on a respective adjusted weight of the first statistical feature determined after calculating the distance function for a number of iterations. | 05-14-2015 |
20150135321 | MEMORY CONTENT PROTECTION - A method of protection of memory contents in a computer which includes the steps of loading a program into the computer and executing such program so that the memory contents of the computer are used to create and store on the same computer cryptographic hash tags uniquely identifying the contents for each of blocks of memory content of selected and consistent size and their location and applying this to all of the memory contents, analysing the hash tags so as to identify those that have an identical memory content, recording such results of such analysis, then effecting a transfer to an independent memory a copy of the hash tags and the associated memory blocks as well as the other information regarding their location this being with the exception where the contents of a block are identical, and then transferring only one copy of such contents. | 05-14-2015 |
20150135322 | METHOD FOR SAFEGUARDING WINDOWS OPERATING SYSTEM AGAINST COMPUTER VIRUSES, SPYWARE AND/OR HACKERS, AND HARD DISK USED IN SAID METHOD - The invention relates to a method for safeguarding a Windows operating system against computer viruses, spyware, and/or hackers and to the hard drive used in the method. The method includes the following steps: any version of Windows, the programs and corresponding files associated with the operating system and the drivers associated with the equipment are installed in a first partition of the hard drive. The files of all of the utilities associated with the programs contained and installed in the first partition are redirected to a second partition. The information contained in the first partition is copied to a third backup partition in a USB flash memory integrated in a logic board belonging to the hard drive containing it. The hard disk includes a logic board and storage plates. First and second partitions are included in the storage plates. The first partition contains the Windows Operating System with its associated drivers plus the programs installed. The second partition contains all of the files redirected from the first partition. In addition, a third backup partition is included, defined by a USB flash memory disposed integrally in the logic board in the hard drive. | 05-14-2015 |
20150135323 | METHOD AND DEVICE FOR OBTAINING VIRUS SIGNATURES - A method and a device for obtaining virus signatures in the field of computer security have been disclosed. The method includes: obtaining text strings contained in each virus sample within a virus sample set; selecting text strings for use as virus signature candidates according to a first frequency at which each text string occurs in a non-virus sample set and a second frequency at which each text string occurs in the virus sample set; calculating an information entropy of the virus signature candidates according to a quantity of virus samples containing the virus signature candidates and a quantity of non-virus samples containing the virus signature candidates; and selecting virus signatures from the virus signature candidates according to the information entropy. The present disclosure may timely identify the latest virus signatures and ensure that the obtained virus signatures are optimal signatures and may identify a wide range of virus variants. | 05-14-2015 |
20150143523 | VIRUS PROCESSING METHOD AND APPARATUS - Embodiments of the present disclosure provide a virus processing method and apparatus. In embodiments of the present disclosure, attribute analysis on the threads contained in the target process is performed to determine whether at least one of the threads contained in the target process matches virus attribute information. If at least one of the threads contained in the target process matches virus attribute information, virus type information is determined based on the matched virus attribute information, so that execution of the process creation operation is prohibited based on the virus type information. Due to the measure of prohibiting execution of the process creation operation, replication of the virus in the system can be effectively prevented so as to improve the security performance of the system. | 05-21-2015 |
20150150135 | CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS - Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a remote file-system access protocol response is received at a network device logically interposed between one or more clients and a server. The response represents a response to a request from one of the clients relating to a file associated with a share of the server. A determination is made whether a holding buffer corresponding to the file exists. If not, then one is created; otherwise, the existing holding buffer is used for any of the clients or processes running on the clients that access the file. Data read from or written to the file as a result of the request is buffered into the holding buffer. The existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer is determined by performing content filtering on the holding buffer. | 05-28-2015 |
20150150136 | SIGNATURE COMPILATION ON A SECURITY DEVICE - Signature compilation on a security device is disclosed. A first set of malware signatures is received. The first set of signatures is compiled at a first time. A second set of malware signatures is received. The second set of signatures is compiled at a second time that is different from the first time. A determination of whether a file is malicious is made based at least in part by performing a scan using the first and second compiled signatures. | 05-28-2015 |
20150294112 | SYSTEM AND METHOD FOR EMULATION OF FILES USING MULTIPLE IMAGES OF THE EMULATOR STATE - Disclosed are systems, methods, and computer program products for emulation of files using multiple images of the emulator state. In one example, the method includes loading the file into an emulator of the computer system; initiating emulation of the file by the emulator; storing an initial image of an initial state of the emulator; continuing the emulation of the file and detecting occurrence of a condition that results during the emulation of the file; creating and storing a new image of a next state of the emulator when an occurrence of the condition is detected; determining whether the emulation of the file has terminated correctly or incorrectly; and upon determining that the emulation of the file has terminated incorrectly, loading the new image of the next state into the emulator and resuming the emulation of the file from the next state of the emulator. | 10-15-2015 |
20150295943 | SYSTEM AND METHOD FOR CYBER THREATS DETECTION - A system and method for detecting a cyber-threat according to embodiments of the present invention comprise automatically discovering resources on a network, by a resource detection unit, emulating, by a faked asset creation unit, at least one resource discovered on the network, associating a malware trap sensor with the emulated resource and detecting by the malware trap sensor, a malware related to the emulated resource. The system and method may further comprise uploading data related to the detected malware to a server, analyzing, by the server, uploaded data to produce an analysis result and perform one or more actions based on the analysis result. | 10-15-2015 |
20150295944 | CONTROL SYSTEM, CONTROL METHOD, AND CONTROLLER - When a security abnormality has been detected in a control system, the safety of the control system is ensured. In a control system including field equipment that executes a controlled process and a controller that controls execution of a controlled process by the field equipment, the controller detects a security abnormality in the control system and determines and executes a security countermeasure method against the security abnormality based on a status of a controlled process when the security abnormality has been detected in the control system. | 10-15-2015 |
20150302192 | SYSTEM AND METHODS OF PERFORMING ANTIVIRUS CHECKING IN A VIRTUAL ENVIRONMENT USING DIFFERENT ANTIVIRUS CHECKING TECHNIQUES - Disclosed are methods, systems and computer program products for antivirus checking of software objects in a virtual environment. An example method includes monitoring and identifying, by an antivirus agent running on a virtual machine in the virtual environment, an event occurring in the virtual machine, an object related to the event, and a type of the object; upon determining that the object needs an antivirus checking, sending, by the antivirus agent, to a control module in the virtual environment, information of the object and the event; determining, by the control module, priorities of executing one or more antivirus checking methods determined for the object; and distributing, by the control module, among one or more selected components of an antivirus system in the virtual environment, the one or more antivirus checking methods to be performed on the object based on the priorities. | 10-22-2015 |
20150310212 | Detecting Script-Based Malware using Emulation and Heuristics - The subject disclosure is directed towards running script through a malware detection system including an emulator environment to detect any malware within the script. Statistics are collected as part of processing the script, with parameterized heuristic analysis used to determine whether to run the emulation. The processing through the malware detection system may be iterative, to de-obfuscate layers of obfuscated malware. The emulator may be updated via signatures. | 10-29-2015 |
20150312266 | ADVANCED PERSISTENT THREAT DETECTION - A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection. | 10-29-2015 |
20150319182 | SYSTEMS AND METHODS FOR DYNAMIC CLOUD-BASED MALWARE BEHAVIOR ANALYSIS - A cloud-based method, a behavioral analysis system, and a cloud-based security system can include a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion; and a behavioral analysis system communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes; wherein the plurality of nodes each comprise a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content. | 11-05-2015 |
20150326585 | Fuzzy Whitelisting Anti-Malware Systems and Methods - In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety. | 11-12-2015 |
20150326592 | EMULATING SHELLCODE ATTACKS - A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as would a successful shellcode attack. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code. | 11-12-2015 |
20150332046 | OPERATION OF A DUAL INSTRUCTION PIPE VIRUS CO-PROCESSOR - Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a content object that is to be virus processed is stored by a general purpose processor to a system memory. Virus scan parameters for the content object are set up by the general purpose processor. Instructions from a virus signature memory of a virus co-processor are read by the virus co-processor based on the virus scan parameters. The instructions contain op-codes of a first instruction type and op-codes of a second instruction type. Those of the instructions containing op-codes of the first instruction type are assigned to a first instruction pipe of multiple instruction pipes of the virus co-processor for execution. An instruction of the assigned instructions containing op-codes of the first instruction type is executed by the first instruction pipe including accessing a portion of the content object from the system memory. | 11-19-2015 |
20150334125 | IDENTIFYING THREATS BASED ON HIERARCHICAL CLASSIFICATION - A system and a method are disclosed for identifying network threats based on hierarchical classification. The system receives packet flows from a data network and determines flow features for the received packet flows based on data from the packet flows. The system also classifies each packet flow into a flow class based on flow features of the packet flow. Based on a criterion, the system selects packet flows from the received packet flows and places the selected packet flows into an event set that represents an event on the network. The system determines event set features for the event set based on the flow features of the selected packet flows. The system then classifies the event set into a set class based on the determined event set features. Based on the set class, the computer system may report a threat incident on an internetworking device that originated the selected packet flows. | 11-19-2015 |
20150347753 | MALWARE DETECTION SYSTEM AND METHOD FOR MOBILE PLATFORMS - In one example, a management server is configured to provide malware protection for one or more client mobile platforms in communication with the management server via a mobile network. In the example, the management server includes a processor configured to detect malware in the mobile network, select a client mobile platform having a malware scanning agent, and, manage the malware scanning agent of the client mobile platform using a device independent secure management protocol based at least in part on the malware detected in the mobile network. | 12-03-2015 |
20150347754 | WEB MALWARE BLOCKING THROUGH PARALLEL RESOURCE RENDERING - Apparatus and method for transforming Web resources into safe versions such that malicious code on the resources cannot attack the client viewing the resources. The invention separates the processing of insecure code from the processing of benign code. For Web pages, the benign code is displayed immediately to the client while insecure code is processed on a separate machine. Once insecure code is processed, benign outputs of that code are passed to the client for display. The invention safeguards the client against known and zero day exploits without requiring a catalog of malware/virus signatures, heavyweight code checkers, complete page re-writing or highly restrictive access policies. The invention provides the client with complete malware blocking while retaining most of the original functionality of the Web resource. | 12-03-2015 |
20150356291 | SYSTEM AND METHODS FOR DETECTING HARMFUL FILES OF DIFFERENT FORMATS IN VIRTUAL ENVIRONMENT - Disclosed are systems, methods and computer program products for detection of harmful files of different formats. An example method includes: receiving a suspicious file; determining a file format of the suspicious file; determining, using antivirus software, if the suspicious file is clean or harmful; and when the antivirus software fails to determine whether the suspicious file is clean or harmful, selecting, based on at least the file format of the suspicious file, a configuration of a virtual machine for analyzing a maliciousness of the suspicious file by at least: selecting a program associated with the file format of the suspicious file, opening the suspicious file using the associated program in the virtual machine, collecting data of at least one activity on the virtual machine, and analyzing the data to determine the maliciousness of the suspicious file. | 12-10-2015 |
20150356298 | METHOD AND SYSTEM FOR UNLOCKING AND DELETING FILE AND FOLDER - A method and system for unlocking and deleting a file or a folder. The method for unlocking the file or the folder comprises: receiving an unlock request for a file or a folder, wherein the unlock request includes an input parameter; verifying whether the input parameter complies with a preset condition; if the input parameter complies with the preset condition, correcting a deformed path format of the file or the folder and/or the special file name of the file or the special folder name of the folder according to a preset rule; determining whether a restrictive setting of the corrected file or folder is present; and if so, clearing the restrictive setting of the file or the folder. The embodiments of the present invention strip, layer by layer, the protections set up by virus-infected files, employing a plurality of means such as removing the read-only lock, removing the routine lock, adding authority and closing the handle, thereby increasing the ability of security software to counter a malicious program. | 12-10-2015 |
20150365429 | METHOD AND AN APPARATUS TO PERFORM MULTI-CONNECTION TRAFFIC ANALYSIS AND MANAGEMENT - A method and an apparatus to perform multi-connection traffic analysis and management are described. In one embodiment, the method includes analyzing data packets in the first data flow of a client application for a pattern of interest, where the client application communicates data using first and second data flows. In response to the method detecting a pattern of interest in the first data flow, the method identifies the second data flow and identifies a traffic policy for the second data flow. The method applies the identified traffic policy to the second data flow. Other embodiments have been claimed and described. | 12-17-2015 |
20150371041 | DEFENSIVE TECHNIQUES TO INCREASE COMPUTER SECURITY - Among other disclosed subject matter, a computer-implemented method includes changing an access permission level associated with a descriptor table responsive to a request to update the descriptor table. In some implementations, before the request to update is received, the descriptor table is maintained in a read-only state, and changing the access permission level comprises allowing write access to the descriptor table responsive to determining that the update request is authorized. | 12-24-2015 |
20150381635 | Method and System for Analysis of Security Events in a Managed Computer Network - An event retrieval and analysis system compares counts of event data for a device to stored profile counts to determine if alerts should be triggered. Event data can be retrieved by a sensor. Rules for analyzing the event data can be retrieved based on the device. The event data is analyzed based on the rules to determine recordable events. Recordable events are organized into categories representing a type or severity of attack. Current event counts are calculated by summing the recordable events for each category. A normal profile is retrieved for the device and compared to the current event count. A percentage change trigger can be retrieved from a threshold matrix based on the current event count. The percentage increase of the current event count over the normal profile is calculated and compared to the percentage change trigger to determine if an alert is triggered by the analysis system. | 12-31-2015 |
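The profile comparison described in the entry above (rules map raw events to recordable events, counts are summed per category, a percentage-change trigger is looked up from a threshold matrix by the current count, and an alert fires when the rise over the normal profile exceeds that trigger) is shown below as an added example. It is not code from the patent or its assignee; the rule table, the normal profile, the threshold bands and the sample event list are all constructed here for illustration, and the zero-baseline handling (any activity over a zero profile counts as an unbounded increase) is this example's choice.

```python
from collections import Counter

# Hypothetical rule table for the device: event signature -> category.
RULES = {
    "ssh_bruteforce": "recon",
    "port_scan": "recon",
    "exploit_attempt": "attack",
    "c2_beacon": "attack",
}

# Hypothetical stored normal profile: device -> category -> expected count per interval.
NORMAL_PROFILE = {"fw-01": {"recon": 4, "attack": 1}}

# Threshold matrix: (lowest count, highest count or None, allowed % increase).
# Small baselines tolerate big swings; large ones trip on modest changes.
THRESHOLD_MATRIX = [(0, 10, 300.0), (11, 100, 100.0), (101, None, 25.0)]


def recordable_events(raw_events, device):
    """Apply the rules: keep only this device's events whose signature maps to a category."""
    return [RULES[e["sig"]] for e in raw_events if e["device"] == device and e["sig"] in RULES]


def current_counts(raw_events, device):
    """Sum recordable events per category."""
    return dict(Counter(recordable_events(raw_events, device)))


def percentage_change_trigger(count):
    """Look up the allowed percentage increase for a given current count."""
    for low, high, pct in THRESHOLD_MATRIX:
        if count >= low and (high is None or count <= high):
            return pct
    raise ValueError(f"no threshold band for count {count}")


def percent_increase(current, normal):
    """Percentage rise over the profile; activity over a zero baseline is unbounded."""
    if normal == 0:
        return float("inf") if current > 0 else 0.0
    return (current - normal) / normal * 100.0


def analyze(raw_events, device):
    """Per category: current count, profile count, rise, trigger, and whether to alert."""
    counts = current_counts(raw_events, device)
    profile = NORMAL_PROFILE.get(device, {})
    report = {}
    for category in sorted(set(counts) | set(profile)):
        current = counts.get(category, 0)
        normal = profile.get(category, 0)
        trigger = percentage_change_trigger(current)
        increase = percent_increase(current, normal)
        report[category] = {
            "current": current, "normal": normal,
            "increase_pct": increase, "trigger_pct": trigger,
            "alert": increase > trigger,
        }
    return report


# Constructed sample: one interval of raw events from a sensor (not real data).
SAMPLE_EVENTS = (
    [{"device": "fw-01", "sig": "ssh_bruteforce"}] * 7
    + [{"device": "fw-01", "sig": "port_scan"}] * 5
    + [{"device": "fw-01", "sig": "exploit_attempt"}]
    + [{"device": "fw-01", "sig": "dns_query"}]   # no rule -> not recordable
    + [{"device": "fw-02", "sig": "port_scan"}]   # other device -> ignored for fw-01
)

if __name__ == "__main__":
    for category, row in analyze(SAMPLE_EVENTS, "fw-01").items():
        print(category, row)
```

With these inputs the `recon` category rises from 4 to 12 (200%), the 11-100 band allows only 100%, so it alerts, while `attack` stays at its profile value and does not. A device with no stored profile (here `fw-02`) alerts on any activity, which is the conservative choice; a deployment would normally bootstrap a profile first.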
20160012225 | SYSTEM AND METHOD FOR THE DETECTION OF MALWARE | 01-14-2016 |
20160014144 | METHOD AND DEVICE FOR PROCESSING COMPUTER VIRUSES | 01-14-2016 |
20160026795 | MALICIOUS CODE INFECTION SYSTEM AND MALICIOUS CODE INFECTION METHOD - Provided are a malicious code diagnosing system and a method of diagnosing malicious codes. According to embodiments of the present disclosure, a malicious code diagnosing operation is performed only on files that are likely to be infected by malicious codes, by utilizing file change log information recorded in a file system. Accordingly, the malicious code diagnosing operation can be performed more quickly and reliably than with conventional diagnosing methods. | 01-28-2016 |
20160026796 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR DETECTING A COMPROMISED COMPUTING HOST - Methods, systems, and computer readable media for detecting a compromised computing host are disclosed. According to one method, the method includes receiving one or more domain name system (DNS) non-existent domain (NX) messages associated with a computing host. The method also includes determining, using a host score associated with one or more unique DNS zones or domain names included in the one or more DNS NX messages, whether the computing host is compromised. The method further includes performing, in response to determining that the computing host is compromised, a mitigation action. | 01-28-2016 |
20160028746 | MALICIOUS CODE DETECTION - A system, method, and computer-readable medium for detecting malicious computer code are provided. A dataset may be accessed and converted to a binary dataset according to a predefined conversion algorithm. One or more cycles in the binary dataset may be identified. Statistical analysis may be performed on the identified one or more cycles. A determination that the set of dataset includes malicious software code may be made based on the performed statistical analysis. | 01-28-2016 |
20160028747 | Propagation Of Viruses Through An Information Technology Network - Requests to send data from a first host within a network of hosts are monitored against a record of destination hosts that have been sent data in accordance with a predetermined policy. Destination host identities (not the record) are stored in a buffer. The buffer size is monitored to determine whether requests from the first host are pursuant to viral activity therein. | 01-28-2016 |
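The monitoring scheme in the entry above (a per-host record of recently contacted destinations, a buffer holding only the identities of destinations not yet in that record, and a viral verdict when the buffer grows past a limit) is shown below as an added example. It is not code from the patent; the working-set size, the buffer limit, the one-release-per-tick policy and both traffic traces are constructed here, and the design follows the general request-throttling idea rather than any specific claimed embodiment.

```python
from collections import deque


class PropagationMonitor:
    """Requests to destinations in the recent working set pass immediately;
    requests to new destinations are queued in a buffer that drains one entry
    per tick. A buffer that keeps growing means the host is contacting new
    destinations faster than any normal application would."""

    def __init__(self, working_set_size=4, buffer_limit=8):
        self.working_set = deque(maxlen=working_set_size)  # the policy's record
        self.buffer = []                                    # destination identities only
        self.buffer_limit = buffer_limit

    def request(self, dest):
        """Return True if the send may proceed now, False if it was buffered."""
        if dest in self.working_set:
            return True
        if dest not in self.buffer:
            self.buffer.append(dest)
        return False

    def tick(self):
        """Once per time unit: release one buffered destination into the working set."""
        if self.buffer:
            self.working_set.append(self.buffer.pop(0))

    def viral(self):
        """Buffer size is the signal: past the limit, treat the host as infected."""
        return len(self.buffer) >= self.buffer_limit


def replay(requests, working_set_size=4, buffer_limit=8):
    """Replay (time, destination) pairs; return the peak buffer size and whether
    the host was ever flagged as viral."""
    mon = PropagationMonitor(working_set_size, buffer_limit)
    now, peak, flagged = 0, 0, False
    for t, dest in sorted(requests):
        while now < t:          # advance the clock, draining one entry per tick
            mon.tick()
            now += 1
        mon.request(dest)
        peak = max(peak, len(mon.buffer))
        flagged = flagged or mon.viral()
    return peak, flagged


# Constructed traces (not real traffic): a user revisiting a few hosts, and a
# scanner hitting twenty new addresses in the same second.
NORMAL_TRACE = [(0, "mail.corp"), (0, "intranet.corp"), (1, "mail.corp"),
                (2, "www.example.com"), (3, "mail.corp"), (4, "intranet.corp"),
                (5, "www.example.com")]
WORM_TRACE = [(0, f"10.0.0.{i}") for i in range(1, 21)]

if __name__ == "__main__":
    print("normal:", replay(NORMAL_TRACE))
    print("worm:  ", replay(WORM_TRACE))
```

The normal trace never holds more than two unreleased destinations, because repeat contacts are served from the working set; the scanning trace pushes twenty identities into the buffer in one tick and trips the limit immediately. The cost of the scheme is a delay of at most a few ticks on genuinely new connections, which is why the limit and the working-set size have to be tuned per host role.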
20160028748 | PREBOOT ENVIRONMENT WITH SYSTEM SECURITY CHECK - Booting an operating system through a secure preboot environment that performs integrity checks against security threats. The computer system first boots into the preboot environment, which runs integrity checks and other anti-malware operations against the regular environment; once it finishes, the system reboots into the regular environment. The preboot environment can reside on a secure portion of a flash memory from which the computer boots, or securely on the computer system itself, and the regular environment likewise may be booted from the flash memory or from the computer system. The integrity checks confirm that files in the regular environment are unchanged and uninfected, and include verifying a trusted system configuration on the computer system, such as by using a TPM. | 01-28-2016 |
20160036830 | Web Redirection for Content Scanning - This specification generally relates to using redirect messages to implement content scanning. One example method includes receiving from a client a first request for a network resource, the first request including an original location of the network resource; determining that a response to the first request is to be analyzed; sending a redirect response to the client including a modified location for the network resource different than the original location; receiving a second request for the network resource from the client, the second request including the modified location; in response to receiving the second request for the network resource from the client: retrieving the network resource from the original location; determining that the retrieved network resource is suitable to send to the client; and in response to determining that the retrieved network resource is suitable, sending the retrieved network resource to the client. | 02-04-2016 |
20160036840 | INFORMATION PROCESSING APPARATUS AND PROGRAM - It is difficult to prevent virus infection, information leakage or the like when, for example, a user carelessly manipulates a file. Included are: an electronic file manipulating section that obtains an instruction about manipulation of an electronic file; a remote manipulation section that establishes a communication path enabling remote manipulation with an execution environment in which the manipulation of the electronic file is to be executed, and transmits to the execution environment, via that communication path, an execution instruction directing the execution environment to perform the manipulation of the electronic file there; and an electronic file transmitting section that transmits the electronic file to the execution environment in response to the instruction. | 02-04-2016 |
20160044051 | COMPUTER PROGRAM, METHOD, AND SYSTEM FOR PREVENTING EXECUTION OF VIRUSES AND MALWARE - Preventing execution of viruses or malware on a computing device includes compiling an inventory recordation of legitimate applications and terminating execution of any application not on the inventory recordation while in a protected mode. An instantaneous and unprompted inventory recordation known as a “snapshot” can be performed by the computer program. A user may further train the computer program to identify legitimate applications routinely accessed by the user and to be updated to the inventory recordation, such that the inventory recordation is personal to the user. After training, the protected mode can be activated. A smart icon graphical user interface is utilized, that automatically toggles between locked and unlocked depending on if the computing device is at risk or not, to place the computing device in a protected or unprotected mode. | 02-11-2016 |
20160044054 | NETWORK APPLIANCE FOR DYNAMIC PROTECTION FROM RISKY NETWORK ACTIVITIES - Electronic appliances, computer-implemented systems, non-transitory media, and methods are provided to identify risky network activities using intelligent algorithms. The appliances, systems, media, and methods enable rapid detection of risky activities. | 02-11-2016 |
20160057165 | SYSTEM AND METHOD TO DETECT DOMAIN GENERATION ALGORITHM MALWARE AND SYSTEMS INFECTED BY SUCH MALWARE - Systems and methods for detection of domain generation algorithms (DGA) and their command and control (C&C) servers are disclosed. In one embodiment, such an approach includes examining DNS queries for DNS resolution failures, and monitoring a certain set of parameters such as number of levels, length of domain name, lexical complexity, and the like for each failed domain. These parameters may then be compared against certain thresholds to determine if the domain name is likely to be part of a DGA malware. Domain names identified as being part of a DGA malware may then be grouped together. Once a DGA domain name has been identified, activity from the same source can be monitored for successful resolutions to see if any of the successfully resolved domains match these parameters. If they match specific thresholds, then the domain is determined to be a C&C server of the DGA malware and may be identified as such. | 02-25-2016 |
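The two DNS-based entries above, NXDOMAIN host scoring (20160026796) and DGA/C&C detection (20160057165), rest on the same pipeline: collect resolution failures per source host, compute per-domain parameters (number of levels, length, lexical complexity), threshold them, score the host on how many distinct DGA-looking zones failed, and then look at that host's successful resolutions for names with the same shape. The example below, added here and not taken from either patent, runs that pipeline over a constructed log. The log format, the thresholds, the use of Shannon entropy and vowel ratio as the "lexical complexity" measure, and the "label left of the TLD" simplification (no public-suffix list) are all assumptions of this example.

```python
import math
import re
from collections import defaultdict

# Constructed log lines (not real traffic): "<source ip> <queried name> <rcode>"
DNS_LOG = """\
10.1.1.5 www.example.com NOERROR
10.1.1.5 xk3jq9zlmd02rp.com NXDOMAIN
10.1.1.5 b7ywgtu4ncvs.net NXDOMAIN
10.1.1.5 qzf81hloek2.org NXDOMAIN
10.1.1.5 wm6tdpxaru5.com NXDOMAIN
10.1.1.5 hjv0kdmzqe3t.net NOERROR
10.1.1.9 mail.google.com NOERROR
10.1.1.9 gogle.com NXDOMAIN
10.1.1.9 internationalbusiness.com NOERROR
10.1.1.9 cdn.assets.example.net NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")

# Assumed thresholds; a deployment would tune these against its own baseline.
THRESHOLDS = {"min_length": 10, "min_entropy": 3.0, "max_vowel_ratio": 0.3, "max_levels": 3}
HOST_SCORE_THRESHOLD = 3  # distinct DGA-looking failed zones before a host is called compromised


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Label just left of the TLD (simplification: no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def features(qname):
    """The per-domain parameters: levels, length, and two lexical measures."""
    label = registered_label(qname).lower()
    vowels = sum(ch in "aeiou" for ch in label)
    return {
        "levels": len(qname.rstrip(".").split(".")),
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(label) if label else 0.0,
    }


def looks_dga(qname):
    """Long, high-entropy, vowel-poor label under a shallow name: DGA-shaped."""
    f, t = features(qname), THRESHOLDS
    return (f["length"] >= t["min_length"] and f["entropy"] >= t["min_entropy"]
            and f["vowel_ratio"] <= t["max_vowel_ratio"] and f["levels"] <= t["max_levels"])


def analyze(log_text):
    """Per source host: DGA-looking failures, a score, a verdict, and C&C candidates."""
    nx_by_host = defaultdict(set)
    ok_by_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        src, qname, rcode = m.groups()
        if rcode == "NXDOMAIN":
            nx_by_host[src].add(qname)
        else:
            ok_by_host[src].append(qname)
    report = {}
    for host in set(nx_by_host) | set(ok_by_host):
        dga_failures = sorted(q for q in nx_by_host[host] if looks_dga(q))
        score = len(dga_failures)  # one point per distinct DGA-looking zone that failed
        compromised = score >= HOST_SCORE_THRESHOLD
        # Only a host already scored as compromised gets its successes inspected:
        # a DGA-shaped name that *resolved* from it is the likely C&C rendezvous.
        c2 = [q for q in ok_by_host[host] if looks_dga(q)] if compromised else []
        report[host] = {"score": score, "dga_failures": dga_failures,
                        "compromised": compromised, "c2_candidates": c2}
    return report


if __name__ == "__main__":
    for host, row in sorted(analyze(DNS_LOG).items()):
        print(host, row)
```

Note what the vowel-ratio check buys: `internationalbusiness.com` is long and has entropy above 3 bits, so entropy alone would have flagged it, but its vowel density is that of a real word and it passes; a single typo failure such as `gogle.com` never reaches the score threshold. The C&C step deliberately depends on the host verdict, so a lone successful lookup of an odd-looking name on an otherwise clean host is not reported.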
20160063248 | METHOD TO SCAN A FORENSIC IMAGE OF A COMPUTER SYSTEM WITH MULTIPLE MALICIOUS CODE DETECTION ENGINES SIMULTANEOUSLY FROM A MASTER CONTROL POINT - A multi-engine malicious code scanning method for scanning data sets from a storage device is provided. The method includes, among other steps, obtaining at least one data set from a storage device, generating a single forensic image of the data set, and applying a data recovery application to the data set to generate a single recovered data set. A scan of the single forensic image and the single recovered data set is initiated using a selected plurality of malware engines, each installed on an independent operating system within a virtual operating system, so that the engines may run concurrently on the single forensic image and the single recovered data set. A report is generated combining the results of each malware engine's scans. | 03-03-2016 |
20160065432 | INFORMATION PROCESSING SYSTEM, SETTING STATUS MANAGEMENT METHOD, AND APPARATUS - An information processing system includes a terminal, an apparatus, and a status management apparatus that includes a communication unit, a detection unit that detects network status change via the communication unit, and a notification unit that notifies the apparatus of status change information via the communication unit. The apparatus includes a communication unit, initial configuration information initialized as an operational configuration, a configuration information storing unit that stores changed status configuration information that indicates the operational configuration corresponding to the status change information, a configuration modifying unit that modifies a current operational configuration based on the initial configuration information, the status change information, and the changed status configuration information in the configuration information storing unit after the communication unit receives the status change information, and a control unit that controls one or more operational process executed by the information processing system based on the operational configuration. | 03-03-2016 |
20160070910 | PLATFORM BASED VERIFICATION OF CONTENTS OF INPUT-OUTPUT DEVICES - A platform to support verification of the contents of an input-output device. The platform includes a platform hardware, which may verify the contents of the I/O device. The platform hardware may comprise components such as manageability engine and verification engine that are used to verify the contents of the I/O device even before the contents of the I/O device are exposed to an operating system supported by a host. The platform components may delete the infected portions of the contents of I/O device if the verification process indicates that the contents of the I/O device include the infected portions. | 03-10-2016 |
20160078228 | METHOD AND APPARATUS FOR PROCESSING FILE - The embodiments of the present invention provide a method and apparatus for processing a file. A target file to be scanned is acquired and recognized against recognition data for deletable files, giving a recognition result that classifies the target file as a deletable file, an undeletable file, or an unknown file; a file recognized as deletable is then deleted according to the recognition result. Because a recognized deletable file can be deleted directly, without first performing virus scanning on it and then popping up an alarm prompt asking the user to confirm deletion of a virus file, the system resources consumed on the terminal are reduced and its processing performance improves. | 03-17-2016 |
20160078229 | System And Method For Threat Risk Scoring Of Security Threats - A system configured to generate a risk score for a threat activity including a digital device. The digital device configured to extract one or more threat events on a network based on metadata for one or more targeted digital devices on the network. Further, the digital device is configured to detect one or more incidents based on a correlation between at least a first threat event of the one or more threat events and a second threat event of the one or more threat events. And, the digital device is configured to generate a risk score for each of said one or more incidents. | 03-17-2016 |
20160080394 | METHOD, APPARATUS AND COMPUTER DEVICE FOR SCANNING INFORMATION TO BE SCANNED - The present invention provides a method for scanning, in a computer device, information that needs to be scanned multiple times, comprising the steps of: a. determining a delay duration from the end of one scan of the information to the start of the next scan according to current performance information about the CPU of the computer device; and b. scanning the information according to the delay duration. By deriving the inter-scan delay from the current CPU performance information and scheduling scans accordingly, problems such as slow operation due to a high share of CPU resources being consumed during scanning can be avoided. | 03-17-2016 |
20160088004 | TIERED OBJECT-RELATED TRUST DECISIONS - Adware and viruses are examples of objects that may be embedded in a web page or linked to a web page. When such an object is detected to be associated with a web page loading on a browser, an analysis may be performed to determine a trust level for the object. The object is suppressed based on the trust level. A prompt is displayed to advise a user that the object has been suppressed, and to provide an opportunity to interactively accept or decline activation of an action for the object. | 03-24-2016 |
20160092683 | Scanning Content Items Based on User Activity - In some embodiments, a content management system can initiate a scan of a content item when the content management system detects that activity associated with the content item triggers a scan policy. In some embodiments, a content management system can initiate a scan of a user's account when the content management system detects that activity associated with the content item triggers a scan policy. A scan policy can specify, for example, a number of shares, downloads and/or previews of the content item allowable in a period of time. When the number of shares, downloads, and/or previews exceeds the specified number in the policy in the specified period of time, the content management system can initiate a scan (e.g., virus scan, malware scan, etc.) of the content item and/or the user's account. | 03-31-2016 |
20160094564 | TAXONOMIC MALWARE DETECTION AND MITIGATION - In an example, a classification engine compares two binary objects to determine whether they can be classified as belonging to a common family. As an example application, the classification engine may be used to detect malware objects derived from a common ancestor. To classify the object, the binary is disassembled and the resulting assembly code is normalized. Known “clean” functions, such as compiler-generated library code, are filtered out. Normalized blocks of assembly code may then be characterized, such as by forming N-grams, and checksumming each N-gram. These may be compared to known malware routines. | 03-31-2016 |
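Both the fuzzy-whitelisting entry (20150326585) and the taxonomic classification entry (20160094564) above reduce to one mechanism: cut an object into normalized code chunks, checksum them, drop chunks that belong to known-clean compiler or library code, and compare the remaining hash sets against references, whitelisted objects in the first case and known malware routines in the second, tolerating partial mismatch. The example below is added here and is not code from either patent or assignee. It normalizes x86 disassembly text (registers to `REG`, constants to `IMM`), forms 3-grams of normalized instructions, CRC32s each, filters a constructed clean prologue/epilogue, and applies an assumed policy of 70% overlap for whitelisting and 50% for a family match. The listings are constructed, not taken from any real binary, and the hypothetical names `libfoo_helper` and `xor_decoder` are labels chosen for the example.

```python
import re
import zlib

# Registers become REG, numeric constants become IMM, so register allocation and
# address/constant changes between builds do not perturb the hashes.
REG_RE = re.compile(r"\b[er]?(?:ax|bx|cx|dx|si|di|bp|sp)\b|\br\d+[dwb]?\b")
IMM_RE = re.compile(r"\b0x[0-9a-f]+\b|\b\d+\b")


def normalize(line):
    """Lower-case, drop comments and labels, abstract registers and constants."""
    line = line.split(";")[0].strip().lower()
    if not line or line.endswith(":"):
        return None
    return " ".join(IMM_RE.sub("IMM", REG_RE.sub("REG", line)).split())


def ngram_hashes(asm, n=3, clean=frozenset()):
    """CRC32 of each N-gram of normalized instructions, minus known-clean N-grams."""
    norm = [x for x in map(normalize, asm.splitlines()) if x]
    grams = {zlib.crc32("|".join(norm[i:i + n]).encode()) for i in range(len(norm) - n + 1)}
    return grams - clean


def overlap(target, reference):
    """Fraction of the target's N-gram hashes that also occur in the reference."""
    return len(target & reference) / len(target) if target else 0.0


def classify(target, whitelist, families, wl_min=0.7, fam_min=0.5):
    """Assumed policy: whitelisted if any trusted object overlaps >= wl_min,
    otherwise the best-matching malware family if it overlaps >= fam_min."""
    for name, ref in whitelist.items():
        if overlap(target, ref) >= wl_min:
            return ("whitelisted", name)
    scored = [(overlap(target, ref), name) for name, ref in families.items()]
    if scored and max(scored)[0] >= fam_min:
        return ("malware_family", max(scored)[1])
    return ("unknown", None)


# Constructed x86 listings (Intel syntax); none come from a real binary.
CLEAN_LIB = """push ebp
mov ebp, esp
sub esp, 0x40
mov esp, ebp
pop ebp
ret"""
WHITELISTED = """push ebp
mov ebp, esp
sub esp, 0x10
mov eax, [ebp+0x8]
mov ecx, [ebp+0xc]
xor eax, ecx
add eax, 0x5a
shl eax, 2
mov [ebp-0x4], eax
push eax
call 0x401000
add esp, 4
mov esp, ebp
pop ebp
ret"""
# Same routine rebuilt: other registers and constants, plus one inserted nop.
RECOMPILED = """push ebp
mov ebp, esp
sub esp, 0x20
mov edx, [ebp+0x10]
mov esi, [ebp+0x14]
xor edx, esi
add edx, 0x3f
shl edx, 3
nop
mov [ebp-0x8], edx
push edx
call 0x402340
add esp, 4
mov esp, ebp
pop ebp
ret"""
DECODER_REF = """mov ecx, 0x40
lea esi, [ebp-0x50]
xor byte [esi], 0x37
inc esi
dec ecx
jnz 0x401010
call esi"""
DECODER_VARIANT = """nop
mov edx, 0x80
lea edi, [ebp-0x90]
xor byte [edi], 0x5c
inc edi
dec edx
jnz 0x40200a
call edi"""


def demo():
    clean = ngram_hashes(CLEAN_LIB)
    whitelist = {"libfoo_helper": ngram_hashes(WHITELISTED, clean=clean)}
    families = {"xor_decoder": ngram_hashes(DECODER_REF, clean=clean)}
    return (classify(ngram_hashes(RECOMPILED, clean=clean), whitelist, families),
            classify(ngram_hashes(DECODER_VARIANT, clean=clean), whitelist, families))


if __name__ == "__main__":
    print(demo())
```

The recompiled routine shares 9 of its 12 surviving 3-grams with the whitelisted original (the inserted `nop` breaks three of them) and is accepted at 75%; the decoder variant shares nothing with the trusted object and five of its six 3-grams with the reference loop. Filtering the prologue and epilogue matters: without it, every function compiled the same way would share the `push REG|mov REG, REG|sub REG, IMM` and `mov REG, REG|pop REG|ret` grams and inflate overlap with everything.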
20160094565 | TARGETED ATTACK DISCOVERY - A device may receive usage information, associated with a group of client networks, including particular usage information associated with a particular client network. The device may receive threat information, associated with the group of client networks, including particular threat information associated with the particular client network. The device may determine a baseline based on the usage information. The device may determine a normalization function, associated with the particular client network, based on the baseline and the particular usage information. The device may determine normalized threat information, associated with the particular client network, based on the normalization function and the particular threat information. The device may determine overall normalized threat information associated with the group of client networks. The device may compare the normalized threat information and the overall normalized threat information. The device may provide information associated with comparing the normalized threat information and the overall normalized threat information. | 03-31-2016 |
20160094569 | BEHAVIORAL DETECTION OF MALWARE AGENTS - In an example, a detection engine identifies potential malware objects according to behavior. In order to circumvent blacklists and fingerprint-based detection, a malware server may frequently change domain names, and change the fingerprints of distributed malware agents. A malware agent may perform only an initial DNS lookup, and thereafter communicate with the malware command-and-control server via “naked” HTTP packets using the raw IP address of the server. The detection engine identifies malware agents by this behavior. In one example, if an executable object makes repeated HTTP requests to an address after the DNS lookup “time to live” has expired, the object may be flagged as potential malware. | 03-31-2016 |
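The behaviour described in the entry above (one DNS lookup, then repeated HTTP requests to the raw address after the answer's time to live has expired) can be checked from endpoint telemetry by keeping each process's DNS answers with their expiry and counting HTTP sends that have no live answer behind them. The example below is added here and is not code from the patent or its assignee; the event tuple layout, the per-process keying, the repeat threshold of three and the event stream itself are constructed for illustration. Sends to an address the process never resolved at all are counted the same way, since a hard-coded address is the same evasion one step further.

```python
from collections import defaultdict

# Constructed event records (not real telemetry):
#   ("dns",  t, process, queried_name, answer_ip, ttl_seconds)
#   ("http", t, process, destination_ip)


def find_naked_http(events, repeat_threshold=3):
    """Return (flagged processes, per-(process, ip) counts of HTTP sends made
    without a live DNS answer: expired TTL or never resolved)."""
    expiry = {}                     # (process, ip) -> time the answer stops being valid
    stale_hits = defaultdict(int)   # (process, ip) -> sends without a live answer
    flagged = set()
    for ev in sorted(events, key=lambda e: e[1]):   # stable: ties keep input order
        if ev[0] == "dns":
            _, t, proc, _name, ip, ttl = ev
            expiry[(proc, ip)] = t + ttl
        elif ev[0] == "http":
            _, t, proc, ip = ev
            valid_until = expiry.get((proc, ip))
            if valid_until is None or t > valid_until:
                stale_hits[(proc, ip)] += 1
                if stale_hits[(proc, ip)] >= repeat_threshold:
                    flagged.add(proc)
    return flagged, dict(stale_hits)


EVENTS = [
    ("dns", 0, "browser.exe", "www.example.com", "93.184.216.34", 300),
    ("http", 10, "browser.exe", "93.184.216.34"),
    ("http", 250, "browser.exe", "93.184.216.34"),
    ("dns", 310, "browser.exe", "www.example.com", "93.184.216.34", 300),  # re-resolves
    ("http", 320, "browser.exe", "93.184.216.34"),
    ("http", 400, "browser.exe", "93.184.216.34"),
    ("dns", 0, "svchost_fake.exe", "qzf81hloek2.com", "198.51.100.7", 60),
    ("http", 30, "svchost_fake.exe", "198.51.100.7"),    # still within the 60 s TTL
    ("http", 120, "svchost_fake.exe", "198.51.100.7"),   # expired, and no new lookup
    ("http", 180, "svchost_fake.exe", "198.51.100.7"),
    ("http", 240, "svchost_fake.exe", "198.51.100.7"),
    ("http", 300, "svchost_fake.exe", "198.51.100.7"),
    ("http", 5, "updater.exe", "203.0.113.9"),           # hard-coded IP, one send only
]

if __name__ == "__main__":
    flagged, stale = find_naked_http(EVENTS)
    print("flagged:", flagged)
    for key, n in sorted(stale.items()):
        print(key, n)
```

The browser re-resolves before reusing the address after expiry, so it accumulates no stale sends; the fake service host keeps beaconing to the raw IP for minutes after its one answer lapsed and is flagged on its third such send; the updater's single hard-coded connection is recorded but stays under the threshold. In production the same logic should be keyed on the resolving process rather than the host, because a shared OS resolver cache would otherwise make one process's lookup cover another's traffic.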
20160094570 | CROSS-VIEW MALWARE DETECTION - In an example, a cross-view detection engine is disclosed for detecting malware behavior. Malware may attempt to avoid detection by remaining in volatile memory for as long as possible, and writing to disk only when necessary. To avoid detection, the malware may also provide a pseudo-driver at a file system level that performs legitimate-looking dummy operations. A firmware-level driver may simultaneously perform malicious operations. The cross-view detection engine detects this behavior by deconstructing call traces from the file system-level operations, and reconstructing call traces from firmware-level operations. If the traces do not match, the object may be flagged as suspicious. | 03-31-2016 |
20160098559 | VIRUS CO-PROCESSOR INSTRUCTIONS AND METHODS FOR USING SUCH - Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a virus processing system includes a virus co-processor, a first memory, a general purpose processor (GPP) and a second memory. The first memory is communicably coupled to the co-processor via a first memory interface. The first memory includes a first signature compiled for execution on the co-processor. The GPP is communicably coupled to the co-processor. The second memory is communicably coupled to the co-processor via a second memory interface and to the GPP. The second memory includes a second signature compiled for execution on the GPP. The co-processor is operable to retrieve the first signature stored within the first memory through an instruction cache. The co-processor is operable to retrieve a data segment to be scanned from second memory through a data cache that is separate from the instruction cache. | 04-07-2016 |
20160098561 | DETECTION OF MALICIOUS SOFTWARE, FIRMWARE, IP CORES AND CIRCUITRY VIA UNINTENDED EMISSIONS - An apparatus for testing, inspecting or screening an electrically powered device for modified or unmodified hardware, firmware or software modifications including malware, Trojans, adware, improper versioning, worms, or viruses and the like, includes an antenna positioned at a distance from the electrically powered device and a signal receiver or sensor for examining a signal from the electrically powered device. The receiver or sensor collects unintended RF energy components emitted by the electrically powered device and includes one or more processors and executable instructions that perform analysis in response to the acquired signal input while the electrically powered device is active or powered. The characteristics of the collected RF energy may be compared with RF energy characteristics of an unmodified device. The comparison determines a modified condition, an unmodified condition, or a score of certainty of a modified condition of the electrically powered device. | 04-07-2016 |
20160098565 | SYSTEM, METHOD AND COMPUTER-ACCESSIBLE MEDIUM FOR SECURITY VERIFICATION OF THIRD PARTY INTELLECTUAL PROPERTY CORES - An exemplary system, method and computer-accessible medium for detecting the presence of a Trojan(s) in a circuit(s), can include, for example, receiving information related to a property(s) configured to determine the presence of the Trojan(s), and determining the presence of the Trojan(s) based on the property(s) and a design(s) of the circuit(s) using a bounded model checking tool. | 04-07-2016 |
20160125183 | Determining Malware Status of File - Determining malware status of a file is disclosed. An apparatus obtains information about an unknown target file, obtains system context of the unknown target file, and determines the unknown target file as clean if the system context matches with one or more predetermined conditions indicative of cleanliness. The predetermined conditions of cleanliness include at least the target file being located in a directory which contains other clean files. | 05-05-2016 |
20160127400 | MANAGING INFECTIOUS FORWARDED MESSAGES - Systems and methods for managing forwarded infectious messages are provided. Managing an electronic message comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded, and preventing the infectious forwarded message from spreading. | 05-05-2016 |
20160142423 | ENDPOINT TRAFFIC PROFILING FOR EARLY DETECTION OF MALWARE SPREAD - According to one exemplary embodiment, a method for detecting malware in a network stream to at least one host computer is provided. The method may include initializing a browser profile corresponding with a first website having a first website source and a first plurality of content features. The method may include recording the first plurality of content features and a trusted source based on the first website source. The method may include scanning the network stream for a second content feature within a second plurality of content features associated with a second website. The method may include determining if the second content feature matches a first content feature. The method may include determining if the second plurality of content features is consistent with the first plurality of content features. The method may include determining if a second website source matches the trusted source. The method may include generating an alert. | 05-19-2016 |
20160142424 | SYSTEM AND METHOD THEREOF FOR IDENTIFYING AND RESPONDING TO SECURITY INCIDENTS BASED ON PREEMPTIVE FORENSICS - A system is connected to a plurality of user devices coupled to an enterprise's network. The system continuously collects, stores, and analyzes forensic data related to the enterprise's network. Based on the analysis, the system is able to determine normal behavior of the network and portions thereof and thereby identify abnormal behaviors within the network. Upon identification of an abnormal behavior, the system determines whether the abnormal behavior relates to a security incident. Upon determining a security incident in any portion of the enterprise's network, the system extracts forensic data respective of the security incident and enables further assessment of the security incident as well as identification of the source of the security incident. The system provides real-time damage assessment respective of the security incident as well as the security incident's attributions. | 05-19-2016 |
20160147995 | Method and System for Discrete Stateful Behavioral Analysis - A method for analyzing a computing system includes the steps of, at a first moment in time, scanning the resources of the computing system for indications of malware; at a second moment in time, scanning the resources of the computing system for indications of malware and determining the system executable objects loaded on the computing system; determining malware system changes; identifying a relationship between the malware system changes and the system executable objects loaded on the computing system; and identifying as suspected malware the system executable objects loaded on the computing system which have a relationship with the malware system changes. The malware system changes include differences between the results of scanning the resources of the computing system for indications of malware at the second and first moments in time. | 05-26-2016 |
20160156645 | METHOD AND APPARATUS FOR DETECTING MACRO VIRUSES | 06-02-2016 |
20160156658 | METHOD AND SYSTEM FOR AUTOMATIC DETECTION AND ANALYSIS OF MALWARE | 06-02-2016 |
20160173508 | DYNAMIC MALICIOUS APPLICATION DETECTION IN STORAGE SYSTEMS | 06-16-2016 |
20160180087 | SYSTEMS AND METHODS FOR MALWARE DETECTION AND REMEDIATION | 06-23-2016 |
20160188900 | PROTECTION OF A NON-VOLATILE MEMORY BY CHANGE OF INSTRUCTIONS - A method for protecting a volatile memory against a virus, wherein: rights of writing, reading, or execution are assigned to certain areas of the memory; and a first list of opcodes authorized or forbidden as a content of the areas is associated with each of these areas. | 06-30-2016 |
20160197940 | MULTI-NETWORK VIRUS IMMUNIZATION | 07-07-2016 |
20160255100 | FILTER FOR NETWORK INTRUSION AND VIRUS DETECTION | 09-01-2016 |
20160255101 | System and Method for Detection of Malware on a User Device Using Corrected Antivirus Records | 09-01-2016 |
20160378985 | Malware Protection - According to a first aspect of the present invention there is provided a method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system. The method comprises determining if an executable file should be identified as being legitimate and, if not, executing the executable file whilst providing indications to the executable file that it is being executed within an emulated computer system. | 12-29-2016 |
20160378988 | ANTI-RANSOMWARE - According to an aspect of the present disclosure, a digital processing system, in response to identifying multiple files opened with write permission by a process, creates a corresponding backup copy of each of the opened files. The system computes a frequency of opening of the files with write permission by the process, and then determines whether the computed frequency is greater than a threshold. If the frequency is determined to be greater than the threshold, the system provides control to a user to recover any of the files (opened by the process) based on the corresponding backup copy (previously created in response to opening). Thus, the execution of a ransomware in the system may be potentially detected and the associated maladies (such as unavailability of personal data, requirement to make payment for recovering the personal data, etc.) may be avoided. | 12-29-2016 |
20160381042 | EMULATOR-BASED MALWARE LEARNING AND DETECTION - Methods and systems are described for malware learning and detection. According to one embodiment, an antivirus (AV) engine includes a training mode for internal lab use, for example, and a detection mode for use in commercial deployments. In training mode, an original set of suspicious patterns is generated by scanning malware samples. A set of clean patterns is generated by scanning clean samples. A revised set of suspicious patterns is created by removing the clean patterns from the original set. A further revised set of suspicious patterns is created by: (i) applying a statistical filter to the first revised set; and (ii) removing any suspicious patterns therefrom that do not meet a predefined frequency of occurrence. A detection model, based on the further revised set, can then be used in detection mode to flag executables as malware when the presence of one or more of the suspicious patterns is identified. | 12-29-2016 |
20160381045 | HARDWARE BASED DETECTION DEVICES FOR DETECTING NETWORK TRAFFIC CONTENT AND METHODS OF USING THE SAME - A device for detecting network traffic content is provided. The device includes a first input port configured to receive one or more signatures, each of the one or more signatures associated with content desired to be detected, a second input port configured to receive data associated with network traffic content. The device also includes a processor configured to process the one or more signatures and the data to determine whether the network traffic content matches the content desired to be detected, and an output port configured to couple the device to a computer system of an intended recipient of the network traffic content. The output port passes the network traffic content to the computer system when it is determined that the network traffic content does not match the content desired to be detected. | 12-29-2016 |
20170235949 | Security of Computer Resources | 08-17-2017 |
20170235950 | SELF-HEALING VIRTUALIZED FILE SERVER | 08-17-2017 |
20170235951 | VIRTUAL MACHINE SECURITY | 08-17-2017 |
20170235953 | Systems and Methods for Providing Dynamic File System Awareness on Storage Devices | 08-17-2017 |
20180025157 | AUTOMATED BEHAVIORAL AND STATIC ANALYSIS USING AN INSTRUMENTED SANDBOX AND MACHINE LEARNING CLASSIFICATION FOR MOBILE SECURITY | 01-25-2018 |
20190147164 | NOVEL METHODOLOGY, PROCESS AND PROGRAM FOR THE REPAIR OF DISABLED, BADLY INFECTED OR SLOW WINDOWS COMPUTERS | 05-16-2019 |
20220138320 | Detection of Unauthorized Encryption Using Deduplication Efficiency Metric - Techniques are provided for detection of unauthorized encryption using one or more deduplication efficiency metrics. One method comprises obtaining a deduplication efficiency value for a deduplication operation in a storage system; evaluating the deduplication efficiency value for the deduplication operation relative to an expected deduplication efficiency value; and performing one or more automated remedial actions, such as generating an alert notification, in response to the evaluating satisfying one or more deduplication criteria. (i) A count of a number of concurrent users may be compared to an expected number of concurrent users, and/or (ii) a count of a number of concurrent sessions for a given user may be compared to an expected number of concurrent sessions for the given user. A ransomware alert or an unauthorized encryption alert may be generated when the evaluating and/or the comparison satisfy predefined attack criteria. | 05-05-2022 |
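The TTL-expiry heuristic described in entry 20160094569 above (an agent that resolves a name once and then keeps sending HTTP to the raw IP long after the DNS answer has expired), worked through as an added example. This is not code from any listed patent or its assignee; the event schema, process names, IP addresses and the "three stale requests" threshold are assumptions constructed for the example.

```python
"""Behavioral detector for the 20160094569 pattern: a process that keeps
issuing HTTP requests to an IP after the DNS answer that introduced the IP
has expired, without ever re-resolving the name.

Assumptions (not from the patent): events are dicts already attributed to a
process, DNS events carry the answer TTL in seconds, and a process is flagged
once it has made `min_stale_requests` requests to a stale address.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Mapping:
    """One DNS answer seen by a process: the IP it returned and when it expires."""
    ip: str
    resolved_at: float
    ttl: int

    def is_expired(self, now: float) -> bool:
        return now > self.resolved_at + self.ttl


class TtlBehaviorDetector:
    def __init__(self, min_stale_requests: int = 3):
        self.min_stale = min_stale_requests
        # process -> ip -> Mapping (latest DNS answer that produced this ip)
        self.mappings = defaultdict(dict)
        # process -> ip -> number of HTTP requests made after the TTL expired
        self.stale_hits = defaultdict(lambda: defaultdict(int))
        self.flagged = set()

    def on_dns(self, proc: str, ip: str, ttl: int, ts: float) -> None:
        """A fresh resolution legitimises the ip again and resets suspicion."""
        self.mappings[proc][ip] = Mapping(ip, ts, ttl)
        self.stale_hits[proc][ip] = 0

    def on_http(self, proc: str, dst_ip: str, ts: float) -> bool:
        """Record one HTTP request; returns True if it was made to a stale ip."""
        mapping = self.mappings[proc].get(dst_ip)
        # No DNS answer ever produced this ip for this process: treat a
        # hard-coded address the same as an expired one (assumption).
        stale = mapping is None or mapping.is_expired(ts)
        if stale:
            self.stale_hits[proc][dst_ip] += 1
            if self.stale_hits[proc][dst_ip] >= self.min_stale:
                self.flagged.add((proc, dst_ip))
        return stale


def run(events, min_stale_requests: int = 3):
    """Replay an event list and return the (process, ip) pairs that were flagged."""
    det = TtlBehaviorDetector(min_stale_requests)
    for ev in events:
        if ev["type"] == "dns":
            det.on_dns(ev["proc"], ev["ip"], ev["ttl"], ev["ts"])
        elif ev["type"] == "http":
            det.on_http(ev["proc"], ev["ip"], ev["ts"])
    return sorted(det.flagged)


# Constructed sample telemetry (timestamps in seconds from an arbitrary epoch).
# updater.exe behaves: it re-resolves before the 300 s TTL runs out.
# svchelper.exe does not: one lookup with a 60 s TTL, then raw-IP HTTP for an hour.
SAMPLE_EVENTS = [
    {"type": "dns",  "proc": "updater.exe",   "ip": "203.0.113.10", "ttl": 300, "ts": 0},
    {"type": "http", "proc": "updater.exe",   "ip": "203.0.113.10", "ts": 10},
    {"type": "http", "proc": "updater.exe",   "ip": "203.0.113.10", "ts": 200},
    {"type": "dns",  "proc": "updater.exe",   "ip": "203.0.113.10", "ttl": 300, "ts": 310},
    {"type": "http", "proc": "updater.exe",   "ip": "203.0.113.10", "ts": 400},
    {"type": "dns",  "proc": "svchelper.exe", "ip": "198.51.100.7", "ttl": 60,  "ts": 0},
    {"type": "http", "proc": "svchelper.exe", "ip": "198.51.100.7", "ts": 30},    # within TTL
    {"type": "http", "proc": "svchelper.exe", "ip": "198.51.100.7", "ts": 120},   # stale 1
    {"type": "http", "proc": "svchelper.exe", "ip": "198.51.100.7", "ts": 600},   # stale 2
    {"type": "http", "proc": "svchelper.exe", "ip": "198.51.100.7", "ts": 3600},  # stale 3
]

if __name__ == "__main__":
    for proc, ip in run(SAMPLE_EVENTS):
        print(f"flagged: {proc} -> {ip} (HTTP to address after DNS TTL expiry)")
```

Two practitioner caveats that the abstract does not spell out. First, the DNS event must be attributed to the same process as the HTTP traffic; on hosts where a system resolver performs lookups on behalf of applications, the "dns" event has to come from the API boundary (the resolver call made by the process) rather than from packets on the wire, or every process will look as if it never resolved anything. Second, long-lived keep-alive connections legitimately outlive a short TTL, so count new requests or new connections, not bytes on an existing socket, and keep the threshold above one to avoid flagging a single request that straddles the expiry.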