| MCAFEE, INC. Patent applications |
| Patent application number | Title | Published |
|---|
| 20160142442 | System and Method for Intelligent State Management - A method is provided in one example embodiment and it includes receiving a state request and determining whether a state exists in a translation dictionary for the state request. The method further includes reproducing the state if it is not in the dictionary and adding a new state to the dictionary. In more specific embodiments, the method includes compiling a rule, based on the state, into a given state table. The rule affects data management for one or more documents that satisfy the rule. In yet other embodiments, the method includes determining that the state represents a final state such that a descriptor is added to the state. In one example, if the state is not referenced in the algorithm, then the state is released. If the state is referenced in the algorithm, then the state is replaced with the new state. | 05-19-2016 |
| 20160140335 | ACCOUNT RECOVERY PROTOCOL - The present disclosure relates to receiving a request for recovery of an account associated with a user, sending a CAPTCHA challenge to a user device associated with the user, receiving an answer to the CAPTCHA challenge and a confirmation code wrapped by an encryption key derived from a provisional master password, sending a notification of the request for recovery to one or more trusted entities associated with the user, and receiving a confirmation of the request from one or more of the trusted entities. The confirmation includes a recovery token associated with the particular trusted entity and an encrypted confirmation code. | 05-19-2016 |
| 20160119379 | SECURITY ORCHESTRATION FRAMEWORK - In an example, there is disclosed a computing apparatus, including: a network interface; one or more logic elements providing a security orchestration server engine operable for: receiving contextual data from a client via a network interface; providing the contextual data to a security orchestration state machine, the security orchestration state machine operable for deriving a policy decision from the contextual data; and receiving the policy decision from the policy orchestration state machine. There is also disclosed one or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions for providing a security orchestration engine, and a method of providing a security orchestration engine. | 04-28-2016 |
| 20160112450 | MOBILE RISK ASSESSMENT - A query is received from a particular endpoint device identifying a particular wireless access point encountered by the particular endpoint device. Pre-existing risk assessment data is identified for the identified particular wireless access point and query result data is sent to the particular endpoint device characterizing pre-assessed risk associated with the particular wireless access point. In some instances, the query result data is generated based on the pre-existing risk assessment data. In some instances, pre-existing risk assessment data can be the result of an earlier risk assessment carried-out at least in part by an endpoint device interfacing with and testing the particular wireless access point. | 04-21-2016 |
| 20160105444 | ENFORCING ALIGNMENT OF APPROVED CHANGES AND DEPLOYED CHANGES IN THE SOFTWARE CHANGE LIFE-CYCLE - On a host, host content change requests are intercepted in real-time. In a tracking mode, the change requests are logged and allowed to take effect on the host. In an enforcement mode, the change requests are logged and additionally compared against authorized change policies and a determination is made whether to allow the change to take effect or to block the changes, thereby enforcing the authorized change policies on the host. Tracking and enforcement can be done in real-time. In either mode and at any time, the logged changes can be reconciled against a set of approved change orders in order to identify classes of changes, including changes that were deployed but not approved and changes that were approved but not deployed. | 04-14-2016 |
| 20160092469 | CONTEXT-AWARE REPUTATION OF A PLACE - In an example, one or more computing devices operate to provide a context-aware reputation of a place, such as in relation to a human user. Context may include the user's identity and purpose, as well as environmental factors such as time of day, weather, and political drivers. The device may communicate with a server to receive globalized safety intelligence. When the user enters a zone, the device may determine a context-sensitive reputation, such as “Green,” “Yellow,” or “Red.” Depending on the reputation, the device may then take an appropriate action, such as warning the user or providing additional information. | 03-31-2016 |
| 20160057101 | ASSET DETECTION SYSTEM - A pluggable asset detection engine is used to identify devices within a network. The pluggable asset detection engine includes a set of pluggable discovery sensors and is adapted to identify particular address information of a particular computing device within a network, using a first pluggable discovery sensor in the set of discovery sensors, and send an identification of the particular address information of the particular computing device to an asset management system for inclusion of the particular address information in an asset repository managed by the asset management system. | 02-25-2016 |
| 20160021129 | ROLLBACK FEATURE - A file stored in a first portion of a computer memory of a computer is determined to be a malicious file. A duplicate of the file is stored in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory. One or more protection processes are performed on the file. The determination that the file is a malicious file is determined to be a false positive and the file is restored, during a boot sequence, to a state prior to the one or more protection processes being performed on the file. | 01-21-2016 |
| 20160019392 | ROLLBACK FEATURE - A file stored in a first portion of a computer memory of a computer is determined to be a malicious file. A duplicate of the file is stored in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory. One or more protection processes are performed on the file. The determination that the file is a malicious file is determined to be a false positive and the file is restored, during a boot sequence, to a state prior to the one or more protection processes being performed on the file. | 01-21-2016 |
| 20160006757 | DETECTION AND PREVENTION OF INSTALLATION OF MALICIOUS MOBILE APPLICATIONS - A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device's operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application's status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application. | 01-07-2016 |
| 20150382191 | IDENTIFICATION OF CALL PARTICIPANTS - In an example, an audio stream such as a voice call or live-streaming service may have mixed therein a user identification, which may identify the user as an authorized participant in the audio stream. For example, a user may identify himself to a smart phone, and then initiate a call with his bank. The smart phone may mix a user identification into the voice stream. A receiving device at the bank may demix the identification, and determine that the user is authorized to call about this account. In another example, identification may be used for DRM purposes, to identify a user as a legitimate participant in an audio stream. When a user is not authorized, an appropriate action may be taken, such as dropping the user, degrading the quality of the audio stream, or providing a notification that the user is not authorized. | 12-31-2015 |
| 20150381658 | PREMISES-AWARE SECURITY AND POLICY ORCHESTRATION - A tracking station detects a mobile data processing system (DPS) within communication range of a short range wireless module of the tracking station. In response to detecting the mobile DPS, the tracking station obtains identification data for the mobile DPS from a security module of the mobile DPS. The tracking station uses the identification data to obtain credentials to access secure storage on the mobile DPS. The tracking station automatically generates security configuration data for the mobile DPS, based on multiple factors pertaining to the mobile DPS, such as identity of the mobile DPS, a location of the mobile DPS, capabilities of the mobile DPS, etc. The tracking station uses the credentials to write the security configuration data to the secure storage of the mobile DPS. The security configuration data calls for the mobile DPS to automatically disable or enable at least one component. Other embodiments are described and claimed. | 12-31-2015 |
| 20150379264 | MITIGATION OF MALWARE - Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to determine a series of checksums for a file, compare the series of checksums to a checksum tree, where the checksum tree includes a plurality of nodes that each include a fuzzy checksum of known malware, and assign one or more classifications to the file, where each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums and includes whether the file includes malware or benign checksums. | 12-31-2015 |
| 20150373542 | SIMPLIFIED MOBILE COMMUNICATION DEVICE - A first communication device is detected as being substantially collocated with a second communication device using a short-range wireless network. A connection is established between the first and second communication devices over the short-range wireless network. In some instances, authentication data can be sent from the second communication device to the first communication device to authenticate a user to the first communication device. Further, input is received from the first communication device over the short-range wireless network specifying a telephone number for a telephone call using the second communication device. A connection is established between the second communication device and a cellular base station to initiate the telephone call with a third communication device associated with the telephone number. In some instances, the second communication device is a wireless headset device. | 12-24-2015 |
| 20150365380 | SYSTEM AND METHOD FOR INTERLOCKING A HOST AND A GATEWAY - A method is provided in one example embodiment and includes exchanging a session descriptor associated with a network connection and an application on a host, correlating the session descriptor with a network policy, and applying the network policy to the network connection. In alternative embodiments, the session descriptor may be exchanged through an out-of-band communication channel or an in-band communication channel. | 12-17-2015 |
| 20150363598 | DETECTION OF MALICIOUS SCRIPTING LANGUAGE CODE IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment and includes initiating an execution of a compiled script, evaluating a function called in the compiled script, detecting an execution event based on at least a first criterion, and storing information associated with the execution event in an execution event queue. The method also includes verifying a correlation signature based on information associated with at least one execution event in the execution event queue. In specific embodiments, the method includes evaluating an assignment statement of a script during compilation of the script by a compiler, detecting a compilation event based on at least a second criterion, and storing information associated with the compilation event in a compilation event queue. In yet additional embodiments, the verification of the correlation signature is based in part on information associated with one or more compilation events in the compilation event queue. | 12-17-2015 |
| 20150347755 | ROLLBACK FEATURE - A file stored in a first portion of a computer memory of a computer is determined to be a malicious file. A duplicate of the file is stored in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory. One or more protection processes are performed on the file. The determination that the file is a malicious file is determined to be a false positive and the file is restored, during a boot sequence, to a state prior to the one or more protection processes being performed on the file. | 12-03-2015 |
| 20150334129 | USER BEHAVIORAL RISK ASSESSMENT - A particular activity performed by a particular user of a computing device is identified, for instance, by an agent installed on the computing device. It is determined that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations. A behavioral risk score for the particular score for the user is determined based at least in part on the determination that the particular activity of the particular user qualifies as a particular use violation. Determining that the particular activity qualifies as a particular use violation can include determining that the particular activity violates a particular rule or event trigger corresponding to a particular pre-defined use violation. | 11-19-2015 |
| 20150317178 | SYSTEM AND METHOD FOR KERNEL ROOTKIT PROTECTION IN A HYPERVISOR ENVIRONMENT - A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page. | 11-05-2015 |
| 20150310091 | SYSTEM AND METHOD FOR SELECTIVELY GROUPING AND MANAGING PROGRAM FILES - A method in one embodiment includes determining a frequency range corresponding to a subset of a plurality of program files on a plurality of hosts in a network environment. The method also includes generating a first set of counts including a first count that represents an aggregate amount of program files in a first grouping of one or more program files of the subset, where each of the one or more program files of the first grouping includes a first value of a primary attribute. In specific embodiments, each program file is unknown. In further embodiments, the primary attribute is one of a plurality of file attributes provided in file metadata. Other specific embodiments include either blocking or allowing execution of each of the program files of the first grouping. More specific embodiments include determining a unique identifier corresponding to at least one program file of the first grouping. | 10-29-2015 |
| 20150304339 | CLOUD EMAIL MESSAGE SCANNING WITH LOCAL POLICY APPLICATION IN A NETWORK ENVIRONMENT - A method for applying policies to an email message includes receiving, by an inbound policy module in a protected network, message metadata of an email message. The method also includes determining, based on the message metadata, whether receiving the email message in the protected network is prohibited by at least one metadata policy. The method further includes blocking the email message from being forwarded to the protected network if receiving the email message in the protected network is prohibited by the metadata policy. In specific embodiments, the method includes requesting scan results data for the email message if receiving the email message in the protected network is not prohibited by one or more metadata policies. In further embodiments, the method includes receiving the scan results data and requesting the email message if receiving the email message in the protected network is not prohibited by one or more scan policies. | 10-22-2015 |
| 20150271191 | Embedded Anti-Virus Scanner for a Network Adapter - A network adapter system and associated method are provided. The network adapter system includes a processor positioned on a network adapter coupled between a computer and a network. Such processor is configured for scanning network traffic transmitted between the computer and the network. | 09-24-2015 |
| 20150249680 | Electronic Message Manager System, Method, and Computer Program Product for Scanning an Electronic Message for Unwanted Content and Associated Unwanted Sites - A system, method, and computer program product are provided for scanning an electronic message for unwanted content and associated unwanted sites in response to a request. In use, a request is received via a network to scan an electronic message prior to opening the electronic message, utilizing an electronic message manager. In addition, the electronic message is scanned for unwanted content and associated unwanted sites, in response to the request. Further, a response to the request is sent via the network. | 09-03-2015 |
| 20150161381 | DETECTING JAVA SANDBOX ESCAPING ATTACKS BASED ON JAVA BYTECODE INSTRUMENTATION AND JAVA METHOD HOOKING - By injecting bytecode into a predetermined method of a sandbox environment, an application that uses an exploit to attempt to escape from the sandbox environment may be detected without knowledge of the application or the exploit used to attempt to escape from the sandbox environment. Upon indicating that the application has escaped the sandbox, the application may be terminated or the escape may be reported, allowing further monitoring of the application. | 06-11-2015 |
| 20150113650 | METHOD AND SYSTEM FOR PROACTIVE DETECTION OF MALICIOUS SHARED LIBRARIES VIA A REMOTE REPUTATION SYSTEM - A method for proactively detecting shared libraries suspected of association with malware includes the steps of determining one or more shared libraries loaded on an electronic device, determining that one or more of the shared libraries include suspicious shared libraries by determining that the shared library is associated with indications that the shared library may have been maliciously injected, loaded, and/or operating on the electronic device, and identifying the suspicious shared libraries to a reputation server. | 04-23-2015 |
| 20140331119 | Indicating website reputations during user interactions - An aspect of the present invention relates to methods and systems involving receiving an indicator of an attempted interaction of a user with an item of website content and presenting one or more indicia of a website's reputation to the user attempting to interact with the website content. The act of presenting the indicia may be in response to the user's attempted interaction with the website. | 11-06-2014 |
| 20140196146 | System, method and computer program product for inserting an emulation layer in association with a COM server DLL - A system, method and computer program product are provided. In use, a COM server dynamic link library is identified. Further, an emulation layer is inserted in association with the COM server dynamic link library to emulate interfaces exported by the COM server dynamic link library. As an option, it may be determined whether the COM server DLL is loaded, and the emulation layer may be inserted in response to the determination. | 07-10-2014 |
| 20140189859 | HERD BASED SCAN AVOIDANCE SYSTEM IN A NETWORK ENVIRONMENT - A method in one example embodiment includes generating a signature for an object in a compute node in a network, searching a memory element for the signature, and responsive to determining the memory element does not contain the signature, scanning the object. The method also includes updating the memory element with a scan result, and synchronizing the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network. In specific embodiments, the scan result includes the signature of the object and a threat level of the object. In further embodiments, the synchronizing includes sending the scan result to one or more other compute nodes in the network. In more specific embodiments, the scan result is sent with one or more other scan results after a predetermined interval of time from a previous synchronization. | 07-03-2014 |
| 20140185237 | Opacity Baffle to Prevent Viewing of Internal Structures in Secure Electronic Equipment - An opacity baffle is disclosed that can be permanently secured to the back face of an electronic apparatus to cover ventilation openings or other openings that render the apparatus visually unsecure. The opacity baffle in one example comprises a grill and ventilation material that are secured together at their edges resulting in a rigid structure. The grill contains openings to promote ventilation within the apparatus, and the ventilation materials allows for air flow despite being visually opaque. One-way fasteners can be used to secure the baffle to the back face, which when inserted in place cannot be removed without evident tampering. The baffle and fasteners can be provided with the apparatus when sold or can be sold separately, allowing a particular customer to affix the baffle if needed to meet security requirements, or not if such security measures are unnecessary. | 07-03-2014 |
| 20140181998 | AUTOMATIC SANITIZATION OF DATA ON A MOBILE DEVICE IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment and includes establishing a network connection to a central security system in a central network, receiving a message from the central security system, activating a grace window based on the message, and determining whether the grace window has expired. The method further includes deleting, when the grace window expires, one or more objects from the mobile device based on a sanitization policy. In specific embodiments, the network connection is terminated before the grace window expires, and the grace window expires unless the mobile device establishes another network connection with the central security system. In further embodiments, the method includes receiving the sanitization policy from the central security system. The sanitization policy identifies the one or more objects to be deleted from the mobile device when the grace window expires. | 06-26-2014 |
| 20140181216 | Just-In-Time, Email Embedded URL Reputation Determination - A system allows just-in-time checking of information about an email in which a hyperlink is embedded. Upon receipt of the email containing the hyperlink, the resource locator of the hyperlink is modified to allow checking the reputation of the email upon traversal of the hyperlink. At traversal of the hyperlink, the current reputation of the resource locator and the current reputation of the email are both determined, and one or more actions are performed responsive to the determination. | 06-26-2014 |
| 20140172495 | SYSTEM AND METHOD FOR AUTOMATED BRAND PROTECTION - Brand threat information is identified relating to potential threats to one or more brands of one or more organizations. A characteristic of one or more operating environments is identified and a relation is determined between a particular one of the potential threats and the characteristic. The determined relation is used to determine risk associated with a particular brand of an organization. | 06-19-2014 |
| 20140096252 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DYNAMICALLY ADJUSTING A LEVEL OF SECURITY APPLIED TO A SYSTEM - A system, method, and computer program product are provided for dynamically adjusting a level of security applied to a system. In use, predetermined activity that is at least potentially associated with unwanted activity is identified on a system. Further, a level of security applied to the system is dynamically adjusted, in response to the identification of the predetermined activity. | 04-03-2014 |
| 20140090072 | System, Method, and Computer Program Product for Isolating a Device Associated with At Least Potential Data Leakage Activity, Based on User Input - A system, method, and computer program product are provided for isolating a device associated with at least potential data leakage activity, based on user input. In operation, at least potential data leakage activity associated with a device is identified. Furthermore, at least one action is performed to isolate the device, based on user input received utilizing a user interface. | 03-27-2014 |
| 20140082711 | CREDENTIAL PROVIDER THAT ENCAPSULATES OTHER CREDENTIAL PROVIDERS - Systems, methods, and computer readable media for encapsulating multiple Windows® based credential providers (CPs) within a single wrapping CP are described. In general, CP credentials and fields from two or more encapsulated or wrapped CPs may be enumerated and aggregated in such a way that the order of fields from each CP is preserved, fields that may be used only once are identified and appear only once, and fields are given a new unique field identifier. The union of all such fields (minus duplicates of any one-use-only fields) may be used to generate a mapping so that the wrapping CP and CP credential may “pass-through” calls from the operating system's logon interface to the correct wrapped CP and CP credential. The disclosed techniques may be used, for example, to provide single sign-on functionality where a plurality of sign-on credentials may be used (e.g., user name/password and smart card PIN). | 03-20-2014 |
| 20140075505 | SYSTEM AND METHOD FOR ROUTING SELECTED NETWORK TRAFFIC TO A REMOTE NETWORK SECURITY DEVICE IN A NETWORK ENVIRONMENT - A method provided in one example includes receiving a request for configuration information for a host in a first network, determining whether the request was sent over a quarantine virtual local area network (VLAN) in the first network, and providing to the host a network address of a first domain name system (DNS) server if the request was sent over the quarantine VLAN in the first network. In addition, the first DNS server translates a domain name in a query from the host to a network address of a network security device in a second network. In more specific embodiments, the domain name in the query is mapped to a different network address in a second DNS server. The method may also include providing a network address of the second DNS server if the request was sent over a production virtual local area network (VLAN) in the first network. | 03-13-2014 |
| 20140059693 | ANONYMOUS SHIPMENT BROKERING - A request is received for a brokered shipment from a particular entity to an anonymous user. A shipping identifier is obtained from a shipping entity, on behalf of the particular entity, for the shipment from the particular entity to the anonymous user. The shipping identifier is communicated to the particular entity and the shipping identifier is associated with a unique user identifier unique, within a system, to a pairing of the anonymous user with the particular entity. Address information of the anonymous user is unknown to the particular entity, and address information is obtained from the shipping entity for the anonymous user. In some aspects, address information of the particular user is received from a second entity and applied to the shipment identifier in connection with delivery of the shipment to the particular user. | 02-27-2014 |
| 20140059658 | PRIVACY BROKER - A brokered authentication request is received corresponding to an interaction between a particular user and a particular online entity. An identity provider corresponding to the particular user is identified that stores user data identifying the particular user. Confirmation is received that the identity provider has authenticated the particular user to a user profile maintained by the identity provider and a unique persistent user identifier is generated for the particular user that is unique within a system to a pairing of the first user with the first entity. The user identifier is caused to be communicated to the first entity for authenticating the first user in interactions with the first entity. | 02-27-2014 |
| 20140058945 | ANONYMOUS PAYMENT BROKERING - A payment brokering request is received from a first entity corresponding to a particular payment requested of an anonymous user, the payment brokering request including banking information of the first entity. A payment partner is identified that is associated with the anonymous user and it is communicated, to the payment partner, that the particular payment from the anonymous user has been requested. Confirmation data is received from the payment partner confirming that the particular payment was authorized by the anonymous user and that the payment partner will transfer funds to the broker banking system. In some instances, the payment request is forwarded by the privacy broker from the first entity, the payment request including a user identifier paired to the anonymous user and the first entity. The user can be identified, for instance, by the payment partner, from the user identifier. | 02-27-2014 |
| 20140047547 | STEALTH NETWORK ATTACK MONITORING - A particular failed connection attempt initiated by a particular source asset in a network is identified and subsequent failed connection attempts initiated by the particular source asset in the network during a time period are tracked. A low frequency sequence of failed connection attempts involving the particular source asset is detected during the time period and the source asset is designated as a potential security risk based on the detected low frequency sequence of failed connection attempts. | 02-13-2014 |
| 20140047267 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR RECONSTRUCTING DATA RECEIVED BY A COMPUTER IN A MANNER THAT IS INDEPENDENT OF THE COMPUTER - A data reconstruction system, method and computer program product are provided. In use, one of a plurality of computers receiving data over a network is identified. In addition, the data received by the computer is reconstructed in a manner that is independent of the computer. | 02-13-2014 |
| 20140026218 | ROLLBACK FEATURE - A file stored in a first portion of a computer memory of a computer is determined to be a malicious file. A duplicate of the file is stored in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory. One or more protection processes are performed on the file. The determination that the file is a malicious file is determined to be a false positive and the file is restored, during a boot sequence, to a state prior to the one or more protection processes being performed on the file. | 01-23-2014 |
| 20140019798 | AUTOMATED COMPUTING APPLIANCE CLONING OR MIGRATION - A system and method for automatically cloning or migrating a computing appliance while maintaining its operational state. A configuration bundle that includes configuration data, software revision level and a list of system updates is used to recover or duplicate a device's operation state. The system and method can also be utilized to migrate a computing appliance between different operating system while maintaining or replicating the previous operational state. | 01-16-2014 |
| 20140013394 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR A PRE-DEACTIVATION GRACE PERIOD - A system, method, and computer program product are provided for a pre-deactivation grace period on a processing device (e.g., mobile device). In operation, a deactivation request is detected for a deactivation event. Further, the commencement of the deactivation event is delayed for a predetermined time period, in response to the deactivation request. Additionally, the deactivation event is commenced, after the predetermined time period. To return to full functionality of the processing device while in the deactivation grace period all that may be required is entry of a authentication information (e.g., password) that is weaker than a stronger authentication information initially used to log into the processing device. | 01-09-2014 |
| 20140007234 | PREVENTING ATTACKS ON DEVICES WITH MULTIPLE CPUs | 01-02-2014 |
| 20130333039 | Evaluating Whether to Block or Allow Installation of a Software Application - A programmable device for which an application is to be installed analyzes permissions requested by the application and other application information to assist the user in deciding whether to allow installation of the application. The analysis may either block or allow the installation, or may provide a calculated risk level to the user and request a decision. Application information, such as a category of application, typical permissions requested by similar applications, and trustworthiness of the application source, in addition to whitelists and blacklists may be employed as part of the analysis and evaluation of the permissions. As a result, the user need not be burdened with overly technical information and may make a better informed decision on installation. | 12-12-2013 |
| 20130312099 | Realtime Kernel Object Table and Type Protection - A method for detecting malware includes determining one or more object-oriented components of an electronic device, trapping at a level below all of the operating systems of the electronic device an attempt to access an object-oriented component of the electronic device, determining an entity causing the attempt, accessing one or more security rules, and, based on the security rules, the entity causing the attempt, and the object-oriented component, determining whether the attempted access is indicative of malware. | 11-21-2013 |
| 20130312098 | NEGATIVE LIGHT-WEIGHT RULES - A method for securing an electronic device includes, at a level below all of the operating systems of an electronic device, trapping a first attempt and second attempt to access sensitive system resources of the electronic device. The method also includes identifying the first attempt and second attempt as representing a potential malware attack, comparing the sequence of the first attempt and second attempt against a first anti-malware rule, and, based on the comparison of the sequence of the first attempt and second attempt against the first anti-malware rule, allowing the second attempt. The first attempt and second attempt originate from code of the same operating entity. The first anti-malware rule includes a requirement of a sequence of attempts including the first attempt followed by the second attempt. | 11-21-2013 |
| 20130312095 | IDENTIFYING ROOTKITS BASED ON ACCESS PERMISSIONS - A method for monitoring for malware includes, during a boot process on an electronic device, determining a portion of memory, determining that the portion of memory is reserved for exclusive access by an entity on the electronic device, and, based on the determination that a portion of memory is reserved for exclusive access during the boot process, determining that the reservation is indicative of malware. | 11-21-2013 |
| 20130283377 | DETECTION AND PREVENTION OF INSTALLATION OF MALICIOUS MOBILE APPLICATIONS - A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device's operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application's status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application. | 10-24-2013 |
| 20130276132 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR UTILIZING CODE STORED IN A PROTECTED AREA OF MEMORY FOR SECURING AN ASSOCIATED SYSTEM - A security system, method, and computer program product are provided. In use, code is stored in a protected area of memory. In addition, the stored code is utilized for securing a system associated with the protected area of memory. | 10-17-2013 |
| 20130276118 | System, method and computer program product for detecting encoded shellcode in network traffic - A system, method and computer program product are provided for detecting encoded shellcode. In use, network traffic that is encoded is identified. Further, it is determined whether the network traffic that is encoded includes shellcode. | 10-17-2013 |
| 20130276113 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR REMOVING MALWARE FROM A SYSTEM WHILE THE SYSTEM IS OFFLINE - A system, method, and computer program product are provided for removing malware from a system while the system is offline. In use, a system is identified as being infected with malware. Additionally, it is determined whether the malware can be fully removed from the system while the system is online. Further, at least part of the malware is conditionally removed from the system while the system is offline, based on the determining. | 10-17-2013 |
| 20130276109 | System, method and computer program product for detecting activity in association with program resources that has at least a potential of an unwanted effect on the program - A system, method and computer program product are provided. In use, at least one resource utilized by a program is monitored. In addition, activity in association with the at least one resource that has at least a potential of an unwanted effect on the program is detected. Further, a reaction is performed in response to detecting the activity to prevent the unwanted effect. | 10-17-2013 |
| 20130276107 | BEHAVIORAL TRACKING SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR UNDOING EVENTS BASED ON USER INPUT - A behavioral tracking system, method, and computer program product are provided for undoing events based on user input. In use, a plurality of unclassified events is identified on a system utilizing behavioral tracking. Additionally, input associated with at least one of the unclassified events is received from a user of the system for classifying the at least one of the unclassified events as an unwanted event. Further, the at least one unwanted event is undone in response to the receipt of the input. | 10-17-2013 |
| 20130276104 | System, method and computer program product for displaying security actions for undo purposes - A security system, method and computer program product are provided. In use, a plurality of security actions is conducted. The plurality of security actions are further displayed to a user. In addition, a selection of one or more of the security actions is received from the user. Further, the selected one or more security actions are undone. | 10-17-2013 |
| 20130276053 | SYSTEM ASSET REPOSITORY MANAGEMENT - A plurality of system entities described in an asset repository are identified, the asset repository defining a particular hierarchical organization of the plurality of system entities within a computing environment. A particular system entity in the plurality of system entities is tagged with a particular tag. The particular system entity is associated with a particular security policy based on the particular system entity being tagged with the particular tag. The particular security policy is applied to system entities in the asset repository tagged with one or more tags in a particular set of tags including the particular tag. | 10-17-2013 |
| 20130275999 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR INTERFACING A PLURALITY OF RELATED APPLICATIONS - A system, method and computer program product are provided for interlacing a plurality of applications. Initially, a signal is received at an interface indicating that a first application has responded to an event with a first response. The interface, in turn, prompts a second response to die event by a second application. | 10-17-2013 |
| 20130275998 | Automated local exception rule generation system, method and computer progam product - A system, method and computer program product are provided for automatically generating a rule exception. An event is identified that at least potentially violates a rule. Thereafter, an exception to the rule is automatically generated. | 10-17-2013 |
| 20130275981 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR MONITORING AN EXECUTION FLOW OF A FUNCTION - A system, method, and computer program product are provided for monitoring an execution flow of a function. In use, data associated with a function is identified within a call stack. Additionally, a call stack frame is determined from freed memory in the call stack. Further, an execution flow of the function is monitored, utilizing the call stack frame from the freed memory. | 10-17-2013 |
| 20130275950 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR MONITORING AND/OR ANALYZING AT LEAST ONE ASPECT OF AN INVOCATION OF AN INTERFACE - A system, method and computer program product are provided. In use, execution of a portion of internal code of an interface is identified. Further, in response to the execution of the portion of internal code, at least one aspect of an invocation of the interface is monitored and/or analyzed. | 10-17-2013 |
| 20130275575 | NETWORK ADDRESS REPOSITORY MANAGEMENT - A first Internet protocol version 6 (IPv6) address of a particular computing device within a network is identified using a first passive discovery sensor performing a first discovery task. A second discovery task is caused to be performed using the first IPv6 address and an attribute of the particular computing device is identified from results of the second discovery task. The first IPv6 address and attribute of the particular device is added to a repository maintaining a record of detected IPv6 addresses within the network. In some instances, a first passive discovery sensor can be one of an event-based discovery sensor, a latent-type discovery sensor, and an indirect-type discovery sensor. | 10-17-2013 |
| 20130275574 | ASSET DETECTION SYSTEM - A pluggable asset detection engine is used to identify devices within a network. The pluggable asset detection engine includes a set of pluggable discovery sensors and is adapted to identify particular address information of a particular computing device within a network, using a first pluggable discovery sensor in the set of discovery sensors, and send an identification of the particular address information of the particular computing device to an asset management system for inclusion of the particular address information in an asset repository managed by the asset management system. | 10-17-2013 |
| 20130275573 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR DEFERRING INTERFACE MONITORING BASED ON WHETHER A LIBRARY ASSOCIATED WITH THE INTERFACE IS LOADED - An interface monitoring system, method and computer program product are provided. In use, an interface is identified. In addition, monitoring of the interface is deferred based on whether a library associated with the interface is loaded. | 10-17-2013 |
| 20130269029 | UNIFIED SCAN ENGINE - A scan engine receives a request to perform a particular scan on at least a portion of a computing environment. The scan engine identifies a particular language interpreter in a set of available language interpreters for use in performing the particular scan and performs the particular scan using the particular language interpreter. The scan engine returns results of the particular scan. In some implementations, the scan engine is implemented on an agent enabling communication between the scan engine and an asset management system. | 10-10-2013 |
| 20130268994 | SYSTEM AND METHOD FOR DETERMINING AND USING LOCAL REPUTATIONS OF USERS AND HOSTS TO PROTECT INFORMATION IN A NETWORK ENVIRONMENT - A method in an example embodiment includes correlating a first set of event data from a private network and determining a local reputation score of a host in the private network based on correlating the first set of event data. The method further includes providing the local reputation score of the host to a security node, which applies a policy, based on the local reputation score of the host, to a network communication associated with the host. In specific embodiments, the local reputation score of the host is mapped to a network address of the host. In further embodiments, the first set of event data includes one or more event indicators representing one or more events, respectively, in the private network. In more specific embodiments, the method includes determining a local reputation score of a user and providing the local reputation score of the user to the security node. | 10-10-2013 |
| 20130268767 | WIRELESS TOKEN AUTHENTICATION - Authentication data is received, from a first computing device, based on data received by the first computing device from a wireless token device, the authentication data used to authenticate a first user to a particular computing session hosted remote from the first computing device. The first computing device is authenticated to the particular computing session based on the received authentication data. The first computing device is permitted to consume resources of the particular computing session. In some instances, the data received by the first computing device from the wireless token device includes the authentication data. | 10-10-2013 |
| 20130268766 | WIRELESS TOKEN DEVICE - A first computing device is detected as substantially collocated with a wireless token device, using a short-range wireless communication network and a connection is established between the first computing device and the token device over the short-range wireless network. Authentication data is sent to the first computing device from the token device over the short-range wireless network to authenticate the token device at the first computing device. Authentication of the token device permits data accessible through the first computing device to be made available to a holder of the token device and to be presented on a user interface of the first computing device. In some instances, the wireless token device may otherwise lack user interfaces for presenting the data itself. | 10-10-2013 |
| 20130268758 | WIRELESS STORAGE DEVICE - A first computing device is detected as substantially collocated with a wireless storage device, using a short-range wireless communication network. A connection is established between the first computing device and the wireless storage device over the short-range wireless network. Data stored in memory of the wireless storage device is sent from the wireless storage device to the first computing device over the short-range wireless network for a presentation of the data using a user interface of the first computing device. The wireless storage device lacks user interfaces for the presentation of the data. In some instances, authentication of either or both of the first computing device or wireless storage device can be accomplished through communication between the first computing device and wireless storage device over the short-range wireless communication network. | 10-10-2013 |
| 20130268687 | WIRELESS TOKEN DEVICE - A first computing device is detected as substantially collocated with a wireless token device, using a short-range wireless communication network, and a connection is established between the first computing device and the wireless token device over the short-range wireless network. Authentication data stored in memory of the wireless token device is sent from the wireless token device to the first computing device over the short-range wireless network. The first computing device is authenticated to a particular computing session based on the authentication data and authenticating the first computing device permits the first computing device to participate in the particular computing session. | 10-10-2013 |
| 20130268652 | OPPORTUNISTIC SYSTEM SCANNING - Opportunistic scans can be performed by identifying, using at least one processing device, a detection of a particular computing device on a network of a computing environment. At least one scan to be performed on the detected particular computing device can be is identified and a particular scan engine, in a plurality of scan engines, is identified that is adapted to perform the at least one scan. The at least one scan is caused to be performed on the detected particular computing device while the detected particular computing device is on the network using the particular scan engine. | 10-10-2013 |
| 20130254884 | SYSTEMS AND METHODS FOR BEHAVIORAL SANDBOXING - Methods and system for behavioral sandboxing are described. In one example embodiment, a system for behavioral sandboxing can include a network and a computer. The network communicatively coupled to a source of an executable application. The computer communicatively couple to the network and including a behavioral analysis module and a plurality of execution environments. The behavioral analysis module is configured to perform behavioral analysis on the executable application downloaded over the network. The plurality of execution environments including a standard execution environment and a protected execution environment. The behavioral analysis module is configured to evaluate a plurality of behavioral characteristics of the executable application to determine whether the executable application should be executed within the protected execution environment prior to execution of the executable application. The behavioral analysis module also monitors execution of the executable application to determine whether the execution environment can be changed. | 09-26-2013 |
| 20130254880 | SYSTEM AND METHOD FOR CROWDSOURCING OF MOBILE APPLICATION REPUTATIONS - A system and method in one embodiment includes modules for obtaining a collection of attributes of a mobile application, comparing one or more of the attributes with crowdsourced data associated with other mobile applications to determine one or more trustworthiness indicators, and calculating a reputation score based on the one or more trustworthiness indicators. More specific embodiments include a collection of attributes comprising a manifest, and an application behavior. Other embodiments include determining a suitable action based on the reputation score, such as changing a configuration of the mobile application, deleting the mobile application from a mobile device, generating a security alert on a display of the mobile device, etc. | 09-26-2013 |
| 20130247206 | SYSTEM AND METHOD FOR GROUPING COMPUTER VULNERABILITIES - A system and method in one embodiment includes modules for creating a vulnerability set including one or more vulnerabilities, adding the vulnerability set to a program, and updating the program by adding a new vulnerability to the vulnerability set. More specific embodiments include a program that includes a scan, creating the vulnerability set by generating a query including one or more conditions associated with the vulnerabilities, and creating the vulnerability set by selecting one or more vulnerabilities from a plurality of vulnerabilities. Other embodiments include a program that includes a report template, adding a vulnerability set to the report template by generating a query to include a condition associated with the vulnerability set, running a scan, and generating a report including one or more results from the scan meeting the condition associated with the vulnerability set. | 09-19-2013 |
| 20130247205 | CALCULATING QUANTITATIVE ASSET RISK - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for generating quantitative risk metrics for assets and threats. Risk metrics are generated for individual assets and individual threats. These individual metrics can then be analyzed to generate aggregate risk metrics for assets, groups of assets, and threats. Assets and threats can be ordered according to their aggregate risk metrics. | 09-19-2013 |
| 20130247203 | Identifying Relationships Between Security Metrics - A security metrics system receives security information data for a network system of computers and metric definitions from metric sources. Each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system. The system calculates each metric definition for a plurality of times and selecting metric definitions that are related to the performance of and are indicative of one or more other metric definitions as candidates to be key performance indicators. | 09-19-2013 |
| 20130247199 | System, method and computer program product for removing null values during scanning - A system, method, and computer program product are provided for scanning data values. Initially, a set of data values are received. Null values between the data values are then removed such that the data values are contiguous. Further, the data values with the null values removed are scanned for the purpose of identifying unwanted data. | 09-19-2013 |
| 20130247184 | Stealth Network Attack Monitoring - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for stealth attack monitoring. In one aspect, a method includes monitoring a network for failed connection attempts in the network, wherein each failed internal connection attempt is initiated by a source asset and is an attempt to connect to a destination asset; and only in response to detecting a failed connection attempt initiated by a source asset, instantiating a source asset tracking instance in a computer memory, and for each source asset tracking instance in the computer memory: monitoring the corresponding source asset for a threshold number of failed connection attempts to destination assets during a time period; and in response to detecting the threshold number of failed connection attempts from the source asset during the time period for the source asset tracking instance, designating the source asset as a security risk. | 09-19-2013 |
| 20130247183 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PREVENTING A MODIFICATION TO A DOMAIN NAME SYSTEM SETTING - A system, method, and computer program product are provided for preventing a modification to a domain name system setting. In use, an attempt to modify a domain name system setting is detected. Additionally, a source of the attempt and an attribute of the modification are verified. Further, the modification to the domain name system setting is prevented, based on the verification. | 09-19-2013 |
| 20130247167 | SYSTEM, METHOD, AND COMPUTER PROGRAM FOR PREVENTING INFECTIONS FROM SPREADING IN A NETWORK ENVIRONMENT USING DYNAMIC APPLICATION OF A FIREWALL POLICY - A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node. | 09-19-2013 |
| 20130247133 | SECURITY ASSESSMENT OF VIRTUAL MACHINE ENVIRONMENTS - Each virtual machine in a set of virtual machines managed by the virtual machine manager is identified. For each virtual machine in the set, it is determined whether the respective virtual machine is online. For at least the virtual machines determined to be offline, a machine image is collected for each offline virtual machine. Security of the offline virtual machines is assessed from the collected images. For virtual machines identified as online, an agent is loaded on each online virtual machine in the set via the virtual machine manager. The loaded agents are used to assess security of the online virtual machines in the set. | 09-19-2013 |
| 20130247129 | System, method and computer program product for obtaining a reputation associated with a file - A reputation system, method and computer program product are provided. In use, a file associated with a first computer is identified. Thereafter, a reputation associated with the file stored at a second computer is obtained. | 09-19-2013 |
| 20130246925 | SYSTEM AND METHOD FOR MANAGING DATA AND POLICIES - In one embodiment, a method is provided and includes capturing a plurality of packet streams, recreating a plurality of flows from the packet streams, and analyzing the flows to identify one or more incidents. The incidents indentify one or more pieces of data. The incidents are filtered and the incidents are rendered on a display for an end user that initiated the filtering operation. In other embodiments, the display allows the end user to view a selected one of a group of attributes for the incidents. The display allows the end user to open a captured object associated with a specific incident. In still other embodiments, the display allows a user to filter the incidents using a selected one of a group of group options such as content, destination IP, destination location, destination port, filename, host IP, etc. | 09-19-2013 |
| 20130246796 | SYSTEM AND METHOD FOR SECURING DATABASE ACTIVITY - A method is provided in one example embodiment that includes detecting database activity associated with a statement having a signature, validating the signature; and evaluating the statement as a signed statement if the signature is valid. In more particular embodiments, the signature may include a unique script identifier and a hash function of a shared key. In yet other embodiments, validating the signature may include checking a session variable and comparing the statement to a list of signed statements. | 09-19-2013 |
| 20130246685 | SYSTEM AND METHOD FOR PASSIVE THREAT DETECTION USING VIRTUAL MEMORY INSPECTION - A method in one example implementation includes synchronizing a first memory page set with a second memory page set of a virtual guest machine, inspecting the first memory page set off-line, and detecting a threat in the first memory page set. The method further includes taking an action based on the threat. In more specific embodiments, the method includes updating the first memory page set with a subset of the second memory page set at an expiration of a synchronization interval, where the subset of the second memory page set was modified during the synchronization interval. In other more specific embodiments, the second memory page set of the virtual guest machine represents non-persistent memory of the virtual guest machine. In yet other specific embodiments, the action includes at least one of shutting down the virtual guest machine and alerting an administrator. | 09-19-2013 |
| 20130246639 | SYSTEM AND METHOD FOR FLEXIBLE NETWORK ACCESS CONTROL POLICIES IN A NETWORK ENVIRONMENT - An example method includes capturing session attributes associated with a communication session initiated by a node in a network environment, querying external attributes associated with the node, deriving a response attribute according to an access control policy rule based on at least one of the session attributes and at least one of the external attributes, and applying the response attribute to the communication session. The session attributes can include remote authentication dial in user service RADIUS vendor specific attribute information from an unknown vendor. The method may further include auditing the communication session, enforcing the response attribute, or ignoring the access control policy. Enforcing the response attribute can include taking an access control action according to the response attribute. The access control action may include allowing the node to access a virtual local area network in the network environment, denying access to the network environment, etc. | 09-19-2013 |
| 20130246620 | EMBEDDED ANTI-VIRUS SCANNER FOR A NETWORK ADAPTER - A network adapter system and associated method are provided. The network adapter system includes a processor positioned on a network adapter coupled between a computer and a network. Such processor is configured for scanning network traffic transmitted between the computer and the network. | 09-19-2013 |
| 20130246605 | LOCAL REPUTATION TO ADJUST SENSITIVITY OF BEHAVIORAL DETECTION SYSTEM - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for adjusting the sensitivity of a behavior detection process on a per-device basis based on a local reputation for each device. | 09-19-2013 |
| 20130246603 | System, method, and computer program product for automatic router discovery - A system, method, and computer program product are provided for network device discovery. In use, information is received relating to a plurality of network devices on a network. Such information is then correlated, such that additional network devices on the network may be discovered utilizing the information. To this end, the discovery is enhanced as a result of the correlation. | 09-19-2013 |
| 20130246431 | SYSTEM AND METHOD FOR PROVIDING DATA PROTECTION WORKFLOWS IN A NETWORK ENVIRONMENT - A method is provided in one example and includes receiving sets of metadata elements and corresponding category information representing objects of a data storage location that are classified based on a category. The method further includes generating a summary of a subset of the classified objects and initiating a protection task for objects of the subset. In more specific embodiments, the protection task includes applying a remediation policy to the objects of the subset. Another protection task includes registering the objects of the subset. In other specific embodiments, the summary includes at least one of a total count and a total size of the objects in the subset. In yet other more specific embodiments, the method includes creating an Online Analytical Processing (OLAP) data structure to represent the sets of metadata elements and the corresponding category information with the summary of the subset being generated from the OLAP data. | 09-19-2013 |
| 20130246371 | System and Method for Concept Building - A method is provided in one example embodiment and it includes identifying a root term and determining one or more other terms belonging to a group associated with the root term. The method also includes selecting one or more of the terms from the group and generating a concept based on the selected terms from the group, wherein the concept is applied to a rule that affects data management for one or more documents that satisfy the rule. In more specific embodiments, the root term is identified via a search or via an incident list. In other embodiments, a collection of meaningful terms is provided to assist in determining the other terms for the group, the collection of meaningful terms being generated based on the root term. The concept can be used to automatically mark one or more documents that relate to the concept. | 09-19-2013 |
| 20130246337 | System and Method for Intelligent Term Grouping - A method is provided in one example embodiment and it includes identifying a root word for a tree to be used in managing data and creating a word stem to be included in the tree. A query is initiated to determine whether a stem node exists at one or more branch points of the word, and if the stem node does not exist, then the stem node is added to a branch point of the tree. In more specific embodiments, if the stem node does exist, then node statistics are updated. In other embodiments, the method includes updating a branch point list after creating the word stem. In yet other embodiments, the branch point is a word or a combination of words. The tree can be used to identify locations and frequencies within a document set where one or more words are present. | 09-19-2013 |
| 20130246336 | SYSTEM AND METHOD FOR PROVIDING DATA PROTECTION WORKFLOWS IN A NETWORK ENVIRONMENT - A method is provided in one example and includes crawling a storage location of a network environment to identify objects, fetching the identified objects, creating indexes corresponding to the identified objects, and classifying one or more objects of the identified objects based on a first category. The method further includes providing first sets of metadata elements and corresponding first category information representing the classified one or more objects of the identified objects, searching the indexes for a selected group of the classified one or more objects of the identified objects, and classifying one or more objects of the selected group based on a second category. In more specific embodiments, the method includes applying a remediation policy to the classified one or more objects of the selected group. In other more specific embodiments, the method includes registering the classified one or more objects of the selected group. | 09-19-2013 |
| 20130246335 | SYSTEM AND METHOD FOR PROVIDING DATA PROTECTION WORKFLOWS IN A NETWORK ENVIRONMENT - A method is provided in one example and includes receiving first sets of metadata elements representing an inventory of objects in a data storage location of a network environment and presenting an inventory view of the objects to a user. The inventory view includes a first summary of the inventory objects. The method further includes receiving a request from the user to manipulate the inventory view based on a first selected dimension group and presenting to the user a manipulated inventory view that includes a second summary of a first subset of the inventory objects. In more specific embodiments, the method includes receiving a request from the user to perform a protection task on objects of the first subset and initiating the protection task. The protection task includes one of applying a remediation policy to the objects of the first subset and registering the objects of the first subset. | 09-19-2013 |
| 20130246334 | SYSTEM AND METHOD FOR PROVIDING DATA PROTECTION WORKFLOWS IN A NETWORK ENVIRONMENT - A method is provided in one example and includes receiving first sets of metadata elements representing objects of an inventory and generating a first summary of a first subset of the objects. The method further includes receiving second sets of metadata elements and corresponding category information representing objects of the first subset that are classified based on a first category and generating a second summary of a second subset of the classified objects. In yet further embodiments, the method includes initiating a protection task for objects of the second subset of the classified objects. In more specific embodiments, the protection task includes applying a remediation policy to the objects of the second subset or registering the objects of the second subset. In yet other embodiments, the second summary includes at least one of a total count and a total size of the objects in the second subset. | 09-19-2013 |
| 20130212581 | System, Method and Computer Program Product for Performing a Security or Maintenance Operation in Association with Virtual Disk Data - A system, method and computer program product are provided for performing a security or maintenance operation in association with virtual disk data accessed independent of a virtual machine. In use, data stored on a virtual disk is accessed at least in part independent of a virtual machine. Further, a security or maintenance operation is performed in association with the accessed data. | 08-15-2013 |
| 20130198509 | SYSTEM AND METHOD FOR INNOVATIVE MANAGEMENT OF TRANSPORT LAYER SECURITY SESSION TICKETS IN A NETWORK ENVIRONMENT - An example method includes identifying a transport layer security (TLS) session between a client and a server, parsing one or more TLS messages to identify a session ticket associated with the session, transforming the session ticket into a fixed size session token, and managing the session using the session token to identify the session. The transforming may include computing a hash value of the session ticket using a hashing algorithm. If any of the TLS messages is spread across more than one TLS protocol record, the method can include computing a hash value of a portion of the session ticket encountered in a TLS protocol record using a hashing algorithm, incrementally computing another hash value of another portion of the session ticket encountered in a subsequent TLS protocol record from the previously computed hash value, and repeating the incremental computing until portions of the session ticket have been processed. | 08-01-2013 |
| 20130191919 | CALCULATING QUANTITATIVE ASSET RISK - A standardized vulnerability score is identified for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative other vulnerabilities. A vulnerability detection score is determined that indicates an estimated probability that a particular asset possess the particular vulnerability and a vulnerability composite score is determined for the particular asset to the particular vulnerability, the vulnerability composite score derived from the standardized vulnerability score and the vulnerability detection score. A countermeasure component score is identified that indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset. A risk metric for the particular asset and the particular vulnerability is determined from the vulnerability composite score and the countermeasure component score. In some instances, aggregate risk scores can be calculated from a plurality of calculated risk metrics. | 07-25-2013 |
| 20130174259 | GEO-MAPPING SYSTEM SECURITY EVENTS - A particular security event is identified that has been detected as targeting a particular computing device included in a particular computing system. A particular grouping of assets in a plurality of asset groupings within the particular computing system is identified as including the particular computing device. A source of the particular security event is also identified and at least one of a geographic location and a grouping of assets in the plurality of asset groupings is associated with the identified source. Data is generated that is adapted to cause a presentation of a graphical representation of the particular security event on a display device, the graphical representation including a first graphical element representing the particular computing device as included in the particular grouping of assets and a second graphical element representing the source associated with the at least one of a geographic location and a grouping of assets. | 07-04-2013 |
| 20130174246 | SYSTEM AND METHOD FOR CLOUD BASED SCANNING FOR COMPUTER VULNERABILITIES IN A NETWORK ENVIRONMENT - A method in one embodiment includes establishing a first secure tunnel between a scanner and a configuration manager, and a second secure tunnel between the scanner and a scan controller, where the scanner is located in a public network and the configuration manager and the scan controller are located in a private network, communicating scanner configuration information between the scanner and the configuration manager over the first secure tunnel, and communicating scan information between the scanner and the scan controller over the second secure tunnel. The secure tunnels may be established from within the private network, by forwarding a first origination port and a second origination port to a first destination port and a second destination port, respectively. The first and second origination ports may be located in the public network, and the first and second destination ports may be located in the private network. | 07-04-2013 |
| 20130173569 | COLLABORATIVE SEARCHING - A collaborative search session is provided hosted by one or more computing devices. First query data is received from a first computing device in a collaborative search session. Further, second query data is received from a second computing device in the collaborative search session. A corpus of resources can be caused to be searched based at least in part on the first and second query data to identify a particular search result set for the collaborative search session. At least a portion of the particular search result set can be caused to be presented on each of the first and second computing devices participating in the collaborative search session. | 07-04-2013 |
| 20130171965 | SIMPLIFIED MOBILE COMMUNICATION DEVICE - A first communication device is detected as being substantially collocated with a second communication device using a short-range wireless network. A connection is established between the first and second communication devices over the short-range wireless network. In some instances, authentication data can be sent from the second communication device to the first communication device to authenticate a user to the first communication device. Further, input is received from the first communication device over the short-range wireless network specifying a telephone number for a telephone call using the second communication device. A connection is established between the second communication device and a cellular base station to initiate the telephone call with a third communication device associated with the telephone number. In some instances, the second communication device is a wireless headset device. | 07-04-2013 |
| 20130167238 | SYSTEM AND METHOD FOR SCANNING FOR COMPUTER VULNERABILITIES IN A NETWORK ENVIRONMENT - A method in one embodiment includes identifying a set of known vulnerabilities and a set of new vulnerabilities in an asset, selecting one or more scripts that include checks for vulnerabilities in a union of the set of known vulnerabilities and the set of new vulnerabilities, and using the selected scripts to scan the asset. Known vulnerabilities and new vulnerabilities may be identified by accessing results of previous scans on the asset. The method may also include identifying a plurality of assets to scan in a network, identifying a plurality of sets of known vulnerabilities and a plurality of sets of new vulnerabilities in substantially all assets in the plurality of assets, and inserting checks for vulnerabilities included in a union of the plurality of sets of known vulnerabilities and the plurality of sets of new vulnerabilities into the selected scripts. | 06-27-2013 |
| 20130152188 | PORT ALLOCATION IN A FIREWALL CLUSTER - A firewall cluster having three or more firewall processing nodes sharing the same shared IP address. Port numbers are assigned to the firewall processing nodes within the cluster and are used to distinguish between traffic sent to the cluster. Each network connection is assigned a destination port number. Each node receives the network connection and its assigned port number and determines if the assigned destination port number matches one of its assigned port numbers. If so, the node processes the network connection. If the assigned destination port number does not match one of its assigned port numbers, the network connection is discarded. | 06-13-2013 |
| 20130152156 | VPN SUPPORT IN A LARGE FIREWALL CLUSTER - A firewall cluster comprises three or more firewall processing nodes, at least one of which is operable to establish a Virtual Private Network (VPN) network connection. A node is further operable to share VPN state information with two or more receiving nodes by sending broadcast message to the two or more nodes. | 06-13-2013 |
| 20130124644 | REPUTATION SERVICES FOR A SOCIAL MEDIA IDENTITY - Reputation services can determine a “reputation” to associate with a Social Media Identity. For example, a social media identity may develop a trustworthy or an untrustworthy reputation. An untrustworthy reputation can be attained if a user (i.e., identity) posts content similar to email spam messages or links to inappropriate content. Inappropriate content can include illegal copies of material (e.g., violation of copyright) or malicious content among other types. Reputation can be used to inform other users of the potential “quality” of that identity's posts or to filter posts from a particular identity so as not to “bother” other users. An identity's reputation could also be calculated across a plurality of Social Media sites when identifying information from each site can be related to a real world entity. Individual users could set their own filtering options to enhance and refine their own experience on Social Media sites. | 05-16-2013 |
| 20130117823 | SYSTEM AND METHOD FOR ENFORCING SECURITY POLICIES IN A VIRTUAL ENVIRONMENT - A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary. | 05-09-2013 |
| 20130117397 | STOPPING AND REMEDIATING OUTBOUND MESSAGING ABUSE - Systems and methods are provided for allowing subscriber message sending profiles to be maintained and used in conjunction with behavior-based anomaly detection techniques and traditional content-based spam signature filtering to enable application of appropriate message disposition policies to outbound subscriber message traffic. According to one embodiment, subscriber profiles are constructed for multiple subscriber accounts associated with a service provider based on outbound message flow originated from the subscriber accounts. Then, possible subscriber account misuse may be discovered by performing behavior-based anomaly detection, including a comparison of a subscriber profile associated with the subscriber account with recent subscriber account usage information, to identify one or more behavioral anomalies in outbound message flow originated from a subscriber account, the behavior-based anomaly detection. | 05-09-2013 |
| 20130104230 | System and Method for Detection of Denial of Service Attacks - Systems and methods for detecting a denial of service attack are disclosed. These may include receiving a plurality of web log traces from one of a plurality of web servers; extracting a first set of features from the plurality of web log traces; applying a first machine learning technique to the first set of features; producing a first plurality of user classifications for communication to the web server; extracting a second set of features from the plurality of web log traces; applying a second machine learning technique to the second set of features; producing a second plurality of user classification for communication to the web server; communicating the first plurality of user classifications to the web server based at least on the plurality of web log traces; and communicating the second plurality of user classifications to the web server based at least on the plurality of web log traces. | 04-25-2013 |
| 20130097711 | MOBILE RISK ASSESSMENT - A query is received from a particular endpoint device identifying a particular wireless access point encountered by the particular endpoint device. Pre-existing risk assessment data is identified for the identified particular wireless access point and query result data is sent to the particular endpoint device characterizing pre-assessed risk associated with the particular wireless access point. In some instances, the query result data is generated based on the pre-existing risk assessment data. In some instances, pre-existing risk assessment data can be the result of an earlier risk assessment carried-out at least in part by an endpoint device interfacing with and testing the particular wireless access point. | 04-18-2013 |
| 20130097710 | MOBILE RISK ASSESSMENT - At least one available wireless access point is identified at a particular location and a connection is established with the available wireless access point. Communication is attempted with a trusted endpoint over the wireless access point and the attempted communication with the trusted endpoint over the wireless access point is monitored to assess risk associated with the wireless access point. Results of the assessment, in some instances, can be reported to an access point risk manager and risk associated with future attempts to use the wireless access point can be assessed based at least in part on the reported assessment results. | 04-18-2013 |
| 20130097709 | USER BEHAVIORAL RISK ASSESSMENT - A predetermined particular behavioral profile is identified associated with at least one particular user of a computing system, the particular behavioral profile identifying expected behavior of the at least one user within the computing system. Activities associated with use of the computing system by the particular user are identified and it is determined whether the identified activities correlate with the particular behavioral profile. Identifying an activity that deviates from the particular behavioral profile beyond a particular threshold triggers a risk event relating to the particular user. | 04-18-2013 |
| 20130097708 | SYSTEM AND METHOD FOR TRANSITIONING TO A WHITELIST MODE DURING A MALWARE ATTACK IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment that includes receiving a signal to enable a whitelist mode on a host in a network, terminating a process executing on the host if the process is not verified, and blocking execution of software objects on the host if the software objects are not represented on the whitelist. In more particular embodiments, the method also includes identifying the process on a process list that enumerates one or more processes executing on the host. Yet further embodiments include quarantining the host if a second process on the process list is a critical process and if the second process is not verified. More specific embodiments include identifying and restarting another process on the process list if process memory was modified. | 04-18-2013 |
| 20130097701 | USER BEHAVIORAL RISK ASSESSMENT - A particular activity performed by a particular user of a computing device is identified, for instance, by an agent installed on the computing device. It is determined that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations. A behavioral risk score for the particular score for the user is determined based at least in part on the determination that the particular activity of the particular user qualifies as a particular use violation. Determining that the particular activity qualifies as a particular use violation can include determining that the particular activity violates a particular rule or event trigger corresponding to a particular pre-defined use violation. | 04-18-2013 |
| 20130097699 | SYSTEM AND METHOD FOR DETECTING A MALICIOUS COMMAND AND CONTROL CHANNEL - A method is provided in one example embodiment that includes detecting repetitive connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments, the repetitive connections use a hypertext transfer protocol and may include connections to a small number of unique domains, connections to small number of unique resources associated with the destination node, and/or a large number of connections to a resource in a domain. Moreover, heuristics may be used to score the source node and identify behavior indicative of a threat, such as a bot or other malware. | 04-18-2013 |
| 20130097692 | SYSTEM AND METHOD FOR HOST-INITIATED FIREWALL DISCOVERY IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment that includes intercepting a network flow to a destination node having a network address and sending a discovery query based on a discovery action associated with the network address in a firewall cache. A discovery result may be received and metadata associated with the flow may be sent to a firewall before releasing the network flow. In other embodiments, a discovery query may be received from a source node and a discovery result sent to the source node, wherein the discovery result identifies a firewall for managing a route to a destination node. Metadata may be received from the source node over a metadata channel. A network flow from the source node to the destination node may be intercepted, and the metadata may be correlated with the network flow to apply a network policy to the network flow. | 04-18-2013 |
| 20130097662 | INTEGRATING SECURITY POLICY AND EVENT MANAGEMENT - A plurality of security events is detected in a computing system, each security event based on at least one policy in a plurality of security policies. Respective interactive graphical representations are presented in a graphical user interface (GUI) of either or both of the security events or security policies. The representations include interactive graphical elements representing the respective security events or security policies. User selection of a particular event element via the interactive GUI causes a subset of the security policies to be identified, each security policy in the subset serving as a basis for at least one particular security event represented by the particular event element. User selection of a particular policy element via the interactive GUI causes a subset of the security policies to be identified, each security event in the subset based at least in part on a particular security policy represented by the particular policy element. | 04-18-2013 |
| 20130097661 | SYSTEM AND METHOD FOR DETECTING A FILE EMBEDDED IN AN ARBITRARY LOCATION AND DETERMINING THE REPUTATION OF THE FILE - A method is provided in one example embodiment that includes identifying a file format identifier associated with a beginning of a file, parsing the file based on the file format identifier until an end of the file is identified, and calculating a hash from the beginning of the file to the end of the file. The method may also include sending the hash to a reputation system and taking a policy action based on the hash's reputation received from the reputation system. | 04-18-2013 |
| 20130097660 | SYSTEM AND METHOD FOR WHITELISTING APPLICATIONS IN A MOBILE NETWORK ENVIRONMENT - An application is identified as installed on a particular mobile device. An action involving the application is identified, the action to be performed using the particular mobile device. It is determined whether the action is an approved action based on at least one policy associated with the particular mobile device. A determination that the action is unapproved can results in an attempt to prevent the action. Further, in certain instances, a whitelist or blacklist can be generated based on determinations of whether identified application actions conform to one or more policies associated with the particular mobile device. | 04-18-2013 |
| 20130097659 | SYSTEM AND METHOD FOR WHITELISTING APPLICATIONS IN A MOBILE NETWORK ENVIRONMENT - One or more attributes of an application in a plurality of applications is identified. A reputation score of the application is determined based at least in part on the identified attributes to determining whether the application should be included in a whitelist. The whitelist can be applied against a request to download the application on a mobile device. In some aspects, the whitelist can be generated through automated collection and analysis of applications available for download by one or more different types of mobile devices in one or more networks. In some aspects, the whitelist can be applied by blocking attempts to download applications determined not to be included in the whitelist. | 04-18-2013 |
| 20130097658 | SYSTEM AND METHOD FOR REDIRECTED FIREWALL DISCOVERY IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow. | 04-18-2013 |
| 20130097652 | SYSTEM AND METHOD FOR PROFILE BASED FILTERING OF OUTGOING INFORMATION IN A MOBILE ENVIRONMENT - A system and method in one embodiment includes modules for detecting an access request by an application to access information in a mobile device, determining that the application is a potential threat according to at least one policy filter, and blocking a send request by the application to send the information from the mobile device without a user's consent. More specific embodiments include user selecting the information through a selection menu on a graphical user interface that includes information categories pre-populated by an operating system of the mobile device, and keywords that can be input by the user. Other embodiments include queuing the send request in a queue with other requests, and presenting an outbox comprising the queue to the user to choose to consent to the requests. The outbox includes graphical elements configured to permit the user to selectively consent to any requests in the queue. | 04-18-2013 |
| 20130097518 | COOPERATIVE MOBILE ANALYTICS - A first computing device running a particular program is used to identify a second computing device also running the particular program and substantially co-located with the first computing device in a particular physical location. The first computing device and the second computing device are joined in a use session of the particular program. It is determined that the first computing device displays a first user interface of the particular program at a first instance, the first user interface showing a first context in a plurality of contexts. The second computing device displays a second user interface of the particular program at the first instance based at least in part on the first user interface showing the first context, the second user interface showing a second context in the plurality of contexts. | 04-18-2013 |
| 20130097356 | SYSTEM AND METHOD FOR KERNEL ROOTKIT PROTECTION IN A HYPERVISOR ENVIRONMENT - A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page. | 04-18-2013 |
| 20130097355 | SYSTEM AND METHOD FOR KERNEL ROOTKIT PROTECTION IN A HYPERVISOR ENVIRONMENT - A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. If the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist, the method includes marking the guest kernel page as read-only and executable. The soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page. | 04-18-2013 |
| 20130097203 | SYSTEM AND METHOD FOR PROVIDING THRESHOLD LEVELS ON PRIVILEGED RESOURCE USAGE IN A MOBILE NETWORK ENVIRONMENT - A system and method in one embodiment includes modules for detecting a request by an application in a mobile device to access a privileged resource, determining a cumulative usage of the privileged resource by the application, and performing an action according to a rule if a predefined threshold level of usage triggers the action based on the cumulative usage. More specific embodiments include blocking the request, and sending a notification to a user and updating a rules database to modify the predefined threshold level of usage associated with the rule. Other embodiments include monitoring permissions of the application to the privileged resource, and removing any permissions that have not been used for a predefined time period, logging the request into a log in a utilization database, reading the log, collating information in the log, and analyzing the log. | 04-18-2013 |
| 20130096980 | USER-DEFINED COUNTERMEASURES - A particular set of computing assets is identified on a particular computing system including a plurality of computing assets. A user definition is received of a particular countermeasure applied to the particular set of assets, the user definition of the countermeasure including identification of each asset in the particular set of assets and identification of at least one vulnerability or threat addressed by the particular countermeasure in a plurality of known vulnerabilities or threats. Based on the user definition, actual deployment of the particular countermeasure on the particular computing system is assumed in a risk assessment of at least a portion of the particular computing system. | 04-18-2013 |
| 20130091584 | Distributed System and Method for Tracking and Blocking Malicious Internet Hosts - Disclosed are systems and methods to perform coordinated blocking of source addresses, such as an Internet Protocol (IP) addresses, across a plurality of network appliances (e.g., gateways). In one disclosed embodiment the method and system temporarily alter a configuration of one or more network appliances (based on user defined configuration parameters) to allow communication from a “blocked” IP address for a period of time. A network appliance can then “receive” an email and perform analysis and provide results of the analysis to a reputation service. Thereby, the temporarily allowed communication can be used to learn information about a threat which would not have been available if all communication from that IP address had actually been blocked at the network appliance. | 04-11-2013 |
| 20130091580 | Detect and Prevent Illegal Consumption of Content on the Internet - Disclosed are systems and methods for preventing (or at least deterring) a user from inadvertently or directly consuming illegal content on the Internet. For example, determine when a user might visit a site distributing illegal content (i.e., material in violation of a copyright or otherwise inappropriately distributed) and presenting a warning to the user prior to navigating to the identified inappropriate distribution site. Optionally, alternative distribution sites (i.e., an authorized distribution site) for the same or similar material can be presented to the user. For example, a user might be likely to visit an inappropriate distribution site when sent a message containing a link or when search results from a search engine query identify a plurality of distributors for a requested movie, song, book, etc. By informing a user of illegal sources and possible alternatives, a user can obtain the desired electronic distribution without violating an author's intellectual property rights. | 04-11-2013 |
| 20130091318 | SYSTEM AND METHOD FOR CRITICAL ADDRESS SPACE PROTECTION IN A HYPERVISOR ENVIRONMENT - A system and method in one embodiment includes modules for detecting an access attempt to a critical address space (CAS) of a guest operating system (OS) that has implemented address space layout randomization in a hypervisor environment, identifying a process attempting the access, and taking an action if the process is not permitted to access the CAS. The action can be selected from: reporting the access to a management console of the hypervisor, providing a recommendation to the guest OS, and automatically taking an action within the guest OS. Other embodiments include identifying a machine address corresponding to the CAS by forcing a page fault in the guest OS, resolving a guest physical address from a guest virtual address corresponding to the CAS, and mapping the machine address to the guest physical address. | 04-11-2013 |
| 20130086632 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR APPLYING A RULE TO ASSOCIATED EVENTS - A system, method, and computer program product are provided for applying a rule to associated events. In use, a plurality of events is associated based on at least one identifier. Additionally, at least one rule is applied to the associated events. Further, a reaction is performed based on the application of the at least one rule. | 04-04-2013 |
| 20130080775 | SECURING EMAIL CONVERSATIONS - At least a portion of a transmission of an outgoing first email from a first email account to at least a second email account is encrypted. Second email address data is changed corresponding to the second email account to cause replies to the first email intended for the second email account to be sent to an intermediate device prior to being routed to the second email account. Replies to the first email are then sent to the intermediate device and sent over one or more encrypted channels. Replies to the first email including the changed email address data are decoded to identify the second email address data associated with the second email account. A reply to the first email is then sent to the second email account based on the identified second email address data. | 03-28-2013 |
| 20130074186 | DEVICE-TAILORED WHITELISTS - A particular set of attributes of a particular computing device is identified. A first plurality of whitelisted objects is identified in a global whitelist corresponding to the particular set of attributes. A particular whitelist is generated to include the identified set of whitelisted objects, the particular whitelist tailored to the particular computing device. In some aspects, device-tailored updates to the particular whitelist are also generated. | 03-21-2013 |
| 20130074143 | SYSTEM AND METHOD FOR REAL-TIME CUSTOMIZED THREAT PROTECTION - A method is provided in one example embodiment that includes receiving event information associated with reports from sensors distributed throughout a network environment and correlating the event information to identify a threat. A customized security policy based on the threat may be sent to the sensors. | 03-21-2013 |
| 20130067579 | System and Method for Statistical Analysis of Comparative Entropy - In accordance with one embodiment of the present disclosure, a method for determining the similarity between a first data set and a second data set is provided. The method includes performing an entropy analysis on the first and second data sets to produce a first entropy result, wherein the first data set comprises data representative of a first one or more computer files of known content and the second data set comprises data representative of a one or more computer files of unknown content; analyzing the first entropy result; and if the first entropy result is within a predetermined threshold, identifying the second data set as substantially related to the first data set. | 03-14-2013 |
| 20130067578 | Malware Risk Scanner - A technique for improving the installation of anti-malware software performs an analysis of a computer on which anti-malware software is to be installed prior to complete installation of the anti-malware software. If the analysis determines that the computer may already contain malware, then an attempt may be made to scan and clean the computer prior to the installation of a portion of the anti-malware software. Otherwise, the pre-installation scan and clean may be bypassed, allowing the installation of that portion of the anti-malware software. | 03-14-2013 |
| 20130061325 | Dynamic Cleaning for Malware Using Cloud Technology - A method for providing malware cleaning includes detecting potential malware on a first device connected to a network. A request including information to allow a second device connected to the network to determine an appropriate cleaning response is sent from the first device to the second device over the network. Upon receiving the request, the second device attempts to identify an appropriate cleaning response and, if a response is identified, sends the cleaning response over the network to the first device. The cleaning response is usable by the first device to address the detected potential malware. | 03-07-2013 |
| 20130061169 | COMPUTER SYSTEM SECURITY DASHBOARD - A computing system security dashboard is provided for presentation on a computer display device, the dashboard including a plurality of security view panes. Each security view pane, when expanded, presents a respective visualization of security conditions of a particular computing system. When the particular security view pane is collapsed it can hide at least a portion of particular visualizations of security conditions presented using the particular security view pane when expanded. The particular security view pane occupies a smaller area of the dashboard when collapsed than when expanded. A particular visual indicator is presented on the particular security view, at least when collapsed, summarizing at least a portion of the particular security conditions identified in the particular visualizations. A user interaction with the particular collapsed security view pane can prompt the particular security view pane to be expanded in area and present the particular visualizations. | 03-07-2013 |
| 20130060943 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR CONTROLLING NETWORK COMMUNICATIONS BASED ON POLICY COMPLIANCE - A policy management system, method and computer program product are provided. In use, information is received over a network relating to at least one subset of computers that are at least potentially out of compliance with a policy. Further, such information is sent to a plurality of the computers, utilizing the network. To this end, network communication involving the at least one subset of computers is capable of being controlled utilizing the information. | 03-07-2013 |
| 20130055369 | SYSTEM AND METHOD FOR DAY-ZERO AUTHENTICATION OF ACTIVEX CONTROLS - A system and method in one embodiment includes modules for verifying a digital signature of a Microsoft® ActiveX® control, identifying an executable file of the ActiveX control, authorizing the executable file as an updater configured to enable trust propagation, if the digital signature is from an authorized issuer, and installing the ActiveX control. More specific embodiments include hooking an exported function in the executable file and marking a thread calling the exported function as an updater. Hooking the exported function includes patching the executable function so that when the exported function is called during execution of the executable file, a second function is executed before the exported function is executed. Other embodiments include extracting a cabinet file wrapping the ActiveX control, parsing an information file in the cabinet file, and downloading additional components for installing the ActiveX control. | 02-28-2013 |
| 20130055365 | Credential Provider That Encapsulates Other Credential Providers - Systems, methods, and computer readable media for encapsulating multiple Windows® based credential providers (CPs) within a single wrapping CP are described. In general, CP credentials and fields from two or more encapsulated or wrapped CPs may be enumerated and aggregated in such a way that the order of fields from each CP is preserved, fields that may be used only once are identified and appear only once, and fields are given a new unique field identifier. The union of all such fields (minus duplicates of any one-use-only fields) may be used to generate a mapping so that the wrapping CP and CP credential may “pass-through” calls from the operating system's logon interface to the correct wrapped CP and CP credential. The disclosed techniques may be used, for example, to provide single sign-on functionality where a plurality of sign-on credentials may be used (e.g., user name/password and smart card PIN). | 02-28-2013 |
| 20130054748 | System, Method, and Computer Program Product for Receiving Security Content Utilizing a Serial Over Lan Connection - A system, method, and computer program product are provided for receiving security content utilizing a serial over LAN connection. In use, an unsuccessful attempt to connect to a network for accessing security content at a remote second device is indicated by a first device, where the unsuccessful attempt results from a malfunction at the first device. Further, the security content is received at the first device utilizing a serial over local area network (LAN) connection established with the remote second device, based on the indication. | 02-28-2013 |
| 20130031634 | SYSTEM AND METHOD FOR NETWORK-BASED ASSET OPERATIONAL DEPENDENCE SCORING - A system and method in one embodiment includes modules for identifying an asset with a vulnerability risk, identifying a service running on a port on the asset, identifying a connection to the port, calculating an operational dependence role of the asset as a function of the service and the connection, and modifying the vulnerability risk based on the operational dependence role. Other embodiments include identifying a protocol of a data packet at the port, classifying the protocol into a protocol category with a protocol importance score, calculating a connection average for the asset, classifying the connection average into a connection category with a connection score, and calculating a service dependence score. Other embodiments include calculating a host dependence score, assigning a data importance score to data communicated by the asset, and calculating the operational dependence role as a function of the host dependence score and data importance score. | 01-31-2013 |
| 20130031291 | SYSTEM AND METHOD FOR VIRTUAL PARTITION MONITORING - A method is provided in one example embodiment that includes rebasing a module in a virtual partition to load at a fixed address and storing a hash of a page of memory associated with the fixed address. An external handler may receive a notification associated with an event affecting the page. An internal agent within the virtual partition can execute a task and return results based on the task to the external handler, and a policy action may be taken based on the results returned by the internal agent. In some embodiments, a code portion and a data portion of the page can be identified and only a hash of the code portion is stored. | 01-31-2013 |
| 20130014020 | INDICATING WEBSITE REPUTATIONS DURING WEBSITE MANIPULATION OF USER INFORMATION - An aspect of the present invention relates to methods and systems involving receiving an indicator of an attempted interaction of a client computing facility with an item of content associated with a website and presenting an indicator of reputation to a client computing facility attempting to interact with the web content. The indicator of reputation may be based at least in part upon whether an entity associated with the web content seeks to manipulate a user in order to obtain information from the user. | 01-10-2013 |
| 20120324569 | RULE COMPILATION IN A FIREWALL - A firewall system comprises a rule compiler operable to use florets and factoring to produce a rule data structure that enables a rules engine to apply a rule from a rule set in phases, including rules applicable during a first scan with second factors not available and rules applicable during a second scan such that only the second factors need be applied. | 12-20-2012 |
| 20120324526 | SYSTEM AND METHOD FOR LIMITING DATA LEAKAGE - System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer. | 12-20-2012 |
| 20120311708 | SYSTEM AND METHOD FOR NON-SIGNATURE BASED DETECTION OF MALICIOUS PROCESSES - Systems and methods for detecting malicious processes in a non-signature based manner are disclosed. The system and method may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plurality of process categories. | 12-06-2012 |
| 20120311705 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PRESENTING AN INDICIA OF RISK REFLECTING AN ANALYSIS ASSOCIATED WITH SEARCH RESULTS WITHIN A GRAPHICAL USER INTERFACE - A system, method, and computer program product comprise presenting a plurality of search results within a graphical user interface. Further, an indicia of risk is presented that reflects an analysis in association with at least one of the plurality of search results within the graphical user interface. | 12-06-2012 |
| 20120271890 | Systems And Methods For Classification Of Messaging Entities - Methods and systems for operation upon one or more data processors for assigning a reputation to a messaging entity. A method can include receiving data that identifies one or more characteristics related to a messaging entity's communication. A reputation score is determined based upon the received identification data. The determined reputation score is indicative of reputation of the messaging entity. The determined reputation score is used in deciding what action is to be taken with respect to a communication associated with the messaging entity. | 10-25-2012 |
| 20120270523 | SYSTEM AND METHOD FOR CONTROLLING MOBILE DEVICE ACCESS TO A NETWORK - The method may include intercepting a data stream from the mobile device attempting to access the network resource, extracting information from the intercepted data stream relating to at least one of the mobile device or a user of the mobile device, accessing at least one of enterprise service based information and third party information regarding at least one of the mobile device or the user of the mobile device, determining whether the mobile device is authorized to access the network resource, preparing an access decision that specifies whether the mobile device is authorized to access the network resource, and storing the access decision in a database on the network. | 10-25-2012 |
| 20120270522 | SYSTEM AND METHOD FOR CONTROLLING MOBILE DEVICE ACCESS TO A NETWORK - The method may include intercepting a data stream from the mobile device attempting to access the network resource, extracting information from the intercepted data stream relating to at least one of the mobile device or a user of the mobile device, accessing at least one of enterprise service based information and third party information regarding at least one of the mobile device or the user of the mobile device, determining whether the mobile device is authorized to access the network resource, preparing an access decision that specifies whether the mobile device is authorized to access the network resource, and storing the access decision in a database on the network. | 10-25-2012 |
| 20120260101 | ENCRYPTION OF MEMORY DEVICE WITH WEAR LEVELING - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for encryption of a memory device with wear leveling. In one aspect, a method includes accessing an address map of the memory device, the address map referencing first memory locations and second memory locations of the memory device, wherein the first memory locations store data that are to be encrypted by a full disk encryption operation on the memory device; designating the second memory locations as being encrypted without performing an encryption operation on the second memory locations; and encrypting only the data stored in the first memory locations of the memory device so that the data of the first memory locations and the second memory locations are designated as being disk encrypted. | 10-11-2012 |
| 20120255031 | SYSTEM AND METHOD FOR SECURING MEMORY USING BELOW-OPERATING SYSTEM TRAPPING - In one embodiment, a system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more portions of memory for which attempted accesses will be trapped and comprising criteria by which the attempted access will be trapped, trap an attempted access of the memory that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. | 10-04-2012 |
| 20120255021 | SYSTEM AND METHOD FOR SECURING AN INPUT/OUTPUT PATH OF AN APPLICATION AGAINST MALWARE WITH A BELOW-OPERATING SYSTEM SECURITY AGENT - A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, an input-output (I/O) device of the electronic device coupled to the operating system; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the I/O device. The security agent may be further configured to: (i) trap, at a level below all of the operating systems of the electronic device accessing an input/output (I/O) device, an attempted access of a facility for I/O operation with the I/O device; and (ii) using one or more security rules, analyze the attempted access to determine whether the attempted access is indicative of malware. | 10-04-2012 |
| 20120255018 | SYSTEM AND METHOD FOR SECURING MEMORY AND STORAGE OF AN ELECTRONIC DEVICE WITH A BELOW-OPERATING SYSTEM SECURITY AGENT - A security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory or a storage of the electronic device may be further configured to: (i) access one or more security rules to determine a criteria by which an attempted access involving a transfer of content between the memory and the storage of an electronic device will be trapped; (ii) if the criteria is met, trap, at a level below all of the operating systems of the electronic device, attempted access of data between memory and storage of an electronic device; and (iii) analyze, at a level below all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware | 10-04-2012 |
| 20120255017 | SYSTEM AND METHOD FOR PROVIDING A SECURED OPERATING SYSTEM EXECUTION ENVIRONMENT - In one embodiment, a system for launching a security architecture includes an electronic device comprising a processor and one or more operating systems, a security agent, and a launching module. The launching module comprises a boot manager and a secured launching agent. The boot manager is configured to boot the secured launching agent before booting the operating systems, and the secured launching agent is configured to load a security agent. The security agent is configured to execute at a level below all operating systems of the electronic device, intercept a request to access a resource of the electronic device, the request originating from the operational level of one of one or more operating systems of the electronic device, and determine if a request is indicative of malware. In some embodiments, the secured launching agent may be configured to determine whether the security agent is infected with malware prior to loading the security agent. | 10-04-2012 |
| 20120255016 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM PROTECTION OF AN OPERATING SYSTEM KERNEL - A below-operating system security agent may be configured to: (i) trap attempted accesses to the components of the operating system and the set of drivers executing on the electronic device; (ii) in response to trapping an attempted access, compare contextual information associated with the attempted access to an access map; and (iii) determine if the attempted access is trusted based on the comparison. The access map may be generated by: (i) trapping, at a level below all of the operating systems of a second electronic device accessing components of the second operating system and the second set of drivers executing on the second electronic device and each substantially free of malware, accesses to components of the second operating system and the second set of drivers executing on the second electronic device; and (ii) in response to trapping the accesses, recording contextual information regarding the accesses to the access map. | 10-04-2012 |
| 20120255014 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REPAIR OF RELATED MALWARE-INFECTED THREADS AND RESOURCES - A security agent may be configured to: (i) execute on an electronic device at a level below all of the operating systems of the electronic device accessing a memory or processor resources of the electronic device; (ii) trap attempted accesses to the memory or the processor resources associated with function calls for thread synchronization objects associated with creation, suspension, or termination of one thread by another thread; (iii) in response to trapping each attempted access, record information associated with the attempted access in a history, the information including one or more identities of threads associated with the attempted access; (iv) determine whether a particular thread is affected by malware; and (iv) in response to a determining that the particular thread is affected by malware, analyze information in the history associated with the particular memory location or processor resource to determine one or more threads related to the particular thread. | 10-04-2012 |
| 20120255013 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM MODIFICATION OF MALICIOUS CODE ON AN ELECTRONIC DEVICE - A system for securing an electronic device, may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to detect presence of malicious code, and in response to detecting presence of the malicious code, modify the malicious code. | 10-04-2012 |
| 20120255012 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REGULATION AND CONTROL OF SELF-MODIFYING CODE - A system for securing an electronic device may include a memory, a processor; one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location. | 10-04-2012 |
| 20120255011 | SYSTEMS AND METHODS FOR IDENTIFYING HIDDEN PROCESSES - A security module may be configured to execute on the electronic device at a level below all of the operating systems of an electronic device accessing the one or more system resources. The security module may be configured to: trap one or more attempts to access system resources of the electronic device, the one or more attempts made from a less privileged ring of execution than the first security module; record information identifying one or more processes attempting to access the system resources of the electronic device; compare the information identifying one or more processes attempting to access the system resources with the enumerated one or more processes visible to the operating system; and based on the comparison, determine one or more hidden processes, the hidden processes determined by at least identifying processes whose information was recorded by first security module but were not enumerated by the second security module. | 10-04-2012 |
| 20120255010 | SYSTEM AND METHOD FOR FIRMWARE BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a non-volatile memory, a processor coupled to the non-volatile memory, a resource of the electronic device, firmware residing in the non-volatile memory and executed by the processor, and a firmware security agent residing in the firmware. The firmware is communicatively coupled to the resource of an electronic device. The firmware security agent is configured to, at a level below all of the operating systems of the electronic device accessing the resource, intercept a request for the resource and determine whether the request is indicative of malware. | 10-04-2012 |
| 20120255004 | SYSTEM AND METHOD FOR SECURING ACCESS TO SYSTEM CALLS - In one embodiment, a system for securing access to system calls includes a memory, an operating system configured to execute on an electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources associated with a system call for which attempted accesses will be trapped, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is authorized, and operate at a level below all of the operating systems of the electronic device accessing the one or more resources associated with a system call. | 10-04-2012 |
| 20120255003 | SYSTEM AND METHOD FOR SECURING ACCESS TO THE OBJECTS OF AN OPERATING SYSTEM - In one embodiment, a system for protecting an electronic device against malware includes an object-oriented operating system configured to execute on the electronic device and a below-operating-system security agent. The below-operating-system security agent may be configured to trap an attempted access of an object manager of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device. In some embodiments, the below-operating-system security agent may determine whether the attempted access is indicative of malware by comparing the attempted access to a behavioral state map to determine if the attempted access represents behavior associated with malware. | 10-04-2012 |
| 20120255002 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER LOADING AND UNLOADING - A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of one or more resources of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, operate at a level below all of the operating systems of the electronic device accessing the one or more resources. The attempted access includes an attempted loading or unloading of a driver in the operating system. | 10-04-2012 |
| 20120255001 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER FILTER ATTACHMENT - A system for protecting an electronic system against malware includes an operating system configured to execute on the electronic device, a driver coupled to the operating system, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources for changing filters of the driver, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic system accessing the one or more resources for changing filters of the driver. | 10-04-2012 |
| 20120255000 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING OF INTERDRIVER COMMUNICATION - In one embodiment, a system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access by a first driver of the operating system of a second driver of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the second driver. | 10-04-2012 |
| 20120254999 | SYSTEMS AND METHOD FOR REGULATING SOFTWARE ACCESS TO SECURITY-SENSITIVE PROCESSOR RESOURCES - A method for protecting an electronic device against malware includes consulting one or more security rules to determine a processor resource to protect, in a module below the level of all operating systems of the electronic device, intercepting an attempted access of the processor resource, accessing a processor resource control structure to determine a criteria by which the attempted access will be trapped, trapping the attempted access if the criteria is met, and consulting the one or more security rules to determine whether the attempted access is indicative of malware. The attempted access originates from the operational level of one of one or more operating systems of the electronic device | 10-04-2012 |
| 20120254995 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING LOADING OF CODE INTO MEMORY - A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of a resource of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. The attempted access includes attempting to write instructions to the memory and attempting to execute the instructions. | 10-04-2012 |
| 20120254994 | SYSTEM AND METHOD FOR MICROCODE BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a processor comprising microcode, a resource coupled to the processor, and a microcode security agent embodied the microcode. The microcode security agent is configured to intercept a communication and determine whether the communication is indicative of malware. The communication includes a request made of the resource or information generated from the resource. | 10-04-2012 |
| 20120254993 | SYSTEM AND METHOD FOR VIRTUAL MACHINE MONITOR BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a memory, a processor, one or more operating systems residing in the memory for execution by the processor, a resource of the electronic device communicatively coupled to the operating system, a virtual machine monitor configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the resource, and a security agent configured to execute on the electronic device at a level below all operating systems of the electronic device accessing the resource. The virtual machine monitor is configured to intercept a request of the resource made from a level above the virtual machine monitor and inform the security agent of the request. The security agent is configured to determine whether the request is indicative of malware. | 10-04-2012 |
| 20120254982 | SYSTEM AND METHOD FOR PROTECTING AND SECURING STORAGE DEVICES USING BELOW-OPERATING SYSTEM TRAPPING - In one embodiment, a system for securing a storage device includes an electronic device comprising a processor, a storage device communicatively coupled to the processor, and a security agent. The security agent is configured to execute at a level below all of the operating systems of the electronic device, intercept a request to access the storage device, identify a requesting entity responsible for initiating the request, and utilize one or more security rules to determine if the request from the requesting entity is authorized. In some embodiments, the security agent is configured to determine whether the request involves a protected area of the storage device. If the request involves a protected area of the storage device, the security agent may be configured to allow the request if the requesting entity is authorized to access the protected area of the storage device. | 10-04-2012 |
| 20120216248 | ADJUSTING FILTER OR CLASSIFICATION CONTROL SETTINGS - Methods and systems for managing data communications are described. The method includes receiving a data communication; analyzing the data communication to determine a particular type of sender or recipient activity associated with the data communication based at least in part on an application of a plurality of tests to the data communication; assigning a total risk level to the data communication based at least in part on one or more risks associated with the particular type of sender or recipient activity and a tolerance for each of the one or more risks; comparing the total risk level assigned to the data communication with a maximum total acceptable level of risk; and allowing the data communication to be delivered to a recipient in response to the comparison indicating that the total risk level assigned to the data communication does not exceed the maximum total acceptable level of risk. | 08-23-2012 |
| 20120216190 | On Demand Scan Engine Deployment - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for on-demand scan engine deployment. In one aspect, a method includes obtaining parameters of a scheduled scan, the parameters defining computer assets to be scanned and performance requirements. The method includes obtaining historical data describing prior scans that were performed according to similar parameters. The method includes determining performance measures of the prior scans using the historical data. The method includes calculating resource requirements based on the parameters and the performance measures, the resource requirements being requirements that are determined to be needed to meet the performance requirements of the scheduled scan. The method includes determining a number of scan engines required to meet the performance requirements based on the resource scan requirements. The method includes adjusting a number of scan engines in virtual machines so that the number of scan engines are available. | 08-23-2012 |
| 20120204265 | Systems and Methods For Message Threat Management - The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features arc extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules, in some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within ah acceptable margin of error. The hues are then propagated to one or more application layer security systems. | 08-09-2012 |
| 20120198554 | Obfuscated Malware Detection - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes identifying call instructions in a binary executable; executing the call instruction; executing instructions subsequent to a target of the call instruction; determining that an address identified by a stack pointer is different from the return address; in response to the determination that the address is different, determining if there is a non-obfuscation signal; if there is a non-obfuscation signal, identifying the call instruction as a non-obfuscated call instruction; if there is not a non-obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; determining whether the call instructions identified as possibly obfuscated call instructions exceeds a threshold; in response to the determination that the call instructions identified as possibly obfuscated call instructions exceeds the threshold, identifying the executable as an obfuscated executable. | 08-02-2012 |
| 20120174219 | IDENTIFYING MOBILE DEVICE REPUTATIONS - Methods and systems for operation upon one or more data processors for assigning a reputation to a messaging entity by analyzing the attributes of the entity, correlating the attributes with known attributes to define relationships between entities sharing attributes, and attributing a portion of the reputation of one related entity to the reputation of the other related entity. | 07-05-2012 |
| 20120144486 | METHOD AND SYSTEM FOR PROTECTING AGAINST UNKNOWN MALICIOUS ACTIVITIES BY DETECTING A HEAP SPRAY ATTACK ON AN ELECTRONIC DEVICE - A method and system for protecting against unknown malicious activities by detecting a heap spray attack on a electronic device are disclosed. A script is received at an electronic device from a remote device via a network and a loop operation is detected in the script that contains a write operation operable to write data to a memory of the electronic device. The amount of the data operable to be written to the memory by the write operation is determined and the data is prevented from being written to the memory if the amount of the data is greater than or equal to a threshold. | 06-07-2012 |
| 20120144030 | Probe Election In Failover Configuration - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for allocating probing responsibilities between a primary sensor and a secondary sensor. In one aspect, a method includes determining a first probe type, the first probe type being the probe type of the highest priority information probe for which a reply from the host device was received at the primary sensor, determining a second probe type, the second probe type being the probe type of the highest priority information probe for which a reply from the host device was received at the secondary sensor, determining whether the second probe type is prioritized higher than the first probe type, and allocating probing responsibilities between the primary sensor and the second sensor based on the prioritization of the first probe type and the second probe type. | 06-07-2012 |
| 20120110672 | SYSTEMS AND METHODS FOR CLASSIFICATION OF MESSAGING ENTITIES - Methods and systems for operation upon one or more data processors for biasing a reputation score. A communication having data that identifies a plurality of biasing characteristics related to a messaging entity associated with the communication is received. The identified plurality of biasing characteristics related to the messaging entity associated with the communication based upon a plurality of criteria are analyzed, and a reputation score associated with the messaging entity is biased based upon the analysis of the identified plurality of biasing characteristics related to the messaging entity associated with the communication. | 05-03-2012 |
| 20120102568 | SYSTEM AND METHOD FOR MALWARE ALERTING BASED ON ANALYSIS OF HISTORICAL NETWORK AND PROCESS ACTIVITY - A method for malware protection includes receiving detection information for detecting malware on an electronic device, accessing historical information of an electronic device, comparing the detection information to the historical information, and based on the comparison of the detection information with the historical information, alerting a user of the electronic device of risks of malware evidenced by the historical information. Comparing detection information to historical information includes determining that information from a first category of historical information is associated with a source of malware, cross-referencing information from a second category of historical information to the information from the first category, and associating the information from the second category with the malware. | 04-26-2012 |
| 20120102545 | METHOD AND SYSTEM FOR PROTECTING AGAINST UNKNOWN MALICIOUS ACTIVITIES BY DETERMINING A REPUTATION OF A LINK - A method and system for protecting against unknown malicious activities by determining a reputation of a link are disclosed. A reputation server queries a database including reputation information associated with a plurality of links to retrieve a reputation of a redirected link. The reputation information may indicate whether the links are associated with a malicious activity. The reputation of the redirected link may be associated with the original link to create a reputation of the original link. | 04-26-2012 |
| 20120084441 | PRIORITIZING NETWORK TRAFFIC - Methods, systems and apparatus, including computer programs encoded on a computer storage medium, for receiving, at a global server system, from each of a plurality of local network devices, network data specifying network communication activity at the local network device, wherein the plurality of local network devices collectively provide backbone communications facilities for multiple networks; aggregating, at the global server system, the network data from each of the local network devices; analyzing, at the global server system, the aggregated network data to identify network activities; generating, at the global server system, update data based on the analysis of the aggregated network data, the update data including instructions for the local network devices for processing network communications to or from the local network devices; and transmitting from the global server system the update data to the local network devices. | 04-05-2012 |
| 20120060217 | ATOMIC DETECTION AND REPAIR OF KERNEL MEMORY - A method for detecting memory modifications includes allocating a contiguous block of a memory of an electronic device, and loading instructions for detecting memory modifications into the contiguous block of memory. The electronic device includes a plurality of processing entities. The method also includes disabling all but one of a plurality of processing entities of the electronic device, scanning the memory of the electronic device for modifications performed by malware, and, if a memory modification is detected, repairing the memory modification. The method also includes enabling the processing entities that were disabled. The remaining processing entity executes the instructions for detecting memory modifications. | 03-08-2012 |
| 20120047259 | WEB HOSTED SECURITY SYSTEM COMMUNICATION - A distributed proxy server system is operable to receive a request for Internet data from a user, obtain the user's identity, store at least one cookie on the user's web browser identifying the user, and filter undesired content before forwarding requested Internet data to the user. A master cookie is associated with the proxy server including user identity information, and an injected domain cookie is associated with the domain of the requested Internet data including user identity information. | 02-23-2012 |
| 20120023583 | SYSTEM AND METHOD FOR PROACTIVE DETECTION OF MALWARE DEVICE DRIVERS VIA KERNEL FORENSIC BEHAVIORAL MONITORING AND A BACK-END REPUTATION SYSTEM - A method for detecting malware device drivers includes the steps of identifying one or more device drivers loaded on an electronic device, analyzing the device drivers to determine suspicious device drivers, accessing information about the suspicious device drivers in a reputation system, and evaluating whether the suspicious device driver include malware. The suspicious device drivers are not recognized as not including malware. The reputation system is configured to store information about suspicious device drivers. The evaluation is based upon historical data regarding the suspicious device driver. | 01-26-2012 |
| 20120017274 | WEB SCANNING SITE MAP ANNOTATION - A computerized website vulnerability scanner includes a scanning module operable to navigate through a website and scan the website for vulnerabilities, and an annotation module operable to present a map of web pages comprising a part of the website. The annotation module is also operable to receive annotations from a user that are associated with the web pages, and the scanning module is further operable to use the user-provided annotations in subsequently scanning the website. | 01-19-2012 |
| 20120011252 | PRIORITIZING NETWORK TRAFFIC - Methods and systems for operation upon one or more data processors for prioritizing transmission among a plurality of data streams based upon a classification associated with the data packets associated with each of the plurality of data streams, respectively. Systems and methods can operate to allocate bandwidth to priority data streams first and recursively allocate remaining bandwidth to lesser priority data streams based upon the priority associated with those respective lesser priority data streams. | 01-12-2012 |
| 20110321160 | SYSTEMS AND METHODS TO DETECT MALICIOUS MEDIA FILES - Systems and method to detect malicious media file are described. In one example, an apparatus including a network connection, a memory, and a programmable processor communicatively coupled to the memory is discussed. The memory can include instructions, which when executed by the programmable processor cause the apparatus to receive a data stream from the network connection and detect at least a portion of a media file within the data stream. The instructions can also cause the apparatus to determine a file type of the media file and extract the media file from the data stream. Further, the instructions cause the apparatus to parse the media file to location a suspicious tag, extract an embedded URL from the suspicious tag, determine with the embedded URL is malicious, and block the media file if the embedded URL is malicious. | 12-29-2011 |
| 20110314545 | METHOD AND SYSTEM FOR AUTOMATIC INVARIANT BYTE SEQUENCE DISCOVERY FOR GENERIC DETECTION - A method for creating a set of genericized signatures for detection of byte sequences in computer code includes accessing a first set of sample signatures, determining a maximum number of wildcards that a wildcarded signature may comprise, determining a first wildcarded signature corresponding to the first set of sample signatures, evaluating the first wildcarded signature, and repeating the steps of evaluating for any second wildcarded signatures. Each of the signatures corresponds to an instance of malware. The evaluation further includes if the number of wildcards in the first wildcarded signature exceeds the maximum number of wildcards, determining a plurality of second wildcarded signatures corresponding to a plurality of subsets of the set of sample signatures. The evaluation further includes if the number of wildcards in the first wildcarded signature is less than or equal to the maximum number of wildcards, adding the first wildcarded signature to a set of genericized signatures. | 12-22-2011 |
| 20110296519 | REPUTATION BASED CONNECTION CONTROL - Methods and systems for operation upon one or more data processors for reputation based firewall processing of communications. The reputation based firewall processing includes receiving a communication identifying an entity, retrieving the reputation of the entity identified by the communication, and handling the communication based upon the retrieved reputation. | 12-01-2011 |
| 20110296164 | SYSTEM AND METHOD FOR PROVIDING SECURE NETWORK SERVICES - A system and method for providing secure network services. A secure computer including a processor, a memory, and a secure operating system is discussed. The secure operating system includes an operational kernel and an administrative kernel. The operational kernel includes a Type Enforcement security mechanism for restricting execution of files stored in the memory by the processor. The execution restrictions placed on files in the memory of the secure computer can only be modified from within the administrative kernel. | 12-01-2011 |
| 20110283358 | METHOD AND SYSTEM TO DETECT MALWARE THAT REMOVES ANTI-VIRUS FILE SYSTEM FILTER DRIVER FROM A DEVICE STACK - A method for detecting removal of a filter driver includes performing an operation on an element of a kernel mode of an operating system, the operation initiated by a user mode entity, obtaining the result of performing the operation, and comparing the result of performing the operation against an expected result of the operation. If the result of performing the operation matches the expected result of the operation, it is determined that a file system filter driver in the kernel mode of the operating system is working correctly. If the result of performing the operation does not match the expected result of the operation, it is determined that a file system filter driver in the kernel mode of the operating system has been compromised by malware. | 11-17-2011 |
| 20110280160 | VoIP Caller Reputation System - Methods and systems for collecting data from a plurality of voice over Internet protocol (VoIP) calls and determining at least one attribute for each of the plurality of calls. Relationships between the VoIP calls based on the determined attributes are identified, and a reputation score is assigned to a first entity based on the identified relationships. A call policy is associated with a caller reputation profile based on the reputation score. | 11-17-2011 |
| 20110277035 | Detection of Malicious System Calls - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting malicious system calls. In one aspect, a method includes monitoring a function vulnerable to a buffer overflow attack; receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function; identifying a first critical memory address vulnerable to the buffer overflow attack comprising: determining the first critical memory address based on a base pointer of the one or more base pointers, wherein the base pointer address is greater than an address of the destination buffer; identifying a first address based on the base pointer of the one or more base pointers; and determining that the first address is a critical memory address in response to the first memory address is greater than the address of the destination buffer. | 11-10-2011 |
| 20110277033 | Identifying Malicious Threads - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for identifying and processing malicious threads In one aspect, a method includes identifying a memory heap block; identifying threads that reside in the memory heap block; determining whether at least one of the identified threads in the memory heap block is a malicious thread; and in response to determining that at least one of the identified threads is a malicious thread, terminating each of the identified threads | 11-10-2011 |
| 20110277031 | Token Processing - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for mapping security processing rules into a data structure that facilitates a more efficient processing of the security processing rules. In one aspect, a method includes receiving security processing rules, each of the security processing rules defining one or more security checks and security operations corresponding to the security checks and that are to be performed when the security checks occur; and generating from the security processing rules a mapping of security checks to security operations, the mapping including a security check entry for each security check that is defined in one or more of the security processing rules, and each security check entry being mapped to one or more security operations that the security processing rules define as corresponding to the security check. | 11-10-2011 |
| 20110219448 | SYSTEMS AND METHODS FOR RISK RATING AND PRO-ACTIVELY DETECTING MALICIOUS ONLINE ADS - Methods and systems for risk rating and pro-actively detecting malicious online ads are described. In one example embodiment, a system for risk rating and pro-actively detecting malicious online ads includes an extraction module, an analysis engine, and a filter module. The extraction module is configured to extract a SWF file from a web page downloaded by the system. The analysis engine is communicatively coupled to the extraction module. The analysis engine is configured to determine a risk rating for the SWF file and send the risk rating to a web application for display. In an example, determining the risk rating includes locating an embedded redirection URL and determining a risk rating for the embedded redirection URL. The filter module is configured to determine, based on the risk rating, whether to block the SWF file and send a warning to the web application for display. | 09-08-2011 |
| 20110219002 | METHOD AND SYSTEM FOR DISCOVERING LARGE CLUSTERS OF FILES THAT SHARE SIMILAR CODE TO DEVELOP GENERIC DETECTIONS OF MALWARE - A computer-implemented method for determining similarities between system executable objects includes the steps of determining with one or more computing systems a plurality of subsequences of operation codes in a plurality of disassembled system executable objects, for each subsequence, determining with the one or more computing systems a first set of system executable objects associated with the subsequence, with the computing systems, clustering the first set of system executable objects with a cluster. The cluster includes a set of system executable objects. The step of clustering the first set of system executable objects and the cluster includes the steps of determining with the computing systems the relative similarity between the first set of system executable objects and the cluster, and if the first set of system executable objects is similar to the cluster, adding with the computing systems the system executable objects to the cluster. | 09-08-2011 |
