| Patent application number | Description | Published |
|---|---|---|
20110185423 | METHOD AND SYSTEM FOR DETECTION OF MALWARE THAT CONNECT TO NETWORK DESTINATIONS THROUGH CLOUD SCANNING AND WEB REPUTATION - A method for detecting malware includes the steps of identifying one or more open network connections of an electronic device, associating one or more executable objects on the electronic device with the one or more open network connections of the electronic device, determining the address of a first network destination that is connected to the open network connections of the electronic device, receiving an evaluation of the first network destination, and identifying one or more of the executable objects as malware executable objects. The evaluation includes an indication that the first network destination is associated with malware. The malware executable objects include the executable objects that are associated with the open network connections that are connected to the first network destination. | 07-28-2011 |
20110185424 | SYSTEM AND METHOD FOR PROACTIVE DETECTION AND REPAIR OF MALWARE MEMORY INFECTION VIA A REMOTE MEMORY REPUTATION SYSTEM - A method for detecting malware memory infections includes the steps of scanning a memory on an electronic device, determining a suspicious entry present in the memory, accessing information about the suspicious entry in a reputation system, and evaluating whether the suspicious entry indicates a malware memory infection. The memory includes memory known to be modified by malware. The suspicious entry is not recognized as a safe entry. The reputation system is configured to store information on suspicious entries. The evaluation is based upon historical data regarding the suspicious entry. | 07-28-2011 |
20110185428 | METHOD AND SYSTEM FOR PROTECTION AGAINST UNKNOWN MALICIOUS ACTIVITIES OBSERVED BY APPLICATIONS DOWNLOADED FROM PRE-CLASSIFIED DOMAINS - A method for monitoring an application includes the steps of detecting the download of an application that originates from a website, identifying the domain of the website, and querying a database to select one or more behavioral analysis rules to apply to the application. The behavioral analysis rules are selected based upon an evaluation of the domain of the website. The evaluation of the domain of the website indicates a possible association with malware. | 07-28-2011 |
20110185429 | METHOD AND SYSTEM FOR PROACTIVE DETECTION OF MALICIOUS SHARED LIBRARIES VIA A REMOTE REPUTATION SYSTEM - A method for proactively detecting shared libraries suspected of association with malware includes the steps of determining one or more shared libraries loaded on an electronic device, determining that one or more of the shared libraries include suspicious shared libraries by determining that the shared library is associated with indications that the shared library may have been maliciously injected, loaded, and/or operating on the electronic device, and identifying the suspicious shared libraries to a reputation server. | 07-28-2011 |
20110185430 | METHOD AND SYSTEM FOR DISCRETE STATEFUL BEHAVIORAL ANALYSIS - A method for analyzing a computing system includes the steps of at a first moment in time, scanning the resources of the computing system for indications of malware, at a second moment in time scanning the resources of the computing system for indications of malware and determining the system executable objects loaded on the computing system, determining malware system changes, identifying a relationship between the malware system changes and the system executable objects loaded on the computing system, and identifying as suspected malware the system executable objects loaded on the computing system which have a relationship with the malware system changes. The malware system changes include differences between the results of scanning the resources of the computing system for indications of malware at the second and first moment of time. | 07-28-2011 |
20120023583 | SYSTEM AND METHOD FOR PROACTIVE DETECTION OF MALWARE DEVICE DRIVERS VIA KERNEL FORENSIC BEHAVIORAL MONITORING AND A BACK-END REPUTATION SYSTEM - A method for detecting malware device drivers includes the steps of identifying one or more device drivers loaded on an electronic device, analyzing the device drivers to determine suspicious device drivers, accessing information about the suspicious device drivers in a reputation system, and evaluating whether the suspicious device drivers include malware. The suspicious device drivers are not recognized as not including malware. The reputation system is configured to store information about suspicious device drivers. The evaluation is based upon historical data regarding the suspicious device driver. | 01-26-2012 |
20120060217 | ATOMIC DETECTION AND REPAIR OF KERNEL MEMORY - A method for detecting memory modifications includes allocating a contiguous block of a memory of an electronic device, and loading instructions for detecting memory modifications into the contiguous block of memory. The electronic device includes a plurality of processing entities. The method also includes disabling all but one of a plurality of processing entities of the electronic device, scanning the memory of the electronic device for modifications performed by malware, and, if a memory modification is detected, repairing the memory modification. The method also includes enabling the processing entities that were disabled. The remaining processing entity executes the instructions for detecting memory modifications. | 03-08-2012 |
20120254982 | SYSTEM AND METHOD FOR PROTECTING AND SECURING STORAGE DEVICES USING BELOW-OPERATING SYSTEM TRAPPING - In one embodiment, a system for securing a storage device includes an electronic device comprising a processor, a storage device communicatively coupled to the processor, and a security agent. The security agent is configured to execute at a level below all of the operating systems of the electronic device, intercept a request to access the storage device, identify a requesting entity responsible for initiating the request, and utilize one or more security rules to determine if the request from the requesting entity is authorized. In some embodiments, the security agent is configured to determine whether the request involves a protected area of the storage device. If the request involves a protected area of the storage device, the security agent may be configured to allow the request if the requesting entity is authorized to access the protected area of the storage device. | 10-04-2012 |
20120254993 | SYSTEM AND METHOD FOR VIRTUAL MACHINE MONITOR BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a memory, a processor, one or more operating systems residing in the memory for execution by the processor, a resource of the electronic device communicatively coupled to the operating system, a virtual machine monitor configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the resource, and a security agent configured to execute on the electronic device at a level below all operating systems of the electronic device accessing the resource. The virtual machine monitor is configured to intercept a request of the resource made from a level above the virtual machine monitor and inform the security agent of the request. The security agent is configured to determine whether the request is indicative of malware. | 10-04-2012 |
20120254994 | SYSTEM AND METHOD FOR MICROCODE BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a processor comprising microcode, a resource coupled to the processor, and a microcode security agent embodied in the microcode. The microcode security agent is configured to intercept a communication and determine whether the communication is indicative of malware. The communication includes a request made of the resource or information generated from the resource. | 10-04-2012 |
20120254995 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING LOADING OF CODE INTO MEMORY - A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of a resource of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. The attempted access includes attempting to write instructions to the memory and attempting to execute the instructions. | 10-04-2012 |
20120254999 | SYSTEMS AND METHOD FOR REGULATING SOFTWARE ACCESS TO SECURITY-SENSITIVE PROCESSOR RESOURCES - A method for protecting an electronic device against malware includes consulting one or more security rules to determine a processor resource to protect, in a module below the level of all operating systems of the electronic device, intercepting an attempted access of the processor resource, accessing a processor resource control structure to determine a criteria by which the attempted access will be trapped, trapping the attempted access if the criteria is met, and consulting the one or more security rules to determine whether the attempted access is indicative of malware. The attempted access originates from the operational level of one of one or more operating systems of the electronic device. | 10-04-2012 |
20120255000 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING OF INTERDRIVER COMMUNICATION - In one embodiment, a system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access by a first driver of the operating system of a second driver of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the second driver. | 10-04-2012 |
20120255001 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER FILTER ATTACHMENT - A system for protecting an electronic system against malware includes an operating system configured to execute on the electronic device, a driver coupled to the operating system, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources for changing filters of the driver, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic system accessing the one or more resources for changing filters of the driver. | 10-04-2012 |
20120255002 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER LOADING AND UNLOADING - A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of one or more resources of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, operate at a level below all of the operating systems of the electronic device accessing the one or more resources. The attempted access includes an attempted loading or unloading of a driver in the operating system. | 10-04-2012 |
20120255003 | SYSTEM AND METHOD FOR SECURING ACCESS TO THE OBJECTS OF AN OPERATING SYSTEM - In one embodiment, a system for protecting an electronic device against malware includes an object-oriented operating system configured to execute on the electronic device and a below-operating-system security agent. The below-operating-system security agent may be configured to trap an attempted access of an object manager of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device. In some embodiments, the below-operating-system security agent may determine whether the attempted access is indicative of malware by comparing the attempted access to a behavioral state map to determine if the attempted access represents behavior associated with malware. | 10-04-2012 |
20120255004 | SYSTEM AND METHOD FOR SECURING ACCESS TO SYSTEM CALLS - In one embodiment, a system for securing access to system calls includes a memory, an operating system configured to execute on an electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources associated with a system call for which attempted accesses will be trapped, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is authorized, and operate at a level below all of the operating systems of the electronic device accessing the one or more resources associated with a system call. | 10-04-2012 |
20120255010 | SYSTEM AND METHOD FOR FIRMWARE BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a non-volatile memory, a processor coupled to the non-volatile memory, a resource of the electronic device, firmware residing in the non-volatile memory and executed by the processor, and a firmware security agent residing in the firmware. The firmware is communicatively coupled to the resource of an electronic device. The firmware security agent is configured to, at a level below all of the operating systems of the electronic device accessing the resource, intercept a request for the resource and determine whether the request is indicative of malware. | 10-04-2012 |
20120255011 | SYSTEMS AND METHODS FOR IDENTIFYING HIDDEN PROCESSES - A security module may be configured to execute on the electronic device at a level below all of the operating systems of an electronic device accessing the one or more system resources. The security module may be configured to: trap one or more attempts to access system resources of the electronic device, the one or more attempts made from a less privileged ring of execution than the first security module; record information identifying one or more processes attempting to access the system resources of the electronic device; compare the information identifying one or more processes attempting to access the system resources with the enumerated one or more processes visible to the operating system; and based on the comparison, determine one or more hidden processes, the hidden processes determined by at least identifying processes whose information was recorded by the first security module but were not enumerated by the second security module. | 10-04-2012 |
20120255012 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REGULATION AND CONTROL OF SELF-MODIFYING CODE - A system for securing an electronic device may include a memory, a processor; one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location. | 10-04-2012 |
20120255013 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM MODIFICATION OF MALICIOUS CODE ON AN ELECTRONIC DEVICE - A system for securing an electronic device, may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to detect presence of malicious code, and in response to detecting presence of the malicious code, modify the malicious code. | 10-04-2012 |
20120255014 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REPAIR OF RELATED MALWARE-INFECTED THREADS AND RESOURCES - A security agent may be configured to: (i) execute on an electronic device at a level below all of the operating systems of the electronic device accessing a memory or processor resources of the electronic device; (ii) trap attempted accesses to the memory or the processor resources associated with function calls for thread synchronization objects associated with creation, suspension, or termination of one thread by another thread; (iii) in response to trapping each attempted access, record information associated with the attempted access in a history, the information including one or more identities of threads associated with the attempted access; (iv) determine whether a particular thread is affected by malware; and (v) in response to determining that the particular thread is affected by malware, analyze information in the history associated with the particular memory location or processor resource to determine one or more threads related to the particular thread. | 10-04-2012 |
20120255016 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM PROTECTION OF AN OPERATING SYSTEM KERNEL - A below-operating system security agent may be configured to: (i) trap attempted accesses to the components of the operating system and the set of drivers executing on the electronic device; (ii) in response to trapping an attempted access, compare contextual information associated with the attempted access to an access map; and (iii) determine if the attempted access is trusted based on the comparison. The access map may be generated by: (i) trapping, at a level below all of the operating systems of a second electronic device accessing components of the second operating system and the second set of drivers executing on the second electronic device and each substantially free of malware, accesses to components of the second operating system and the second set of drivers executing on the second electronic device; and (ii) in response to trapping the accesses, recording contextual information regarding the accesses to the access map. | 10-04-2012 |
20120255017 | SYSTEM AND METHOD FOR PROVIDING A SECURED OPERATING SYSTEM EXECUTION ENVIRONMENT - In one embodiment, a system for launching a security architecture includes an electronic device comprising a processor and one or more operating systems, a security agent, and a launching module. The launching module comprises a boot manager and a secured launching agent. The boot manager is configured to boot the secured launching agent before booting the operating systems, and the secured launching agent is configured to load a security agent. The security agent is configured to execute at a level below all operating systems of the electronic device, intercept a request to access a resource of the electronic device, the request originating from the operational level of one of one or more operating systems of the electronic device, and determine if a request is indicative of malware. In some embodiments, the secured launching agent may be configured to determine whether the security agent is infected with malware prior to loading the security agent. | 10-04-2012 |
20120255018 | SYSTEM AND METHOD FOR SECURING MEMORY AND STORAGE OF AN ELECTRONIC DEVICE WITH A BELOW-OPERATING SYSTEM SECURITY AGENT - A security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory or a storage of the electronic device may be further configured to: (i) access one or more security rules to determine a criteria by which an attempted access involving a transfer of content between the memory and the storage of an electronic device will be trapped; (ii) if the criteria is met, trap, at a level below all of the operating systems of the electronic device, attempted access of data between memory and storage of an electronic device; and (iii) analyze, at a level below all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware. | 10-04-2012 |
20120255021 | SYSTEM AND METHOD FOR SECURING AN INPUT/OUTPUT PATH OF AN APPLICATION AGAINST MALWARE WITH A BELOW-OPERATING SYSTEM SECURITY AGENT - A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, an input-output (I/O) device of the electronic device coupled to the operating system; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the I/O device. The security agent may be further configured to: (i) trap, at a level below all of the operating systems of the electronic device accessing an input/output (I/O) device, an attempted access of a facility for I/O operation with the I/O device; and (ii) using one or more security rules, analyze the attempted access to determine whether the attempted access is indicative of malware. | 10-04-2012 |
20120255031 | SYSTEM AND METHOD FOR SECURING MEMORY USING BELOW-OPERATING SYSTEM TRAPPING - In one embodiment, a system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more portions of memory for which attempted accesses will be trapped and comprising criteria by which the attempted access will be trapped, trap an attempted access of the memory that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. | 10-04-2012 |
20140130157 | METHOD AND SYSTEM FOR DISCRETE STATEFUL BEHAVIORAL ANALYSIS - A method for analyzing a computing system includes the steps of at a first moment in time, scanning the resources of the computing system for indications of malware, at a second moment in time scanning the resources of the computing system for indications of malware and determining the system executable objects loaded on the computing system, determining malware system changes, identifying a relationship between the malware system changes and the system executable objects loaded on the computing system, and identifying as suspected malware the system executable objects loaded on the computing system which have a relationship with the malware system changes. The malware system changes include differences between the results of scanning the resources of the computing system for indications of malware at the second and first moment of time. | 05-08-2014 |
20140325656 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REGULATION AND CONTROL OF SELF-MODIFYING CODE - A system for securing an electronic device may include a memory, a processor; one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location. | 10-30-2014 |
20150052608 | METHOD AND SYSTEM FOR DETECTION OF MALWARE THAT CONNECT TO NETWORK DESTINATIONS THROUGH CLOUD SCANNING AND WEB REPUTATION - A method for detecting malware includes the steps of identifying one or more open network connections of an electronic device, associating one or more executable objects on the electronic device with the one or more open network connections of the electronic device, determining the address of a first network destination that is connected to the open network connections of the electronic device, receiving an evaluation of the first network destination, and identifying one or more of the executable objects as malware executable objects. The evaluation includes an indication that the first network destination is associated with malware. The malware executable objects include the executable objects that are associated with the open network connections that are connected to the first network destination. | 02-19-2015 |
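The connection-to-executable correlation claimed in 20110185423 and its continuation 20150052608 (open connections, the executables that own them, the remote destination, a reputation verdict for that destination, and finally the flagged executables) is straightforward to prototype from user space. The block below is an added illustration written for this page, not code from any of the listed applications or their assignee. It assumes Linux `ss -tnp` style output as the source of open connections (the sample lines are constructed, with documentation-range addresses) and a hard-coded reputation dictionary standing in for the cloud/web reputation service the abstracts describe; prefixes are honoured so a whole hosting range can be marked malicious.

```python
"""Flag executables whose open connections reach destinations a reputation
source marks as malware (user-space prototype; example code for this page)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -tnp` on Linux; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB  0      0      10.0.0.5:41822       203.0.113.7:443      users:(("updater",pid=1441,fd=12))
ESTAB  0      0      10.0.0.5:41830       198.51.100.23:8080   users:(("svchost.bin",pid=2207,fd=5))
ESTAB  0      0      10.0.0.5:41844       192.0.2.44:443       users:(("firefox",pid=3102,fd=88),("firefox",pid=3102,fd=91))
ESTAB  0      0      [::1]:6010           [::1]:52210          users:(("sshd",pid=812,fd=9))
"""

# Constructed reputation table standing in for a cloud/web reputation lookup.
# Keys may be single addresses or CIDR prefixes; values are verdict strings.
REPUTATION = {
    "203.0.113.7": "benign",
    "198.51.100.0/24": "malware",   # whole prefix treated as hostile (assumption)
    "192.0.2.44": "unknown",
}

_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


@dataclass(frozen=True)
class Connection:
    local: str
    peer_ip: str
    peer_port: int
    process: str
    pid: int


def _split_host_port(addr):
    """'203.0.113.7:443' -> ('203.0.113.7', 443); '[::1]:22' -> ('::1', 22)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(output):
    """Parse `ss -tnp` style lines into one Connection per (process, pid) owner.

    A socket shared by several fds of the same process yields a single record;
    a socket shared across processes yields one record per process.
    """
    conns = []
    for line in output.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue                              # no owning process shown
        _state, _rq, _sq, local, peer, proc_field = parts
        peer_ip, peer_port = _split_host_port(peer)
        seen = set()
        for name, pid in _PROC_RE.findall(proc_field):
            key = (name, int(pid))
            if key in seen:
                continue
            seen.add(key)
            conns.append(Connection(local, peer_ip, peer_port, name, int(pid)))
    return conns


def evaluate_destination(ip, reputation=REPUTATION):
    """Return the verdict for ip; the most specific matching entry wins, default 'unknown'."""
    addr = ipaddress.ip_address(ip)
    verdict, best_len = "unknown", -1
    for entry, v in reputation.items():
        net = ipaddress.ip_network(entry, strict=False)
        if addr in net and net.prefixlen > best_len:   # version mismatch is never 'in'
            verdict, best_len = v, net.prefixlen
    return verdict


def flag_malware_executables(output, reputation=REPUTATION):
    """Map connections -> destinations -> verdicts and return the executables that
    own a connection to a 'malware' destination, keyed by (process, pid)."""
    flagged = {}
    for c in parse_ss(output):
        if evaluate_destination(c.peer_ip, reputation) == "malware":
            flagged.setdefault((c.process, c.pid), []).append(f"{c.peer_ip}:{c.peer_port}")
    return flagged


if __name__ == "__main__":
    for (proc, pid), peers in flag_malware_executables(SAMPLE_SS_OUTPUT).items():
        print(f"{proc} (pid {pid}) -> {', '.join(peers)}")
```

The caveat a practitioner should keep in mind is the one the rest of this table is about: a user-space view of open sockets is only as honest as the kernel that reports it. A kernel-mode rootkit can hide the socket or the owning process, which is why the later applications move the trapping below the operating system; a prototype like this one is a reasonable first-pass triage tool, not a replacement for that.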