Patent application number | Description | Published |
20120317570 | SYSTEM AND METHOD FOR VIRTUAL PARTITION MONITORING - A method is provided in one example embodiment that includes receiving in an external handler an event notification associated with an event in a virtual partition. A thread in the process in the virtual partition that caused the event can be parked. Other threads and processes may be allowed to resume while a security handler evaluates the event for potential threats. A helper agent within the virtual partition may be instructed to execute a task, such as collecting and assembling event context within the virtual partition, and results based on the task can be returned to the external handler. A policy action can be taken based on the results returned by the helper agent, which may include, for example, instructing the helper agent to terminate the process that caused the event. | 12-13-2012 |
20130031291 | SYSTEM AND METHOD FOR VIRTUAL PARTITION MONITORING - A method is provided in one example embodiment that includes rebasing a module in a virtual partition to load at a fixed address and storing a hash of a page of memory associated with the fixed address. An external handler may receive a notification associated with an event affecting the page. An internal agent within the virtual partition can execute a task and return results based on the task to the external handler, and a policy action may be taken based on the results returned by the internal agent. In some embodiments, a code portion and a data portion of the page can be identified and only a hash of the code portion is stored. | 01-31-2013 |
20130047255 | SYSTEM AND METHOD FOR INDIRECT INTERFACE MONITORING AND PLUMB-LINING - A method is provided in one example embodiment that includes monitoring a first interface, monitoring a second interface, and taking a policy action if the second interface is not executed before the first interface. In more particular embodiments, monitoring the second interface may include walking a call stack associated with the first interface. Moreover, a program context for calling code associated with the second interface may be identified and acted upon. | 02-21-2013 |
20140096252 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DYNAMICALLY ADJUSTING A LEVEL OF SECURITY APPLIED TO A SYSTEM - A system, method, and computer program product are provided for dynamically adjusting a level of security applied to a system. In use, predetermined activity that is at least potentially associated with unwanted activity is identified on a system. Further, a level of security applied to the system is dynamically adjusted, in response to the identification of the predetermined activity. | 04-03-2014 |
20140173728 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR MOUNTING AN IMAGE OF A COMPUTER SYSTEM IN A PRE-BOOT ENVIRONMENT FOR VALIDATING THE COMPUTER SYSTEM - A system, method, and computer program product are provided for mounting an image of a computer system in a pre-boot environment for validating the computer system. In use, an image of a computer system is mounted in a pre-boot environment of the computer system, where the image includes a file system structure and initialization data of the computer system. Furthermore, at least one task is performed on the mounted image for validating the computer system. | 06-19-2014 |
20140223509 | SYSTEM AND METHOD FOR INDIRECT INTERFACE MONITORING AND PLUMB-LINING - A method is provided in one example embodiment that includes monitoring a first interface, monitoring a second interface, and taking a policy action if the second interface is not executed before the first interface. In more particular embodiments, monitoring the second interface may include walking a call stack associated with the first interface. Moreover, a program context for calling code associated with the second interface may be identified and acted upon. | 08-07-2014 |
20150020200 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR MOUNTING AN IMAGE OF A COMPUTER SYSTEM IN A PRE-BOOT ENVIRONMENT FOR VALIDATING THE COMPUTER SYSTEM - A system, method, and computer program product are provided for mounting an image of a computer system in a pre-boot environment for validating the computer system. An image of an operating system is mounted in a pre-boot environment of the programmable device. An untrusted component of the operating system is identified that is registered to be automatically loaded or loaded during a boot-up stage of the operating system that is predetermined to be early. The untrusted component is rescheduled to be initiated after loading of at least a portion of a security system on the programmable device. | 01-15-2015 |
Patent application number | Description | Published |
20110145926 | SYSTEMS AND METHODS FOR BEHAVIORAL SANDBOXING - Methods and systems for behavioral sandboxing are described. In one example embodiment, a system for behavioral sandboxing can include a network and a computer. The network is communicatively coupled to a source of an executable application. The computer is communicatively coupled to the network and includes a behavioral analysis module and a plurality of execution environments. The behavioral analysis module is configured to perform behavioral analysis on the executable application downloaded over the network. The plurality of execution environments includes a standard execution environment and a protected execution environment. The behavioral analysis module is configured to evaluate a plurality of behavioral characteristics of the executable application to determine whether the executable application should be executed within the protected execution environment prior to execution of the executable application. The behavioral analysis module also monitors execution of the executable application to determine whether the execution environment can be changed. | 06-16-2011 |
20130254884 | SYSTEMS AND METHODS FOR BEHAVIORAL SANDBOXING - Methods and systems for behavioral sandboxing are described. In one example embodiment, a system for behavioral sandboxing can include a network and a computer. The network is communicatively coupled to a source of an executable application. The computer is communicatively coupled to the network and includes a behavioral analysis module and a plurality of execution environments. The behavioral analysis module is configured to perform behavioral analysis on the executable application downloaded over the network. The plurality of execution environments includes a standard execution environment and a protected execution environment. The behavioral analysis module is configured to evaluate a plurality of behavioral characteristics of the executable application to determine whether the executable application should be executed within the protected execution environment prior to execution of the executable application. The behavioral analysis module also monitors execution of the executable application to determine whether the execution environment can be changed. | 09-26-2013 |
20130275573 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR DEFERRING INTERFACE MONITORING BASED ON WHETHER A LIBRARY ASSOCIATED WITH THE INTERFACE IS LOADED - An interface monitoring system, method and computer program product are provided. In use, an interface is identified. In addition, monitoring of the interface is deferred based on whether a library associated with the interface is loaded. | 10-17-2013 |
20130275950 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR MONITORING AND/OR ANALYZING AT LEAST ONE ASPECT OF AN INVOCATION OF AN INTERFACE - A system, method and computer program product are provided. In use, execution of a portion of internal code of an interface is identified. Further, in response to the execution of the portion of internal code, at least one aspect of an invocation of the interface is monitored and/or analyzed. | 10-17-2013 |
20130275952 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR IDENTIFYING UNWANTED DATA BASED ON AN ASSEMBLED EXECUTION PROFILE OF CODE - A system, method, and computer program product are provided for identifying unwanted data based on an assembled execution profile of code. In use, an execution profile of code is assembled by tracking interface usage of the code. Further, it is determined whether the code is associated with unwanted activity, based on the execution profile. | 10-17-2013 |
20130275963 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR CONDITIONALLY PREVENTING USE OF HARDWARE VIRTUALIZATION - A system, method, and computer program product are provided for conditionally preventing use of hardware virtualization. In use, an attempt to use hardware virtualization is identified. Further, the use of the hardware virtualization is conditionally prevented. | 10-17-2013 |
20130275981 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR MONITORING AN EXECUTION FLOW OF A FUNCTION - A system, method, and computer program product are provided for monitoring an execution flow of a function. In use, data associated with a function is identified within a call stack. Additionally, a call stack frame is determined from freed memory in the call stack. Further, an execution flow of the function is monitored, utilizing the call stack frame from the freed memory. | 10-17-2013 |
20130275998 | Automated local exception rule generation system, method and computer program product - A system, method and computer program product are provided for automatically generating a rule exception. An event is identified that at least potentially violates a rule. Thereafter, an exception to the rule is automatically generated. | 10-17-2013 |
20130276002 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR INVOKING AN APPLICATION PROGRAM INTERFACE WITHIN AN INTERCEPTION OF ANOTHER APPLICATION PROGRAM INTERFACE - A system, method, and computer program product are provided for invoking an application program interface within an interception of another application program interface. In use, a first application program interface invoked utilizing a first thread is intercepted. Further, a second application program interface is invoked within the interception of the first application program interface, utilizing a second thread. | 10-17-2013 |
20130276107 | BEHAVIORAL TRACKING SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR UNDOING EVENTS BASED ON USER INPUT - A behavioral tracking system, method, and computer program product are provided for undoing events based on user input. In use, a plurality of unclassified events is identified on a system utilizing behavioral tracking. Additionally, input associated with at least one of the unclassified events is received from a user of the system for classifying the at least one of the unclassified events as an unwanted event. Further, the at least one unwanted event is undone in response to the receipt of the input. | 10-17-2013 |
20130276110 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DETECTING AT LEAST POTENTIALLY UNWANTED ACTIVITY BASED ON EXECUTION PROFILE MONITORING - A system, method, and computer program product are provided for detecting at least potentially unwanted activity based on execution profile monitoring. In use, an execution profile of code is monitored utilizing call frame monitoring. Further, at least potentially unwanted activity is detected based on the monitoring of the execution profile. | 10-17-2013 |
20130276112 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DYNAMICALLY ADJUSTING A LEVEL OF SECURITY APPLIED TO A SYSTEM - A system, method, and computer program product are provided for dynamically adjusting a level of security applied to a system. In use, predetermined activity that is at least potentially associated with unwanted activity is identified on a system. Further, a level of security applied to the system is dynamically adjusted, in response to the identification of the predetermined activity. | 10-17-2013 |
20130276113 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR REMOVING MALWARE FROM A SYSTEM WHILE THE SYSTEM IS OFFLINE - A system, method, and computer program product are provided for removing malware from a system while the system is offline. In use, a system is identified as being infected with malware. Additionally, it is determined whether the malware can be fully removed from the system while the system is online. Further, at least part of the malware is conditionally removed from the system while the system is offline, based on the determining. | 10-17-2013 |
20130276120 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DETERMINING WHETHER A SECURITY STATUS OF DATA IS KNOWN AT A SERVER - A system, method, and computer program product are provided for determining whether a security status of data is known at a server. In use, a request for a security status of data is received over a network at a server. Additionally, it is determined whether the security status is known at the server using at least one of a whitelist and a blacklist. Furthermore, a result of the determination is transmitted over the network. | 10-17-2013 |
20130276132 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR UTILIZING CODE STORED IN A PROTECTED AREA OF MEMORY FOR SECURING AN ASSOCIATED SYSTEM - A security system, method, and computer program product are provided. In use, code is stored in a protected area of memory. In addition, the stored code is utilized for securing a system associated with the protected area of memory. | 10-17-2013 |
20130339646 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR UTILIZING CODE STORED IN A PROTECTED AREA OF MEMORY FOR SECURING AN ASSOCIATED SYSTEM - A security system, method, and computer program product are provided. In use, code is stored in a protected area of memory. In addition, the stored code is utilized for securing a system associated with the protected area of memory. | 12-19-2013 |
20140059685 | System, Method and Computer Program Product for Monitoring and/or Analyzing at Least One Aspect of an Invocation of an Interface - A system, method and computer program product are provided. In use, execution of a portion of internal code of an interface is identified. Further, in response to the execution of the portion of internal code, at least one aspect of an invocation of the interface is monitored and/or analyzed. | 02-27-2014 |
20140143829 | AUTOMATED LOCAL EXCEPTION RULE GENERATION SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT - A system, method and computer readable medium pertaining to evaluation of events from a computer system to assess security risks to that system. Events are evaluated according to the aspects of each event and the aspects are used to make a preliminary determination regarding violation of a security rule. In addition to a preliminary determination of a rule violation, exceptions to the rule may be identified. | 05-22-2014 |
20140283065 | SERVER-ASSISTED ANTI-MALWARE CLIENT - A host-based antimalware client can interface with a server-based antimalware support server. A file is identified at a host device. It is determined whether local reputation data for the file is available at the host device for the file. A query is sent to an antimalware support system relating to the file. Particular reputation data is received from the antimalware support system corresponding to the query. It is determined whether to allow the file to be loaded on the host device based at least in part on the particular reputation data. | 09-18-2014 |
20140283066 | SERVER-ASSISTED ANTI-MALWARE CLIENT - An antimalware support system is provided to support one or more host-based antimalware clients. A query is received from a particular host device that identifies a file detected by an antimalware tool local to the particular host device. Reputation data is determined for the file, and a response to the query is sent to the particular host device. The query response includes the reputation data determined for the file. | 09-18-2014 |
20140289853 | REMOTE MALWARE REMEDIATION - An opportunity to assist with remediation of a file at a remote particular host device is identified. One or more remediation techniques are identified that can be applied to assist with remediation of the file at the particular host device. In one aspect, one or more remediation scripts are identified from a plurality of remediation scripts for remediation of the file and provided to the particular host device for execution on the particular host device. In another aspect, a remediation tool is identified and launched on a computing device remote from the particular host device with operations of the remediation tool applied to resources of the particular host device. In another aspect, at least a portion of the remediation techniques are remotely initiated to be performed locally at the particular host device. | 09-25-2014 |
20140359762 | BEHAVIORAL TRACKING SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR UNDOING EVENTS BASED ON USER INPUT - A behavioral tracking system, method, and computer program product are provided for undoing events based on user input. In use, a plurality of unclassified events is identified on a system utilizing behavioral tracking. Additionally, input associated with at least one of the unclassified events is received from a user of the system for classifying the at least one of the unclassified events as an unwanted event. Further, the at least one unwanted event is undone in response to the receipt of the input. | 12-04-2014 |
20150067763 | HARDWARE AND SOFTWARE EXECUTION PROFILING - Technologies for assembling an execution profile of an event are disclosed. The technologies may include monitoring the event for a branch instruction, generating a callback to a security module upon execution of the branch instruction, filtering the callback according to a plurality of event identifiers, and validating a code segment associated with the branch instruction, the code segment including code executed before the branch instruction and code executed after the branch instruction. | 03-05-2015 |