| Patent Number |
Title Of Patent |
Date Issued |
| H2202 |
Method and apparatus to dynamically hook runtime processes without interrupting the flow of exec |
September 4, 2007 |
| A method of dynamically hooking runtime processes without interrupting the flow of execution includes: suspending a thread; hooking a function comprising modifying code of the function; and determining whether the thread was executing the modified code when the thread was suspended. If |
| H2196 |
Method for intercepting specific system calls in a specific application from applications space |
July 3, 2007 |
| One or more specified system calls of a running process are trapped in kernel space from user space. While the process is stopped, information associated with the process is read and a security analysis is performed on the information to determine whether malicious code activity is d |
| 7418729 |
Heuristic detection of malicious computer code by page tracking |
August 26, 2008 |
| To detect a computer virus in a host file (100), an emulating module (414) emulates the host file (100) in a virtual machine (422) having a virtual memory (426). While emulating the host file (100), the system (400) tracks the host file's access of the virtual memory (426). Responsive to |
| 7415504 |
System and method for controlling distribution of network communications |
August 19, 2008 |
| A method for controlling distribution of network communications (messages). An incoming message either carries priority information, or is assigned priority information based on a shared characteristic with other messages. The priority information is used to determine how and/or when |
| 7409717 |
Metamorphic computer virus detection |
August 5, 2008 |
| The executions of computer viruses are analyzed to develop register signatures for the viruses. The register signatures specify the sets of outputs the viruses produce when executed with a given set of inputs. A virus detection system (VDS) (400) holds a database (430) of the register |
| 7406714 |
Computer code intrusion detection system based on acceptable retrievals |
July 29, 2008 |
| Methods, apparati, and computer-readable media for protecting computer code (1) from malicious retrievers (3). A method embodiment of the present invention comprises the steps of generating (22) retrieval information characteristic of data sent to a retriever (3) by the computer code |
| 7401255 |
Mechanisms for recovering data from a backup by comparing transformed data to identify altered m |
July 15, 2008 |
| Mechanisms for efficiently restoring one or more memory blocks of a primary computing system. In order to restore a backup memory block, the primary system accesses transformed data that represents a result of a deterministic many-to-one mapping function, such as a hash function, app |
| 7398365 |
Restoring data with reduced suspension-of-access periods |
July 8, 2008 |
| Restoring data, without suspending access to the data for the entire time that the data is being restored. Access is suspended only while a portion of the data is restored, before access to all of the data is permitted. A driver virtualizes any remaining unrestored data. To accomplish th |
| 7395244 |
Criticality classification system and method |
July 1, 2008 |
| A method includes determining usage of assets, and determining criticality classifications of the assets based on the usage. The criticality classifications of assets are calculated automatically and without requiring security personnel to classify assets and enter the criticality cl |
| 7392543 |
Signature extraction system and method |
June 24, 2008 |
| Host computer systems automatically detect malicious code. The host computer systems automatically generate and send malicious code packets of the malicious code to a local analysis center (LAC) computer system. Based on the received malicious code packets, the LAC computer system pr |
| 7392523 |
Systems and methods for distributing objects |
June 24, 2008 |
| Systems and methods consistent with the present invention ensure software integrity by associating each software component to be included in a federation with a distinct unique identifier. A subset of the identifiers corresponding to any two software components should match for the f |
| 7392356 |
Promotion or demotion of backup data in a storage hierarchy based on significance and redundancy |
June 24, 2008 |
| Moving backup data within a storage hierarchy based on a calculated uniqueness of the backup data and on the estimated significance of at least a portion of the backup data. More unique and significant backup data would tend to have higher availability levels. Conversely, less unique |
| 7389410 |
Automatically deriving order of initialization for computing services across multiple computing |
June 17, 2008 |
| Automated derivation of an initialization ordering for computing services distributed across multiple computing systems. The initialization ordering is derived by monitoring initialization times for the computing services for one or more prior initializations of the computing services. |
| 7383568 |
Security management administration system and method |
June 3, 2008 |
| A method includes defining areas of ownership for users of a computer system; receiving a proposed modification from a first user of the users, the first user being an owner of the proposed modification, wherein a set of the users are stakeholders in the proposed modification; and receiv |
| 7383534 |
Configuration system and methods including configuration inheritance and revisioning |
June 3, 2008 |
| A system includes a security management system for a plurality of managed products. The security management system stores configuration data for managed products and managed nodes in a directory. Configuration data is stored in the directory in the form of configuration objects and setti |
| 7380277 |
Preventing e-mail propagation of malicious computer code |
May 27, 2008 |
| Computer-implemented methods, systems, and computer-readable media for detecting the presence of malicious computer code in an e-mail sent from a client computer (1) to an e-mail server (2). An embodiment of the inventive method comprises the steps of: interposing (41) an e-mail proxy |
| 7380123 |
Remote activation of covert service channels |
May 27, 2008 |
| Remote activation of covert service channels is provided. A remote host can initiate and establish a connection with a target host without exposing a service channel or communications port to an unauthenticated host. Triggers can be received by and sent to a host and an associated op |
| 7373667 |
Protecting a computer coupled to a network from malicious code infections |
May 13, 2008 |
| Computer implemented methods, apparati, and computer-readable media for enabling a first computer (12) to determine that it is safe to communicate with a second computer (10) coupled to the first computer (12) over a network (15). In a method embodiment of the present invention, the fi |
| 7373664 |
Proactive protection against e-mail worms and spam |
May 13, 2008 |
| Methods, apparati, and computer-readable media for detecting the presence of malicious computer code in a plurality of e-mails. In a method embodiment of the present invention, the following steps are performed for each e-mail: calculating a feature vector (80), said feature vector ( |
| 7373519 |
Distinguishing legitimate modifications from malicious modifications during executable computer |
May 13, 2008 |
| Prior to a modification of an executable computer file (101), a modification analysis manager (111) stores (1101) content concerning a specified number of specified sized blocks (115) of a specified section of the executable file (101). After the modification of the executable file ( |
| 7370356 |
Distributed network monitoring system and method |
May 6, 2008 |
| Methods and systems for protecting the computer network against unauthorized access are disclosed. Information is reported about each network device connected to the network and/or one or more corresponding users. The reported information is correlated to determine if any unauthorize |
| 7370233 |
Verification of desired end-state using a virtual machine environment |
May 6, 2008 |
| An integrity verification manager (101) verifies the integrity of a backup (102) of a computer (103). The integrity verification manager (101) audits the computer (103), and stores information (107) concerning items of interest such as executing processes (109, 111) and open listening |
| 7367056 |
Countering malicious code infections to computer files that have been infected more than once |
April 29, 2008 |
| Methods, apparati, and computer-readable media for countering malicious code infections to computer files (20). A preferred embodiment comprises selecting (40) an invariant section of each file (20), wherein said invariant section is invariant to malicious code infections and to repair |
| 7366919 |
Use of geo-location data for spam detection |
April 29, 2008 |
| Computer implemented methods, apparati, and computer-readable media for detecting suspected spam in e-mail (24) originating from a sending computer (21). A method embodiment comprises the steps of determining (11) the actual IP address (23) of the sending computer (21); converting (1 |
| 7363330 |
Work monitor with file synchronization |
April 22, 2008 |
| When the user works at home on his home computer, a work monitor logs his file activities on all the drives of his home computer in a work monitor log, which can be displayed in a work monitor window. The user can choose to update from the work monitor window. When update is selected, th |
| 7360249 |
Refining behavioral detections for early blocking of malicious code |
April 15, 2008 |
| A blocking-scanning manager (101) detects (200) attempted malicious behavior of running code (120). In response to detection, the blocking-scanning manager (101) blocks (206) the attempted malicious behavior. The blocking-scanning manager (101) generates (208) a signature to identify |
| 7356844 |
System and method for computer security |
April 8, 2008 |
| A system and method are disclosed for providing security for a computer network. Content is generated for a computer associated with the network. It is determined whether a user should be routed to the generated content. If it is determined that the user should be routed to the gener |
| 7356843 |
Security incident identification and prioritization |
April 8, 2008 |
| Techniques are disclosed for protecting a computer environment. The technique comprises providing an index; comparing a first event with the index; determining whether the first event is unusual; and determining whether a security incident associated with the first event has occurred. |
| 7340777 |
In memory heuristic system and method for detecting viruses |
March 4, 2008 |
| Characteristics of a call module originating a critical operating system function call are analyzed for indications of suspicious content and a virus threshold counter is incremented appropriately. For example, the memory image to the file image of the call module are compared for in |
| 7337471 |
Selective detection of malicious computer code |
February 26, 2008 |
| System, methods, and computer readable media for determining whether a computer file (340) has been infected by an attacking agent. A scanning engine (205) generates a new hash of a critical viral target region of the file (340) and compares it to a stored hash of the critical viral |
| 7337327 |
Using mobility tokens to observe malicious mobile code |
February 26, 2008 |
| One or more mobility token managers (101) track movement of files (105) within a network. A mobility token manager (101) on a source computer (113) detects an attempt to write a file (105) to a target computer (117). Responsive to the detection, the mobility token manager (101) write |
| 7337198 |
In-place preservation of file system objects during a disk clone operation |
February 26, 2008 |
| A cloning manager preserves in-place file system objects during a clone operation. The cloning manager determines boundaries on a target storage medium to contain a resultant file system to be created by the clone operation, and identifies at least one protected area within the bound |
| 7334722 |
Scan-on-read |
February 26, 2008 |
| A scan-on-read manager efficiently scans received data. The scan-on-read manager detects attempts by applications to read received data. The scan-on-read manager scans received data only responsive to an application attempting to read it. The scan-on-read manager only allows the appl |
| 7334263 |
Detecting viruses using register state |
February 19, 2008 |
| A register signature specifies an initial state of a virtual machine (422) and changes to the initial state made by a block of viral code. A virus detection system (VDS) (400) selects (810) a file that might contain a computer virus, identifies (812) potential entry points in the |
| 7334262 |
Proactive prevention of polymorphic SMTP worms |
February 19, 2008 |
| A method includes establishing a SMTP proxy, defining an application that forms a connection with the SMTP proxy as a SMTP client application, emulating the SMTP client application including generating at least one SMTP client application dirty page, intercepting an executable applic |
| 7334163 |
Duplicating handles of target processes without having debug privileges |
February 19, 2008 |
| A source process duplicates handles owned by a target process, without the source process having debug privileges. A handle duplication manager running in kernel space receives requests from source processes for duplicates of handles owned by remote target processes. In response to a |
| 7334005 |
Controllable deployment of software updates |
February 19, 2008 |
| The risk of inadvertent introduction of software bugs to a large number of users during a software update is minimized by controlling updates using a uniform mechanism of sending updates to seed users. A value-generating module generates a value for a computer, the value falling within a |
| 7331062 |
Method, computer software, and system for providing end to end security protection of an online |
February 12, 2008 |
| A method for implementing an online transaction security product includes downloading an online transaction security product program from a web site to an information handling system. The security product program includes an anti-malicious code program configured to detect malicious |
| 7328456 |
Method and system to detect dangerous file name extensions |
February 5, 2008 |
| A file system event including a file name having at least a last file name extension is intercepted and stalled. The file name is parsed to obtain at least the last file name extension and a next to last file name extension, when present. A determination is made whether the last file |
| 7328323 |
Heap buffer overflow exploitation prevention system and method |
February 5, 2008 |
| A method includes stalling a call to a heap allocation function originating from a request by an application for a block of heap buffer, predicting a block of the heap buffer to fulfill the request, and determining if a forward link (F-link) and a backward link (B-link) of the predic |
| 7325251 |
Method and system to prevent peer-to-peer (P2P) worms |
January 29, 2008 |
| A call to a file system function is intercepted in the context of a caller, and stalled. A determination is made whether malicious code, such as a peer-to-peer (P2P) computer worm, is detected based upon the call. Upon a determination that malicious code is detected, protective action |
| 7325185 |
Host-based detection and prevention of malicious code propagation |
January 29, 2008 |
| Requests issuing on a host computer are intercepted and stalled prior to sending to target computer systems. The requests are analyzed to determine whether they are suspicious. Requests determined to be suspicious are added as request entries to a request database. Each time a reques |
| 7308541 |
Optimistic reads in a multi-node environment |
December 11, 2007 |
| A method, system, computer system, and computer program product to support a distributed environment in which changes to data shared by multiple nodes are logged using private logs and managed by a coordinator. The coordinator recognizes invalidating operations and informs a reader when |
| 7305529 |
Cooperative data replication |
December 4, 2007 |
| A method or apparatus for cooperative data replication. The method in one embodiment can be performed by a computer system or several computer systems executing software instructions. The method may include modifying data in n data blocks of a data volume to create n modified data blocks |
| 7296293 |
Using a benevolent worm to assess and correct computer security vulnerabilities |
November 13, 2007 |
| Methods, systems, and computer readable media utilize a benevolent worm (100) to assess computer security vulnerabilities, and to correct computer security vulnerabilities. A benevolent worm (100) attempts (301) to copy itself to a computer (201), in order to assess (303) potential s |
| 7296138 |
Method and apparatus to hook shared libraries across all processes on windows |
November 13, 2007 |
| A process page table entry (PTE) associated with a process is located, and a determination is made whether the process PTE is prototype PTE. If the process PTE is a prototype PTE, the location of the actual PTE is determined. A copy-on-write functionality associated with the PTE is d |
| 7293290 |
Dynamic detection of computer worms |
November 6, 2007 |
| Methods, apparati, and computer-readable media for detecting malicious computer code in a host computer (1). A method embodiment of the present invention comprises the steps of determining (32) whether data leaving the host computer (1) is addressed to exit a port (15) of the host co |
| 7293146 |
Method and apparatus for restoring a corrupted data volume |
November 6, 2007 |
| Disclosed is a method and apparatus for restoring a corrupted data volume. In one embodiment, the method includes creating a backup copy of the data volume before the data volume is corrupted. Data transactions that modify the contents of the data volume are stored in a transaction log. |
| 7293063 |
System utilizing updated spam signatures for performing secondary signature-based analysis of a |
November 6, 2007 |
| A spam manager (101) receives (201) at least one e-mail (106) addressed to a domain (103). The spam manager (101) performs (203) a signature based analysis of received e-mail (106) to determine whether received e-mail (106) includes at least one signature indicative of spam. Responsive t |
| 7290282 |
Reducing false positive computer virus detections |
October 30, 2007 |
| Virus detection modules (120) execute virus detection techniques on clients (110) to check for the presence of computer viruses in data and also communicate with a software server (116). A constraints module (320) specifies constraints on the application of certain virus detection te |