WO2003012644A1 - System, method and computer program product for equipping wireless devices with malware scanning capabilities - Google Patents
- Publication number: WO2003012644A1 (application PCT/US2002/013570)
- Authority: WO (WIPO (PCT))
- Prior art keywords: mobile wireless, wireless device, file, recited, malware
Classifications
- H04W8/245—Transfer of terminal data from a network towards a terminal
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/564—Static detection by virus signature recognition
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L67/34—Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
- H04L69/329—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
- H04W12/128—Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
- H04L63/1416—Event detection, e.g. attack signature detection
- H04W12/06—Authentication
Definitions
- the present invention relates to wireless device security, and more particularly to scanning wireless devices for malware.
- mobile wireless devices are susceptible to malware such as viruses, Trojan horses, and worms (referred to collectively hereinafter as “viruses”) in much the same way as present day personal computers and workstations are susceptible to malware attack.
- a number of mobile telephone viruses have already been identified.
- in order to resist virus attacks, anti-virus software must be deployed into mobile platforms in much the same way as it has been deployed in the desktop environment.
- a number of different desktop anti-virus applications are currently available. The majority of these applications rely upon a basic scanning engine which searches suspect files for the presence of predetermined virus signatures. These signatures are held in a database which must be constantly updated to reflect the most recently identified viruses.
- users download replacement databases every so often, either over the Internet, from a received e-mail, or from a CDROM or floppy disk. Users are also expected to update their software engines every so often in order to take advantage of new virus detection techniques (e.g. which may be required when a new strain of virus is detected).
- mobile wireless platforms present a series of problems for software developers (including developers of anti-virus software). Chief among these are the limited memory and processing power of mobile platforms, and the limited input/output capabilities which they possess (i.e. no CDROM or floppy drive, and no high bandwidth fixed line network or Internet connectivity).
- mobile wireless platforms are traditionally not standardized like conventional desktops. For example, instead of running Microsoft™ Windows™, such mobile wireless platforms may have installed thereon a variety of types of operating systems. This complicates the act of designing an anti-virus scanner that is capable of operating on any one of a plurality of mobile wireless platforms.
- a system, method and computer program product are provided for scanning a mobile wireless device for malware. Initially, an application service provider is initiated utilizing a mobile wireless device. Next, an anti-malware scanner installed on the mobile wireless device is updated over a wireless network utilizing the application service provider. The mobile wireless device is then scanned utilizing the updated anti-malware scanner.
- the update may be effected by wirelessly communicating with a back-end server. Further, such communication with the back-end server may be effected only upon user authorization so as to regulate usage of the wireless network with the mobile wireless device.
- the application service provider may include a platform-independent component manager capable of running a plurality of functional modules on any one of a plurality of mobile wireless device platforms.
- Such platform-independent component manager may include a platform abstraction layer.
- the mobile wireless device may be updated on a schedule that is coordinated with a plurality of other mobile wireless devices for maintaining the performance of the wireless network.
- the update may include a package. Such package may possibly be wrapped.
- the mobile wireless device may be updated based on a manual trigger, a self trigger, a scanner trigger, a scheduled trigger, and/or an external trigger.
- Figure 1 illustrates an exemplary architecture for scanning a mobile wireless device for malware, in accordance with one embodiment.
- Figure 2 illustrates an overview of the component architecture associated with the anti-malware scanner running on the mobile wireless devices.
- Figure 3 illustrates a method for scanning a mobile wireless device for malware utilizing a user interface, in accordance with one embodiment.
- Figure 4 illustrates a sample user interface screen that shows the features exposed by the anti-malware scanner.
- Figure 5 illustrates a block diagram showing the interaction between a component manager and other subsystems such as the user interface.
- Figure 6 illustrates a method for scanning a mobile wireless device for malware utilizing a component manager, in accordance with one embodiment.
- Figure 7 illustrates a system including an on-access scanner, in accordance with one embodiment.
- Figure 8 illustrates a framework with an on-access scanner interfacing with a file system, and filtering all file I/O related events.
- Figure 9 illustrates the manner in which the on-access scanner is enabled and disabled during use based on on-demand scanning.
- Figure 10 illustrates a Java scanning module interfacing with Java, and filtering all Java applet and Java script executions.
- Figure 11 illustrates an on-demand scanner system including an on-demand scanner interacting with a component manager and a scan engine.
- Figure 12 illustrates a method for performing on-demand scanning, in accordance with one embodiment.
- Figure 13 illustrates a scan engine system including a scan engine module, a file parser, and an interpreter.
- Figure 14 illustrates a service agent (SA) architecture, in accordance with one embodiment.
- Figure 15 illustrates a method for scanning a mobile wireless device for malware, involving service agents.
- Figure 16 illustrates a sample service agent activation method, in accordance with one embodiment.
- Figure 17 provides a method for client and server package handling.
- Figure 18 illustrates the various steps of a package installation process, in accordance with one embodiment.
- Figure 19 illustrates the components of the platform abstraction layer and the manner in which they interface with a mobile wireless device and operating system thereof.
- Figure 20 illustrates a transaction server command process flow, in accordance with one embodiment.
- Figure 21 illustrates a plurality of personal device database table relationships, in accordance with one embodiment.
- Figure 22 shows an exemplary client information flow, in accordance with one embodiment.
- FIG. 1 illustrates an exemplary architecture 100 for scanning a mobile wireless device for malware, in accordance with one embodiment.
- the architecture 100 includes a mobile wireless device 102.
- Such mobile wireless device 102 may include, but is not limited to, a cellular phone, personal digital assistant (PDA), a palm computer, or any combination thereof. Further, such mobile wireless device 102 may rely on any desired operating system. It should be noted that the vast variety of mobile wireless devices 102 operate different operating systems, unlike traditional desktop and laptop environments which typically run Microsoft™ Windows™ operating systems.
- the mobile wireless device 102 is associated with an application service provider and is equipped with an anti-malware scanner for providing active content security service.
- the anti-malware scanner may include any program adapted to scan for or detect malware (i.e. a virus, Trojan horse, worm, or any other form of data or program that may result in an unexpected and/or unwanted outcome).
- the application service provider is initiated utilizing the mobile wireless device 102.
- the anti-malware scanner installed on the mobile wireless device 102 is updated over a wireless network utilizing the application service provider.
- the mobile wireless device 102 is then scanned utilizing the updated anti-malware scanner.
- the back-end architecture 104 may, in one embodiment, include a carrier gateway 106 for communicating with the mobile wireless device 102.
- a load distributor 108 may be coupled between the carrier gateway 106 and a plurality of hypertext transfer protocol (HTTP) servers 110 which, in turn, are coupled to a plurality of transaction servers 112.
- a database 114 is coupled between the transaction servers 112 and a configuration/reporting server 116.
- the back-end architecture 104 receives device requests, and sends and receives client-specific data to and from the mobile wireless devices 102.
- the transaction servers 112 make database queries to store and retrieve information to/from the database 114.
- Client configuration information, usage information and component update packages are stored in the database 114. Configuration and reporting may be accomplished via Web interfaces 118. More information regarding such back-end architecture 104 will be set forth hereinafter in greater detail.
- the anti-malware scanner on the mobile wireless devices 102 may be specifically designed with the following objects set forth in Table 1A in mind.
- the anti-malware scanner may evolve over time as new computer viruses and other malicious code are discovered.
- the anti-malware scanner is designed to protect wireless devices 102 from malicious code.
- the scope of this protection includes, but is not limited to, the following set forth in Table 1B.
- identify malicious code in persistent data stored on the device. This includes native executables as well as scripting languages embedded in documents.
- the anti-malware scanner architecture is based on a collection of components. These components are further analysed to expose properties and interfaces. This design helps isolate defects to specific components as well as providing a framework for porting the design to other devices with different hardware requirements.
- FIG. 2 illustrates an overview of the component architecture 200 associated with the anti-malware scanner running on the mobile wireless devices.
- a user interface 202 is provided which communicates with a component manager 204.
- Such component manager 204 is responsible for controlling and managing an on-access scanner module 206, on-demand scanner module 208, Java-scanner module 210, service manager module 212, and activity logging module 214.
- the on-access scanner module 206, on-demand scanner module 208, and the Java-scanner module 210 utilize a common scan engine 216.
- the anti-malware scanner component architecture 200 further includes a platform abstraction layer 218 that provides an interface between an operating system 220 of the mobile wireless device and the component manager 204 and the components associated therewith.
- Figure 3 illustrates a method 300 for scanning a mobile wireless device for malware utilizing a user interface, in accordance with one embodiment.
- in decision 302 it is determined whether an update command is received from a user utilizing a graphical user interface of a mobile wireless device.
- the update command may be received upon the selection of an update icon displayed on the graphical user interface of the mobile wireless device.
- an anti-malware scanner installed on the mobile wireless device is then updated over a wireless network in response to the update command.
- it is then determined whether a scan command has been received via the selection of a scan icon displayed on the graphical user interface of the mobile wireless device. More information regarding an exemplary interface with such icons will be set forth hereinafter during reference to Figure 4.
- the mobile wireless device is then scanned utilizing the updated anti-malware scanner, as indicated in operation 308.
- Such anti-malware scanner may be conditionally updated based on the update command so as to regulate usage of the wireless network with the mobile wireless device.
- a version number of a last update may be displayed utilizing the graphical user interface of the mobile wireless device. Further, a time of a last update may be displayed utilizing the graphical user interface of the mobile wireless device.
- the anti-malware scanner user interface is kept simple and effective. Configuration settings and updates are handled by the back-end system, relieving the user of any responsibilities. Some basic feedback such as the product name, logo, and version information is provided. The user may check for product updates and initiate a scan for malicious programs on removable media. The details for these capabilities are provided below.
- manual virus scanning of the entire device is performed according to the configuration settings set by the IT administrator. That is, either all files may be scanned or only certain types of files. Also, the IT Administrator specifies how the anti-malware scanner responds to any infected file that is found. Upon scan completion, a report is created that reflects what was scanned and whether any computer viruses were found.
- Figure 4 illustrates a sample user interface screen 400 that shows the features exposed by the anti-malware scanner.
- the user interface screen 400 may be displayed upon the selection of an anti-malware scanner tab 401 always shown on the user interface screen 400.
- other tabs such as a contacts tab 401-A, a mail tab 401-B, a browser tab 401-C, an address book tab 401-D, and a notes tab 401-E may also be provided.
- a scan icon 402, an update icon 404, and an about icon 406 are illustrated upon the selection of the anti-malware scanner tab 401 for allowing a user to carry out the functionality of the anti-malware scanner.
- the component manager inside the anti-malware scanner is the logic layer that instantiates the following subsystems of Table 1D.
- the component manager contains logic on how to instantiate the different subsystems, how to configure them, and manages when to activate and deactivate subsystems. It drives the entire application and can provide the user interface with feedback on subsystem progress.
- the user interface relies on the component manager to initiate actions such as manually scanning for computer viruses and to check for product updates.
- Figure 5 illustrates a block diagram 500 showing the interaction between the component manager 502 and the other subsystems 504 such as the user interface 506. As shown, any number of subsystems 508 may be employed per the desires of the user.
- How the component manager works
- Figure 6 illustrates a method 600 for scanning a mobile wireless device for malware utilizing a component manager, in accordance with one embodiment.
- the component manager is initially instantiated, in operation 602, just like any other core technology component of the present embodiment.
- the operation 602 may be executed in response to a scan command received from a user utilizing the user interface of the mobile wireless device.
- memory is allocated to store private data information for the component manager.
- the configuration manager is then used to load the anti-malware scanner scan settings into the private memory just allocated. See operation 606.
- the specialized subsystems are initiated. See operation 608. These subsystems may include the on-access scanning, activity logging and/or a service agent function.
- the on-demand scanning subsystem is only instantiated on a per need basis in order to save system resources. On-demand scanning is only needed when manual device scanning is requested. Based on these initialisation steps, a completion return code is returned to the owner of this subsystem.
- the on-access scanning subsystem is initiated so real-time monitoring for viruses begins.
- a component manager callback function is called by the on-access scanning subsystem.
- the component manager determines, based on the scan settings, how it wishes the on-access scanning subsystem to deal with infected items.
- the completion status of this event is then passed to the activity logging subsystem for recording purposes.
- when manual scanning is requested, it is performed according to the established configuration provided by an IT administrator. Manual scanning involves accessing several files or databases on the device, and this same activity is what the on-access scanner monitors. So that system resources are not spent unnecessarily, the on-access scanning subsystem is disabled for the brief period during which on-demand scanning is active.
- the component manager exposes all its functionality through an API layer. No platform dependencies are necessarily assumed. All interfaces follow a sandwiched approach: an initialisation call obtains an instance handle, the component manager worker functions are then available through that handle, and when the object is no longer needed it is destroyed. The number of features that a user interface can request from the component manager may be limited. All knowledge of how scanning is performed may be contained within the component manager. A user interface can request the component manager to perform the steps of Table 1E.
- all events that are generated may be communicated back to the owner of the component manager handle using a callback function.
- the callback function may return a TRUE Boolean value to indicate an affirmative answer that the core technology in question should proceed with the action that is about to happen, or return a FALSE to indicate that the action should not be performed.
- CMgrCreate() creates an instance of the component manager.
- a user interface layer that wraps the core technology should make this call.
- the handle that is returned by this function call should be passed to all subsequent calls to the component manager.
- PFNCMGRNOTIFY pfnNotify // [in] Function to notify.
- PVOID pUserParam // [in] Any user defined value.
- the owner of this object can specify a user-specific pointer-sized value that should be passed to the callback function. This is handy for eliminating the need for static variables on platforms where static variables are not allowed.
- the CMgrDestroy() function destroys a component manager object that was created using CMgrCreate(). When this call is made all specialized subsystems are terminated and all resources associated with these subsystems are freed up.
- the CMgrActivate() function starts the specified core technology component. It should be called by the user interface to start certain actions such as a manual scan of the device or to start checking for an update.
- CompID Core component identifier that should be activated. This value can be any of the following values; if some other core component value is given, an error is returned.
- COMPID_ONDEMAND starts a manual scan of the device.
- COMPID_SERVAGENT start to check for a product update.
- See also: CMgrCreate(), CMgrDestroy(), CMgrActivate(), CMgrNotify()
- the CMgrNotify() function must be implemented by the calling application, and a pointer to it must be passed during initialisation to CMgrCreate(). The component manager notifies the caller about different events as they are about to occur, so the application can record these events if it has to. The application can also indicate, using the return code, whether the event it is being notified about should be allowed or disallowed.
- COMPID CompID // Component that generates this event.
- VSCNEVENT hEvent // Why the notification function was called.
- COMPMGRVALID Valid // Fields that are valid to check.
- HVSCNITEM hItem // Item that scanner is notifying about.
- pUserParam The same user-defined pointer-sized value that was given to the core component manager during creation is returned in this field. This is a convenient way for applications to avoid global static data, which is not supported on many platforms.
- CompID This field indicates the component identification number that is notifying about an event that is about to happen, or about an event that just happened. The possible component identification numbers are as follows:
- COMPID_ONACCESS On-access scanning subsystem.
- COMPID_ONDEMAND On-demand scanning subsystem.
- COMPID_ACTILOG Activity logging subsystem.
- COMPID_SERVAGENT Service agent subsystem.
- hEvent This is the event that the CompID subsystem is notifying about. The possible event identifiers for this field are as follows:
- the component manager is indicating that a computer virus or some malicious code was found.
- the subsystem that found this malicious code is known from the CompID component identification number. If the component that found this malicious code is the on-demand scanner, a return code of TRUE indicates that scanning should continue. A return code of FALSE indicates that scanning should be stopped. If FALSE is returned a confirmation notification message VSE_CANCELLED may be sent to the owner of this object. Only the on-access and the on-demand scanning subsystems can generate this event.
- This event indicates the completion status of the action that was taken on an infected file. This event can only be generated by the on-access and by the on-demand subsystems. For possible completion status codes please see the DoneAction structure member. If the component that found this malicious code is the on-demand scanner, a return code of TRUE indicates that scanning should continue. A return code of FALSE indicates that scanning should be stopped. If FALSE is returned a confirmation notification message VSE_CANCELLED may be sent to the owner of this object. Only the on-access and the on-demand scanning subsystems can generate this event.
- VSE_SCANNINGITEM The file that is about to be scanned has already been pre-filtered based on the IT Administrator specified scan settings, so the user interface has no say about which files are scanned.
- the only core components that can generate this event are the on-access and the on-demand scanners. Because the user can choose to cancel a user initiated on-demand scan, the return code may only be respected if this event was generated by the on-demand scanner subsystem.
- a return code of TRUE indicates that scanning should continue.
- a return code of FALSE indicates that scanning should be stopped. If FALSE is returned a confirmation notification message VSE_CANCELLED may be sent to the owner of this object.
- VSE_START This event indicates to the caller that the core technology component identified in the
- This event indicates to the caller that the core technology component identified in the CompID structure member just terminated. This is only a notification message so any return code that is returned to the component manager from this event notification may be ignored.
- Valid This structure member indicates which of the fields below it contain valid values. It should be interpreted as a bit field, and the individual bits should be accessed in the standard documented C coding guideline way. The named bit fields are as follows: bit_hItem indicates that the hItem structure member is valid.
- bit_DoneAction indicates that the DoneAction structure member is valid.
- hItem This is a handle to an anti-malware scanner scan item. Information associated with this handle can be accessed using the ScnItem family of functions.
- DoneAction This structure member indicates the completion status of an action that was performed on an infected item. The completion status can be one of the following values:
- SCNDONE_NOACTION None was done about the infected item.
- SCNDONE_DENIEDACCESS Access to the infected item was denied.
- SCNDONE_CLEANED Infected item was cleaned.
- SCNDONE_CLEANFAILED Infected item could not be cleaned.
- SCNDONE_DELETED Infected item was deleted.
- the Boolean return value depends on the type of event that the owner of this object is being notified of. Please see the description of each event for the appropriate return code.
- See also: CMgrCreate(), CMgrDestroy()
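Added example (not the patent's or any product's code): the component manager notification contract described above, modelled in C. CMgrCreate(), CMgrDestroy(), CMgrActivate(), the COMPID_*, SCNDONE_* and bit_* names, and VSE_SCANNINGITEM, VSE_START and VSE_CANCELLED come from the text; VSE_INFECTED, VSE_ACTIONDONE and VSE_STOP are assumed names for the events the page leaves unnamed, HVSCNITEM is modelled as a path string, and the device contents are constructed. It shows that only the on-demand scanner's FALSE verdict cancels a scan, that VSE_CANCELLED confirms the cancellation, and that callback state travels in pUserParam rather than in static data.

```c
/* Added example, not the patent's own code: a compact model of the component manager
 * notification API described above. From the text: CMgrCreate(), CMgrDestroy(), CMgrActivate(),
 * PFNCMGRNOTIFY, COMPID_*, SCNDONE_*, bit_hItem, bit_DoneAction, VSE_SCANNINGITEM, VSE_START,
 * VSE_CANCELLED. Assumed names for unnamed events: VSE_INFECTED, VSE_ACTIONDONE, VSE_STOP. */
#include <stdlib.h>
typedef int BOOL;
#define TRUE  1
#define FALSE 0
typedef void *PVOID;
typedef const char *HVSCNITEM;   /* assumed: scan-item handle modelled as a path */
typedef unsigned COMPMGRVALID;   /* bit field: which optional members are valid */
#define bit_hItem      (1u << 0)
#define bit_DoneAction (1u << 1)

typedef enum { COMPID_ONACCESS, COMPID_ONDEMAND, COMPID_ACTILOG, COMPID_SERVAGENT } COMPID;
typedef enum { VSE_INFECTED, VSE_ACTIONDONE, VSE_SCANNINGITEM, VSE_START, VSE_STOP,
               VSE_CANCELLED } VSCNEVENT;
typedef enum { SCNDONE_NOACTION, SCNDONE_DENIEDACCESS, SCNDONE_CLEANED,
               SCNDONE_CLEANFAILED, SCNDONE_DELETED } SCNDONE;

typedef struct {
    PVOID        pUserParam;   /* value passed to CMgrCreate(); avoids static data */
    COMPID       CompID;       /* subsystem generating the event */
    VSCNEVENT    hEvent;       /* why the callback is being called */
    COMPMGRVALID Valid;        /* which of the members below are valid */
    HVSCNITEM    hItem;        /* item being reported, if bit_hItem is set */
    SCNDONE      DoneAction;   /* outcome of the action, if bit_DoneAction is set */
} CMGRNOTIFY;
typedef BOOL (*PFNCMGRNOTIFY)(const CMGRNOTIFY *pNotify);
typedef struct {
    PFNCMGRNOTIFY pfnNotify;
    PVOID         pUserParam;
    int           onAccessEnabled;   /* cleared while an on-demand scan runs */
    int           itemsScanned;
} CMGR, *HCMGR;

HCMGR CMgrCreate(PFNCMGRNOTIFY pfnNotify, PVOID pUserParam) {
    HCMGR h = pfnNotify ? calloc(1, sizeof *h) : NULL;   /* the callback is mandatory */
    if (h == NULL) return NULL;
    h->pfnNotify = pfnNotify;
    h->pUserParam = pUserParam;
    h->onAccessEnabled = 1;
    return h;
}
void CMgrDestroy(HCMGR h) { free(h); }
/* Delivers one event. Only the on-demand scanner honours a FALSE verdict; for every
 * other subsystem the return code is informational and is ignored. */
static BOOL Notify(HCMGR h, COMPID comp, VSCNEVENT ev, COMPMGRVALID valid,
                   HVSCNITEM item, SCNDONE done) {
    CMGRNOTIFY n = { h->pUserParam, comp, ev, valid, item, done };
    BOOL rc = h->pfnNotify(&n);
    return (comp == COMPID_ONDEMAND) ? rc : TRUE;
}

/* Constructed sample device contents; "infected" stands in for the scan engine's verdict. */
typedef struct { const char *path; int infected; } SAMPLE_FILE;
static const SAMPLE_FILE kDevice[] = {
    { "/apps/mail.prc", 0 }, { "/docs/readme.txt", 0 },
    { "/apps/dropper.prc", 1 }, { "/docs/notes.txt", 0 },
};
#define NUM_FILES (sizeof kDevice / sizeof kDevice[0])
/* Returns -1 for an unsupported component, 1 if the user cancelled, 0 otherwise. */
int CMgrActivate(HCMGR h, COMPID comp) {
    size_t i = NUM_FILES;   /* drops below NUM_FILES only when a scan is cancelled */
    if (comp != COMPID_ONDEMAND && comp != COMPID_SERVAGENT) return -1;
    Notify(h, comp, VSE_START, 0, NULL, SCNDONE_NOACTION);
    if (comp == COMPID_ONDEMAND) {
        h->onAccessEnabled = 0;   /* Figure 9: no double scanning while on-demand runs */
        h->itemsScanned = 0;
        for (i = 0; i < NUM_FILES; i++) {
            /* items are already pre-filtered by the IT administrator's scan settings */
            if (!Notify(h, comp, VSE_SCANNINGITEM, bit_hItem, kDevice[i].path, SCNDONE_NOACTION)) break;
            h->itemsScanned++;
            if (!kDevice[i].infected) continue;
            if (!Notify(h, comp, VSE_INFECTED, bit_hItem, kDevice[i].path, SCNDONE_NOACTION)) break;
            /* the manager, not the user interface, chooses the action from the scan settings */
            if (!Notify(h, comp, VSE_ACTIONDONE, bit_hItem | bit_DoneAction,
                        kDevice[i].path, SCNDONE_DENIEDACCESS)) break;
        }
        if (i < NUM_FILES) Notify(h, comp, VSE_CANCELLED, 0, NULL, SCNDONE_NOACTION);
        h->onAccessEnabled = 1;
    }
    Notify(h, comp, VSE_STOP, 0, NULL, SCNDONE_NOACTION);
    return i < NUM_FILES;
}

/* A user-interface layer's callback: keeps its state in pUserParam and may cancel an
 * on-demand scan as soon as the first infection is reported. */
typedef struct { int cancelOnInfection, infections, denied, cancelled; } UI_STATE;
BOOL UiNotify(const CMGRNOTIFY *n) {
    UI_STATE *ui = n->pUserParam;
    switch (n->hEvent) {
    case VSE_INFECTED:   ui->infections++; return ui->cancelOnInfection ? FALSE : TRUE;
    case VSE_ACTIONDONE: if ((n->Valid & bit_DoneAction) && n->DoneAction == SCNDONE_DENIEDACCESS) ui->denied++;
                         return TRUE;
    case VSE_CANCELLED:  ui->cancelled = 1; return TRUE;
    default:             return TRUE;   /* VSE_START, VSE_STOP, VSE_SCANNINGITEM are informational */
    }
}
```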
- Figure 7 illustrates a system 700 including an on-access scanner 702, in accordance with one embodiment. In general, the on-access scanner 702 is governed by operating system hooks 704 which provide document access notification. Further, the on-access scanner 702 interfaces with a scan engine 706 to scan documents. Still yet, the on-access scanner 702 reports scan activity to a component manager 708. More information relating to such operation will now be set forth.
- the on-access scanner 702 identifies malware as documents are being accessed on the device.
- the on-access scanner 702 may be entirely transparent to the user until malicious code is discovered. Scanning can be performed on all executables and documents. This includes word processor documents or files being downloaded by a web browser.
- the on-access scanner can be configured to only scan certain types of documents.
- the on-access scanner 702 is notified of various events related to accessing documents. It then determines whether the document needs to be scanned.
- the scan engine 706 is used to detect malicious code. When malicious code is discovered, the on-access scanner 702 notifies the component manager 708. It is then the component manager's responsibility to determine which of the following actions in Table 2B to perform.
- On-access file scanning is accomplished by hooking into a file access notification mechanism that resides inside the operating system.
- the file system related events that are filtered are as follows.
- File Create Event When a file create event is received it may be because the user has decided to download, beam or install some sort of application.
- the anti-malware scanner keeps track of reference information associated with this event and matches it up with the corresponding close event. This is done because a newly created file does not yet contain any information that can be analyzed for malicious code. Note that if a "file create" event is the same as a file open event, the two are combined into one.
- prior to opening a file, the anti-malware scanner must make sure that the file is not infected. If the file is not infected, identification information is obtained from it. This way, when the file is closed, this same information is compared to determine whether any changes were made to the file. If changes were made, the anti-malware scanner resorts to a more resource intensive task to ensure that the file does not contain any malicious code. Note that if application execution is a different event from a regular file open event, file execution should be monitored the same way.
- the close event must be monitored for several reasons. As described above, when a file is created, it is scanned after the close operation occurred so the anti-malware scanner can analyze its content for computer viruses.
- the on-access scanner subsystem is made usable with the help of other application subsystems.
- Each subsystem that on-access scanning interacts with is described below, together with the reason the interaction is needed.
- When the on-access scanning subsystem determines that there is something important to report, such as an error condition or an infected file having been found, it informs the component manager.
- the scan engine is the component that takes a file and analyzes it to see if the file contains any malicious code.
- the scan engine is invoked prior to an open event happening and after a close event has happened.
- the on-access scanning subsystem must interact with the underlying operating system that informs of all file related events that take place.
- the operating system may always inform about the following information in Table 2C.
- An example way of accomplishing this would be to have a file system hook installation function that accepts a pointer to a callback function and a void pointer to application defined data. This application defined data would then be passed with every call to the hooking function.
- An example set of functions that are required to perform comprehensive file system hooking is described in Table 3.
- The FsInstallHook() function installs a file system hook. All file I/O related events that occur within the operating system are piped through this function.
- Prototype: int FsInstallHook(PFNFSHOOK pAppCallback, void *pUser, PFNFSHOOK *ppPrevHook);
- A return value of zero should be returned for success, or any other number to indicate an error condition.
- The FsUninstallHook() function removes a previously installed file system hook.
- A return value of zero should be returned for success, or any other number to indicate an error condition.
- The FsHookFunc() is an application defined function that the operating system calls before a file event occurs. This allows an application to be notified of all file I/O related events before they occur, and gives the application the capability of allowing or disallowing a file I/O event from continuing. Because FsHookFunc() is called before the event occurs, the hooking function will normally chain the event to the next caller in the list using the pPrevHook value that was returned during hook installation. If the hooking function determines that further chaining of this file I/O event should not continue, it returns an error indicating this intent. As noted previously, the file system should allow for reentrancy, so that within FsHookFunc() the application can perform I/O operations on any other file that it chooses.
- This is an operating system dependent structure that contains all the necessary information needed by the operating system to perform a file I/O related function.
- Information that a hooking function can obtain from it includes:
- The file system function identifier that is currently being requested, such as CREATE, OPEN, EXECUTE, CLOSE, READ, WRITE, etc.
- Function specific attributes, such as file open attributes for an open function and the file handle for a close function.
- A return value of zero indicates success; any other number indicates an error condition. When an error is returned the operating system should not process this event.
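The hook chain and the create/open/close tracking described above, as an added illustration that is not part of the patent specification or of any product. The FSINFO layout, the event identifiers, the convention that the default operating system hook ignores pUser, and the toy scan engine with its constructed signature string are all assumptions made for this example:

```c
/* Added example, not the patent's code: a file-system hook chain in the style of
 * FsInstallHook()/FsHookFunc(), plus an on-access hook that pre-scans opens and
 * executes, remembers creates, and rescans changed files at close. The FSINFO
 * layout, event ids, fake scan engine and signature string are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef enum { FS_CREATE, FS_OPEN, FS_EXECUTE, FS_CLOSE } FsFunc;

typedef struct {                 /* assumed OS-dependent file I/O request */
    FsFunc func;                 /* file system function being requested */
    int handle;                  /* file handle; 0 means "no handle" here */
    const char *path;
    const unsigned char *data;   /* content the OS is about to act on */
    size_t len;
} FSINFO;

typedef int (*PFNFSHOOK)(FSINFO *pInfo, void *pUser);

/* OS side: one hook slot, initially a default handler that allows everything */
static int os_default_hook(FSINFO *p, void *u) { (void)p; (void)u; return 0; }
static PFNFSHOOK g_os_hook = os_default_hook;
static void     *g_os_user = NULL;

int FsInstallHook(PFNFSHOOK pAppCallback, void *pUser, PFNFSHOOK *ppPrevHook)
{
    if (!pAppCallback || !ppPrevHook) return -1;
    *ppPrevHook = g_os_hook;     /* the new hook chains to this one */
    g_os_hook = pAppCallback;
    g_os_user = pUser;
    return 0;
}

/* The OS routes every file event here; non-zero means "do not process it" */
int os_dispatch(FSINFO *p) { return g_os_hook(p, g_os_user); }

/* Fake scan engine: a constructed marker string, not a real signature */
static const char SIG[] = "TEST-MALWARE-SIGNATURE";
static int is_infected(const unsigned char *d, size_t n)
{
    size_t s = sizeof SIG - 1;
    for (size_t i = 0; n >= s && i + s <= n; i++)
        if (memcmp(d + i, SIG, s) == 0) return 1;
    return 0;
}

/* FNV-1a of the content: the cheap "identification information" taken at open,
 * so an unchanged file is not rescanned at close */
static uint32_t fingerprint(const unsigned char *d, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= d[i]; h *= 16777619u; }
    return h;
}

#define MAX_OPEN 16
typedef struct {
    struct { int handle; uint32_t fp; int pending; } slot[MAX_OPEN];
    PFNFSHOOK prev;              /* previous hook, called to continue the chain */
    int detections;              /* what the component manager would be told */
} OnAccess;

static void track(OnAccess *oa, int handle, uint32_t fp, int pending)
{
    for (int i = 0; i < MAX_OPEN; i++) {
        if (oa->slot[i].handle != 0) continue;
        oa->slot[i].handle = handle; oa->slot[i].fp = fp; oa->slot[i].pending = pending;
        return;
    }
}

static int on_access_hook(FSINFO *p, void *pUser)
{
    OnAccess *oa = pUser;
    switch (p->func) {
    case FS_CREATE:              /* nothing to analyse yet: match it up at close */
        track(oa, p->handle, 0, 1);
        break;
    case FS_OPEN:
    case FS_EXECUTE:             /* must be clean before the OS opens or runs it */
        if (is_infected(p->data, p->len)) { oa->detections++; return 1; }  /* deny */
        track(oa, p->handle, fingerprint(p->data, p->len), 0);
        break;
    case FS_CLOSE:               /* rescan only new or modified content */
        for (int i = 0; i < MAX_OPEN; i++) {
            if (oa->slot[i].handle != p->handle) continue;
            int changed = oa->slot[i].pending ||
                          oa->slot[i].fp != fingerprint(p->data, p->len);
            if (changed && is_infected(p->data, p->len)) oa->detections++;
            oa->slot[i].handle = 0;
            break;
        }
        break;
    }
    /* chain to the previous hook; assumed: the default hook ignores pUser */
    return oa->prev ? oa->prev(p, NULL) : 0;
}

static OnAccess g_oa;
int on_access_install(void)
{
    memset(&g_oa, 0, sizeof g_oa);
    return FsInstallHook(on_access_hook, &g_oa, &g_oa.prev);
}
int on_access_detections(void) { return g_oa.detections; }
```

The point to take from it is the ordering: the hook denies an open or execute before the operating system acts on it, remembers a create because there is nothing to scan yet, and rescans at close only when the fingerprint taken at open no longer matches the content being closed.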
- the anti-malware scanner requires access to all files being accessed through system provided APIs.
- the on-access scanning subsystem resides parallel to the other specialized subsystems and as such the component manager manages it.
- Figure 8 illustrates a framework 800 with an on-access scanner 801 interfacing with the file system 802 and filtering all file I/O related events. Every file that is about to be accessed is passed to the scan engine 804 that determines whether it is safe to access it. If the scan engine 804 determines that it is not safe, the component manager 806 may be notified and, based on established scan settings, some action may be done on the infected file. See Table 4 for an exemplary API.
- The OnAccCreate() function creates an instance of the on-access scanning subsystem. If the creation returns success the subsystem is ready to monitor for viruses in real-time. The actual monitoring begins when the OnAccEnable() function is called to request the subsystem to enable itself.
- pUserParam: a user defined value that is passed to the call-back function.
- The OnAccDestroy() function destroys an on-access scan instance that was created using OnAccCreate(). There is no need to call OnAccEnable() to disable the on-access scanning subsystem prior to destroying it.
- The OnAccEnable() function allows the caller to enable and disable the on-access scanning subsystem that was created using OnAccCreate().
- The on-access scanner is disabled and re-enabled internally by the anti-malware scanner when an on-demand scan is started, so that the on-access scanner does not interfere with the on-demand scanner's work.
- Once on-demand scanning is completed, on-access scanning is re-enabled.
- Parameters: HONACCESS hOnAccess // [in] handle to on-access scanner; BOOL bEnable // [in] TRUE/FALSE to enable/disable.
- bEnable: a Boolean TRUE indicates that the on-access scanning subsystem should be enabled, that is, it should monitor file activities and scan files as they are being accessed.
- A Boolean value of FALSE disables the on-access scanning subsystem.
- Table 5 illustrates additional optional components of the on-access scanner API.
- The OnAccNotify() function is only a placeholder and should be defined by the calling application in case the application would like to be notified of events occurring within the on-access scanning subsystem. A pointer to this function should be passed to OnAccCreate().
- Prototype: typedef BOOL (*PFONACCNOTIFY)(PONACCNOTIFYINFO pNotify);
- PVOID pUserParam // User defined value used in OnAccCreate()
- VSCNEVENT hEvent // Reason why the notification was called.
- HVSCNITEM hItem // Item that the scanner is notifying about.
- the possible event identifiers for this field are as follows:
- VSE_INFECTED The component manager is indicating that a computer virus or some malicious code was found. The subsystem that found this malicious code is known from the CompID component identification number. If the component that found this malicious code is the on-demand scanner, a return code of TRUE indicates that scanning should continue. A return code of FALSE indicates that scanning should be stopped. If FALSE is returned, a confirmation notification message VSE_CANCELLED may be sent to the owner of this object. Only the on-access and the on-demand scanning subsystems can generate this event.
- VSE_COMPLSTATUS This event indicates the completion status of the action that was taken on an infected file.
- This event can only be generated by the on-access and by the on-demand subsystems. For possible completion status codes, please see the DoneAction structure member. If the component that found this malicious code is the on-demand scanner, a return code of TRUE indicates that scanning should continue. A return code of FALSE indicates that scanning should be stopped. If FALSE is returned, a confirmation notification message VSE_CANCELLED may be sent to the owner of this object. Only the on-access and the on-demand scanning subsystems can generate this event.
- The file that is about to be scanned has already been pre-filtered based on the IT administrator specified scan settings, so the user interface has no say about which files are being scanned.
- The only core components that can generate this event are the on-access and the on-demand scanners. Because the user can choose to cancel a user initiated on-demand scan, the return code is only respected if this event was generated by the on-demand scanner subsystem.
- a return code of TRUE indicates that scanning should continue.
- a return code of FALSE indicates that scanning should be stopped. If FALSE is returned a confirmation notification message VSE_CANCELLED may be sent to the owner of this object.
- This event indicates to the caller that the core technology component identified in the CompID structure member just finished initializing. This is only a notification message, so any return code returned to the component manager from this event notification may be ignored.
- This event indicates to the caller that the core technology component identified in the CompID structure member just terminated. This is only a notification message, so any return code returned to the component manager from this event notification may be ignored.
- hItem: This is a handle to a scan item. Information associated with this handle can be accessed using the ScnItem family of functions.
- DoneAction This structure member indicates the completion status of an action that was performed on an infected item.
- the completion status can be one of the following values:
- SCNDONE_CLEANED Infected item was cleaned.
- SCNDONE_CLEANFAILED Infected item could not be cleaned.
- SCNDONE_DELETED Infected item was deleted.
- SCNDONE_DELETEFAILED Infected item could not be deleted.
- The Boolean return value depends on the type of event that the owner of this object is being notified of. Please see the description of each event for the appropriate return code.
- See Also: OnAccCreate(), OnAccDestroy(), OnAccEnable()
- ScnItemCreate()
- The ScnItemCreate() function is used to create an object that contains all information there is to know about a scan object that is scanned by the on-access scanning subsystem.
- A 'Scan Item' object could contain the name of the file, the virus it was infected with, what type of scan actions the anti-malware scanner attempted to perform on it and the outcome of those operations.
- See Also: ScnItemDestroy(), ScnItemCopy(), ScnItemGetItemName(), ScnItemGetVirusName(), ScnItemGetActions(), ScnItemSetAction(), ScnItemSetUserParam(), ScnItemGetUserParam()
- ScnItemDestroy()
- The ScnItemDestroy() function is used to free up all resources associated with a scan item object that was created using ScnItemCreate().
- Parameters: hItem [in] handle to a scan item object that should be destroyed.
- See Also: ScnItemCreate(), ScnItemCopy(), ScnItemGetItemName(), ScnItemGetVirusName(), ScnItemGetActions(), ScnItemSetAction(), ScnItemSetUserParam(), ScnItemGetUserParam()
- The ScnItemCopy() function is used to create a copy of a scan item object.
- The copied object is a carbon copy of the source.
- Before calling this function, make sure ScnItemCreate() has been called on the hItemTgt scan item object.
- See Also: ScnItemCreate(), ScnItemDestroy(), ScnItemGetItemName(), ScnItemGetVirusName(), ScnItemGetActions(), ScnItemSetAction(), ScnItemSetUserParam(), ScnItemGetUserParam()
- ScnItemGetName()
- Description: The ScnItemGetName() function is used to retrieve the name of the item that this object references.
- HVSCNITEM hItem // [in] handle of the scan item.
- text_t *pBuffer // [out] file name is placed here.
- size_t uSize // [in] buffer size in CHARACTERS, not bytes.
- See Also: ScnItemCreate(), ScnItemDestroy(), ScnItemSetItemName(), ScnItemGetVirusName(), ScnItemGetActions(), ScnItemSetAction(), ScnItemSetUserParam()
- The ScnItemSetName() function is used to set the name of the item that this object references.
- HVSCNITEM hItem // [in] handle of the scan item.
- See Also: ScnItemGetVirusName(), ScnItemGetActions(), ScnItemSetAction(), ScnItemSetUserParam(), ScnItemGetUserParam()
- ScnItemGetVirusName()
- The ScnItemGetVirusName() function is used to get the name of the virus that this object references.
- See Also: ScnItemSetVirusName(), ScnItemGetActions(), ScnItemSetAction(), ScnItemSetUserParam(), ScnItemGetUserParam()
- ScnItemSetVirusName()
- The ScnItemSetVirusName() function is used to set the name of the virus that this object references.
- See Also: ScnItemCreate(), ScnItemDestroy(), ScnItemGetItemName(), ScnItemGetVirusName(), ScnItemGetActions(), ScnItemSetAction(), ScnItemSetUserParam()
- The ScnItemSetAction() function is used to indicate what was done to this scan item by a subsystem such as the scan engine. As an example, if cleaning this scan item was attempted, the outcome of this operation should be indicated so that other subsystems, such as activity logging, can retrieve this information. A queue of the 3 last scan actions is maintained within the object.
- HVSCNITEM hItem // [in] item that was scanned.
- SCNDONE_NOACTION Nothing was done about the infected item.
- SCNDONE_DENIEDACCESS Access to the infected item was denied.
- SCNDONE_CLEANED Infected item was cleaned.
- SCNDONE_CLEANFAILED Infected item could not be cleaned.
- SCNDONE_DELETED Infected item was deleted.
- SCNDONE_DELETEFAILED Infected item could not be deleted.
- The ScnItemGetActions() function is used to retrieve what actions were done on this scan item by subsystems such as the scan engine. A list of the 3 last scan actions is maintained within the scan item object. When the last item is of type SCNDONE_NOACTION, no more actions are associated with this scan item.
- HVSCNITEM hItem // [in] item that was scanned.
- SCNDONE_DENIEDACCESS Access to the infected item was denied.
- SCNDONE_CLEANED Infected item was cleaned.
- See Also: ScnItemCreate(), ScnItemDestroy(), ScnItemGetItemName(), ScnItemGetVirusName(), ScnItemSetVirusName(), ScnItemGetActions(), ScnItemSetAction(), ScnItemSetUserParam(), ScnItemGetUserParam()
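An added implementation of the scan item object sketched by the ScnItem functions above, written for this page and not taken from the patent. The field sizes, the C return convention (zero for success, -1 for failure) and the exact signatures are assumptions; the three-entry action queue terminated by SCNDONE_NOACTION and the buffer size given in characters follow the descriptions above:

```c
/* Added example, not the patent's code: a scan item object with bounded name
 * accessors and the three-entry action queue described for ScnItemSetAction()
 * and ScnItemGetActions(). Field sizes and return conventions are assumed. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

typedef enum {
    SCNDONE_NOACTION = 0,         /* also terminates the action list */
    SCNDONE_DENIEDACCESS, SCNDONE_CLEANED, SCNDONE_CLEANFAILED,
    SCNDONE_DELETED, SCNDONE_DELETEFAILED
} SCNDONE;

#define SCNITEM_MAX_ACTIONS 3
#define SCNITEM_NAME_MAX   128
#define SCNITEM_VIRUS_MAX   64

typedef struct ScnItem {
    char    name[SCNITEM_NAME_MAX];
    char    virus[SCNITEM_VIRUS_MAX];
    SCNDONE actions[SCNITEM_MAX_ACTIONS];   /* last three actions, oldest first */
    void   *user;
} *HVSCNITEM;

HVSCNITEM ScnItemCreate(void) { return calloc(1, sizeof(struct ScnItem)); }
void      ScnItemDestroy(HVSCNITEM h) { free(h); }
int ScnItemCopy(HVSCNITEM hItemTgt, HVSCNITEM hItemSrc)
{
    if (!hItemTgt || !hItemSrc) return -1;
    *hItemTgt = *hItemSrc;                  /* carbon copy */
    return 0;
}

/* Setters refuse a name that would be truncated rather than storing a silently
 * different name; getters refuse a buffer that is too small (uSize counts
 * characters, so the check is against the string length, not the byte size). */
static int set_str(char *dst, size_t cap, const char *src)
{
    if (!src || strlen(src) >= cap) return -1;
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}
static int get_str(const char *src, char *pBuffer, size_t uSize)
{
    size_t n = strlen(src);
    if (!pBuffer || uSize == 0) return -1;
    if (n >= uSize) { pBuffer[0] = '\0'; return -1; }
    memcpy(pBuffer, src, n + 1);
    return 0;
}
int ScnItemSetName(HVSCNITEM h, const char *name)                 { return h ? set_str(h->name, sizeof h->name, name) : -1; }
int ScnItemGetName(HVSCNITEM h, char *pBuffer, size_t uSize)      { return h ? get_str(h->name, pBuffer, uSize) : -1; }
int ScnItemSetVirusName(HVSCNITEM h, const char *name)            { return h ? set_str(h->virus, sizeof h->virus, name) : -1; }
int ScnItemGetVirusName(HVSCNITEM h, char *pBuffer, size_t uSize) { return h ? get_str(h->virus, pBuffer, uSize) : -1; }

/* Append an action; when the queue is full the oldest entry is dropped */
int ScnItemSetAction(HVSCNITEM h, SCNDONE action)
{
    if (!h || action == SCNDONE_NOACTION) return -1;
    int i = 0;
    while (i < SCNITEM_MAX_ACTIONS && h->actions[i] != SCNDONE_NOACTION) i++;
    if (i == SCNITEM_MAX_ACTIONS) {
        memmove(h->actions, h->actions + 1, (SCNITEM_MAX_ACTIONS - 1) * sizeof h->actions[0]);
        i = SCNITEM_MAX_ACTIONS - 1;
    }
    h->actions[i] = action;
    return 0;
}

/* Copy the recorded actions out, oldest first, terminated by SCNDONE_NOACTION
 * when there is room; returns how many real actions were copied */
size_t ScnItemGetActions(HVSCNITEM h, SCNDONE *out, size_t cap)
{
    size_t n = 0;
    if (!h || !out) return 0;
    while (n < SCNITEM_MAX_ACTIONS && n < cap && h->actions[n] != SCNDONE_NOACTION) {
        out[n] = h->actions[n];
        n++;
    }
    if (n < cap) out[n] = SCNDONE_NOACTION;
    return n;
}

int ScnItemSetUserParam(HVSCNITEM h, void *p) { if (!h) return -1; h->user = p; return 0; }
int ScnItemGetUserParam(HVSCNITEM h, void **ppUserParam)
{
    if (!h || !ppUserParam) return -1;
    *ppUserParam = h->user;
    return 0;
}
```

The refusal in the getters matters on a device where text_t may be wider than a byte: a caller that passes a byte count where a character count is expected gets an error and an empty string, not a partially copied name that the activity log would then record as if it were the real one.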
- The ScnItemSetUserParam() function is used to associate any pointer-sized argument with a scan item object.
- The meaning of this value is up to the application to define.
- See Also: ScnItemCreate(), ScnItemDestroy()
- The ScnItemGetUserParam() function is used to retrieve the application-associated value from this object.
- HVSCNITEM hItem // [in] scan item to query.
- PVOID *ppUserParam // [out] pointer to the associated value.
- See Also: ScnItemCreate(), ScnItemDestroy()
- Figure 9 illustrates the manner 900 in which the on-access scanner is enabled and disabled during use based on on-demand scanning.
- on-access scanning is disabled in operation 904.
- on-demand scanning may be performed in operation 906.
- the on-access scanning may be enabled in operation 908.
- The on-access scanning is disabled during on-demand scanning to preserve resources on the mobile wireless device.
- The OnAccEnable() command may be used to effect the enabling and disabling of the on-access scanning. More information on the on-demand scanning will be set forth hereinafter in greater detail.
- Java Applet and Script Scanning To protect against malicious Java applets and Java scripts, the anti-malware scanner requires access to executable images and scripts through system provided APIs.
- the Java applet / script scanning subsystem resides parallel to on-access scanning and on-demand scanning subsystems and, as such, it is managed by the component manager.
- Figure 10 illustrates the Java scanning module 1000 interfacing with the Java VM 1002 and filtering all Java applet and Java script executions. Every Java object that is about to be executed is passed to the scan engine 1004, which determines whether it is safe to execute the Java object. If the scan engine determines that it is not safe, the component manager 1006 may be notified and, based on established scan settings, some action may be taken on it.
- The JavaInstallHook() function installs a Java applet interpreter or a Java script interpreter hook. All I/O related events that occur within the Java interpreter are piped through this function.
- A return value of zero should be returned for success, or any other number to indicate an error condition.
- See Also: JavaUninstallHook(), JavaHookFunc()
- JavaUninstallHook() removes a previously installed Java interpreter hook.
- A return value of zero should be returned for success, or any other number to indicate an error condition.
- See Also: JavaInstallHook(), JavaHookFunc()
- JavaHookFunc()
- The JavaHookFunc() is an application defined function that the Java interpreter calls before a Java applet or a Java script is executed. This allows an application to analyze and allow or disallow the execution of the Java script. Because JavaHookFunc() is called before the execution occurs, the hooking function will normally chain this event to the next caller in the list using the pPrevHook value that was returned during hook installation. If the hooking function determines that further chaining of this event should not continue, it returns an error indicating this intent.
- pInterpreterInfo: This is a Java interpreter dependent structure that contains all the necessary information needed by the Java interpreter to perform an I/O related function.
- Information that a hooking function can obtain from it includes:
- The Java interpreter specific function identifier that is being performed, such as EXECUTE.
- Any Java interpreter data that is required to complete the request. As an example, for an execute event there should be a buffer pointer to the Java applet or Java script that is about to be executed.
- A return value of zero indicates success; any other number indicates an error condition. When an error is returned the Java interpreter should not process this event.
- See Also: JavaInstallHook(), Java2UninstallHook()
- Figure 11 illustrates an on-demand scanner system 1100 including an on-demand scanner 1101 interacting with a component manager 1102 and a scan engine 1104. Further provided is plug-in support 1106 which interfaces a plurality of abstract file system plug-ins 1108.
- The on-demand scanner 1101 is a component of the anti-malware scanner system responsible for scanning collections of data objects.
- The component manager 1102 initiates calls to the on-demand scanner 1101.
- The on-demand scanner 1101 makes use of the scan engine 1104 to detect and clean malware. It also makes use of plug-ins 1106, 1108 to determine whether a given file can be interpreted as a directory. For example, a compressed archive can be enumerated like a directory.
- the plug-ins 1108 may supply alternate translations to files for decompression, decryption, or other aspects of using the file.
- the on-demand scanner 1101 recursively enumerates all data objects on the device from a given starting location.
- To use the on-demand scanner 1101, the caller must initialise an SE_SCANNER from the scan engine 1104 and the proper callback functions.
- Figure 12 illustrates a method 1200 for performing on-demand scanning, in accordance with one embodiment.
- the scanner is started in operation 1202, after which a first entry is identified in operation 1204. It is then determined whether the entry is of a file type or a directory type in decision 1206.
- a filter is obtained in operation 1208, after which a file callback is executed in operation 1210. Based on the callback function, the file is then conditionally scanned in operation 1212. If the file is deemed infected, a clean callback is executed. See operation 1214.
- a directory callback is executed in operation 1216.
- a recursive scan is executed in operation 1218. The foregoing method 1200 is continued until all of the entries are identified (see operation 1220).
- the SCAN_ACTION enumeration is used by callback functions to tell the on-demand scanner what to do when the callback function returns.
- Skip the next item to be scanned. This may be used to skip files or directories depending on the callback function that returns this value.
- The returned handle is used for setting callback functions and launching the recursive scan. It must be destroyed when no longer needed with ODDestroyScanner().
- See Also: ODDestroyScanner(), ODSetFileCallback(), ODSetDirCallback(), ODSetCleanFileCallback()
- The pScanFileCallback() is called by the ODScanRecursiveDir() function just before each file is scanned.
- The data pointer sent to ODSetScanFileCallback() is passed to the pScanFileCallback(). This enables the application to supply context information.
- This function is implemented by the ODScanRecursiveDir() caller. It is used by ODScanRecursiveDir() to notify the caller when a file is about to be scanned, and provides an opportunity to direct the scanner's behaviour.
- Prototype: typedef SCAN_ACTION (*PSCANFILECALLBACK)(void *pData, FILEPATH *pFName);
- Parameters: pData
- ScanFileCallback() must return one of the following:
- CONTINUE_RECURSIVE_SCAN This is the normal return value, so that the file may be scanned.
- ABORT_RECURSIVE_SCAN This is used to stop scanning entirely. The given file is not scanned.
- For the skip value, the given file is not scanned and the recursive scan continues with the next file.
- The callback function merely copies information for the timer to consume.
- The timer event displays progress and interacts with the user using a separate stack.
- The pScanDirCallback() is used by ODScanRecursiveDir() to notify the caller when a directory is about to be scanned, and provides an opportunity to direct the scanner's behavior.
- Prototype: typedef SCAN_ACTION (*PSCANDIRCALLBACK)(void *pData, DIRPATH *pFName);
- The return values are the same as for pScanFileCallback().
- The pCleanFileCallback() is called when malware is discovered by the ODScanRecursiveDir() function. All the information necessary to call SECleanFile() is supplied.
- It is up to the callback function to call SECleanFile() if needed. As scanner state information is needed by the SECleanFile() function, it must be called before continuing the recursive scan, or not at all. Storing the scan_result_t id and calling SECleanFile() after returning from the callback may have unexpected results.
- The CleanFileCallback() is called when an infected file is discovered.
- The callback function is responsible for deciding what must be done with the malware, and executes the response.
- The response may be a call to SECleanFile().
- Prototype: typedef SCAN_ACTION (*PCLEANFILECALLBACK)(void *pData, HODS hScan, FILEPATH *pFileName, scan_result_t id);
- The CleanFileCallback() may return CONTINUE_RECURSIVE_SCAN or ABORT_RECURSIVE_SCAN.
- See Also: ODScanRecursiveDir(), pScanDirCallback(), pScanFileCallback(), ODSetScanFileCallback(), ODScanFileCallback(), ODScanDirCallback(), ODCleanFileCallback()
- the ODScanFileCallback () is called just before the given file is scanned. This provides the calling application an opportunity to track scan progress, to skip files, and abort scanning.
- The ODScanDirCallback() is called just before the given directory is scanned. Just like the ODScanFileCallback(), the application can track progress, skip the directory, or abort scanning.
- the ODCleanFileCallback () is only used when malware is detected. The application then needs to choose the proper action. This may include calling the SECleanFile () function. Any callback not set, or set to NULL, is ignored.
- Return Value: returned when ODScanRecursiveDir() is done.
- The SCAN_ACTION returned denotes how the function ended: CONTINUE_RECURSIVE_SCAN or ABORT_RECURSIVE_SCAN.
- A return value of CONTINUE_RECURSIVE_SCAN indicates that the scan completed successfully.
- ABORT_RECURSIVE_SCAN indicates that the scan was aborted.
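The recursive on-demand scan of Figure 12 with the file, directory and clean callbacks defined above, as an added example written for this page rather than code from the patent. The in-memory Entry tree stands in for the abstract file system, the callbacks receive paths as plain strings instead of FILEPATH and DIRPATH, the skip value is named SKIP_RECURSIVE_SCAN because the specification does not give its name, the depth cap is an addition, and SEScanFile() is a toy stand-in for the scan engine:

```c
/* Added example, not the patent's code: the recursive on-demand scan of Figure
 * 12 over a constructed in-memory tree, driven by file, directory and clean
 * callbacks. The Entry type, string paths instead of FILEPATH/DIRPATH, the name
 * SKIP_RECURSIVE_SCAN, the depth cap and the toy SEScanFile() are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef enum { CONTINUE_RECURSIVE_SCAN, ABORT_RECURSIVE_SCAN, SKIP_RECURSIVE_SCAN } SCAN_ACTION;
typedef int scan_result_t;                        /* -1 = clean, else malware id */

typedef struct Entry {
    const char *name;
    int is_dir;
    const char *content;                          /* files only */
    const struct Entry *children;                 /* directories only */
    size_t nchildren;
} Entry;

typedef SCAN_ACTION (*PSCANFILECALLBACK)(void *pData, const char *path);
typedef SCAN_ACTION (*PSCANDIRCALLBACK)(void *pData, const char *path);
typedef SCAN_ACTION (*PCLEANFILECALLBACK)(void *pData, const char *path, scan_result_t id);

typedef struct {                                  /* stands in for HODS */
    PSCANFILECALLBACK  file_cb;  void *file_data;
    PSCANDIRCALLBACK   dir_cb;   void *dir_data;
    PCLEANFILECALLBACK clean_cb; void *clean_data;
} ODScanner;

/* Toy scan engine: a constructed marker string stands in for a signature */
static scan_result_t SEScanFile(const char *content)
{
    return (content && strstr(content, "TEST-MALWARE")) ? 1 : -1;
}

/* Archives enumerated as directories can nest without bound, so recursion is
 * capped rather than trusting the input */
#define OD_MAX_DEPTH 8

static SCAN_ACTION scan_dir(const ODScanner *s, const Entry *dir, const char *path, int depth)
{
    if (depth > OD_MAX_DEPTH) return ABORT_RECURSIVE_SCAN;
    for (size_t i = 0; i < dir->nchildren; i++) {
        const Entry *e = &dir->children[i];
        char p[256];
        if (snprintf(p, sizeof p, "%s/%s", path, e->name) >= (int)sizeof p)
            return ABORT_RECURSIVE_SCAN;          /* too long: refuse, never truncate */
        SCAN_ACTION a = CONTINUE_RECURSIVE_SCAN;
        if (e->is_dir) {
            if (s->dir_cb) a = s->dir_cb(s->dir_data, p);
            if (a == ABORT_RECURSIVE_SCAN) return a;
            if (a == SKIP_RECURSIVE_SCAN) continue;
            if (scan_dir(s, e, p, depth + 1) == ABORT_RECURSIVE_SCAN) return ABORT_RECURSIVE_SCAN;
        } else {
            if (s->file_cb) a = s->file_cb(s->file_data, p);
            if (a == ABORT_RECURSIVE_SCAN) return a;
            if (a == SKIP_RECURSIVE_SCAN) continue;
            scan_result_t id = SEScanFile(e->content);
            /* clean callback runs while the scanner state for this file is live */
            if (id != -1 && s->clean_cb &&
                s->clean_cb(s->clean_data, p, id) == ABORT_RECURSIVE_SCAN)
                return ABORT_RECURSIVE_SCAN;
        }
    }
    return CONTINUE_RECURSIVE_SCAN;
}
SCAN_ACTION ODScanRecursiveDir(const ODScanner *s, const Entry *root) { return scan_dir(s, root, "", 0); }

/* Sample callbacks: count visits, skip the cache directory, optionally abort */
typedef struct { int files, dirs, infected, abort_after; char last_infected[256]; } Stats;
static SCAN_ACTION on_file(void *d, const char *p)
{
    Stats *st = d; (void)p; st->files++;
    return (st->abort_after && st->files >= st->abort_after) ? ABORT_RECURSIVE_SCAN
                                                            : CONTINUE_RECURSIVE_SCAN;
}
static SCAN_ACTION on_dir(void *d, const char *p)
{
    Stats *st = d; st->dirs++;
    return strcmp(strrchr(p, '/') + 1, "cache") == 0 ? SKIP_RECURSIVE_SCAN : CONTINUE_RECURSIVE_SCAN;
}
static SCAN_ACTION on_clean(void *d, const char *p, scan_result_t id)
{
    Stats *st = d; (void)id; st->infected++;
    snprintf(st->last_infected, sizeof st->last_infected, "%s", p);
    return CONTINUE_RECURSIVE_SCAN;               /* a real handler would call SECleanFile() */
}

/* Constructed tree: /apps/game.prc, /apps/evil.prc, /cache/tmp.bin, /readme.txt */
static const Entry apps_dir[]  = { {"game.prc", 0, "clean data", NULL, 0},
                                   {"evil.prc", 0, "hdr TEST-MALWARE body", NULL, 0} };
static const Entry cache_dir[] = { {"tmp.bin", 0, "TEST-MALWARE", NULL, 0} };
static const Entry root_dir[]  = { {"apps", 1, NULL, apps_dir, 2},
                                   {"cache", 1, NULL, cache_dir, 1},
                                   {"readme.txt", 0, "hello", NULL, 0} };
static const Entry sample_root = { "", 1, NULL, root_dir, 3 };

SCAN_ACTION run_sample_scan(Stats *st, int abort_after)
{
    memset(st, 0, sizeof *st);
    st->abort_after = abort_after;
    ODScanner s = { on_file, st, on_dir, st, on_clean, st };
    return ODScanRecursiveDir(&s, &sample_root);
}
```

Two details are worth noting. The clean callback is invoked from inside the walk, before the scanner moves on, which is the constraint the description of SECleanFile() places on callers. And a skipped directory is never entered, so its infected content is simply not seen: skipping is a performance and policy choice, not a safety one.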
- the on-demand scanner supports adding plug-ins for new abstract directory and file types. This enables adding support for compressed archives and other special file formats.
- the caller supplies a callback function for creating HDIR instances.
- the callback function takes an HFILE and detects whether the HFILE can be interpreted as an ADIR.
- the callback function must return an HDIR or NULL.
- This callback function is responsible for determining whether the given pAFile can be represented as an ADIR.
- compressed archives may be treated as an ADIR so that the contents can be enumerated and scanned.
- the callback must return NULL if it is not able to use the provided hFile. Otherwise, it returns a valid HDIR implementation for the pAFile.
- The callback can rely on the hFile remaining open for the life of the returned HDIR.
- the caller supplies a callback function for creating AFILE instances.
- the callback function takes an hFile and detects whether it is supported. If supported, the callback function returns a new HFILE. Otherwise, NULL.
- This callback function is used to determine if this filter supports the given hFile. If the hFile is supported, this function creates an HFILE interface to wrap the hFile.
- the hFile must remain available for the returned HDIR to use in accessing the file.
- the caller is responsible for releasing both the HDIR and hFile. Note that the caller must not release the hFile until after releasing the returned HDIR. Returns NULL if no HDIR filter is available.
- the supplied hFile must remain available for the returned HFILE to access.
- the caller is responsible for releasing both the returned HFILE and supplied hFile. Note that the caller must not release the hFile until after releasing the returned HFILE.
- Figure 13 illustrates a scan engine system 1300 including a scan engine module 1302, a file parser 1304, and an interpreter 1306.
- The scan engine system 1300 interfaces with the on-access and on-demand scanner modules 1308 to carry out virus detection and clean files. See operation 1310.
- The scan engine system 1300 is responsible for scanning individual data objects for malware and repairing infected documents. Potentially infected data is presented to the scan engine system 1300 by the on-access and on-demand scanner modules 1308. It is built to be system independent, and thus has an abstraction for data objects that can be scanned and cleaned.
- Scan Engine API
- the purpose of the scanner API is to enable the on-demand and on-access scanner modules 1308 to initiate detection and cleaning of malware in a given data object. This involves providing the necessary detection and cleaning files as well as providing data objects to scan.
- An abstract file system is used to make the scan engine system 1300 portable to new devices and enable scanning of many different data objects. More information about ADIR, ADIRENT, and AFILE data objects of the abstract file system will be set forth hereinafter in greater detail.
- Table 8 illustrates an exemplary scan engine API.
- The scanner is initialized with files found in the provided pADir. As the scanner does not know how to parse file names (being ASCII and Unicode agnostic), the ADIR must filter out any non-PD files.
- the supplied HDIR must enumerate only the PD files that are to be used by the scanner.
- The function returns an initialized SCANNER data structure.
- the contents of the SCANNER data structure are internal to the scan engine implementation.
- Scan the given file for malware.
- the return value may usually be -1 for no malware detected. Otherwise, SEScanFile returns an identifier for the discovered malware.
- the returned ID is used with the SECleanFile (), SEGetScanName (), and SEGetScanVariant () functions.
- the ID doesn't completely identify the malware as the scanner state holds information about what was discovered.
- hFile: the file opened for read access. The hFile may be a specialized interface for reading this type of file.
- Return Value: the returned scan_result_t is an identifier for the malware detected. If malware is not detected, the return value is -1.
- the string is the base name of the malware detected. If no name is available, NULL is returned.
- The PD file provides the necessary information to detect and clean malware on handheld devices.
- the PD file is composed of a header and a collection of records.
- the header provides general information about the use and management of the PD file.
- the records contain details about scanning and cleaning malware.
- 2-byte entries should be 2-byte aligned, and 4-byte entries 4-byte aligned. This resolves some portability issues on processors that cannot, or have difficulty with, accessing non-aligned memory. Note that aligned 4-byte values are not enforced in the instruction byte-code unless the target platform requires it.
- One goal is to keep file transfers to the PD devices small.
- Table 10 illustrates an exemplary file header.
- the PD file is formatted for the target.
- the target platform identifier denotes which type of target the file is intended. From this, the following information of Table 11 can be deduced.
- The definition of Table 12 is used for the target platforms of Table 13.
- the scan class identifier is a value for identifying what class of data the PD file is designed to scan.
- the following classes of Table 14 are identified at this time.
- The records have a common layout to make incremental update simple and to aid in finding records without making the scan engine large. An update sends only those records that need to be deleted, replaced, or added. See Table 15.
- the PD file uses record ID's. This makes it possible to move a record without having to change every reference to the record.
- the record header uses addresses to create a linked list of each type of record. This may help improve performance in finding the proper record. Eventually this could be used to sort records by record ID.
- Record lengths are only 2-byte values. This is intentional to make porting between 16-bit processors simple.
- a mobile wireless device such as a Palm® PilotTM uses a database instead of a file system.
- Each record can be at most 64KB. Nearly all scan functions may be very small. As they get larger, new instructions should be added to the language to move the functionality into the scan engine.
- This record contains a function for doing an initial scan of the selected file.
- the amount of code needed for this scan may exceed 64KB (the maximum record size).
- the first scan record starts the process, but may reference other scan records.
- One goal is to keep the initial scan record small, yet able to eliminate 80% of the clean files. This keeps the scan engine's memory footprint small as well as making efficient use of the processor.
- the scan function may return the record ID of the name record for this item.
- This table entry may provide the proper check function to verify the malware variant present. Though this does a double reference, it may not be important: most of the time is spent eliminating files, so this step may be rare.
- Check records
- Check records contain functions for identifying the specific malware variant once identified by the scan records.
- the check record starts with the following header information in Table 16.
- a clean record contains a function for removing the malware and repairing files if possible.
- Replacing a record is the same as deleting the original, and then adding a new record in its place.
- Free records may be set to zero to make predicting the checksum easier.
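A bounds-checked walker over a PD-style record table, as an added example written for this page. The patent's Tables 10 to 16 are not reproduced on this page, so the header and record layouts used here (little-endian; a 12-byte record header of u16 length, u16 type, u32 record ID and u32 offset of the next record of the same type), the type codes and the sample image are assumptions, not the actual PD format. What the example does carry over from the description above is the 2-byte record length, the record IDs, the per-type linked list and the 4-byte alignment:

```c
/* Added example, not the patent's code: a bounds-checked walker for a PD-style
 * file of header plus variable-length records. Header/record layouts, type
 * codes and the sample image are assumptions; the real Tables 10-16 differ. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PD_HDR         12
#define PD_REC_HDR     12
#define PD_MAX_RECORDS 64
enum { REC_SCAN = 1, REC_CHECK = 2, REC_CLEAN = 3, REC_NAME = 4 };

typedef struct { uint32_t off; uint16_t len, type; uint32_t id, next; } PdRecord;
typedef struct {
    const uint8_t *buf; size_t len;
    uint16_t target, scan_class;
    size_t nrecords; PdRecord rec[PD_MAX_RECORDS];
} PdFile;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

static int rec_index_at(const PdFile *pd, uint32_t off)
{
    for (size_t k = 0; k < pd->nrecords; k++) if (pd->rec[k].off == off) return (int)k;
    return -1;
}

/* Parse the record table. Every length is checked against the buffer before it
 * is trusted, records must be 4-byte aligned, and every "next" pointer must
 * land on the start of a record of the same type. */
int pd_parse(const uint8_t *buf, size_t len, PdFile *pd)
{
    if (!buf || !pd || len < PD_HDR || memcmp(buf, "PD", 2) != 0) return -1;
    memset(pd, 0, sizeof *pd);
    pd->buf = buf; pd->len = len;
    pd->target = rd16(buf + 4); pd->scan_class = rd16(buf + 6);
    uint16_t declared = rd16(buf + 8);
    if (declared > PD_MAX_RECORDS) return -1;
    size_t off = PD_HDR;
    for (uint16_t i = 0; i < declared; i++) {
        if ((off & 3) || off > len || len - off < PD_REC_HDR) return -1;
        uint16_t rlen = rd16(buf + off);
        if (rlen < PD_REC_HDR || rlen > len - off) return -1;   /* 2-byte length stays in bounds */
        PdRecord *r = &pd->rec[i];
        r->off = (uint32_t)off; r->len = rlen;
        r->type = rd16(buf + off + 2); r->id = rd32(buf + off + 4); r->next = rd32(buf + off + 8);
        off += (rlen + 3u) & ~3u;                                  /* pad to the next aligned record */
    }
    pd->nrecords = declared;
    for (size_t k = 0; k < pd->nrecords; k++) {
        if (pd->rec[k].next == 0) continue;
        int j = rec_index_at(pd, pd->rec[k].next);
        if (j < 0 || pd->rec[j].type != pd->rec[k].type) return -1;
    }
    return 0;
}

const PdRecord *pd_find_by_id(const PdFile *pd, uint32_t id)
{
    for (size_t k = 0; k < pd->nrecords; k++) if (pd->rec[k].id == id) return &pd->rec[k];
    return NULL;
}

/* Follow the per-type linked list from its first record; a visited set bounds
 * the walk so a crafted cycle cannot spin the scanner forever */
size_t pd_walk_type(const PdFile *pd, uint16_t type, uint32_t *ids, size_t cap)
{
    char visited[PD_MAX_RECORDS] = {0};
    size_t count = 0;
    int i = -1;
    for (size_t k = 0; k < pd->nrecords; k++) if (pd->rec[k].type == type) { i = (int)k; break; }
    while (i >= 0 && !visited[i] && count < cap) {
        visited[i] = 1;
        ids[count++] = pd->rec[i].id;
        i = pd->rec[i].next ? rec_index_at(pd, pd->rec[i].next) : -1;
    }
    return count;
}

/* Constructed sample: header + SCAN(id 100, next -> id 300), NAME(id 200), SCAN(id 300) */
size_t pd_build_sample(uint8_t *out, size_t cap)
{
    if (cap < 56) return 0;
    memset(out, 0, 56);
    memcpy(out, "PD", 2); wr16(out + 2, 1); wr16(out + 4, 1); wr16(out + 6, 1); wr16(out + 8, 3);
    wr16(out + 12, 16); wr16(out + 14, REC_SCAN); wr32(out + 16, 100); wr32(out + 20, 44);
    wr16(out + 28, 14); wr16(out + 30, REC_NAME); wr32(out + 32, 200); wr32(out + 36, 0);
    memcpy(out + 40, "EV", 2);                                     /* 14-byte record padded to 16 */
    wr16(out + 44, 12); wr16(out + 46, REC_SCAN); wr32(out + 48, 300); wr32(out + 52, 0);
    return 56;
}
```

These are the checks a scanner that consumes update records sent over the air has to make before acting on them: a 2-byte length that runs past the buffer, an unaligned record, a "next" pointer that lands inside a payload or on a record of a different type, and a cycle in the per-type list are each rejected or bounded rather than trusted. Free records being zeroed, as noted above, also makes a whole-file checksum predictable; the checksum itself is not modelled here because its definition is not on this page.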
- the activity logging subsystem is responsible for recording significant events to be collected at the back-end for analysis. This aids in providing information from the field to track outbreaks, detect and diagnose issues, and help determine how to improve the product.
- Service agent upgrades
- The detection of and response to malware are logged separately. Detection is logged immediately when the malware is detected. Once the action is taken and successfully completed, the response is logged. If anything were to go wrong with the response, one would at least see the detection entry.
- Adding log file entries is supported at two levels. The most common are functions that handle specific logging needs. These require all the necessary information and add it to the log file with minimum effort from the programmer.
- the lower layer manages the log file rotation and a generic mechanism for adding entries.
- the activity log requires the following configuration values in Table 18.
- A single log file is used until it reaches the log file rotation size, at which point it is renamed and a new log file is started. Once the total space used by all of the log files exceeds the maximum, the oldest log file is removed. As log files are uploaded from the device, they are deleted from the device.
- the log file location and naming conventions are configured per platform when the program is compiled.
- the log file may be truncated.
- Table 20 illustrates an exemplary interface associated with the activity logging module.
- LOG_TRACE is used to help diagnose problems by logging certain milestones in the program. Normally, trace messages are not added to the log file unless configured.
- LOG_WARNING is provided when a problem is encountered, but does not prevent the proper operation of the program.
- LOG_ERROR should be used when a recoverable error is encountered. Some functionality of the program may be hindered.
- LOG_FATAL should only be used when the error is severe, non-recoverable, or prevents the program from running. This may be useful in a post-mortem analysis if the device is returned.
- Log entries showing the application starting without a preceding stop entry may indicate that it crashed and was restarted.
- LogMessage() function: unlike LOG_TRACE messages, service events are always written to the log file.
- The low-level API manages log file rotation and adds generic entries to the log file. This interface is agnostic to what data is added to the log file.
- The high-level API is implemented on top of these functions.
- The first group is for adding entries to the log file:
- LogOpenEntry(), LogEntryField(), LogCloseEntry()
- The above functions are used to build new high-level API functions that stay within the supported subset of XML. Be careful to define all English words used as keywords, so that they can be parsed and translated easily into other languages. This keeps the raw log file human-readable (in English) while making it easy to view in any other language.
- LogOpenEntry() returns a handle to the log entry, or NULL on error.
- LogEntryField() returns 1 on success, or 0 if it failed to add the field.
- LogRead() returns a UTF-8 encoded, zero-terminated string holding one XML entry. Entries are self-contained in the sense that the caller can stop reading at any time and still have valid XML from what has been read.
- The returned string is only valid until the next call to LogRead(), at which point it may be overwritten with the next entry or de-allocated. A call to LogClose() also invalidates the string.
- NULL is returned if there are no more log entries.
- the file format may be based on XML.
- Each log file is numbered sequentially. This enables sorting and merging log files, as well as detecting when log files are missing. See Table 21.
- the strings entry-name and field-name are replaced with the actual entry and field names.
- The time-date-stamp is the time at which the entry is added to the log file. It is encoded as YYYYMMDDhhmmss, where YYYY is the year, MM the month, DD the day of the month, hh the hour, mm the minutes, and ss the seconds.
- message_type is one of trace, warning, error, or fatal.
- message_body is the text string provided for the message.
- A sample LogMalwareDetect entry is shown in Table 23:
- <detect date="YYYYMMDDhhmmss"><path>file-path</path><name>malware-name</name><variant>malware-variant</variant></detect>
- file-path is a string identifying where the infected item was found; malware-name is the name of the detected malware; malware-variant is the verified variant name of the infection.
- A LogServiceEvent entry is shown in Table 24.
- service-name is the name of the service: "on-demand", "on-access", "application", "agent", "installer". service-action is the word "start" or "stop".
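An added Python example of the logging design described in this section: the three low-level calls, high-level functions built on them, size-based rotation into sequentially numbered files with a cap on total space, one complete XML element per line so that a partial read still yields valid XML, and the start-without-stop check for detecting crashes. This is not the patent's code. The file name pattern activity.NNNN.log, the deliberately small rotation thresholds, the element names message and service (the page names only their fields), and the events written by demo() are assumptions made for the example.

```python
"""Rotating, sequentially numbered XML activity log (added example, not the patent's code).
Assumed: the activity.NNNN.log name pattern, the deliberately tiny rotation thresholds, the
element names "message" and "service" (the page names only their fields), and demo()'s events."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

ROTATE_SIZE = 300   # assumed: bytes in one file before the next numbered file is started
MAX_TOTAL = 800     # assumed: cap on all files together; the oldest is removed beyond it
FILE_RE = re.compile(r"^activity\.(\d{4})\.log$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")   # entry/field keywords: plain identifiers


class ActivityLog:
    def __init__(self, directory, clock=None, trace=False):
        self.dir, self.trace = directory, trace          # LOG_TRACE is dropped unless trace is on
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        os.makedirs(directory, exist_ok=True)

    # low-level API: generic entries plus rotation
    def _files(self):                                    # sequence numbers sort, merge, expose gaps
        return sorted((int(m.group(1)), os.path.join(self.dir, f))
                      for f in os.listdir(self.dir) if (m := FILE_RE.match(f)))

    def open_entry(self, entry_name):
        if not NAME_RE.match(entry_name):
            return None                                  # NULL on error
        return {"name": entry_name, "stamp": self.clock().strftime("%Y%m%d%H%M%S"), "fields": []}

    def entry_field(self, handle, field_name, value):
        if handle is None or not NAME_RE.match(field_name):
            return 0
        handle["fields"].append(f"<{field_name}>{escape(str(value))}</{field_name}>")
        return 1

    def close_entry(self, handle):
        files = self._files()
        seq = files[-1][0] if files else 1
        path = os.path.join(self.dir, f"activity.{seq:04d}.log")
        with open(path, "a", encoding="utf-8") as fh:   # one complete element per line
            fh.write(f'<{handle["name"]} date="{handle["stamp"]}">'
                     f'{"".join(handle["fields"])}</{handle["name"]}>\n')
        if os.path.getsize(path) >= ROTATE_SIZE:         # rotate: start the next numbered file
            open(os.path.join(self.dir, f"activity.{seq + 1:04d}.log"), "a").close()
        files = self._files()
        while len(files) > 1 and sum(os.path.getsize(p) for _, p in files) > MAX_TOTAL:
            os.remove(files.pop(0)[1])                   # drop the oldest file

    def read(self):                                      # stop after any line: still valid XML
        for _, path in self._files():
            with open(path, encoding="utf-8") as fh:
                for line in fh:
                    el = ET.fromstring(line)
                    yield {"entry": el.tag, "date": el.get("date"), **{c.tag: c.text for c in el}}

    # high-level API built on the three calls above
    def _write(self, entry_name, **fields):
        handle = self.open_entry(entry_name)
        if handle is None or not all(self.entry_field(handle, k, v) for k, v in fields.items()):
            return 0
        self.close_entry(handle)
        return 1

    def log_message(self, level, text):
        return 0 if level == "trace" and not self.trace else self._write("message", type=level, body=text)

    def log_malware_detect(self, path, name, variant):                 # Table 23 layout
        return self._write("detect", path=path, name=name, variant=variant)

    def log_service_event(self, service, action):
        return self._write("service", name=service, action=action)


def unclean_restarts(entries):
    """Count application 'start' events not preceded by a 'stop': the crash-and-restart signature."""
    running, crashes = False, 0
    for e in (e for e in entries if e["entry"] == "service" and e.get("name") == "application"):
        if e["action"] == "start":
            crashes, running = crashes + running, True
        elif e["action"] == "stop":
            running = False
    return crashes


def demo(directory=None):
    """Constructed scenario: start, detect, crash-restart, then filler to force rotation."""
    log = ActivityLog(directory or tempfile.mkdtemp(),
                      clock=lambda: datetime(2002, 4, 30, 12, 0, 0, tzinfo=timezone.utc))
    log.log_message("trace", "dropped unless tracing is configured")
    log.log_service_event("application", "start")
    log.log_malware_detect("/tmp/app.sis", "Demo.Family", "Demo.Family.v2")
    log.log_service_event("application", "start")        # no stop in between: crashed, restarted
    entries = list(log.read())
    rejected = log._write("message", **{"bad name": "x"}) == 0   # non-identifier keyword refused
    for _ in range(40):
        log.log_message("warning", "filler entry to drive rotation")
    files = log._files()
    return {"entries": entries, "crashes": unclean_restarts(entries), "files": len(files),
            "total_bytes": sum(os.path.getsize(p) for _, p in files), "bad_keyword_rejected": rejected}
```

Keeping every entry on its own line as a complete element is what makes the "stop reading at any time" property hold, and it also lets the back-end merge files from many devices by sorting on the date attribute and the file sequence number.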
- FIG 14 illustrates a service agent (SA) architecture 1400, in accordance with one embodiment.
- a service agent 1402 interfaces with an user interface 1403, an on-access scanner module 1404, and an on-demand scanner module 1406.
- the service agent 1402 communicates with the back-end architecture 1410 which may be controlled and monitored via a web-interface 1412.
- the service agent 1402 is thus responsible for communicating with the back-end architecture 1410. It handles delivering device-specific information such as log data to a remote back-end architecture 1410.
- the second responsibility is in retrieving the anti-malware scanner component installation and package updates.
- the component manager initiates service agent updates. This may be due to scheduled updates or by user initiated updates.
- Figure 15 illustrates a method 1500 for scanning a mobile wireless device for malware. Initially, in operation 1502, a service agent 1402 is initiated utilizing a mobile wireless device. In one embodiment, the service agent may be initiated by a user interface of the mobile wireless device.
- The service agent may be initiated by the anti-malware scanner of the mobile wireless device. Still yet, the service agent may be initiated by a daemon of the mobile wireless device. As an option, the service agent may be initiated by a scheduler of the mobile wireless device or by a trigger.
- information describing the mobile wireless device is transmitted to a back-end server over a wireless network utilizing the service agent of the mobile wireless device.
- The information describing the mobile wireless device may include log data. Such log data may be specific to the mobile wireless device.
- an update is then received from the back-end server over the wireless network utilizing the service agent of the mobile wireless device.
- the update may be wrapped.
- the update may include a header and a plurality of parts. Such parts may include a part-header section and a part-data section.
- an anti-malware scanner installed on the mobile wireless device is updated so that the mobile wireless device may be scanned utilizing the updated anti-malware scanner. More information regarding the foregoing architecture 1400 and associated method 1500 will now be set forth.
- Figure 16 illustrates a sample service agent activation method 1600, in accordance with one embodiment.
- The service agent 1602 can be launched by the user interface 1604, the on-demand and on-access scanners 1606, a background process (daemon) and/or system scheduler 1608, itself 1609, and an external signal/trigger 1610 originated from the service provider. More information regarding such triggers will now be set forth.
- The agent can be launched directly from the wireless user interface by the user.
- The user interface activates the agent.
- The service agent stays resident and waits (or sleeps) for the update-interval time specified in the anti-malware scanner configuration before contacting the update server.
- The agent is launched for new updates when the on-demand and/or on-access scanner notices that the update-interval time has elapsed since the agent was last activated.
- The wireless device/phone may support launching an application via a signal from its service provider.
- When an update signal from an external source is received by the device, it launches a pre-configured application, in this case the service agent, for an immediate update.
- the agent configuration information is kept in a central location.
- Table 25 lists the service agent communication configuration and status variables read/updated.
- The term "package" refers to any data/information uploaded to or downloaded from a remote update server. Each package is made up of a header and parts. Each part consists of a part-header and a part-data section. Designed for simplicity, endian-ness independence and extensibility, the anti-malware scanner package format is an HTTP-like transmission format that allows multiple inclusion of any type of data. The package format is composed of the following entries:
- Table 26 illustrates an exemplary format.
- the end-of-file marks the end-of-package data.
- Package and part header section has the following format:
- ContentName: ENTRY-NAME
- ContentLength: LENGTH
- ENTRY-NAME is the object identification name.
- LENGTH is the length of the subsequent DATA section in bytes.
- The part-data section is a binary chunk of data whose length is LENGTH.
- The part-header section can contain other useful information, for example content type, compression method, signatures, checksums, etc. A part can also carry information without any data section: set ContentLength: to zero and place the information in a header field.
- For example, the device identification number is uploaded to the server by setting ContentName to $DEV-UID, including a field named X-DEVUID, and setting ContentLength to zero. See Table 27 for a package containing the device ID number.
- The content name can carry pathname information, which makes the format suitable for multi-level packaging transfers. Because the installer acts on that name when unpacking a part, any path components in it must be treated as untrusted input and validated before anything is written to storage.
- Table 28 shows an example package uploaded to a server. It contains three separate pieces of information: 1) device identification number, 2) device log information, and 3) product and component version information (catalogue).
- The three types of part content uploaded to the server for back-end processing are: 1) the device identification number, 2) device system/log information in XML format, and 3) component version information.
- the device identification number is used by the back-end to validate a device connection.
- Uploaded system and log information is processed and stored in a back-end database for reporting.
- Product/component version information, catalogue is used by the back-end server in selecting an installation package to download.
- the upload package is created from data provided by individual components that are registered with the service agent to upload/report its information to the back-end server.
- the service agent simply requests the registered components for upload data.
- Table 29 illustrates sample upload parts.
- The server uses the device identification number specified in the X-Device-UID field to verify the client and retrieve client-specific information. This verification is done as soon as the part of the HTTP POST data containing the device identification is received.
- Event log: the client upload package also carries the wireless component/application log entries. Like the catalogue information, the log entries are formatted as XML. There are two types of log entry: the detection log and the application event log. A detection log entry contains the detected malware name, its type, the infected filename, and the action taken by the scanner. An application (or component) event log entry lists the severity of the event and a short message describing it. Both kinds of entry carry a timestamp in UTC. Table 30 illustrates the two XML formats.
- The log entry timestamp, given in UTC, has the format YYYYMMDDhhmmss shown in Table 31:
- YYYY year
- MM month (01-12)
- DD day of the month (01-31)
- hh hour of the day in 24-hour format (00-23)
- mm minute (00-59)
- ss second (00-59)
- Table 32 illustrates a sample log.
- The device catalogue (version information) upload lists the anti-malware scanner components. This catalogue information, together with the device identification number, is used to construct a download package for the specific device/client. Each catalogue entry in the client upload package follows the format in Table 33.
- the service agent does not directly generate or format the data in the upload package - the service agent uploads data obtained from its clients.
- the service agent uses a set of callback functions supplied by its caller (or client) to request upload information.
- The service agent API SaSetParameter (and SaSetParameters) is used by service agent client(s) to specify how to obtain upload data from each component.
- Each client is notified by the SA to construct a package part to upload.
- After uploading a package, the service agent waits for the server to return an installation package.
- The package header specifies the total package size, and the SA uses it to determine whether the package contains installation part(s). If the specified package size is greater than zero, the SA downloads and saves the entire package into a download directory and calls the component installer.
- Each install part in an install package is identified by the content name that specifies the data format. The installer uses the format identifier in selecting an appropriate unpacker/decompressor for extracting and installing files contained in the part. Table 34 illustrates a sample installation package.
- Figure 17 provides a method 1700 for client and server package handling.
- a package is prepared by a mobile wireless device to be uploaded. See operation 1702.
- This client package is then posted for access by the server in operation 1704.
- the client package is received in operation 1706, after which the client is verified in operation 1708. If an error is detected in decision 1712, an error message is posted in operation 1710. If not, however, the database is updated based on the client package in operation 1714.
- a server package is generated in operation 1716, after which the server package is posted for access by the client in operation 1718.
- the client process 1701 then proceeds by receiving the server package in operation 1720. If an error is identified in decision 1722, the process is terminated. If, however, no error is detected, the contents that are listed in operation 1724 are installed in operation 1726. Further, the catalogue is updated in operation 1728.
- the client-server communication is thus initiated by the service agent by posting an upload package to a remote server.
- An HTTP(S) POST is made to the server.
- the client connection is verified and the entire client package is received.
- the server updates database with the uploaded information, and then returns a package generated based on the information uploaded.
- the client installs components in the server package and updates its installed component catalogue.
- The device update process starts by preparing a package in the package format (MPF), basically composed of a UID entry, an XML file containing the device catalogue information (dat/engine/application versions) and log entries, and possibly quarantined files.
- MPF: package format
- The service agent may look up its configuration to find the URL to which to post the request.
- The URL may have the form shown in Table 35.
- The package may be sent to the remote back-end agent (RBA) with a standard HTTP POST request like the one given in Table 36.
- RBA: remote back-end agent
- The RBA may be invoked and may unpack the package looking for the catalogue information coming from the device (the details of what happens inside the RBA are described in another document). Based on the device's current catalogue, the RBA may prepare a custom package whose format may be device dependent, to better use intrinsic device capabilities and hence reduce the code footprint of the SA application. The RBA may send the prepared package as data inside the HTTP POST response given in Table 37. The connection to the RBA is then closed and the SA is free to process the package.
- The service agent uses a system-provided secure channel (e.g. SSL) for server communication, and authentication APIs to verify downloaded packages. Data uploaded from a device to the server is sent over the secure channel to protect private information.
- The download package containing virus detection files and component upgrades needs to be cryptographically signed and authenticated before any part of it is installed. Without proper authentication, a third party able to reach the device over the network could deliver a package of its own.
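The package format of Tables 26 to 29 together with the authentication requirement just stated, as an added Python example that is not part of the patent. It builds a client upload (device ID as a zero-length part carrying an X-DEVUID field, an XML log part, a catalogue part) and parses a package the way a service agent should: checking the signature over the whole body before interpreting any part, rejecting a ContentLength that does not match the bytes received, and refusing content names whose path information could escape the install directory. Assumed, because the page does not fix them: "Name: value" header lines terminated by CRLF and ended by a blank line, a package header whose ContentLength covers all parts that follow, an X-Signature header field, and HMAC-SHA256 under a constructed pre-shared key standing in for the public-key signature a deployment would use (a device should hold only a verification key, never a signing secret).

```python
"""Build, authenticate and parse the HTTP-like package format (added example, not the patent's code).
Assumed: "Name: value" CRLF header lines ended by a blank line, a package header whose
ContentLength covers all parts, an X-Signature field, and HMAC-SHA256 under a constructed
pre-shared key standing in for the public-key signature a real deployment would use."""
import hashlib
import hmac
import posixpath
from dataclasses import dataclass, field
from typing import Optional

CRLF = b"\r\n"
MAX_PART = 4 * 1024 * 1024          # assumed hard cap on a single part
KEY = b"demo-preshared-key"         # constructed; a real device would hold only a public key


@dataclass
class Part:
    name: str                                    # ContentName, may carry path information
    fields: dict = field(default_factory=dict)   # extra header fields (X-DEVUID, ContentType, ...)
    data: bytes = b""                            # part-data, exactly ContentLength bytes


def _header(name: str, length: int, fields: dict) -> bytes:
    lines = [f"ContentName: {name}", f"ContentLength: {length}"] + [f"{k}: {v}" for k, v in fields.items()]
    return CRLF.join(l.encode("utf-8") for l in lines) + CRLF + CRLF


def build_package(name: str, parts: list, key: bytes) -> bytes:
    body = b"".join(_header(p.name, len(p.data), p.fields) + p.data for p in parts)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()      # one tag covers every part
    return _header(name, len(body), {"X-Signature": tag}) + body


def _parse_header(buf: bytes, pos: int):
    end = buf.find(CRLF + CRLF, pos)
    if end < 0:
        raise ValueError("unterminated header")
    fields = {}
    for raw in buf[pos:end].split(CRLF):
        key, sep, value = raw.decode("utf-8").partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed header line {raw!r}")
        fields[key.strip()] = value.strip()
    name, length = fields.pop("ContentName", None), fields.pop("ContentLength", None)
    if name is None or length is None or not length.isdigit():     # rejects negatives and junk
        raise ValueError("ContentName/ContentLength missing or not a non-negative integer")
    return name, int(length), fields, end + 4


def safe_name(name: str) -> bool:
    """Content names may carry paths the installer acts on; refuse anything that could escape."""
    return (name == posixpath.normpath(name) and not name.startswith("/")
            and ".." not in name.split("/") and "\\" not in name and "\x00" not in name)


def parse_package(buf: bytes, key: bytes):
    pkg_name, total, pkg_fields, pos = _parse_header(buf, 0)
    if total != len(buf) - pos:
        raise ValueError("package length does not match the bytes received")
    body = buf[pos:]
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), pkg_fields.get("X-Signature", "").encode()):
        raise ValueError("package signature invalid; refusing to install")   # checked before parsing parts
    parts, pos = [], 0
    while pos < len(body):
        name, length, fields, pos = _parse_header(body, pos)
        if not safe_name(name):
            raise ValueError(f"unsafe content name {name!r}")
        if length > MAX_PART or length > len(body) - pos:
            raise ValueError(f"part {name!r} claims {length} bytes but {len(body) - pos} remain")
        parts.append(Part(name, fields, body[pos:pos + length]))
        pos += length
    return pkg_name, parts


def rejection_reason(buf: bytes, key: bytes) -> Optional[str]:
    """What the service agent would log when a package is refused; None if it parses cleanly."""
    try:
        parse_package(buf, key)
        return None
    except ValueError as exc:
        return str(exc)


def demo_upload() -> bytes:
    """Constructed client upload: device ID as a zero-length part, XML log entries, catalogue."""
    parts = [
        Part("$DEV-UID", {"X-DEVUID": "350123456789012"}),          # ContentLength 0, data in the field
        Part("$LOG", {"ContentType": "text/xml"},
             b'<detect date="20020430120000"><path>/app.sis</path><name>Demo</name><variant>v2</variant></detect>'),
        Part("$CATALOGUE", {}, b"engine 1.0.3\r\ndat 4.1.7\r\n"),
    ]
    return build_package("$UPLOAD", parts, KEY)
```

The order of checks in parse_package is the point: length consistency and the signature are verified over the raw bytes first, so a forged or truncated download never reaches the per-part parsing or the installer, and path validation happens before any content name is handed to an unpacker.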
- Table 38 illustrates an exemplary service agent API.
- the SaOpen() call creates a service agent(SA) instance and returns its handle.
- the returned handle must be released using the SaClose() call.
- NULL indicates failure
- SaClose() releases the system resources used by a service agent handle. If the SA is running as a separate process (the SA_RUN_FORK model), the process is terminated.
Applications Claiming Priority (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/920,065 US6718469B2 (en) | 2001-08-01 | 2001-08-01 | System and method for executing computer virus definitions containing general purpose programming language extensions |
US09/920,065 | 2001-08-01 | ||
US10/006,413 US6792543B2 (en) | 2001-08-01 | 2001-11-30 | Virus scanning on thin client devices using programmable assembly language |
US10/006,413 | 2001-11-30 | ||
US10/121,087 | 2002-04-10 | ||
US10/121,087 US7096501B2 (en) | 2001-08-01 | 2002-04-10 | System, method and computer program product for equipping wireless devices with malware scanning capabilities |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2003012644A1 true WO2003012644A1 (en) | 2003-02-13 |
Family
ID=27358127
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2002/013570 WO2003012644A1 (en) | 2001-08-01 | 2002-04-30 | System, method and computer program product for equipping wireless devices with malware scanning capabilities |
Country Status (2)
Country | Link |
---|---|
US (6) | US7861303B2 |
WO (1) | WO2003012644A1 |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004095177A2 (en) | 2003-04-17 | 2004-11-04 | Networks Associates Technology, Inc. | Platform-independent scanning subsystem api for use in a mobile communication framework |
WO2004095166A2 (en) | 2003-04-17 | 2004-11-04 | Networks Associates Technology, Inc. | Api system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework |
EP1549091A2 (fr) * | 2003-12-23 | 2005-06-29 | Alcatel | Terminal with means of protection against malfunction of certain Java applications |
US7178144B2 (en) | 2002-04-23 | 2007-02-13 | Secure Resolutions, Inc. | Software distribution via stages |
US7401133B2 (en) | 2002-04-23 | 2008-07-15 | Secure Resolutions, Inc. | Software administration in an application service provider scenario via configuration directives |
US7703139B2 (en) | 2004-05-19 | 2010-04-20 | Computer Associates Think, Inc. | Antivirus product using in-kernal cache of file state |
US8443446B2 (en) | 2006-03-27 | 2013-05-14 | Telecom Italia S.P.A. | Method and system for identifying malicious messages in mobile communication networks, related network and computer program product therefor |
CN103180862A (zh) * | 2010-08-25 | 2013-06-26 | 前景公司 | System and method for server-coupled malware prevention |
US9779253B2 (en) | 2008-10-21 | 2017-10-03 | Lookout, Inc. | Methods and systems for sharing risk responses to improve the functioning of mobile communications devices |
Families Citing this family (401)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7861303B2 (en) * | 2001-08-01 | 2010-12-28 | Mcafee, Inc. | Malware scanning wireless service agent system and method |
US7340774B2 (en) * | 2001-10-15 | 2008-03-04 | Mcafee, Inc. | Malware scanning as a low priority task |
US7016965B2 (en) * | 2001-11-13 | 2006-03-21 | International Business Machines Corporation | System and method for asynchronously reading data across secure sockets layer sessions |
US7401359B2 (en) * | 2001-12-21 | 2008-07-15 | Mcafee, Inc. | Generating malware definition data for mobile computing devices |
US7203681B1 (en) | 2002-02-20 | 2007-04-10 | Palm, Inc. | Hand-held device filtering |
US20040006586A1 (en) * | 2002-04-23 | 2004-01-08 | Secure Resolutions, Inc. | Distributed server software distribution |
US20030233483A1 (en) * | 2002-04-23 | 2003-12-18 | Secure Resolutions, Inc. | Executing software in a network environment |
US20030200300A1 (en) * | 2002-04-23 | 2003-10-23 | Secure Resolutions, Inc. | Singularly hosted, enterprise managed, plural branded application services |
GB0211644D0 (en) | 2002-05-21 | 2002-07-03 | Wesby Philip B | System and method for remote asset management |
US11337047B1 (en) | 2002-05-21 | 2022-05-17 | M2M Solutions Llc | System and method for remote asset management |
US7734824B2 (en) * | 2002-10-18 | 2010-06-08 | Ricoh Co., Ltd. | Transport of reversible and unreversible embedded wavelets |
TWI324309B (en) * | 2002-08-26 | 2010-05-01 | Interdigital Tech Corp | Communication circuit |
US7748039B2 (en) * | 2002-08-30 | 2010-06-29 | Symantec Corporation | Method and apparatus for detecting malicious code in an information handling system |
US7331062B2 (en) | 2002-08-30 | 2008-02-12 | Symantec Corporation | Method, computer software, and system for providing end to end security protection of an online transaction |
US7363373B2 (en) * | 2002-09-10 | 2008-04-22 | Corel Tw Corp. | Data scanning system and method thereof combining real-time scanning and periodical scanning modes |
FI113499B (fi) * | 2002-09-12 | 2004-04-30 | Jarmo Talvitie | Security system, method and device for combating computer viruses and isolating information |
US7363490B2 (en) * | 2002-09-12 | 2008-04-22 | International Business Machines Corporation | Method and system for selective email acceptance via encoded email identifiers |
US6981092B2 (en) * | 2002-10-31 | 2005-12-27 | Hewlett-Packard Development Company, L.P. | Automatic media readying system and method |
US7278019B2 (en) * | 2002-11-04 | 2007-10-02 | Hewlett-Packard Development Company, L.P. | Method of hindering the propagation of a computer virus |
US7386889B2 (en) * | 2002-11-18 | 2008-06-10 | Trusted Network Technologies, Inc. | System and method for intrusion prevention in a communications network |
US7660980B2 (en) | 2002-11-18 | 2010-02-09 | Liquidware Labs, Inc. | Establishing secure TCP/IP communications using embedded IDs |
JP3979285B2 (ja) * | 2002-12-17 | 2007-09-19 | 株式会社日立製作所 | Information processing system |
JP2004302516A (ja) * | 2003-03-28 | 2004-10-28 | Ntt Docomo Inc | Terminal device and program |
JP4597488B2 (ja) * | 2003-03-31 | 2010-12-15 | 株式会社日立製作所 | Program deployment method, system for implementing it, and processing program therefor |
US7493614B2 (en) * | 2003-03-31 | 2009-02-17 | Microsoft Corporation | System architecture and related methods for dynamically adding software components to extend functionality of system processes |
US8171551B2 (en) | 2003-04-01 | 2012-05-01 | Mcafee, Inc. | Malware detection using external call characteristics |
US7254811B2 (en) * | 2003-04-17 | 2007-08-07 | Ntt Docomo, Inc. | Update system and method for updating a scanning subsystem in a mobile communication framework |
US6987963B2 (en) * | 2003-04-17 | 2006-01-17 | Ntt Docomo, Inc. | System, method and computer program product for content/context sensitive scanning utilizing a mobile communication device |
US7640590B1 (en) | 2004-12-21 | 2009-12-29 | Symantec Corporation | Presentation of network source and executable characteristics |
US7366919B1 (en) * | 2003-04-25 | 2008-04-29 | Symantec Corporation | Use of geo-location data for spam detection |
US7739494B1 (en) | 2003-04-25 | 2010-06-15 | Symantec Corporation | SSL validation and stripping using trustworthiness factors |
US9118711B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9118708B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Multi-path remediation |
US9118709B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9100431B2 (en) | 2003-07-01 | 2015-08-04 | Securityprofiling, Llc | Computer program product and apparatus for multi-path remediation |
US8984644B2 (en) | 2003-07-01 | 2015-03-17 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9350752B2 (en) | 2003-07-01 | 2016-05-24 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US20070113272A2 (en) | 2003-07-01 | 2007-05-17 | Securityprofiling, Inc. | Real-time vulnerability monitoring |
US9118710B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | System, method, and computer program product for reporting an occurrence in different manners |
US7685573B2 (en) * | 2003-07-31 | 2010-03-23 | Sun Microsystems, Inc. | Flexible error trace mechanism |
US20050081053A1 (en) * | 2003-10-10 | 2005-04-14 | International Business Machines Corlporation | Systems and methods for efficient computer virus detection |
US20050177720A1 (en) * | 2004-02-10 | 2005-08-11 | Seiichi Katano | Virus protection for multi-function peripherals |
US20050177748A1 (en) * | 2004-02-10 | 2005-08-11 | Seiichi Katano | Virus protection for multi-function peripherals |
US8051483B2 (en) | 2004-03-12 | 2011-11-01 | Fortinet, Inc. | Systems and methods for updating content detection devices and systems |
US20050216762A1 (en) * | 2004-03-25 | 2005-09-29 | Cyrus Peikari | Protecting embedded devices with integrated reset detection |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US8898788B1 (en) | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
US8793787B2 (en) | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US9106694B2 (en) | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US7587537B1 (en) | 2007-11-30 | 2009-09-08 | Altera Corporation | Serializer-deserializer circuits formed from input-output circuit registers |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US8549638B2 (en) | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US20050268342A1 (en) * | 2004-05-14 | 2005-12-01 | Trusted Network Technologies, Inc. | System, apparatuses, methods and computer-readable media for determining security status of computer before establishing network connection second group of embodiments-claim set II |
US20060021021A1 (en) * | 2004-06-08 | 2006-01-26 | Rajesh Patel | Security event data normalization |
US20060015940A1 (en) * | 2004-07-14 | 2006-01-19 | Shay Zamir | Method for detecting unwanted executables |
US20060041893A1 (en) * | 2004-08-20 | 2006-02-23 | Microsoft Corporation | Extensible device synchronization architecture and user interface |
WO2006047163A2 (en) * | 2004-10-26 | 2006-05-04 | Priderock, L.L.C. | System and method for identifying and removing malware on a computer system |
US10043008B2 (en) * | 2004-10-29 | 2018-08-07 | Microsoft Technology Licensing, Llc | Efficient white listing of user-modifiable files |
US7698744B2 (en) | 2004-12-03 | 2010-04-13 | Whitecell Software Inc. | Secure system for allowing the execution of authorized computer program code |
US7673341B2 (en) * | 2004-12-15 | 2010-03-02 | Microsoft Corporation | System and method of efficiently identifying and removing active malware from a computer |
US7917955B1 (en) * | 2005-01-14 | 2011-03-29 | Mcafee, Inc. | System, method and computer program product for context-driven behavioral heuristics |
US7735138B2 (en) * | 2005-01-14 | 2010-06-08 | Trend Micro Incorporated | Method and apparatus for performing antivirus tasks in a mobile wireless device |
KR100599084B1 (ko) * | 2005-02-24 | 2006-07-12 | 삼성전자주식회사 | Virus treatment method in a mobile communication network |
US7349931B2 (en) * | 2005-04-14 | 2008-03-25 | Webroot Software, Inc. | System and method for scanning obfuscated files for pestware |
US7591016B2 (en) * | 2005-04-14 | 2009-09-15 | Webroot Software, Inc. | System and method for scanning memory for pestware offset signatures |
US7571476B2 (en) * | 2005-04-14 | 2009-08-04 | Webroot Software, Inc. | System and method for scanning memory for pestware |
CA2605786C (en) * | 2005-04-25 | 2012-06-19 | Lg Electronics Inc. | Reader control system |
US7721331B1 (en) * | 2005-05-19 | 2010-05-18 | Adobe Systems Inc. | Methods and apparatus for performing a pre-processing activity |
US8452744B2 (en) * | 2005-06-06 | 2013-05-28 | Webroot Inc. | System and method for analyzing locked files |
US7945958B2 (en) * | 2005-06-07 | 2011-05-17 | Vmware, Inc. | Constraint injection system for immunizing software programs against vulnerabilities and attacks |
US9705911B2 (en) * | 2005-06-30 | 2017-07-11 | Nokia Technologies Oy | System and method for using quarantine networks to protect cellular networks from viruses and worms |
US20070006304A1 (en) * | 2005-06-30 | 2007-01-04 | Microsoft Corporation | Optimizing malware recovery |
US20070006300A1 (en) * | 2005-07-01 | 2007-01-04 | Shay Zamir | Method and system for detecting a malicious packed executable |
US8037290B1 (en) * | 2005-07-01 | 2011-10-11 | Symantec Corporation | Preboot security data update |
US8849752B2 (en) * | 2005-07-21 | 2014-09-30 | Google Inc. | Overloaded communication session |
US7832006B2 (en) * | 2005-08-09 | 2010-11-09 | At&T Intellectual Property I, L.P. | System and method for providing network security |
US8161548B1 (en) | 2005-08-15 | 2012-04-17 | Trend Micro, Inc. | Malware detection using pattern classification |
WO2007029091A1 (en) * | 2005-09-06 | 2007-03-15 | Nokia Corporation | Optimized broadcast of esg with simple fragment management scheme |
US7712132B1 (en) * | 2005-10-06 | 2010-05-04 | Ogilvie John W | Detecting surreptitious spyware |
US7779472B1 (en) * | 2005-10-11 | 2010-08-17 | Trend Micro, Inc. | Application behavior based malware detection |
US8484725B1 (en) * | 2005-10-26 | 2013-07-09 | Mcafee, Inc. | System, method and computer program product for utilizing a threat scanner for performing non-threat-related processing |
US20070201270A1 (en) * | 2005-12-30 | 2007-08-30 | Stmicroelectronics Pvt. Ltd. | Read only memory device with bitline leakage reduction |
US8255992B2 (en) * | 2006-01-18 | 2012-08-28 | Webroot Inc. | Method and system for detecting dependent pestware objects on a computer |
JP4983047B2 (ja) * | 2006-03-02 | 2012-07-25 | 富士ゼロックス株式会社 | Electronic data storage device and program |
AU2007200606A1 (en) * | 2006-03-03 | 2007-09-20 | Pc Tools Technology Pty Limited | Scanning files using direct file system access |
US7634262B1 (en) * | 2006-03-07 | 2009-12-15 | Trend Micro, Inc. | Virus pattern update for mobile device |
US9171157B2 (en) * | 2006-03-28 | 2015-10-27 | Blue Coat Systems, Inc. | Method and system for tracking access to application data and preventing data exploitation by malicious programs |
US9112897B2 (en) * | 2006-03-30 | 2015-08-18 | Advanced Network Technology Laboratories Pte Ltd. | System and method for securing a network session |
US8434148B2 (en) * | 2006-03-30 | 2013-04-30 | Advanced Network Technology Laboratories Pte Ltd. | System and method for providing transactional security for an end-user device |
WO2007117567A2 (en) * | 2006-04-06 | 2007-10-18 | Smobile Systems Inc. | Malware detection system and method for limited access mobile platforms |
US7975304B2 (en) * | 2006-04-28 | 2011-07-05 | Trend Micro Incorporated | Portable storage device with stand-alone antivirus capability |
US20070258437A1 (en) * | 2006-05-05 | 2007-11-08 | Broadcom Corporation, A California Corporation | Switching network employing server quarantine functionality |
US8316439B2 (en) * | 2006-05-19 | 2012-11-20 | Iyuko Services L.L.C. | Anti-virus and firewall system |
DE102006031870B4 (de) * | 2006-06-01 | 2008-07-31 | Siemens Ag | Method and system for providing a Mobile IP key |
US7814544B1 (en) * | 2006-06-22 | 2010-10-12 | Symantec Corporation | API-profile guided unpacking |
US8332947B1 (en) | 2006-06-27 | 2012-12-11 | Symantec Corporation | Security threat reporting in light of local security tools |
US8087084B1 (en) * | 2006-06-28 | 2011-12-27 | Emc Corporation | Security for scanning objects |
US20080005797A1 (en) * | 2006-06-30 | 2008-01-03 | Microsoft Corporation | Identifying malware in a boot environment |
US8234710B2 (en) * | 2006-07-05 | 2012-07-31 | BB4 Solutions, Inc. | Malware automated removal system and method using a diagnostic operating system |
US7996903B2 (en) | 2006-07-07 | 2011-08-09 | Webroot Software, Inc. | Method and system for detecting and removing hidden pestware files |
US8190868B2 (en) | 2006-08-07 | 2012-05-29 | Webroot Inc. | Malware management through kernel detection |
US7647590B2 (en) * | 2006-08-31 | 2010-01-12 | International Business Machines Corporation | Parallel computing system using coordinator and master nodes for load balancing and distributing work |
US20080148340A1 (en) * | 2006-10-31 | 2008-06-19 | Mci, Llc. | Method and system for providing network enforced access control |
US20080155696A1 (en) * | 2006-12-22 | 2008-06-26 | Sybase 365, Inc. | System and Method for Enhanced Malware Detection |
US7689567B2 (en) * | 2006-12-28 | 2010-03-30 | Sap Ag | Error handling for intermittently connected mobile applications |
US7673023B1 (en) * | 2006-12-29 | 2010-03-02 | Unisys Corporation | Method and apparatus for service processor updates |
US8689334B2 (en) * | 2007-02-28 | 2014-04-01 | Alcatel Lucent | Security protection for a customer programmable platform |
US8959568B2 (en) * | 2007-03-14 | 2015-02-17 | Microsoft Corporation | Enterprise security assessment sharing |
US8413247B2 (en) * | 2007-03-14 | 2013-04-02 | Microsoft Corporation | Adaptive data collection for root-cause analysis and intrusion detection |
US8955105B2 (en) * | 2007-03-14 | 2015-02-10 | Microsoft Corporation | Endpoint enabled for enterprise security assessment sharing |
US20080229419A1 (en) * | 2007-03-16 | 2008-09-18 | Microsoft Corporation | Automated identification of firewall malware scanner deficiencies |
DE102007018456B4 (de) * | 2007-04-19 | 2022-02-24 | Novaled Gmbh | Use of main group element halides and/or pseudohalides, organic semiconducting matrix material, electronic and optoelectronic components |
US8613092B2 (en) | 2007-05-21 | 2013-12-17 | Mcafee, Inc. | System, method and computer program product for updating a security system definition database based on prioritized instances of known unwanted data |
US20080295153A1 (en) * | 2007-05-24 | 2008-11-27 | Zhidan Cheng | System and method for detection and communication of computer infection status in a networked environment |
US8171467B1 (en) * | 2007-07-03 | 2012-05-01 | Trend Micro Incorporated | Updating of malicious code patterns using public DNS servers |
US9069960B1 (en) * | 2007-08-31 | 2015-06-30 | Mcafee, Inc. | System, method, and computer program product for avoiding an on-access scan of data accessible by a collaborative portal application after an on-demand scan |
US8373538B1 (en) | 2007-09-12 | 2013-02-12 | Oceans' Edge, Inc. | Mobile device monitoring and control system |
US20090100519A1 (en) * | 2007-10-16 | 2009-04-16 | Mcafee, Inc. | Installer detection and warning system and method |
US8918865B2 (en) | 2008-01-22 | 2014-12-23 | Wontok, Inc. | System and method for protecting data accessed through a network connection |
WO2009094371A1 (en) * | 2008-01-22 | 2009-07-30 | Authentium, Inc. | Trusted secure desktop |
US8706745B1 (en) * | 2008-05-30 | 2014-04-22 | Symantec Corporation | Systems and methods for determining a file set |
US8607344B1 (en) * | 2008-07-24 | 2013-12-10 | Mcafee, Inc. | System, method, and computer program product for initiating a security action at an intermediate layer coupled between a library and an application |
CN101640880A (zh) * | 2008-08-01 | 2010-02-03 | 中国移动通信集团公司 | Method, system and device for reporting and updating device description structure information |
US8521312B2 (en) * | 2008-08-06 | 2013-08-27 | Honeywell International Inc. | Apparatus and method for wireless access and control of process control instruments |
US8667583B2 (en) * | 2008-09-22 | 2014-03-04 | Microsoft Corporation | Collecting and analyzing malware data |
US8364705B1 (en) * | 2008-09-24 | 2013-01-29 | Symantec Corporation | Methods and systems for determining a file set |
US8051480B2 (en) * | 2008-10-21 | 2011-11-01 | Lookout, Inc. | System and method for monitoring and analyzing multiple interfaces and multiple protocols |
US8984628B2 (en) * | 2008-10-21 | 2015-03-17 | Lookout, Inc. | System and method for adverse mobile application identification |
US8087067B2 (en) | 2008-10-21 | 2011-12-27 | Lookout, Inc. | Secure mobile platform system |
US8060936B2 (en) | 2008-10-21 | 2011-11-15 | Lookout, Inc. | Security status and information display system |
US8108933B2 (en) | 2008-10-21 | 2012-01-31 | Lookout, Inc. | System and method for attack and malware prevention |
US9367680B2 (en) * | 2008-10-21 | 2016-06-14 | Lookout, Inc. | System and method for mobile communication device application advisement |
US8533844B2 (en) | 2008-10-21 | 2013-09-10 | Lookout, Inc. | System and method for security data collection and analysis |
US8099472B2 (en) * | 2008-10-21 | 2012-01-17 | Lookout, Inc. | System and method for a mobile cross-platform software system |
US8347386B2 (en) | 2008-10-21 | 2013-01-01 | Lookout, Inc. | System and method for server-coupled malware prevention |
US9235704B2 (en) | 2008-10-21 | 2016-01-12 | Lookout, Inc. | System and method for a scanning API |
US9043919B2 (en) | 2008-10-21 | 2015-05-26 | Lookout, Inc. | Crawling multiple markets and correlating |
US8850571B2 (en) | 2008-11-03 | 2014-09-30 | Fireeye, Inc. | Systems and methods for detecting malicious network content |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8855601B2 (en) | 2009-02-17 | 2014-10-07 | Lookout, Inc. | System and method for remotely-initiated audio communication |
US9042876B2 (en) | 2009-02-17 | 2015-05-26 | Lookout, Inc. | System and method for uploading location information based on device movement |
US9955352B2 (en) | 2009-02-17 | 2018-04-24 | Lookout, Inc. | Methods and systems for addressing mobile communications devices that are lost or stolen but not yet reported as such |
US8538815B2 (en) * | 2009-02-17 | 2013-09-17 | Lookout, Inc. | System and method for mobile device replacement |
US8467768B2 (en) | 2009-02-17 | 2013-06-18 | Lookout, Inc. | System and method for remotely securing or recovering a mobile device |
US9208315B2 (en) * | 2009-03-17 | 2015-12-08 | Microsoft Corporation | Identification of telemetry data |
US8490176B2 (en) * | 2009-04-07 | 2013-07-16 | Juniper Networks, Inc. | System and method for controlling a mobile device |
GB2469308B (en) * | 2009-04-08 | 2014-02-19 | F Secure Oyj | Disinfecting a file system |
US11489857B2 (en) | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource |
US8732296B1 (en) * | 2009-05-06 | 2014-05-20 | Mcafee, Inc. | System, method, and computer program product for redirecting IRC traffic identified utilizing a port-independent algorithm and controlling IRC based malware |
US9871811B2 (en) * | 2009-05-26 | 2018-01-16 | Microsoft Technology Licensing, Llc | Identifying security properties of systems from application crash traffic |
US9087195B2 (en) * | 2009-07-10 | 2015-07-21 | Kaspersky Lab Zao | Systems and methods for detecting obfuscated malware |
TW201128383A (en) | 2009-07-29 | 2011-08-16 | Reversinglabs Corp | Portable executable file analysis |
KR101017258B1 (ko) | 2009-09-24 | 2011-02-28 | 주식회사 잉카인터넷 | Process protection system and method using an object manager |
US8832829B2 (en) | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US8869282B1 (en) * | 2009-10-15 | 2014-10-21 | American Megatrends, Inc. | Anti-malware support for firmware |
GB2475473B (en) | 2009-11-04 | 2015-10-21 | Nds Ltd | User request based content ranking |
US8397301B2 (en) | 2009-11-18 | 2013-03-12 | Lookout, Inc. | System and method for identifying and assessing vulnerabilities on a mobile communication device |
US8584120B2 (en) * | 2009-11-23 | 2013-11-12 | Julian Michael Urbach | Stream-based software application delivery and launching system |
KR101183083B1 (ko) * | 2009-12-18 | 2012-09-20 | 주식회사 안랩 | Signature database update system and method, and database update apparatus for a client terminal |
US9665712B2 (en) * | 2010-02-22 | 2017-05-30 | F-Secure Oyj | Malware removal |
US9479357B1 (en) * | 2010-03-05 | 2016-10-25 | Symantec Corporation | Detecting malware on mobile devices based on mobile behavior analysis |
US9098333B1 (en) | 2010-05-07 | 2015-08-04 | Ziften Technologies, Inc. | Monitoring computer process resource usage |
US8918874B2 (en) * | 2010-05-25 | 2014-12-23 | F-Secure Corporation | Malware scanning |
US8732473B2 (en) | 2010-06-01 | 2014-05-20 | Microsoft Corporation | Claim based content reputation service |
US9202049B1 (en) | 2010-06-21 | 2015-12-01 | Pulse Secure, Llc | Detecting malware on mobile devices |
US8850321B2 (en) * | 2010-06-23 | 2014-09-30 | Hewlett-Packard Development Company, L.P. | Cross-domain business service management |
US8479292B1 (en) * | 2010-11-19 | 2013-07-02 | Symantec Corporation | Disabling malware that infects boot drivers |
US8763126B2 (en) | 2010-12-08 | 2014-06-24 | At&T Intellectual Property I, L.P. | Devices, systems, and methods for detecting proximity-based mobile propagation |
US9064112B2 (en) * | 2010-12-09 | 2015-06-23 | At&T Intellectual Property I, L.P. | Malware detection for SMS/MMS based attacks |
US10114660B2 (en) | 2011-02-22 | 2018-10-30 | Julian Michael Urbach | Software application delivery and launching system |
US20120216281A1 (en) | 2011-02-22 | 2012-08-23 | PCTEL Secure LLC | Systems and Methods for Providing a Computing Device Having a Secure Operating System Kernel |
KR20120096983A (ko) * | 2011-02-24 | 2012-09-03 | 삼성전자주식회사 | Method for detecting malicious programs and portable terminal implementing the same |
EP2684152B1 (en) | 2011-03-09 | 2020-07-22 | Irdeto B.V. | Method and system for dynamic platform security in a device operating system |
US8042186B1 (en) * | 2011-04-28 | 2011-10-18 | Kaspersky Lab Zao | System and method for detection of complex malware |
US8566935B2 (en) | 2011-05-12 | 2013-10-22 | At&T Intellectual Property I, L.P. | Balancing malware rootkit detection with power consumption on mobile devices |
US9535817B2 (en) * | 2011-06-10 | 2017-01-03 | Microsoft Technology Licensing, Llc | Application development environment for portable electronic devices |
US8516592B1 (en) | 2011-06-13 | 2013-08-20 | Trend Micro Incorporated | Wireless hotspot with lightweight anti-malware |
US8738765B2 (en) | 2011-06-14 | 2014-05-27 | Lookout, Inc. | Mobile device DNS optimization |
US8584242B2 (en) | 2011-07-12 | 2013-11-12 | At&T Intellectual Property I, L.P. | Remote-assisted malware detection |
US8788881B2 (en) | 2011-08-17 | 2014-07-22 | Lookout, Inc. | System and method for mobile device push communications |
US9298917B2 (en) | 2011-09-27 | 2016-03-29 | Redwall Technologies, Llc | Enhanced security SCADA systems and methods |
US10701097B2 (en) * | 2011-12-20 | 2020-06-30 | Micro Focus Llc | Application security testing |
RU2472215C1 (ru) | 2011-12-28 | 2013-01-10 | Закрытое акционерное общество "Лаборатория Касперского" | Method for detecting unknown programs using emulation of the boot process |
US8863288B1 (en) | 2011-12-30 | 2014-10-14 | Mantech Advanced Systems International, Inc. | Detecting malicious software |
US20130191497A1 (en) * | 2012-01-25 | 2013-07-25 | International Business Machines Corporation | Storage and Transmission of Log Data In a Networked System |
US8726338B2 (en) | 2012-02-02 | 2014-05-13 | Juniper Networks, Inc. | Dynamic threat protection in mobile networks |
US10070195B1 (en) * | 2012-02-09 | 2018-09-04 | Amazon Technologies, Inc. | Computing resource service security method |
US9032520B2 (en) | 2012-02-22 | 2015-05-12 | iScanOnline, Inc. | Remote security self-assessment framework |
US8948795B2 (en) | 2012-05-08 | 2015-02-03 | Sybase 365, Inc. | System and method for dynamic spam detection |
CN103425928B (zh) * | 2012-05-17 | 2017-11-24 | 富泰华工业(深圳)有限公司 | Antivirus system and method for an electronic device |
US9407443B2 (en) | 2012-06-05 | 2016-08-02 | Lookout, Inc. | Component analysis of software applications on computing devices |
US9589129B2 (en) | 2012-06-05 | 2017-03-07 | Lookout, Inc. | Determining source of side-loaded software |
US8910161B2 (en) * | 2012-07-13 | 2014-12-09 | Vmware, Inc. | Scan systems and methods of scanning virtual machines |
TWI460661B (zh) * | 2012-10-03 | 2014-11-11 | Inventec Corp | System and method for terminating programs in a mobile terminal |
US9460283B2 (en) * | 2012-10-09 | 2016-10-04 | Dell Products L.P. | Adaptive integrity validation for portable information handling systems |
CN103780589A (zh) * | 2012-10-24 | 2014-05-07 | 腾讯科技(深圳)有限公司 | Virus notification method, client device and server |
US8655307B1 (en) | 2012-10-26 | 2014-02-18 | Lookout, Inc. | System and method for developing, updating, and using user device behavioral context models to modify user, device, and application state, settings and behavior for enhanced user security |
US9208215B2 (en) | 2012-12-27 | 2015-12-08 | Lookout, Inc. | User classification based on data gathered from a computing device |
US9374369B2 (en) | 2012-12-28 | 2016-06-21 | Lookout, Inc. | Multi-factor authentication and comprehensive login system for client-server networks |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US8855599B2 (en) | 2012-12-31 | 2014-10-07 | Lookout, Inc. | Method and apparatus for auxiliary communications with mobile communications device |
US9424409B2 (en) | 2013-01-10 | 2016-08-23 | Lookout, Inc. | Method and system for protecting privacy and enhancing security on an electronic device |
US9286047B1 (en) | 2013-02-13 | 2016-03-15 | Cisco Technology, Inc. | Deployment and upgrade of network devices in a network environment |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9195829B1 (en) | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
WO2014130045A1 (en) * | 2013-02-23 | 2014-08-28 | iScan Online, Inc. | Remote security self-assessment framework |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9104867B1 (en) * | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9430646B1 (en) | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9413781B2 (en) | 2013-03-15 | 2016-08-09 | Fireeye, Inc. | System and method employing structured intelligence to verify and contain threats at endpoints |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US9471782B2 (en) * | 2013-04-08 | 2016-10-18 | Tencent Technology (Shenzhen) Company Limited | File scanning method and system, client and server |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9635039B1 (en) | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US9027078B1 (en) * | 2013-05-28 | 2015-05-05 | Symantec Corporation | Systems and methods for enforcing data loss prevention policies on sandboxed applications |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9584488B2 (en) * | 2013-08-09 | 2017-02-28 | Introspective Power, Inc. | Data encryption cipher using rotating ports |
US9171160B2 (en) | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US9642008B2 (en) | 2013-10-25 | 2017-05-02 | Lookout, Inc. | System and method for creating and assigning a policy for a mobile communications device based on personal data |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US10122747B2 (en) | 2013-12-06 | 2018-11-06 | Lookout, Inc. | Response generation after distributed monitoring and evaluation of multiple devices |
US9753796B2 (en) | 2013-12-06 | 2017-09-05 | Lookout, Inc. | Distributed monitoring, evaluation, and response for multiple devices |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9507935B2 (en) | 2014-01-16 | 2016-11-29 | Fireeye, Inc. | Exploit detection system with threat-aware microvisor |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9612587B2 (en) | 2014-02-11 | 2017-04-04 | Honeywell International Inc. | Mobile extension for industrial operator consoles |
US9241010B1 (en) | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US10243985B2 (en) | 2014-06-03 | 2019-03-26 | Hexadite Ltd. | System and methods thereof for monitoring and preventing security incidents in a computerized environment |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communications between remotely hosted virtual machines and malicious web servers |
US10002252B2 (en) | 2014-07-01 | 2018-06-19 | Fireeye, Inc. | Verification of trusted threat-aware microvisor |
US9990505B2 (en) | 2014-08-12 | 2018-06-05 | Redwall Technologies, Llc | Temporally isolating data accessed by a computing device |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
JP6246377B2 (ja) * | 2014-08-28 | 2017-12-13 | 三菱電機株式会社 | Process analysis device, process analysis method, and process analysis program |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US10489147B1 (en) * | 2014-10-01 | 2019-11-26 | Ivanti, Inc. | System and methods for patch management |
US9141431B1 (en) | 2014-10-07 | 2015-09-22 | AO Kaspersky Lab | System and method for prioritizing on access scan and on demand scan tasks |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US9934376B1 (en) | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US9949000B1 (en) * | 2015-03-17 | 2018-04-17 | 8X8, Inc. | IPBX control interface for distributed networks |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US9654485B1 (en) | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
EP3289510B1 (en) | 2015-05-01 | 2020-06-17 | Lookout Inc. | Determining source of side-loaded software |
US10374904B2 (en) | 2015-05-15 | 2019-08-06 | Cisco Technology, Inc. | Diagnostic network visualization |
US9800497B2 (en) | 2015-05-27 | 2017-10-24 | Cisco Technology, Inc. | Operations, administration and management (OAM) in overlay data center environments |
US9967158B2 (en) | 2015-06-05 | 2018-05-08 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US10536357B2 (en) | 2015-06-05 | 2020-01-14 | Cisco Technology, Inc. | Late data detection in data center |
US10142353B2 (en) | 2015-06-05 | 2018-11-27 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US10664590B2 (en) | 2015-10-01 | 2020-05-26 | Twistlock, Ltd. | Filesystem action profiling of containers and security enforcement |
US10943014B2 (en) | 2015-10-01 | 2021-03-09 | Twistlock, Ltd | Profiling of spawned processes in container images and enforcing security policies respective thereof |
US10567411B2 (en) | 2015-10-01 | 2020-02-18 | Twistlock, Ltd. | Dynamically adapted traffic inspection and filtering in containerized environments |
US10915628B2 (en) | 2015-10-01 | 2021-02-09 | Twistlock, Ltd. | Runtime detection of vulnerabilities in an application layer of software containers |
US10599833B2 (en) | 2015-10-01 | 2020-03-24 | Twistlock, Ltd. | Networking-based profiling of containers and security enforcement |
US10922418B2 (en) | 2015-10-01 | 2021-02-16 | Twistlock, Ltd. | Runtime detection and mitigation of vulnerabilities in application software containers |
US10223534B2 (en) | 2015-10-15 | 2019-03-05 | Twistlock, Ltd. | Static detection of vulnerabilities in base images of software containers |
US10586042B2 (en) | 2015-10-01 | 2020-03-10 | Twistlock, Ltd. | Profiling of container images and enforcing security policies respective thereof |
US10778446B2 (en) | 2015-10-15 | 2020-09-15 | Twistlock, Ltd. | Detection of vulnerable root certificates in software containers |
CN106682504B (zh) * | 2015-11-06 | 2019-08-06 | 珠海豹趣科技有限公司 | Method, apparatus and electronic device for preventing a file from being maliciously edited |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
WO2017100364A1 (en) * | 2015-12-07 | 2017-06-15 | Prismo Systems Inc. | Systems and methods for detecting and responding to security threats using application execution and connection lineage tracing |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10108446B1 (en) | 2015-12-11 | 2018-10-23 | Fireeye, Inc. | Late load technique for deploying a virtualization layer underneath a running operating system |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10621338B1 (en) | 2015-12-30 | 2020-04-14 | Fireeye, Inc. | Method to detect forgery and exploits using last branch recording registers |
US10133866B1 (en) * | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US10616266B1 (en) | 2016-03-25 | 2020-04-07 | Fireeye, Inc. | Distributed malware detection system and submission workflow thereof |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10826933B1 (en) | 2016-03-31 | 2020-11-03 | Fireeye, Inc. | Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10243972B2 (en) * | 2016-04-11 | 2019-03-26 | Crowdstrike, Inc. | Correlation-based detection of exploit activity |
US10171357B2 (en) | 2016-05-27 | 2019-01-01 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10931629B2 (en) | 2016-05-27 | 2021-02-23 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10289438B2 (en) | 2016-06-16 | 2019-05-14 | Cisco Technology, Inc. | Techniques for coordination of application components deployed on distributed virtual machines |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10708183B2 (en) | 2016-07-21 | 2020-07-07 | Cisco Technology, Inc. | System and method of providing segment routing as a service |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10354173B2 (en) * | 2016-11-21 | 2019-07-16 | Cylance Inc. | Icon based malware detection |
US10972388B2 (en) | 2016-11-22 | 2021-04-06 | Cisco Technology, Inc. | Federated microburst detection |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10708152B2 (en) | 2017-03-23 | 2020-07-07 | Cisco Technology, Inc. | Predicting application and network performance |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10523512B2 (en) | 2017-03-24 | 2019-12-31 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
US10250446B2 (en) | 2017-03-27 | 2019-04-02 | Cisco Technology, Inc. | Distributed policy store |
US10764141B2 (en) | 2017-03-27 | 2020-09-01 | Cisco Technology, Inc. | Network agent for reporting to a network policy system |
US10594560B2 (en) | 2017-03-27 | 2020-03-17 | Cisco Technology, Inc. | Intent driven network policy platform |
US10873794B2 (en) | 2017-03-28 | 2020-12-22 | Cisco Technology, Inc. | Flowlet resolution for application performance monitoring and management |
US10902119B1 (en) | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US10848397B1 (en) | 2017-03-30 | 2020-11-24 | Fireeye, Inc. | System and method for enforcing compliance with subscription requirements for cyber-attack detection service |
US10334015B2 (en) * | 2017-04-28 | 2019-06-25 | Bank Of America Corporation | Apparatus and methods for shortening user exposure to malicious websites |
US11424993B1 (en) | 2017-05-30 | 2022-08-23 | Amazon Technologies, Inc. | Artificial intelligence system for network traffic flow based detection of service usage policy violations |
US10218697B2 (en) | 2017-06-09 | 2019-02-26 | Lookout, Inc. | Use of device risk evaluation to manage access to services |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10680887B2 (en) | 2017-07-21 | 2020-06-09 | Cisco Technology, Inc. | Remote device status audit and recovery |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US10664254B2 (en) | 2017-10-23 | 2020-05-26 | Blackberry Limited | Analyzing binary software components utilizing multiple instruction sets |
US10891212B2 (en) | 2017-10-23 | 2021-01-12 | Blackberry Limited | Identifying functions prone to logic errors in binary software components |
US10554501B2 (en) | 2017-10-23 | 2020-02-04 | Cisco Technology, Inc. | Network migration assistant |
US10523541B2 (en) | 2017-10-25 | 2019-12-31 | Cisco Technology, Inc. | Federated network and application data analytics platform |
US10594542B2 (en) | 2017-10-27 | 2020-03-17 | Cisco Technology, Inc. | System and method for network root cause analysis |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11233821B2 (en) | 2018-01-04 | 2022-01-25 | Cisco Technology, Inc. | Network intrusion counter-intelligence |
US11765046B1 (en) | 2018-01-11 | 2023-09-19 | Cisco Technology, Inc. | Endpoint cluster assignment and query generation |
US10826803B2 (en) | 2018-01-25 | 2020-11-03 | Cisco Technology, Inc. | Mechanism for facilitating efficient policy updates |
US10798015B2 (en) | 2018-01-25 | 2020-10-06 | Cisco Technology, Inc. | Discovery of middleboxes using traffic flow stitching |
US10873593B2 (en) | 2018-01-25 | 2020-12-22 | Cisco Technology, Inc. | Mechanism for identifying differences between network snapshots |
US10574575B2 (en) | 2018-01-25 | 2020-02-25 | Cisco Technology, Inc. | Network flow stitching using middle box flow stitching |
US10917438B2 (en) | 2018-01-25 | 2021-02-09 | Cisco Technology, Inc. | Secure publishing for policy updates |
US10999149B2 (en) | 2018-01-25 | 2021-05-04 | Cisco Technology, Inc. | Automatic configuration discovery based on traffic flow data |
US11128700B2 (en) | 2018-01-26 | 2021-09-21 | Cisco Technology, Inc. | Load balancing configuration based on traffic flow telemetry |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US10735442B1 (en) * | 2018-06-04 | 2020-08-04 | Target Brands, Inc. | Network security analysis and malware detection using multiple types of malware information |
US11134090B1 (en) | 2018-06-04 | 2021-09-28 | Target Brands, Inc. | Network security analysis and malware detection using multiple types of malware information |
JP7070119B2 (ja) * | 2018-06-08 | 2022-05-18 | コニカミノルタ株式会社 | Image processing apparatus, control method therefor, and program |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US11347850B2 (en) | 2018-10-01 | 2022-05-31 | Blackberry Limited | Analyzing binary software code |
US10936718B2 (en) | 2018-10-01 | 2021-03-02 | Blackberry Limited | Detecting security risks in binary software code |
US11106791B2 (en) | 2018-10-01 | 2021-08-31 | Blackberry Limited | Determining security risks in binary software code based on network addresses |
US10984102B2 (en) * | 2018-10-01 | 2021-04-20 | Blackberry Limited | Determining security risks in binary software code |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11736499B2 (en) | 2019-04-09 | 2023-08-22 | Corner Venture Partners, Llc | Systems and methods for detecting injection exploits |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6292833B1 (en) * | 1998-07-17 | 2001-09-18 | Openwave Systems Inc. | Method and apparatus for providing access control to local services of mobile devices |
US20020042886A1 (en) * | 2000-08-31 | 2002-04-11 | Pasi Lahti | Software virus protection |
US6403312B1 (en) * | 1998-10-16 | 2002-06-11 | Xencor | Protein design automatic for protein libraries |
US6411685B1 (en) * | 1999-01-29 | 2002-06-25 | Microsoft Corporation | System and method for providing unified messaging to a user with a thin web browser |
Family Cites Families (61)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4724521A (en) * | 1986-01-14 | 1988-02-09 | Veri-Fone, Inc. | Method for operating a local terminal to execute a downloaded application program |
US5319776A (en) * | 1990-04-19 | 1994-06-07 | Hilgraeve Corporation | In transit detection of computer virus with safeguard |
JPH04181884A (ja) * | 1990-11-16 | 1992-06-29 | Sony Corp | Video signal recording apparatus |
US5539810A (en) * | 1992-01-27 | 1996-07-23 | Highwaymaster Communications, Inc. | Data messaging in a communications network |
US5240295A (en) * | 1992-02-27 | 1993-08-31 | Spencer Donald R | Knot tying device |
US5440702A (en) * | 1992-10-16 | 1995-08-08 | Delco Electronics Corporation | Data processing system with condition code architecture for executing single instruction range checking and limiting operations |
JP2501771B2 (ja) * | 1993-01-19 | 1996-05-29 | インターナショナル・ビジネス・マシーンズ・コーポレイション | Method and apparatus for obtaining a plurality of valid signatures of an undesired software entity |
US5440723A (en) * | 1993-01-19 | 1995-08-08 | International Business Machines Corporation | Automatic immune system for computers and computer networks |
JPH07146788A (ja) * | 1993-11-22 | 1995-06-06 | Fujitsu Ltd | System and method for creating a virus diagnosis mechanism, and virus diagnosis mechanism and diagnosis method |
US5864853A (en) * | 1994-09-14 | 1999-01-26 | Kabushiki Kaisha Toshiba | Portable file system operable under various computer environments |
US5896566A (en) * | 1995-07-28 | 1999-04-20 | Motorola, Inc. | Method for indicating availability of updated software to portable wireless communication units |
US5623600A (en) * | 1995-09-26 | 1997-04-22 | Trend Micro, Incorporated | Virus detection and removal apparatus for computer networks |
US5914675A (en) * | 1996-05-23 | 1999-06-22 | Sun Microsystems, Inc. | Emergency locator device transmitting location data by wireless telephone communications |
US6074434A (en) | 1996-06-07 | 2000-06-13 | International Business Machines Corporation | Selection of code updates, data updates or new data for client |
US5790796A (en) * | 1996-06-14 | 1998-08-04 | Symantec Corporation | Polymorphic package files to update software components |
US5832208A (en) * | 1996-09-05 | 1998-11-03 | Cheyenne Software International Sales Corp. | Anti-virus agent for use with databases and mail servers |
US6802028B1 (en) | 1996-11-11 | 2004-10-05 | Powerquest Corporation | Computer virus detection and removal |
US6108515A (en) * | 1996-11-21 | 2000-08-22 | Freeman; Michael J. | Interactive responsive apparatus with visual indicia, command codes, and comprehensive memory functions |
EP1010076A1 (en) * | 1996-11-27 | 2000-06-21 | 1Vision Software, L.L.C. | File directory and file navigation system |
KR20000069257A (ko) | 1996-12-04 | 2000-11-25 | 내쉬 로저 윌리엄 | Call setup process |
FI101922B1 (fi) * | 1997-01-03 | 1998-09-15 | Nokia Telecommunications Oy | Routing of a short message reply |
US6141681A (en) * | 1997-03-07 | 2000-10-31 | Advanced Micro Devices, Inc. | Method of and apparatus for transferring and interpreting a data package |
US5960170A (en) | 1997-03-18 | 1999-09-28 | Trend Micro, Inc. | Event triggered iterative virus detection |
US6123737A (en) * | 1997-05-21 | 2000-09-26 | Symantec Corporation | Push deployment of software packages using notification transports |
US5948104A (en) * | 1997-05-23 | 1999-09-07 | Neuromedical Systems, Inc. | System and method for automated anti-viral file update |
US6357008B1 (en) * | 1997-09-23 | 2002-03-12 | Symantec Corporation | Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases |
SE518180C2 (sv) * | 1997-11-06 | 2002-09-03 | Telia Ab | Call setup in mobile systems |
FI974244A (fi) * | 1997-11-14 | 1999-05-15 | Nokia Mobile Phones Ltd | Image compression method |
US6035423A (en) * | 1997-12-31 | 2000-03-07 | Network Associates, Inc. | Method and system for providing automated updating and upgrading of antivirus applications using a computer network |
DE19800378A1 (de) | 1998-01-08 | 1999-07-15 | Cit Alcatel | Method for transferring operating parameters from a central office to a locally limited wireless telecommunication system, and corresponding wireless telecommunication system |
FI106180B (fi) * | 1998-01-20 | 2000-11-30 | Nokia Mobile Phones Ltd | Status information transmission system, method for transmitting status information of an interface, and telecommunication terminal |
US6052531A (en) * | 1998-03-25 | 2000-04-18 | Symantec Corporation | Multi-tiered incremental software updating |
US6298445B1 (en) * | 1998-04-30 | 2001-10-02 | Netect, Ltd. | Computer security |
US6347375B1 (en) * | 1998-07-08 | 2002-02-12 | Ontrack Data International, Inc | Apparatus and method for remote virus diagnosis and repair |
US6577920B1 (en) * | 1998-10-02 | 2003-06-10 | Data Fellows Oyj | Computer virus screening |
US6266774B1 (en) * | 1998-12-08 | 2001-07-24 | Mcafee.Com Corporation | Method and system for securing, managing or optimizing a personal computer |
US6301668B1 (en) * | 1998-12-29 | 2001-10-09 | Cisco Technology, Inc. | Method and system for adaptive network security using network vulnerability assessment |
FI114768B (fi) | 1999-03-11 | 2004-12-15 | Nokia Corp | Improved method and arrangement for transferring data in a packet radio service |
US6533168B1 (en) * | 1999-05-27 | 2003-03-18 | Peter N. Ching | Method and apparatus for computer-readable purchase receipts using multi-dimensional bar codes |
US6711686B1 (en) * | 1999-06-29 | 2004-03-23 | Dell Usa L.P. | Security management tool for managing security attributes in computer systems |
US6971019B1 (en) | 2000-03-14 | 2005-11-29 | Symantec Corporation | Histogram-based virus detection |
US6184651B1 (en) * | 2000-03-20 | 2001-02-06 | Motorola, Inc. | Contactless battery charger with wireless control link |
US6842861B1 (en) * | 2000-03-24 | 2005-01-11 | Networks Associates Technology, Inc. | Method and system for detecting viruses on handheld computers |
GB2368233B (en) * | 2000-08-31 | 2002-10-16 | F Secure Oyj | Maintaining virus detection software |
GB2366691B (en) * | 2000-08-31 | 2002-11-06 | F Secure Oyj | Wireless device management |
GB2366692B (en) * | 2000-08-31 | 2002-08-14 | F Secure Oyj | Virus protection in an internet environment |
US6622150B1 (en) * | 2000-12-18 | 2003-09-16 | Networks Associates Technology, Inc. | System and method for efficiently managing computer virus definitions using a structured virus database |
US7162080B2 (en) * | 2001-02-23 | 2007-01-09 | Zoran Corporation | Graphic image re-encoding and distribution system and method |
JP2002259150A (ja) * | 2001-03-05 | 2002-09-13 | Fujitsu Prime Software Technologies Ltd | Vaccine software provision method and program |
US7043557B2 (en) * | 2001-06-29 | 2006-05-09 | Hewlett-Packard Development Company, L.P. | Low power scheduling for multimedia systems |
US20030022657A1 (en) * | 2001-07-18 | 2003-01-30 | Mark Herschberg | Application provisioning over a wireless network |
US6993642B2 (en) * | 2001-07-24 | 2006-01-31 | Microsoft Corporation | Method and system for creating and employing an operating system having selected functionality |
US7023861B2 (en) * | 2001-07-26 | 2006-04-04 | Mcafee, Inc. | Malware scanning using a network bridge |
US6718469B2 (en) * | 2001-08-01 | 2004-04-06 | Networks Associates Technology, Inc. | System and method for executing computer virus definitions containing general purpose programming language extensions |
US7861303B2 (en) * | 2001-08-01 | 2010-12-28 | Mcafee, Inc. | Malware scanning wireless service agent system and method |
US6792543B2 (en) * | 2001-08-01 | 2004-09-14 | Networks Associates Technology, Inc. | Virus scanning on thin client devices using programmable assembly language |
US7716137B2 (en) * | 2001-08-14 | 2010-05-11 | Nokia Inc. | System and method for automatically tracking and enabling the operation of a product |
US6836860B2 (en) | 2001-09-04 | 2004-12-28 | Networks Associates Technology, Inc. | Data scanning for updatable predefined properties |
US6892241B2 (en) * | 2001-09-28 | 2005-05-10 | Networks Associates Technology, Inc. | Anti-virus policy enforcement system and method |
US7210168B2 (en) * | 2001-10-15 | 2007-04-24 | Mcafee, Inc. | Updating malware definition data for mobile data processing devices |
US7401359B2 (en) | 2001-12-21 | 2008-07-15 | Mcafee, Inc. | Generating malware definition data for mobile computing devices |
2002
- 2002-04-12 US US10/122,087 patent/US7861303B2/en not_active Expired - Lifetime
- 2002-04-12 US US10/121,639 patent/US7096368B2/en not_active Expired - Fee Related
- 2002-04-12 US US10/122,095 patent/US7827611B2/en active Active
- 2002-04-12 US US10/122,092 patent/US20040010703A1/en not_active Abandoned
- 2002-04-12 US US10/122,100 patent/US7540031B2/en not_active Expired - Lifetime
- 2002-04-12 US US10/121,374 patent/US7171690B2/en active Active
- 2002-04-30 WO PCT/US2002/013570 patent/WO2003012644A1/en not_active Application Discontinuation
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6292833B1 (en) * | 1998-07-17 | 2001-09-18 | Openwave Systems Inc. | Method and apparatus for providing access control to local services of mobile devices |
US6403312B1 (en) * | 1998-10-16 | 2002-06-11 | Xencor | Protein design automatic for protein libraries |
US6411685B1 (en) * | 1999-01-29 | 2002-06-25 | Microsoft Corporation | System and method for providing unified messaging to a user with a thin web browser |
US20020042886A1 (en) * | 2000-08-31 | 2002-04-11 | Pasi Lahti | Software virus protection |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7178144B2 (en) | 2002-04-23 | 2007-02-13 | Secure Resolutions, Inc. | Software distribution via stages |
US7401133B2 (en) | 2002-04-23 | 2008-07-15 | Secure Resolutions, Inc. | Software administration in an application service provider scenario via configuration directives |
EP1623297A4 (en) * | 2003-04-17 | 2009-11-04 | Mcafee Inc | API SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR ACCESSING CONTENT / SECURITY ANALYSIS FUNCTIONALITY IN A MOBILE COMMUNICATION FRAME |
KR101046544B1 (ko) | 2003-04-17 | 2011-07-05 | 가부시키가이샤 엔티티 도코모 | Platform-independent scanning subsystem API for a mobile communication framework |
EP1629346A2 (en) * | 2003-04-17 | 2006-03-01 | Networks Associates Technology, Inc. | Platform-independent scanning subsystem api for use in a mobile communication framework |
WO2004095166A2 (en) | 2003-04-17 | 2004-11-04 | Networks Associates Technology, Inc. | Api system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework |
WO2004095177A2 (en) | 2003-04-17 | 2004-11-04 | Networks Associates Technology, Inc. | Platform-independent scanning subsystem api for use in a mobile communication framework |
EP1623297A2 (en) * | 2003-04-17 | 2006-02-08 | Networks Associates Technology, Inc. | Api system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework |
EP1629346A4 (en) * | 2003-04-17 | 2010-12-15 | Mcafee Inc | PLATFORM-INDEPENDENT SCAN API SUBSYSTEM FOR USE IN A MOBILE COMMUNICATION STRUCTURE |
EP1549091A2 (fr) * | 2003-12-23 | 2005-06-29 | Alcatel | Terminal with means of protection against the malfunction of certain Java applications |
EP1549091A3 (fr) * | 2003-12-23 | 2007-04-18 | Alcatel Lucent | Terminal with means of protection against the malfunction of certain Java applications |
US7703139B2 (en) | 2004-05-19 | 2010-04-20 | Computer Associates Think, Inc. | Antivirus product using in-kernal cache of file state |
US8443446B2 (en) | 2006-03-27 | 2013-05-14 | Telecom Italia S.P.A. | Method and system for identifying malicious messages in mobile communication networks, related network and computer program product therefor |
US8443439B2 (en) | 2006-03-27 | 2013-05-14 | Telecom Italia S.P.A. | Method and system for mobile network security, related network and computer program product |
US9779253B2 (en) | 2008-10-21 | 2017-10-03 | Lookout, Inc. | Methods and systems for sharing risk responses to improve the functioning of mobile communications devices |
US9781148B2 (en) | 2008-10-21 | 2017-10-03 | Lookout, Inc. | Methods and systems for sharing risk responses between collections of mobile communications devices |
CN103180862A (zh) * | 2010-08-25 | 2013-06-26 | 前景公司 | System and method for server-coupled malware prevention |
Also Published As
Publication number | Publication date |
---|---|
US20040010703A1 (en) | 2004-01-15 |
US7540031B2 (en) | 2009-05-26 |
US20030233566A1 (en) | 2003-12-18 |
US7096368B2 (en) | 2006-08-22 |
US7827611B2 (en) | 2010-11-02 |
US20030229801A1 (en) | 2003-12-11 |
US20040025042A1 (en) | 2004-02-05 |
US7861303B2 (en) | 2010-12-28 |
US7171690B2 (en) | 2007-01-30 |
US20030079145A1 (en) | 2003-04-24 |
US20040003276A1 (en) | 2004-01-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7171690B2 (en) | Wireless malware scanning back-end system and method | |
US7096501B2 (en) | System, method and computer program product for equipping wireless devices with malware scanning capabilities | |
KR101071597B1 (ko) | Update system and update method for updating a scanning subsystem in a mobile communication framework | |
CA2517534C (en) | System, method and computer program product for content/context sensitive scanning utilizing a mobile communication device | |
CA2517553C (en) | Platform-independent scanning subsystem api for use in a mobile communication framework | |
EP1623297B1 (en) | Api system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework | |
US7752669B2 (en) | Method and computer program product for identifying or managing vulnerabilities within a data processing network | |
AU2002239889B2 (en) | Computer security and management system | |
US20030070087A1 (en) | System and method for automatic updating of multiple anti-virus programs | |
JP2004534973A (ja) | Network device upgrade system and method | |
NZ540856A (en) | System for registry-based automatic installation and component handling on a device | |
CN100524211C (zh) | Update system and method for updating a scanning subsystem within a mobile communication framework | |
Kawaguchi et al. | Design of User Support System for Combating against Malware | |
Rice | Security Analysis of Palm PDA Computing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BY BZ CA CH CN CO CR CU CZ DE DM DZ EC EE ES FI GB GD GE GH HR HU ID IL IN IS JP KE KG KP KR LC LK LR LS LT LU LV MA MD MG MN MW MX MZ NO NZ OM PH PL PT RU SD SE SG SI SK SL TJ TM TN TR TZ UA UG UZ VN YU ZA ZM. Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG UZ VN YU ZA ZM ZW |
 | AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): GH GM KE LS MW MZ SD SL SZ UG ZM ZW AM AZ BY KG KZ RU TJ TM AT BE CH CY DE DK FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ ML MR NE SN TD TG. Kind code of ref document: A1; Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
 | REG | Reference to national code | Ref country code: DE; Ref legal event code: 8642 |
 | 122 | Ep: pct application non-entry in european phase | |
 | NENP | Non-entry into the national phase | Ref country code: JP |
 | WWW | Wipo information: withdrawn in national office | Country of ref document: JP |