WO2006102399A1 - Agent de service persistant - Google Patents

Agent de service persistant Download PDF

Info

Publication number
WO2006102399A1
WO2006102399A1 PCT/US2006/010381 US2006010381W WO2006102399A1 WO 2006102399 A1 WO2006102399 A1 WO 2006102399A1 US 2006010381 W US2006010381 W US 2006010381W WO 2006102399 A1 WO2006102399 A1 WO 2006102399A1
Authority
WO
WIPO (PCT)
Prior art keywords
agent
electronic device
persistent
driver agent
driver
Prior art date
Application number
PCT/US2006/010381
Other languages
English (en)
Inventor
Philip B. Gardner
Original Assignee
Absolute Software Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Absolute Software Corporation filed Critical Absolute Software Corporation
Priority to JP2008502159A priority Critical patent/JP2008533621A/ja
Priority to EP06748543A priority patent/EP1864238A1/fr
Priority to CA2601260A priority patent/CA2601260C/fr
Publication of WO2006102399A1 publication Critical patent/WO2006102399A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/88Detecting or preventing theft or loss

Definitions

  • the present invention relates to a persistent or tamper resistant servicing agent in a computer and network environment.
  • IT information technology
  • Remote and mobile computer assets that travel outside a LAN are problematic in a number of ways. Initially, most asset tracking software cannot track these machines when they are not connected to the local network. Also, these remote machines pose a large security threat to the entire IT network. More often than not the remote user is responsible for the administration and configuration updating of the machine rather than the IT administrator. Most users are normally not as security conscious as they should be. Users may lower security settings, install malicious software unknowingly, let anti-virus software fall out of date and fail to install the latest security patches. What may seem like minor security faults to a remote user can have drastic effects on the entire network. When the remote user connects the LAN they may infect the entire network due to these relaxed security concerns. Without effective asset management tools for these remote machines IT administrators cannot ensure the integrity of the entire network.
  • a network is only as secure as its weakest link.
  • the annual CSI/FBI survey on computer security shows that 57% of stolen PC assets are used to perpetrate additional crimes against corporations. hi a response to recent corporate accounting scandals, identity theft and malicious hacking, governments are establishing regulations that force businesses to protect and be accountable for all sensitive digital information.
  • the Sarbanes-Oxley Act of 2002 is an excellent example of such a regulation. With Sarbanes-Oxley there is increased exposure when not accurately reporting assets. Executives are asked to legally verify if the proper controls and regulations are in place to ensure accurate asset reporting. It is now the fiduciary responsibility of the CFO and CEO to ensure that accurate asset reporting is performed. The legal, regulatory and financial exposure to an organization that inaccurately reports its asset base could be significant.
  • an authorized user is a person responsible for some aspect of the life-cycle management of the computer.
  • the tracking agent should be able to protect the authorized user from the accidental removal of the tracking agent, while allowing the legitimate need to disable the agent (for example at end of life of the computer asset).
  • An unauthorized user is a person who wishes to remove the agent software, but who is typically not responsible for the life-cycle management of the computer.
  • a reason for a deliberate, unauthorized attempt to remove the agent would include actions of a thief or potential thief who wishes to ensure that any tracking software is permanently removed.
  • An attempt of unauthorized yet accidental removal would include someone's successful or unsuccessful attempt to install a new operating system, or re-image the hard drive, for example.
  • Absolute Software Corporation the assignee of the present invention, has developed and is marketing Computrace, a product and service that securely tracks assets and recovers lost and stolen assets, and AbsoluteTrack, a secure asset tracking, and inventory management, solution powered by the Computrace technology platform.
  • Computrace deploys a stealth agent, which is a software client that resides on the hard drive of host computers. Once installed, the agent automatically contacts a monitoring center on a regular basis transmitting location information and all auto-discovered asset data points. Ongoing communication between the agent and the monitoring center requires no user intervention and is maintained via an Internet or phone connection.
  • the Computrace agent will be able to report asset data to the monitoring center.
  • the user intervention- free communication between the agent and a monitoring center ensures the authorized user of the agent to have secure access to up-to-date location information and comprehensive asset data about their entire computer inventory.
  • AbsoluteTrack has been a cost-effective application service for helping businesses of all sizes monitor remote, mobile and desktop computers and perform daily hardware and software inventory tracking functions.
  • Computrace has been an effective tool to track theft of mobile computers, and to recovery of stolen mobile computers.
  • the agent that is deployed on each protected device is stealthy, making it resistant to detection by the user of the computer.
  • the level of tamper-resistance directly impacts the difficulty of detection and level of skill required to defeat the Computrace service. While the Computrace agent is as tamper-resistant as a disk-based utility can be, it would be desirable to develop an improved agent that provide additional level of tamper-resistance, and further enable, support and/or provides services beyond asset tracking and recovery.
  • the present invention is directed to a servicing Agent for enabling, supporting and/or providing services relating to management and protection of assets (including without limitation hardware, firmware, software, data, etc.) and their software configurations, with improved tamper resistance.
  • the services may include asset tracking, asset recovery, data delete, software deployment, etc.
  • the servicing Agent comprises multiple modules. Each module is designed to function in a specific operating environment.
  • the modular design provides flexibility in configuring the agent for deployment in the particular operating environment, for example, in the BIOS or on the hard drive, without having to rebuild the entire application.
  • the Agent may be implemented wholly or partly by software (including hardware microcode), and may reside in software, firmware and/or hardware components within a system. hi accordance with one aspect of the invention, a loader module is loaded and gains control during power-on self-test (POST).
  • POST power-on self-test
  • the Agent can be relied upon to enable, support and/or provide services (e.g., tracking, data delete and software updates) with respect to the device in which it is installed, as well as assets associated with the device in which the Agent is installed.
  • control acts to load other functions and modules of the Agent, including as necessary and at the appropriate time, the reloading across the network (e.g., Internet) of portions of the Agent that may have been removed or missing from the machine.
  • the servicing Agent has the ability to be persistent in spite of actions that might ordinarily be expected to remove it.
  • At least one module and/or data for the agent code of the persistent Agent is implemented in the firmware of a device, such as a ROM, and in particular the basic input output system (BIOS) or its functional equivalent, resident in the device.
  • the servicing Agent can load itself to be ready to perform its designed servicing function (e.g., tracking, data delete and software updates), independent of the operating system of the device, and can adapt itself to the environment (e.g., the operating system of the device) that controls certain basic operations (e.g., input/output) of the device by detecting the operating environment, so that the Agent can make use of such basic operations of the system to perform its designed servicing functions.
  • the persistent agent comprises three main modules, including the "Computrace” Loader Module (CLM), the Adaptive Installer Module (AIM), and the Communications Driver Agent (CDA).
  • CLM loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment, hi one embodiment, the CDA exists in two forms, a partial or mini CDA and a full-function CDA.
  • the function of the mini CDA is to determine whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA across the network (e.g., Internet) from a monitoring server.
  • the full-function CDA is then responsible for all communications between the device and.
  • the different modules, and in particular the CLM may be programmable, which may require custom functionality to adapt to their specific environment. By providing Agent in several modules, the level of customization could be kept to a minimum.
  • at least the CLM is stored in firmware, such as the BIOS, with one or more of the other modules stored in hard drive partition gap, or the hard drive Host Protection Area (HPA).
  • the CLM is stored in a substitute Master Boot Record (MBR), or a combination of the foregoing.
  • the servicing functions that the Agent performs can be controlled by a remote server, by combining generic sub-function calls available in the Agent.
  • This programmable capability of the Agent allow its functionality to be extended based on server-driven commands.
  • the extensibility is critical to the successful deployment of the Agent in firmware, such as the BIOS, where space is at a premium and frequent updates to add or change functionality is not economical.
  • the extensibility feature is a primary component of the activation process and the reactivation process of the Agent.
  • the extensibility of the Agent enables a data delete application, for erasing data stored at the client device.
  • the extensibility of the Agent enables software updates to be delivered and programmed onto the client device.
  • the invention improves upon the ability for a pre-deployed servicing Agent to remain "active" regardless of the actions of a "user" of the device.
  • active refers to the specific ability of a component of the Agent software to load itself and then reconstruct its full capabilities over a wide range of "user” actions, including, for example in one embodiment, low-level commands to format the hard drive, re-installation of an operating system, re-imaging of the hard drive using an imaging utility, and replacement of the hard drive.
  • "User” refers to an individual who is performing these actions and may be acting in an authorized or unauthorized capacity. Their actions to remove the Agent may be intentional or accidental.
  • the invention protects the authorized user from the accidental removal of the servicing Agent, while allowing the legitimate need to disable the Agent (for example at end of life of the computer asset).
  • the invention prevents an unauthorized user from removing the Agent software.
  • the persistent attributes of the present invention have value in asset protection, data and network security, IT asset management, software deployment, and other types of applications, hi the context of a secure, stealthy device-tracking software application, the invention is of significant value as it makes theft of a valuable asset much more difficult to conceal, as regardless of actions taken by a thief, the software will persist and make itself available for contacting a remote monitoring center, hi addition, the persistent nature of the servicing Agent provides peace of mind to secu ⁇ ty personnel, as it provides contidence that the Agent cannot be accidentally removed.
  • FIG. 1 is a schematic diagram depicting representative communication links including networks by which asset tracking may be implemented in accordance with one embodiment of the present invention.
  • FIG. 2 is a schematic diagram depicting attachment of a PCI Option ROM to the BIOS, which includes the Persistent Agent, in accordance with one embodiment of the present invention.
  • FIG. 3 is a schematic diagram depicting the module components of the Persistent Agent present in the PCI Option ROM, in accordance with one embodiment of the present invention.
  • FIG. 4 is a schematic flow diagram depicting the Option ROM loading routine, in accordance with one embodiment of the present invention.
  • FIG. 5 is a schematic flow diagram depicting the routine performed by the CLM of the Persistent Agent, in accordance with one embodiment of the present invention.
  • FIG. 6a and 6b are schematic flow diagrams depicting the routine performed by the Interrupt Handler of the CLM, in accordance with one embodiment of the present invention.
  • FIG. 7 is a schematic flow diagram depicting the routine performed by the AIM of the Persistent Agent, in accordance with one embodiment of the present invention.
  • FIG. 8 is a schematic flow diagram depicting the Installer Mode routine of the CDA of the Persistent Agent, in accordance with one embodiment of the present invention.
  • FIG. 9 is a schematic flow diagram depicting the Service Mode routine of the CDA, in accordance with one embodiment of the present invention.
  • FIG. 10 is a schematic depiction of the CDA in Application Mode, in accordance with one embodiment of the present invention.
  • FIG. 11 is a schematic depiction of Flash Image Management, in accordance with one embodiment of the present invention.
  • FIG. 12 is a schematic depiction of Host Protected Area Image Management, in accordance with one embodiment of the present invention.
  • FIG. 13 is a schematic depiction of Partition Gap Image Management, in accordance with one embodiment of the present invention.
  • FIG. 14 is a schematic depiction of a communication session between the CDA of the Persistent Agent and the remote server, in accordance with one embodiment of the present invention.
  • FIG. 15 is a schematic flow diagram depicting the client side Date Delete routine of the CDA in accordance with one embodiment of the present invention.
  • FIG. 16 is a schematic flow diagram depicting the server side Data Delete routine in accordance with one embodiment of the present invention.
  • FIG. 17 is a schematic flow diagram depicting the Data Delete executable routine in accordance with one embodiment of the present invention.
  • Asset tracking function is an example of the services that can be enabled, supported and/or provided by the persistent Agent of the present invention.
  • the asset tracking system in accordance with one embodiment of the present invention involves a client/server architecture, which may comprise the following main components: (a) client device A consisting of any one of the electronic devices shown which have been implanted with the Agent.
  • the Agent software runs on the client devices for the purpose of reporting asset, location and other information, and receiving instructions from a remote server to program the Agent to support and execute a desired function.
  • the invention provides the ability of the agent software to be more persistent to accidental or deliberate removal and the programmability of the client from the monitoring server; (b) a communication link B, such as an information exchange network, which may include switched communications networks, the Internet, private and public intranet, radio networks, satellite networks, and cable networks; and (c) a host monitoring system C, which include a host monitoring server 3 that monitors the communications between the client device A and the host monitoring system C, which is contacted on a regular basis by the client devices records information from the client devices.
  • the monitoring server also provides instructions to the client on what actions to perform, including what actions the client is to perform, what data to collect and the clients next scheduled call time.
  • the client devices contact the monitoring server via the communication link B (e.g., an IP connection or via a dial-up telephone connection).
  • the monitoring server can perform its functions either as a service offered over the Internet, or as a customer-owned server over a corporate intranet.
  • the host monitoring system C may include a reporting and administration portal, which provides customers, administrators and asset tracking service providers the ability to view data and manage the functions of the monitoring server and the client devices.
  • the host monitoring server can notify customers, designated representative and law enforcement agencies concerning status of asset monitoring via a number of communication means.
  • useful client devices A in which the persistent servicing Agent in accordance with the present invention can be implemented include, but are not limited to, general or specific purpose digital processing, information processing and/or computing devices, which devices may be standalone devices or a component part of a larger system (e.g., a mass storage device), portable, handheld or fixed in location.
  • client devices may be implemented with the servicing Agent application of the present invention.
  • the servicing Agent application of the present invention may be applied to desktop client computing devices, portable computing devices (e.g., laptop and notebook computers;, or hand-held devices (e.g., cell phones, PDAs (personal digital assistants), personal electronics, etc.), which have the ability to communicate to an external server, as further explained below.
  • the client devices may be selectively operated, activated or configured by a program, routine and/or a sequence of instructions and/or logic stored in the devices, in addition to the operating systems resident in the devices.
  • use of the methods described and suggested herein is not limited to a particular processing configuration.
  • the present invention is described in reference to examples of deployments and implementations relating to the context of the Internet and in reference to a laptop or notebook computer as the client device A (computer Al is schematically represented as a desktop device, but may instead comprise a portable computing device). It will be understood by one of ordinary skill in the art that the application of this invention to any currently existing of future global network is contemplated herein. Further, although the Internet aspect of this invention is described and illustrated with respect to client computer Al it should be understood that the Internet application is readily applicable to other client devices without departing from the scope and spirit of the present invention.
  • Fig. 1 is a schematic representation of the communication links B in the form of information exchange networks in which the present invention may be deployed for asset tracking.
  • the information exchange network accessed by the asset tracking Agent application in accordance with the present invention may involve, without limitation, distributed information exchange networks, such as public and private computer networks (e.g., Internet, Intranet, WAN, LAN, etc.), value-added networks, communications networks (e.g., wired or wireless networks), broadcast networks, cable networks, radio networks, and a homogeneous or heterogeneous combination of such networks.
  • the networks include both hardware and software and can be viewed as either, or both, according to which description is most helpful for a particular purpose.
  • the network can be described as a set of hardware nodes that can be interconnected by a communications facility, or alternatively, as the communications facility, or alternatively, as the communications facility itself with or without the nodes.
  • a communications facility or alternatively, as the communications facility, or alternatively, as the communications facility itself with or without the nodes.
  • the line between hardware, firmware and software is not always sharp, it being understood by those skilled in the art that such networks and communications facility, and the components of the persistent agent technology platform, involve software, firmware and hardware aspects.
  • the Internet is an example of an information exchange network including a computer network in which the present invention may be implemented. Details of various hardware and software components comprising the Internet network (such as servers, routers, gateways, etc.) are not shown, as they are well known in the art. Further, it is understood that access to the Internet by the user/client devices and servers may be via any suitable transmission medium L, such as coaxial cable, telephone wire, wireless RF links, or the like, and tools such as browser implemented therein. Communication between the servers and the clients takes place by means of an established protocol.
  • the persistent asset tracking Agent application of the present invention may be configured in or as one of the clients, which can communicate with one of the servers over the information exchange network. This invention works in conjunction with other existing technologies, which are not detailed here, as it is well known in the art and to avoid obscuring the present invention. Specifically, for example, methods currently exist involving the Internet, web based tools and communication, and related methods and protocols.
  • the host monitoring system C may simply be a computer (e.g., a server 3) that is configured to exchange data with client devices A that have an Agent installed thereon, via one or more (concurrently or in parallel) of the communication links B.
  • the host monitoring system C includes routines for identifying and filtering external user access (Cl).
  • the host monitoring system C also communicates (C3) directly or indirectly with the owners and/or representatives of the tracked client devices A concerning information related to the tracked devices A (e.g., network location information), via the reporting and administration portal.
  • the host monitoring system C may communicate by email, fax, paging, phone, etc.
  • the host monitoring system C may itself be a staffed monitoring service station, or part of a law enforcement agency.
  • the host monitoring system C and/or downstream target locations may maintain an inventory list of the tracked assets, or the lost/stolen status of the tracked assets.
  • a plurality of host monitoring systems C may be distributed across the communication networks, for example in different geographic regions.
  • each client device A is associated with a unique identification, which may be part of the information delivered by the client device A to the host monitoring station C.
  • the unique identification can be in the form of an Electronic Serial Number (ESN), Media Access Control (MAC) number, Internet host name/IP address, an owner/user specified identification, or other numeric, alpha or alphanumeric information that represents, identifies and/or allows identification of the client device, and further information such as date and time, which might present further basis for determination or validation of the actual or virtual geographical location of the Agent and its identification.
  • the Agent has to determine the appropriate time for it to call the host monitoring system C. If is suffice to mention briefly here that once the Agent is installed and running it will either periodically (e.g. every N hours), or after specified periods have elapsed (e.g. from system or user logon), or after device system boot, or upon the occurrence of certain pre-determined conditions, or triggered by some internal or external events such as hardware reconfiguration, report its identity and/or location via the communication link B to the host monitoring system C, without user intervention to initiate the communication process.
  • the Agent may also concurrently report its identity and location via two or more available communication links B to the host monitoring system C.
  • the location of the Agent hence the tracked device, may be determine, for example, by a traceroute routine to obtain a listing of all IP routers used to enable communication between the client device A and host monitoring system C via the Internet.
  • All location and asset related data transmitted to the monitoring system C may be kept in a central repository and can be accessed 24x7 by authorized administrators via secure web-based or network based console.
  • the monitoring system C sends and programs the instructions for the next set of tasks, and the next scheduled call time and date to the Agent.
  • the monitoring system C archives all Agent transmissions, providing a current and accurate audit trail on each computer (C2).
  • a comprehensive computer asset tracking and inventory solution will capture this information on systems connected locally to the corporate network, as well as on remote and mobile systems connecting remotely via EP or dial-up.
  • information needs to be captured on a regular basis to ensure the most up-to-date view of the assets is being provided.
  • the tracking Agent is persistent with high resistance to tampering, and the Agent may be configured to remain transparent to an unauthorized user.
  • the Agent in order to remain hidden to the user, will not interfere with any running applications unless designed to interfere.
  • the persistent Agent in accordance with the present invention can report t ⁇ e original identification of the PC asset and its status throughout the PCs lifecycle, regardless of, for example, IMAC and break/fix operations, even if the hard drive has been reformatted or the operating system reinstalled or tampered with.
  • the persistent Agent is designed to protect itself and will survive any unauthorized removal attempts. This persistence feature is critical in order to remain connected to PC assets in case of theft and to ensure accurate and secure asset tracking.
  • the persistent Agent is a low-level undetectable software client that resides on the host computer.
  • the Agent is persistent software and extremely difficult to remove.
  • the Agent incorporates self-healing technology that functions to rebuild the agent software installation even if the agent service is deleted by conventional means. The agent will survive an operating system installation, hard drive format, and even a hard drive replacement. This survivability is critical to the success of asset tracking and theft recovery (and other services that the Agent may also enable, support and/or provide).
  • the self-healing function is not resident within the file system and is more difficult to detect and remove than traditional software.
  • the persistent and self-healing portion of the software is difficult to remove because it is stealthy.
  • the software is normally removed only by an authorized IT administrator with the correct password.
  • the self- healing feature will function to repair an Agent installation in newly formatted and installed operating systems as well as newly imaged systems.
  • the Agent is programmable to extend its functions beyond what was initially programmed.
  • the Agent communicates with a remote server, wherein the remoter server sends and programs the Agent by providing the Agent with instructions for next set of tasks.
  • the Agent may be implemented in the hardware, firmware or software of any electronic device.
  • the Agent may be implemented in any component of a device, as with an electronic component such as the DSP in a modem or the CPU in a computer.
  • the functionality of the Agent maybe implemented in the circuitry of any hardware device capable of establishing a communication link through sending and/or receiving packets of data.
  • the Agent may be embodied in non- volatile memory (such as ROM BIOS, ROM, Flash ROM, EPROM, EEPROM, or the like) of the electronic device, a software program, a micro-code program, a digital signal processor ("DSP") program or a built-in function of the operating system.
  • non- volatile memory such as ROM BIOS, ROM, Flash ROM, EPROM, EEPROM, or the like
  • the persistent tracking Agent (hereinafter also referred to as a "Persistent Agent”) is embodied in BIOS (or its functionally equivalent system).
  • BIOS is the startup code that always executes on system power up or reset. This can be microcode embedded into the processing unit or software (instructions) starting from a fixed location in memory space. These instructions handles startup operations such as the Power-On Self- Test (POST) and low-level control for hardware, such as disk drives, keyboard, and monitor, independent of and typically before the booting of the operating system resident on the device.
  • the Persistent Agent is embodied in firmware, such as a read-only memory (ROM), in the client device A, such as personal computers. When BIOS is embodied in a chip, it includes a set of instructions encoded in ROM. It is understood that all references to BIOS hereunder is not limited to ROM bases BIOS.
  • BIOS-based loader makes the Agent components more persistent, and hence it is more difficult to defeat the asset tracking or other servicing function.
  • the BIOS-based loader also eliminates the need to reverse the boot order on the machine and thus removes a step in the manufacturing process.
  • a BIOS-based loader also reduces potential compatibility issues with products such as anti- virus scanners, full-disk encryption and other utilities that read or modify the operating system loader in the Master Boot Record (MBR).
  • the Persistent Agent 10 is initially stored in an Option ROM, such as a an Option ROM based on peripheral component interface bus - PCI Option ROM 12 attached to the Core BIOS Flash Image 13, as depicted in Fig. 2. There may be additional Option ROMs attached (not shown), which supports other functions not related to the Persistent Agent.
  • the Persistent Agent 10 comprises multiple modules. The three main modules are the "Computrace" Loader Module (CLM) 14, the Adaptive Installer Module (AIM) 16, and the Communications Driver Agent (CDA) 18, as depicted in Fig. 3.
  • the small (can be approximately 22 Kb - compressed) PCI Option ROM 12 containing the three modules of Persistence Agent 10 are bound to the standard core flash image and loaded into protected memory along with the BIOS and other Option ROMs during BIOS POST.
  • the small PCI Option ROM is recognized by POST and loaded into read/write shadow memory along with the BIOS and other Option ROMs during BIOS POST.
  • This configuration provides a modular architecture that will enable the security enhancing features while minimizing the development effort and number of interface points in the core BIOS which must be re-qualified.
  • the CLM incorporates the PCI (in the case of a PC device), Image Management and Execution Environment functions. It is responsible for the interface to the BIOS, locating and unpacking the AIM, resizing the PCI Option ROM to its final size, and executing the AIM within the proper context on the system.
  • the AIM accesses the hard drive, detects active operating systems, and adapts the mini CDA to the discovered installations.
  • the mini CDA is the communications driver. It includes support for the HTTP protocol, an application layer for communicating with the monitoring server, a service layer for interfacing to an OS and an adaptive layer for interfacing with the AIM.
  • the mini CDA is responsible for checking whether the full-function CDA is available in the computer's file system to run as a service when the operating system is loaded. If the full-function CDA is not available, the mini CDA will initiate download of the full-function CDA from the monitoring server. Once the full function CDA is present, it will frequently check for newer versions of itself on the monitoring server, and if available, will replace itself with a new version.
  • the Option ROM load process 20 is depicted in the flow diagram of Fig. 4.
  • the BIOS POST process performs a self-test and chipset configuration routine 21, and reaches a point where the bus is scanned at 22 for Option ROMs that support functions on the motherboard or on extension cards.
  • the PCI Option ROM 12 containing the Persistence Agent 10 is loaded into low memory (e.g., a RAM) at 22 and its initialization vector (CLM 14, as discussed below) is called at 23.
  • the initialization routine determines the status of the function to be supported and its final image size.
  • the BIOS POST process then completes the Option ROM scan and calculates the final locations of each Option ROM whose function is present.
  • Each PCI Option ROM is then relocated and its completion vector is called, including the Persistent Agent enabled PCI Option ROM 12.
  • the BIOS memory is write-protected at 27. The boot-devices are called in turn until an operating system is successfully started at 28. At this point, both the device operating system and the Agent would be running simultaneously.
  • the CLM 14 is responsible for setting up a temporary Execution Environment for the AIM 16, loading and decompressing the AM 16 and calling it in an appropriate context.
  • the last "act” of the CLM 14 is to shrink to a minimum size (2K) and return execution to POST.
  • the CLM only “fails” if the AIM 16 is not found or invalid.
  • the CLM 14 is the interface to POST, or the "front-end" of the PCI Option ROM 12.
  • the PCI Option ROM header is in the CLM 14 and its entry points are advertised according to the standard in this header.
  • the CLM 14 provides two function points for integration with the BIOS POST.
  • the initial interface is presented during PCI Option ROM enumeration by the BIOS.
  • This interface is a standard legacy ROM header and PCI Option ROM header pair.
  • a PCI Vendor ID of 1917h and the device ID 1234h may be set.
  • the BIOS POST process scans the bus for Option ROMs that support functions on the motherboard or on extension cards, the whole PCI Option ROM 12 is loaded and the initialization vector of the CLM 14 is called.
  • the Option ROM loads and executes a compressed .COM application.
  • the ROM entry point is defined by the START_SEG label.
  • the START_SEG Segment contains the ROM header and its link to the PCI Option ROM header.
  • the Option ROM is initialized by a FAR CALL to offset 3 in the Option ROM.
  • the jump instruction chain here passes control to the OptRomProc.
  • the routine 30 undertaken by the PCI Option ROM CLM 14 may be summarized as follows: a. Find the BIOS POST Memory Manager at 31. b. Allocate a control STUB_BLOCK at 32(e.g., 2K for interrupt handling and application execution). c. Allocate extended memory for the COMPRESSED application and a backup of application memory (e.g., 64K) at 33. d. Allocate a block of application memory (e.g., 64K) in conventional memory for the DECOMPRESSED execution of the application at 34. e.
  • the second interface is an Interrupt Handler. This executes after the initial load and execution of the initialization procedure of the PCI Option ROM from memory allocated from the BIOS POST memory manager. This interface executes first on int 15h and then on an alternate trigger. Int 19h is the preferred alternate trigger and the default. The interrupt handler is only activated if BIOS Disk Services (int 13h) is not yet available during initialization of the PCI Option ROM. Int 19h is the preferred trigger method because in some cases there is no Int 13h issued by the BIOS after the last int 15h/func 910Oh. Another issue is that physical drive 8Oh by not be consistent with physical drive 80h at hit 19h until shortly before Lit 19h. ComFileStub contains the main interrupt hook entry point.
  • the AIM 16 is designed to be loaded under the execution context set up by the CLM 14. Referring to Fig. 7, the routine 54 undertaken by AIM 16 includes the following steps. When executed, the AIM 16 scans the partition table to fmd the active partition at 55. On the active partition it looks for the operating system (OS) system directories or the configuration files at 56, which point to them and then creates and installs the installer mode instance of the Communication Driver Agent CDA at 57.
  • OS operating system
  • the installation mechanism is specific and unique to each OS, and AIM 16 uses standard OS installation mechanisms.
  • the CDA 18 exists in two forms, a mini CDA and a full-function CDA.
  • the mini-CDA resides in the PCI Option ROM 12.
  • the function of the mini CDA is to determine whether a full-function and/or current version CDA is installed and functioning on the device, and if not, to load the full-function CDA across the Internet from the host monitoring server C (Fig. 1).
  • the full-function CDA is then responsible for all communications between the device and the host monitoring server C.
  • the mini CDA first runs (via ATM 16) an installer mode 58, in which the primary function of the mini CDA is to register as an OS service.
  • the installer mode instance of the agent creates another instance of itself at 59 and registers the copy with the Service Manager at under 2000/XP, for example, at 60.
  • the executable then cleans up the installer copy of itself and exits. It runs in Installer mode only once, as the full-function CDA takes over the normal operations of the CDA from that point.
  • the service mode instance of the mini CDA is executed as a Service under 2000/XP, for example.
  • the Service sets up a service manager environment at 62 and at an appropriate time (after waiting at 63), launches an instance of itself as an application at 64.
  • the application mode is the normal mode of operation of the mini-CDA.
  • the Agent is now in "active" mode.
  • the mini CDA application initiates communications with the host monitoring server C using, for example, the HTTP protocol by default, as depicted in Fig. 10. Other protocols are supported by additional modules are uploaded from the host monitoring server C to the Agent.
  • the host monitoring server C performs functions such as identifying the Agent, storing monitoring history, configuration and software updates.
  • the host monitoring server C conducts a session with the mini CDA to activate and install a full version of the CDA, disable the mini- CDA (e.g., at end of life of the device, or for disabling self healing function so that it can be upgraded to a newer version), update the Agent, or configure the Agent, as required for that platform.
  • Fig. 10 The communications between the client device A and the server C via communication link B are depicted in Fig. 10 in accordance with one embodiment of the present invention.
  • the mini CDA provides identification or type of BIOS or device platform to the server C 3 a copy of BIOS or platform specific full-function CDA or its updates can be downloaded to the device A.
  • the Agent initiates a call to the host at predetermined, random, event based or deferred intervals.
  • the Agent in its "active" mode the Agent calls the host every predetermined number of hours.
  • the Agent uses the current time and the unique Agent identification to encode an Internet host name.
  • the Agent then forms a DNS request using an encoded Internet host name. The Agent sends this DNS request to the host through the Internet.
  • the Agent will sleep for a predetermined period of time, e.g., one minute, and then repeat the call. If the call fails due to another error (such as the absence of Winsock facilities which enable communication with the Internet, and/or the failure of the computer to be configured for TCP/IP communication) then the Agent will repeat the cycle several hours later. In this way, the Agent inherently checks for the existence of an Internet connection.
  • the Agent After sending its DNS request, the Agent waits for a response.
  • the IP address is extracted from the response and compared against a reference IP address.
  • the reference IP address maybe set as "204.174.10.1". If the extracted IP address equals "204.174.10.1” then the Agent's mode is changed from "active" to "alert" on the Internet side.
  • the host will send this IP address, for example, when it, or the operator at the host, has determined that the Agent identification matches one of the entries on a list of reported lost or stolen computers stored at the host. If the IP address extracted from the host response does not equal "204.174.10.1" then the Agent remains in active mode and does not call the host for another four hours.
  • the Agent when the Agent goes into "alert" mode in the Internet application, the Agent initiates a traceroute routine which provides the host with the Internet communication links that were used to connect the client computer to the host. These Internet communication links will assist the host system in tracking the client computer.
  • the IP address of the source of the DNS query is sent to the host within the DNS query.
  • the IP address of the client computer (which may not be unique since it may not have been assigned by the InterNIC) will likely be insufficient to track the location of the client computer. In such a scenario, it is necessary to determine the addresses of other EP routers that were accessed to enable communication between the client and the host.
  • the Agent's protocol is designed to provide these mechanisms.
  • the format of a read packet is:
  • the format of a write packet is:
  • the communications protocol distinguishes a read packet by determining that no DATA is contained in the packet. If there is DATA, then it is a write. This address based protocol is the basis of the extensibility design.
  • Fig. 14 The general sequence of steps in a communication session, based on the extensible protocol, between the client device A and the server C via communication link B is schematically depicted in Fig. 14 in accordance with one embodiment of the present invention. Examples of specific transactions handled by a communication session is further disclosed below.
  • a typical session begins with a connection sequence such that:
  • the client replies with the address of its session handle
  • the handle structure contains important information like the version of the client, the version of the supporting OS and the Command Packet.
  • the client interprets "writes" to the Command Packet as "special” and will call the CommandPacketProcessorO function when the Command Packet is written.
  • the CommandPacketProcessorO function takes the arguments: function code, parameter address, number of parameters, and the result address.
  • the minimum set of function codes which must be implemented are:
  • This small library of commands can be strung together in packets to accomplish any management task.
  • the critical management tasks are:
  • each item described represents one transaction (message pair between the client and server). Some transactions occur on every agent call, others depend on the service implemented and others are done on one call only as a result of a flag set by maintenance or recovery personnel. Below are tables of typical communications sessions between the server and the Agent.
  • ATI data for subscribers to asset tracking/monitoring services
  • AT2 DLL the data collected by the AT2 DLL.
  • AT-II data (e.g., for AbsoluteTrack & ComputraceComplete customers) is retrieved. Note that this is a super-set of the data collected by the ATI DLL. Either the ATI or AT2 DLL will be executed on the client, never both.
  • Function retrieves make, model and serial number from client and change boot order.
  • the activation process links the Application agent identity to a customer account and installs the Persistent Agent module. This process is described as follows: • The Application Agent connects • The Server uses the extensibility features in the protocol to send down and inventory DLL to identify the computer - this DLL gathers attributes such as the BIOS, chassis and hard-drive serial numbers.
  • a unique identifying number (the Electronic Serial Number) is assigned to the device associated with this inventory record.
  • the Monitoring Server uses the extensibility features in the protocol to send down an inventory DLL to identify the computer - this DLL gathers attributes such as the BIOS, chassis and hard- drive serial numbers and compares with those previously stored.
  • BIOS BIOS and software persistence
  • Data delete is another example of a service enabled, supported and/or provided by the Agent.
  • the enhanced survivability of the CDA improves tracking physical location of the asset. It is recognized that even when location of asset is established, physical recovery of tracked device is not always feasible due to applicable local laws, police enforcement and burden of proof of ownership.
  • programmable capabilities based on the extensible protocol of the CDA offers alternate means of safeguarding confidential or sensitive user data on the device.
  • User defined data files, user profiles or other user defined information e.g., stored on a hard drive at the client device A, can be deleted under control from the monitoring server. Data deletion can be done on selected data items, or complete device storage medium, including the operating system can be erased, in accordance with the features and options specified by the monitoring server.
  • 2-stage Data Delete process for full operating system delete To ensure that the Agent (e.g., the CDA) uploads the log files when a "full O/S Data Delete" option is specified by the monitoring server, Agent undertakes a 2-stage delete process. Log files are obtained by the monitoring server from the Agent after a first stage delete before deleting the operating system in a second stage.
  • the full O/D Data Delete option includes the following steps: a) Delete all files except the O/S b) Force an agent call and upload the logfiles c) Delete the O/S files
  • Data Delete override - Data Delete executable is turned off by the monitoring server to stop the Data Delete running again if the computer is subsequently recovered.
  • Data Delete Pre-launch check Additional pre-launch Data Delete checks for an affected client device is provided by the monitoring server to ensure: (a) theft report exists for the affected client device, (b) client device is positively identified and no duplicates exist, (c) there is authorization by the client device owner (e.g., a pre-authorization agreement in place between the owner representative and the entity maintaining the monitoring server such as the host monitoring station).
  • notifications e.g., via email, SMS - short messaging service
  • the interested parties e.g., authorizing owner representative, and/or requestor.
  • Fig. 15 is a schematic flow diagram depicting the client side Date Delete routine 70 of the CDA in accordance with one embodiment of the present invention.
  • Fig. 16 is a schematic flow diagram depicting the server side Data Delete routine 80 in accordance with one embodiment of the present invention.
  • Fig. 17 is a schematic flow diagram depicting the Data Delete executable routine 90 in accordance with one embodiment of the present invention.
  • Data delete executable or sub-functions are called at 84 and 85 with parameters defining the data to be deleted (at 91), with wildcard variables to delete complete data structures.
  • the server instructs the Agent at 86 to contact back the server within a set period of time (e.g., 15 minutes).
  • CDA sub-functions may use US Department of Defense recommended algorithms to delete the data so as to make it non-recoverable (e.g., US Department of Defense Standard 5220.22 -M Clearing and Sanitization Matrix).
  • CDA sub functions also use available built in operating system support to delete data. These data deletion algorithms and mechanisms are publicly well known by persons skilled in the art, and actual delete mechanism does not alter the system capabilities being described herein.
  • the data delete application will delete applications and data on the hard drive at 93, for example, then will make a call back in to the monitoring server at 95, where it will upload at 76 and 88 a report (e.g., logfiles) to the server detailing the success of the data delete application (e.g., at 94, create/append to logfile a log of each action, and/or log fall path of deleted file).
  • a report e.g., logfiles
  • the data delete application will delete all data and application files, except those required for the operating system and the Agent function.
  • the Agent will attempt to return at 94 a status report (e.g., logfiles) to the monitoring server at 76 and 88.
  • the client device will remain operational after the delete process.
  • the Data Delete routine for the server and the Agent would proceed with other actions at 78 and 87. For example, if the data delete application has also been instructed by the server to delete the operating system, it will then continue to delete the operating system files.
  • the routine for data delete of the operating system is as follows.
  • the data delete application will delete all data and application files, except those required for the operating system and the Agent to function.
  • the Agent returns a status report to the monitoring server.
  • the data delete application will then continue to delete the remainder of the files on the device. This may cause the device to become non-operational.
  • the Agent may not be able to call the monitoring server once the full data delete process has been completed. If the user reinstalls an operating system, the Agent will regain its original function.
  • the data delete service has the following features:
  • the data delete application is disguised.
  • the service that runs during the delete process is titled "WCTSYS.EXE", in an attempt to conceal the delete process running in the background. If the user stops the process before the deletion is completed, the application is able to resume the deletion process where it left off, once the Agent makes it's next call to the monitoring server. For example, at 92, the Agent determines if data delete is perpetual. If perpetual, then proceeds to rest of date delete functions (i.e., 93, etc.) If not perpetual, and if data delete has not been completed before (at 97), the process proceeds to data delete functions. If data delete has been completed (at 97), the data delete process terminates.
  • the Agent call back period may be set to a predetermined value for both modem and IP calls (e.g., at 86).
  • the time required for the data delete process to complete is dependant on a number of variables, including the speed of the processor, the. size of UIe 1 hard drive, the amount of data to be deleted and the amount of activity already taking place on the client device. It has been determined that the data delete process can be expected to take between several minutes to half an hour or more to complete.
  • the report that is returned on a successful deletion contains the following information:
  • This information may be provided to the user on the success of the Data Delete process.
  • the functionality of the data delete can be controlled by a policy file downloaded from the server, at 84 or 85.
  • the policy file will dictate to Data Delete application what files, folders, or file types to delete.
  • the policy can also dictate other data selection criteria.
  • full function CDA and mini-CDA use the extensible protocols to keep itself current with the most up ' t ⁇ &$> , yj&sion available on trie monitoring server. It also uses this capability to keep other asset tracking extensions updated to the current version.
  • Generic sub-functions included in the extensible protocol are generic and flexible so they can be leveraged to have a multitude of functionalities, in addition to asset tracking and data delete described above.
  • An example of another application of the extensible protocol is to provide downloading and launching applications from the monitoring server. An executable file can be downloaded into memory and then launched. Alternatively, an installer can be downloaded from the monitoring server and launched to install an application, or upgrade an existing application.
  • Examples applications that leverage the agent's extensible protocol to provide functionality include:
  • Persistent Firewall The Agent can download and enforce network communication firewall. The Agent can also monitor and correct any changes to firewall configurations or removal or disabling of. the firewall. Since the Agent is persistence (cannot be detected or removed) it can provide and enforce security features such as firewall in a much more persistence way.
  • Data Encrypt- Persistence Agent upon instruction from the server, can encrypt the data on the machine. This vill enable data protection in a theft or loss scenario, in a much more persistent mechlanism. Agent can also change the encryption keys or passwords post theft to protect user's data.. Changing encryption passwords or keys can also protect machines in internal theft scenarios
  • Location Tracking One of the primary functions of the Agent is to contact the host monitoring system to report the identity and physical location of the device.
  • the physical location can be implied by the machine's EP address or other related network parameters.
  • the agent could use data from built in GPS receivers or cellular network receivers and transmitters for identifying the physical location of the device.
  • the agent can log GPS or Assisted GPS location information (current, or a series of logged information).
  • the CDA can periodically read the GPS location and create a log file, that can be uploaded to the server during a call.
  • This invention can be implemented in a variety of embodiments of Persistent Agent to adapt to their specific environment based upon factors including, but not limited to: (a) different BIOS implementations from different device (e.g., PC) manufacturers; (b) different interface requirements with the BIOS; (c) variation of flash memory space available from different device manufacturers or on different device models; and (d) ability to work without a BIOS PCI Option ROM enumeration hook.
  • the CLM is formatted as a PCI Option ROM and the AIM and CDA may be stored separately, or being bound to the CLM.
  • the CLM shrinks down to a small stub at the end of the POST cycle.
  • the CLM may reside in a partition gap and use a substitute Master Boot Record (MBR).
  • MLR Master Boot Record
  • the CLM, AEVI and mini CDA are all loaded in the BIOS flash image.
  • This approach leverages existing processes used in BIOS where PCI Option ROMs are loaded from the BIOS flash image.
  • the additional modules may be stored separately in flash or bound to the CLM in PCI Option ROM, as is in the case of Fig. 3.
  • an 18 - 20 KB PCI Option ROM is loaded by POST into upper shadow memory and the AIM is unpacked by the CLM.
  • the ADVI in turn adapts and configures the mini CDA for the system and returns control to the CLM.
  • The- CLM shrinks the size of PCI Option ROM image to a minimum and remains in the upper memory region as a 2 KB ROM block. If the AIM ( ⁇ 6 KB) and CDA ( ⁇ 10 KB) are simply stored in the flash image, and not bound to the CLM, the CLM incorporates additional image access functions to locate and unpack the AIM and mini CDA. The operation of the CLM, AIM, and mini CDA are similar to the bound method above.
  • the size of the CLM is slightly larger and specially tailored to the platform for which the flash image is targeted. This approach assumes the pre-establishment of a vendor ID to allow recognition of the flash-resident PCI Option ROM.
  • the management of the flash image is depicted in Fig. 11.
  • BIOS flash memory there may not be sufficient space in the BIOS flash memory for all the modules of the complete Persistent Agent, hi this case, depending on the device vendor support, the AIM, or the AIM and the mini CDA may be resident in a user inaccessible area in a mass storage device, such as the hard drive partition gap.
  • a mass storage device such as the hard drive partition gap.
  • the CLM still resides in flash and gets called during the PCI Option ROM enumeration process as in the earlier embodiment, but CLM loads AIM, which in turn executes the CDA from another location.
  • Fig. 13 depicts the partition gap image management involved in the situation in which the additional modules of the Persistent Agent will reside within the partition gap.
  • This gap exists between the MBR and the first partition.
  • the gap is 62 sectors, for example, on most new hard drives, but some of the sectors are reserved by the installation utility to maintain compatibility with other software and the useable size is about 27 Kb. This size is sufficient to include the base modules of the Agent (AIM, CDA) necessary to communicate with the server and bootstrap the rest of the modules into the OS.
  • AIM Agent
  • HPA Host Protected Area
  • the additional modules of the Persistent Agent will reside in another user inaccessible area on the mass storage device, such as within the HPA, or its functional equivalent.
  • This HPA access mechanism will be PC OEM specific.
  • the images within the HPA may need to be managed at runtime.
  • the driver and applications will support the existing methods to authenticate with the BIOS interfaces and obtain the necessary runtime access to manage our portion of the HPA space.
  • the CLM still resides in flash and gets called during the PCI Option ROM enumeration process as in the earlier embodiment, but CLM loads AIM, which in turn executes the CDA from another location.
  • While the most secure embodiments will involve the CLM being resident in the BIOS flash memory, there may be environments where this is not supported. This may be the case where OEM has not configured the BIOS to enumerate the CLM header in flash during PCI Option ROM scan. On these systems, an alternative location- for the CLM will still provide a superior solution relative to existing products.
  • the use of a substitute Master Boot Record offers a solution to this.
  • the CLM loads from the substitute Master Boot Record.
  • CLM then loads and passes control to the AIM and mini CDR, which would be located in the partition gap, as described in the earlier embodiments.
  • the substituted MBR approach for an agent subloader has been patented by the assignee, and incorporated by reference herein.
  • the CLM herein may take advantage of similar subloading approach, although in the present invention, the CLM has additional and different functions in relation to the AIM and CDA not found in the earlier patents.
  • the mini-CDA is integrated into an operating system image entirely stored in flash memory. Persistence is achieved by being included in the persistent operating system image and is protected by the same security mechanisms used to protect accidental and deliberate modifications to the operating system.
  • the mini-CDA or is directly loaded and run by an operating system utility.
  • the full-function CDA is subsequently downloaded and installed into volatile memory.
  • a CLM is loaded by the operating system utility and it subsequently loads and runs the mini-CDA. In this latter case, both the CLM and the mini-CDA are included in the persistent operating system image.
  • the server initiates communications with the CDA instead of waiting for the CDA to initiate communication with the server.
  • Server initiated communications permits the execution of server instructions that are time critical and cannot wait until the next scheduled call by the client.
  • the server may use the same or a different communications network and protocol from the principal network or protocol used by the CDA to call the server.
  • An example of a time sensitive scenario is the execution of a data delete operation on a misplaced or stolen mobile device before communications are interrupted by the network operator as a result of the device being reported stolen. Any time-sensitive service may be invoked in this manner.
  • the mini-CDA is integrated into an operating system distribution (e.g., software, firmware of hardware). Persistence is achieved by being included as a fundamental, inseparable component of the operating system. In this case, it is protected by the same security mechanisms used to protect accidental and deliberate modifications to the operating system.
  • the mini-CDA is reinstalled from the operating installation medium and, as a result, the services provided by the mini-CDA are enabled in the second installation.
  • the mini- CDA is directly loaded and run by an operating system function. The full- function CDA is subsequently downloaded and installed as in other embodiments.
  • EFI Extensible Firmware Interface
  • BIOS embodiment of the persistence modules i.e. AIM and CLM
  • AIM and CLM can be modified to install the mini-CDA or the agent in an EFI environment, either as an EFI driver or EFI application prior to OS loader.
  • Persistence is achieved when the EFI loads CLM, which then uses AIM to install or restore mini- CDA similar to the BIOS embodiment.
  • the mini-CDA, after OS boot can then download and install the full featured agent, as in BIOS embodiment. Optimization
  • the CLM PCI Option ROM is not difficult to integrate into the system BIOS.
  • the IBM Model T43 notebook computer is installed with an IBM BIOS having an option ROM structure. Its form and function parallels video option ROMs or motherboard controller option ROMs already existing in the BIOS. In the simple case, the BIOS must simply be reconfigured to recognize the vendor ID of the CLM. If the form and function of the CLM is more tightly integrated to the host BIOS, some size- optimization can occur. There is an opportunity to save a little space in the ⁇ 20 KB required to store the CLM, AIM, and CDA modules within the Flash Image. Below is a table listing various functions within the three main modules and the approximate size of each major functional group. The "optimization" column lists an estimate of the optimization opportunity of the functional group within each module.
  • CLM CLM .8 KB
  • the size of the Image Management functions can be reduced by about .3 KB by using the compression algorithm of the BIOS and by using the "bound" method to store the AIM and CDA modules.
  • the size of the Execution Environment setup and control function can reduced by .8 KB by ensuring that the PCI Option ROM is loaded late in POST so that all disk resources are available and that POST Memory Manager support is not needed.
  • the lower range of the -20 KB size is about -18.9 KB.
  • BIOS interface exposes an application program interface (API) for detecting and configuring the CLM through SMBIOS, then the 2 KB visible ROM "stub requirement" is relaxed.
  • API application program interface
  • the persistent servicing Agent may be extended to track additional devices, such as portable digital devices.
  • the intelligent Agent may reside in BIOS Option ROM, partition gap on hard drive, hard drives Host protected area (HPA), embedded firmware (e.g., OS ROM) of a consumer electronic device (e.g. Apple IPODTM digitial media player, MP3 player, cell phone or gaming device such as Microsoft XBOXTM or Sony PlayStationTM).
  • HPA Host protected area
  • OS ROM embedded firmware
  • CDA executes, it will communicate with the monitoring server (either CDA initiated or server initiated communication), as described in examples discussed above.
  • CDA functions can be generic functions such as copy to memory, copy from memory and execute from memory. These functions will be executed based on the sequences provided by the monitoring server during the communications with the CDA. These sequences can be executed to copy an application into memory, execute it, and read the results back to the monitoring server.
  • the persistent agent may be programmable, as disclosed above.
  • the persistent servicing Agent may be deployed in various portable and/or personal digital devices, for example:
  • PDA Personal digital assistant
  • Digital media devices such as an MP3 player, digital recorder, portable TV, radio, etc.
  • Wireless devices such as a cellular phone, two-way radio, etc.
  • Handheld devices such as global positioning system (GPS), etc.
  • GPS global positioning system
  • Gaming devices such as portable versions of computer gaming (Nintendo, Sony PlayStation), etc.
  • Agent would be programmed to contact, or be contacted by, a monitoring server proactively. Agent will be in a standby state until the device is connected to the Internet, or connected to another base device (e.g., a personal computer) that is connected to the Internet. Once the device connects to a third party website (such as ITunes), the Agent would use the website's embedded controls to connect to the monitoring server. Alternatively, the Agent could install a copy of itself, or another Agent onto the connected base device to connect to the monitoring server. Once connected, the Agent validates the device's status from the monitoring server.
  • IPODTM digital media player
  • the validation may include checking a unique identification information of the device (e.g., an electronic serial number (ESN), manufacturer's serial number, or a serial number embedded into the Agent). This unique identification information would be matched against a database at the monitoring server. If the portable device is flagged missing (e.g., by the device's original owner or representative), the Agent will trigger the portable device to render itself non-functional (e.g., Data Delete discussed above, or shut off or disable or other similar actions rendering at least certain functions of the portable device inoperable at least to some extent to discourage continue use of the portable device). Alternatively or in addition, the Agent will trigger the device to display informational messages to the person in possession of the portable device. The message could instruct that person to contact the owner, device vendor or an asset tracking company for further information, such as return of device to its owner, associated rewards for return or re-enabling of the device.
  • ESN electronic serial number
  • manufacturer's serial number e.g., manufacturer's serial number, or a serial number embedded into the Agent.
  • the Agent would be programmed to contact a monitoring server proactively (e.g., server initiated or Agent initiated). Once the device is connected to the wireless network, the Agent could use standard communication protocols to communicate with the monitoring server, or alternatively or in addition send SMS messages (or another choice of protocol) to the monitoring server or the owner representative. Once connected, the Agent would validate the device's unique identification information against the database at the monitoring server. The validation may include checking the identification number, such as ESN or serial number of the device (manufacturer's serial number or a serial number embedded into the Agent, or SIM card ID etc. This unique identification information would be matched against a database at the monitoring server.
  • the validation may include checking the identification number, such as ESN or serial number of the device (manufacturer's serial number or a serial number embedded into the Agent, or SIM card ID etc. This unique identification information would be matched against a database at the monitoring server.
  • the agent will trigger the device to render itself non-functional (e.g., Data Delete discussed above, or shut off or disable or other similar actions rendering at least certain functions of the portable device inoperable at least to some extent to discourage continue use of the portable device).
  • the Agent will trigger the device to display informational messages to the person in possession of the portable device. The message could instruct that person to contact the owner, device vendor or an asset tracking company for further information, such as return of device to its owner, associated rewards for return or re-enabling of the device.
  • the Agent would be programmed to contact a monitoring server proactively (e.g., server initiated or Agent initiated). Once the gaming device connects to an online gaming server, the agent could use standard communication protocols (e.g., IP) embedded into the gaming site to communicate with the monitoring server. Alternatively it could send TCP/IP or standard Internet protocols to another third party monitoring server. Once connected, the Agent would validate the device's unique identification information, and take appropriate actions in much the same manner as the earlier embodiments described above.
  • IP IP
  • the servicing Agent as disclosed above has the ability to be persistent in spite of actions that might ordinarily be expected to remove it.
  • the programmable capabilities of the Agent allows its functionality to be extended based on server-driven commands.
  • the invention improves upon the ability for a pre- deployed servicing Agent to remain "active" regardless of the actions of a "user" of the device.
  • the users' actions with respect to the Agent may be intentional or accidental.
  • the invention protects the authorized user from the accidental removal of the servicing Agent, while allowing the legitimate need to disable the Agent (for example at end of life of the computer asset).
  • the invention prevents an unauthorized user from removing the Agent software.
  • the persistent attributes of the present invention have value in both security and asset management applications.
  • the invention is of significant value as it makes theft of a valuable asset much more difficult to disguise, as regardless of actions taken by a thief, the software will persist and make itself available for contacting a remote monitoring center.
  • the persistent nature of the servicing Agent provides peace of mind to security personnel, as it provides confidence that the tracking Agent cannot be accidentally removed, hi the context of a secure asset management application, this is of further value as it ensures continuity of tracking an asset over its whole lifecycle.
  • a key challenge for IT administrators today is the ability to track assets over the whole lifecycle. During the lifecycle devices are frequently transferred from one user to another, during which they may be re-imaged, or have the operating reinstalled or otherwise be subjected to maintenance procedures that render tracking of the asset difficult.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

L'invention concerne un agent de service résistant aux effractions destiné à fournir de différents services (tels que la suppression de données, la protection par la paroi coupe-feu, le chiffrage de données, le suivi de position, la communication de messages et la mise à jour de logiciels) qui comprend des modules fonctionnels multiples, y compris un module de chargeur (CLM) qui effectue le chargement et prend le contrôle pendant POST, indépendamment du système d'exploitation, un module d'installeur adaptatif (AIM) et un agent pilote de communications (CDA). Une fois le contrôle passé au CLM, il charge l'AM, qui a son tour localise, valide, décompresse et adapte le CDA à l'environnement OS détecté. Le CDA existe sous deux formes, un mini-CDA qui détermine si un CDA complet ou courant est situé quelque part dans le dispositif et, dans le cas contraire, charge le CDA à fonctions complètes depuis le réseau; et un CDA à fonctions complètes qui est responsable de toutes les communications entre le dispositif et le serveur de monitorage. Les fonctions de service peuvent être contrôlés par un serveur distant.
PCT/US2006/010381 2005-03-18 2006-03-20 Agent de service persistant WO2006102399A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2008502159A JP2008533621A (ja) 2005-03-18 2006-03-20 永続的サービスエージェント
EP06748543A EP1864238A1 (fr) 2005-03-18 2006-03-20 Agent de service persistant
CA2601260A CA2601260C (fr) 2005-03-18 2006-03-20 Agent de service persistant

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US66349605P 2005-03-18 2005-03-18
US66361505P 2005-03-18 2005-03-18
US60/663,615 2005-03-18
US60/663,496 2005-03-18
US75679606P 2006-01-07 2006-01-07
US60/756,796 2006-01-07

Publications (1)

Publication Number Publication Date
WO2006102399A1 true WO2006102399A1 (fr) 2006-09-28

Family

ID=36778184

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/010381 WO2006102399A1 (fr) 2005-03-18 2006-03-20 Agent de service persistant

Country Status (4)

Country Link
EP (1) EP1864238A1 (fr)
JP (2) JP2008533621A (fr)
CA (1) CA2601260C (fr)
WO (1) WO2006102399A1 (fr)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008090470A2 (fr) 2007-01-16 2008-07-31 Absolute Software Corporation Module de sécurité doté d'un agent secondaire en coordination avec un agent hôte
WO2009122296A2 (fr) 2008-04-02 2009-10-08 Yougetitback Limited Système permettant d'enrayer l'utilisation non autorisée d'un dispositif
WO2009122293A2 (fr) 2008-04-01 2009-10-08 Yougetitback Limited Système pour surveiller l’utilisation non autorisée d’un appareil
WO2009122297A2 (fr) * 2008-04-01 2009-10-08 Yougetitback Limited Système permettant de surveiller l'utilisation non autorisée d'un dispositif
WO2009122290A2 (fr) 2008-04-02 2009-10-08 Yougetitback Limited Système permettant d'enrayer l'utilisation non autorisée d'un dispositif
EP2110767A2 (fr) * 2008-04-15 2009-10-21 Giga-Byte Technology Co., Ltd. Procédé et système anti-effraction pour dispositifs informatiques portables
WO2011021112A1 (fr) * 2009-08-20 2011-02-24 Nds Limited Caractéristiques de sécurité d’un livre électronique
EP2278467A3 (fr) * 2009-06-22 2012-11-07 Uniloc Usa, Inc. Système et procédé de contrôle de l'utilisation de logiciels
WO2013014532A1 (fr) * 2011-07-22 2013-01-31 Yougetitback Limited Systèmes et procédés pour évaluer et atténuer dynamiquement le risque d'une entité assurée
WO2013158789A1 (fr) * 2012-04-18 2013-10-24 Mcafee, Inc. Détection et prévention de l'installation d'applications mobiles malveillantes
US8601606B2 (en) 2002-11-25 2013-12-03 Carolyn W. Hafeman Computer recovery or return
US8881280B2 (en) 2013-02-28 2014-11-04 Uniloc Luxembourg S.A. Device-specific content delivery
US8932368B2 (en) 2008-04-01 2015-01-13 Yougetitback Limited Method for monitoring the unauthorized use of a device
US8949954B2 (en) 2011-12-08 2015-02-03 Uniloc Luxembourg, S.A. Customer notification program alerting customer-specified network address of unauthorized access attempts to customer account
WO2015040459A1 (fr) * 2013-03-15 2015-03-26 Yougetitback Limited Systèmes et procédés pour évaluer et atténuer dynamiquement le risque d'une entité assurée
US9031536B2 (en) 2008-04-02 2015-05-12 Yougetitback Limited Method for mitigating the unauthorized use of a device
US9253308B2 (en) 2008-08-12 2016-02-02 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US9564952B2 (en) 2012-02-06 2017-02-07 Uniloc Luxembourg S.A. Near field authentication through communication of enclosed content sound waves
US9576157B2 (en) 2008-04-02 2017-02-21 Yougetitback Limited Method for mitigating the unauthorized use of a device
US9886599B2 (en) 2008-04-02 2018-02-06 Yougetitback Limited Display of information through auxiliary user interface
US9916481B2 (en) 2008-04-02 2018-03-13 Yougetitback Limited Systems and methods for mitigating the unauthorized use of a device
US10206060B2 (en) 2012-01-04 2019-02-12 Uniloc 2017 Llc Method and system for implementing zone-restricted behavior of a computing device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019089020A1 (fr) 2017-11-01 2019-05-09 Hewlett-Packard Development Company, L.P. Notifications d'événement de non-conformité à des dispositifs auxiliaires

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5680547A (en) * 1993-08-04 1997-10-21 Trend Micro Devices Incorporated Method and apparatus for controlling network and workstation access prior to workstation boot
US5748084A (en) * 1996-11-18 1998-05-05 Isikoff; Jeremy M. Device security system
WO2001084455A1 (fr) * 2000-04-27 2001-11-08 Solagent, Inc. Systeme et procede de communication d'appareil de calcul portable
US20030051090A1 (en) * 2001-09-10 2003-03-13 Bonnett William B. Apparatus and method for secure program upgrade
WO2005096122A1 (fr) * 2004-03-26 2005-10-13 Absolute Software Corporation Agent de service persistant

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0791195A4 (fr) * 1993-08-04 1998-05-20 Trend Micro Devices Inc Procede et dispositif de gestion des acces au reseau et aux stations de travail avant l'initialisation de la station

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5680547A (en) * 1993-08-04 1997-10-21 Trend Micro Devices Incorporated Method and apparatus for controlling network and workstation access prior to workstation boot
US5748084A (en) * 1996-11-18 1998-05-05 Isikoff; Jeremy M. Device security system
WO2001084455A1 (fr) * 2000-04-27 2001-11-08 Solagent, Inc. Systeme et procede de communication d'appareil de calcul portable
US20030051090A1 (en) * 2001-09-10 2003-03-13 Bonnett William B. Apparatus and method for secure program upgrade
WO2005096122A1 (fr) * 2004-03-26 2005-10-13 Absolute Software Corporation Agent de service persistant

Cited By (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8601606B2 (en) 2002-11-25 2013-12-03 Carolyn W. Hafeman Computer recovery or return
WO2008090470A2 (fr) 2007-01-16 2008-07-31 Absolute Software Corporation Module de sécurité doté d'un agent secondaire en coordination avec un agent hôte
WO2009122297A3 (fr) * 2008-04-01 2010-03-25 Yougetitback Limited Système permettant de surveiller l'utilisation non autorisée d'un dispositif
US8932368B2 (en) 2008-04-01 2015-01-13 Yougetitback Limited Method for monitoring the unauthorized use of a device
WO2009122293A2 (fr) 2008-04-01 2009-10-08 Yougetitback Limited Système pour surveiller l’utilisation non autorisée d’un appareil
WO2009122297A2 (fr) * 2008-04-01 2009-10-08 Yougetitback Limited Système permettant de surveiller l'utilisation non autorisée d'un dispositif
US9881152B2 (en) 2008-04-01 2018-01-30 Yougetitback Limited System for monitoring the unauthorized use of a device
US8719909B2 (en) 2008-04-01 2014-05-06 Yougetitback Limited System for monitoring the unauthorized use of a device
CN102084372A (zh) * 2008-04-01 2011-06-01 优盖提特拜克有限公司 用于监视对设备的未授权使用的系统
WO2009122293A3 (fr) * 2008-04-01 2010-03-11 Yougetitback Limited Système pour surveiller l’utilisation non autorisée d’un appareil
US9916481B2 (en) 2008-04-02 2018-03-13 Yougetitback Limited Systems and methods for mitigating the unauthorized use of a device
WO2009122296A2 (fr) 2008-04-02 2009-10-08 Yougetitback Limited Système permettant d'enrayer l'utilisation non autorisée d'un dispositif
WO2009122296A3 (fr) * 2008-04-02 2010-03-11 Yougetitback Limited Système permettant d'enrayer l'utilisation non autorisée d'un dispositif
CN102084371A (zh) * 2008-04-02 2011-06-01 优盖提特拜克有限公司 用于缓解对设备的未授权使用的系统
US8248237B2 (en) 2008-04-02 2012-08-21 Yougetitback Limited System for mitigating the unauthorized use of a device
US9031536B2 (en) 2008-04-02 2015-05-12 Yougetitback Limited Method for mitigating the unauthorized use of a device
US9576157B2 (en) 2008-04-02 2017-02-21 Yougetitback Limited Method for mitigating the unauthorized use of a device
US9886599B2 (en) 2008-04-02 2018-02-06 Yougetitback Limited Display of information through auxiliary user interface
US9838877B2 (en) 2008-04-02 2017-12-05 Yougetitback Limited Systems and methods for dynamically assessing and mitigating risk of an insured entity
WO2009122290A3 (fr) * 2008-04-02 2010-03-25 Yougetitback Limited Système permettant d'enrayer l'utilisation non autorisée d'un dispositif
WO2009122290A2 (fr) 2008-04-02 2009-10-08 Yougetitback Limited Système permettant d'enrayer l'utilisation non autorisée d'un dispositif
EP2110767A2 (fr) * 2008-04-15 2009-10-21 Giga-Byte Technology Co., Ltd. Procédé et système anti-effraction pour dispositifs informatiques portables
EP2110767A3 (fr) * 2008-04-15 2009-12-16 Giga-Byte Technology Co., Ltd. Procédé et système anti-effraction pour dispositifs informatiques portables
US9699604B2 (en) 2008-08-12 2017-07-04 Apogee Technology Consultants, Llc Telemetric tracking of a portable computing device
US9686640B2 (en) 2008-08-12 2017-06-20 Apogee Technology Consultants, Llc Telemetric tracking of a portable computing device
US9679154B2 (en) 2008-08-12 2017-06-13 Apogee Technology Consultants, Llc Tracking location of portable computing device
US9253308B2 (en) 2008-08-12 2016-02-02 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US9674651B2 (en) 2008-08-12 2017-06-06 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US9369836B2 (en) 2008-08-12 2016-06-14 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US9380416B2 (en) 2008-08-12 2016-06-28 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
US9392401B2 (en) 2008-08-12 2016-07-12 Apogee Technology Consultants, Llc Portable computing device with data encryption and destruction
EP2278467A3 (fr) * 2009-06-22 2012-11-07 Uniloc Usa, Inc. Système et procédé de contrôle de l'utilisation de logiciels
WO2011021112A1 (fr) * 2009-08-20 2011-02-24 Nds Limited Caractéristiques de sécurité d’un livre électronique
CN104380298A (zh) * 2011-07-22 2015-02-25 优盖提特拜克有限公司 用于动态地评估和减轻被保险实体风险的系统和方法
WO2013014532A1 (fr) * 2011-07-22 2013-01-31 Yougetitback Limited Systèmes et procédés pour évaluer et atténuer dynamiquement le risque d'une entité assurée
US8949954B2 (en) 2011-12-08 2015-02-03 Uniloc Luxembourg, S.A. Customer notification program alerting customer-specified network address of unauthorized access attempts to customer account
US10206060B2 (en) 2012-01-04 2019-02-12 Uniloc 2017 Llc Method and system for implementing zone-restricted behavior of a computing device
US9564952B2 (en) 2012-02-06 2017-02-07 Uniloc Luxembourg S.A. Near field authentication through communication of enclosed content sound waves
US10068224B2 (en) 2012-02-06 2018-09-04 Uniloc 2017 Llc Near field authentication through communication of enclosed content sound waves
US9596257B2 (en) 2012-04-18 2017-03-14 Mcafee, Inc. Detection and prevention of installation of malicious mobile applications
US9152784B2 (en) 2012-04-18 2015-10-06 Mcafee, Inc. Detection and prevention of installation of malicious mobile applications
WO2013158789A1 (fr) * 2012-04-18 2013-10-24 Mcafee, Inc. Détection et prévention de l'installation d'applications mobiles malveillantes
US9294491B2 (en) 2013-02-28 2016-03-22 Uniloc Luxembourg S.A. Device-specific content delivery
US8881280B2 (en) 2013-02-28 2014-11-04 Uniloc Luxembourg S.A. Device-specific content delivery
WO2015040459A1 (fr) * 2013-03-15 2015-03-26 Yougetitback Limited Systèmes et procédés pour évaluer et atténuer dynamiquement le risque d'une entité assurée

Also Published As

Publication number Publication date
EP1864238A1 (fr) 2007-12-12
JP2013008400A (ja) 2013-01-10
JP5508502B2 (ja) 2014-06-04
JP2008533621A (ja) 2008-08-21
CA2601260C (fr) 2016-05-03
CA2601260A1 (fr) 2006-09-28

Similar Documents

Publication Publication Date Title
US9465959B2 (en) Persistent agent supported by processor
CA2601260C (fr) Agent de service persistant
CA2561130C (fr) Agent de service persistant
AU2009279430B2 (en) Secure computing environment to address theft and unauthorized access
US9117092B2 (en) Approaches for a location aware client
AU2010315412B2 (en) Approaches for ensuring data security
JP5959749B2 (ja) 悪意のあるソフトウェアによるアタックからオペレーティングシステムを保護する方法

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2006748543

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2601260

Country of ref document: CA

ENP Entry into the national phase

Ref document number: 2008502159

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU