Abstract: A method is provided for protecting a computer system, comprising creating an isolated process, then assigning a first process group to the process; creating an additional group process within the first process group; performing a first determination by an application programming interface (API) that the additional group process is within the first process group, and as a result of the first determination, causing the additional group process to inherit and duplicate a handle of the process. Process communications and control within isolated groups is permitted freely, whereas process control by an isolated process for non-isolated processes or isolated processes in different groups is constrained or prohibited.

Abstract: A method is provided for protecting a computer system, comprising creating an isolated process, then assigning a first process group to the process; creating an additional group process within the first process group; performing a first determination by an application programming interface (API) that the additional group process is within the first process group, and as a result of the first determination, causing the additional group process to inherit and duplicate a handle of the process. Process communications and control within isolated groups is permitted freely, whereas process control by an isolated process for non-isolated processes or isolated processes in different groups is constrained or prohibited.

Abstract: A method is provided for protecting a computer system, comprising creating an isolated process, then assigning a first process group to the process; creating an additional group process within the first process group; performing a first determination by an application programming interface (API) that the additional group process is within the first process group, and as a result of the first determination, causing the additional group process to inherit and duplicate a handle of the process. Process communications and control within isolated groups is permitted freely, whereas process control by an isolated process for non-isolated processes or isolated processes in different groups is constrained or prohibited.

Abstract: A method is provided for protecting a computer system, comprising: attaching a security descriptor to a process running on a processor of the computer system; associating with the security descriptor an isolation indicator that indicates the process runs in an isolation mode; calling a system routine by the isolated process that is also callable by a process that is not running in isolation mode; attempting to write to an object of a disk or a registry by the system routine called by the isolated process; determining whether the system routine is requesting the write on behalf of the isolated process or not; if the write is requested on behalf of the isolated process, then performing the write in a pseudo storage area; and if the write is requested on behalf of the non-isolated process, then performing the write in an actual storage area in which the disk or registry resides.