Patents by Inventor Ahmed Said Sallam

Ahmed Said Sallam has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8813227
    Abstract: A system for securing an electronic device may include a memory; a processor; one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: August 19, 2014
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Publication number: 20140196146
    Abstract: A system, method and computer program product are provided. In use, a COM server dynamic link library is identified. Further, an emulation layer is inserted in association with the COM server dynamic link library to emulate interfaces exported by the COM server dynamic link library. As an option, it may be determined whether the COM server DLL is loaded, and the emulation layer may be inserted in response to the determination.
    Type: Application
    Filed: July 11, 2006
    Publication date: July 10, 2014
    Inventor: Ahmed Said Sallam
  • Publication number: 20140130157
    Abstract: A method for analyzing a computing system includes the steps of at a first moment in time, scanning the resources of the computing system for indications of malware, at a second moment in time scanning the resources of the computing system for indications of malware and determining the system executable objects loaded on the computing system, determining malware system changes, identifying a relationship between the malware system changes and the system executable objects loaded on the computing system, and identifying as suspected malware the system executable objects loaded on the computing system which have a relationship with the malware system changes. The malware system changes include differences between the results of scanning the resources of the computing system for indications of malware at the second and first moment of time.
    Type: Application
    Filed: November 5, 2012
    Publication date: May 8, 2014
    Inventor: Ahmed Said Sallam
  • Patent number: 8650641
    Abstract: A system for protecting an electronic system against malware includes an operating system configured to execute on the electronic device, a driver coupled to the operating system, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources for changing filters of the driver, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic system accessing the one or more resources for changing filters of the driver.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: February 11, 2014
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 8650642
    Abstract: A below-operating system security agent may be configured to: (i) trap attempted accesses to the components of the operating system and the set of drivers executing on the electronic device; (ii) in response to trapping an attempted access, compare contextual information associated with the attempted access to an access map; and (iii) determine if the attempted access is trusted based on the comparison. The access map may be generated by: (i) trapping, at a level below all of the operating systems of a second electronic device accessing components of the second operating system and the second set of drivers executing on the second electronic device and each substantially free of malware, accesses to components of the second operating system and the second set of drivers executing on the second electronic device; and (ii) in response to trapping the accesses, recording contextual information regarding the accesses to the access map.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: February 11, 2014
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 8621620
    Abstract: In one embodiment, a system for securing a storage device includes an electronic device comprising a processor, a storage device communicatively coupled to the processor, and a security agent. The security agent is configured to execute at a level below all of the operating systems of the electronic device, intercept a request to access the storage device, identify a requesting entity responsible for initiating the request, and utilize one or more security rules to determine if the request from the requesting entity is authorized. In some embodiments, the security agent is configured to determine whether the request involves a protected area of the storage device. If the request involves a protected area of the storage device, the security agent may be configured to allow the request if the requesting entity is authorized to access the protected area of the storage device.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: December 31, 2013
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 8613006
    Abstract: A system, method, and computer program product are provided for terminating a hidden kernel process. In use, a hidden kernel process structure associated with a hidden kernel process is identified. In addition, the hidden kernel process structure is inserted into an active process list. Further, the hidden kernel process is terminated.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: December 17, 2013
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 8549648
    Abstract: A security module may be configured to execute on the electronic device at a level below all of the operating systems of an electronic device accessing the one or more system resources. The security module may be configured to: trap one or more attempts to access system resources of the electronic device, the one or more attempts made from a less privileged ring of execution than the first security module; record information identifying one or more processes attempting to access the system resources of the electronic device; compare the information identifying one or more processes attempting to access the system resources with the enumerated one or more processes visible to the operating system; and based on the comparison, determine one or more hidden processes, the hidden processes determined by at least identifying processes whose information was recorded by the first security module but were not enumerated by the second security module.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: October 1, 2013
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 8549644
    Abstract: A method for protecting an electronic device against malware includes consulting one or more security rules to determine a processor resource to protect, in a module below the level of all operating systems of the electronic device, intercepting an attempted access of the processor resource, accessing a processor resource control structure to determine a criteria by which the attempted access will be trapped, trapping the attempted access if the criteria is met, and consulting the one or more security rules to determine whether the attempted access is indicative of malware. The attempted access originates from the operational level of one of one or more operating systems of the electronic device.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: October 1, 2013
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Publication number: 20130247024
    Abstract: A system, method, and computer program product are provided for populating a list of known wanted data. In use, an update to data is identified. In addition, a list of known wanted data is populated with the data, in response to the update.
    Type: Application
    Filed: March 31, 2008
    Publication date: September 19, 2013
    Inventor: Ahmed Said Sallam
  • Patent number: 8527978
    Abstract: A system, method, and computer program product are provided for populating a list of known wanted data. In use, an update to data is identified. In addition, a list of known wanted data is populated with the data, in response to the update.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: September 3, 2013
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 8474039
    Abstract: A method for detecting malware memory infections includes the steps of scanning a memory on an electronic device, determining a suspicious entry present in the memory, accessing information about the suspicious entry in a reputation system, and evaluating whether the suspicious entry indicates a malware memory infection. The memory includes memory known to be modified by malware. The suspicious entry is not recognized as a safe entry. The reputation system is configured to store information on suspicious entries. The evaluation is based upon historical data regarding the suspicious entry.
    Type: Grant
    Filed: January 27, 2010
    Date of Patent: June 25, 2013
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 8458794
    Abstract: A system, method, and computer program product are provided for determining whether a hook is associated with potentially unwanted activity. In use, a hook is identified in a data section or a code section. Additionally, a first enumeration of objects associated with the data section or the code section is performed, and a second enumeration of objects associated with the data section or the code section is performed. Further, results of the first enumeration and results of the second enumeration are compared for determining whether the hook is associated with potentially unwanted activity.
    Type: Grant
    Filed: September 6, 2007
    Date of Patent: June 4, 2013
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 8365276
    Abstract: A system, method and computer program product are provided for sending, to a central system, information associated with unwanted activity. In use, information associated with unwanted activity is identified utilizing a plurality of different types of security systems. Further, the information is sent to a central system.
    Type: Grant
    Filed: December 10, 2007
    Date of Patent: January 29, 2013
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 8307434
    Abstract: A method for analyzing a computing system includes the steps of at a first moment in time, scanning the resources of the computing system for indications of malware, at a second moment in time scanning the resources of the computing system for indications of malware and determining the system executable objects loaded on the computing system, determining malware system changes, identifying a relationship between the malware system changes and the system executable objects loaded on the computing system, and identifying as suspected malware the system executable objects loaded on the computing system which have a relationship with the malware system changes. The malware system changes include differences between the results of scanning the resources of the computing system for indications of malware at the second and first moment of time.
    Type: Grant
    Filed: January 27, 2010
    Date of Patent: November 6, 2012
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Patent number: 8291494
    Abstract: A system, method, and computer program product are provided for detecting unwanted activity associated with an object, based on an attribute associated with the object. In use, an object is labeled with an attribute of a predetermined behavior based on detection of the predetermined behavior in association with the object. Additionally, unwanted activity associated with the object is detected, utilizing the attribute.
    Type: Grant
    Filed: July 8, 2008
    Date of Patent: October 16, 2012
    Assignee: McAfee, Inc.
    Inventors: Ahmed Said Sallam, Joel R. Spurlock
  • Patent number: 8285958
    Abstract: A system, method, and computer program product are provided for copying a modified page table entry to a translation look aside buffer. In use, a page table entry corresponding to an original page associated with original code is identified. In addition, a page mapping in a translation look aside buffer is invalidated by calling a processor instruction that invalidates the page mapping. Further, the page table entry is modified to correspond to a different page associated with different code. Still yet, an instruction of the different code is accessed for prompting a processor to copy the modified page table entry to the translation look aside buffer. Moreover, the modified page table entry is restored to correspond to the original page associated with the original code.
    Type: Grant
    Filed: August 10, 2007
    Date of Patent: October 9, 2012
    Assignee: McAfee, Inc.
    Inventor: Ahmed Said Sallam
  • Publication number: 20120255013
    Abstract: A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to detect presence of malicious code, and in response to detecting presence of the malicious code, modify the malicious code.
    Type: Application
    Filed: March 29, 2011
    Publication date: October 4, 2012
    Applicant: MCAFEE, INC.
    Inventor: Ahmed Said Sallam
  • Publication number: 20120254982
    Abstract: In one embodiment, a system for securing a storage device includes an electronic device comprising a processor, a storage device communicatively coupled to the processor, and a security agent. The security agent is configured to execute at a level below all of the operating systems of the electronic device, intercept a request to access the storage device, identify a requesting entity responsible for initiating the request, and utilize one or more security rules to determine if the request from the requesting entity is authorized. In some embodiments, the security agent is configured to determine whether the request involves a protected area of the storage device. If the request involves a protected area of the storage device, the security agent may be configured to allow the request if the requesting entity is authorized to access the protected area of the storage device.
    Type: Application
    Filed: March 29, 2011
    Publication date: October 4, 2012
    Applicant: MCAFEE, INC.
    Inventor: Ahmed Said Sallam
  • Publication number: 20120254993
    Abstract: A system for securing an electronic device includes a memory, a processor, one or more operating systems residing in the memory for execution by the processor, a resource of the electronic device communicatively coupled to the operating system, a virtual machine monitor configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the resource, and a security agent configured to execute on the electronic device at a level below all operating systems of the electronic device accessing the resource. The virtual machine monitor is configured to intercept a request of the resource made from a level above the virtual machine monitor and inform the security agent of the request. The security agent is configured to determine whether the request is indicative of malware.
    Type: Application
    Filed: March 28, 2011
    Publication date: October 4, 2012
    Applicant: McAfee, Inc.
    Inventor: Ahmed Said Sallam