Patents by Inventor Alexey Polyakov

Alexey Polyakov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10838736
    Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.
    Type: Grant
    Filed: July 26, 2018
    Date of Patent: November 17, 2020
    Assignee: VMware, Inc.
    Inventors: Ahmad Bilal, Alexey Polyakov, Tomas Vetrovsky
  • Publication number: 20200167473
    Abstract: Disclosed are various examples for dynamic application deployment in trusted code environments. In some embodiments, an application is identified for installation on a client device. The client device includes a security process that limits the client device to execute trusted code based on a trusted code policy. Characteristics of a file are identified from an installation package for a client application. A management agent is instructed to update the trusted code policy to whitelist the file by providing the characteristics of the executable file to the security process. A command to install the application is transmitted to the management agent, where the management agent is a trusted installer for the client device.
    Type: Application
    Filed: November 26, 2018
    Publication date: May 28, 2020
    Inventors: Alexey Polyakov, Ondrej Stastny, David Field, Tomas Vetrovsky, Ahmad Bilal
  • Publication number: 20200034155
    Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.
    Type: Application
    Filed: July 26, 2018
    Publication date: January 30, 2020
    Inventors: Ahmad Bilal, Alexey Polyakov, Tomas Vetrovsky
  • Patent number: 9723290
    Abstract: A method for generating a stereoscopic video stream (101) having composite images (C) that include information about a right image (R) and a left image (L), as well as at least one depth map, includes selecting pixels from the right image (R) and from the left image (L), and then entering the selected pixels into a composite image (C) of the stereoscopic video stream. The method also provides for entering all the pixels of the right image (R) and all the pixels of the left image (L) into the composite image (C) by leaving one of said two images unchanged and breaking up the other one into regions (R1, R2, R3) having a plurality of pixels. The pixels of the depth map(s) are then entered into that region of the composite image which is not occupied by pixels of the right and left images.
    Type: Grant
    Filed: March 6, 2013
    Date of Patent: August 1, 2017
    Assignee: S.I.SV.EL Societa' Italiana Per Lo Sviluppo Dell'elettronica S.P.A.
    Inventors: Paolo D'Amato, Giovanni Ballocca, Fedor Bushlanov, Alexey Polyakov
  • Publication number: 20150215599
    Abstract: A method for generating a stereoscopic video stream (101) having composite images (C) that include information about a right image (R) and a left image (L), as well as at least one depth map, includes selecting pixels from the right image (R) and from the left image (L), and then entering the selected pixels into a composite image (C) of the stereoscopic video stream. The method also provides for entering all the pixels of the right image (R) and all the pixels of the left image (L) into the composite image (C) by leaving one of said two images unchanged and breaking up the other one into regions (R1, R2, R3) having a plurality of pixels. The pixels of the depth map(s) are then entered into that region of the composite image which is not occupied by pixels of the right and left images.
    Type: Application
    Filed: March 6, 2013
    Publication date: July 30, 2015
    Inventors: Paolo D'Amato, Giovanni Ballocca, Fedor Bushlanov, Alexey Polyakov
  • Patent number: 8863284
    Abstract: Disclosed are systems, methods and computer program products for determining a security status of at least one potentially malicious file in a customer network. An example method comprises receiving, by a client computer system, client heuristics information from a server system for determining a security status of client data generated by at least one client application; monitoring and identifying at least one suspicious file of the client data as a potentially malicious file by analyzing metadata associated with the at least one suspicious file using the client heuristics information; collecting threat-identification information of the potentially malicious file to exclude confidential information associated with a content of the potentially malicious file; transmitting the threat-identification information to the server system for determining a security status of the potentially malicious file; and receiving security tools from the server system to block or remove the potentially malicious file.
    Type: Grant
    Filed: May 26, 2014
    Date of Patent: October 14, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Alexey A. Polyakov, Konstantin V. Sapronov
  • Patent number: 8739287
    Abstract: A server system that includes one or more processors and memory receives, from a client, metadata for a plurality of suspicious files for which the client was unable to conclusively determine a security status. The server system also analyzes the metadata using threat-identification information to identify potentially malicious files and requests authorization to receive the potentially malicious files from the client. In response to the request, upon authorization for the server system to receive the potentially malicious files, the server system automatically receives one or more potentially malicious files from the client that were authorized based on a confidentiality level of the potentially malicious files.
    Type: Grant
    Filed: October 10, 2013
    Date of Patent: May 27, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Alexey A. Polyakov, Konstantin V. Sapronov
  • Patent number: 8719935
    Abstract: An anti-malware system that reduces the likelihood of detecting a false positive. The system is applied in an enterprise network in which a server receives reports of suspected malware from multiple hosts. Files on hosts suspected of containing malware are compared to control versions of those files. A match between a suspected file and a control version is used as an indication that the malware report is a false positive. Such an indication may be used in conjunction with other information, such as whether other hosts similarly report suspect files that match control versions or whether the malware report is generated by a recently changed component of the anti-malware system.
    Type: Grant
    Filed: January 8, 2010
    Date of Patent: May 6, 2014
    Assignee: Microsoft Corporation
    Inventors: Alexey A. Polyakov, Ravi Bikkula
  • Patent number: 8667583
    Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.
    Type: Grant
    Filed: September 22, 2008
    Date of Patent: March 4, 2014
    Assignee: Microsoft Corporation
    Inventors: Alexey Polyakov, Marc Seinfeld, Jigar J. Mody, Ning Sun, Tony Lee, Chengyun Chu
  • Patent number: 8201253
    Abstract: A method and system in a computing device for performing security related functions as part of a process created to execute a software component that may be unrelated to security is provided. The security system provides security code that performs one or more security related functions. When a process is created to execute the code of a software component, the security system causes the security code to be executed before the execution of the code of the software component. One security related function of the security code may be to cause the operating system to maintain information about the process as long as the process exists. If the operating system later reports that the process no longer exists but the information is still being maintained, then the security system can assume that malware is attempting to hide the process.
    Type: Grant
    Filed: July 15, 2005
    Date of Patent: June 12, 2012
    Assignee: Microsoft Corporation
    Inventors: Lee Guang Yan, Alexey A. Polyakov
  • Patent number: 8042186
    Abstract: Disclosed are systems, methods and computer program products for detection of malware with complex infection patterns. The system provides enhanced protection against malware by identifying potentially harmful software objects, monitoring execution of various processes and threads of potentially harmful objects, compiling contexts of events of execution of the monitored processes and threads, and merging contexts of related processes and threads. Based on the analysis of the individual and merged object contexts using malware behavior rules, the system allows detection of malicious objects that have simple and complex behavior patterns.
    Type: Grant
    Filed: April 28, 2011
    Date of Patent: October 18, 2011
    Assignee: Kaspersky Lab ZAO
    Inventors: Alexey A. Polyakov, Vladislav V. Martynenko, Yuri G. Slobodyanuk, Denis A. Nazarov, Mikhail A. Pavlyushchik
  • Publication number: 20110173698
    Abstract: An anti-malware system that reduces the likelihood of detecting a false positive. The system is applied in an enterprise network in which a server receives reports of suspected malware from multiple hosts. Files on hosts suspected of containing malware are compared to control versions of those files. A match between a suspected file and a control version is used as an indication that the malware report is a false positive. Such an indication may be used in conjunction with other information, such as whether other hosts similarly report suspect files that match control versions or whether the malware report is generated by a recently changed component of the anti-malware system.
    Type: Application
    Filed: January 8, 2010
    Publication date: July 14, 2011
    Applicant: Microsoft Corporation
    Inventors: Alexey A. Polyakov, Ravi Bikkula
  • Patent number: 7809670
    Abstract: The present invention is directed to a method and system for automatically classifying an application into an application group which is previously classified in a knowledge base. More specifically, a runtime behavior of an application is captured as a series of events which are monitored and recorded during the execution of the application. The series of events are analyzed to find a proper application group which shares common runtime behavior patterns with the application. The knowledge base of application groups is previously constructed based on a large number of sample applications. The construction of the knowledge base is done in such a manner that each sample application can be classified into application groups based on a set of classification rules in the knowledge base. The set of classification rules are applied to a new application in order to classify the new application into one of the application groups.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: October 5, 2010
    Assignee: Microsoft Corporation
    Inventors: Tony Lee, Jigar J. Mody, Ying Lena Lin, Adrian M. Marinescu, Alexey A. Polyakov
  • Publication number: 20100077481
    Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.
    Type: Application
    Filed: September 22, 2008
    Publication date: March 25, 2010
    Applicant: Microsoft Corporation
    Inventors: Alexey Polyakov, Marc Seinfeld, Jigar J. Mody, Ning Sun, Tony Lee, Chengyun Chu
  • Patent number: 7647636
    Abstract: A generic RootKit detector is disclosed that identifies when malware, commonly known as a RootKit, is resident on a computer. In one embodiment, the generic RootKit detector performs a method that compares the properties of different versions of a library used by the operating system to provide services to an application program. In this regard, when a library is loaded into memory, an aspect of the generic RootKit detector compares two versions of the library: a potentially infected version in memory and a second version stored in a protected state on a storage device. If certain properties of the first version of the library are different from the second version, a determination is made that a RootKit is infecting the computer.
    Type: Grant
    Filed: August 24, 2005
    Date of Patent: January 12, 2010
    Assignee: Microsoft Corporation
    Inventors: Alexey A. Polyakov, Neil A. Cowie
  • Patent number: 7636946
    Abstract: Aspects of the subject matter described herein relate to antivirus protection and transactions. In aspects, a filter detects that a file is participating in a transaction and then may cause the file to be scanned together with any changes that have been made to the file during the transaction. After a file is scanned, a cache entry may be updated to indicate that the file is clean. The cache entry may be used subsequently for like-type states. For example, if the file was scanned inside a transaction, the cache entry may be used later in the transaction. If the file was scanned outside a transaction, the cache entry may be used later for requests pertaining to files not in a transaction. Cache entries may be discarded when they are invalid or no longer useful.
    Type: Grant
    Filed: March 15, 2006
    Date of Patent: December 22, 2009
    Assignee: Microsoft Corporation
    Inventors: Surendra Verma, Dana D. Groff, Jonathan M. Cargille, Andrew M. Herron, Christian G. Allred, Neal R. Christiansen, Alexey A. Polyakov
  • Patent number: 7571482
    Abstract: Embodiments of a RootKit detector are directed to identifying a RootKit on a computer that is designed to conceal malware. Aspects of the RootKit detector leverage services provided by kernel debugger facilities to automatically obtain data in specified data structures that are maintained by an operating system. Then the data obtained from the kernel debugger facilities is processed with an integrity checker that determines whether the data contains properties sufficient to declare that a RootKit is resident on the computer.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Alexey A. Polyakov, Gretchen L. Loihle, Mihai Costea, Robert J. Hensing, Jr., Scott A. Field, Vincent R. Orgovan, Yi-Min Wang, Yun Lin
  • Publication number: 20080016572
    Abstract: To detect the presence of malicious software in a system, selected data in memory of the system is stored in a designated storage location and analyzed by a known safe operating system. In an example configuration, a snapshot of system memory is downloaded to a dedicated device coupled to the motherboard of the system. A clean, uncorrupted operating system is loaded into the dedicated device, and the snapshot is analyzed utilizing the clean operating system. If malicious software is detected, the system is repaired using the clean operating system. In an example embodiment, this process is initiated when the system goes into a hibernation state, and/or during a system restoration operation.
    Type: Application
    Filed: July 12, 2006
    Publication date: January 17, 2008
    Applicant: Microsoft Corporation
    Inventors: Ryan M. Burkhardt, Alexey Polyakov
  • Publication number: 20080005797
    Abstract: Generally described, the present invention is directed at identifying malware. In one embodiment, a method is provided that performs a search for malware during the boot process. More specifically, the method causes a software module configured to scan for malware to be initialized at computer start up. Then, in response to identifying the occurrence of a scanning event, the method causes the software module to search computer memory for data that is characteristic of malware. If data characteristic of malware is identified, the method handles the malware infection.
    Type: Application
    Filed: June 30, 2006
    Publication date: January 3, 2008
    Applicant: Microsoft Corporation
    Inventors: Scott A Field, Rohan R. Phillips, Alexey A. Polyakov
  • Publication number: 20070180530
    Abstract: Aspects of the subject matter described herein relate to antivirus protection and transactions. In aspects, a filter detects that a file is participating in a transaction and then may cause the file to be scanned together with any changes that have been made to the file during the transaction. After a file is scanned, a cache entry may be updated to indicate that the file is clean. The cache entry may be used subsequently for like-type states. For example, if the file was scanned inside a transaction, the cache entry may be used later in the transaction. If the file was scanned outside a transaction, the cache entry may be used later for requests pertaining to files not in a transaction. Cache entries may be discarded when they are invalid or no longer useful.
    Type: Application
    Filed: March 15, 2006
    Publication date: August 2, 2007
    Applicant: Microsoft Corporation
    Inventors: Surendra Verma, Dana Groff, Jonathan Cargille, Andrew Herron, Christian Allred, Neal Christiansen, Alexey Polyakov