Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; instructions encoded within the memory to instruct the processor to: identify a downloaded file on a file system; inspect a metadata object attached to the downloaded file; parse the metadata object to extract an advertiser identification string from a GET code portion of a uniform resource locator (URL); query a reputation cache for a reputation for the advertiser identification string; receive a deceptive reputation for the advertiser identification string; and take a remedial action against the downloaded file.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; instructions encoded within the memory to instruct the processor to: identify a downloaded file on a file system; inspect a metadata object attached to the downloaded file; parse the metadata object to extract an advertiser identification string from a GET code portion of a uniform resource locator (URL); query a reputation cache for a reputation for the advertiser identification string; receive a deceptive reputation for the advertiser identification string; and take a remedial action against the downloaded file.

Abstract: A method in one example implementation includes selecting at least one criterion for controlling data transmission from within a virtual machine. At least one application is included within the virtual machine, which includes a policy module. The selected criterion corresponds to at least one policy associated with the policy module. The method also includes evaluating the selected criterion of the policy to permit an attempt to transmit the data from within the virtual machine. In more specific embodiments, the policy may include a plurality of criteria with a first selected criterion permitting transmission of the data to a first application and a second selected criterion prohibiting transmission of the data to a second application. In another specific embodiment, the method may include updating the policy module through an administration module to modify the selected criterion.

Abstract: A method in one example implementation includes selecting at least one criterion for controlling data transmission from within a virtual machine. At least one application is included within the virtual machine, which includes a policy module. The selected criterion corresponds to at least one policy associated with the policy module. The method also includes evaluating the selected criterion of the policy to permit an attempt to transmit the data from within the virtual machine. In more specific embodiments, the policy may include a plurality of criteria with a first selected criterion permitting transmission of the data to a first application and a second selected criterion prohibiting transmission of the data to a second application. In another specific embodiment, the method may include updating the policy module through an administration module to modify the selected criterion.

Abstract: A system, method, and computer program product are provided for detecting unwanted data based on an analysis of an icon. In use, an icon is analyzed. Furthermore, unwanted data is detected based on the analysis.

Abstract: A system, method, and computer program product are provided for detecting unwanted data based on an analysis of an icon. In use, an icon is analyzed. Furthermore, unwanted data is detected based on the analysis.

Abstract: A system, method, and computer program product are provided for detecting unwanted data based on an analysis of an icon. In use, an icon is analyzed. Furthermore, unwanted data is detected based on the analysis.

Abstract: An anti-virus system provider distributes an e-mail identifying content filtering rule seeking to identify e-mail messages suspected of containing an item of malware from a central source (20) to users (2). This distribution may be by an e-mail message itself which is appropriately signed and encrypted. At the user system (2), the received e-mail identifying content filtering rule is extracted from the e-mail message and added to the content filtering rules (18) being applied within that user system. In this way, malware which is distributed by e-mail may be identified by characteristics of its carrier e-mail rather than characteristics of the malware itself which not yet have been properly analyzed or the mechanisms for detecting such characteristics of the malware itself not yet put in place.

Abstract: A method for malware protection includes receiving detection information for detecting malware on an electronic device, accessing historical information of an electronic device, comparing the detection information to the historical information, and based on the comparison of the detection information with the historical information, alerting a user of the electronic device of risks of malware evidenced by the historical information. Comparing detection information to historical information includes determining that information from a first category of historical information is associated with a source of malware, cross-referencing information from a second category of historical information to the information from the first category, and associating the information from the second category with the malware.

Abstract: A method for defining an area to record changes made to a computer system is disclosed. The method includes defining a safe area on a primary storage device of the computer system and storing information on the location of the safe area on a secondary storage device. The method further includes booting the computer system utilizing a backup device and changing data on the primary storage device. The changes are recorded in the safe area of the primary storage device and are accessible when the computer system is booted from the backup device.

Abstract: A method for defining an area to record changes made to a computer system is provided. A safe area is defined on a primary storage device of the computer system and information is stored on the location of the safe area on a secondary storage device. Further, the computer system is booted utilizing a backup device and data is changed on the primary storage device. The changes are recorded in the safe area of the primary storage device and are accessible when the computer system is booted from the backup device.

Abstract: An anti-virus system provider distributes an e-mail identifying content filtering rule seeking to identify e-mail messages suspected of containing an item of malware from a central source (20) to users (2). This distribution may be by an e-mail message itself which is appropriately signed and encrypted. At the user system (2), the received e-mail identifying content filtering rule is extracted from the e-mail message and added to the content filtering rules (18) being applied within that user system. In this way, malware which is distributed by e-mail may be identified by characteristics of its carrier e-mail rather than characteristics of the malware itself which not yet have been properly analysed or the mechanisms for detecting such characteristics of the malware itself not yet put in place.

Abstract: A method in one example implementation includes selecting at least one criterion for controlling data transmission from within a virtual machine. At least one application is included within the virtual machine, which includes a policy module. The selected criterion corresponds to at least one policy associated with the policy module. The method also includes evaluating the selected criterion of the policy to permit an attempt to transmit the data from within the virtual machine. In more specific embodiments, the policy may include a plurality of criteria with a first selected criterion permitting transmission of the data to a first application and a second selected criterion prohibiting transmission of the data to a second application. In another specific embodiment, the method may include updating the policy module through an administration module to modify the selected criterion.

Abstract: An anti-virus system provider distributes an e-mail identifying content filtering rule seeking to identify e-mail messages suspected of containing an item of malware from a central source (20) to users (2). This distribution may be by an e-mail message itself which is appropriately signed and encrypted. At the user system (2), the received e-mail identifying content filtering rule is extracted from the e-mail message and added to the content filtering rules (18) being applied within that user system. In this way, malware which is distributed by e-mail may be identified by characteristics of its carrier e-mail rather than characteristics of the malware itself which not yet have been properly analyzed or the mechanisms for detecting such characteristics of the malware itself not yet put in place.

Abstract: A user of a computer system is provided with warning of unexpected or covert installation attempts using a malware or anti-virus detection engine. Even though the files that are unexpectedly attempted to be installed may be legitimate, rather than malware, the malware detection software is modified or configured to detect the unexpected installation and provide the user with an opportunity to abort the installation. A method of controlling installation of software in a computer system comprises detecting an attempt to install software on the computer system, identifying the software that was attempted to be installed, taking an action in response to identifying the software that was attempted to be installed.

Abstract: The present invention provides a computer program product, method and data processing apparatus for reviewing files for potential malware. The computer program product comprises logging code operable to maintain a statistical log having an entry for each file sent for review, each entry being arranged to store a count value indicating the number of times that the file has been sent for review and a value of one or more predetermined attributes relating to the file. Weighting table code is also used to maintain a weighting table identifying, for each value of said one or more predetermined attributes, a weighting indicating the likelihood that a file having that value of the one or more predetermined attributes will be malware.

Abstract: A system, method and computer program product are provided for preventing writes to critical files. Initially, factors associated with a computer are identified. Then, requests to write to files on the computer are monitored. The writes to the files on the computer are conditionally prevented based on the factors to prevent virus proliferation. In use, the factors are altered based on the monitoring of the requests.

Abstract: An anti-computer virus system is used to enforce the banning of computer programs. A user is provided with a tool for creating their own banned computer program identifying data. The user-created data is then used to control the anti-virus system to identify banned computer programs and take appropriate banned computer program actions. The banned computer program identifying data can be encrypted with an organization's private PGP key such that it will only be capable of successful decryption and use upon computer systems within that organization bearing the corresponding public PGP encryption key.

Abstract: A software audit system is provided in conjunction with an anti-virus system. A computer virus scan request received by the anti-virus system (16) is used to trigger an audit data generator (18) to generate audit data. The audit data generator (18) may also serve to ban certain computer programs from execution and monitor the concurrent usage of other computer programs.

Abstract: An anti computer virus program uses a library of virus drivers that includes an indication of whether a particular virus can cause irreparable damage and data indicating enhanced user warnings and actions that might be associated with such viruses. If a detected computer virus is one that can cause irreparable damage, then an enhanced user warning (16) is issued indicating this to the user and a notification (28) of the possibility of such corruption is added into the repaired computer file. The notification may take the form of an electronically signed (30) banner message or the like.