Abstract: Provided is a way of evaluating rules/conditions that span different domain entities against a set of disparate events from multiple sources that have occurred within a specific window or interval of time from the current time back to a specific time in the past. Events are stored in dedicated storage to enable an extended window of time to be used for multiple event evaluation. Only relevant event/rule pairs are evaluated. The system will record when an event relevant to a rule happens. When a second event that is relevant to the rule happens, the system checks the records to see if a previous relevant event had happened in the past that would cause the rule to trigger an alert. A mechanism is also provided for evaluating static state in combination with changed properties.

Abstract: Multiple binary images stored in the firmware of an electronic device are written to the device's configuration tables during booting of the device, where one of the binary images is a manager binary. During booting, the manager binary is saved to the file system of the operating system such that it automatically executes upon completion of booting. The manager binary then deploys the other binary images.

Abstract: A mailbox mechanism is used for communication of secure messages from a server to the firmware of a device. Mailbox content provided by the server is authenticated in a driver execution environment of the device, using reboots across the communication sessions, and then stored in secure storage. The communication sessions include first receiving a signed server key, and then receiving a message from the server that is based on a hash of a nonce generated by the device.

Abstract: A mailbox mechanism is used for communication of secure messages from a server to the firmware of a device. Mailbox content provided by the server is authenticated in a driver execution environment of the device, using reboots across the communication sessions, and then stored in secure storage. The communication sessions include first receiving a signed server key, and then receiving a message from the server that is based on a hash of a nonce generated by the device.

Abstract: Provided is a way of evaluating rules/conditions that span different domain entities against a set of disparate events from multiple sources that have occurred within a specific window or interval of time from the current time back to a specific time in the past. Events are stored in dedicated storage to enable an extended window of time to be used for multiple event evaluation. Only relevant event/rule pairs are evaluated. The system will record when an event relevant to a rule happens. When a second event that is relevant to the rule happens, the system checks the records to see if a previous relevant event had happened in the past that would cause the rule to trigger an alert. A mechanism is also provided for evaluating static state in combination with changed properties.

Abstract: A mailbox mechanism is used for communication of secure messages from a server to the firmware of a device. Mailbox content provided by the server is authenticated in a driver execution environment of the device, using reboots across the communication sessions, and then stored in secure storage. The communication sessions include first receiving a signed server key, and then receiving a message from the server that is based on a hash of a nonce generated by the device.

Abstract: Measurements of a device's firmware are made regularly and compared with prior, derived measurements. Prior measurements are derived from a set of identical firmware measurements obtained from multiple devices having the same make, model and firmware version number. The firmware integrity status is reported on a data and device security console for a group of managed endpoints. Alerts about firmware changes, which may be potential attacks on the firmware, are given automatically.

Abstract: Multiple binary images stored in the firmware of an electronic device are written to the device's configuration tables during booting of the device, where one of the binary images is a manager binary. During booting, the manager binary is saved to the file system of the operating system such that it automatically executes upon completion of booting. The manager binary then saves the other binary images to the OS file system, such that they also execute automatically.

Abstract: An electronic device monitoring system uses two different types of servers to communicate with electronic devices of users. One type of server, which may be a rapid contact server, is optimized or configured for relatively short and frequent communications with the electronic devices. The other type of server is optimized or configured for less frequent but (typically) longer communications with the electronic devices. In some embodiments, the electronic devices are configured to communicate relatively frequently (e.g., every few minutes) with the rapid contact server. When an electronic device is reported as lost or stolen, the rapid contact server may instruct the electronic device to contact the other type of server to obtain security-related instructions.

Abstract: A system is disclosed in which an electronic device of a user emits an identifiable alert as a result of a trigger indicating loss or theft, or probability or risk of loss or theft. Alerts may be acoustic, either audible or inaudible and may be disguised. Alerts may also be short range radio signals. Other, local electronic devices of users may detect the alert and react by transmitting their location and the information in the alert to a monitoring center. The monitoring center may respond by sending a silence code or identification information to the device detecting the alert.

Abstract: A process is disclosed for capturing screenshots on an electronic device of a user, and for transmitting representations of the captured screenshots to a monitoring system for storage. The captured screenshot data may, for example, be used to recover a device that is lost or stolen.

Abstract: A system is disclosed in which an electronic device of a user emits an identifiable alert as a result of a trigger indicating loss or theft, or probability or risk of loss or theft. Alerts may be acoustic, either audible or inaudible and may be disguised. Alerts may also be short range radio signals. Other, local electronic devices of users may detect the alert and react by transmitting their location and the information in the alert to a monitoring center. The monitoring center may respond by sending a silence code or identification information to the device detecting the alert.

Abstract: Electronic devices without device names are provided with an application for retrieving a data point from the device from which a name can be deduced. A match for the data point is searched for in the contacts list in the device, and when found, the name corresponding to the contact entry, in which the data point has been found, is used to derive the device name. The derived device name (or information from which the device name may be derived) may be transmitted to a remote server which may be used for managing multiple such devices.

Abstract: Systems and methods for protecting data stored on an electronic device from access by an illegitimate user are presented. The data is protected by activating an offline data delete module installed in the electronic device to conditionally delete the data according to the following criteria: after establishing a first communication between an agent installed in the electronic device and a remote server, obtaining a password from a user if a second communication is not established between the agent and the remote server within a predetermined period of time. After obtaining a password from the user, deleting at least some data stored on the electronic device after a second communication is not established between the agent and the remote server within the predetermined period of time and a predetermined number of incorrect passwords has been obtained.

Abstract: Techniques for securing a client. Two or more varieties of location information for a client may be received. The present location of the client is determined using the two or more varieties of location information. A determination is made as to whether any of the varieties of location information were received during an immediately preceding bounded interval of time having a predefined length. A weight associated with each variety of location information that was received during the immediately preceding bounded interval of time is determined. The present location of the client is calculated using a weighted arithmetic mean for the varieties of location information that were received during the immediately preceding bounded interval of time.

Abstract: The present disclosure relates generally to systems and methods for remotely re-imaging a computer system. In one example, a method is provided for executing a re-imaging process for replacing an original image on an active system of a remote computer system with a new image. The method includes receiving a command to initiate the re-imaging process from a remote location and downloading the new image onto the active system. The re-imaging process is performed to replace the original image with the active image and remote location may be informed of the reimaging process's success. The computer system is rebooted.

Abstract: The availability of software assets on electronic devices, such as mobile devices of users, is restricted based on the time as determined by a managing server. An application that runs on the electronic devices communicates with the server to obtain information regarding which software assets are permitted to be accessed, and restricts user access accordingly. The server may use a clock, in combination with administrator-generated access restriction policies, to determine which software assets are to be made available on each electronic device at particular points in time.

Abstract: A system is disclosed that protects private data of users while permitting the monitoring or tracking of electronic devices that are shared for both business and private purposes. The electronic devices may be configured to selectively encrypt location data, and/or other types of data, before such data is transmitted to a monitoring center. For example, data collected or generated on a user device outside of work hours may be encrypted with a private key of the device's user prior to transmission to the monitoring center, so that the data is not accessible to the employer. Data collected or generated during work hours may be transmitted without such encryption.

Abstract: A database stores results of scans for wireless (e.g., Wi-Fi) access points, some of them directly associated with GPS coordinates. Mobile electronic devices detect access points, details of which are sent to the database. Contents of the database are analyzed for relations between the scanned access points and previously stored GPS coordinates. If a relation is found, the GPS coordinates are used for determining or estimating the location of the mobile device.

Abstract: A data protection system selectively deletes data from an electronic device when the device is reported as lost or stolen, or when another data protection triggering event occurs. Different data files may, for example, be treated differently depending on when such files were created. For example, data files that were created while the computing device was known to be in the owner's possession may be deleted, while data files created after the electronic device left the owner's possession may be left intact (since they may have been created by an innocent user). Data files created between these two points in time may be quarantined so that they later be restored, if appropriate.