Abstract: A system and method for performing persistent comply to connect (C2C) for establishing a connection to a network is provided. The method includes receiving, at a secure access (SA) server from an endpoint device, a request to access a network, and continuously collecting, by a secure endpoint (SE) agent, data from the endpoint device. Based on the continuous collection, determining a compliance status of the endpoint device, and automatically enforcing, by an SA server, one or more policy actions based on real-time compliance data of the endpoint device to force the endpoint device into compliance. The method further includes continuously monitoring, after the endpoint device has been granted access to the network, the compliance status of the endpoint device for a change event, and automatically enforcing a policy action to resolve a change in the compliance status.

Abstract: A booting process on a client device in a client/server network, in which a custom bootloader is installed in place of a standard bootloader for an operating system of the client device. The method includes receiving a signal instructing the client device to boot; writing UEFI variable(s) from the signal on the device; evaluating the UEFI variables. When the UEFI variables do not identify a security flag, the custom bootloader performs a direct boot to the operating system. When the UEFI variables identify a security flag, the custom bootloader executes one of a programmed bootloader process to determine whether: a correct boot sequence involves a separate bootable image present on the client device; or to connect to the server and receive a correct playbook for execution. The method also includes executing one of the separate bootable image or the correct playbook to boot the operating system.

Abstract: Embodiments include techniques for booting/rebooting a client device and a client device in a client/server network. At the client device, the techniques include detecting an unsuccessful boot of the client device and then evaluating, to identify a cause of the unsuccessful boot, one or more bootup conditions of the client device. In response to the one or more bootup conditions, embodiments can connect to a server over a computer network to communicate the one or more bootup conditions. Embodiments can also receive, from the server, a desired playbook configured to remediate the cause of the unsuccessful boot and execute the desired playbook to cause a successful boot of the client device.

Abstract: A client in a client/server network includes a processor; and storage devices storing an operating system, an operating system standard bootloader, a custom bootloader, and a reboot counter. The storage devices store a boot order in which the custom bootloader is inserted as a first entry and computer readable instructions, which, when executed by the processor cause the processor to: reboot the client device; increment the reboot counter; and determine whether a number in the reboot counter exceeds a predetermined threshold. When the number in the reboot counter is determined to exceed the predetermined threshold, the reboot counter is cleared and one of: a bootable image stored on the client device is retrieved or a secure channel to the server is established and a correct playbook is obtained from the server. Further, the processor is caused to reboot the client device to the bootable image or correct playbook.

Abstract: Provided is a way of evaluating rules/conditions that span different domain entities against a set of disparate events from multiple sources that have occurred within a specific window or interval of time from the current time back to a specific time in the past. Events are stored in dedicated storage to enable an extended window of time to be used for multiple event evaluation. Only relevant event/rule pairs are evaluated. The system will record when an event relevant to a rule happens. When a second event that is relevant to the rule happens, the system checks the records to see if a previous relevant event had happened in the past that would cause the rule to trigger an alert. A mechanism is also provided for evaluating static state in combination with changed properties.

Abstract: Multiple binary images stored in the firmware of an electronic device are written to the device's configuration tables during booting of the device, where one of the binary images is a manager binary. During booting, the manager binary is saved to the file system of the operating system such that it automatically executes upon completion of booting. The manager binary then deploys the other binary images.

Abstract: A mailbox mechanism is used for communication of secure messages from a server to the firmware of a device. Mailbox content provided by the server is authenticated in a driver execution environment of the device, using reboots across the communication sessions, and then stored in secure storage. The communication sessions include first receiving a signed server key, and then receiving a message from the server that is based on a hash of a nonce generated by the device.

Abstract: A mailbox mechanism is used for communication of secure messages from a server to the firmware of a device. Mailbox content provided by the server is authenticated in a driver execution environment of the device, using reboots across the communication sessions, and then stored in secure storage. The communication sessions include first receiving a signed server key, and then receiving a message from the server that is based on a hash of a nonce generated by the device.

Abstract: Provided is a way of evaluating rules/conditions that span different domain entities against a set of disparate events from multiple sources that have occurred within a specific window or interval of time from the current time back to a specific time in the past. Events are stored in dedicated storage to enable an extended window of time to be used for multiple event evaluation. Only relevant event/rule pairs are evaluated. The system will record when an event relevant to a rule happens. When a second event that is relevant to the rule happens, the system checks the records to see if a previous relevant event had happened in the past that would cause the rule to trigger an alert. A mechanism is also provided for evaluating static state in combination with changed properties.

Abstract: A mailbox mechanism is used for communication of secure messages from a server to the firmware of a device. Mailbox content provided by the server is authenticated in a driver execution environment of the device, using reboots across the communication sessions, and then stored in secure storage. The communication sessions include first receiving a signed server key, and then receiving a message from the server that is based on a hash of a nonce generated by the device.

Abstract: Measurements of a device's firmware are made regularly and compared with prior, derived measurements. Prior measurements are derived from a set of identical firmware measurements obtained from multiple devices having the same make, model and firmware version number. The firmware integrity status is reported on a data and device security console for a group of managed endpoints. Alerts about firmware changes, which may be potential attacks on the firmware, are given automatically.

Abstract: Multiple binary images stored in the firmware of an electronic device are written to the device's configuration tables during booting of the device, where one of the binary images is a manager binary. During booting, the manager binary is saved to the file system of the operating system such that it automatically executes upon completion of booting. The manager binary then saves the other binary images to the OS file system, such that they also execute automatically.

Abstract: An electronic device monitoring system uses two different types of servers to communicate with electronic devices of users. One type of server, which may be a rapid contact server, is optimized or configured for relatively short and frequent communications with the electronic devices. The other type of server is optimized or configured for less frequent but (typically) longer communications with the electronic devices. In some embodiments, the electronic devices are configured to communicate relatively frequently (e.g., every few minutes) with the rapid contact server. When an electronic device is reported as lost or stolen, the rapid contact server may instruct the electronic device to contact the other type of server to obtain security-related instructions.

Abstract: A utility to determine identity of an electronic device electronically, by running a device attribute collection application that collects key data points of the electronic devices and a device identification application that uses these key data points to link the electronic device to a specific owner or entity. Data points of the device may change over time for reasons such as reconfiguration, repair or normal daily use. The device identification application intelligently and consistently tracks changes in key data points associated with the device, even if the data points change over its lifecycle. The device may be identified remotely with the device identification application (e.g., in the event of theft or loss of the device) based on the collected data points. The device identification application may be deployed in conjunction with services that may include asset tracking, asset recovery, data delete, software deployment, etc.

Abstract: A tamper resistant servicing Agent for providing various services (e.g., data delete, firewall protection, data encryption, location tracking, message notification, and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. The servicing functions can be controlled by a remote server.

Abstract: A tamper resistant servicing Agent for providing various services (e.g., data delete, firewall protection, data encryption, location tracking, message notification, and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. The servicing functions can be controlled by a remote server.

Abstract: A system is disclosed in which an electronic device of a user emits an identifiable alert as a result of a trigger indicating loss or theft, or probability or risk of loss or theft. Alerts may be acoustic, either audible or inaudible and may be disguised. Alerts may also be short range radio signals. Other, local electronic devices of users may detect the alert and react by transmitting their location and the information in the alert to a monitoring center. The monitoring center may respond by sending a silence code or identification information to the device detecting the alert.

Abstract: A process is disclosed for capturing screenshots on an electronic device of a user, and for transmitting representations of the captured screenshots to a monitoring system for storage. The captured screenshot data may, for example, be used to recover a device that is lost or stolen.

Abstract: The invention is directed to a security module deployed in a host device, which provides a secondary agent that operates in coordination with the host agent in the host device, but operates independent of the host operating system of the host device to independently access an existing communication network interface in the host device or a separate dedicated network interface, if available. In one aspect, the present invention enables robust theft recovery and asset tracking services. The system comprises a monitoring center; one or more monitored devices; a security module in the monitored devices; and one or more active communications networks. Monitored devices may be stand alone devices, such as computers (e.g., portable or desktop computers), or a device or a subsystem included in a system. A monitored device comprises a security module, a host agent and software to support the host agent that runs in the monitored device's OS.

Abstract: A system is disclosed in which an electronic device of a user emits an identifiable alert as a result of a trigger indicating loss or theft, or probability or risk of loss or theft. Alerts may be acoustic, either audible or inaudible and may be disguised. Alerts may also be short range radio signals. Other, local electronic devices of users may detect the alert and react by transmitting their location and the information in the alert to a monitoring center. The monitoring center may respond by sending a silence code or identification information to the device detecting the alert.