Abstract: Provided is a way of evaluating rules/conditions that span different domain entities against a set of disparate events from multiple sources that have occurred within a specific window or interval of time from the current time back to a specific time in the past. Events are stored in dedicated storage to enable an extended window of time to be used for multiple event evaluation. Only relevant event/rule pairs are evaluated. The system will record when an event relevant to a rule happens. When a second event that is relevant to the rule happens, the system checks the records to see if a previous relevant event had happened in the past that would cause the rule to trigger an alert. A mechanism is also provided for evaluating static state in combination with changed properties.

Abstract: Multiple binary images stored in the firmware of an electronic device are written to the device's configuration tables during booting of the device, where one of the binary images is a manager binary. During booting, the manager binary is saved to the file system of the operating system such that it automatically executes upon completion of booting. The manager binary then deploys the other binary images.

Abstract: A mailbox mechanism is used for communication of secure messages from a server to the firmware of a device. Mailbox content provided by the server is authenticated in a driver execution environment of the device, using reboots across the communication sessions, and then stored in secure storage. The communication sessions include first receiving a signed server key, and then receiving a message from the server that is based on a hash of a nonce generated by the device.

Abstract: A mailbox mechanism is used for communication of secure messages from a server to the firmware of a device. Mailbox content provided by the server is authenticated in a driver execution environment of the device, using reboots across the communication sessions, and then stored in secure storage. The communication sessions include first receiving a signed server key, and then receiving a message from the server that is based on a hash of a nonce generated by the device.

Abstract: Provided is a way of evaluating rules/conditions that span different domain entities against a set of disparate events from multiple sources that have occurred within a specific window or interval of time from the current time back to a specific time in the past. Events are stored in dedicated storage to enable an extended window of time to be used for multiple event evaluation. Only relevant event/rule pairs are evaluated. The system will record when an event relevant to a rule happens. When a second event that is relevant to the rule happens, the system checks the records to see if a previous relevant event had happened in the past that would cause the rule to trigger an alert. A mechanism is also provided for evaluating static state in combination with changed properties.

Abstract: A mailbox mechanism is used for communication of secure messages from a server to the firmware of a device. Mailbox content provided by the server is authenticated in a driver execution environment of the device, using reboots across the communication sessions, and then stored in secure storage. The communication sessions include first receiving a signed server key, and then receiving a message from the server that is based on a hash of a nonce generated by the device.

Abstract: Measurements of a device's firmware are made regularly and compared with prior, derived measurements. Prior measurements are derived from a set of identical firmware measurements obtained from multiple devices having the same make, model and firmware version number. The firmware integrity status is reported on a data and device security console for a group of managed endpoints. Alerts about firmware changes, which may be potential attacks on the firmware, are given automatically.

Abstract: Multiple binary images stored in the firmware of an electronic device are written to the device's configuration tables during booting of the device, where one of the binary images is a manager binary. During booting, the manager binary is saved to the file system of the operating system such that it automatically executes upon completion of booting. The manager binary then saves the other binary images to the OS file system, such that they also execute automatically.

Abstract: An electronic device monitoring system uses two different types of servers to communicate with electronic devices of users. One type of server, which may be a rapid contact server, is optimized or configured for relatively short and frequent communications with the electronic devices. The other type of server is optimized or configured for less frequent but (typically) longer communications with the electronic devices. In some embodiments, the electronic devices are configured to communicate relatively frequently (e.g., every few minutes) with the rapid contact server. When an electronic device is reported as lost or stolen, the rapid contact server may instruct the electronic device to contact the other type of server to obtain security-related instructions.

Abstract: A utility to determine identity of an electronic device electronically, by running a device attribute collection application that collects key data points of the electronic devices and a device identification application that uses these key data points to link the electronic device to a specific owner or entity. Data points of the device may change over time for reasons such as reconfiguration, repair or normal daily use. The device identification application intelligently and consistently tracks changes in key data points associated with the device, even if the data points change over its lifecycle. The device may be identified remotely with the device identification application (e.g., in the event of theft or loss of the device) based on the collected data points. The device identification application may be deployed in conjunction with services that may include asset tracking, asset recovery, data delete, software deployment, etc.

Abstract: A tamper resistant servicing Agent for providing various services (e.g., data delete, firewall protection, data encryption, location tracking, message notification, and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. The servicing functions can be controlled by a remote server.

Abstract: A tamper resistant servicing Agent for providing various services (e.g., data delete, firewall protection, data encryption, location tracking, message notification, and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. The servicing functions can be controlled by a remote server.

Abstract: A system is disclosed in which an electronic device of a user emits an identifiable alert as a result of a trigger indicating loss or theft, or probability or risk of loss or theft. Alerts may be acoustic, either audible or inaudible and may be disguised. Alerts may also be short range radio signals. Other, local electronic devices of users may detect the alert and react by transmitting their location and the information in the alert to a monitoring center. The monitoring center may respond by sending a silence code or identification information to the device detecting the alert.

Abstract: A process is disclosed for capturing screenshots on an electronic device of a user, and for transmitting representations of the captured screenshots to a monitoring system for storage. The captured screenshot data may, for example, be used to recover a device that is lost or stolen.

Abstract: The invention is directed to a security module deployed in a host device, which provides a secondary agent that operates in coordination with the host agent in the host device, but operates independent of the host operating system of the host device to independently access an existing communication network interface in the host device or a separate dedicated network interface, if available. In one aspect, the present invention enables robust theft recovery and asset tracking services. The system comprises a monitoring center; one or more monitored devices; a security module in the monitored devices; and one or more active communications networks. Monitored devices may be stand alone devices, such as computers (e.g., portable or desktop computers), or a device or a subsystem included in a system. A monitored device comprises a security module, a host agent and software to support the host agent that runs in the monitored device's OS.

Abstract: A system is disclosed in which an electronic device of a user emits an identifiable alert as a result of a trigger indicating loss or theft, or probability or risk of loss or theft. Alerts may be acoustic, either audible or inaudible and may be disguised. Alerts may also be short range radio signals. Other, local electronic devices of users may detect the alert and react by transmitting their location and the information in the alert to a monitoring center. The monitoring center may respond by sending a silence code or identification information to the device detecting the alert.

Abstract: Electronic devices without device names are provided with an application for retrieving a data point from the device from which a name can be deduced. A match for the data point is searched for in the contacts list in the device, and when found, the name corresponding to the contact entry, in which the data point has been found, is used to derive the device name. The derived device name (or information from which the device name may be derived) may be transmitted to a remote server which may be used for managing multiple such devices.

Abstract: Systems and methods for protecting data stored on an electronic device from access by an illegitimate user are presented. The data is protected by activating an offline data delete module installed in the electronic device to conditionally delete the data according to the following criteria: after establishing a first communication between an agent installed in the electronic device and a remote server, obtaining a password from a user if a second communication is not established between the agent and the remote server within a predetermined period of time. After obtaining a password from the user, deleting at least some data stored on the electronic device after a second communication is not established between the agent and the remote server within the predetermined period of time and a predetermined number of incorrect passwords has been obtained.

Abstract: Techniques for securing a client. Two or more varieties of location information for a client may be received. The present location of the client is determined using the two or more varieties of location information. A determination is made as to whether any of the varieties of location information were received during an immediately preceding bounded interval of time having a predefined length. A weight associated with each variety of location information that was received during the immediately preceding bounded interval of time is determined. The present location of the client is calculated using a weighted arithmetic mean for the varieties of location information that were received during the immediately preceding bounded interval of time.

Abstract: The present disclosure relates generally to systems and methods for remotely re-imaging a computer system. In one example, a method is provided for executing a re-imaging process for replacing an original image on an active system of a remote computer system with a new image. The method includes receiving a command to initiate the re-imaging process from a remote location and downloading the new image onto the active system. The re-imaging process is performed to replace the original image with the active image and remote location may be informed of the reimaging process's success. The computer system is rebooted.