Patents Assigned to AVECTO LIMITED
  • Patent number: 11797704
    Abstract: A computing device is disclosed with an agent and operating system executing thereon. The agent can determine that a user account control service is disabled by querying the operating system. In response to determining that the user account control service is disabled, the agent can hook a query provided by the operating system. The agent can receive a request to confirm whether the user account control service is enabled using the query provided by the operating system. The agent can generate a confirmation that the user account control service is enabled. The agent can determine whether to execute a process by performing a privilege check as if the user account control service were enabled based on the confirmation.
    Type: Grant
    Filed: November 9, 2021
    Date of Patent: October 24, 2023
    Assignee: Avecto Limited
    Inventors: John Goodridge, Georgina Shippey
  • Patent number: 11797664
    Abstract: A computer device, including at least a processor and a memory, can be configured to control process components on a computer device. An agent can intercept a request to instantiate a new process component in a user account of a logged-in user. The request can originate on the computing device from an instance of a particular process component amongst a set of process components. The user account can be assigned default user privileges by a privilege access management service. The agent can determine whether to permit the intercepted request. The agent can permit the intercepted request if the relationship is validated and if a trusted owner is identified amongst the set of identified owners.
    Type: Grant
    Filed: February 24, 2021
    Date of Patent: October 24, 2023
    Assignee: Avecto Limited
    Inventors: John Goodridge, Thomas Couser, James William Maude
  • Patent number: 11720712
    Abstract: A computer device performs operations for managing registry access, including monitoring a user process on the computer device. The computing device can determine a set of registry access rules relevant to the user process. The computing device can perform an evaluation of a registry operation requested by the user process using the set of registry access rules. The computing device can determine an action based on the evaluation. The action can include one of blocking the registry operation in relation to a particular key in a registry of the operating system, and enabling access to a particular key in the registry of the operating system to perform the requested registry operation.
    Type: Grant
    Filed: May 3, 2022
    Date of Patent: August 8, 2023
    Assignee: Avecto Limited
    Inventors: John Goodridge, Ian James McLean
  • Patent number: 11714901
    Abstract: A computing device can receive a first notification that a process has started on the at least one computing device. The computing device can record a first access token associated with the process into the token cache. The computing device can receive a second notification that the process has interacted with the operating system to perform at least one of a set of predetermined operations on the at least one computing device. The computing device can capture a second access token from the process. The computing device can perform a comparison of the second access token captured from the process against the first access token recorded into the token cache. The computing device can determine that an escalation of privilege attack has occurred based on the comparison.
    Type: Grant
    Filed: April 26, 2022
    Date of Patent: August 1, 2023
    Assignee: Avecto Limited
    Inventors: John Goodridge, Thomas Couser
  • Patent number: 11687674
    Abstract: A computer device that manages privilege delegation is disclosed. The computing device can insert a custom verb command into a plurality of verb commands corresponding to a file. The computing device can intercept a request to execute the custom verb command on the file by intercepting a request to create a context menu. The computer device can obtain information related to the request to execute the custom verb command by obtaining a file identifier of the file from the request to create the context menu. The computer device can determine whether to execute the custom verb command on the file according to second privileges different from the first privileges based on the information related to the request to execute the custom verb command. The computer device can cause the custom verb command to be executed on the file according to the second privileges.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: June 27, 2023
    Assignee: Avecto Limited
    Inventor: John Goodridge
  • Patent number: 11379622
Abstract: A server device for managing privilege delegation to control execution of commands thereon is described. Execution of a command, according to first privileges, by a remote management (RM) server on the server device is requested from an RM client on a client device. An agent plug-in, chained to a command execution plug-in of the RM server, intercepts the request and forwards related information to an agent service cooperating with an operating system of the server device. The agent service determines whether to execute the command according to second privileges, different from the first privileges, and if permitted, delegates the second privileges to the command and causes, via the agent plug-in chained to the command execution plug-in, the command to be executed according to the second privileges.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: July 5, 2022
Assignee: Avecto Limited
    Inventors: John Goodridge, Thomas Couser
  • Patent number: 11321455
    Abstract: A computer device has a kernel driver in a kernel mode of the operating system which records an access token as initially associated with a user process. Later, the user process presents its access token when requesting certain operations through the operating system. The kernel driver detects that the user process has been subject to an escalation of privilege attack by evaluating the access token in its presented form as against the initially recorded access token and, in response, performs a mitigation action such as suspending the user process.
    Type: Grant
    Filed: April 12, 2019
    Date of Patent: May 3, 2022
    Assignee: Avecto Limited
    Inventors: John Goodridge, Thomas Couser
  • Patent number: 11301228
    Abstract: Removal or modification of an installed program on a computer device is requested by a calling process in a user account which itself may or may not have administrator privileges. An agent, cooperating with an operating system, intercepts a call to remove or modify the installed program made by the calling process prior to reaching an uninstaller component of the operating system. The agent determines whether or not to allow the remove or modify request and, if permitted, provides a proxy process through which the requested action to remove or modify the installed program is performed.
    Type: Grant
    Filed: November 27, 2018
    Date of Patent: April 12, 2022
    Assignee: Avecto Limited
    Inventors: John Goodridge, Richard De Mellow
  • Patent number: 11270013
Abstract: A computer device for managing privilege delegation to control creation of processes thereon is described. Creation of a process, in a user account on a computer device, is requested according to first privileges. An agent, cooperating with an operating system of the computer device, intercepts the request. The agent determines whether to create the process according to second privileges, different from the first privileges, and if permitted, causes the process to be created accordingly. The agent hooks a query provided by the operating system to identify whether a user account control service is enabled. The agent enquires of the operating system whether to create the process according to the second privileges, whereupon the hooked query is invoked. The agent confirms to the operating system that the user account control service is enabled, such that checks by the operating system are performed as if the user account control service were enabled.
    Type: Grant
    Filed: February 7, 2019
    Date of Patent: March 8, 2022
    Assignee: Avecto Limited
    Inventors: John Goodridge, Georgina Shippey
  • Patent number: 11226802
    Abstract: A computing device can manage installation of an application program using an agent registered with an operating system. The agent can receive a notification in response to a user request to mount a disk image. The disk image can include the application program. The agent can generate a challenge-response to authenticate a current user. An action to take can be determined based on the challenge-response. The application program can be installed using privileges of the agent without changing privileges of an account for the current user.
    Type: Grant
    Filed: February 24, 2021
    Date of Patent: January 18, 2022
    Assignee: Avecto Limited
    Inventor: Simon Jonathan Fradkin
  • Patent number: 11151286
    Abstract: Privilege delegation in a computer device is managed by invoking a utility by a first user account. A requested command is captured by an agent plugin which is provided as a plugin to the utility. The agent plugin sends a request message to an agent, which determines an outcome for the requested command including allowing or blocking. If allowed, a reply message from the agent instructs the agent plugin to provide command information to the utility to run the requested command by the operating system with delegated privileges of the second user account. The agent plugin can also be instructed to perform custom messaging, or passively handle the requested command via a child plugin.
    Type: Grant
    Filed: June 1, 2018
    Date of Patent: October 19, 2021
    Assignee: Avecto Limited
    Inventor: Omar Ikram
  • Patent number: 11062055
    Abstract: A computer device and method for managing privilege delegation to control execution of commands on files on the computer device is described. An agent plugin intercepts a request in a user account of a logged-in user to execute a command therein on a file having first privileges assigned thereto, wherein the agent plugin is provided for the file. The agent plugin obtains information related to the request and forwards the information to an agent service cooperating with an operating system of the computer device. The agent service determines whether to execute the command on the file in the user account according to second privileges different from the first privileges. The agent service launches an agent proxy process having the second privileges assigned thereto by the agent service if it is determined to execute the command on the file in the user account according to the second privileges.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: July 13, 2021
Assignee: Avecto Limited
    Inventor: John Goodridge
  • Patent number: 10983845
Abstract: An application control system (ACS) in a computer device intercepts a request to launch a requested application by a calling process, and determines, based on the requested application, that user interaction is required before launch. In response, the ACS establishes whether or not the calling process is associated with a controlling terminal and, if so, performs the user interactions using that controlling terminal. If the user interactions succeed, the intended application is permitted to launch; otherwise, the intended application may be denied. Other solutions are provided in the event that the calling process is not associated with a controlling terminal.
    Type: Grant
    Filed: September 10, 2019
    Date of Patent: April 20, 2021
Assignee: Avecto Limited
    Inventors: Paul Thexton, Steven Joruk, Simon Fradkin
  • Patent number: 10963557
    Abstract: There is described a computer device, including at least a processor and a memory, configured to control process components on the computer device, the computer device comprising: an operating system, a privilege access management service cooperating with the operating system and an agent; wherein the agent is configured to: intercept a request to instantiate a new process component in a user account of a logged-in user, wherein the request originates from an instance of a particular process component amongst a set of process components and wherein the user account has assigned thereto default user privileges by the privilege access management service; determine whether to permit the intercepted request including by: validating a relationship between the new process component and the particular process component; and establishing a set of identified owners by identifying owners of the new process component, the particular process and any parents thereof; permit the intercepted request if the relationship is v
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: March 30, 2021
Assignee: Avecto Limited
    Inventors: John Goodridge, Thomas Couser, James William Maude
  • Patent number: 10963237
    Abstract: A policy can be consulted to determine an action to take when a disc image is mounted. The action to take can be based on the contents of an application program stored on the disc image. A notification can be received responsive to a user request to mount the disc image. Based on the determined action to take as specified by the policy, the application program can be installed using the privileges of the agent without changing the privileges of an account of a current user.
    Type: Grant
    Filed: April 24, 2020
    Date of Patent: March 30, 2021
Assignee: Avecto Limited
    Inventor: Simon Jonathan Fradkin
  • Patent number: 10649755
Abstract: A user account that does not have administrator privileges may request mounting of a disk image prior to installing a new application. An agent, registered with the operating system, receives a notification and determines whether or not to allow mounting of the disk image. If so, the agent causes the disk image to be mounted by the operating system. The agent examines the mounted disk image to detect an application bundle. The agent determines whether or not to proceed with installation of the application bundle and, if so, causes the application bundle to be copied to a privileged system location, thereby installing the application on the computer device.
    Type: Grant
    Filed: August 30, 2018
    Date of Patent: May 12, 2020
Assignee: Avecto Limited
    Inventor: Simon Jonathan Fradkin
  • Patent number: 10305907
    Abstract: Web resources are accessible by a process on a computer device. Access to the web resources is controlled by a web proxy running in an address space of the process. The web proxy receives a web request for a web resource from the process. The web proxy examines the web request for the web resource and selectively allows or denies access to the web resource. If the web request for the web resource is allowed, the web proxy arranges access to the web resource, for example, directly via an operating system of the computer device or via a registered web proxy.
    Type: Grant
    Filed: January 13, 2017
    Date of Patent: May 28, 2019
    Assignee: Avecto Limited
    Inventor: Sarma Sriramakrishnan
  • Patent number: 10102371
    Abstract: A computer device and respective method provides a primary clipboard accessible from a primary user account, while a sandbox is used to isolate and contain a secondary user account. A secondary clipboard is provisioned and associated with the secondary user account. The computer device, via an agent, intercepts requests from the secondary user account such as for cut, copy or paste type clipboard operations which are ordinarily directed toward the primary clipboard, and satisfies those clipboard operation requests instead by using the secondary clipboard.
    Type: Grant
    Filed: April 13, 2016
    Date of Patent: October 16, 2018
Assignee: Avecto Limited
    Inventors: Mark James Austin, Belaid Bezzaa
  • Patent number: 10078751
    Abstract: A computer device includes hardware with a connected peripheral device such as a camera or a microphone. An operating system is configured to operate the peripheral device using a device driver and a representative device object. An agent is configured to apply security attributes to the device object which permit access from a primary user account while preventing direct access to the device object by a secondary user account in a sandbox. The agent may intercept requests made toward the device object, examine each request, and then satisfy the request, when the request is allowed, by selectively arranging access to the device object from the sandboxed secondary user account.
    Type: Grant
    Filed: April 13, 2016
    Date of Patent: September 18, 2018
    Assignee: Avecto Limited
    Inventors: Mark James Austin, John Goodridge
  • Patent number: 9996703
    Abstract: A computer system 300 contains an agent 303 which modifies the ordinary behaviour of a native security system 103, such as to allow security decisions with alternate granularity or an alternate set of access rights. The agent 303 intercepts authorisation requests made by applications 109 for resources 110 identified by URIs 111 and sends amended requests to the security system 103. An alternate authorisation mechanism 307 of the agent 303 is invoked by the security system 103, whereupon the agent 303 may selectively allow or deny the request according to the originally presented URI 111.
    Type: Grant
    Filed: May 18, 2016
    Date of Patent: June 12, 2018
Assignee: Avecto Limited
    Inventors: John Goodridge, Simon Jonathan Fradkin