Abstract: According to a first aspect of the present invention there is provided a method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system. The method comprises determining if an executable file should be identified as being legitimate and, if not, executing the executable file while providing indications to the executable file that it is being executed within an emulated computer system.

Abstract: A method of controlling a process on a computer system for backing-up files stored in a primary storage medium, to a secondary storage medium. The method comprises monitoring a file system implemented on the computer system in order to detect write operations made by the file system to said primary storage medium. Upon detection of a write operation, the integrity of a file being written is verified and/or changes in the file identified with respect to a version of the file currently stored in the primary storage medium and which is being replaced. In the event that the integrity of a file being written by the file system is compromised, and/or any identified changes in the file are suspicious, then the file is identified to the back-up process such that automatic back-up of the file is inhibited.

Abstract: A method and apparatus for scanning for or removing malware from a computer device. Under normal circumstances, the computer device is controlled by a first operating system installed in a memory of the device. In order to scan for or remove the malware from the computer device, control of the computer device is passed from the first operating system to a second operating system and, under the control of the second operating system, the device is either scanned for malware or the malware is removed. This allows malware to be detected or removed, even if it has affected the first operating system in some way in order to evade detection or removal.

Abstract: A method of protecting a computer against malware infection. The method includes during operation of the computer, reading master boot record code from a removable storage device into the computer and inspecting said code to identify any instructions associated with suspicious behaviour. In the event that suspicious instructions are identified, the master boot record code on the removable storage device is modified and/or the behaviour of the computer adapted in order to prevent said master boot record code installing malware into the computer. Examples of suspicious behaviour include hard disk read or write operations.

Abstract: According to a first aspect of the present invention there is provided a method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system. The method comprises determining if an executable file should be identified as being legitimate and, if not, executing the executable file while providing indications to the executable file that it is being executed within an emulated computer system.

Abstract: A method of providing rating information in respect of Uniform Resource Identifiers to a client terminal. The method includes identifying a Uniform Resource Identifier at the client terminal, sending a first query to a rating server over an IP network, the query including as a query string a first component of the identified Uniform Resource Identifier or a derivative of that first component, and receiving the first query at the rating server and determining whether or not a rating exists for the query string. A response is sent by the server to the client terminal, the response including a determined rating, or an indication that no rating exists.

Abstract: A method of detecting malware on a computer and comprising scanning a system memory of the computer, and/or code being injected into the system memory, for known strings indicative of banking trojans. These strings may be Universal Resource Locators and/or partial Universal Resource Locators.

Abstract: A method of customizing an application on a device, the method comprising: at a server, receiving a request message from the device, while the device is running the application, the request message comprising information identifying the application and further information relating to a network operator associated with the device; using the further information to identify the network operator associated with the device and to obtain network operator specific customization information relating to the application; and sending a response message to the device, the response message comprising the obtained network operator specific customization information, the network operator specific customization information usable by the device to customize any of: the application components, application user interface, and application settings.

Abstract: A method of protecting a wireless device against viruses, comprising maintaining a database of virus signatures on the device, updating the database by downloading virus signatures in a Short Message Service (SMS) Message, and searching for virus signatures in the memory of or files stored on the wireless device by comparison with the database.

Abstract: According to a first aspect of the present invention there is provided a method of detecting malware in a mobile telecommunications device 101. In the method, maintaining a database 109 of legitimate applications and their respective expected behaviors, identifying legitimate applications running on the device 101, monitoring the behavior of the device 101, comparing this monitored behavior with that expected according to the database 109 for those legitimate applications identified as running on the device 101, and analyzing deviations from the expected behavior of the device 101 to identify the potential presence of malware.

Abstract: A method of enabling a user of a computer device to back-up an encryption key generated on the device, where the key is used to encrypt stored data, and the key is itself encrypted using a user password for storage on the device. The method comprises rendering the key into a form comprising a reduced length sequence of characters and displaying the reduced length sequence on a display of the device. The user is then able to write down the rendered key. The reduced length sequence may also be sent to a service provider in an SMS message, e-mail, or by voice dictation. In the event that the user password is lost, such that the encrypted key stored on the device cannot be unencrypted, encrypted data may still be accessed by the user entering the rendered key into the device.

Abstract: A method and apparatus for populating a trusted files database for an anti-virus application. A determination is made from several files stored in a file system of a set of files likely to be accessed from the file system. For each file that is likely to be accessed from the file system, a further determination is made to ascertain if the file is trusted by the anti-virus application. If the file is likely to be accessed from the file system, and is trusted, then it is identified in a trusted files database. By only including files that are likely to be accessed by the file system, the time to populate the trusted files database is greatly reduced.

Abstract: According to a first aspect of the present invention there is provided a method of operating a computer to detect malware, which malware writes a copy of an executable file to a non-volatile memory of the computer and creates a launch point that causes that executable file to be run at start-up of the computer. The method includes, during the shutdown procedures of the computer, monitoring the creation and/or modification of any launch points and, for any such modification or creation, saving a further copy of any executable file associated with the launch point to the non-volatile memory, and, following a subsequent start-up of the computer, examining said further copy to determine if it is potential malware.

Abstract: A computer-implemented method of scanning a plurality of files stored in a memory of a computer for malware. The computer includes a processor. The method includes, for each respective file of said plurality of files in said memory determining, using said processor, whether a relationship between the respective file and stored data satisfies a predetermined criterion. The stored data indicates one or more files determined not to contain malware and for which data associated with each of said one or more files has a predetermined characteristic. If the relationship satisfies the predetermined criterion, the respective file is processed according to said first processing method and if said relationship does not satisfy said predetermined criterion, the respective file is processed according to said second processing method.

Abstract: A method of customizing an application on a device, the method comprising: at a server, receiving a request message from the device, while the device is running the application, the request message comprising information identifying the application and further information relating to a network operator associated with the device; using the further information to identify the network operator associated with the device and to obtain network operator specific customization information relating to the application; and sending a response message to the device, the response message comprising the obtained network operator specific customization information, the network operator specific customization information usable by the device to customize any of: the application components, application user interface, and application settings.

Abstract: A method of detecting malware on a computer system. The method comprises monitoring the behavior of trusted applications running on the computer system and, in the event that unexpected behavior of an application is detected, identifying a file or files responsible for the unexpected behavior and tagging the file(s) as malicious or suspicious. The unexpected behavior of the application may comprise, for example, dropping executable files, performing modifications to a registry branch which is not a registry branch of the application, reading a file type class which is not a file type class of the application, writing portable executable (PE) files, and crashing and re-starting of the application.

Abstract: A method of facilitating the scanning of web pages for suspect and/or malicious hyperlinks that includes receiving at a content hosting website, user generated content. A web page or web page containing said content is then generated and, in the web page source code is included a detection code segment or a link from which a detection code segment can be downloaded. The detection code segment is executable by a web browser or web browser plug-in to scan the web page(s), or cause the web page(s) to be scanned, for suspect and/or malicious links.

Abstract: A method and apparatus for configuring an application at a device in a communications network. A server receives a request message from the device. The request message includes information that identifies the application, and further information relating to either or both of the device type or a network operator associated with the device. The further information is sued by the server to obtain specific configuration information relating to the application. A response is sent to the device, the response including the obtained specific configuration. The specific configuration information is subsequently be used by the device to configure the application.

Abstract: A method and apparatus for determining the identity of suspected malware on a client device. Information pertaining to the malware is sent from the client device to a server. The server determines a first required information set, and sends a request to the client device for the required information set. The client device compares the required information set with information stored at the client device, and returns the results of the comparison to the server. The server uses the results of the comparison to attempt to determine an identity of the malware. If the results of the comparison indicate that the suspected malware is one of a plurality of types of malware, a new required information set is determined, which is sent back to the client device, and the process repeated. Otherwise the identity of the suspected malware is determined, or it is determined that the suspected malware is unknown to the server.

Abstract: A method of scanning data for viruses in a computer device, the device having a browser for rendering the data for use. The method comprises storing the data in a buffer memory accessible to said browser and creating an instance of a browser plugin, said plugin providing a virus scanning function or providing a route to a virus scanning function. The data is scanned for viruses using the instance of the plugin and, if no viruses are detected in the data, it is returned to the browser for rendering. If a virus is detected in the data, rendering of the data is inhibited.