Patents Assigned to Lumension Security, Inc.
-
Patent number: 9430216
Abstract: Software is updated via a self-contained executable that includes software update patch for updating pre-existing software, and an updater package including at least one predetermined required computer state condition. Executing the self-contained executable on a client computer includes investigating a state of the client computer, and determining whether the state of the client computer matches the at least one predetermined required computer state condition. When the state of the client computer matches the at least one predetermined required computer state condition, the software update patch is installed. When the state of the client computer does not match the predetermined required computer state condition, the installation is terminated or, alternatively, the client computer is forced into a state that matches the predetermined required computer state condition and the software update patch installed.
Type: Grant
Filed: May 11, 2014
Date of Patent: August 30, 2016
Assignee: LUMENSION SECURITY, INC.
Inventors: Rodney S. Foley, Joshua D. Bahnsen
-
Patent number: 9374390
Abstract: Techniques allow runtime extensions to a whitelist that locks down a computational system. For example, executable code is not only subject to whitelist checks that allow (or deny) its execution, but is also subject to checks that determine whether a whitelisted executable is itself trusted to introduce further executable code into the computational system in which it is allowed to run. In general, deletion and/or modification of instances of code that are already covered by the whitelist are also disallowed in accordance with a security policy. Accordingly, an executable that is trusted may be allowed to delete and/or modify code instances covered by the whitelist. In general, trust may be coded for a given code instance that seeks to introduce, remove or modify code.
Type: Grant
Filed: January 23, 2015
Date of Patent: June 21, 2016
Assignee: LUMENSION SECURITY, INC.
Inventors: Daniel M. Teal, Wesley G. Miller, Charisse Castagnoli, Toney Jennings, Todd Schell, Richard S. Teal
-
Patent number: 8950007
Abstract: Techniques have been developed to allow runtime extensions to a whitelist that locks down a computational system. For example, executable code (including e.g., objects such as a script or active content that may be treated as an executable) is not only subject to whitelist checks that allow (or deny) its execution, but is also subject to checks that determine whether a whitelisted executable is itself trusted to introduce further executable code into the computational system in which it is allowed to run. In general, deletion and/or modification of instances of code that are already covered by the whitelist are also disallowed in accordance with a security policy. Accordingly, an executable that is trusted may be allowed to delete and/or modify code instances covered by the whitelist. In general, trust may be coded for a given code instance that seeks to introduce, remove or modify code (e.g., in the whitelist itself).
Type: Grant
Filed: January 28, 2010
Date of Patent: February 3, 2015
Assignee: Lumension Security, Inc.
Inventors: Daniel M. Teal, Wesley G. Miller, Charisse Castagnoli, Toney Jennings, Todd Schell, Richard S. Teal
-
Publication number: 20140208107
Abstract: Systems and methods for implementing application control security are disclosed. In one embodiment, a system includes a first device, a decrypted white-list, and an executable program. The first device may be in electrical communication with a memory containing an encrypted white-list. The encrypted white-list may be decrypted using an identifier of a second device. The executable program may be referenced in the decrypted white-list.
Type: Application
Filed: March 26, 2014
Publication date: July 24, 2014
Applicant: LUMENSION SECURITY, INC.
Inventors: Ciaran Kelly, Iarla Molloy
-
Patent number: 8745064
Abstract: Systems and methods for operating a saturated hash table are disclosed. In one embodiment, a system includes a hash table located in memory of a computer and a hash program in communication with the hash table. The hash table may include a plurality of index positions, and the hash program may be operable to populate the hash table with a first new digest value, where the first new digest value is associated with a first data item. The first new digest value may be stored at least at a first index position and a second index position of the hash table.
Type: Grant
Filed: September 12, 2011
Date of Patent: June 3, 2014
Assignee: Lumension Security, Inc.
Inventor: Alan Geoffrey Carter
-
Patent number: 8707444
Abstract: Systems and methods for implementing application control security are disclosed. In one embodiment, a system includes a first device, a decrypted white-list, and an executable program. The first device may be in electrical communication with a memory containing an encrypted white-list. The encrypted white-list may be decrypted using an identifier of a second device. The executable program may be referenced in the decrypted white-list.
Type: Grant
Filed: October 7, 2011
Date of Patent: April 22, 2014
Assignee: Lumension Security, Inc.
Inventors: Ciaran Kelly, Iarla Molloy
-
Publication number: 20130290662
Abstract: Methods of detecting malicious code injected into memory of a computer system are disclosed. The memory injection detection methods may include enumerating memory regions of an address space in memory of computer system to create memory region address information. The memory region address information may be compared to loaded module address information to facilitate detection of malicious code memory injection.
Type: Application
Filed: March 15, 2013
Publication date: October 31, 2013
Applicant: LUMENSION SECURITY, INC.
Inventor: Lumension Security, Inc.
-
Patent number: 8474011
Abstract: A system and system for controlling the execution of executable files. The executables are identified by either a cryptographic digest or a digital certificate. The cryptographic digest is computed from the binary image of the executable. An executable that is attempting to execute is intercepted by a protection module that consults a database of stored rules over a secure channel to determine whether or not the executable can be identified as a permitted executable and whether or not it has permission to execute on a particular computer system under certain specified conditions. If a stored permission is available, it is used to control the execution. Otherwise, the user is consulted for permission.
Type: Grant
Filed: November 2, 2011
Date of Patent: June 25, 2013
Assignee: Lumension Security, Inc.
Inventor: Viacheslav Usov
-
Patent number: 8407687
Abstract: Methods, systems, and configured storage media are provided for discovering software updates, discovering if a given computer can use the software update, and then updating the computers with the software as needed automatically across a network without storing the updates on an intermediate machine within the network. Furthermore, when a failure is detected, the rollout is stopped and the software can be automatically removed from those computers that already were updated. The software update can be stored originally at an address that is inaccessible through the network firewall by intermediately uploading the software update to an update computer which is not a part of the network but has access through the firewall, which is then used to distribute the update.
Type: Grant
Filed: October 8, 2010
Date of Patent: March 26, 2013
Assignee: Lumension Security, Inc.
Inventors: Sean Moshir, Christopher A. H. Andrew, Jack Lee Hudler, Leon Li, Jonathan M. Gordon, Michael Bacon, Noah Williams, Jonathan Lane, James J. Horton, Dan Ferguson
-
Publication number: 20120090033
Abstract: Systems and methods for implementing application control security are disclosed. In one embodiment, a system includes a first device, a decrypted white-list, and an executable program. The first device may be in electrical communication with a memory containing an encrypted white-list. The encrypted white-list may be decrypted using an identifier of a second device. The executable program may be referenced in the decrypted white-list.
Type: Application
Filed: October 7, 2011
Publication date: April 12, 2012
Applicant: Lumension Security, Inc.
Inventors: Ciaran Kelly, Iarla Molloy
-
Publication number: 20120066229
Abstract: Systems and methods for operating a saturated hash table are disclosed. In one embodiment, a system includes a hash table located in memory of a computer and a hash program in communication with the hash table. The hash table may include a plurality of index positions, and the hash program may be operable to populate the hash table with a first new digest value, where the first new digest value is associated with a first data item. The first new digest value may be stored at least at a first index position and a second index position of the hash table.
Type: Application
Filed: September 12, 2011
Publication date: March 15, 2012
Applicant: Lumension Security, Inc.
Inventor: Alan Geoffrey Carter
-
Publication number: 20120047556
Abstract: A system and system for controlling the execution of executable files. The executables are identified by either a cryptographic digest or a digital certificate. The cryptographic digest is computed from the binary image of the executable. An executable that is attempting to execute is intercepted by a protection module that consults a database of stored rules over a secure channel to determine whether or not the executable can be identified as a permitted executable and whether or not it has permission to execute on a particular computer system under certain specified conditions. If a stored permission is available, it is used to control the execution. Otherwise, the user is consulted for permission.
Type: Application
Filed: November 2, 2011
Publication date: February 23, 2012
Applicant: Lumension Security, Inc.
Inventor: Viacheslav Usov
-
Patent number: 8060924
Abstract: A system and method for controlling the execution of executable files. The executables are identified by either a cryptographic digest or a digital certificate. The cryptographic digest is computed from the binary image of the executable. An executable that is attempting to execute is intercepted by a protection module that consults a database of stored rules over a secure channel to determine whether or not the executable can be identified as a permitted executable and whether or not it has permission to execute on a particular computer system under certain specified conditions. If a stored permission is available, it is used to control the execution. Otherwise, the user is consulted for permission.
Type: Grant
Filed: April 18, 2005
Date of Patent: November 15, 2011
Assignee: Lumension Security, Inc.
Inventor: Viacheslav Usov
-
Patent number: 8001536
Abstract: A system and method for controlling execution of an interpreted language. Statements of the interpreted language to be executed by a script engine are intercepted by a protection module and control is passed to a script helper module that is associated with the script engine. The script helper module establishes a secure communications channel with an authorization component and passes the statements and an authorization request to the authorization component. The authorization component sends a reply to the script helper module which either permits the script engine to execute the statement or cancels the attempted execution. When the script engine is loaded, a list is updated identifying the script engine. If a script helper module is not present for the loaded script engine, a boot-strap loader is called to load the script helper module. A special information block contains data as to the location of the interception points.
Type: Grant
Filed: January 26, 2009
Date of Patent: August 16, 2011
Assignee: Lumension Security, Inc.
Inventor: Viacheslav Usov
-
Publication number: 20110029966
Abstract: Methods, systems, and configured storage media are provided for discovering software updates, discovering if a given computer can use the software update, and then updating the computers with the software as needed automatically across a network without storing the updates on an intermediate machine within the network. Furthermore, when a failure is detected, the rollout is stopped and the software can be automatically removed from those computers that already were updated. The software update can be stored originally at an address that is inaccessible through the network firewall by intermediately uploading the software update to an update computer which is not a part of the network but has access through the firewall, which is then used to distribute the update.
Type: Application
Filed: October 8, 2010
Publication date: February 3, 2011
Applicant: Lumension Security, Inc.
Inventors: Sean Moshir, Christopher A. H. Andrew, Jack Lee Hudler, Leon Li, Jonathan M. Gordon, Michael Bacon, Noah Williams, Jonathan Lane, James J. Horton, Dan Ferguson
-
Patent number: 7870606
Abstract: A method and device monitor usage of external storage media. The method and system selectively shadow I/O (input/output) from/to only external storage media. The method selectively shadows only accesses to external storage media connected to a computer. The method detects a data access to an external storage medium and writes a copy of the accessed data to a storage location other than the external storage medium. In one embodiment, the access is a write operation. In one embodiment, the method intercepts an I/O request from the computer to an external storage media drive in which the external storage media is inserted. In the case of the Windows NT or Windows 2000 operating systems, the intercepted I/O requests are preferably IRP_MJ_CREATE, IRP_MJ_WRITE, IRP_MJ_CLOSE and IRP_MJ_FILE_SYSTEM_CONTROL packets. An apparatus comprises a detector and a storage connected to the detector. The detector receives I/O requests to an external storage medium. The storage is one other than the external storage medium.
Type: Grant
Filed: August 17, 2007
Date of Patent: January 11, 2011
Assignee: Lumension Security, Inc.
Inventor: Marco Peretti
-
Patent number: 7849514
Abstract: A system and method for securing data on a mass storage device. A centralized device permission store contains device identifiers for the mass storage devices to be secured along with keys of a symmetric cipher that have been encrypted with public keys or pass phrases of authorized users of the devices. A list of these users is also contained in the store. A helper module provides the private key or pass phrase, for imported keys, needed to decrypt the key of the symmetric cipher, which is used to encrypt and decrypt blocks of data stored on the mass storage device. When a read request is made, a protection module intercepts the request, obtains the block from the mass storage device and decrypts the block. When a write request is made, the protection module intercepts the request, encrypts the block and has it stored on the mass storage device.
Type: Grant
Filed: April 22, 2005
Date of Patent: December 7, 2010
Assignee: Lumension Security, Inc.
Inventors: Viacheslav Usov, Andrey Kolishchak
-
Patent number: 7823147
Abstract: Methods, systems, and configured storage media are provided for discovering software updates, discovering if a given computer can use the software update, and then updating the computers with the software as needed automatically across a network without storing the updates on an intermediate machine within the network. Furthermore, when a failure is detected, the rollout is stopped and the software can be automatically removed from those computers that already were updated. The software update can be stored originally at an address that is inaccessible through the network firewall by intermediately uploading the software update to an update computer which is not a part of the network but has access through the firewall, which is then used to distribute the update.
Type: Grant
Filed: June 23, 2005
Date of Patent: October 26, 2010
Assignee: Lumension Security, Inc.
Inventors: Sean Moshir, Christopher A. H. Andrew, Jack Lee Hudler, Leon Li, Jonathan M. Gordon, Michael Bacon, Noah Williams, Jonathan Lane, James J. Horton, Dan Ferguson
-
Patent number: 7487495
Abstract: A system and method for controlling execution of an interpreted language. Statements of the interpreted language to be executed by a script engine are intercepted by a protection module and control is passed to a script helper module that is associated with the script engine. The script helper module establishes a secure communications channel with an authorization component and passes the statements and an authorization request to the authorization component. The authorization component sends a reply to the script helper module which either permits the script engine to execute the statement or cancels the attempted execution. When the script engine is loaded, a list is updated identifying the script engine. If a script helper module is not present for the loaded script engine, a boot-strap loader is called to load the script helper module. A special information block contains data as to the location of the interception points.
Type: Grant
Filed: April 18, 2005
Date of Patent: February 3, 2009
Assignee: Lumension Security, Inc.
Inventor: Viacheslav Usov