Abstract: An anti-exploit system monitors and identifies malicious behavior related to one or more protected applications or processes. The anti-exploit system intercepts API calls associated with the protected application or process including parameters passed on to the operating system functions as well as a memory address associated with the caller to the API calls. Based on the characteristics associated with the intercepted API call a Behavioral Analysis Component determines whether the API call is malicious in nature.

Abstract: A network access manager controls access to a network interface according to a set of access control instructions specifying permissible and impermissible addresses and domains on a network. The network access manager establishes a graylist of addresses based on a domain request that is associated with a whitelisted domain that is accessed via a blacklisted address. When a request to establish a connection is received directed to a graylisted address, the connection is permitted to establish and the connection is added to a session graylist. When a session data transfer packet is received, if the session corresponds to a session on the session graylist, the session data transfer packet is examined to determine if it matches a whitelisted domain, in which case the session is associated with a session whitelist and permitted access to the network. The access control instructions may be automatically updated from a trusted access control management system.

Abstract: A secure backup application executing on the computing device routinely backs up files on the device to a cloud backup server. Prior to backing up a particular file, the secure backup application performs a malware detection scan on the file to determine whether the files are malware. If a file is malware and cannot be cleaned, then the file is not backed up. Similarly, the secure backup application performs a malware detection scan on files that are being restored to a computing device from the cloud backup server. If a file retrieved from the cloud backup server is determined to be malware, then the secure backup application prevents the file from being fully restored and quarantines or expunges the file from the computing device.

Abstract: A self-protection application executes in kernel mode and manages access to processes and files related to an associated anti-malware application. The self-protection application monitors executing processes on the client device and detects the processes that are attempting to access files/processes related to the anti-malware software. These processes and files are verified by the self-protection application using digital signature authentication. Trusted processes such as those originating from the anti-malware software or other authorized programs are allowed access while other processes are restricted access.

Abstract: A deployment simulator application receives information about an anti-malware application that is to be deployed to and installed on client devices connected to a network. The deployment simulator application identifies the clients that will receive the deployed anti-malware application and performs a series of tests on the client to determine whether the anti-malware application will be able to successfully install remotely on the client. The deployment simulator application may report the results of the deployment simulation tests to an administrative client.

Abstract: A network access manager controls access to a network interface according to a set of access control instructions specifying permissible and impermissible addresses and domains on a network. The network access manager establishes a graylist of addresses based on a domain request that is associated with a whitelisted domain that is accessed via a blacklisted address. When a request to establish a connection is received directed to a graylisted address, the connection is permitted to establish and the connection is added to a session graylist. When a session data transfer packet is received, if the session corresponds to a session on the session graylist, the session data transfer packet is examined to determine if it matches a whitelisted domain, in which case the session is associated with a session whitelist and permitted access to the network. The access control instructions may be automatically updated from a trusted access control management system.