Abstract: A method, system, and computer program product for scanning incoming emails reduces the server resources needed, which improves server throughput and reduces costs. A method for processing incoming email messages comprised the steps of scanning incoming email messages to obtain an address of a sender of each incoming email message and to determine whether the email message is spam, for each email message that is determined to be spam, incrementing a count of email messages that are spam for a sender of the email message, determining that a count of email messages that are spam for a sender of an email message has exceeded a threshold, and thereafter, discarding all incoming email messages from the sender for which the count of email messages that are spam for a sender of an email message has exceeded a threshold without scanning the email messages to determine whether they are spam.

Abstract: A secure identifier is derived, using a secured microcontroller of a computing device, that is unique to a pairing of the computing device and a particular domain. Secure posture data corresponding to attributes of the computing device is identified in secured memory of the computing device. The secure identifier and security posture is sent in a secured container to a management device of the particular domain. The particular domain can utilize the information in the secured container to authenticate the computing device and determine a security task to be performed relating to interactions of the computing device with the particular domain.

Abstract: A method is described in example embodiments below that include receiving a content tag associated with transferring a file over a network connection. A session descriptor may also be received. The session descriptor and the content tag may be correlated with a network policy, which may be applied to the network connection. In some embodiments, the content tag may be received with the session descriptor. The file may be tainted by another file in some embodiments, and the content tag may be associated with other file.

Abstract: A method is provided in one example embodiment that includes receiving in an external handler an event notification associated with an event in a virtual partition. A thread in the process in the virtual partition that caused the event can be parked. Other threads and processes may be allowed to resume while a security handler evaluates the event for potential threats. A helper agent within the virtual partition may be instructed to execute a task, such as collecting and assembling event context within the virtual partition, and results based on the task can be returned to the external handler. A policy action can be taken based on the results returned by the helper agent, which may include, for example, instructing the helper agent to terminate the process that caused the event.

Abstract: A particular scan set to be performed on at least a portion of a computing environment is identified. A particular scan engine, in a plurality of scan engines, is identified that is adapted to perform at least one scan in the particular scan set, each scan engine in the plurality of scan engines adapted to perform one or more scans on one or more host devices in the computing environment. A request is sent to the particular scan engine to perform the at least one scan in the particular scan set and scan result data is received from the particular scan engine corresponding to the at least one scan in the particular scan set.

Abstract: In an example, a context-aware network is disclosed, including threat intelligence services provided over a data exchange layer (DXL). The data exchange layer may be provided on an enterprise service bus, and may include services for classifying objects as malware or not malware. One or more DXL brokers may provide messaging services including, for example, publish-subscribe messaging and request-response messaging. Advantageously, DXL endpoint devices must make very few assumptions about other DXL endpoint devices.

Abstract: In an example, there is disclosed a method or system for merging multiple system trees of different resources based in multiple locations over a data exchange layer. In one embodiment, there is disclosed a system for merging assets of different types within one or more tree-based locations. For example, an end node may be represented in a single location, a single message broker may provide services for and be represented in multiple locations. The asset to asset relationships within merged trees may be used to ensure availability of services and visualization of the system for management purposes.

Abstract: In an example, there is disclosed a system and method for providing a service-oriented architecture, including request/response, over a publish/subscribe framework. In one embodiment, a system is disclosed for adding layers upon a publish/subscribe messaging framework for sophisticated messaging such as point-to-point (request/response) and the ability to query for available services, in a reliable, scalable manner.

Abstract: To provide a more seamless experience across multiple devices, task streaming systems and methods allow a user to create “task-contexts” and manage metadata of files stored across multiple data storage devices and user preferences associated with capabilities of the multiple devices for operating on the file. Furthermore, the task streaming systems and methods are provided to allow task-contexts to be shared from one device to another device. A task-context specifies one or more files and one or more operations to be performed on the one or more files. By providing a task-context from one device to the other device, a user can accomplish a task with a particular file and seamlessly transition between devices with minimal disruption and effort.

Abstract: In an example, a web gateway is described, including an authentication proxy engine (PAE). The PAE authenticates a user device via, for example, a username and password, biometric data, or two-factor authentication. The web gateway then provides seamless and transparent single sign-on (SSO) for one or more web services. When the user requests a web page from the web service, the PAE inserts custom code that detects a login action. When the user logs in, a one-time token may be provided to auto-fill the username and password field. When the user submits the form, the PAE provides the actual credentials to the web service. The PAE may also provide authentication via authentication headers.

Abstract: According to one example, a system and method are disclosed for malware and grayware remediation. For example, the system is operable to identify applications that have some legitimate behavior but that also exhibit some undesirable behavior. A remediation engine is provided to detect malware behavior in otherwise useful applications, and allow the useful parts of the application to run while blocking the malware behavior. In an example method of “healing,” this may involve modifying the application binary to remove undesirable behavior. In an example method of “personalization,” this may involve inserting control hooks through the operating system to prevent certain subroutines from taking effect.

Abstract: In an example, there is disclosed a method and system for real-time policy and task distribution to endpoints over a data exchange layer. According to one embodiment, a persistent point-to-point messaging framework is used to distributed configuration policy and tasks to a distributed, disparate set of devices immediately upon policy definition. Advantageously, the data exchange layer may facilitate delivery of messages even to endpoints that sit, for example, behind a firewall or NAT.

Abstract: In an example, a security-connected platform is provided on a data exchange layer (DXL), which provides messaging on a publish-subscribe model. The DXL provides a plurality of DXL endpoints connected via DXL brokers. In one case, DXL endpoints designated as producers are authorized to produce certain types of messages, including security-related messages such as object reputations. Other DXL endpoints are designated as consumers of those messages. A domain master may also be provided, and may be configured to provide physical and logical location services via an asset management engine.

Abstract: The present disclosure combines Software Defined Networks (SDN) concepts with Security concepts. The coordination between SDN and Security provides a myriad of advantageous use cases. One exemplary use case involves providing a fast path at network speeds using SDN by routing network traffic to bypass a security appliance once the security appliance determines that the security appliance no longer needs to inspect the network traffic. Another exemplary use case involves remote provisioning of security zones.

Abstract: A system for securing an electronic device may include a memory, a processor; one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for collecting information of host devices. In one aspect, a method includes transmitting a plurality of information probes to the host device, including an agent probe that queries an agent installed on the host device for a unique agent identifier, monitoring for replies to the information probes from the host device during the host detection phase, ending the host detection phase in response to receiving a reply to the agent probe and that includes the unique agent identifier, resending the plurality of information probes and incrementing a repeat counter in response to not receiving a reply to the agent probe after the expiration of a time period and ending the host detection phase in response to a value of the repeat counter exceeding a maximum repeat value.

Abstract: In an example, a threat intelligence controller is configured to operate on a data exchange layer (DXL). The threat intelligence controller acts as a DXL consumer of reputation data for a network object, which may be reported in various different types and from various different sources. Of the devices authorized to act as reputation data producers, each may have its own trust level. As the threat intelligence controller aggregates data from various providers, it may weight the reputation reports according to trust level. The threat intelligence engine thus builds a composite reputation for the object. When it receives a DXL message requesting a reputation for the object, it publishes the composite reputation on the DXL bus.

Abstract: An aspect of the present invention relates to methods and systems involving receiving a request for web content from a client computing facility, presenting the web content, and retrieving an indicia of a reputation assessment of the web content and delivering the indicia to the client computing facility in coordination with delivery of the web content to the client computing facility.

Abstract: A method for securing an electronic device includes, at a level below all of the operating systems of an electronic device, trapping a first attempt and second attempt to access sensitive system resources of the electronic device. The method also includes identifying the first attempt and second attempt as representing a potential malware attack, comparing the sequence of the first attempt and second attempt against a first anti-malware rule, and, based on the comparison of the sequence of the first attempt and second attempt against the first anti-malware rule, allowing the second attempt. The first attempt and second attempt originate from code of the same operating entity. The first anti-malware rule includes a requirement of a sequence of attempts including the first attempt followed by the second attempt.

Abstract: Disclosed are systems and methods to perform coordinated blocking of source addresses, such as an Internet Protocol (IP) addresses, across a plurality of network appliances (e.g., gateways). In one disclosed embodiment the method and system temporarily alter a configuration of one or more network appliances (based on user defined configuration parameters) to allow communication from a “blocked” IP address for a period of time. A network appliance can then “receive” an email and perform analysis and provide results of the analysis to a reputation service. Thereby, the temporarily allowed communication can be used to learn information about a threat which would not have been available if all communication from that IP address had actually been blocked at the network appliance.