Abstract: A system for providing application services in a computing environment having both user-mode processes and privileged-mode processes. An agent executes in privileged mode and exposes an interface to user-mode processes. A user-mode component is provided with an interface configured to access the agent's exposed interface. A configuration component specifies a list of installable code components that are authorized for installation, wherein the agent will only execute privilege mode functions in response to accesses by the user-mode code component when the installable code component is represented on the list.

Abstract: A method and system for gathering data by monitoring data packets on a network. At least some of the packets are captured in a data buffer. Each captured packet is classified according to a preselected classification system and each captured packet is marked with an indicia of its classification. An analysis program is executed on a network coupled computer. The analysis program displays data about the buffer contents including the indicia before transferring the buffer contents to the analysis program.

Abstract: A system and a process for maintaining a plurality of remote security applications using a centralized broker in a distributed computing environment are described. A centralized broker is executed on a designated system within the distributed computing environment. A console interface from the centralized broker is exposed. The console interface implements a plurality of browser methods which each define a browser function which can be invoked by a plurality of snap-in components. A namespace snap-in component is defined and includes a logical grouping identifying at least one remote security application being executed on a remote system within the distributed computing environment. A namespace interface from the namespace snap-in component is exposed. The namespace interface implements a plurality of namespace methods each defining a storage function which can be invoked by the centralized broker. A repository including a plurality of storages corresponding to each remote system is formed.

Abstract: A system and a process for reporting network events using hierarchically-structured event databases in a distributed computing environment are disclosed. A centralized broker is executed on a designated system within the distributed computing environment. At least one security application is provided as a plug-in component on a client system interfaced remotely to the centralized broker. A local event database is maintained on the client system. The local event database includes a set of entries in which network events generated by the at least one security application are transitorily stored. Network events forwarded from the local event database are received via a communications server service. The communications server service exposes a set of communication interfaces implementing a plurality of event methods. Each communication interface defines an event management function which can be invoked by the centralized broker.

Abstract: System and methodology providing automated or “proactive” network security (“active” firewall) are described. The system implements methodology for verifying or authenticating communications, especially between network security components thereby allowing those components to share information. In one embodiment, a system implementing an active firewall is provided which includes methodology for verifying or authenticating communications between network components (e.g., sensor(s), arbiter, and actor(s)), using cryptographic keys or digital certificates. Certificates may be used to digitally sign a message or file and, in a complementary manner, to verify a digital signature. At the outset, particular software components that may participate in authenticated communication are specified, including creating a digital certificate for each such software component.

Abstract: A computer program product for assisting a service person in managing an enterprise network is described, wherein a browser-based help desk window may be invoked by the service person at any user computer on the enterprise network that is equipped with a web browser. The browser-based help desk window is customizable to each service person, allowing the service person to embed a network visibility link on an application launch toolbar contained in the browser-based help desk window. The service person may then subsequently log into a help desk server from any user computer equipped with a browser, and then launch a browser-based network visibility session upon activation of the embedded network visibility link. The user is permitted to embed the network visibility link onto the application toolbar, and to perform other browser-based help desk window customization tasks, using simple menu selection and drag-and-drop commands.

Abstract: A system and method for managing scarce computer system memory resources has three aspects. A first aspect allows large data structures to be replaced by a pointer that causes an intentional fault to occur. The fault is trapped, and the invention interposes the required data. A second aspect associates data structures with both the task and the module that own the structure. The structure can be eliminated from memory when both the owning task and the owning module have terminated. A third aspect utilizes swapping techniques to maintain multiple local data areas for multiple tasks.

Abstract: The invention provides a method for reducing the memory requirements and CPU cycle consumption of an executing program in a suspended state suspends the program by intercepting the entry points of the program. The contents of the memory occupied by the program and its data objects are then discarded or compressed, wherein the compressed data is stored at another region in the memory. The memory region containing the uncompressed data is then designated as free memory.

Abstract: A system, method and computer program product for automatic response to computer system misuse using active response modules (ARMs). ARMs are tools that allow static intrusion detection system applications the ability to dynamically increase security levels by allowing real-time responses to detected instances of computer misuse. Several classes of ARMs exist which allow them to interface with several types of network elements found within a computing environment (e.g., firewalls, web servers, Kerberos severs, certificate authorities, etc.). The ARMs, once defined, are deployed in a “plug and play” manner into an existing intrusion detection system within a computing environment. A user (e.g., system administrator) may then configure the ARMs by linking them to specific computer misuses.

Abstract: A system and method for data recovery is described. In one embodiment, an encrypting system encrypts a message or file using a secret key (KS) and attaches a key recovery field (KRF), including an access rule index (ARI) and KS, to the encrypted message or file. To access the encrypted message or file, a decrypting system must satisfactorily respond to a challenge issued by a key recovery center. The challenge is based on one or more access rules that are identified by the ARI included within the KRF.

Abstract: A method for updating antivirus files on a computer using push technology is disclosed. In a preferred embodiment, updated virus signature files or other updated antivirus information is loaded onto a central antivirus server, while local push agent software is installed on the client computer. When the user of the client computer is connected to the Internet, the push agent software operates in the background to receive updated antivirus files from the central antivirus server across the Internet, in a manner which is substantially transparent to the user. In another preferred embodiment, antivirus files on a plurality of client computers on a corporate computer network are automatically updated using push technology and automated network installation scripts. A service computer associated with the plurality of client computers receives one or batches of antivirus updates from a central antivirus server across the Internet using push technology.

Abstract: A method is provided for detecting computer viruses that infect text-based files. In accordance with a preferred embodiment, a collection of virus signatures reflecting sequences of characters or instructions known to be found in such viruses is maintained on a computer system. A virus detection program is also maintained for the purpose of comparing the contents of computer files to the virus signatures. Upon execution of the virus detection program, whitespace within text-based files is transformed such that each sequence of whitespace characters is replaced by a single whitespace character. Virus signatures of viruses known to infect text files are similarly transformed. A transformed text-based file is then searched for at least one of said virus signatures. The user is alerted to a possible virus infection if any of the virus signatures are found in a file.

Abstract: A file system for data file storage on a block storage device includes signature information embedded within each block allocated to a data file. Such signature information includes a file identification number, a sequence number within the file, and optional file type information. The signature information is used to reconstruct files on the block storage device in the event of damage to data files or critical system areas on the device. The directory structure for the file system is maintained as a self-contained flat database, stored as a B-tree for expedited searching, including full hierarchical pathnames for each directory entry, thereby enhancing the ability to recover files in a low level of the directory hierarchy when a middle level has been damaged.

Abstract: A system and method for identifying and analyzing active channels in an asynchronous transfer mode (ATM) network. The system and method open a plurality of ATM network channels during a time period; automatically monitor each of the plurality of open channels to identify any active channels from among the open channels; and automatically identify the type of traffic transmitted on the open channels. By systematically identifying the active channels in the ATM network, the ATM network analysis device can further analyze the traffic on the active channels. The present invention includes at least three functions: network data detection and capture, active channel determination, and ATM Application Layer (AAL) service type categorization. A network data detector and identifier (DDI) performs the functions of network data detection and capture. The DDI connects to an ATM network and captures, copies, and repeats cells transmitted on the network and copies cells of interest to the DDI for further analysis.

Abstract: A method for improving the availability of global DOS memory under Microsoft Windows has two primary aspects. First, upper memory blocks are linked to the global heap to increase the amount of global DOS memory available. Second, a reserved area of global DOS memory is maintained to prevent generic memory requests from being fulfilled therefrom. Valid requests for global DOS memory are intercepted to ensure that they are able to be allocated out of global DOS memory or the reserved area. Taken in conjunction, the two aspects of the invention substantially decrease the probability that unavailability of global DOS memory will result in application or system failure.

Abstract: A method for superimposing attributes on files stored in a hierarchically organized file system, having at least one file and at least one directory, is disclosed. The method initializes an attribute data base (ADB) with one or more entries having a path descriptor referencing a file in a hierarchical database, an attribute, and an attribute association option describing how the attribute is associated with the file referenced by the path descriptor. The method simplifies maintaining systems employing file attributes to describe files by using the hierarchy of the file system to superimpose attributes on the files. The method provides for handling explicit, implicit, and static associations of attributes with files in the file hierarchy. The method is invoked by a file manager, such as an attribute supplying file hierarchy (ASFH), which resides in the operating system of a computer system having a processor, memory, and a system bus for passing data between the processor and memory.

Abstract: A method for updating antivirus files on a computer using push technology is disclosed. In a preferred embodiment, updated virus signature files or other updated antivirus information is loaded onto a central antivirus server, while local push agent software is installed on the client computer. When the user of the client computer is connected to the Internet, the push agent software operates in the background to receive updated antivirus files from the central antivirus sever across the Internet, in a manner which is substantially transparent to the user. In another preferred embodiment, antivirus files on a plurality of client computers on a corporate computer network are automatically updated using push technology and automated network installation scripts. A service computer associated with the plurality of client computers receives one or batches of antivirus updates from a central antivirus server across the Internet using push technology.

Abstract: A system and method for allowing computer programs to directly access various features of a virus scanning engine is disclosed. In one embodiment of the invention, the system includes a module for instantiating an object to act as an interface between the computer program and the virus scan engine, a module for setting properties of the object that are associated with the desired feature of the virus scan engine to be accessed, a module for invoking a method of the object, the invocation resulting in access to the desired feature of the virus scan engine, and a module for examining properties of the object after the desired feature of the virus scan engine has been accessed.

Abstract: A method for protecting a computer operating system from unexpected errors write-protects certain critical system components, thereby preventing corruption by application programs, and handles otherwise fatal program errors and infinite loops outside of the context of a malfunctioning program, permitting the program to be reactivated.

Abstract: A system and method for data escrow cryptography are described. An encrypting user encrypts a message using a secret storage key (KS) and attaches a data recovery field (DRF), including an access rule index (ARI) and KS, to the encrypted message. The DRF and the encrypted message are stored in a storage device. To recover KS, a decrypting user extracts and sends the DRF to a data recovery center (DRC) that issues a challenge based on access rules (ARs) originally defined by the encrypting user. If the decrypting user meets the challenge, the DRC sends KS in a message to the decrypting user. Generally, KS need not be an encryption key but could represent any piece of confidential information that can fit inside the DRF. In all cases, the DRC limits access to decrypting users who can meet the challenge defined in either the ARs defined by the encrypting user or the ARs defined for override access.