Patents Assigned to Symantec
  • Publication number: 20110106862
    Abstract: A method for quickly identifying data residing on a volume in a multivolume file system. The method includes generating a file location map, the file location map containing a list of the locations of files that occupy space on each of a plurality of volumes of the file system. The file system comprises at least a first volume and a second volume. The file location map is updated in accordance with changes in a file change log for the file system. Data residing on the first volume of the file system is identified by scanning the file location map.
    Type: Application
    Filed: October 30, 2009
    Publication date: May 5, 2011
    Applicant: SYMANTEC CORPORATION
    Inventors: Murthy V. Mamidi, Kadir Ozdemir, Charles Silvers, Paul Massiglia
  • Patent number: 7937761
    Abstract: Detecting a network security threat is disclosed. Network traffic is classified with a security risk related classification, the classification being determined at least in part by applying a threat detection heuristic to at least a portion of the network traffic. Classification data that indicates the security risk related classification into which the network traffic has been classified is added to the network traffic. The network traffic is subjected to a level of network security threat detection processing that corresponds to the security risk related classification into which the network traffic has been classified as determined based at least in part on the classification data.
    Type: Grant
    Filed: December 17, 2004
    Date of Patent: May 3, 2011
    Assignee: Symantec Corporation
    Inventor: Jeremy Bennett
  • Patent number: 7937758
    Abstract: An origin of a file of interest on a computer system is determined by monitoring file origin events on the computer system. A file of interest resulting from one of the file origin events may then be selected for tracing. A precursor file from which the file of interest emanates as a result of one of the file origin events is then identified. By iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest, an origin file with no further precursor file may thus be identified. It is thus possible to trace back a given process or file of interest to a file container and/or location that initially introduced it into the computer system and any intermediate files or forms the process or file of interest may have assumed.
    Type: Grant
    Filed: January 23, 2007
    Date of Patent: May 3, 2011
    Assignee: Symantec Corporation
    Inventors: Pierre-Michel Kronenberg, Derek Zahn
  • Patent number: 7937617
    Abstract: Systems and procedures may be used to coordinate the fail-back of multiple hosts in environments where the hosts share one or more data-storage resources. In one implementation, a procedure for coordinating fail-backs includes monitoring a failed data path to detect a restoration of the data path, polling remaining nodes in response to the restoration, and allowing the first node to resume communications if access has been restored to the remaining nodes.
    Type: Grant
    Filed: October 28, 2005
    Date of Patent: May 3, 2011
    Assignee: Symantec Operating Corporation
    Inventors: Venkata Sreenivasa Rao Nagineni, Siddhartha Nandi, Abhay K. Singh
  • Patent number: 7937764
    Abstract: The executions of computer viruses are analyzed to develop register signatures for the viruses. The register signatures specify the sets of outputs the viruses produce when executed with a given set of inputs. A virus detection system (VDS) (400) holds a database (430) of the register signatures. The VDS (400) selects (710) a file that might contain a computer virus and identifies potential entry points in the file. The VDS (400) uses a virtual machine (422) having an initial state to emulate (714) a relatively small number of instructions at each entry point. While emulating each potential entry point, the VDS builds (716) a register table that tracks the state of a subset of the virtual registers (428). Once the VDS (400) reaches an emulation breakpoint, it analyzes the register table in view of the register signatures to determine whether the file contains a virus.
    Type: Grant
    Filed: May 1, 2008
    Date of Patent: May 3, 2011
    Assignee: Symantec Corporation
    Inventor: Peter Szor
  • Patent number: 7937545
    Abstract: Method and apparatus for file-level restore from raw partition backups. A backup mechanism may be provided that is configured to perform raw partition backups to a media server and to support file-level restores from the raw partition backups through, for example, Fibre Channel (FC) or iSCSI Logical Unit (LUN) export of the raw partition backup images to client systems. Once a LUN is exported and mounted on the client system, direct file manipulation using standard file system commands may be performed. Embodiments achieve both fast backup and individual file retrieval without the necessity of understanding native file system formats and without requiring a file system mapping of the source (client) partition. Thus, embodiments may be used in heterogeneous environments.
    Type: Grant
    Filed: March 29, 2006
    Date of Patent: May 3, 2011
    Assignee: Symantec Operating Corporation
    Inventors: Weibao Wu, Graham Bromley, James P. Ohr
  • Patent number: 7934259
    Abstract: A stealth threat detection manager detects stealth threats. The stealth threat detection manager monitors system activities that are vulnerable to being used by stealth threats. Dynamic link libraries are often used by stealth threats, so in some embodiments the stealth threat detection manager monitors for the loading thereof. The stealth threat detection manager detects when a system activity being monitored occurs, and after the occurrence of the activity, determines whether a specific component associated with the activity (e.g., the dynamic link library being loaded) is accessible on the computer. If the component is accessible, the stealth threat detection manager concludes that the component is non-stealthed. On the other hand, if the component is not accessible, the stealth threat detection manager concludes that the component is a stealth threat, and takes appropriate action in response.
    Type: Grant
    Filed: November 29, 2005
    Date of Patent: April 26, 2011
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Patent number: 7934257
    Abstract: A method of monitoring events in a network associated with a node. An agent collects event information associated with the monitored activities, based on a set of collection rules. A determination is made whether a portion of the collected event information complies or potentially complies with one of a set of patterns. An agent selects event information from the collection based on the determination, and makes the selected event information available to a manager associated with the node and other nodes in the network. The agent manager receives event information from a plurality of agents. A triggering event is identified, as a function of the set of patterns, based on the event information. The agent manager sends at least one request to a selected set of the agents for additional event information when a triggering event is identified.
    Type: Grant
    Filed: January 7, 2005
    Date of Patent: April 26, 2011
    Assignee: Symantec Corporation
    Inventors: Darrell Kienzle, Paul Swinton
  • Patent number: 7934229
    Abstract: A security module interfaces with a set of infection repair modules. Each repair module can perform a specific repair of an infection. Some of the repair modules utilize context information about the computer, such as the availability of a non-infected backup file. Further, the repairs performed by some repair modules are fine-grained while repairs of other repair modules are coarse-grained. The security module identifies malicious software infecting a computer and generates an infection object for each infection. The security module selectively routes the infection objects to the repair modules. In response, the repair modules provide repair objects representing repairs that the repair modules can perform on the infection. The repair objects have scores describing their thoroughness and complexity. The security module ranks the repair objects based on their scores and selects certain repairs for repairing the malicious software infections.
    Type: Grant
    Filed: December 29, 2005
    Date of Patent: April 26, 2011
    Assignee: Symantec Corporation
    Inventor: Gregory D. Vogel
  • Patent number: 7930489
    Abstract: Techniques for optimizing configuration partitioning are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for configuration partitioning comprising a module for providing one or more policy managers, a module for providing one or more applications, the one or more applications assigned to one or more application groups, a module for associating related application groups with one or more blocks, and a module for assigning each of the one or more blocks to one of the one or more policy managers, wherein if one or more of the one or more blocks cannot be assigned to a policy manager, breaking the one or more blocks into the one or more application groups and assigning the one or more application groups to one of the one or more policy managers.
    Type: Grant
    Filed: March 28, 2008
    Date of Patent: April 19, 2011
    Assignee: Symantec Corporation
    Inventors: Sachin Vaidya, Tushar Bandopadhyay
  • Patent number: 7930684
    Abstract: A system, method, and computer-accessible medium for logging and replaying asynchronous events are disclosed. One or more asynchronous events occurring during execution of a first instance of a computer program are logged. In logging the asynchronous events, a respective location in the execution of the first instance at which each of the one or more asynchronous events occurs is determined. A respective synchronous event preceding each asynchronous event is also determined. The asynchronous events are replayed during execution of a second instance of the computer program. In replaying each asynchronous event, the second instance is instrumented at the respective location during the execution of the second instance after detecting the preceding synchronous event.
    Type: Grant
    Filed: October 12, 2005
    Date of Patent: April 19, 2011
    Assignee: Symantec Operating Corporation
    Inventors: Guenter E. Roeck, Serge Pashenkov, Serge Shats
  • Patent number: 7930751
    Abstract: A method for detecting malicious code on an information handling system includes executing malicious code detection code (MCDC) on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the MCDC. The detection routines associate weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code as a function of the weights associated by the detection routines. Computer-readable media and an information handling system are also disclosed.
    Type: Grant
    Filed: February 27, 2009
    Date of Patent: April 19, 2011
    Assignee: Symantec Corporation
    Inventors: Mark Obrecht, Michael Tony Alagna, Andy Payne
  • Patent number: 7930750
    Abstract: In one embodiment, a trickle and repair application receives data from a sending computer system and trickles the data to a target computer system over an in-band communication channel. The received data is evaluated for the presence of malicious code. When malicious code is detected in the data, trickling of the data is terminated. If the infected data is repairable, the data is repaired and an out-of-band target data notification is generated and sent to the target computer system. In one embodiment, receipt of the out-of-band target data notification causes the target computer system to flush the current buffer and any local files containing the trickled data. The target computer system returns an out-of-band target acknowledgement to the trickle and repair application and the repaired data is sent to the target computer system.
    Type: Grant
    Filed: April 20, 2007
    Date of Patent: April 19, 2011
    Assignee: Symantec Corporation
    Inventors: William Joseph Gauvin, Edward James Taranto, Steve Y. Zhou
  • Patent number: 7930481
    Abstract: An application may issue write operations intended for a SAN via a server cache. Monitoring of the SAN (e.g., the autonomous persistent cache of the storage arrays of the SAN), allows caching performance to be controlled by a write caching policy. The server cache memory may be increased, decreased or eliminated according to the write caching policy. In one embodiment, a storage volume manager may adjust the latency of write operations in the server cache. In some embodiments, the write caching policy may adapt and learn characteristics of the storage environment, which may include calibrated values for messaging timestamps.
    Type: Grant
    Filed: December 18, 2006
    Date of Patent: April 19, 2011
    Assignee: Symantec Operating Corporation
    Inventors: Jim Nagler, Ramesh Balan
  • Patent number: 7930583
    Abstract: Systems, methods, apparatus and software can implement a SAN monitoring scheme for determining changes in SAN topology, such as device failure and state changes. These changes are recorded in a SAN topology data structure. Information in the SAN topology data structure is used, for example, to identify a suspect path or set of paths, and to make decisions about communications pathways used by a multipath device driver.
    Type: Grant
    Filed: September 14, 2006
    Date of Patent: April 19, 2011
    Assignee: Symantec Operating Corporation
    Inventors: Hari Krishna Vemuri, Venkata Sreenivasa Rao Nagineni, Siddhartha Nandi
  • Patent number: 7930739
    Abstract: Evaluating a data transmission is disclosed. In various embodiments evaluating the data transmission may include transforming a parameter associated with the data transmission into an augmented parameter wherein the augmented parameter represents a plurality of binned parameters. The augmented parameter is matched to a scaled parameterized rule set wherein the scaled parameterized rule set references the augmented parameter. The scaled parameterized rule set is applied to the data transmission.
    Type: Grant
    Filed: May 24, 2005
    Date of Patent: April 19, 2011
    Assignee: Symantec Corporation
    Inventor: Carey Nachenberg
  • Patent number: 7925888
    Abstract: A virus detection system (VDS) (400) operates under the control of P-code to detect the presence of a virus in a file (100) having multiple entry points. P-code is an intermediate instruction format that uses primitives to perform certain functions related to the file (100). The VDS (400) executes the P-code, which provides Turing-equivalent capability to the VDS. The VDS (400) has a P-code data file (410) for holding the P-code, a virus definition file (VDF) (412) for holding signatures of known viruses, and an engine (414) for controlling the VDS. The engine (414) contains a P-code interpreter (418) for interpreting the P-code, a scanning module (424) for scanning regions of the file (100) for the virus signatures in the VDF (412), and an emulating module (426) for emulating entry points of the file. When executed, the P-code examines the file (100), posts (514) regions that may be infected by a virus for scanning, and posts (518) entry points that may be infected by a virus for emulating.
    Type: Grant
    Filed: November 22, 2004
    Date of Patent: April 12, 2011
    Assignee: Symantec Corporation
    Inventor: Carey S. Nachenberg
  • Patent number: 7926111
    Abstract: A method/system for determining a group of related entities of interest in one or more processing systems. The method comprises identifying a starting entity from one or more entities in the one or more processing systems, then obtaining, based on an entity type of the starting entity, a first set of rules for determining at least one other related entity, and then determining, using the first set of rules, the at least one related entity.
    Type: Grant
    Filed: February 16, 2007
    Date of Patent: April 12, 2011
    Assignee: Symantec Corporation
    Inventors: Ian Oliver, Ryan Pereira
  • Patent number: 7925856
    Abstract: A method and apparatus for maintaining an amount of reserve space using virtual placeholders. In one embodiment, a method of using placeholders for log files to maintain an amount of reserve storage space comprises determining a first required log file, wherein the first required log file is to be used to recover a database volume, generating at least one placeholder for representing at least one required log file in a log volume and storing the first required log file and the at least one placeholder in a portion of the log volume, wherein the at least one placeholder is used to control a size of the portion of the log volume.
    Type: Grant
    Filed: December 28, 2007
    Date of Patent: April 12, 2011
    Assignee: Symantec Corporation
    Inventor: Christopher Greene
  • Patent number: 7926106
    Abstract: Upon detection of a rootkit, a host computer system is rebooted. The boot process is interrupted. Access to a media, e.g., a volume or disk, containing the rootkit is gained and the media is directly accessed. The rootkit is disabled, e.g., renamed or deleted, and the host computer system is rebooted a second time. If the rootkit has not been previously removed, e.g., only renamed, the rootkit is removed, e.g., using a conventional antivirus application. Thus, upon detection of a rootkit, the rootkit is removed without a clean boot.
    Type: Grant
    Filed: April 6, 2006
    Date of Patent: April 12, 2011
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, Michael Spertus, Peter Linhardt, Richard Gough, Adam Glick, Patrick Gardner, Spencer Smith, Tim Naftel