Patents Assigned to Symantec
  • Publication number: 20040205354
    Abstract: A system and method are disclosed for detecting malicious computer applications. According to an embodiment of the present invention, it is determined whether a communication is attempting to occur, wherein the communication is associated with a first application. It is also determined whether there is a second application associated with the first application; and also determined whether the second application is trusted.
    Type: Application
    Filed: April 10, 2003
    Publication date: October 14, 2004
    Applicant: Symantec Corporation
    Inventors: Basil Gabriel, Mark Spiegel
  • Patent number: 6785818
    Abstract: Apparati, computer-implemented methods, and computer-readable media for thwarting map-loaded module (8) attacks on a digital computer (1). Within the computer (1) is an intermediate location such as a registry (10) containing mappings from generic names (4) of map-loaded modules (8) to specific locations (5) of the map-loaded modules (8). Coupled to the intermediate location (10) is a monitor module (20) adapted to monitor attempts to replace existing mappings (5) of map-loaded modules (8) with replacement mappings (5). Coupled to the map-loaded modules (8) is a file system monitor module (70) adapted to monitor attempts to insert new map-loaded modules (8) into the computer (1). Coupled to the monitor module (20) and to the file system monitor module (70) is a programmable control module (30) adapted to determine when a change in mapping constitutes a malicious code attack.
    Type: Grant
    Filed: January 14, 2000
    Date of Patent: August 31, 2004
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, David Grawrock
  • Publication number: 20040168070
    Abstract: A kernel mode memory scanning driver for use in safely scanning loaded drivers in the memory of computer systems utilizing Windows® NT based operating systems, such as Windows® 2000, Windows® XP, and other operating systems utilizing the Windows® NT kernel base, for viruses. Prior to scanning the loaded drivers for viruses, the kernel mode memory scanning driver hooks a driver unload function of the operating system, and stalls any calls to the driver unload function to prevent the loaded drivers from being unloaded during scanning. After scanning is complete, any stalled calls to the driver unload function are released. In one embodiment, the kernel mode memory scanning driver is implemented as a Windows® NT 4.0 kernel mode memory scanning driver, and thus can be used on computer systems utilizing Windows® 2000 or Windows® NT without platform specific code.
    Type: Application
    Filed: February 21, 2003
    Publication date: August 26, 2004
    Applicant: Symantec Corporation
    Inventor: Peter Szor
  • Publication number: 20040158545
    Abstract: A system and method are disclosed for providing an expert system. In an embodiment of the present invention, a selected goal is received and a first record obtained. The first record is used to produce a second record, wherein the second record has a record type associated with it. It is then determined whether the record type is directly associated with the selected goal, and the second record is outputted if the record type is directly associated with the selected goal.
    Type: Application
    Filed: February 12, 2003
    Publication date: August 12, 2004
    Applicant: Symantec Corporation
    Inventor: Andre Turgeon
  • Publication number: 20040158729
    Abstract: A method includes hooking a critical operating system function, originating a call to the critical operating system function with a call module of a parent application, stalling the call, determining a location of the call module in memory, and determining whether the location is in an executable area of the memory. Upon a determination that the call module is not in the executable area, the method further includes terminating the call. By terminating the call, execution of a child application that would otherwise allow unauthorized remote access is prevented.
    Type: Application
    Filed: February 6, 2003
    Publication date: August 12, 2004
    Applicant: Symantec Corporation
    Inventor: Peter Szor
  • Publication number: 20040143753
    Abstract: A system and method are disclosed for analyzing security risks in a computer network. The system constructs asset relationships among a plurality of objects in the computer network and receives an event associated with a selected object, where the event has an event risk level. The system also propagates the event to objects related to the selected object if the event risk level exceeds a propagation threshold.
    Type: Application
    Filed: January 21, 2003
    Publication date: July 22, 2004
    Applicant: Symantec Corporation
    Inventors: Brian Hernacki, Jeremy Bennett
  • Patent number: 6763428
    Abstract: A method for performing full optimization of most of the files on a volume in accordance with a composed optimization plan, is performed, including the separation of less frequently accessed files from those whose number or location of clusters is being more frequently modified by user applications. Optimization does not continue indefinitely—it reaches a final state even if a small percentage of its file data is still out of place under the optimization plan and therefore not in the planned part of a plan-defined, Placed Files Area. Each time a Push of out-of-place file data is attempted, or a Pull of file data into a correspondingly planned free space within the Placed Files Area is attempted, a copy of the current volume bitmap is made in order to determine what is the largest free space currently available in the Placed Files Area. Once determined, the size of the largest free space is compared to the size of the largest out-of-place range of corresponding clusters in the Placed Files Area.
    Type: Grant
    Filed: August 2, 2000
    Date of Patent: July 13, 2004
    Assignee: Symantec Corporation
    Inventor: Andrew Cappon
  • Publication number: 20040123117
    Abstract: A method includes detecting a potentially malicious action of a potentially unsafe application on a host computer system; sending an application characteristic of the potentially unsafe application to a server system; and receiving a response from the server system indicating whether the potentially unsafe application is a safe application, an unsafe application or an unknown application. If the potentially unsafe application is an unknown application, the potentially unsafe application is executed in a sandbox on the server system.
    Type: Application
    Filed: December 18, 2002
    Publication date: June 24, 2004
    Applicant: Symantec Corporation
    Inventor: Henry W. Berger
  • Patent number: 6738799
    Abstract: A server generates an update file for transmission to a client that permits the client to generate a copy of a current version of a subscription file from a copy of an earlier version of the subscription file. For each segment of the current version of the subscription file, the server searches an earlier version of a signature list for an old segment signature which matches a new segment signature corresponding to the segment. When a match is detected, the server writes a command in the update file for the client to copy an old segment of the client's copy of the earlier version of the subscription file into the client's copy of the current version of the subscription file, where the old segment corresponds to the segment for which a match was detected.
    Type: Grant
    Filed: June 2, 2003
    Date of Patent: May 18, 2004
    Assignee: Symantec Corporation
    Inventor: Peter Dickenson
  • Publication number: 20040093506
    Abstract: A machine system includes bubble protection for protecting the information of certain classes of files from unauthorized access by way of unauthorized classes of programs at unauthorized periods of time. The machine system additionally may have OTF mechanisms for automatic decryption of confidential file data on a per-use basis and automatic later elimination of the decrypted data by scorching and/or re-encrypting is disclosed. The system can operate within a multi-threaded environment. The machine system additionally may have a digital signature mechanism for protecting file data from unauthorized tampering. The machine system additionally may have a volume-encryption mechanism for protecting plaintext versions of file data from exposure in events of power outages.
    Type: Application
    Filed: August 11, 2003
    Publication date: May 13, 2004
    Applicant: Symantec Corporation
    Inventors: David Grawrock, Kevin Jones
  • Patent number: 6732293
    Abstract: An invention is disclosed for recovering data in computer environment. Initially a record of historic states of a disk is created, wherein the disk includes various disk locations, such as a disk location X, a disk location Y, and a disk location Z. In response to a request to overwrite original data at the disk location X with new data, the new data is stored at the disk location Y. Then, an indication is established in the record of historic states that indicates the roles of disk location X and Y. These roles could establish the role of disk location X as including historic data, and the role of location Y as including new data for location X. In addition, the method includes intercepting a command to release data at the disk location Z, and establishing an indication in the record of historic states indicating the disk location Z stores historic data.
    Type: Grant
    Filed: October 6, 2000
    Date of Patent: May 4, 2004
    Assignee: Symantec Corporation
    Inventor: Eric D. Schneider
  • Patent number: 6710790
    Abstract: A remote application on a remote computer interacts with a host application on a host computer so as to present in a remote application display window of the remote computer display a portion of the host computer screen image which intersects the foreground window of the host computer. In the preferred embodiment, a position of a moveable viewport rectangle is calculated so as to center the image of the host active window within the remote application display window if the active window rectangle's dimensions are less than the moveable viewport rectangle's dimensions; if the moveable viewport rectangle's dimensions are less than the active window rectangle's dimensions, then the new position of the moveable viewport rectangle is calculated so as to left and/or top align the moveable viewport rectangle and the active window rectangle.
    Type: Grant
    Filed: August 13, 1998
    Date of Patent: March 23, 2004
    Assignee: Symantec Corporation
    Inventor: James O. Fagioli
  • Patent number: 6662310
    Abstract: A machine-automated system tries to save vital-data of a crashed or otherwise frozen application program by: (a) identifying the apparently-frozen program; (b) identifying one or more windows within the identified program that are most likely to immediately contain data which the user is likely to consider as vital and in need of saving; and (c) instructing the frozen application program to itself transfer the data of said one or more of said identified windows to a separate, data-saving thread. A profiling database may be constructed for helping to identify the vital data-containing windows of both popular (well known) and obscure application programs. One such profiling database has ID records which define parent/child hierarchy relationships between vital data-containing windows and other windows of various application programs.
    Type: Grant
    Filed: November 10, 1999
    Date of Patent: December 9, 2003
    Assignee: Symantec Corporation
    Inventors: Marco Lopez, Scott C. Elliott
  • Patent number: 6654746
    Abstract: A server computer updates client computers' copies of subscription files stored on a network. The server computer retrieves a database record from a subscription database. The database record includes at least client computer and subscription file information. The server computer checks the subscription file stored on the network for any changes which may have occurred to the file since the previous checking of the subscription file preferably by comparing the last save time stamp to a time stamp on the subscription file stored on the network. If changes have occurred, the server computer creates an update file for the client computer and transmits the update file to the client computer, preferably by electronic mail. Each database record may further contain a check interval indicating the periodicity of the checking of the subscription file for changes. The database record may further contain a time last checked field which is updated each time the subscription file is checked for changes.
    Type: Grant
    Filed: May 3, 1999
    Date of Patent: November 25, 2003
    Assignee: Symantec Corporation
    Inventors: Danny Wong, Leo Stutzmann, Peter Dickinson
  • Patent number: 6651249
    Abstract: A software application (110) is updated to a newer version by means of incremental update patches (122). The incremental update patches (122) each contain that information necessary to transform one version of an application to another version. Any version of an application (110) may be upgraded to any other version of the application, through the use of a series of incremental update patches (122). The appropriate incremental update patches (122) are distributed in a multi-tiered manner, such that some update patches (122) update the application (110) by only one version, and others update the application (110) by several versions.
    Type: Grant
    Filed: December 22, 1999
    Date of Patent: November 18, 2003
    Assignee: Symantec Corporation
    Inventors: Ray Soon Waldin, Carey Nachenberg
  • Patent number: 6647400
    Abstract: A system and method are disclosed for detecting intrusions in a host system on a network. The intrusion detection system comprises an analysis engine configured to use continuations and apply forward- and backward-chaining using rules. Also provided are sensors, which communicate with the analysis engine using a meta-protocol in which the data packet comprises a 4-tuple. A configuration discovery mechanism locates host system files and communicates the locations to the analysis engine. A file processing mechanism matches contents of a deleted file to a directory or filename, and a directory processing mechanism extracts deallocated directory entries from a directory, creating a partial ordering of the entries. A signature checking mechanism computes the signature of a file and compares it to previously computed signatures. A buffer overflow attack detector compares access times of commands and their associated files.
    Type: Grant
    Filed: August 30, 2000
    Date of Patent: November 11, 2003
    Assignee: Symantec Corporation
    Inventor: Douglas B. Moran
  • Publication number: 20030200207
    Abstract: A server computer generates an update file for transmission to a client computer that permits the client computer to generate a copy of a current version of a subscription file from a copy of an earlier version of the subscription file. For each segment of the current version of the subscription file, the server computer searches an earlier version of a signature list for an old segment signature which matches a new segment signature corresponding to the segment. When a match is detected, the server computer writes a command in the update file for the client computer to copy an old segment of the client computer's copy of the earlier version of the subscription file into the client computer's copy of the current version of the subscription file, where the old segment corresponds to the segment for which a match was detected.
    Type: Application
    Filed: June 2, 2003
    Publication date: October 23, 2003
    Applicant: Symantec Corporation
    Inventor: Peter Dickinson
  • Patent number: 6630946
    Abstract: A machine-automated system tries to save vital-data of a crashed or otherwise frozen application program by: (a) attempting to revive a program that has apparently become frozen; (b) identifying the apparently-frozen program; (c) identifying one or more windows within the identified program that are most likely to immediately contain data which the user is likely to consider as vital and in need of saving; (d) sending one or both of a SAVE and a CLOSE command message to each of the identified one or more windows so as to thereby cause that window to itself save its vital data contents and to thereafter gracefully close itself. A profiling database may be constructed for helping to identify the vital data-containing windows of both popular (well known) and obscure application programs. One such profiling database has ID records which define parent/child hierarchy relationships between vital data-containing windows and other windows of various application programs.
    Type: Grant
    Filed: November 10, 1999
    Date of Patent: October 7, 2003
    Assignee: Symantec Corporation
    Inventors: Scott C. Elliott, K. Jeffrey Percy Carr
  • Patent number: 6631480
    Abstract: The present invention is directed toward creating backup copies of previously saved data before it is modified by a crashed computer program executing in a preemptive multitasking operating system environment. The invention is advantageous in that it protects against data loss and corruption caused by operating system calls issued by malfunctioning, crashed computer programs. A method in accordance with the invention comprises the steps of: (a) monitoring operating system calls made by a crashed program; (b) intercepting a selected group of operating system calls made by a crashed program before they are executed by an operating system; (c) logging a subset of the selected group of intercepted operating system calls in a memory; (d) creating backup copies of data potentially modified by a further subset of the selected group of intercepted operating system calls; and (e) passing intercepted operating system calls to an operating system.
    Type: Grant
    Filed: November 10, 1999
    Date of Patent: October 7, 2003
    Assignee: Symantec Corporation
    Inventors: Art Zeigler, Scott Elliott
  • Patent number: 6574657
    Abstract: A server computer generates an update file for transmission to a client computer that permits the client computer to generate a copy of a current version of a subscription file from a copy of an earlier version of the subscription file. For each segment of the current version of the subscription file, the server computer searches an earlier version of a signature list for an old segment signature which matches a new segment signature corresponding to the segment. When a match is detected, the server computer writes a command in the update file for the client computer to copy an old segment of the client computer's copy of the earlier version of the subscription file into the client computer's copy of the current version of the subscription file, where the old segment corresponds to the segment for which a match was detected.
    Type: Grant
    Filed: May 3, 1999
    Date of Patent: June 3, 2003
    Assignee: Symantec Corporation
    Inventor: Peter Dickinson