Abstract: An integrated secured open database connectivity (ODBC) application programming interface (API) arrangement is provided. The arrangement includes a driver manager, which is configured for at least handling a function call from an application program. The arrangement also includes a set of drivers, which is configured for at least accessing a data source and applying the function call to the data source. The arrangement further includes a security module, which is configured for performing at least one of scanning the function call for malicious content and preventing an unauthorized user from accessing the data source.

Abstract: A data access policy is configured and stored on a computing device, including a list of secure gateway IP addresses and optionally secure geographic regions. A time parameter defines how long a digital file will remain not in use before deletion and a degree parameter defines how fast the file will be deleted. Once a digital file is downloaded to the computing device the device is checked periodically to determine whether or not it is in a secure location. If not in a secure location then a data deletion process is initiated which begins by checking whether or not the digital file is currently being used on the computing device. If the file is being used, then no deletion is performed. If the file is not in use (or has not been used after a certain amount of time) then the file is deleted. The file may be deleted gradually.

Abstract: Any number of mobile devices each execute an application allowing them to subscribe to a group. Alternatively, the devices subscribe at a Web server. A percentage of the group and a distance threshold from a target device are defined. Each device sends its GPS data to a Web server or to one of the designated mobile devices. Alternatively, the target device calculates its distance to the other devices using wireless signals. The designated device or the Web server calculates the distance from the target device to the other devices. If the distance is over the threshold then an alert is generated and sent from the Web server to designated recipients, or sent from the designated device to the recipients. Distance from the target device to the group members may be calculated based upon a majority, a percentage of the group, or a special cluster of the group.

Abstract: A Web browser or operating system of a computer maintains a historical URL list of Web sites and Web pages that have been accessed in the past. When a prescan module of antivirus software performs an initial prescan of a computer before the antivirus software is installed, it queries this historical URL list to obtain the URLs that have been accessed in the past. These URLs are sent to a URL online query service located remotely over the Internet in order to determine the status of any of these URLs. Each URL is attempted to be matched with a database of known malicious URLs including associated malicious files and associated cleanup patterns. The query service then informs the requesting computer of the status of a particular URL sent, sending back any related malicious files and any appropriate cleanup pattern. A time period associated with each URL in the database indicates when it is known that the URL was malicious.

Abstract: A server access log includes data records each describing a previous query regarding a suspect computer file of a client computer. Each record includes the CRC code for the suspect computer file, the result of the malware analysis performed on the backend server and other attributes and values. The log is analyzed to retrieve relevant attributes and values from each record. Key attributes and values are generated such as region and continuous query. All CRC codes are grouped according to attribute values. Each group is analyzed to determine the network traffic associated with downloading the entire group to all user computers and the network traffic associated with not downloading the group but responding to future malware queries regarding CRC codes in the group. CRC codes are removed from each group if necessary. CRC code-result pairs for each group are downloaded to all user computers as a pre-fetch cache.

Abstract: A dummy debugger program is installed within the user computer system. The dummy program is registered with the operating system as a debugger and may also be registered as a system service as if it is a kernel mode debugger. The dummy debugger program may have the name of a popular debugging program. Dummy registry keys are created that are typically used by a debugger to make it appear as if a debugger is present within the operating system of the user computer. Dummy program folders or dummy program names are created to make it appear as if a debugger is present within the operating system of the user computer. API calls are intercepted by using API hooks and modified to always return a meaningful value indicating that a debugger is present. Malware performing any checks to see if a debugger is present will be informed that a debugger is present and will then shutdown, sleep, terminate, etc.

Abstract: A computing device is capable of automatically detecting malware execution and cleaning the effects of malware execution using a malware repair module that is customized to the operating features and characteristics of the computing device. The computing device has software modules, hardware components, and network interfaces for accessing remote sources which, collectively, enable the device to restore itself after malware has executed on it. These modules, components, and interfaces may also enable the apparatus to delete the malware, if not entirely, at least partially so that it can no longer execute and cause further harm. The malware repair module is created from a detailed malware behavior data set retrieved from a remote malware behavior database and then modified to take into account specific operating features of the computing device. The repair module executes on a repair module execution engine and the effects of the malware on the device are minimized.

Abstract: A virtualization platform includes a number of virtual machines, one of which is configured as a driver domain and includes the network service control for routing network traffic between the other virtual machines. The privileged domain does not include the network service control. The network service control includes network backend interfaces and a virtual switch or bridge. The driver domain includes a PCI driver for direct communication with a network interface card. The driver domain includes hooking software and an inspection agent. Packets passing between the other virtual machines pass through the driver domain, are hooked, and are inspected by inspection agent to determine if they are malicious or not. Malicious packets are blocked. The driver domain may also utilize a PCI driver of the privileged domain for access to the network interface card. Platforms with or without pass-through mode may be used.

Abstract: Building a kernel hook module (KHM) on a build machine in an automated manner uses a script file to control the process. A user requests a KHM for a particular Linux kernel of a Linux distribution. The build machine is rebooted if necessary to run the target Linux distribution. Kernel source files for the Linux distribution are loaded and installed on the build machine. Various parameters are set and source code representing the functionality of the KHM (or that of a related software product) are loaded onto the build machine. The KHM is then built automatically under direction of the script file. A control machine receives the user request for a particular KHM over the Internet and directs operation of the build machine. A test machine tests the KHM once built. The KHM works in conjunction with anti-virus software or other software.

Abstract: Collected information is analyzed by the mobile device to determine whether the device is displaced from the owner. The mobile device monitors and detects a reduction of ambient light to automatically enter into protection mode without manual activation. If an increase of ambient light and movement of the mobile device are both detected, then the device enters into authentication mode. Various techniques to verify the user's identity may be implemented in authentication mode. The user must correctly match an input key code, button combination, or an image recognition photograph against the stored information according to the method of verification chosen in each respective process. An alarm is activated if the device determines authentication is not received but may be disabled when the user's identity is verified after another authentication attempt.

Abstract: Providing malware-free web content to a user is disclosed. The web content is any type of web content that may potentially be infected by any type of malware. Upon receiving a request for a piece of web content from the user, the requested piece of web content is obtained from the appropriate source, and a dynamic template for the piece of web content is retrieved. The dynamic template indicates whether the requested piece of web content includes any malware and what actions are to be performed if any malware is included in the piece of web content. The requested piece of web content is cleaned up by performing the actions indicated in the dynamic template. Thereafter, the piece of web content is provided to the user. The dynamic template is updated from time to time based on the currently available information regarding the piece of web content.

Abstract: A Web site uses a behavior monitor that operates as a gatekeeper for a browser. The attack injects Web content with malicious executable code that executes on an end user device when the code executes in a browser on the device. A message is received at the monitor from a browser for retrieving Web content; the browser executes on a computing device having sensitive information. The Web content is retrieved from a target Web server and analyzed for XSS. If found, the destination to which some or all of the sensitive information will be sent if the XSS executes is determined. A message is displayed in the browser regarding whether the Web content that was requested should be viewed in the browser. In this manner, execution of the XSS in the browser is prevented. The analyzing and determining steps are performed before the Web content is received by the browser.

Abstract: Detection and prevention of botnet behavior is accomplished by monitoring access request in a network. Each request includes a domain of content to access and a path of content to access, and each path includes a file name and query string. Once obtained, the query strings for each of these requests are normalized. A signature is then created for each of the normalized query strings. The obtained requests can then be grouped by signature. Once the requests have been grouped by signature, each grouping is examined to identify suspicious signatures based on common botnet behavior. Suspicious requests are used in back-end and front-end defenses against botnets.

Abstract: Daily query counts for e-mail messages sent from a number of IP addresses having unknown reputations are collected and logged, and optionally plotted. The logged query count data may optionally be normalized. The normalized query count data may also be plotted. The normalized data is divided into regions (numerically or graphically). Next, the divided regions are tagged (symbolically or graphically) with unique, symbolic identifiers such as letters, numbers, symbols or colors. Patterns for each unknown IP address are formed based upon the tagged regions. Common good and bad patterns are also identified for known good and bad IP addresses. The reputation of these unknown IP addresses are then predicted using these identified good and bad patterns using a suffix tree (for example). Finally, an output identifying the determined reputations of these unknown IP addresses is generated and output.

Abstract: A Web site reputation service automatically redirects a browsing request for analysis by a rating server. On the browsing request, a proxy autoconfiguration (PAC) file is downloaded from a PAC server to a Web browser of a user computer. The function of the PAC file is executed, sending a request to a rating server along with a host name of a target Web site. The function does not immediately return a proxy server, but first requests a rating of the Web site. A rating result associated with the Web site is produced by the rating server. The rating server returns the rating result and the function returns an address of a proxy server to the Web browser based upon the rating result. A user can enable the Web Proxy Autodiscovery Protocol to use the service. Access control may be implemented by applying an HTTP authentication mechanism on the Web server that hosts the PAC file.

Abstract: A password management service located either on a user computer or in the cloud intercepts a user's attempt to create an account on a Web site. The user enters a sequence of a physical key combination and the service assigns a particular keyboard layout for this Web site. The service generates a password by combining the key combination with the assigned keyboard layout and returns this password to the user or to the Web site. The service stores the name of the Web site in association with the designated keyboard layout. Upon a subsequent login attempt, the service again intercepts the user's typing of the same physical key combination, generates the same password by combining the key combination with the previously assigned and stored keyboard layout, and returns the generated password to the Web site for authentication. A keyboard layout for a site may be chosen by the user, may be selected by the service, or a random layout may be generated.

Abstract: Applications running in an API-proxy-based emulator are prevented from infecting a PC's hard disk when executing file I/O commands. Such commands are redirected to an I/O redirection engine instead of going directly to the PC's normal operating system where it can potentially harm files in on the hard disk. The redirection engine executes the file I/O command using a private storage area in the hard disk that is not accessible by the PC's normal operating system. If a file that is the subject of a file I/O command from an emulated application is not in the private storage area, a copy is made from the original that is presumed to exist in the public storage area. This copy is then acted on by the command and is stored in the private storage area, which can be described as a controlled, quarantined storage space on the hard disk. In this manner the PC's (or any computing device's) hard disk is defended from potential malware that may originate from applications running in emulated environments.

Abstract: Detection of malicious URLs in a Web page retrieved by a computer user is based in a backend security service or upon the user's computer. The HTML code download by the user is first scanned to detect any embedded links such as URLs found in frames or scripts. Features related to the layout of such a URL (position, visibility) are identified. Features related to the referring nature of the URL (page rank of parent, page rank of child) are identified. Features indicating the relevancy between the content of the parent Web page and the content of the Web page identified by the embedded URL identified. Each set of features is transformed into a binary vector and these vectors are fed into a decision engine such as a classifier algorithm. The classifier algorithm outputs a score indicating whether or not the suspect URL (and the Web page to which it links) is malicious or not. The user may be warned by a display message.

Abstract: A file policy is created for each confidential file in a server computer including a list of events and a corresponding action. The file policies for the confidential files are sent to each client computer in the computer network. A software agent on each client computer detects when an activity occurs that affects one of the confidential files having a file policy. The activity is reported to the server computer and, if the activity matches an event in the policy, the corresponding action is taken. Events include: copying a file, printing, accessing, sending via e-mail, renaming, etc. Actions include: alerting an administrator, temporary blocking the activity or preventing the activity. If the activity is temporarily blocked from occurring, the agent queries the user as to whether the user wishes to request approval, and forwards that requests on to the server computer.

Abstract: A monitor agent monitors every write request for files that are capable of being patched (executable files). Once a write request is requested for one of these files, the agent creates a copy of the file and also saves the original file version number. If the program that is requesting the write access has not been digitally signed then that program is flagged as being suspicious. The write request is allowed to proceed and the file is modified by the requesting program. After the modification, if the file version number is not higher then the write is flagged as being suspicious. If both the requesting program has been flagged as suspicious and the file version number has been flagged as suspicious, then the requesting program is labeled as being malware. The monitor agent restores the modified file using the original copy. If either the requesting program is flagged as suspicious or the file version number is flagged as suspicious, then the requesting program is labeled as being suspicious.