Patents Assigned to Trend Micro, Inc.
  • Patent number: 8499170
    Abstract: Hackers and other malicious users are prevented from injecting harmful SQL into a database and from retrieving confidential data. SQL statements formed by an application in response to user input (e.g., user Id and password), are scanned and compared to patterns of SQL commands and data embodied in one or more anti-SQL injection policies. If there is a match, the SQL statement is in violation of the policy. A severity level of the violation may be checked, for example, it may be determined whether the violation is critical or non-critical (normal). Different actions are taken depending on the severity of the violation. If the violation is critical, the SQL statement is dropped and the administrator is notified immediately and a trace of the violation is provided. If the violation is not critical, the data is retrieved and is compared against data in a confidential data registry. If any of the data is found to be confidential, that data is encrypted and then sent to the hacker.
    Type: Grant
    Filed: October 8, 2008
    Date of Patent: July 30, 2013
    Assignee: Trend Micro, Inc.
    Inventors: Li Tongshu, Zheng Jing, Lin Jianzheng
  • Patent number: 8495060
    Abstract: The raw data for a plurality of numerical reports (distributions or histograms) concerning malware infection in a computer network are stored in a data source. The data source is queried to produce any number of reports. Each report's content comes from a distribution of data within a time interval, and a baseline distribution is formed for comparison by the corresponding historical data. The shape change for the distributions is determined by using Kullback-Leibler divergence. The change of volume (i.e., total sample count) for the distributions is determined using the L1 norm ratio. A cutoff threshold is determined for the K-L divergence and the volume ratio threshold is determined for the count change. A measure value for each report is determined by multiplying the shape change by the volume change (modified by raising it to a particular power). The reports are ranked based upon their measure values.
    Type: Grant
    Filed: December 7, 2010
    Date of Patent: July 23, 2013
    Assignee: Trend Micro, Inc.
    Inventor: Hung-Jen Chang
  • Patent number: 8443449
    Abstract: Upon detection of a suspicious file, a client computer sends feedback data to an anti-malware service over the Internet. Files that are not suspicious or that are known clean are not reported; files that are known malware are acted upon immediately without needing to report them to the anti-malware service. Upon detection, no alert or warning is provided to the user of the client computer. The anti-malware service correlates data from other detection engines on the client computer or from other client computers and determines whether the file is malware or not. A new virus pattern is generated if the file is malware and includes the virus signature of the file; the new virus pattern is distributed back to the client computers. If not malware, no action need be taken, or, the virus signature of the file is removed from existing pattern files.
    Type: Grant
    Filed: November 9, 2009
    Date of Patent: May 14, 2013
    Assignee: Trend Micro, Inc.
    Inventors: Chi-Huang Fan, Chang-Hsing Ho, Yi-Hung Cheng, Kun-Wei Lee
  • Patent number: 8392357
    Abstract: A trust network database has any number of nodes, each node representing a user e-mail address. Links between nodes represent whether one user trusts another. Trust (that the recipient is trusted) is established when a sender sends an e-mail message to a recipient. The recipient is effectively placed on the white list for the sender. A legitimate e-mail address creates a strong trust link, otherwise it is weak. A spam count tracks the amount of spam sent by each node. Outgoing e-mail messages are screened to make a determination that the sender trusts the recipient and that information is added to a local or remote trust network. Incoming e-mail messages are first screened to determine that the sender is legitimate. Then, the sender and recipient e-mail addresses are forwarded to the trust network to make a determination as to whether the recipient trusts the sender. A score (based upon number and type of links into or out of a node, the spam count for the node, etc.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: March 5, 2013
    Assignee: Trend Micro, Inc.
    Inventors: Fei Zou, Jianxin Guo
  • Patent number: 8392539
    Abstract: A user is able to save his operating system settings to a web server. The user may then download these known, clean operating system settings over the Internet to the same computer in the future or to a different computer. Or, a user is able to save a known, good restore point to a secure site on the web. If the user suspects that his computer has been compromised by malware, the user downloads this original restore point from over the Internet. The computer is then restored to a known, good state prior to the malware infection. In addition, an entire operating system is present on a USB drive and the user runs his computer from the USB drive. The USB drive is inserted into a publicly-accessible computer. Drivers and network settings from the computer are installed on the USB drive and the operating system on the USB drive then reboots and executes on the computer.
    Type: Grant
    Filed: March 19, 2008
    Date of Patent: March 5, 2013
    Assignee: Trend Micro, Inc.
    Inventors: Shih-Yun Chen, Chun-Chieh Wang, Wei-Chin Chen
  • Patent number: 8375450
    Abstract: A training model for malware detection is developed using common substrings extracted from known malware samples. The probability of each substring occurring within a malware family is determined and a decision tree is constructed using the substrings. An enterprise server receives indications from client machines that a particular file is suspected of being malware. The suspect file is retrieved and the decision tree is walked using the suspect file. A leaf node is reached that identifies a particular common substring, a byte offset within the suspect file at which it is likely that the common substring begins, and a probability distribution that the common substring appears in a number of malware families. A hash value of the common substring is compared (exact or approximate) against the corresponding substring in the suspect file. If positive, a result is returned to the enterprise server indicating the probability that the suspect file is a member of a particular malware family.
    Type: Grant
    Filed: October 5, 2009
    Date of Patent: February 12, 2013
    Assignee: Trend Micro, Inc.
    Inventors: Jonathan James Oliver, Cheng-Lin Hou, Lili Diao, YiFun Liang, Jennifer Rihn
  • Patent number: 8365243
    Abstract: Prevention of sensitive images such as photographs and video clips from being leaked from an organization uses geo-tagging metadata. A mobile computing device includes a software agent that implements a data loss prevention policy and a database of sensitive geographic areas defined by latitude and longitude coordinates. When an image is attempted to be stored on the device (or sent, received, renamed, copied, etc.) a software hook module detects the operation and obtains the geo-tagging metadata from the image for the agent. The agent compares the metadata of the image with each sensitive area found in its database to determine if the image was taken at a location within a sensitive area. If not, the operation is allowed; if so, the operation may be blocked, restricted or a warning may be sent to the user of the device or to another computer within the organization.
    Type: Grant
    Filed: July 14, 2010
    Date of Patent: January 29, 2013
    Assignee: Trend Micro, Inc.
    Inventors: Minggang Lu, Pei Zhang, Jing Li, Wen Zhu
  • Patent number: 8347394
    Abstract: A DNS engine monitors domain name system (DNS) network activity occurring between a user computer and a remote computer server. The engine collects DNS traffic information during a specified time window at the user computer using the monitored DNS network activity. The engine generates a local DNS reputation for the user computer and stores the local DNS reputation on the user computer. When a triggering event is received at the user computer the engine determines that the triggering event is abnormal in comparison to the stored local DNS reputation. An alert is issued to a software product on the user computer. The engine takes an action using a software product upon the alert. The reputation may be a frequency distribution for each accessed domain name and IP address. A triggering event may be an abnormal access to a domain name or IP address, or a mismatch between DNS queries and DNS responses of the user computer.
    Type: Grant
    Filed: July 15, 2009
    Date of Patent: January 1, 2013
    Assignee: Trend Micro, Inc.
    Inventor: Andrew Lee
  • Patent number: 8327446
    Abstract: The invention provides an antivirus network or Internet appliance and methods therefor. A preferred embodiment of the Internet appliance according to the invention comprises an interface connecting the Internet appliance to a terminal, a memory, and a network connection connecting the Internet appliance to a network (such as a wide area network (WAN) or the Internet) wherein data in the network are operable with a corresponding network protocol (such as TCP/IP). Protocol-level programs are stored in the memory for receiving data being transmitted from the network to the terminal through the Internet appliance wherein the protocol-level programs are compatibly operable with the network protocol. Application-level antivirus programs are stored in the memory for detecting computer viruses in the received data serving as a firewall against the detected computer viruses for the terminal.
    Type: Grant
    Filed: May 6, 2002
    Date of Patent: December 4, 2012
    Assignee: Trend Micro Inc.
    Inventors: Jeremy Liang, Jin-Shi Lee, Tsung-Lin Yu
  • Patent number: 8321910
    Abstract: A malware detection system capable of detecting and removing malware from a computer system. The malware detection system determines whether there are files potentially related to a selected malware file using a time-based embodiment based on whether files were installed around the time of the malware. A cache-based embodiment searches an Internet cache to determine the URLs that might be the source of the malware. A location-based embodiment dissects the file system path to determine an application related to the malware. Results are displayed to the user for action.
    Type: Grant
    Filed: January 20, 2006
    Date of Patent: November 27, 2012
    Assignee: Trend Micro, Inc.
    Inventors: Edward D. English, Geoffrey B. Grindrod
  • Patent number: 8316440
    Abstract: Detection for pharming attacks and specifically for changes in name-to-IP resolutions on a computer system using rules is described. The DNS settings and the Hosts file on a computer system are monitored and their modification information is saved as a part of the historical data over time. When an IP address is determined for a host name, various rules are applied to the IP address in connection with the saved historical data, such that each rule produces a score based on various criteria. Different rules may have different weights assigned to their scores. The scores of all the rules are summed up to produce a final score. If the final score is above a predefined value, then there is a suspicious change in the IP address, and an alert is sent. Otherwise, the host name and the IP address are saved as a part of the historical data.
    Type: Grant
    Filed: October 30, 2007
    Date of Patent: November 20, 2012
    Assignee: Trend Micro, Inc.
    Inventors: Sheng-Chi Hsieh, Chao-Yu Chen, Chih-Chia Chen
  • Patent number: 8312270
    Abstract: A plug-in module of a DHCP server enforces a security policy of a computer network. The module receives a request to provide an IP address for an end-user computer. A blacklist database is consulted to determine if the computer is not in compliance with the policy. If not compliant, the module returns to the computer a special IP address, a special default gateway and a lease time; the special IP address places the computer in a restricted network segment of the network where it cannot send network packets to other computers. If compliant, the computer receives an IP address and a lease time. The first time an IP address is requested a probe is triggered to determine if the computer is compliant using software not present on the computer. A cleanup service located in the restricted segment removes malware and updates software. Lease times increase after each successful request of an IP address.
    Type: Grant
    Filed: December 17, 2007
    Date of Patent: November 13, 2012
    Assignee: Trend Micro, Inc.
    Inventors: Tsunsheng Chou, Handong Wu
  • Patent number: 8234496
    Abstract: Unique digital signatures of sensitive or restricted image files are calculated and stored in a database. A hook routine hooks an open or read command when an application opens an image file in order to check for a restricted digital signature of that image file. If present, a digital watermark is added to the image before the application edits that image. A user may then modify the image. A hook routine also hooks a close or write command in order to check for a digital watermark. If present, the digital watermark is removed and a new digital signature for the revised image is calculated. The digital signature for the revised image is then uploaded to a database associated with a DLP server software product, and then pushed periodically down to endpoint DLP client products.
    Type: Grant
    Filed: March 6, 2009
    Date of Patent: July 31, 2012
    Assignee: Trend Micro, Inc.
    Inventors: Changer Ding, John Yang
  • Patent number: 8220054
    Abstract: Generating an exception list by a service provider for use in behavior monitoring programs for malware detection is described. A feedback server controlled by a malware prevention service provider receives client process reports from client devices owned by the service provider's customers and others using the provider's behavior monitoring software. The process reports contain data on processes that were evaluated (on the client device) as being processes that require a significant amount of CPU resources (i.e., above a certain threshold) to monitor and that have previously executed on the client device and were considered safe or non-harmful to the device. The feedback server receives the process reports and creates a statistics summary report, which is used by the service provider in evaluating whether to include the processes in the provider's official exception list which is distributed to its customers for use in their behavior monitoring programs.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: July 10, 2012
    Assignee: Trend Micro, Inc.
    Inventor: Chien Hua Lu
  • Patent number: 8220053
    Abstract: Scanning of the shadow copy instead of the hard disk of a computer (using an accessing interface instead of the file system interface or an API of the operating system) enables the scanning software to access any files that might have been locked by the malware on the hard disk and avoids root kits. Files cannot be locked because a disk parser is used instead of the operating system or normal file system interface. It is possible for malware to change or reinfect files during the scanning and cleaning process. Files on the hard disk in existence at the time a manual scan is begun are scanned and backed up to the cache if changed during scanning. Dropped malware is removed by reverting the hard disk to the shadow copy once scanning and cleaning has been performed. Even if a watchdog drops a file during the scanning and cleaning process (because it detects that other malware components are being affected) these dropped files will be removed.
    Type: Grant
    Filed: June 26, 2008
    Date of Patent: July 10, 2012
    Assignee: Trend Micro, Inc.
    Inventors: Edward Sun, Zhihe Zhang, Xiaodong Huang, Flanker Lu
  • Patent number: 8195953
    Abstract: A method of creating a protected software program operates upon an executable program that has a number of sections. The sections include an entry section and any number of user sections. An ability set for the executable program is defined that describes allowed behaviors of said executable program and behaviors that are not allowed. The ability set is inserted into the executable program as an ability section. A vaccine code section is inserted into the executable program; the vaccine code section is arranged to monitor behaviors of said executable program for comparison with the allowed and not allowed behaviors of the ability section. A hash value is calculated for the executable program; the hash value is stored in the program itself or in another secure location.
    Type: Grant
    Filed: October 25, 2005
    Date of Patent: June 5, 2012
    Assignee: Trend Micro, Inc.
    Inventors: DaJiong Yue, Xiaodong Yuan
  • Patent number: 8180917
    Abstract: An antivirus agent located on a user computer, local area network or standalone hardware device includes a statistical module, a control unit, a timeslot generator and a dispatcher. The statistical module calculates statistics for incoming request packets including the burstiness degree H. A number of normal distributions are predefined. A number of probability sequences are predefined. An input statistic is used to select one of the probability sequences. This probability sequence is used to select a timer value from the distributions. Packets are loaded into a variable-length buffer in the dispatcher to form the timer expires or when the buffer is full. The rate of the output traffic from the dispatcher depends upon a selected distribution value by the timeslot generator and not by any manufactured timing by an attacker. Output traffic frequency is shaped by the dispatcher; packets may go out faster or slower, thus thwarting an attacker who relies upon their own inserted packet timing.
    Type: Grant
    Filed: January 28, 2009
    Date of Patent: May 15, 2012
    Assignee: Trend Micro, Inc.
    Inventors: Wei Yan, Handong Wu
  • Patent number: 8175387
    Abstract: Two images are compared to determine how similar they are. First, a process normalizes each image, then horizontal and vertical byte sequences are derived from each image. A similarity formula is used to obtain a similarity value that represents the similarity between the two images. An approximate pattern matching algorithm is used to determine the error distance between the horizontal byte sequences for the images and to determine the error distance between the vertical byte sequences for the images. The error distances and the length of the byte sequences are used to determine the similarity value. Padding is used to make the aspect ratios the same.
    Type: Grant
    Filed: September 19, 2007
    Date of Patent: May 8, 2012
    Assignee: Trend Micro, Inc.
    Inventors: Sheng-chi Hsieh, Jui-pang Wang
  • Patent number: 8171552
    Abstract: An anti-virus program executes simultaneously with another anti-virus program by accessing a function (target) driver in the driver model directly instead of traversing each filter driver in the driver model as is conventionally done. The filter driver component of the anti-virus program avoids deadlock and infinite execution loops by bypassing filter drivers of other executing anti-virus programs and other filter drivers and going straight to the driver that will be performing the specific function, such as opening a file for scanning. This is done by having the filter driver component of the anti-virus program obtain directly the handle of the function driver that will perform the function needed by the anti-virus program and thereby avoiding the filter drivers of other programs, specifically other anti-virus programs, that can prevent completion of the required function.
    Type: Grant
    Filed: February 14, 2006
    Date of Patent: May 1, 2012
    Assignee: Trend Micro, Inc.
    Inventor: Penner Chang
  • Patent number: 8161552
    Abstract: A white list (or exception list) for a behavior monitoring system for detecting unknown malware on a computing device is maintained automatically without human intervention. A white list contains process IDs and other data relating to processes that are determined to be (or very likely be) free of malware. If a process is on this list, the rule matching operations of a conventional behavior monitor are not performed, thereby saving processing resources on the computing device. When a process start up is detected, the behavior monitor performs a series of checks or tests. If the process has all valid digital signatures and is not launched from a removable storage device (such as a USB key) and is not enabled to make any inbound or outbound connections, it is eligible for being on the white list. The white list is also automatically maintained by removing process IDs for processes that have terminated or which attempt to make a new outbound or inbound connection, such as a TCP/UDP connection.
    Type: Grant
    Filed: September 23, 2009
    Date of Patent: April 17, 2012
    Assignee: Trend Micro, Inc.
    Inventors: Chih Yao Sun, Yi Lu, Dibin Tang, Ruifeng Yang, Peng Shu, Rong Yang