Abstract: The present invention provides a network and data security testing app for mobile devices such as an Apple iPad, which is connected to the Internet via a wireless network. The app downloads and stores one or more network security or data loss test cases from a centralized server, which are then executed on the mobile device. For example, a test case attempts to access predetermined web pages through the wireless network and then determines whether access was granted. In another example, a test case attempts to transmit sensitive data through the network. Results of the test case are displayed on the mobile device and uploaded to the centralized server. The network and data security testing app also identifies whether access was granted to web pages hosting botnets, malicious web exploits, malicious web obfuscation, malicious iframe redirection, and malware files.

Abstract: A system and method for updating a system that controls files executed on a workstation. The workstation includes a workstation management module configured to detect the launch of an application. A workstation application server receives data associated with the application from the workstation. This data can include a hash value. The application server module can determine one or more categories to associate with the application by referencing an application inventory database or requesting the category from an application database factory. The application database factory can receive applications from multiple application server modules. The application database factory determines whether the application was previously categorized by the application database factory and provides the category to the application server module. Once the application server module has the category, it forwards a hash/policy table to the workstation management module.

Abstract: A system and method for updating, monitoring, and controlling applications on a workstation. The workstation includes a workstation management module configured to detect the launch or request to access a network by an application. A workstation application server receives data associated with the application from the workstation. The application server module can determine one or more policies or categories to associate with the application by referencing an application inventory database. Once the application server module has the category or policy, it forwards a hash/policy table to the workstation management module. Upon receipt of the hash/policy table, the workstation management module applies the policy that is associated with the application to control network access by the application.

Abstract: Methods and apparatus provide data loss protection for mobile devices. In one aspect, data is analyzed by a data loss protection server to determine if it is authorized by data loss protection policies to be transferred to a mobile device. The time necessary to analyze the data may exceed a mobile device timeout value. To prevent the mobile device from timing out, the DLP server may send one or more portions of a response to the mobile device at a time interval less than the mobile device timeout value. Some portions of the response may be sent before the analyzing of the data is completed.

Abstract: A system and method that trusts software executables existent on a machine prior to activation for different types of accesses e.g. execution, network, and registry. The system detects new executables added to the machine as well as previously existent executables that have been modified, moved, renamed or deleted. In certain embodiments, the system will tag the file with a flag as modified or newly added. Once tagged, the system intercepts particular types of file accesses for execution, network or registry. The system determines if the file performing the access is flagged and may apply one or more policies based on the requested access. In certain embodiments, the system intercepts I/O operations by file systems or file system volumes and flags metadata associated with the file. For example, the NT File System and its extended attributes and alternate streams may be utilized to implement the system.

Abstract: A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent configured to generate a bait and is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information or it may just contain artificial sensitive information. Parameters may be inserted into the bait such as the identity of the electronic device that the bait is installed upon. The output of the electronic device is monitored and analyzed for attempts of transmitting the bait. The output is analyzed by correlating the output with the bait and can be done by comparing information about the bait with the traffic over a computer network in order to decide about the existence and the location of unwanted software.

Abstract: The disclosed embodiments provide systems, methods, and apparatus for efficient detection of fingerprinted content and relate generally to the field of information (or data) leak prevention. Particularly, a compact and efficient repository of fingerprint ingredients is used to analyze content and determine the content's similarity to previously fingerprinted content. Some embodiments employ probabilistic indications regarding the existence of fingerprint ingredients in the repository.

Abstract: Methods and apparatus provide resource authorization based on a computer's presence information. Presence information may include information relating to a computer's operating environment. In some implementations, a presence detector on a computer determines presence information and provides the information to a resource manager. The computer may then generate a resource access request. A resource manager may then determine whether the resource request is authorized based, at least in part, on the presence information. The resource manager then responds to the resource access request, either granting or denying the request for resources.

Abstract: A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent configured to generate a bait and is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information or it may just contain artificial sensitive information. Parameters may be inserted into the bait such as the identity of the electronic device that the bait is installed upon. The output of the electronic device is monitored and analyzed for attempts of transmitting the bait. The output is analyzed by correlating the output with the bait and can be done by comparing information about the bait with the traffic over a computer network in order to decide about the existence and the location of unwanted software.

Abstract: A system and computer based method are provided for identifying active content in websites on a network. One embodiment includes a computer based method of classifying web content. The method receives content of a web page, and determines a first property associated with the content, the first property including static content. The method executes active content associated with the webpage, and determines a second property associated with the content based at least in part on the executing, the second property including the active content. The method also evaluates a logical expression relating the first property and the second property, and associates the web page with a category based on a result of the evaluation. The evaluation of the logical expression at least in part evaluates whether a constant value matches at least a portion of the content of the web page.

Abstract: A system and method are provided for identifying inappropriate content in websites on a network. Unrecognized uniform resource locators (URLs) or other web content are accessed by workstations and are identified as possibly having malicious content. The URLs or web content may be preprocessed within a gateway server module or some other software module to collect additional information related to the URLs. The URLs may be scanned for known attack signatures, and if any are found, they may be tagged as candidate URLs in need of further analysis by a classification module.

Abstract: Methods and systems reduce exposure to a dictionary attack while verifying whether data transmitted over a computer network is a password. In one aspect, a method includes performing a search of network traffic based, at least in part, on a weak validation using a Bloom filter based on an organizational password file, determining the existence of a password in the network traffic based only on the weak validation, and determining whether to block, alert, or quarantine the network traffic based at least in part on the existence of the password in the network traffic.

Abstract: A system and method that trusts software executables existent on a machine prior to activation for different types of accesses e.g. execution, network, and registry. The system detects new executables added to the machine as well as previously existent executables that have been modified, moved, renamed or deleted. In certain embodiments, the system will tag the file with a flag as modified or newly added. Once tagged, the system intercepts particular types of file accesses for execution, network or registry. The system determines if the file performing the access is flagged and may apply one or more policies based on the requested access. In certain embodiments, the system intercepts I/O operations by file systems or file system volumes and flags metadata associated with the file. For example, the NT File System and its extended attributes and alternate streams may be utilized to implement the system.

Abstract: The present invention provides a network and data security testing app for mobile devices such as an Apple iPad, which is connected to the Internet via a wireless network. The app downloads and stores one or more network security or data loss test cases from a centralized server, which are then executed on the mobile device. For example, a test case attempts to access predetermined web pages through the wireless network and then determines whether access was granted. In another example, a test case attempts to transmit sensitive data through the network. Results of the test case are displayed on the mobile device and uploaded to the centralized server. The network and data security testing app also identifies whether access was granted to web pages hosting botnets, malicious web exploits, malicious web obfuscation, malicious iframe redirection, and malware files.

Abstract: Systems and methods for adding context to prevent data leakage over a computer network are disclosed. Data is classified and contextual information of the data is determined. A transmission policy is determined in response to the classification and contextual information. The data is either transmitted or blocked in response to the classification and the contextual information.

Abstract: A system and method for updating a filtering system which controls access to a website/page between a local area network (LAN) and an Internet. The LAN includes an Internet gateway system coupled to a workstation and configured to receive a URL request. The system controls access to the website/page associated with the URL based on one or more categories that are associated with the URL. The Internet gateway system can determine the category that is associated with the URL by referencing a master database or requesting the category from a database factory. The database factory can receive URLs from multiple Internet gateway systems. The database factory determines whether the identifier was previously categorized by the database factory and provides the category to the Internet gateway system. Once the Internet gateway system has the category, it applies rules associated with the category and user to filter access to the requested website/page.

Abstract: Methods and apparatus provide resource authorization based on a computer's presence information. Presence information may include information relating to a computer's operating environment. In some implementations, a presence detector on a computer determines presence information and provides the information to a resource manager. The computer may then generate a resource access request. A resource manager may then determine whether the resource request is authorized based, at least in part, on the presence information. The resource manager then responds to the resource access request, either granting or denying the request for resources.

Abstract: A system and method for updating a filtering system which controls access to a website/page between a local area network (LAN) and an Internet. The LAN includes an Internet gateway system coupled to a workstation and configured to receive a URL request. The system controls access to the website/page associated with the URL based on one or more categories that are associated with the URL. The Internet gateway system can determine the category that is associated with the URL by referencing a master database or requesting the category from a database factory. The database factory can receive URLs from multiple Internet gateway systems. The database factory determines whether the identifier was previously categorized by the database factory and provides the category to the Internet gateway system. Once the Internet gateway system has the category, it applies rules associated with the category and user to filter access to the requested website/page.

Abstract: A system and method for updating, monitoring, and controlling applications on a workstation. The workstation includes a workstation management module configured to detect the launch or request to access a network by an application. A workstation application server receives data associated with the application from the workstation. The application server module can determine one or more policies or categories to associate with the application by referencing an application inventory database. Once the application server module has the category or policy, it forwards a hash/policy table to the workstation management module. Upon receipt of the hash/policy table, the workstation management module applies the policy that is associated with the application to control network access by the application.

Abstract: Methods and apparatus provide data loss protection for mobile devices. In one aspect, data is analyzed by a data loss protection server to determine if it is authorized by data loss protection policies to be transferred to a mobile device. The time necessary to analyze the data may exceed a mobile device timeout value. To prevent the mobile device from timing out, the DLP server may send one or more portions of a response to the mobile device at a time interval less than the mobile device timeout value. Some portions of the response may be sent before the analyzing of the data is completed.