Patents by Inventor Adrian Marinescu

Adrian Marinescu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7428539
    Abstract: In accordance with an embodiment of this invention, a mechanism for managing a plurality of access requests for a data object is provided. The mechanism includes a lock control identifying whether a requested data object is in use and a waiter control identifying whether at least one of the plurality of access requests has been denied immediate access to the data object and is currently waiting for access to the data object. Additionally, the mechanism maintains a list optimize control identifying whether one of the plurality of access requests is currently optimizing a waiters list of access requests waiting to access the data object.
    Type: Grant
    Filed: June 21, 2004
    Date of Patent: September 23, 2008
    Assignee: Microsoft Corporation
    Inventors: Neill M Clift, Adrian Marinescu
  • Patent number: 7350040
    Abstract: Generally described, embodiments of the present invention provide a system and method for protecting a computer from malicious attacks and buffer overrun (intentional or unintentional). In particular, embodiments of the present invention protect the contents of block headers of data blocks and enable the ability for a memory manager to determine if a portion of a block header has been modified. In accordance with one aspect of the present invention, a method for securing data having a plurality of fields is provided. The method includes grouping the plurality of fields into at least a first group and a second group and generating a first identifier for the first group and a second identifier for the second group. Additionally, the first and second groups are encoded to protect the information contained in the fields of the groups. Still further, the first and second identifiers may also be encoded into the groups.
    Type: Grant
    Filed: March 3, 2005
    Date of Patent: March 25, 2008
    Assignee: Microsoft Corporation
    Inventor: Adrian Marinescu
  • Publication number: 20080010308
    Abstract: A method and computing device for providing concurrent read and write access to a linked list of elements is presented. A linked list is provided wherein read access by a reader process and write access by a writer process may occur substantially concurrently. The linked list includes three internal lists for processes to reference elements of the linked list. The linked list also includes an updated indicator. Read access to the linked list is provided to a reader process such that the reader process accesses elements in the linked list according to a read list of the three internal lists. Write access to the linked list is provided to a writer process such that the writer process accesses elements in the linked list according to a write list of the three internal lists.
    Type: Application
    Filed: October 23, 2006
    Publication date: January 10, 2008
    Applicant: Microsoft Corporation
    Inventors: Tahsin Erdogan, Adrian Marinescu, Dragos C. Sambotin
  • Publication number: 20070136455
    Abstract: The present invention is directed to a method and system for automatically classifying an application into an application group which is previously classified in a knowledge base. More specifically, a runtime behavior of an application is captured as a series of events which are monitored and recorded during the execution of the application. The series of events are analyzed to find a proper application group which shares common runtime behavior patterns with the application. The knowledge base of application groups is previously constructed based on a large number of sample applications. The construction of the knowledge base is done in such a manner that each sample application can be classified into application groups based on a set of classification rules in the knowledge base. The set of classification rules are applied to a new application in order to classify the new application into one of the application groups.
    Type: Application
    Filed: December 8, 2006
    Publication date: June 14, 2007
    Applicant: Microsoft Corporation
    Inventors: Tony Lee, Jigar Mody, Ying Lin, Adrian Marinescu, Alexey Polyakov
  • Publication number: 20070130621
    Abstract: Generally described, a method, software system, and computer-readable medium are provided for preventing malware from colliding on a named object. In accordance with one aspect, a method is provided for creating a private namespace. More specifically, the method includes receiving a request to create a private namespace that contains data for defining the boundary of the private namespace from the current process. Then a determination is made regarding whether a principal associated with the current process has the security attributes that are alleged in the request. In this regard, if the principal that is associated with the current process has the security attributes that are alleged in the request, the method creates a container object to implement the private namespace that is defined by the data received in the request.
    Type: Application
    Filed: December 6, 2005
    Publication date: June 7, 2007
    Applicant: Microsoft Corporation
    Inventors: Adrian Marinescu, Neill Clift
  • Publication number: 20070094669
    Abstract: A technology for exclusively acquiring a shared resource is disclosed. In one method approach, the method determines that a shared resource is available to be exclusively acquired by a first thread. The method also prevents partial execution of operations by a second thread, during operations to exclusively acquire the shared resource by the first thread, which may be accomplished by using an interrupt. The preventing of partial execution of operations by the second thread may be initiated by the first thread. The method embodiment then performs operations to exclusively acquire the shared resource by the first thread.
    Type: Application
    Filed: October 25, 2005
    Publication date: April 26, 2007
    Applicant: Microsoft Corporation
    Inventors: John Rector, Arun Kishan, Neill Clift, Adrian Marinescu
  • Publication number: 20070014295
    Abstract: Sharing access to resources using an inter-process communication (“IPC”) provides a connection in which references to resources may be passed from a sender to a receiver in a trusted third party environment. A sender in possession of a reference to a resource, such as a handle to an object, may initiate the connection with the receiver. In turn, the receiver may accept or refuse the connection, and may further specify the types of resources in which the receiver is interested when accepting through the connection. Sharing access to resources in this manner advantageously ensures that only a process that already has access to a resource is able to share that access with another process, and further that only processes that wish to do so will accept such access.
    Type: Application
    Filed: July 15, 2005
    Publication date: January 18, 2007
    Applicant: Microsoft Corporation
    Inventors: Genevieve Fernandes, Adrian Marinescu, Neill Clift, Robert Earhart, Adnan Ilik
  • Publication number: 20070011687
    Abstract: The number of copies of a message to be transferred from one process to another process in a computer where each process has a differing address space may be reduced through the use of a message-passing data structure. The sending process generates an operating system service call to copy the message to be transferred into the message-passing data structure. The receiving process need not generate a system service request to the kernel in order to retrieve the sent message and also does not require an additional copy of the transferred message to be made by the kernel, in order to read the message content. The data structure permits a mapping of the message into the address space of the receiving process as well as the address space of the kernel. The inter-process mechanism for exchanging messages provides proper flow control, synchronization, and security when two processes exchange data.
    Type: Application
    Filed: July 8, 2005
    Publication date: January 11, 2007
    Applicant: Microsoft Corporation
    Inventors: Adnan Ilik, Adrian Marinescu, Genevieve Fernandes
  • Publication number: 20060288416
    Abstract: The present invention is directed toward a system, method, and a computer-readable medium for efficiently loading data into memory in order to scan the data for malware. The logic provided in the present invention improves the experience of a user when operating a computer protected with antivirus software. One aspect of the present invention is a method that identifies a pattern in which data in a file is loaded into memory from a computer-readable medium. Then the method identifies a pattern in which data in the file may be loaded into memory in a way that minimizes the time required to read data in the file. When a subsequent scan of the file is scheduled to occur, the method causes data in the file to be loaded in memory using the pattern that minimizes the time required to read data in the file.
    Type: Application
    Filed: June 16, 2005
    Publication date: December 21, 2006
    Applicant: Microsoft Corporation
    Inventors: Mihai Costea, Adrian Bivol, Adrian Marinescu, Anil Thomas, Cenk Ergan, David Goebel, George Chicioreanu, Marius Gheorghescu, Michael Fortin
  • Publication number: 20060282461
    Abstract: Object virtualization provides a hierarchy of layers of spaces in which an object is accessible. The hierarchy of layers may include a physical layer containing the physical space in which the object is accessible, and virtual layers containing an arbitrary number of virtual spaces in which an object is accessible. Each virtual space is isolated from one another, so that objects accessible in one virtual space may not necessarily be accessible in another. Interfaces to objects that may be accessible in spaces in the hierarchy of layers facilitate accessing objects in the appropriate space. The appropriate space may be determined from the order of the layers in the hierarchy, alone or in combination with other information about the object and/or the component accessing the object. Accessing the objects in the appropriate space advantageously reduces or eliminates the number of namespace collisions in a computer system.
    Type: Application
    Filed: June 10, 2005
    Publication date: December 14, 2006
    Applicant: Microsoft Corporation
    Inventor: Adrian Marinescu
  • Publication number: 20060272021
    Abstract: The present invention is directed toward a system, method, and computer-readable medium that scan a file for malware that maintains a restrictive access attribute that limits access to the file. In accordance with one aspect of the present invention, a method for performing a scan for malware is provided when antivirus software on a computer encounters a file with a restrictive access attribute that prevents the file from being scanned. More specifically, the method includes identifying the restrictive access attribute that limits access to the file; bypassing the restrictive access attribute to access data in the file; and using a scan engine to scan the data in the file for malware.
    Type: Application
    Filed: May 27, 2005
    Publication date: November 30, 2006
    Applicant: Microsoft Corporation
    Inventors: Adrian Marinescu, George Chicioreanu, Marius Gheorghescu, Scott Field
  • Publication number: 20060259974
    Abstract: The present invention provides a system, method, and computer-readable medium that opportunistically install a software update on a computer that closes a vulnerability that existed on the computer. In accordance with one aspect of the present invention, when antivirus software on a computer identifies malware, a method causes a software update that closes the vulnerability exploited by the malware to be installed on the computer. The method includes identifying the vulnerability exploited by the malware, using a software update system to obtain a software update that is configured to close the vulnerability; and causing the software update to be installed on the computer where the vulnerability exists.
    Type: Application
    Filed: May 16, 2005
    Publication date: November 16, 2006
    Applicant: Microsoft Corporation
    Inventors: Adrian Marinescu, Marc Seinfeld, Matthew Braverman
  • Publication number: 20060242709
    Abstract: In accordance with the present invention, a system, method, and computer-readable medium for identifying malware in a request to a Web service is provided. One aspect of the present invention is a computer-implemented method for protecting a computer that provides a Web service from malware made in a Web request. When a request is received, an on-demand compilation system compiles high-level code associated with the request into binary code that may be executed. However, before the code is executed, antivirus software designed to identify malware scans the binary code for malware. If malware is identified, the antivirus software prevents the binary code associated with the request from being executed.
    Type: Application
    Filed: April 21, 2005
    Publication date: October 26, 2006
    Applicant: Microsoft Corporation
    Inventors: Marc Seinfeld, Adrian Marinescu, Charles Kaufman, Jeffrey Cooperstein, Michael Kramer
  • Patent number: 7127582
    Abstract: The present invention is directed to improving the usage of kernel mode memory in computing environments. The invention is useful in offsetting the effects of abandonment of kernel mode memory objects. Objects in kernel mode memory space are identified and a determination is made whether all references to particular kernel objects are known by examining an object container referring to each kernel object. If all references to a kernel object are known, a determination is made whether the kernel object should be classified as a moveable object. Kernel objects classified as movable are retrievably moved to a new memory location and all references to the kernel object are updated to the new memory location. Retrievably moving kernel objects allows abandoned kernel objects to be readily detected.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: October 24, 2006
    Assignee: Microsoft Corporation
    Inventors: Adrian Marinescu, David B Probert
  • Publication number: 20060224724
    Abstract: In accordance with the present invention, a system, method, and computer-readable medium for identifying malware at a network transit point such as a computer that serves as a gateway to an internal or private network is provided. A network transmission is scanned for malware at a network transit point without introducing additional latency to the transmission of data over the network. In accordance with one aspect of the present invention, a computer-implemented method for identifying malware at a network transit point is provided. More specifically, when a packet in a transmission is received at the network transit point, the packet is immediately forwarded to the target computer. Simultaneously, the packet and other data in the transmission are scanned for malware by an antivirus engine. If malware is identified in the transmission, the target computer is notified that the transmission contains malware.
    Type: Application
    Filed: March 31, 2005
    Publication date: October 5, 2006
    Applicant: Microsoft Corporation
    Inventors: Adrian Marinescu, Marc Seinfeld, Michael Kramer, Yigal Edery
  • Publication number: 20060200677
    Abstract: Generally described, embodiments of the present invention provide a system and method for protecting a computer from malicious attacks and buffer overrun (intentional or unintentional). In particular, embodiments of the present invention protect the contents of block headers of data blocks and enable the ability for a memory manager to determine if a portion of a block header has been modified. In accordance with one aspect of the present invention, a method for securing data having a plurality of fields is provided. The method includes grouping the plurality of fields into at least a first group and a second group and generating a first identifier for the first group and a second identifier for the second group. Additionally, the first and second groups are encoded to protect the information contained in the fields of the groups. Still further, the first and second identifiers may also be encoded into the groups.
    Type: Application
    Filed: March 3, 2005
    Publication date: September 7, 2006
    Applicant: Microsoft Corporation
    Inventor: Adrian Marinescu
  • Publication number: 20060174344
    Abstract: In accordance with this invention, a system, method, and computer-readable medium that selectively scans files stored on a computing device for malware is provided. One aspect of the present invention includes identifying files that need to be scanned for malware when a software update that includes a malware signature is received. More specifically, attributes of the new malware are identified by searching metadata associated with the malware. Then, the method searches a scan cache and determines whether each file with an entry in the scan cache is the type that may be infected by the malware. If a file is the type that may be infected by the malware, the file is scanned for malware when a scanning event such as an I/O request occurs. Conversely, if the file is not the type that may be infected by the malware, the file may be accessed without a scan being performed.
    Type: Application
    Filed: January 31, 2005
    Publication date: August 3, 2006
    Applicant: Microsoft Corporation
    Inventors: Mihai Costea, Adrian Marinescu, Anil Thomas
  • Publication number: 20060161988
    Abstract: The present invention provides a system, method, and computer-readable medium for quarantining a file. Embodiments of the present invention are included in antivirus software that maintains a user interface. From the user interface, a user may issue a command to quarantine a file or the quarantine process may be initiated automatically by the antivirus software after malware is identified. When a file is marked for quarantine, aspects of the present invention encode file data with a function that is reversible. Then a set of metadata is identified that describes attributes of the file including any heightened security features that are used to limit access to the file. The metadata is moved to a quarantine folder, while the encoded file remains at the same location in the file system. As a result, the encoded file maintains the same file attributes as the original, non-quarantined file, including any heightened security features.
    Type: Application
    Filed: January 14, 2005
    Publication date: July 20, 2006
    Applicant: Microsoft Corporation
    Inventors: Mihai Costea, Adrian Marinescu, Anil Thomas, Gheorghe Gheorghescu, Kyle Larsen, Vadim Bluvstein
  • Publication number: 20060137010
    Abstract: A self-healing device is provided in which changes made between the time that an infection resulting from an attack on the device was detected and an earlier point in time to which the device is capable of being restored may be recovered based, at least in part, on what kinds of changes were made, whether the changes were bona fide or malware induced, whether the changes were made after the time that the infection likely occurred, and whether new software was installed.
    Type: Application
    Filed: December 21, 2004
    Publication date: June 22, 2006
    Applicant: Microsoft Corporation
    Inventors: Michael Kramer, Scott Field, Marc Seinfeld, Carl Carter-Schwendler, Paul Luber, Adrian Marinescu
  • Publication number: 20060130141
    Abstract: The present invention provides a system, method, and computer-readable medium for identifying and removing active malware from a computer. Aspects of the present invention are included in a cleaner tool that may be obtained automatically with an update service or may be downloaded manually from a Web site or similar distribution system. The cleaner tool includes a specialized scanning engine that searches a computer for active malware. Since the scanning engine only searches for active malware, the amount of data downloaded and resource requirements of the cleaner tool are less than traditional antivirus software. The scanning engine searches specific locations on a computer, such as data mapped in memory, configuration files, and file metadata for data characteristic of malware. If malware is detected, the cleaner tool removes the malware from the computer.
    Type: Application
    Filed: December 15, 2004
    Publication date: June 15, 2006
    Applicant: Microsoft Corporation
    Inventors: Michael Kramer, Matthew Braverman, Marc Seinfeld, Jason Garms, Adrian Marinescu, George Chicioreanu, Scott Field