Patents by Inventor Adrian Marinescu

Adrian Marinescu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20060123244
    Abstract: The present invention includes a system and method for translating potential malware devices into safe program code. The potential malware is translated from any one of a number of different types of source languages, including, but not limited to, native CPU program code, platform independent .NET byte code, scripting program code, and the like. Then the translated program code is compiled into program code that may be understood and executed by the native CPU. Before and/or during execution, the present invention causes a scanner to search for potential malware stored in memory. If malware is not detected, the computing device causes the CPU to execute the translated program code. However, execution and/or analysis of potential malware may be interrupted if computer memory that stores potential malware is altered during execution. In this instance, the potential malware now stored in memory is translated into safe program code before being executed.
    Type: Application
    Filed: December 6, 2004
    Publication date: June 8, 2006
    Applicant: Microsoft Corporation
    Inventors: Gheorghe Gheorghescu, Adrian Marinescu, Adrian Stepan
  • Publication number: 20060101282
    Abstract: In accordance with this invention, a system, method, and computer-readable medium that aggregates the knowledge base of a plurality of antivirus software applications are provided. User mode applications, such as antivirus software applications, gain access to file system operations through a common information model, which obviates the need for antivirus software vendors to create kernel mode filters. When file system operations are available to antivirus software applications, the present invention may cause each antivirus software application installed on a computing device to perform a scan to determine if the data is malware.
    Type: Application
    Filed: November 8, 2004
    Publication date: May 11, 2006
    Applicant: Microsoft Corporation
    Inventors: Mihai Costea, David Goebel, Adrian Marinescu, Anil Thomas
  • Publication number: 20060101264
    Abstract: In accordance with this invention, a system, method, and computer-readable medium that aggregates the knowledge base of a plurality of antivirus software applications are provided. User mode applications, such as antivirus software applications, gain access to file system operations through a common information model, which obviates the need for antivirus software vendors to create kernel mode filters. When file system operations are available to antivirus software applications, the present invention may cause each antivirus software application installed on a computing device to perform a scan to determine if the data is malware.
    Type: Application
    Filed: November 8, 2004
    Publication date: May 11, 2006
    Applicant: Microsoft Corporation
    Inventors: Mihai Costea, David Goebel, Adrian Marinescu, Anil Thomas
  • Publication number: 20060101263
    Abstract: In accordance with this invention, a system, method, and computer-readable medium that aggregates the knowledge base of a plurality of antivirus software applications are provided. User mode applications, such as antivirus software applications, gain access to file system operations through a common information model, which obviates the need for antivirus software vendors to create kernel mode filters. When file system operations are available to antivirus software applications, the present invention may cause each antivirus software application installed on a computing device to perform a scan to determine if the data is malware.
    Type: Application
    Filed: November 8, 2004
    Publication date: May 11, 2006
    Applicant: Microsoft Corporation
    Inventors: Mihai Costea, David Goebel, Adrian Marinescu, Anil Thomas
  • Publication number: 20060004760
    Abstract: In accordance with an embodiment of this invention, a mechanism for managing a plurality of access requests for a data object is provided. The mechanism includes a lock control identifying whether a requested data object is in use and a waiter control identifying whether at least one of the plurality of access requests has been denied immediate access to the data object and is currently waiting for access to the data object. Additionally, the mechanism maintains a list optimize control identifying whether one of the plurality of access requests is currently optimizing a waiters list of access requests waiting to access the data object.
    Type: Application
    Filed: June 21, 2004
    Publication date: January 5, 2006
    Applicant: Microsoft Corporation
    Inventors: Neill Clift, Adrian Marinescu
  • Publication number: 20050251637
    Abstract: The present invention is directed to improving the usage of kernel mode memory in computing environments. The invention is useful in offsetting the effects of abandonment of kernel mode memory objects. Objects in kernel mode memory space are identified and a determination is made whether all references to particular kernel objects are known by examining an object container referring to each kernel object. If all references to a kernel object are known, a determination is made whether the kernel object should be classified as a moveable object. Kernel objects classified as movable are retrievably moved to a new memory location and all references to the kernel object are updated to the new memory location. Retrievably moving kernel objects allows abandoned kernel objects to be readily detected.
    Type: Application
    Filed: June 28, 2005
    Publication date: November 10, 2005
    Applicant: Microsoft Corporation
    Inventors: Adrian Marinescu, David Probert
  • Patent number: 6963960
    Abstract: The present invention is directed to improving the usage of kernel mode memory in computing environments. The invention is useful in offsetting the effects of abandonment of kernel mode memory objects. Objects in kernel mode memory space are identified and a determination is made whether all references to particular kernel objects are known by examining an object container referring to each kernel object. If all references to a kernel object are known, a determination is made whether the kernel object should be classified as a moveable object. Kernel objects classified as movable are retrievably moved to a new memory location and all references to the kernel object are updated to the new memory location. Retrievably moving kernel objects allows abandoned kernel objects to be readily detected.
    Type: Grant
    Filed: March 25, 2003
    Date of Patent: November 8, 2005
    Assignee: Microsoft Corporation
    Inventors: Adrian Marinescu, David B. Probert
  • Publication number: 20050188272
    Abstract: A malware detection system that determines whether an executable code module is malware according to behaviors exhibited while executing is presented. The malware detection system determines the type of code module and executes the code module in a behavior evaluation module for evaluating code corresponding to the code module's type. Some behaviors exhibited by the code module, while executing in the behavior evaluation module, are recorded as the code module's behavior signature. After the code module has completed its execution, the code module's behavior signature is compared against known malware behavior signatures stored in a malware behavior signature store. A determination as to whether the code module is malware is based on the results of the comparison.
    Type: Application
    Filed: January 30, 2004
    Publication date: August 25, 2005
    Inventors: Daniel Bodorin, Adrian Marinescu
  • Publication number: 20050187740
    Abstract: A system, method, and computer readable medium for the proactive detection of malware in operating systems that receive application programming interface (API) calls is provided. A virtual operating environment for simulating the execution of programs and determining if the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely affected. During simulation, a behavior signature is generated based on the API calls issued by potential malware. The behavior signature is suitable for analysis to determine whether the simulated executable is malware.
    Type: Application
    Filed: February 20, 2004
    Publication date: August 25, 2005
    Inventor: Adrian Marinescu
  • Publication number: 20050172338
    Abstract: A malware detection system and method for determining whether an executable script is malware is presented. The malware detection system determines whether the executable script is malware by comparing the functional contents of the executable script to the functional contents of known malware. In practice, the executable script is obtained. The executable script is normalized, thereby generating a script signature corresponding to the functionality of the executable script. The script signature is compared to known malware script signatures in a malware signature store to determine whether the executable script is malware. If a complete match is made, the executable script is considered to be malware. If a partial match is made, the executable script is considered to likely be malware. The malware detection system may perform two normalizations, each normalization generating a script signature which is compared to similarly normalized known malware script signatures in the malware signature store.
    Type: Application
    Filed: January 30, 2004
    Publication date: August 4, 2005
    Inventors: Catalin Sandu, Adrian Marinescu
  • Publication number: 20050172115
    Abstract: A system and method for gathering exhibited behaviors of a .NET executable module in a secure manner is presented. In operation, a .NET behavior evaluation module presents a virtual .NET environment to a Microsoft Corporation .NET code module. The .NET behavior evaluation module implements a sufficient number of aspects of an actual Microsoft Corporation .NET environment that a .NET code module can execute. As the .NET code module executes, the .NET behavior evaluation module records some of the exhibited behaviors, i.e., .NET system supplied libraries/subroutines, that are associated with known malware. The recorded behaviors are placed in a behavior signature for an external determination as to whether the .NET code module is malware, i.e., an unwanted computer attack.
    Type: Application
    Filed: January 30, 2004
    Publication date: August 4, 2005
    Inventors: Daniel Bodorin, Adrian Marinescu
  • Publication number: 20050172337
    Abstract: A system and method for determining whether a packed executable is malware is presented. In operation, a malware evaluator intercepts incoming data directed to a computer. The malware evaluator evaluates the incoming data to determine whether the incoming data is a packed executable. If the incoming data is a packed executable, the malware evaluator passes the packed executable to an unpacking module. The unpacking module includes a set of unpacker modules for unpacking a packed executable of a particular type. The unpacking module selects an unpacker module according to the type of the packed executable, and executes the selected unpacker module. Executing the unpacker module generates an unpacked executable corresponding to the packed executable. The unpacked executable is returned to the malware evaluator where it is evaluated to determine whether the packed executable is malware.
    Type: Application
    Filed: January 30, 2004
    Publication date: August 4, 2005
    Inventors: Daniel Bodorin, Adrian Marinescu
  • Publication number: 20040193819
    Abstract: The present invention is directed to improving the usage of kernel mode memory in computing environments. The invention is useful in offsetting the effects of abandonment of kernel mode memory objects. Objects in kernel mode memory space are identified and a determination is made whether all references to particular kernel objects are known by examining an object container referring to each kernel object. If all references to a kernel object are known, a determination is made whether the kernel object should be classified as a moveable object. Kernel objects classified as movable are retrievably moved to a new memory location and all references to the kernel object are updated to the new memory location. Retrievably moving kernel objects allows abandoned kernel objects to be readily detected.
    Type: Application
    Filed: March 25, 2003
    Publication date: September 30, 2004
    Applicant: Microsoft Corporation
    Inventors: Adrian Marinescu, David B. Probert
  • Publication number: 20040107416
    Abstract: A system and method for automatically updating software components on a running computer system without requiring any interruption of service. A software module is hotpatched by loading a patch into memory and modifying an instruction in the original module to jump to the patch. A coldpatching technique places a coldpatch version of the module on disk for subsequent loading by processes, after hotpatching occurred. The coldpatch has the entry points to its functions at the same relative locations within the module as the hotpatch, which facilitates subsequent hotpatching. A hotpatch and coldpatch are automatically generated by deriving differences between changed and original binary files, and establishing the point to insert the jump. Validation is performed to ensure that the hotpatch is applied to the correct version, and that the coldpatch is replacing the correct version. Version management is also provided to control the number of patches via support rules.
    Type: Application
    Filed: December 2, 2002
    Publication date: June 3, 2004
    Applicant: Microsoft Corporation
    Inventors: Garret J. Buban, Paul V. Donlan, Adrian Marinescu, Thomas D. McGuire, David B. Probert, Hoi H. Vo, Zheng Wang