Abstract: Detecting heap spraying on a computer by detecting a plurality of requests to allocate portions of heap memory, measuring the plurality of requests to determine a value of a characteristic of the plurality of requests, identifying an activity consistent with heap spraying by determining that the value of the characteristic is consistent with a benchmark value of the characteristic, wherein the benchmark value of the characteristic is associated with heap spraying, and performing a computer-security-related remediation action responsive to determining that the value of the characteristic is consistent with the benchmark value of the characteristic.

Abstract: A process for identifying potentially harmful malware, comprises the steps of: a) identifying an executable that is about to run; b) providing a monitoring agent that monitors all threads that are descendent of a thread initiated by the process of said executable; and c) configuring said monitoring agent to conclude that a high probability of malware presence exists, if one of said descendent threads reaches a target process in which suspicious patches are created.

Abstract: A method for preventing the acquisition of data by a screen capturing malware, comprises preventing an unidentified process that does not open a window from performing screen capture.

Abstract: Detecting proxy-based communications via a computer network by sending a uniform resource locator via a computer network to a recipient at a first computer network address, identifying a request associated with the uniform resource locator, where the request is associated with a second computer network address, and determining that a value of a characteristic of the second computer network address is inconsistent with a value associated with the recipient, thereby identifying the first computer network address as being associated with a proxy.

Abstract: Detecting malware-related activity on a computer by detecting activity associated with the creation of a data object, where the activity is performed by a process, where the process is an instance of a computer software application that resides in a computer memory and that is executed by a computer, and where the data object is configured to persist after termination of the process, determining a string that identifies the data object, searching for a portion of the string that identifies the data object within any areas of the computer memory storing static portions of the computer software application, and performing a computer-security-related remediation action responsive to determining that the portion of the string that identifies the data object is absent from the searched areas of the computer memory.

Abstract: Detecting heap spraying on a computer by detecting a plurality of requests to allocate portions of heap memory, measuring the plurality of requests to determine a value of a characteristic of the plurality of requests, identifying an activity consistent with heap spraying by determining that the value of the characteristic is consistent with a benchmark value of the characteristic, wherein the benchmark value of the characteristic is associated with heap spraying, and performing a computer-security-related remediation action responsive to determining that the value of the characteristic is consistent with the benchmark value of the characteristic.

Abstract: A method for detecting HTML-modifying malware present in a computer includes providing a server which serves a web page (HTML) to a browser. A determination is made whether a modified string exists in the page received by the browser and if a modifying element is found, determining the malware is present in the computer.

Abstract: Dynamic verification of a computer software application execution path by detecting execution of a target instruction of a computer software application, wherein the computer software application is configured to generate a token at an instruction near a waypoint instruction of the computer software application, and wherein the waypoint instruction lies along an execution path that leads to the target instruction. Determining, responsive to detecting execution of the target instruction, whether a token exists. Performing a computer-security-related remediation action responsive to determining that the token does not exist.

Abstract: Detecting proxy-based communications via a computer network by sending a uniform resource locator via a computer network to a recipient at a first computer network address, identifying a request associated with the uniform resource locator, where the request is associated with a second computer network address, and determining that a value of a characteristic of the second computer network address is inconsistent with a value associated with the recipient, thereby identifying the first computer network address as being associated with a proxy.

Abstract: A method for protecting a browser from malicious processes, comprises providing at least one process-proxy object and at least a browser-proxy object, interposed between the browser and a process, such that when the process invokes one of the DOM entry points, the process-proxy object isolates it from the real browser implementation and executes the process-proxy object's code instead.

Abstract: A method for alerting a service provider and/or a user of a web browser of a phishing attempt comprises providing on a page that it is desired to protect against phishing, a Javascript that when caused by a phishing page to run not in the context of the original page generates an indication that a phishing attempt may exist.

Abstract: A computer security method including periodically recording a screenshot of what is displayed on a display of a computer, thereby recording a plurality of screenshots, selecting, in accordance with predefined selection criteria, any of the screenshots that were recorded near detection of a security-related condition, and providing any of the selected screenshots in association with the detection of the security-related condition.

Abstract: Detecting malware-related activity on a computer by detecting activity associated with the creation of a data object, where the activity is performed by a process, where the process is an instance of a computer software application that resides in a computer memory and that is executed by a computer, and where the data object is configured to persist after termination of the process, determining a string that identifies the data object, searching for a portion of the string that identifies the data object within any areas of the computer memory storing static portions of the computer software application, and performing a computer-security-related remediation action responsive to determining that the portion of the string that identifies the data object is absent from the searched areas of the computer memory.

Abstract: Detecting the operation of a virtual machine by identifying seed candidates from sets of random numbers generated at a computer, where each of the sets includes multiple random numbers, identifying candidate performance counter frequencies from the seed candidates and from timing information associated with the sets of random numbers, and determining that the computer is operating as a virtual machine if any of the candidate performance counter frequencies is consistent with a predefined virtual machine performance counter frequency.

Abstract: A process for finding potentially harmful malware dropper on an infected computer system includes the steps of a) identifying an executable file that is about to run, and b) providing a storage agent that stores a copy of said executable file for a later inspection.

Abstract: A method for alerting a service provider and/or a user of a web browser of a phishing attempt comprises providing on a page that it is desired to protect against phishing, a Javascript that when caused by a phishing page to run not in the context of the original page generates an indication that a phishing attempt may exist.

Abstract: A method for protecting a browser from malicious processes, comprises providing at least one process-proxy object and at least a browser-proxy object, interposed between the browser and a process, such that when the process invokes one of the DOM entry points, the process-proxy object isolates it from the real browser implementation and executes the process-proxy object's code instead.

Abstract: A method for protecting a browser from malicious processes, comprises providing at least one process-proxy object and at least a browser-proxy object, interposed between the browser and a process, such that when the process invokes one of the DOM entry points, the process-proxy object isolates it from the real browser implementation and executes the process-proxy object's code instead.

Abstract: An Agent for detecting and/or preventing an Exploit attack, comprises: a) means for monitoring the operation of one or more process elements in a computer system; b) means for determining whether said one or more process elements has initiated, or is about to initiate a “create process” operation; and c) means for performing preventive activities as a result of the determination.

Abstract: A method for preventing the acquisition of data by a screen capturing malware, comprises preventing an unidentified process that does not open a window from performing screen capture.