Abstract: Controlling access to a protected network is disclosed. In some embodiments, one or more events that occur will a host is disconnected from the protected network are logged. The log is provided to one or more devices associated with the protected network when the host requests access to the protected network after a period in which it was not connected. In some embodiments, a network access control or other device or process uses the log to determine whether and/or an extent to which the host should be permitted to connect to the network.

Abstract: The performance and hence the user experience of just-in-time application streaming is significantly enhanced by predicting which sections of an application are likely to execute next, and transmitting those sections from the server to the endpoint. A control flow graph of the application is created and analyzed against the execution state of the application such that it can be predicated which code pages the application is likely to utilize next. This analysis can be performed on the server, endpoint or any combination of the two. The predicted code pages are proactively pushed and/or pulled such that the application can continue executing without delay. This significantly enhances the performance of application streaming and network file system technologies, and is especially beneficial for very performance sensitive applications.

Abstract: A computer has a hypervisor that supervises a virtual machine. The virtual machine includes a guest security module that enforces a security policy on network traffic entering and exiting the virtual machine. Malicious software (malware) uses stealth network communications to avoid the guest security module and attempts to communicate with its home base. A security module within the hypervisor has access to all network communications entering and exiting the computer. The security module communicates with the guest security module to identify communications of which the guest security module is aware. The security module analyzes the network communications for the computer to identify a stealth network communication of which the guest security module is unaware. The security module alters the stealth network communication, thereby prevent the malware from communicating with its home base.

Abstract: Capturing information associated with a document is disclosed. An indication that a request to print a document is being transmitted is observed in network traffic associated with a printer. At a node other than the printer, data associated with the observed network traffic is processed to determine information associated with the request to print the document.

Abstract: Intentionally dropping packets to prevent unauthorized transfer of data through multimedia tunnels is disclosed. A stream of media transport protocol packets is received. One or more packets are dropped intentionally from the stream to render unusable at the destination a file or other data transported through the multimedia tunnel without authorization.

Abstract: A computer-implemented method for filtering electronic messages. The method may include identifying a first time period during which a user accesses electronic messages less than during a second time period. The method may also include associating a first filtering level with the first time period and associating a second filtering level with a second time period. The method may further include, during the first time period, setting a spam filter to the first filtering level. The first filtering level may cause the spam filter to perform stronger filtering than the second filtering level. The method may include, during the second time period, setting the spam filter to the second filtering level. Corresponding systems and computer-readable media are also disclosed.

Abstract: Analyzing security risk in a computer network includes receiving an event associated with a selected object in the computer network, and determining an object risk level for the selected object based at least in part on an event risk level of the event received, wherein the event risk level accounts for intrinsic risk that depends at least in part on the event that is received and source risk that depends at least in part on a source from which the event originated.

Abstract: A system and a method are disclosed for authenticating a user of a mobile computing device. Information is received describing the location of the mobile computing device. The information can include the current location of the device or a current type of user activity associated with a location. A current timeout length is determined based on this information. If the mobile computing device has remained idle for a time period equal to the current timeout length, the user of the mobile computing device is authenticated.

Abstract: A system and a method are disclosed for managing applications on a mobile computing device. A command message is received at the mobile computing device specifying a command and a target application. The command message may have been sent by a application provider server. The command may be a removal command, an enable command, or a disable command. A removal or disable command may be used to remove or disable a problematic target application. The specified command is performed on the target application.

Abstract: Method and apparatus for searching a storage system for confidential data is described. One aspect of the invention relates to searching a computer for confidential data related to user. User information comprising the confidential data is obtained from a digital identity for the user. A rule that provides a secure representation of the user information is generated. A storage system in the computer is searched using the rule to detect one or more instances of the user information within at least one file.

Abstract: Behavior based processing of a new version or variant of a previously characterized program is disclosed. An indication is received that a process with respect to which a trust decision was made previously has undergone a change. The process is allowed to continue to engage, after the change, in a network behavior associated with the process prior to the change, without first prompting a user, subsequent to the change, to provide an input indicating whether the changed process is to be allowed to engage in the network behavior subsequent to the change.

Abstract: User account control (such as the UAC component of Windows Vista) is extended to enable users to allow their decisions on how to respond to managed events to be applied to equivalent events for groups, without any further prompting. When a managed event first occurs, the user is presented with an extended dialog prompting for input not only on whether to allow the event for just the user, but also on whether to allow the event for any groups the user manages. Managed groups can comprise all of the user's computers, or multiple user accounts the user manages. The user's response to the prompt and information concerning the managed event are stored. Matching events within a group context are recognized, and appropriate stored responses are automatically applied, without any additional user prompting.

Abstract: The performance of a remotely originated application is improved by determining the most popular application features, and proactively making the corresponding application content available to local computers on which the application runs. An application streaming or network file system transmits an application to a plurality of endpoints for execution. The server determines the relative popularity of the application features, and maps the features to corresponding application content. The server proactively pushes the application content corresponding to the most popular features to the endpoints. The popularity of application features is dynamically updated on a regular, ongoing basis. The proactive pushing of code pages is kept current with the updated popularity determinations.

Abstract: Detecting a variant of a known threat is disclosed. A portion of network traffic is matched with at least a portion of a signature associated with the known threat. If the portion of network traffic being matched with the signature does not exactly match the signature, the extent of match between the portion of network traffic and the signature is determined. If the extent of match satisfies a threshold, a security response is triggered based upon the extent of match.

Abstract: Configuring a device operating in a network environment comprises receiving a network policy from a policy authority, classifying the network policy based on the identity of the policy authority, determining a local policy according to the classification, and determining a device configuration change to comply with the network policy in accordance with the local policy. Configuring a device joining a network environment includes detecting that a device has joined the network environment, sending a network policy from a policy authority to the device, the network policy including authentication information for the policy authority, and notifying the presence of the device to a policy monitor.

Abstract: A method, system and computer-readable medium for authenticating a wireless access point is described. The method comprises upon initially connecting to the wireless access point, storing a first service set identifier associated with the wireless access point, storing a first media access control address for the wireless access point and associating the first media access control address for the wireless access point with the first service set identifier for the wireless access point. The system comprises a computing device for executing wireless security software wherein the wireless security software upon initial connection of the computing device to the wireless access point, stores a first service set identifier associated with the wireless access point, stores a first media access control address for the wireless access point and associates the first media access control address for the wireless access point with the first service set identifier for the wireless access point.

Abstract: Preventing continued distribution of a software update that is causing problems in computers is a challenging problem, particularly where the update causes a catastrophic failure such that the problem cannot be reported by the computer since the computer has been completely disabled. To manage this problem, when an update is delivered for installation, it first installs a program and configures it to execute at a specified reporting time. When that time is reached, the program sends a positive operations notification to the update server indicating that the program is okay or sends a notification that the program is okay so far, but the user is now shutting down the computer. The number of notifications received is tracked by the system in comparison to the number of software updates sent.

Abstract: Providing security for a network is disclosed. Network traffic associated with a host is monitored. If an activity pattern associated with a reboot of the host is observed, access by the host to the network is restricted based at least in part on the observed activity pattern.

Abstract: A cookie monitoring manager detects fraudulent updates to cookies on a computer. The cookie monitoring manager monitors cookies, and detects attempted write operations thereto. The cookie monitoring manager determines whether each detected attempted write operation is an attempt to write a fraudulent affiliate identifier to a cookie. The cookie monitoring manager detects fraudulent write attempts, for example, by detecting an attempt to write a known fraudulent affiliate identifier to a cookie, by detecting an attempt to write to a cookie by a process other than a browser or by detecting multiple attempts to write affiliate identifiers to a cookie within a sufficiently short period of time. When the cookie tracking manager detects an attempt to write a fraudulent affiliate identifier to a cookie, it can block the write attempt and/or run an adware removal program on the computer.

Abstract: Method and apparatus for managing digital identities through a single interface is described. One aspect of the invention relates to managing digital identities related to a user. An identity policy of an entity is obtained. At least one relevant digital identity is selected from the digital identities. Each relevant digital identity includes information required by the identity policy. A selected digital identity is obtained from the relevant digital identity or identities. A representation of the selected digital identity is provided to the entity that complies with the identity policy.