Abstract: Computer-implemented methods and systems for creating or updating approved-file and trusted-domain databases and verifying the legitimacy of files are disclosed. A method for creating or updating an approved-file database may comprise intercepting a first file, identifying a source domain associated with the first file, identifying a trusted-domain database, determining whether a database record for the source domain associated with the first file exists within the trusted-domain database, creating a hash value for the first file if a database record for the source domain associated with the first file exists within the trusted-domain database, and storing the hash value for the first file in an approved-file database. Methods and systems for verifying the legitimacy of a file and for creating or updating a trusted-domain database are also disclosed.

Abstract: An image detection manager uses run length encoding to detect a target image in a candidate image. The image detection manager extracts run length encoding data from the candidate image. The image detection manager distinguishes between a foreground and background of the candidate image and target image, and takes into account an interval of scale factors for matching color runs in the foreground and length runs in the background. The image detection manager treats background pixels as wildcards, and utilizes fuzzy color matching in which color levels of adjacent pixels in the foreground are allowed a specified variation. Using such functionality, the image detection manager compares rows of the run length encoding data from the candidate image to rows of run length encoding data from the target image, and determines whether the target image is present in the candidate image.

Abstract: Methods, apparatuses, and computer-readable media for preventing the spread of malicious computer code. An embodiment of the inventive method comprises the steps of: identifying (110) a computer application that is data mining an e-mail address; determining (130) whether the computer application associates at least one executable application and the data mined e-mail address with an e-mail message (120); and blocking (140) the transmission of the e-mail message when the e-mail message is associated with the at least one executable application and the data mined e-mail address.

Abstract: Computer-implemented methods, apparati, and computer-readable media for detecting the presence of viral infections in target files (10) located within a computer. The invention has broad applicability to a number of different platforms, including Windows.

Abstract: Systems, methods, and computer readable media for determining whether a computer file (340) has been infected by an attacking agent. A scanning engine (205) generates a new hash of a critical viral target region of the file (340) and compares it to a stored hash of the critical viral target region. The scanning engine (205) determines whether the file (340) has been scanned by the most recent version of a detection module (425) associated with the attacking agent. If the hashes are identical and the file (340) has been scanned by the most recent version of the detection module (425), the scanning engine (205) determines that the file (340) is free of infection by the attacking agent.

Abstract: Methods, apparati, and computer-readable media for protecting computer code (1) from malicious retrievers (3). A method embodiment of the present invention comprises the steps of generating (22) retrieval information characteristic of data sent to a retriever (3) by the computer code (1) in response to a retrieval command (5) issued by the retriever (3); accessing at least one rule (6) using at least some of said retrieval information as an input to said at least one rule (6); and, when said at least one rule (6) informs that the retrieval is not acceptable, flagging (28) the retrieval command (5) as suspicious.

Abstract: Prior to a modification of an executable computer file (101), a modification analysis manager (111) stores (1101) content concerning a specified number of specified sized blocks (115) of a specified section of the executable file (101). After the modification of the executable file (101), the modification analysis manager (111) compares (1103), for each block (115), the content at the location of the block (115) after the modification of the executable file (101) with the content of the block (115) prior to the modification. The modification analysis manager (101) determines (1105) the status of the modification, responsive to a result of the comparison.

Abstract: Methods, apparati, and computer-readable media for countering malicious code infections to computer files (20). A preferred embodiment comprises selecting (40) an invariant section of each file (20), wherein said invariant section is invariant to malicious code infections and to repair thereof; for each of a set of known malicious code files, using an algorithm to generate (41) a template corresponding to the invariant section; using said algorithm to define a target (29), corresponding to said invariant section, within a test file (20); comparing (46) the target (29) with the templates; and declaring (48) the presence of malicious code in the test file (20) when the target (29) matches a template.

Abstract: System, methods, and computer readable media for determining whether a computer file (340) has been infected by an attacking agent. A scanning engine (205) generates a new hash of a critical viral target region of the file (340) and compares it to a stored hash of the critical viral target region. The scanning engine (205) determines whether the file (340) has been scanned by the most recent version of a detection module (425) associated with the attacking agent. If the hashes are identical and the file (340) has been scanned by the most recent version of the detection module (425), the scanning engine (205) determines that the file (340) is free of infection by the attacking agent.

Abstract: A software application (110) is updated to a newer version by means of incremental update patches (122). The incremental update patches (122) each contain that information necessary to transform one version of an application to another version. Any version of an application (110) may be upgraded to any other version of the application, through the use of a series of incremental update patches (122). The appropriate incremental update patches (122) are distributed in a multi-tiered manner, such that some update patches (122) update the application (110) by only one version, and others update the application (110) by several versions.

Abstract: A scanning manager (101) dynamically resizes (205) a flow scanning cache (109) based on signature (105) content in order to scan a flow (103) for signatures (105). The scanning manager (101) reads a directive (107) in a signature (105) to resize (205) the cache (109) in order to scan the flow (103) for the signature (105). The scanning manager (101) dynamically resizes (205) the cache (109) responsive to the directive (107), and scans for the signature (105) within the resized cache (109).

Abstract: A worm detection module (WDM) (212) stops worms and other malicious software from spreading among computer systems (100) on a network (210) via open drive shares. The WDM (212) monitors (310) a storage device (108) for activity (314, 316) directed to executable files by remote processes. The WDM (212) flags (318) files (216) that are the target of such activity. If a flagged file (216) attempts to create an executable file (218) on a networked computer system (100B), the WDM (212) detects (322) that the flagged file (216) is a worm. In response, the WDM (212) blocks the write to the networked computer system (100B) and thereby prevents the worm from propagating.

Abstract: System, methods, and computer readable media for determining whether a computer file (340) has been infected by an attacking agent. A scanning engine (205) generates a new hash of a critical viral target region of the file (340) and compares it to a stored hash of the critical viral target region. The scanning engine (205) determines whether the file (340) has been scanned by the most recent version of a detection module (425) associated with the attacking agent. If the hashes are identical and the file (340) has been scanned by the most recent version of the detection module (425), the scanning engine (205) determines that the file (340) is free of infection by the attacking agent.

Abstract: A software application (110) is updated to a newer version by means of incremental update patches (122). The incremental update patches (122) each contain that information necessary to transform one version of an application to another version. Any version of an application (110) may be upgraded to any other version of the application, through the use of a series of incremental update patches (122). The appropriate incremental update patches (122) are distributed in a multi-tiered manner, such that some update patches (122) update the application (110) by only one version, and others update the application (110) by several versions.

Abstract: A software application (110) is updated to a newer version by means of incremental update patches (122). The incremental update patches (122) each contain that information necessary to transform one version of an application to another version. Any version of an application (110) may be upgraded to any other version of the application, through the use of a series of incremental update patches (122). The appropriate incremental update patches (122) are distributed in a multi-tiered manner, such that some update patches (122) update the application (110) by only one version, and others update the application (110) by several versions.

Abstract: Incremental updating of a file (100) that has been rebased or realigned is accomplished through the use of a canonical form (100B). In terms of rebasing, a canonical form (100B) is one that has been rebased to a predetermined base address (104). In one embodiment this predetermined base address (104) is zero. In terms of realigning, a canonical form (100B) is one that has been realigned in a predetermined way. In one embodiment, the segments (110) of the file (100) are realigned such that there is no gap (114) between the end of one segment (110) and the start of the next segment (110). In another embodiment, the segments (110) of the file (100) are realigned to page boundaries (112) of a predetermined size. An incremental update (124) for the file (100) is determined that transforms the file from the canonical form (100B) to the desired update form (100C).

Abstract: System, method, and computer readable medium for examining a file (1) associated with an originating computer (2) to determine whether a virus is present within the file (1). File (1) contains at least one sector and is scanned by an antivirus module (3). An identification and hash value of each scanned sector, a date of an update to antivirus module (3), and a version number of antivirus module (3) are stored into a critical sectors file (4). Hash values can be calculated by an antivirus accelerator module (5). An authentication module (12) affixes a digital signature to critical sectors file (4). File (1), critical sectors file (4), and digital signature (15) are then transmitted over network (14) to a recipient computer (11). File (1) sectors that were scanned by originating computer (2) are examined by antivirus module (3'). Each of these sectors again has its hash value calculated and compared with the hash value of the corresponding sector as stored within critical sectors file (4).

Abstract: An emulation repair system (200) restores virus-infected computer files (220) to their uninfected states without risk of infecting the rest of the computer system (202), by providing a virtual machine (216) for emulating the virus-infected computer file (220), a foundation module (240) including generic, machine language repair routines (242), and a virus specific overlay module (262). Emulation repair system (200) receives the identity of the infected computer file (220) and the infecting virus (224) from a virus scanning module, and uses the received information to access a virus definition (232) that includes decryption information on the identified virus (224). The infected computer file (220) is emulated in the virtual machine (216) until it is determined from comparison with the decryption information that the virus (224) is fully decrypted.

Abstract: A software application (110) is updated to a newer version by means of incremental update patches (122). The incremental update patches (122) each contain that information necessary to transform one version of an application to another version. Any version of an application (110) may be upgraded to any other version of the application, through the use of a series of incremental update patches (122). The appropriate incremental update patches (122) are distributed in a multi-tiered manner, such that some update patches (122) update the application (110) by only one version, and others update the application (110) by several versions.

Abstract: System and method for examining a file (1) associated with a digital computer (2) to determine whether a computer virus is present within the file (1). The file (1) contains at least one numbered sector. When the file (1) is examined for an initial time, the file (1) is scanned by an antivirus module (3, 5). At that time, the numbers of the sectors being scanned and a hash value for each scanned sector are stored into a critical sector file (4). The hash values can be calculated by an antivirus accelerator module (5). When the file (1) is examined a subsequent time, all of the file (1) sectors that were scanned the initial time are examined by the antivirus accelerator module (5). Each of these sectors again has its hash value calculated and compared with the hash value of the corresponding sector as stored within the critical sector file (4).