Patents by Inventor Charles G. Jeffries

Charles G. Jeffries has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10885189
    Abstract: A host operating system running on a computing device monitors resource access by an application running in a container that is isolated from the host operating system. In response to detecting resource access by the application, a security event is generated describing malicious activity that occurs from accessing the resource. This security event is analyzed to determine a threat level of the malicious activity. If the threat level does not satisfy a threat level threshold, the host operating system allows the application to continue accessing resources and continues to monitor resource access. When the threat level satisfies the threat level threshold, the operating system takes corrective action to prevent the malicious activity from spreading beyond the isolated container. Through the use of security events, the host operating system is protected from even kernel-level attacks without using resources required to run anti-virus software in the isolated container.
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: January 5, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Charles G. Jeffries, Benjamin M. Schultz, Giridhar Viswanathan, Frederick Justus Smith, David Guy Weston, Ankit Srivastava, Ling Tony Chen, Hari R. Pulapaka
  • Patent number: 10855725
    Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.
    Type: Grant
    Filed: June 2, 2016
    Date of Patent: December 1, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao
  • Publication number: 20180336351
    Abstract: A host operating system running on a computing device monitors resource access by an application running in a container that is isolated from the host operating system. In response to detecting resource access by the application, a security event is generated describing malicious activity that occurs from accessing the resource. This security event is analyzed to determine a threat level of the malicious activity. If the threat level does not satisfy a threat level threshold, the host operating system allows the application to continue accessing resources and continues to monitor resource access. When the threat level satisfies the threat level threshold, the operating system takes corrective action to prevent the malicious activity from spreading beyond the isolated container. Through the use of security events, the host operating system is protected from even kernel-level attacks without using resources required to run anti-virus software in the isolated container.
    Type: Application
    Filed: May 22, 2017
    Publication date: November 22, 2018
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Charles G. JEFFRIES, Benjamin M. SCHULTZ, Giridhar VISWANATHAN, Frederick Justus SMITH, David Guy WESTON, Ankit SRIVASTAVA, Ling Tony CHEN, Hari R. PULAPAKA
  • Publication number: 20170353496
    Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.
    Type: Application
    Filed: June 2, 2016
    Publication date: December 7, 2017
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao
  • Patent number: 9037620
    Abstract: Data stored on a storage medium can be referenced by multiple independently addressable active symbolic links, with each active symbolic link representing the data through a different transformation. The active symbolic links can be in the form of file system objects, such as files or directories. A single active symbolic link can reference the data stored in multiple collections, or, conversely, a subset of data from a single collection. Active symbolic links can be automatically created for common data transformations. Searching across active symbolic links referencing encrypted data can be performed by multiple protection-specific search engines, or a single search engine that can generate a protection-level aware search index.
    Type: Grant
    Filed: December 16, 2009
    Date of Patent: May 19, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Carl Melvin Ellison, Charles G. Jeffries
  • Patent number: 8745386
    Abstract: Single-use authentication methods for accessing encrypted data stored on a protected volume of a computer are described, wherein access to the encrypted data involves decrypting a key protector stored on the computer that holds a volume-specific cryptographic key needed to decrypt the protected volume. Such single-use authentication methods rely on the provision of a key protector that can only be used once and/or that requires a new access credential for each use. In certain embodiments, a challenge-response process is also used as part of the authentication method to tie the issuance of a key protector and/or access credential to particular pieces of information that can uniquely identify a user.
    Type: Grant
    Filed: June 21, 2010
    Date of Patent: June 3, 2014
    Assignee: Microsoft Corporation
    Inventors: Octavian T. Ureche, Nils Dussart, Charles G. Jeffries, Cristian M. Ilac, Vijay G. Bharadwaj, Innokentiy Basmov, Stefan Thom, Son VoBa
  • Patent number: 8689015
    Abstract: A portable secure data file includes an encrypted data portion and a metadata portion. When a request associated with a current user of a device to access a portable secure data file is received, one or more records in the metadata portion are accessed to determine whether the current user is permitted to access the file data in the encrypted data portion. If a record indicates the user is permitted to access the file data, a content encryption key in that record is used to decrypt the encrypted data portion.
    Type: Grant
    Filed: January 16, 2013
    Date of Patent: April 1, 2014
    Assignee: Microsoft Corporation
    Inventors: Charles G. Jeffries, Vijay G. Bharadwaj, Michael J. Grass, Matthew C. Setzer, Gaurav Sinha, Carl M. Ellison
  • Patent number: 8661534
    Abstract: A security system is provided for use with computer systems. In various embodiments, the security system can analyze the state of security of one or more computer systems to determine whether the computer systems comply with expressed security policies and to remediate the computer systems so that they conform with the expressed security policies. In various embodiments, the security system can receive compliance documents, determine whether one or more computer systems comply with portions of security policies specified in the compliance documents, and take actions specified in the compliance documents to cause the computer systems to comply with the specified security policies. The security system may provide a common, unified programming interface that applications or tools can employ to verify or enforce security policies.
    Type: Grant
    Filed: June 26, 2007
    Date of Patent: February 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Arindam Chatterjee, Anders Samuelsson, Nils Dussart, Charles G. Jeffries, Amit R. Kulkarni
  • Patent number: 8462955
    Abstract: An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted.
    Type: Grant
    Filed: June 3, 2010
    Date of Patent: June 11, 2013
    Assignee: Microsoft Corporation
    Inventors: Octavian T. Ureche, Nils Dussart, Michael A. Halcrow, Charles G. Jeffries, Nathan T. Lewis, Cristian M. Ilac, Innokentiy Basmov, Magnus Bo Gustaf Nyström, Niels T. Ferguson
  • Patent number: 8364984
    Abstract: A portable secure data file includes an encrypted data portion and a metadata portion. When a request associated with a current user of a device to access a portable secure data file is received, one or more records in the metadata portion are accessed to determine whether the current user is permitted to access the file data in the encrypted data portion. If a record indicates the user is permitted to access the file data, a content encryption key in that record is used to decrypt the encrypted data portion.
    Type: Grant
    Filed: March 13, 2009
    Date of Patent: January 29, 2013
    Assignee: Microsoft Corporation
    Inventors: Charles G. Jeffries, Vijay G. Bharadwaj, Michael J. Grass, Matthew C. Setzer, Gaurav Sinha, Carl M. Ellison
  • Patent number: 8161560
    Abstract: A security health reporting system provides an application program interface (API) for use by independent software vendors (ISVs) to extend the security health reporting capabilities of the security health reporting system. An ISV security solution can register with the security health reporting system, create a schema that describes a new security class, and use the API to publish an instance of the schema for the new security class with the security health reporting system. When an instance of a schema for a new security class is published, the security health reporting system creates the new security class, and recognizes the definition for the security class within the security health reporting system. Registered ISV security solutions can then use the published schema to report their health statuses for the new security class.
    Type: Grant
    Filed: February 9, 2011
    Date of Patent: April 17, 2012
    Assignee: Microsoft Corporation
    Inventors: Charles G. Jeffries, Doug Coburn, Barry Gerhardt, Randall K. Winjum, Arindam Chatterjee
  • Publication number: 20110314279
    Abstract: Single-use authentication methods for accessing encrypted data stored on a protected volume of a computer are described, wherein access to the encrypted data involves decrypting a key protector stored on the computer that holds a volume-specific cryptographic key needed to decrypt the protected volume. Such single-use authentication methods rely on the provision of a key protector that can only be used once and/or that requires a new access credential for each use. In certain embodiments, a challenge-response process is also used as part of the authentication method to tie the issuance of a key protector and/or access credential to particular pieces of information that can uniquely identify a user.
    Type: Application
    Filed: June 21, 2010
    Publication date: December 22, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: Octavian T. Ureche, Nils Dussart, Charles G. Jeffries, Cristian M. Ilac, Vijay G. Bharadwaj, Innokentiy Basmov, Stefan Thom, Son VoBa
  • Publication number: 20110302398
    Abstract: An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted.
    Type: Application
    Filed: June 3, 2010
    Publication date: December 8, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: Octavian T. Ureche, Nils Dussart, Michael A. Halcrow, Charles G. Jeffries, Nathan T. Lewis, Cristian M. Ilac, Innokentiy Basmov, Bo Gustaf Magnus Nyström, Niels T. Ferguson
  • Publication number: 20110145296
    Abstract: Data stored on a storage medium can be referenced by multiple independently addressable active symbolic links, with each active symbolic link representing the data through a different transformation. The active symbolic links can be in the form of file system objects, such as files or directories. A single active symbolic link can reference the data stored in multiple collections, or, conversely, a subset of data from a single collection. Active symbolic links can be automatically created for common data transformations. Searching across active symbolic links referencing encrypted data can be performed by multiple protection-specific search engines, or a single search engine that can generate a protection-level aware search index.
    Type: Application
    Filed: December 16, 2009
    Publication date: June 16, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: Carl Melvin Ellison, Charles G. Jeffries
  • Publication number: 20110131659
    Abstract: A security health reporting system provides an application program interface (API) for use by independent software vendors (ISVs) to extend the security health reporting capabilities of the security health reporting system. An ISV security solution can register with the security health reporting system, create a schema that describes a new security class, and use the API to publish an instance of the schema for the new security class with the security health reporting system. When an instance of a schema for a new security class is published, the security health reporting system creates the new security class, and recognizes the definition for the security class within the security health reporting system. Registered ISV security solutions can then use the published schema to report their health statuses for the new security class.
    Type: Application
    Filed: February 9, 2011
    Publication date: June 2, 2011
    Applicant: Microsoft Corporation
    Inventors: Charles G. Jeffries, Doug Coburn, Barry Gerhardt, Randall K. Winjum, Arindam Chatterjee
  • Patent number: 7908659
    Abstract: A security health reporting system provides an application program interface (API) for use by independent software vendors (ISVs) to extend the security health reporting capabilities of the security health reporting system. An ISV security solution can register with the security health reporting system, create a schema that describes a new security class, and use the API to publish an instance of the schema for the new security class with the security health reporting system. When an instance of a schema for a new security class is published, the security health reporting system creates the new security class, and recognizes the definition for the security class within the security health reporting system. Registered ISV security solutions can then use the published schema to report their health statuses for the new security class.
    Type: Grant
    Filed: November 10, 2006
    Date of Patent: March 15, 2011
    Assignee: Microsoft Corporation
    Inventors: Charles G. Jeffries, Doug Coburn, Barry Gerhardt, Randall K. Winjum, Arindam Chatterjee
  • Publication number: 20100235649
    Abstract: A portable secure data file includes an encrypted data portion and a metadata portion. When a request associated with a current user of a device to access a portable secure data file is received, one or more records in the metadata portion are accessed to determine whether the current user is permitted to access the file data in the encrypted data portion. If a record indicates the user is permitted to access the file data, a content encryption key in that record is used to decrypt the encrypted data portion.
    Type: Application
    Filed: March 13, 2009
    Publication date: September 16, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Charles G. Jeffries, Vijay G. Bharadwaj, Michael J. Grass, Matthew C. Setzer, Gaurav Sinha, Carl M. Ellison
  • Publication number: 20090007264
    Abstract: A security system is provided for use with computer systems. In various embodiments, the security system can analyze the state of security of one or more computer systems to determine whether the computer systems comply with expressed security policies and to remediate the computer systems so that they conform with the expressed security policies. In various embodiments, the security system can receive compliance documents, determine whether one or more computer systems comply with portions of security policies specified in the compliance documents, and take actions specified in the compliance documents to cause the computer systems to comply with the specified security policies. The security system may provide a common, unified programming interface that applications or tools can employ to verify or enforce security policies.
    Type: Application
    Filed: June 26, 2007
    Publication date: January 1, 2009
    Applicant: Microsoft Corporation
    Inventors: Arindam Chatterjee, Anders Samuelsson, Nils Dussart, Charles G. Jeffries, Amit R. Kulkarni
  • Publication number: 20080115218
    Abstract: A security health reporting system provides an application program interface (API) for use by independent software vendors (ISVs) to extend the security health reporting capabilities of the security health reporting system. An ISV security solution can register with the security health reporting system, create a schema that describes a new security class, and use the API to publish an instance of the schema for the new security class with the security health reporting system. When an instance of a schema for a new security class is published, the security health reporting system creates the new security class, and recognizes the definition for the security class within the security health reporting system. Registered ISV security solutions can then use the published schema to report their health statuses for the new security class.
    Type: Application
    Filed: November 10, 2006
    Publication date: May 15, 2008
    Applicant: Microsoft Corporation
    Inventors: Charles G. Jeffries, Doug Coburn, Barry Gerhardt, Randall K. Winjum, Arindam Chatterjee