Abstract: Provided herein are systems and methods for determining a likelihood that an executable comprises malware. A learning engine may determine a plurality of attributes of an executable identified in a computing environment, and a corresponding weight to assign to each of the plurality of attributes. Each of the plurality of attributes may be indicative of a level of risk for the computing environment. The learning engine may generate, according to the determined plurality of attributes and the corresponding weights, one or more scores indicative of a likelihood that the executable comprises malware. A rule engine may perform an action to manage operation of the executable, according to the generated one or more scores.

Abstract: Provided herein are systems and methods for determining a likelihood that an executable comprises malware. A learning engine may determine a plurality of attributes of an executable identified in a computing environment, and a corresponding weight to assign to each of the plurality of attributes. Each of the plurality of attributes may be indicative of a level of risk for the computing environment. The learning engine may generate, according to the determined plurality of attributes and the corresponding weights, one or more scores indicative of a likelihood that the executable comprises malware. A rule engine may perform an action to manage operation of the executable, according to the generated one or more scores.

Abstract: Provided herein are systems and methods for protecting data from injected malware. In some embodiments, a virtual memory validator may execute in user mode memory space on a computing device. The virtual memory validator may monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource. The virtual memory validator may determine that the memory address refers to a memory region that is designated as executable. The virtual memory validator may determine that the memory address is outside memory regions identified in a memory range map. The virtual memory validator may, responsive to the determination, identify the process as a potential malware process.

Abstract: The present disclosure pertains to methods and systems for protecting data or other resources from malware. A driver executing in kernel mode of an operating system on a computing device may monitor one or more processes allowed to execute on the computing device. The one or more processes may include a first executing process. The driver may detect an attempt by a first thread of execution of the first executing process to access a protected file. The driver, responsive to the detection may identify a file type of the protected file. The driver, responsive to the identification of the file type, may determine whether the process is in a list of processes allowed for the file type. The drive may, responsive to determination, determine whether to deny or allow the first thread to access the protected file while allowing another thread of the executing process to execute on the computing device.

Abstract: Provided herein are systems and methods for protecting data from injected malware. In some embodiments, a virtual memory validator may execute in user mode memory space on a computing device. The virtual memory validator may monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource. The virtual memory validator may determine that the memory address refers to a memory region that is designated as executable. The virtual memory validator may determine that the memory address is outside memory regions identified in a memory range map. The virtual memory validator may, responsive to the determination, identify the process as a potential malware process.

Abstract: Provided herein are systems and methods for protecting data from injected malware. In some embodiments, a virtual memory validator may execute in user mode memory space on a computing device. The virtual memory validator may monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource. The virtual memory validator may determine that the memory address refers to a memory region that is designated as executable. The virtual memory validator may determine that the memory address is outside memory regions identified in a memory range map. The virtual memory validator may, responsive to the determination, identify the process as a potential malware process.

Abstract: Provided herein are systems and methods for determining a likelihood that an executable comprises malware. A learning engine may determine a plurality of attributes of an executable identified in a computing environment, and a corresponding weight to assign to each of the plurality of attributes. Each of the plurality of attributes may be indicative of a level of risk for the computing environment. The learning engine may generate, according to the determined plurality of attributes and the corresponding weights, one or more scores indicative of a likelihood that the executable comprises malware. A rule engine may perform an action to manage operation of the executable, according to the generated one or more scores.

Abstract: Provided herein are systems and methods for preventing or controlling data movement. A learning engine may detect capabilities of a computing environment for allowing data access or transfer, and activities relating to data access or transfer from the computing environment. Data assets of the computing environment that are protected may be identified, according to metadata of the data assets. The learning engine may, according to the identified data assets and at least one of the detected capabilities or activities, determine a situation within the computing environment that represents potential or actual exfiltration of one of the identified data assets. A rule engine may perform an action to prevent or control the potential or actual data movement of the one of the identified data assets, responsive to applying one or more rules to the determined situation.

Abstract: The present disclosure pertains to methods and systems for protecting data or other resources from malware. A driver executing in kernel mode of an operating system on a computing device may monitor one or more processes allowed to execute on the computing device. The one or more processes may include a first executing process. The driver may detect an attempt by a first thread of execution of the first executing process to access a protected file. The driver, responsive to the detection may identify a file type of the protected file. The driver, responsive to the identification of the file type, may determine whether the process is in a list of processes allowed for the file type. The drive may, responsive to determination, determine whether to deny or allow the first thread to access the protected file while allowing another thread of the executing process to execute on the computing device.

Abstract: Provided herein are systems and methods for protecting data from injected malware. In some embodiments, a virtual memory validator may execute in user mode memory space on a computing device. The virtual memory validator may monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource. The virtual memory validator may determine that the memory address refers to a memory region that is designated as executable. The virtual memory validator may determine that the memory address is outside memory regions identified in a memory range map. The virtual memory validator may, responsive to the determination, identify the process as a potential malware process.

Abstract: A technique for establishing a perimeter of accountability for usage of digital assets such as data files. The accountability model not only tracks authorized users' access to files, but monitors passage of such files to uncontrollable removable storage media or through network connections and the like which may indicate possible abuse of access. In accordance with a preferred embodiment, an autonomous independent agent process running at a point of use, such as in the background of a client operating system kernel, interrupts requests for access to resources. The agent process senses low level system events, filters, aggregates them, and makes reports to a journaling server. The journaling server analyzes sequences of low level events to detect when aggregate events of interest occur, such as “FileEdit”, network file transfers and the like. Reports can be generated to provide an understanding of how digital assets have been accessed, used or communicated by individuals in an enterprise.

Abstract: A technique for establishing usage control over digital assets such as computer files. The system model not only tracks authorized users' access to files, but monitors passage of such files to uncontrollable removable storage media or through network connections and the like which may indicate possible abuse of access rights. In accordance with a preferred embodiment, an autonomous independent agent process running at a point of use, such a background process in a client operating system kernel, interrupts requests for access to resources. The agent process senses low level system events, filters, and aggregates them. A policy engine analyzes sequences of aggregate events to determine when policy violations occur.

Abstract: A technique for establishing a perimeter of accountability for usage of digital assets such as data files. The accountability model not only tracks authorized users' access to files, but monitors passage of such files to uncontrollable removable storage media or through network connections and the like which may indicate possible abuse of access. In accordance with a preferred embodiment, an autonomous independent agent process running at a point of use, such as in the background of a client operating system kernel, interrupts requests for access to resources. The agent process senses low level system events, filters, aggregates them, and makes reports to a journaling server. The journaling server analyzes sequences of low level events to detect when aggregate events of interest occur, such as “FileEdit”, network file transfers and the like. Reports can be generated to provide an understanding of how digital assets have been accessed, used or communicated by individuals in an enterprise.

Abstract: A system for backing up desired data includes a communication link configured to transfer information between the system and a backup storage for storing backed up data, and a processor coupled to the communication link and configured to: determine associated substantive data of the desired data, compare the associated substantive data of the desired data with stored data, and transfer the associated substantive data over the communication link for storage based on the comparison of the associated substantive data with the stored data.

Abstract: A data processing application logging, recording, and reporting process and infrastructure. Compliance with regulatory directives such as HIPAA, internal organizational and corporate, personal information privacy, and other security policies can thus be enforced without the need to recode legacy application software. In one preferred embodiment, a core agent process provides “listener” functionality that captures user input events, such as keyboard and mouse interactions, between a user and a legacy application of interest. The agent obtains instructions for how to deal with such events, accessing information that describes the application's behavior as already captured by an application profiler tool. Keyboard and mouse data entry sequences, screen controls and fields of interest are tagged during application profiling process. This data is stored in application profile developed for each mode of a legacy application.

Abstract: A technique for efficient representation of dependencies between electronically-stored documents, such as in an enterprise data processing system. A document distribution path is developed as a directional graph that is a representation of the historic dependencies between documents, which is constructed in real time as documents are created. The system preferably maintains a lossy hierarchical representation of the documents indexed in such a way that allows for fast queries for similar but not necessarily equivalent documents. A distribution path, coupled with a document similarity service, can be used to provide a number of applications, such as a security solution that is capable of finding and restricting access to documents that contain information that is similar to other existing files that are known to contain sensitive information.

Abstract: A technique for establishing a perimeter of accountability for usage of digital assets such as data files. The accountability model not only tracks authorized users' access to files, but monitors passage of such files to uncontrollable removable storage media or through network connections and the like which may indicate possible abuse of access. In accordance with a preferred embodiment, an autonomous independent agent process running at a point of use, such as in the background of a client operating system kernel, interrupts requests for access to resources. The agent process senses low level system events, filters, aggregates them, and makes reports to a journaling server. The journaling server analyzes sequences of low level events to detect when aggregate events of interest occur, such as “FileEdit”, network file transfers and the like. Reports can be generated to provide an understanding of how digital assets have been accessed, used or communicated by individuals in an enterprise.

Abstract: A technique for adaptive encryption of digital assets such as computer files. The system model monitors passage of files to uncontrollable removable storage media or through network connections and the like which may indicate possible abuse of access rights. In accordance with a preferred embodiment, an autonomous independent agent process running at a point of use, such a background process in a client operating system kernel, interrupts requests for access to resources. The agent process senses low level system events, filters, and aggregates them. A policy engine analyzes sequences of aggregate events to determine when to apply encryption.

Abstract: A trusted transaction architecture that provides security from a client side input device to a merchant server by installing a secure custom browser process on the client side computer via an ActiveX control or the equivalent. This Secure Browser Process (SBP) may then be inspected to ensure that no external codes exist in its application space, that no subsequently loaded Dynamic Link Library (DLL), or equivalent, has been tampered with or modified, that no Application Programming Interface (API) has been overwritten or redirected, and that no input device driver has been hooked by a digital signature. The SBP then creates a secure channel to the input device(s) that are used to enter data into the browser application, and creates a secure channel to the merchant's destination server to ensure that data cannot be intercepted, even on the client side computer.

Abstract: A technique for adaptive encryption of digital assets such as computer files. The system model monitors passage of files to uncontrollable removable storage media or through network connections and the like which may indicate possible abuse of access rights. In accordance with a preferred embodiment, an autonomous independent agent process running at a point of use, such a background process in a client operating system kernel, interrupts requests for access to resources. The agent process senses low level system events, filters, and aggregates them. A policy engine analyzes sequences of aggregate events to determine when to apply encryption.