Abstract: A method of detecting and blocking a malicious SSL connection at a client computer. The method includes identifying, at a network firewall level, an outbound SSL connection being set up at the client computer; detecting an SSL certificate associated with the SSL connection; sending a request to a central server for reputation information on the SSL certificate; at the central server, determining reputation information in dependence upon the SSL certificate; providing said reputation information from the central server to the client computer; and using the reputation information at the client computer to determine whether or not to block the connection.

Abstract: In accordance with an example embodiment of the present invention, there is provided a method including: detecting a malware in a computer system and in response to the detection of the malware in the computer system initiating a deactivation of malware; detecting a file altered by the malware in response to a successful deactivation of the malware; and initiating a restoration of the altered file in response to the detection of the file altered by the malware.

Abstract: A method and apparatus for determining the identity of suspected malware on a client device. Information pertaining to the malware is sent from the client device to a server. The server determines a first required information set, and sends a request to the client device for the required information set. The client device compares the required information set with information stored at the client device, and returns the results of the comparison to the server. The server uses the results of the comparison to attempt to determine an identity of the malware. If the results of the comparison indicate that the suspected malware is one of a plurality of types of malware, a new required information set is determined, which is sent back to the client device, and the process repeated. Otherwise the identity of the suspected malware is determined, or it is determined that the suspected malware is unknown to the server.

Abstract: A method and apparatus for detected a Trojan in a suspicious software application in the form of at least one electronic file. A computer device determines the source from which the suspicious software application was obtained. A comparison is then made between the source from which the suspicious software application was obtained and a source from which an original, clean version of the software application was obtained. If the sources differ, then it is determined that the suspicious application is more likely to contain a Trojan horse than if the sources were the same.

Abstract: A method of performing a security check at a user computer on web page content downloaded to the user computer over the Internet. The method includes retrieving rating information for the web page from a web service over the Internet, the rating information including one or more content ratings and a first signature generated from the content, using a specified algorithm, at substantially the same time as the or each content rating was determined. The downloaded web page content is then processed using said specified algorithm to generate a second signature, and said first and second signatures are compared and the differences therebetween quantified. It is then determined if the quantified difference exceeds a threshold value. If not, then the received content rating(s) is(are) trusted. If yes, then the result is reported to said web service.

Abstract: A method of controlling internet access on a client computer. The method comprises identifying a DNS request generated on the client computer and which is addressed to a specific DNS root server, and sending an information request to a central server identifying said DNS root server. Then, at the central server, reputation information for said DNS root server is determined, and said reputation information is provided from the central server to the client computer. The reputation information is then used at the client computer to handle the DNS request or a response to that request.

Abstract: A method and apparatus for managing communications in a communication network. A telephony device determines that a software application is attempting to contact an E.164 number. It then determines that the E.164 number matches at least one predetermined criterion, such as the E.164 number being a premium rate number or having a different country code to that of the device. The device then sends a query to a reputation server. The query includes information identifying the software application. The device receives a response from the reputation server, the response including a reputation relating to the software application. On the basis of the received reputation relating to the software application, the device can take further action such as preventing contact from being established.

Abstract: A method of controlling access to web content at a client computer. The method includes registering an access control status at the client computer, and detecting an attempt to access a website having an access control mechanism. In response to such detection, the access attempt is suspended and said access control status registered at the client computer compared with an access control status currently registered at the website. If these do not correspond, then the access control status registered at the website is changed to correspond with that registered at the client computer.

Abstract: A method and apparatus for detecting a suspicious entity in a communication network. A receiving device receives a message from a sender. A processor obtains domain information or a user identity, and further contact information from data contained in the message. A reputation query message is sent to a Network Reputation Server (NRS), the reputation query message including the domain information or user identity. A reply is received from the NRS that indicates that the domain information or user identity is related to a suspicious entity. The receiving device then associates the contact information with the suspicious entity. In this way, if a user of the receiving device attempts to use the contact information, they can be prevented from doing this or informed that it relates to a suspicious entity.

Abstract: A method and apparatus for a determining whether an electronic file stored at a client device is malware. A server receives from the client device a request message that signature information of the electronic file. The server queries a database of signature information of a multiplicity of electronic files. If the signature information of the electronic file corresponds to signature information stored on the database, a determination is made as to whether the electronic file is malware. If the signature information of the electronic file does not correspond to signature information stored on the database, a determination is made as to whether a predetermined number of further request messages for the electronic file are received from further client devices within a predetermined time period. If fewer request messages are received within the time period, it is likely that the electronic file is malware.

Abstract: According to a first aspect of the present invention there is provided a method of protecting a computer system from malware, which malware attempts to prevent detection or analysis when executed in an emulated computer system. The method comprises determining if an executable file should be identified as being legitimate and, if not, executing the executable file whilst providing indications to the executable file that it is being executed within an emulated computer system.

Abstract: According to a first aspect of the present invention there is provided a malware detection method implemented within a computer. The method includes, for a given electronic file, determining if the file is associated with a valid digital signature. If the file is associated with a valid digital signature, then verifying that the signature belongs to a trusted source. If the signature does belong to a trusted source then not performing a malware scan of said file, and if the signature cannot be verified as belonging to a trusted source then performing said scan.

Abstract: A method of controlling a process on a computer system for backing-up files stored in a primary storage medium, to a secondary storage medium. The method comprises monitoring a file system implemented on the computer system in order to detect write operations made by the file system to said primary storage medium. Upon detection of a write operation, the integrity of a file being written is verified and/or changes in the file identified with respect to a version of the file currently stored in the primary storage medium and which is being replaced. In the event that the integrity of a file being written by the file system is compromised, and/or any identified changes in the file are suspicious, then the file is identified to the back-up process such that automatic back-up of the file is inhibited.

Abstract: A method and apparatus for disinfecting an infected electronic file in a file system. A file system is scanned using an anti-virus application to identify the infected electronic file. Once the infected file has been identified, information identifying the infected electronic file is sent to a remote node, which queries a database storing a plurality commonly used electronic files to determine whether a clean version of the electronic file is stored at the database. If so, then all or part of the clean version of the infected electronic file is sent from the remote node, and used to replace all or part of the electronic file stored in the file system.

Abstract: A method and apparatus for determining the identity of suspected malware on a client device. Information pertaining to the malware is sent from the client device to a server. The server determines a first required information set, and sends a request to the client device for the required information set. The client device compares the required information set with information stored at the client device, and returns the results of the comparison to the server. The server uses the results of the comparison to attempt to determine an identity of the malware. If the results of the comparison indicate that the suspected malware is one of a plurality of types of malware, a new required information set is determined, which is sent back to the client device, and the process repeated. Otherwise the identity of the suspected malware is determined, or it is determined that the suspected malware is unknown to the server.

Abstract: There is provided a method and apparatus for executing an anti_virus application on a mobile communications device. A memory card for coupled to a mobile communications device, and a boot sequence is initiated on the mobile communications device. Prior to completion of the boot sequence, a Symbian recognizer is loaded to the communications device from the memory card. The loaded Symbian recognizer is executed on the mobile communications device to automatically execute an anti-virus application, the anti-virus application also being stored on the memory card.

Abstract: According to a first aspect of the present invention there is provided a method of detecting malware in a mobile telecommunications device 101. In the method, maintaining a database 109 of legitimate applications and their respective expected behaviours, identifying legitimate applications running on the device 101, monitoring the behaviour of the device 101, comparing this monitored behaviour with that expected according to the database 109 for those legitimate applications identified as running on the device 101, and analyzing deviations from the expected behaviour of the device 101 to identify the potential presence of malware.