Abstract: Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed and counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers. The counted number is then compared with the expected number based on past observations, and if the comparison exceeds a predetermined threshold, the objects are flagged as unsafe or as suspicious.

Abstract: Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed and counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers. The counted number is then compared with the expected number based on past observations, and if the comparison exceeds a predetermined threshold, the objects are flagged as unsafe or as suspicious.

Abstract: Methods and systems for providing forensic visibility into systems and networks are provided. More particularly, a sensor agent may receive events defining an action of a first object acting on a target. The object, the event, and the target are then correlated to at least one originating object such that an audit trail for each individual event is created. A global perspective indicating an age, popularity, a determination as to whether the object may be malware, and IP/URL information associated with the event may then be applied to at least one of the object, the event, the target, and the originating object. A priority may then be determined and assigned to the event based on at least the global perspective. An event line containing event information is then transmitted to an end recipient where the information may be heuristically displayed.

Abstract: Methods and apparatus for managing the expiration and execution of commands sent from a remote system having administration functions to an agent residing on a computer system are disclosed. An exemplary method includes receiving, at an agent, one or more commands, storing the one or more received commands, retrieving the one or more stored commands, and determining whether the one or more retrieved commands can be executed by comparing at least one time parameter associated with the agent to at least one time parameter associated with the one or more retrieved commands.

Abstract: Methods and systems for providing forensic visibility into systems and networks are provided. More particularly, a sensor agent may receive events defining an action of a first object acting on a target. The object, the event, and the target are then correlated to at least one originating object such that an audit trail for each individual event is created. A global perspective indicating an age, popularity, a determination as to whether the object may be malware, and IP/URL information associated with the event may then be applied to at least one of the object, the event, the target, and the originating object. A priority may then be determined and assigned to the event based on at least the global perspective. An event line containing event information is then transmitted to an end recipient where the information may be heuristically displayed.

Abstract: Methods and systems for providing forensic visibility into systems and networks are provided. More particularly, a sensor agent may receive events defining an action of a first object acting on a target. The object, the event, and the target are then correlated to at least one originating object such that an audit trail for each individual event is created. A global perspective indicating an age, popularity, a determination as to whether the object may be malware, and IP/URL information associated with the event may then be applied to at least one of the object, the event, the target, and the originating object. A priority may then be determined and assigned to the event based on at least the global perspective. An event line containing event information is then transmitted to an end recipient where the information may be heuristically displayed.

Abstract: Methods and apparatus for managing the expiration and execution of commands sent from a remote system having administration functions to an agent residing on a computer system are disclosed. An exemplary method includes receiving, at an agent, one or more commands, storing the one or more received commands, retrieving the one or more stored commands, and determining whether the one or more retrieved commands can be executed by comparing at least one time parameter associated with the agent to at least one time parameter associated with the one or more retrieved commands.

Abstract: Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored or processed wherein the base computer comprises plural threat servers arranged to receive the data from the plural remote computers and apply rules or heuristics against the data in real time to determine whether or not the object is malware and to communicate the determination to the remote computers. The base computer includes at least one central server in communication with the threat servers and arranged to receive the data about objects from the threat servers to maintain a master database of data received about objects from all threat servers.

Abstract: Examples provided relate to methods and apparatus for managing the expiration and execution of commands sent from a remote system having administration functions to an agent residing on a computer system. An exemplary method may include receiving, at an agent, one or more commands, storing the one or more received commands, retrieving the one or more stored commands, and determining whether the one or more retrieved commands can be executed by comparing at least one time parameter associated with the agent to at least one time parameter associated with the one or more retrieved commands.

Abstract: Methods and systems for providing forensic visibility into systems and networks are provided. More particularly, a sensor agent may receive events defining an action of a first object acting on a target. The object, the event, and the target are then correlated to at least one originating object such that an audit trail for each individual event is created. A global perspective indicating an age, popularity, a determination as to whether the object may be malware, and IP/URL information associated with the event may then be applied to at least one of the object, the event, the target, and the originating object. A priority may then be determined and assigned to the event based on at least the global perspective. An event line containing event information is then transmitted to an end recipient where the information may be heuristically displayed.

Abstract: Methods and apparatus for providing protection against malware are disclosed. An exemplary method includes executing an agent program on a remote computer connected to a network, the agent program being configured to communicate with a base computer via the network, the agent program including a firewall arranged to block communications between the remote computer and entities on the network in accordance with predetermined rules; and configuring the firewall in accordance with rules received from the base computer.

Abstract: Methods and apparatus for managing the expiration and execution of commands sent from a remote system having administration functions to an agent residing on a computer system are disclosed. An exemplary method includes receiving, at an agent, one or more commands, storing the one or more received commands, retrieving the one or more stored commands, and determining whether the one or more retrieved commands can be executed by comparing at least one time parameter associated with the agent to at least one time parameter associated with the one or more retrieved commands.

Abstract: Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed and counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers. The counted number is then compared with the expected number based on past observations, and if the comparison exceeds a predetermined threshold, the objects are flagged as unsafe or as suspicious.

Abstract: Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored or processed wherein the base computer comprises plural threat servers arranged to receive the data from the plural remote computers and apply rules or heuristics against the data in real time to determine whether or not the object is malware and to communicate the determination to the remote computers. The base computer includes at least one central server in communication with the threat servers and arranged to receive the data about objects from the threat servers to maintain a master database of data received about objects from all threat servers.

Abstract: Methods and apparatus for providing protection against malware are disclosed. An exemplary method includes executing an agent program on a remote computer connected to a network, the agent program being configured to communicate with a base computer via the network, the agent program including a firewall arranged to block communications between the remote computer and entities on the network in accordance with predetermined rules; and configuring the firewall in accordance with rules received from the base computer.