Abstract: Techniques for conserving battery power in devices are provided. One or more deferrable tasks are queued for later execution. An initiation of a subsequent charging event for a battery of the device is detected. The queued deferrable task(s) are enabled to be executed during the charging event. For instance, the queued deferrable task(s) may be enabled to be executed if the charging event is predicted to be a long duration charging event, such as by referring to a charging profile of the mobile device. In this manner, battery power is conserved while the device is in use and not connected to a battery charger.

Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.

Abstract: Techniques for conserving battery power in devices are provided. One or more deferrable tasks are queued for later execution. An initiation of a subsequent charging event for a battery of the device is detected. The queued deferrable task(s) are enabled to be executed during the charging event. For instance, the queued deferrable task(s) may be enabled to be executed if the charging event is predicted to be a long duration charging event, such as by referring to a charging profile of the mobile device. In this manner, battery power is conserved while the device is in use and not connected to a battery charger.

Abstract: Various principles for maintaining a shared repository of authorization scanning results, which may be populated with results of authorization scans of particular files (and other content units) as well as a signature for those particular files. When a particular file is to be scanned by a client computing device to determine whether it contains unauthorized software, a signature for the file may be calculated and provided to the shared repository. If the repository has a result for that file—as indicated by a signature for the file being present in the repository—the result in the repository may be provided to the client computing device that issued the query, and the client computing device may accept the answer in the shared repository. If the result is not in the repository (i.e., the file has not been scanned), then the file may be scanned, and a result may be placed in the repository.

Abstract: Detection of code-free files is described. According to one implementation, an input file is parsed to recognize a file format. Contents of the input file are checked according to the recognized file format, if available, in an effort to determine whether executable code might exist within the input file. A status is then sent in response to the checking.

Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.

Abstract: Methods, systems, and computer program products for customizing content based on at least one operating characteristic of a mobile client. A mobile gateway receives content from a content source, such as an email server, a Web server, or some other content server. For example, content may include email, calendar, contact, task, Web, notification, financial, sports data, configuration information, etc. The mobile gateway customizes the content based on transforms assigned to each mobile client. Transforms account for differences in the software, display, processor, memory, communication channel, and the like, of each mobile client, without imposing additional processing burdens on the content server. Processing that is common among several transforms may be shared. Mobile clients may be any type of computer, including telephones, pagers, PDAs, laptops, and other mobile gateways.

Abstract: Architecture for controlling access to a service. The architecture allows denial of regular and periodic service to all but a selected number of concurrent clients associated with a subscriber, and without any manual administration at the server of a list of specific computers. Rather than require an administered list, the system discovers which clients are active, places the active clients on an active list, and excludes all client not on the active list. The system includes rules the enforcement of which provide a mechanism for ensuring that the subscriber is not adding an unlimited number of clients or rotating clients in and out of the pool to effectively maintain service on a larger number of computers to which the subscriber is entitled.

Abstract: Public-key authentication, based on public key cryptographic techniques, is utilized to authenticate a person opening an account. The person provides a declaration to use only public-key authentication and a copy of his/her public key to an authorized agent, such as a credit bureau. The person provides a signed request to open an account with a merchant based on public-key authentication. This merchant requests a credit report from the credit bureau, providing the credit bureau the applicant's public key. The credit bureau uses the public key to locate a credit report. Barring theft of the user's private key, the credit report will be that of the requesting user with a high probability. The credit bureau can then provide the requested information to the merchant, and the merchant can provide notification to the person that the account is authorized or not, based on what the merchant reads in the credit report.

Abstract: Methods, systems, and computer program products for customizing content based on at least one operating characteristic of a mobile client. A mobile gateway receives content from a content source, such as an email server, a Web server, or some other content server. For example, content may include email, calendar, contact, task, Web, notification, financial, sports data, configuration information, etc. The mobile gateway customizes the content based on transforms assigned to each mobile client. Transforms account for differences in the software, display, processor, memory, communication channel, and the like, of each mobile client, without imposing additional processing burdens on the content server. Processing that is common among several transforms may be shared. Mobile clients may be any type of computer, including telephones, pagers, PDAs, laptops, and other mobile gateways.

Abstract: Malware recovery optimization is provided in which malware detection processes and protocol processes on a device are monitored for events indicating a breach of security of the device, such as the presence of an infection or other evidence of a malware attack. The devices report the events for collection on a centralized event collector that issues alerts of the events to other devices that may have been compromised as a result of the breach of security. Upon receipt of the alert, the receiving devices may initiate malware recovery optimization, including activating anti-virus software to initiate a targeted scan of those resources that may have been compromised. In this manner, malware recovery processes are optimized to recover the receiving device and/or resources when indicated.

Abstract: The present invention provides a system, method, and computer-readable medium that opportunistically install a software update on a computer that closes a vulnerability that existed on the computer. In accordance with one aspect of the present invention, when antivirus software on a computer identifies malware, a method causes a software update that closes the vulnerability exploited by the malware to be installed on the computer. The method includes identifying the vulnerability exploited by the malware, using a software update system to obtain a software update that is configured to close the vulnerability; and causing the software update to be installed on the computer where the vulnerability exists.

Abstract: In accordance with the present invention, a system, method, and computer-readable medium for identifying malware in a request to a Web service is provided. One aspect of the present invention is a computer-implemented method for protecting a computer that provides a Web service from malware made in a Web request. When a request is received, an on-demand compilation system compiles high-level code associated with the request into binary code that may be executed. However, before the code is executed, antivirus software designed to identify malware scans the binary code for malware. If malware is identified, the antivirus software prevents the binary code associated with the request from being executed.

Abstract: The present invention is directed to a system and methods for protecting a limited resource computer from malware. Aspects of the present invention use antivirus software on a general purpose computer to prevent malware from infecting a limited resource computer. Typically, antivirus software on the general purpose computer is kept “up-to-date” with the most recent software updates. When a connection is established between the limited resource computer and the general purpose computer, a signature of each application installed on the limited resource computer is transmitted to the general purpose computer. Then antivirus software on the general purpose computer compares the received signatures to known malware. Finally, the results of the scan are reported to the limited resource computer.

Abstract: In accordance with the present invention, a system, method, and computer-readable medium for identifying malware at a network transit point such as a computer that serves as a gateway to an internal or private network is provided. A network transmission is scanned for malware at a network transit point without introducing additional latency to the transmission of data over the network. In accordance with one aspect of the present invention, a computer-implemented method for identifying malware at a network transit point is provided. More specifically, when a packet in a transmission is received at the network transit point, the packet is immediately forwarded to the target computer. Simultaneously, the packet and other data in the transmission are scanned for malware by an antivirus engine. If malware is identified in the transmission, the target computer is notified that the transmission contains malware.

Abstract: A system and method for identifying and removing potentially unwanted software. A mechanism is provided that identifies suspect programs to a user and allows the user to prevent the suspect programs from running without actually deleting them. In one embodiment, scanner data identifying potentially unwanted software is displayed in a GUI that allows the user to inhibit its continued execution. For example, any software not on a list of known, benign applications/processes may be identified as potentially unwanted. Similarly, software that displays one or more suspect behaviors may be so identified, allowing the user to distinguish between normal and suspect software without irreversibly altering the user's system.

Abstract: A self-healing device is provided in which changes made between the time that an infection resulting from an attack on the device was detected and an earlier point in time to which the device is capable of being restored may be recovered based, at least in part, on what kinds of changes were made, whether the changes were bona fide or malware induced, whether the changes were made after the time that the infection likely occurred, and whether new software was installed.

Abstract: The present invention provides a system, method, and computer-readable medium for identifying and removing active malware from a computer. Aspects of the present invention are included in a cleaner tool that may be obtained automatically with an update service or may be downloaded manually from a Web site or similar distribution system. The cleaner tool includes a specialized scanning engine that searches a computer for active malware. Since the scanning engine only searches for active malware, the amount of data downloaded and resource requirements of the cleaner tool are less than traditional antivirus software. The scanning engine searches specific locations on a computer, such as data mapped in memory, configuration files, and file metadata for data characteristic of malware. If malware is detected, the cleaner tool removes the malware from the computer.

Abstract: An expert proxy server is described that is coupled to a number of wireless devices through a wireless network, and to a number of server computer systems through an external network such as, for example, the Internet. The expert proxy server acts as an agent for a wireless device by providing a service for the wireless device. Specifically, the expert proxy server determines that a service is to be provided to the wireless device. Next, the expert proxy server identifies an application that provides the service and then communicates with the identified application that provides the service. The expert proxy server compiles the results of the communication with the application and then transmits the compilation to the wireless device over the wireless network. Thus, the relatively smaller bandwidth of the wireless network is preserved by transmitting a minimal amount of information over the wireless network while leaving more extensive communications to occur over higher bandwidth external networks.

Abstract: Methods, systems, and computer program products for negotiating a secure end-to-end connection using a proxy server as an intermediary. The client first negotiates a secure connection between the client and the proxy so that any credentials exchanged will be encrypted. After the exchange of authentication credentials, the secure client-proxy connection is altered so that no further encryption takes place. The client and server then negotiate a secure end-to-end connection through the proxy, with the secure end-to-end connection being encapsulated within the insecure client-proxy connection. In this way, the overhead of creating a separate client-proxy connection for the secure end-to-end connection may be avoided, but the insecure client-proxy connection introduces only minimal overhead because it no longer encrypts any data that it carries.