Patents by Inventor Mark Spiegel

Mark Spiegel has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9465937
    Abstract: A computer-implemented method for securely managing file-attribute information for files in a file system may comprise: 1) identifying at least one file, 2) identifying file-attribute information that identifies at least one file attribute for the file, 3) identifying volatile metadata associated with the file that contains file-attribute information, 4) determining that the file has been modified, and 5) automatically deleting the volatile metadata. Corresponding systems and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: October 11, 2016
    Assignee: Symantec Corporation
    Inventors: Mark Spiegel, David Buches, Patrick Gardner, David Kane
  • Patent number: 8856921
    Abstract: Threat emergence dates as well as file modification and scanning history are tracked to determine which files need to be scanned for possible infection by various attacking agents. Information concerning which scan engines are used to scan for the presence of different attacking agents is also tracked. Where given files only need to be scanned for a subset of all possible threats and the relevant scanning code resides in only a subset of all the scan engines, only the required scan engines are initialized, loaded or called in order to scan those files.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: October 7, 2014
    Assignee: Symantec Corporation
    Inventors: Bruce McCorkendale, William E. Sobel, Mark Spiegel, Shaun Cooley
  • Patent number: 7788724
    Abstract: A system and method are disclosed for detecting malicious computer applications. According to an embodiment of the present invention, it is determined whether a communication is attempting to occur, wherein the communication is associated with a first application. It is also determined whether there is a second application associated with the first application; and also determined whether the second application is trusted.
    Type: Grant
    Filed: April 10, 2003
    Date of Patent: August 31, 2010
    Assignee: Symantec Corporation
    Inventors: Basil Gabriel, Mark Spiegel
  • Patent number: 7730533
    Abstract: A computer includes a filter module providing a standardized interface for intercepting file access requests. The computer also includes a cache manager that manages the caching mode used with the requests. An application on the computer issues a file access request and explicitly or implicitly specifies a cache hint informing the cache manager of a desired caching mode. A security scanner module scans files on the computer for malicious software. The security scanner module intercepts a file access request and alters the caching mode, if necessary, to one optimized for security scanning. The security scanner module performs the file scan using the optimal caching mode, and, if necessary, resets the caching mode to its original state.
    Type: Grant
    Filed: November 18, 2005
    Date of Patent: June 1, 2010
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Mark Spiegel, Bruce McCorkendale
  • Patent number: 7681237
    Abstract: In the method of the present invention, an anti-virus scan of a file is performed in real time. A thread manager (101) detects (202) that an activity concerning a file has been initiated by a first thread. Responsive to the detection, the thread manager (101) determines (204) that a scan of the file should be conducted. The thread manager (101) initiates (206) the scan of the file by a second thread, thereby enabling the first thread to complete the activity concerning the file and to perform other tasks while the scan occurs. The thread manager (101) blocks (212) access to the file while the scan occurs.
    Type: Grant
    Filed: May 13, 2004
    Date of Patent: March 16, 2010
    Assignee: Symantec Corporation
    Inventors: Mark Spiegel, Melissa Mendonca, Haik Mesropian, Edmund White
  • Patent number: 7484094
    Abstract: Computer implemented methods, apparati, and computer-readable media for quickly and safely opening computer files over a network. In a method embodiment of the present invention, a local computer (10) initiates a test open of a file (14) associated with a remote computer (12) that is coupled to the local computer (10) over the network (15). When the test open discloses that the remote computer (12) has an acceptable malicious code scanning means (13), the local computer (10) performs an actual open of the file (14).
    Type: Grant
    Filed: May 14, 2004
    Date of Patent: January 27, 2009
    Assignee: Symantec Corporation
    Inventors: John Millard, Mark Spiegel
  • Publication number: 20070083931
    Abstract: Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module, which observes failed network connection attempts from multiple sources. A logging module logs the failed connection attempts. An analysis module uses the logged data on the failed connection attempts to determine whether a source is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source's failed connection attempts are non-normal. In one embodiment, a response module responds to the computer worm by, e.g., alerting a user or system administrator, terminating an infected process, or terminating the infected source's network access.
    Type: Application
    Filed: December 15, 2006
    Publication date: April 12, 2007
    Applicant: SYMANTEC CORPORATION
    Inventors: Mark Spiegel, Bruce McCorkendale, William Sobel
  • Patent number: 7159149
    Abstract: Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module (110), which observes (205) failed network connection attempts from multiple sources. A logging module (120) logs (220) the failed connection attempts. An analysis module (150) uses the logged data on the failed connection attempts to determine (225) whether a source is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source's failed connection attempts are non-normal. In one embodiment, a response module (160) responds (240) to the computer worm by, e.g., alerting a user or system administrator, terminating an infected process (20), or terminating the infected source's network access.
    Type: Grant
    Filed: October 24, 2002
    Date of Patent: January 2, 2007
    Assignee: Symantec Corporation
    Inventors: Mark Spiegel, Bruce McCorkendale, William Sobel
  • Publication number: 20040205354
    Abstract: A system and method are disclosed for detecting malicious computer applications. According to an embodiment of the present invention, it is determined whether a communication is attempting to occur, wherein the communication is associated with a first application. It is also determined whether there is a second application associated with the first application; and also determined whether the second application is trusted.
    Type: Application
    Filed: April 10, 2003
    Publication date: October 14, 2004
    Applicant: Symantec Corporation
    Inventors: Basil Gabriel, Mark Spiegel
  • Publication number: 20040083408
    Abstract: Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module (110), which observes (205) failed network connection attempts from multiple sources. A logging module (120) logs (220) the failed connection attempts. An analysis module (150) uses the logged data on the failed connection attempts to determine (225) whether a source is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source's failed connection attempts are non-normal. In one embodiment, a response module (160) responds (240) to the computer worm by, e.g., alerting a user or system administrator, terminating an infected process (20), or terminating the infected source's network access.
    Type: Application
    Filed: October 24, 2002
    Publication date: April 29, 2004
    Inventors: Mark Spiegel, Bruce McCorkendale, William Sobel