Patents by Inventor Michael Spertus

Michael Spertus has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8180893
    Abstract: Component-level sandboxing is implemented in the example context of an enterprise rights management system. A policy enforcement module monitors an application executing on a client to detect and evaluate data access requests in view of a rights policy. The policy enforcement module determines how to handle the request based on whether the policy permits the request. If the request is permitted, the policy enforcement module allows the request and sandboxes it using virtualization. The sandbox virtualizes the thread making the request and/or a data access component involved in the request. Other aspects of the application that do not implicate the rights policy are not sandboxed. In this way, sandboxing is used to enforce the rights policy in a manner that is transparent to the user and consumes relatively few resources of the client.
    Type: Grant
    Filed: March 15, 2010
    Date of Patent: May 15, 2012
    Assignee: Symantec Corporation
    Inventor: Michael Spertus
  • Patent number: 8176079
    Abstract: In one example, a server-based system may provide a recursive classification of the contents of a URL by: 1) receiving a request for a URL-classification list associated with a base URL, 2) constructing the URL-classification list, and 3) providing, in response to the request, the URL-classification list. The resulting URL-classification list may comprise: 1) content categories occurring in the base URL and 2) content categories occurring in any URLs embedded in the base URL. In another example, a client-based system may restrict access to network resources, based on the contents of a base URL, by: 1) identifying a request from a user to access a base URL, 2) requesting a URL-classification list associated with the base URL, 3) receiving the URL-classification list, and 4) determining, based on the URL-classification list, that access to the base URL is authorized. Corresponding computer-readable media are also disclosed.
    Type: Grant
    Filed: September 23, 2008
    Date of Patent: May 8, 2012
    Assignee: Symantec Corporation
    Inventor: Michael Spertus
  • Patent number: 8001606
    Abstract: A reputation server is coupled to multiple clients via a network. A security module at a client identifies an application and determines whether it is on a white list. If the application is not on the white list, the security module monitors the application using a strict set of signatures. If the application is on the white list, the security module monitors the application using a relaxed set of signatures. The relaxed set of signatures can exclude legitimate characteristics possessed by the application as specified by the white list. The security module evaluates whether the application is malicious based at least in part on whether it possesses suspicious characteristics described by the signatures. The reputation server receives reports from clients identifying applications and describing characteristics possessed by the applications and uses the reports to generate the white list.
    Type: Grant
    Filed: June 30, 2009
    Date of Patent: August 16, 2011
    Assignee: Symantec Corporation
    Inventor: Michael Spertus
  • Patent number: 7926106
    Abstract: Upon detection of a rootkit, a host computer system is rebooted. The boot process is interrupted. Access to a media, e.g., a volume or disk, containing the rootkit is gained and the media is directly accessed. The rootkit is disabled, e.g., renamed or deleted, and the host computer system is rebooted a second time. If the rootkit has not been previously removed, e.g., only renamed, the rootkit is removed, e.g., using a conventional antivirus application. Thus, upon detection of a rootkit, the rootkit is removed without a clean boot.
    Type: Grant
    Filed: April 6, 2006
    Date of Patent: April 12, 2011
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, Michael Spertus, Peter Linhardt, Richard Gough, Adam Glick, Patrick Gardner, Spencer Smith, Tim Naftel
  • Patent number: 7827145
    Abstract: A computer system and method for performing restore operations. A computer system includes one or more hosts. At least one host includes a backup agent. In response to a request to restore a file to a first host, a backup component identifies copies of portions of the file stored on a second host, retrieves the copies, and restores the file on the first host from the copies. The backup component maintains a catalog of entries corresponding to copies of portions of files stored on the hosts. In response to a request to restore the file to a first host, the backup component queries the catalog to identify one or more candidate locations where copies of portions of the file have been stored. The first and second hosts may be the same. The backup component may be located on a host or on a backup server.
    Type: Grant
    Filed: December 20, 2006
    Date of Patent: November 2, 2010
    Assignee: Symantec Operating Corporation
    Inventors: Michael Spertus, Hans Van Rietschote, Kirk L. Searls
  • Publication number: 20090089290
    Abstract: Computer-implemented methods and systems for creating or updating approved-file and trusted-domain databases and verifying the legitimacy of files are disclosed. A method for creating or updating an approved-file database may comprise intercepting a first file, identifying a source domain associated with the first file, identifying a trusted-domain database, determining whether a database record for the source domain associated with the first file exists within the trusted-domain database, creating a hash value for the first file if a database record for the source domain associated with the first file exists within the trusted-domain database, and storing the hash value for the first file in an approved-file database. Methods and systems for verifying the legitimacy of a file and for creating or updating a trusted-domain database are also disclosed.
    Type: Application
    Filed: October 1, 2007
    Publication date: April 2, 2009
    Inventors: Carey Nachenberg, Michael Spertus, Sourabh Satish, Gerry Egan
  • Publication number: 20050172271
    Abstract: An interactive system for debugging programs in which a persistent data base system responds to update queries containing debugging information from a debugging information source and to read queries on the debugging information from an interactive interface. The interactive interface produces the read queries in response to inputs from users and formats the results of the read queries as required by the user. One source of inputs is a standard Web browser for which the interactive interface functions as a Web server. The system also includes a command channel by which the source of debugging information receives commands from the interactive interface. In one embodiment, the command channel is implemented in the data base. In a disclosed implementation, the source of debugging information provides memory debugging information. Also disclosed are techniques for using an automatic memory management system to reduce memory fragmentation and heap footprint size.
    Type: Application
    Filed: March 28, 2005
    Publication date: August 4, 2005
    Inventors: Michael Spertus, Charles Fiterman, Gustavo Rodriguez Rivera
  • Patent number: 6055612
    Abstract: An incremental garbage collector which permits a memory allocator's decommit mechanism to operate while the garbage collector is detecting memory that a program being executed is certainly not using. The garbage collector includes a decommit barrier which prevents the garbage collector from referencing memory that the allocator has decommitted from the address space of the process on which the program is executing. In mark-sweep incremental garbage collectors, the decommit barrier may be implemented in two ways: by means of a table which the allocator marks whenever it determines that a portion of memory is subject to being decommitted from the process's address space and which the garbage collector examines before scanning the portion and by means of a table which the garbage collector marks when it finds that a portion of memory must be scanned and which the allocator examines before decommitting the portion.
    Type: Grant
    Filed: July 11, 1997
    Date of Patent: April 25, 2000
    Assignee: Geodesic Systems, Inc.
    Inventors: Michael Spertus, Gustavo Rodriguez-Rivera, Charles Fitterman