Abstract: A network node of a threat detection network, a backend server of a threat detection network, a threat detection network and a threat detection method in a threat detection network. The threat detection network comprises interconnected network nodes and a backend system, wherein at least part of the nodes comprise security agent modules which collect data related to the respective network node. The method comprises collecting and/or analyzing at the network node data related to a network node, generating at least one local behavior model at the network node related to the network node on the basis of the collected and/or analyzed data, sharing at least one generated local behavior model related to the network node with one or more other nodes and/or with the backend system, comparing user activity in a node to the generated local behavior model and/or a received behavior model, and alerting the backend and/or the other nodes, e.g.

Abstract: First data relating to a selected file is obtained. Based upon the first data it is determined if malware detection processing can be selected. Malware detection processing of the file is selected based upon said first data if it is determined that malware detection processing can be selected based upon the first data. If it is determined that, based upon the first data, malware detection processing cannot be selected based upon the first data, second data relating to the selected file is obtained and malware detection processing of the file is selected based upon said first and second obtained data. The selected malware detection processing is applied to said selected file. In an exemplary embodiment the first data is metadata and represents a faster scan of the file, and the second data is content of the file's header and represents a more in-depth scan of the file.

Abstract: A method of detecting malware on a computer and comprising scanning a system memory of the computer, and/or code being injected into the system memory, for known strings indicative of banking trojans. These strings may be Universal Resource Locators and/or partial Universal Resource Locators.

Abstract: The present invention relates to a method for synchronizing files between devices between two devices. The method includes creating a rule to control the synchronization of the file. The rule includes at least one condition for synchronization which is dependent upon a property of a device.

Abstract: A method for determining appropriate actions to remedy potential security lapses following infection of a device by malware. Following detection of infection of the device the device undergoes a cleaning operation. As part of the cleaning operation infected electronic files and any other associated files or objects are removed from the device. From timestamps associated with the infected files and associated files and objects, either directly or from another source such as an anti-virus trace program, the time of infection can be estimated. This allows the system to reference timestamps on the device to determine the source of the infection. Additionally, if the type of infection is identified timestamps on the device can be used to determine where there are particular areas of vulnerability due to user actions on the device.

Abstract: According to a first aspect of the present invention there is provided a method for implementation on a computer system in order to remove or disable a program that generates dialog boxes on a display of the computer system. The method includes accepting input from a user input device that identifies a dialog box displayed on the display of the computer system, identifying the process or process module and program components associated with the identified dialog box, and attempting to terminate or disable the identified process or process module, and remove or disable the identified program components.

Abstract: A method and apparatus for detecting a Trojan horse in a suspicious version of a software application in the form of at least one electronic file. A computer device determines a source from which the suspicious version of the software application was obtained. A comparison is then made between the source from which the suspicious version of the software application was obtained and a source from which an original, clean version of the software application was obtained. If the sources differ, then it is determined that the suspicious version of the software application is more likely to contain a Trojan horse than if the sources were the same.

Abstract: According to aspects of the present invention there are provided methods and apparatus for detecting a suspect wireless access point in a communication network including a plurality of wireless access points providing access services to client devices. Identity information associated with the wireless access points is collected from a multiplicity of client devices. A reputation request is received from a client device, the request including identity information of an available wireless access point. The received identity information is compared with the collected identity information for determining an indication of trust of the available wireless access point. The indication of trust of the available wireless access point is transmitted to the client device. The wireless access points may include a cellular wireless access point or base station, wireless access point, a Wi-Fi access point, or a femto-cell access point.

Abstract: A method for determining appropriate actions to remedy potential security lapses following infection of a device by malware. Following detection of infection of the device the device undergoes a cleaning operation. As part of the cleaning operation infected electronic files and any other associated files or objects are removed from the device. From timestamps associated with the infected files and associated files and objects, either directly or from another source such as an anti-virus trace program, the time of infection can be estimated. This allows the system to reference timestamps on the device to determine the source of the infection. Additionally, if the type of infection is identified timestamps on the device can be used to determine where there are particular areas of vulnerability due to user actions on the device.

Abstract: A method and apparatus for detected a Trojan in a suspicious software application in the form of at least one electronic file. A computer device determines the source from which the suspicious software application was obtained. A comparison is then made between the source from which the suspicious software application was obtained and a source from which an original, clean version of the software application was obtained. If the sources differ, then it is determined that the suspicious application is more likely to contain a Trojan horse than if the sources were the same.

Abstract: According to a first aspect of the present invention there is provided a method of detecting potential malware. The method comprises, at a server, receiving a plurality of code samples, the code samples including at least one code sample known to be malware and at least one code sample known to be legitimate, executing each of the code samples in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of each sample, using the extracted bytestrings to determine one or more rules for differentiating between malware and legitimate code, and sending the rule(s) to one or more client computers.