Abstract: A method including: establishing an internal swarm intelligence network including security agent modules of a plurality of interconnected network nodes of a local computer network, collecting data related to the respective network nodes, sharing information based on the collected data in the established internal swarm intelligence network, and using the collected data and information received from the internal swarm intelligence network for generating and adapting models related to the respective network node nodes. In case a new threat is identified, the threat is verified and contained, a new threat model is generated and the generated new threat model is shared. The security alert and/or the generated new threat model is transmitted to a security service network for enabling the security service network to share the received security alert and/or the new threat model.

Abstract: A network node of a threat detection network, a backend server of a threat detection network, a threat detection network and a threat detection method in a threat detection network. The threat detection network comprises interconnected network nodes and a backend system, wherein at least part of the nodes comprise security agent modules which collect data related to the respective network node. The method comprises collecting and/or analyzing at the network node data related to a network node, generating at least one local behavior model at the network node related to the network node on the basis of the collected and/or analyzed data, sharing at least one generated local behavior model related to the network node with one or more other nodes and/or with the backend system, comparing user activity in a node to the generated local behavior model and/or a received behavior model, and alerting the backend and/or the other nodes, e.g.

Abstract: There is provided a method of detecting a threat against a computer system. The method comprises: creating a modular representation of behavior of known applications on the basis of sub-components of a set of known applications; entering the modular representation to an evolutionary analysis system for generating previously unknown combinations of the procedures; storing the generated previously unknown combinations as candidate descendants of known applications to a future threat candidate database; monitoring the behavior of the computer system to detect one or more procedures matching the behavior of a stored candidate descendant in the future threat candidate database; and upon detection of one or more procedures matching the behavior of the stored candidate descendant and if the stored candidate descendant is determined to be malicious or suspicious, identifying the running application as malicious or suspicious.

Abstract: A method including: establishing an internal swarm intelligence network including security agent modules of a plurality of interconnected network nodes of a local computer network, collecting data related to the respective network nodes, sharing information based on the collected data in the established internal swarm intelligence network, and using the collected data and information received from the internal swarm intelligence network for generating and adapting models related to the respective network node nodes. In case a new threat is identified, the threat is verified and contained, a new threat model is generated and the generated new threat model is shared. The security alert and/or the generated new threat model is transmitted to a security service network for enabling the security service network to share the received security alert and/or the new threat model.

Abstract: There is provided a method of detecting a threat against a computer system. The method includes creating a modular representation of behavior of known applications on the basis of sub-components of a set of known applications; entering the modular representation to an evolutionary analysis system for generating previously unknown combinations of the procedures; storing the generated previously unknown combinations as candidate descendants of known applications to a future threat candidate database; monitoring the behavior of the computer system to detect one or more procedures matching the behavior of a stored candidate descendant in the future threat candidate database; and upon detection of one or more procedures matching the behavior of the stored candidate descendant and if the stored candidate descendant is determined to be malicious or suspicious, identifying the running application as malicious or suspicious.

Abstract: A method and apparatus for performing an anti-virus scan of a file system. Intermediate scanning results are obtained for a file in the file system, prior to a scan of the file being completed. The intermediate scanning results are then stored in a database. The intermediate scanning results can be used to speed up subsequent scans, and to provide other useful information to an on-line anti-virus server. In a subsequent scan of the file system, a determination is made whether intermediate scanning results relating to the file are available in the database. If they are available for a particular type of intermediate scan, then a scan need not be performed for the file. If they are not, then the scan can be performed.

Abstract: A method and device for preventing a browser-originating attack in a local area network. A security device in the local area network intercepts a message from a first device in the local area network towards a second device in the local area network. The message requests connection between the first device and the second device. The security device prompts a user of the first device to approve the connection. In the event that the user approves the connection the first device is allowed to connect to the second device, and in the event that the user does not approve the connection the connection attempt is terminated.

Abstract: A method and device for preventing a browser-originating attack in a local area network. A security device in the local area network intercepts a message from a first device in the local area network towards a second device in the local area network. The message requests connection between the first device and the second device. The security device prompts a user of the first device to approve the connection. In the event that the user approves the connection the first device is allowed to connect to the second device, and in the event that the user does not approve the connection the connection attempt is terminated.

Abstract: First data relating to a selected file is obtained. Based upon the first data it is determined if malware detection processing can be selected. Malware detection processing of the file is selected based upon said first data if it is determined that malware detection processing can be selected based upon the first data. If it is determined that, based upon the first data, malware detection processing cannot be selected based upon the first data, second data relating to the selected file is obtained and malware detection processing of the file is selected based upon said first and second obtained data. The selected malware detection processing is applied to said selected file. In an exemplary embodiment the first data is metadata and represents a faster scan of the file, and the second data is content of the file's header and represents a more in-depth scan of the file.

Abstract: A method of detecting malware on a computer and comprising scanning a system memory of the computer, and/or code being injected into the system memory, for known strings indicative of banking trojans. These strings may be Universal Resource Locators and/or partial Universal Resource Locators.

Abstract: A method and apparatus for providing information to a security application at a client device. A server receives a request from the client device for information of an object at the client device. The request includes the signature information required by the server to identify the object. The server queries a database to determine the required information of the object and to determine information of at least one further object, and a response is sent to the client device. The response includes the information relating to the object, an identity of the at least one further object, and the information relating to the at least one further object.

Abstract: The present invention relates to a method for synchronizing files between devices between two devices. The method includes creating a rule to control the synchronization of the file. The rule includes at least one condition for synchronization which is dependent upon a property of a device.

Abstract: A method for determining appropriate actions to remedy potential security lapses following infection of a device by malware. Following detection of infection of the device the device undergoes a cleaning operation. As part of the cleaning operation infected electronic files and any other associated files or objects are removed from the device. From timestamps associated with the infected files and associated files and objects, either directly or from another source such as an anti-virus trace program, the time of infection can be estimated. This allows the system to reference timestamps on the device to determine the source of the infection. Additionally, if the type of infection is identified timestamps on the device can be used to determine where there are particular areas of vulnerability due to user actions on the device.

Abstract: According to a first aspect of the present invention there is provided a method for implementation on a computer system in order to remove or disable a program that generates dialog boxes on a display of the computer system. The method includes accepting input from a user input device that identifies a dialog box displayed on the display of the computer system, identifying the process or process module and program components associated with the identified dialog box, and attempting to terminate or disable the identified process or process module, and remove or disable the identified program components.

Abstract: A method and apparatus for detecting a Trojan horse in a suspicious version of a software application in the form of at least one electronic file. A computer device determines a source from which the suspicious version of the software application was obtained. A comparison is then made between the source from which the suspicious version of the software application was obtained and a source from which an original, clean version of the software application was obtained. If the sources differ, then it is determined that the suspicious version of the software application is more likely to contain a Trojan horse than if the sources were the same.

Abstract: According to aspects of the present invention there are provided methods and apparatus for detecting a suspect wireless access point in a communication network including a plurality of wireless access points providing access services to client devices. Identity information associated with the wireless access points is collected from a multiplicity of client devices. A reputation request is received from a client device, the request including identity information of an available wireless access point. The received identity information is compared with the collected identity information for determining an indication of trust of the available wireless access point. The indication of trust of the available wireless access point is transmitted to the client device. The wireless access points may include a cellular wireless access point or base station, wireless access point, a Wi-Fi access point, or a femto-cell access point.

Abstract: The present invention relates to a method for synchronising files between devices between two devices. The method includes creating a rule to control the synchronisation of the file. The rule includes at least one condition for synchronisation which is dependent upon a property of a device.

Abstract: A method for determining appropriate actions to remedy potential security lapses following infection of a device by malware. Following detection of infection of the device the device undergoes a cleaning operation. As part of the cleaning operation infected electronic files and any other associated files or objects are removed from the device. From timestamps associated with the infected files and associated files and objects, either directly or from another source such as an anti-virus trace program, the time of infection can be estimated. This allows the system to reference timestamps on the device to determine the source of the infection. Additionally, if the type of infection is identified timestamps on the device can be used to determine where there are particular areas of vulnerability due to user actions on the device.

Abstract: According to aspects of the present invention there are provided methods and apparatus for detecting a suspect wireless access point in a communication network including a plurality of wireless access points providing access services to client devices. Identity information associated with the wireless access points is collected from a multiplicity of client devices. A reputation request is received from a client device, the request including identity information of an available wireless access point. The received identity information is compared with the collected identity information for determining an indication of trust of the available wireless access point. The indication of trust of the available wireless access point is transmitted to the client device. The wireless access points may include a cellular wireless access point or base station, wireless access point, a Wi-Fi access point, or a femto-cell access point.

Abstract: A method and apparatus for detected a Trojan in a suspicious software application in the form of at least one electronic file. A computer device determines the source from which the suspicious software application was obtained. A comparison is then made between the source from which the suspicious software application was obtained and a source from which an original, clean version of the software application was obtained. If the sources differ, then it is determined that the suspicious application is more likely to contain a Trojan horse than if the sources were the same.