Abstract: A method of protecting a computer system against remote exploitation attacks performed over a network to which the computer system is connected. The method includes: a) identifying a network connection that is not associated with a successful authentication and which carries a traffic level in excess of a predefined threshold; b) reporting the identified network connection as a real or potential remote exploitation attack; and c) taking an action or actions to mitigate against the real or potential remote exploitation attack.

Abstract: There is provided a method of detecting a threat against a computer system. The method includes monitoring installation and operation of multiple different versions of the same application in a computer system; analysing evolutionary changes between the behaviours of the different versions of the same application; detecting and monitoring a new version of the same application in a computer system; monitoring the behavior of the computer system to detect one or more procedures of the monitored application that do not match expected behaviors of the monitored application on the basis of the analysis; and upon detection of one or more procedures not matching the expected behaviors of the monitored application, identifying the monitored application as malicious or suspicious.

Abstract: A method of protecting a computer system against remote exploitation attacks performed over a network to which the computer system is connected. The method includes: a) identifying a network connection that is not associated with a successful authentication and which carries a traffic level in excess of a predefined threshold; b) reporting the identified network connection as a real or potential remote exploitation attack; and c) taking an action or actions to mitigate against the real or potential remote exploitation attack.

Abstract: There is provided a method of detecting a threat against a computer system. The method includes monitoring installation and operation of multiple different versions of the same application in a computer system; analysing evolutionary changes between the behaviours of the different versions of the same application; detecting and monitoring a new version of the same application in a computer system; monitoring the behavior of the computer system to detect one or more procedures of the monitored application that do not match expected behaviors of the monitored application on the basis of the analysis; and upon detection of one or more procedures not matching the expected behaviors of the monitored application, identifying the monitored application as malicious or suspicious.

Abstract: A nozzle (10) for contact-free treatment of a running web, having a main frame (11) forming an outer part of the nozzle, and two side chambers (14, 15) on each of the longitudinal sides of the nozzle (10). The side chambers having openings (17A, 17B, 16A, 16B) for the air to blow toward a fiber web. A U-shaped air channel (20), through which the air is lead to the side chambers (14, 15), located between the side chambers (14, 15), having at least one opening (19, 18) on each side wall for leading the air into the side chambers (14, 15). A U-shaped inner part (13) which is movable by a mechanism (12) comprising a screw (21) and bushings (22) to at least partially open and close the opening (18, 19).

Abstract: A method of detecting suspicious code that has been injected into a process. The method includes identifying suspicious executable memory areas assigned to the process and, for each thread in the process, inspecting a stack associated with the thread to identify a potential return address; determining whether or not the potential return address is located within a suspicious memory area; and, if the potential return address is located within a suspicious memory area, determining whether or not the instruction at the address preceding the potential return address is a function call and, if yes, determining that the potential return address is a true return address and identifying the thread and associated code as suspicious.

Abstract: A nozzle (10) for contact-free treatment of a running web, having a main frame (11) forming an outer part of the nozzle, and two side chambers (14, 15) on each of the longitudinal sides of the nozzle (10). The side chambers having openings (17A, 17B, 16A, 16B) for the air to blow toward a fiber web. A U-shaped air channel (20), through which the air is lead to the side chambers (14, 15), located between the side chambers (14, 15), having at least one opening (19, 18) on each side wall for leading the air into the side chambers (14, 15). A U-shaped inner part (13) which is movable by a mechanism (12) comprising a screw (21) and bushings (22) to at least partially open and close the opening (18, 19).

Abstract: There is provided a malware analysis method including at a computer device having an operating system and a memory: collecting Dynamic Link Library (DLL) data under a system folder, the data including at least the DLL name and all pairs of exported function names and function addresses relative to the starting address of the DLL once it has been loaded into memory; comparing the two least significant bytes of the collected function addresses with the two least significant bytes of absolute virtual addresses in a memory dump; deducing a list of potential targets for API function calls when there is a match between the compared two least significant bytes of the collected function addresses and the absolute virtual addresses; and quarantining or deleting malware from which the suspicious API function calls originated.

Abstract: There is provided a malware analysis method including at a computer device having an operating system and a memory: collecting Dynamic Link Library (DLL) data under a system folder, the data including at least the DLL name and all pairs of exported function names and function addresses relative to the starting address of the DLL once it has been loaded into memory; comparing the two least significant bytes of the collected function addresses with the two least significant bytes of absolute virtual addresses in a memory dump; deducing a list of potential targets for API function calls when there is a match between the compared two least significant bytes of the collected function addresses and the absolute virtual addresses; and quarantining or deleting malware from which the suspicious API function calls originated.

Abstract: A method, apparatus, and computer program for improving security in connection with online transactions are provided. A security application configured to monitor received text messages of a short message service is executed in an apparatus. The security application is arranged to have prioritized access to process the received text messages before other applications executed in the apparatus, to identify from contents of a received text message whether or not the received text message includes a transaction authentication message and, upon detecting that the received text message includes the transaction authentication message, prevent the processing of the transaction authentication message by the other applications and carry out user interfacing related to the transaction authentication message within a secured environment provided by the security application.

Abstract: A method in a computer for detecting a file encryption attack. The computer detects an attempt to overwrite current file data of a file with new file data. The computer then compares the new file data to the current file data to obtain a measure of the difference between the current and the new file data, and if the difference exceeds a threshold, the computer considers this to identify a file encryption attack.

Abstract: A method of detecting suspicious code that has been injected into a process. The method includes identifying suspicious executable memory areas assigned to the process and, for each thread in the process, inspecting a stack associated with the thread to identify a potential return address; determining whether or not the potential return address is located within a suspicious memory area; and, if the potential return address is located within a suspicious memory area, determining whether or not the instruction at the address preceding the potential return address is a function call and, if yes, determining that the potential return address is a true return address and identifying the thread and associated code as suspicious.

Abstract: A method in a computer for detecting a file encryption attack. The computer detects an attempt to overwrite current file data of a file with new file data. The computer then compares the new file data to the current file data to obtain a measure of the difference between the current and the new file data, and if the difference exceeds a threshold, the computer considers this to identify a file encryption attack.

Abstract: A method, apparatus, and computer program for improving security in connection with online transactions are provided. A security application configured to monitor received text messages of a short message service is executed in an apparatus. The security application is arranged to have prioritized access to process the received text messages before other applications executed in the apparatus, to identify from contents of a received text message whether or not the received text message includes a transaction authentication message and, upon detecting that the received text message includes the transaction authentication message, prevent the processing of the transaction authentication message by the other applications and carry out user interfacing related to the transaction authentication message within a secured environment provided by the security application.