Abstract: An arrangement (410) and a method, e.g. a computer implemented method, of threat detection in a computer or computer network, includes determining that an application is starting at a computer (1), such as a network node or an endpoint, monitoring the application for a predetermined duration after the application start in order to recognize malicious activity by the application. The monitoring of the application includes monitoring the application for accessing a predefined storage area, e.g. a security sensitive area, of the computer, and if access to the predefined storage area, e.g. the security sensitive area, of the computer is determined during the monitoring, denying access to the predefined storage area of the computer for the monitored application and/or denying or throttling network access of the monitored application.

Abstract: An arrangement and a method, e.g. a computer implemented method, for preventing file share related threats in a computer, such as a server (2), or computer network, wherein the method comprises: intercepting an attempt to access a file, such as an attempt to modify, create, rename and/or delete a file, in a monitored location of a computer file system, e.g. in a folder (4) on a server, determining a user identification of a user, such as a remote user, attempting to access the file, creating a backup copy of the file, allowing the attempt to access the file in a monitored location of computer file system, e.g.

Abstract: A method of threat detection in a computing device or network includes determining that a financial related service is accessed with the computing device, determining during an active session or connection to the financial related service that an application of the computing device is requesting network access and checking the reputation of the application. Based thereon, blocking network access if the application or the process is not a trusted application or a trusted process, scanning memory of the computing device used by the application or the process for malicious or unusual content if the application is a trusted application or the process is a trusted process, and if scanning indicates no malicious or unusual content, granting network access to the application or the process, and if scanning of the application or the process indicates malicious or unusual content, blocking network access for the application or the process.

Abstract: Disclosed is an arrangement and a method, e.g. a computer implemented method, of threat detection in a computer or computer network, wherein the method includes determining that an application is starting at a computer, such as a network node or an endpoint, intercepting the application start, identifying the risk rating of the application, based on the identified risk rating of the application creating a snapshot of the computer if the risk rating of the application is high, such as above a certain risk rating threshold value, and/or if the risk rating of the application is unknown, and allowing the application to run after the identification of the risk rating of the application. If the application is determined to be malware when the application is running, stopping the application, removing the malware and reverting changes made to the computer based on the snapshot of the computer.

Abstract: An arrangement and a method of threat detection in a computer or computer network, which method includes providing an thread and/or process to be analyzed for malware to a sandbox environment monitoring attempts of the thread or the process to create remote threads in the sandbox environment, and adding newly created thread(s) to a list of monitored threads, monitoring threads on the list of the monitored threads, providing a result of the malware analysis of the thread or the process on the basis of the execution in the sandbox environment based on the monitored threads, identifying the thread or the process as malicious or suspicious on the basis of the provided result, and taking an action for protecting the computer from the thread or the process identified as malicious or suspicious.

Abstract: An arrangement and a method of threat detection in a computer or computer network in which a virtual machine or a software emulator is started and/or initialized in response to starting a software application at a local machine. The software application is passed to the virtual machine or the software emulator. The software application is started at the virtual machine or the software emulator, and changes made by the software application run on the local machine to at least one file and/or system configuration value, e.g. registry value, of the local machine are determined and backed-up. Application events and/or behavior is analyzed at the virtual machine or the software emulator to determine malicious behavior of the application. Based on the detected malicious behavior of the software application at the virtual machine or the software emulator, the local machine is notified about the malicious behavior and the virtual machine or the software emulator session is ended.

Abstract: There is provided a method for application behaviour control on a computer system. The method includes grouping applications into a set of clusters, wherein each application is grouped to a specific cluster on the basis of predefined event profiles for applications in the specific cluster; monitoring procedures that a specific cluster performs on one or more computer devices; and generating a list of expected events and prohibited events of the specific cluster based on monitoring for enabling the one or more client computer devices and/or an administrator of the one or more client computer devices to take further action related to the applications installed on the one or more client computer devices.

Abstract: There is provided a method for application behaviour control on a computer system. The method includes grouping applications into a set of clusters, wherein each application is grouped to a specific cluster on the basis of predefined event profiles for applications in the specific cluster; monitoring procedures that a specific cluster performs on one or more computer devices; and generating a list of expected events and prohibited events of the specific cluster based on monitoring for enabling the one or more client computer devices and/or an administrator of the one or more client computer devices to take further action related to the applications installed on the one or more client computer devices.

Abstract: A method of capturing photographs or videos and associated metadata. The method includes capturing a photograph or video using a mobile camera device at a shooting location and encompassing a shooting area, identifying a shooting area using positional and orientational detectors of the mobile camera device and known camera properties and recording a definition of the shooting area, and sending the captured photograph or video to a server system. Either at the mobile camera device or at the server system, the presence of peer mobile devices within the shooting area is identified using positional information reported by those peer mobile devices, and the captured photograph or video is tagged with identities associated with those peer mobile devices.

Abstract: A method of discovering suspect IP addresses, the method including, at a client computer: monitoring the computer for malware; on detection of malware, obtaining a list of IP addresses with which a connection has been made or attempted at the client computer within a preceding time frame; sending the list of IP addresses to a central server; and receiving from the central server a blacklist of suspect IP addresses to allow the client computer to block connections with IP addresses within said blacklist.

Abstract: A method of protecting a computer against malware infection. The method includes during operation of the computer, reading master boot record code from a removable storage device into the computer and inspecting said code to identify any instructions associated with suspicious behaviour. In the event that suspicious instructions are identified, the master boot record code on the removable storage device is modified and/or the behaviour of the computer adapted in order to prevent said master boot record code installing malware into the computer. Examples of suspicious behaviour include hard disk read or write operations.

Abstract: In accordance with an example embodiment of the present invention, there is provided an apparatus, comprising: at least one processor; and at least one memory including executable instructions. The at least one memory and the executable instructions are configured to, in cooperation with the at least one processor, cause the apparatus to perform at least the following: during the loading of an operating system, loading a boot time driver installed by an anti-virus application; reading a master boot record data by the boot time driver as soon as the operating system is ready to handle the request for reading the master boot record data; analyzing the collected master boot record data to identify any malicious entities; and in the event that malicious entities are identified, controlling the behavior of the processing system in order to disable the malicious entity.

Abstract: A method of updating an anti-virus application including an updatable module running on a client terminal. The method includes receiving an update at the client terminal, initializing the updatable module within a sandbox environment and applying the update to the updatable module. Control tests are then run on the updated sandboxed module and if the control tests are passed, the updated module is brought out of the sandbox environment and normal scanning is allowed to proceed using the updated module. If the control tests are not passed, however, normal scanning using the updated module is prevented.

Abstract: First data relating to a selected file is obtained. Based upon the first data it is determined if malware detection processing can be selected. Malware detection processing of the file is selected based upon said first data if it is determined that malware detection processing can be selected based upon the first data. If it is determined that, based upon the first data, malware detection processing cannot be selected based upon the first data, second data relating to the selected file is obtained and malware detection processing of the file is selected based upon said first and second obtained data. The selected malware detection processing is applied to said selected file. In an exemplary embodiment the first data is metadata and represents a faster scan of the file, and the second data is content of the file's header and represents a more in-depth scan of the file.

Abstract: A method of capturing photographs or videos and associated metadata. The method includes capturing a photograph or video using a mobile camera device at a shooting location and encompassing a shooting area, identifying a shooting area using positional and orientational detectors of the mobile camera device and known camera properties and recording a definition of the shooting area, and sending the captured photograph or video to a server system. Either at the mobile camera device or at the server system, the presence of peer mobile devices within the shooting area is identified using positional information reported by those peer mobile devices, and the captured photograph or video is tagged with identities associated with those peer mobile devices.

Abstract: There are provided measures for enabling event scene identification in a group event, in particular in a content storing and sharing service with a central storage. Such measures could exemplarily comprise tracking a rate of submissions for a group event from one or more agent devices of participants in the group event to a central storage, the submission from an agent device including content data relating to an event scene in the group event, detecting a time period of the event scene in the group event on the basis of the tracked rate of submissions for the group event, and detecting the location of the event scene in the group event on the basis of meta data for the content data of the submissions, said meta data relating at least to a location of the event scene in the group event.

Abstract: A method of discovering suspect IP addresses, the method including, at a client computer: monitoring the computer for malware; on detection of malware, obtaining a list of IP addresses with which a connection has been made or attempted at the client computer within a preceding time frame; sending the list of IP addresses to a central server; and receiving from the central server a blacklist of suspect IP addresses to allow the client computer to block connections with IP addresses within said blacklist

Abstract: According to a first aspect of the present invention there is provided a method of scanning a computer system for malware. The method includes determining when an application being executed on the computer system is attempting to open a file, adding data written to the open file by the application into a malware scanner queue, and ensuring that the application has been notified that the file has been closed before scanning the queued file data to determine if it relates to potential malware.

Abstract: A method and apparatus for populating a trusted files database for an anti-virus application. A determination is made from several files stored in a file system of a set of files likely to be accessed from the file system. For each file that is likely to be accessed from the file system, a further determination is made to ascertain if the file is trusted by the anti-virus application. If the file is likely to be accessed from the file system, and is trusted, then it is identified in a trusted files database. By only including files that are likely to be accessed by the file system, the time to populate the trusted files database is greatly reduced.

Abstract: In accordance with an example embodiment of the present invention, there is provided an apparatus, comprising: at least one processor; and at least one memory including executable instructions. The at least one memory and the executable instructions are configured to, in cooperation with the at least one processor, cause the apparatus to perform at least the following: during the loading of an operating system, loading a boot time driver installed by an anti-virus application; reading a master boot record data by the boot time driver as soon as the operating system is ready to handle the request for reading the master boot record data; analyzing the collected master boot record data to identify any malicious entities; and in the event that malicious entities are identified, controlling the behavior of the processing system in order to disable the malicious entity.