Abstract: An arrangement and a method of threat detection in a computer or computer network, which method includes providing an thread and/or process to be analyzed for malware to a sandbox environment monitoring attempts of the thread or the process to create remote threads in the sandbox environment, and adding newly created thread(s) to a list of monitored threads, monitoring threads on the list of the monitored threads, providing a result of the malware analysis of the thread or the process on the basis of the execution in the sandbox environment based on the monitored threads, identifying the thread or the process as malicious or suspicious on the basis of the provided result, and taking an action for protecting the computer from the thread or the process identified as malicious or suspicious.

Abstract: Disclosed is an arrangement and a method, e.g. a computer implemented method, of threat detection in a computer or computer network, wherein the method includes determining that an application is starting at a computer, such as a network node or an endpoint, intercepting the application start, identifying the risk rating of the application, based on the identified risk rating of the application creating a snapshot of the computer if the risk rating of the application is high, such as above a certain risk rating threshold value, and/or if the risk rating of the application is unknown, and allowing the application to run after the identification of the risk rating of the application. If the application is determined to be malware when the application is running, stopping the application, removing the malware and reverting changes made to the computer based on the snapshot of the computer.

Abstract: An arrangement and a method of threat detection in a computer or computer network in which a virtual machine or a software emulator is started and/or initialized in response to starting a software application at a local machine. The software application is passed to the virtual machine or the software emulator. The software application is started at the virtual machine or the software emulator, and changes made by the software application run on the local machine to at least one file and/or system configuration value, e.g. registry value, of the local machine are determined and backed-up. Application events and/or behavior is analyzed at the virtual machine or the software emulator to determine malicious behavior of the application. Based on the detected malicious behavior of the software application at the virtual machine or the software emulator, the local machine is notified about the malicious behavior and the virtual machine or the software emulator session is ended.

Abstract: There is provided a method for application behaviour control on a computer system. The method includes grouping applications into a set of clusters, wherein each application is grouped to a specific cluster on the basis of predefined event profiles for applications in the specific cluster; monitoring procedures that a specific cluster performs on one or more computer devices; and generating a list of expected events and prohibited events of the specific cluster based on monitoring for enabling the one or more client computer devices and/or an administrator of the one or more client computer devices to take further action related to the applications installed on the one or more client computer devices.

Abstract: There is provided a method for application behaviour control on a computer system. The method includes grouping applications into a set of clusters, wherein each application is grouped to a specific cluster on the basis of predefined event profiles for applications in the specific cluster; monitoring procedures that a specific cluster performs on one or more computer devices; and generating a list of expected events and prohibited events of the specific cluster based on monitoring for enabling the one or more client computer devices and/or an administrator of the one or more client computer devices to take further action related to the applications installed on the one or more client computer devices.

Abstract: A method of capturing photographs or videos and associated metadata. The method includes capturing a photograph or video using a mobile camera device at a shooting location and encompassing a shooting area, identifying a shooting area using positional and orientational detectors of the mobile camera device and known camera properties and recording a definition of the shooting area, and sending the captured photograph or video to a server system. Either at the mobile camera device or at the server system, the presence of peer mobile devices within the shooting area is identified using positional information reported by those peer mobile devices, and the captured photograph or video is tagged with identities associated with those peer mobile devices.

Abstract: A method of discovering suspect IP addresses, the method including, at a client computer: monitoring the computer for malware; on detection of malware, obtaining a list of IP addresses with which a connection has been made or attempted at the client computer within a preceding time frame; sending the list of IP addresses to a central server; and receiving from the central server a blacklist of suspect IP addresses to allow the client computer to block connections with IP addresses within said blacklist.

Abstract: A method of protecting a computer against malware infection. The method includes during operation of the computer, reading master boot record code from a removable storage device into the computer and inspecting said code to identify any instructions associated with suspicious behaviour. In the event that suspicious instructions are identified, the master boot record code on the removable storage device is modified and/or the behaviour of the computer adapted in order to prevent said master boot record code installing malware into the computer. Examples of suspicious behaviour include hard disk read or write operations.

Abstract: In accordance with an example embodiment of the present invention, there is provided an apparatus, comprising: at least one processor; and at least one memory including executable instructions. The at least one memory and the executable instructions are configured to, in cooperation with the at least one processor, cause the apparatus to perform at least the following: during the loading of an operating system, loading a boot time driver installed by an anti-virus application; reading a master boot record data by the boot time driver as soon as the operating system is ready to handle the request for reading the master boot record data; analyzing the collected master boot record data to identify any malicious entities; and in the event that malicious entities are identified, controlling the behavior of the processing system in order to disable the malicious entity.

Abstract: A method of updating an anti-virus application including an updatable module running on a client terminal. The method includes receiving an update at the client terminal, initializing the updatable module within a sandbox environment and applying the update to the updatable module. Control tests are then run on the updated sandboxed module and if the control tests are passed, the updated module is brought out of the sandbox environment and normal scanning is allowed to proceed using the updated module. If the control tests are not passed, however, normal scanning using the updated module is prevented.

Abstract: First data relating to a selected file is obtained. Based upon the first data it is determined if malware detection processing can be selected. Malware detection processing of the file is selected based upon said first data if it is determined that malware detection processing can be selected based upon the first data. If it is determined that, based upon the first data, malware detection processing cannot be selected based upon the first data, second data relating to the selected file is obtained and malware detection processing of the file is selected based upon said first and second obtained data. The selected malware detection processing is applied to said selected file. In an exemplary embodiment the first data is metadata and represents a faster scan of the file, and the second data is content of the file's header and represents a more in-depth scan of the file.

Abstract: A method of capturing photographs or videos and associated metadata. The method includes capturing a photograph or video using a mobile camera device at a shooting location and encompassing a shooting area, identifying a shooting area using positional and orientational detectors of the mobile camera device and known camera properties and recording a definition of the shooting area, and sending the captured photograph or video to a server system. Either at the mobile camera device or at the server system, the presence of peer mobile devices within the shooting area is identified using positional information reported by those peer mobile devices, and the captured photograph or video is tagged with identities associated with those peer mobile devices.

Abstract: There are provided measures for enabling event scene identification in a group event, in particular in a content storing and sharing service with a central storage. Such measures could exemplarily comprise tracking a rate of submissions for a group event from one or more agent devices of participants in the group event to a central storage, the submission from an agent device including content data relating to an event scene in the group event, detecting a time period of the event scene in the group event on the basis of the tracked rate of submissions for the group event, and detecting the location of the event scene in the group event on the basis of meta data for the content data of the submissions, said meta data relating at least to a location of the event scene in the group event.

Abstract: A method of discovering suspect IP addresses, the method including, at a client computer: monitoring the computer for malware; on detection of malware, obtaining a list of IP addresses with which a connection has been made or attempted at the client computer within a preceding time frame; sending the list of IP addresses to a central server; and receiving from the central server a blacklist of suspect IP addresses to allow the client computer to block connections with IP addresses within said blacklist

Abstract: According to a first aspect of the present invention there is provided a method of scanning a computer system for malware. The method includes determining when an application being executed on the computer system is attempting to open a file, adding data written to the open file by the application into a malware scanner queue, and ensuring that the application has been notified that the file has been closed before scanning the queued file data to determine if it relates to potential malware.

Abstract: A method and apparatus for populating a trusted files database for an anti-virus application. A determination is made from several files stored in a file system of a set of files likely to be accessed from the file system. For each file that is likely to be accessed from the file system, a further determination is made to ascertain if the file is trusted by the anti-virus application. If the file is likely to be accessed from the file system, and is trusted, then it is identified in a trusted files database. By only including files that are likely to be accessed by the file system, the time to populate the trusted files database is greatly reduced.

Abstract: In accordance with an example embodiment of the present invention, there is provided an apparatus, comprising: at least one processor; and at least one memory including executable instructions. The at least one memory and the executable instructions are configured to, in cooperation with the at least one processor, cause the apparatus to perform at least the following: during the loading of an operating system, loading a boot time driver installed by an anti-virus application; reading a master boot record data by the boot time driver as soon as the operating system is ready to handle the request for reading the master boot record data; analyzing the collected master boot record data to identify any malicious entities; and in the event that malicious entities are identified, controlling the behavior of the processing system in order to disable the malicious entity.

Abstract: According to a first aspect of the present invention there is provided a method of scanning for malware during execution of an application on a computer system. The method includes detecting accesses by the application to files within a common directory, using the detected accesses to identify one or more groups of files within said common directory that the application may subsequently want to access, and scanning said one or more groups of files for malware prior to the application attempting to access files of the group or groups.

Abstract: According to a first aspect of the present invention there is provided a method of operating a computer to detect malware, which malware writes a copy of an executable file to a non-volatile memory of the computer and creates a launch point that causes that executable file to be run at start-up of the computer. The method includes, during the shutdown procedures of the computer, monitoring the creation and/or modification of any launch points and, for any such modification or creation, saving a further copy of any executable file associated with the launch point to the non-volatile memory, and, following a subsequent start-up of the computer, examining said further copy to determine if it is potential malware.

Abstract: A computer-implemented method of scanning a plurality of files stored in a memory of a computer for malware. The computer includes a processor. The method includes, for each respective file of said plurality of files in said memory determining, using said processor, whether a relationship between the respective file and stored data satisfies a predetermined criterion. The stored data indicates one or more files determined not to contain malware and for which data associated with each of said one or more files has a predetermined characteristic. If the relationship satisfies the predetermined criterion, the respective file is processed according to said first processing method and if said relationship does not satisfy said predetermined criterion, the respective file is processed according to said second processing method.