Abstract: Security is provided for a client by replacing a volume boot module adapted to execute during a boot process of the client with a repair module. The client is booted to start the boot process and to execute a master boot module. The repair module is executed in place of the volume boot module. The repair module determines whether the master boot module is infected with malware. If the master boot module is infected, the repair module repairs the malware infection by disabling and/or removing the malware.

Abstract: A valid entry point for each boot driver running under an operating system is gleaned. When the operating system is rebooted, a security boot driver is loaded prior to loading other boot drivers. The security boot driver reads the actual entry points of each boot driver, before the boot drivers have run. The security boot driver compares the actual entry points to the corresponding valid entry points. Responsive to an actual entry point not matching its corresponding valid entry point, it is determined that the boot driver is infected. Infected boot drivers are corrected, by replacing their actual entry points with the corresponding, valid entry points. After infected boot drivers have been corrected, the infecting malicious code can be identified and disabled. Sections of boot drivers other than entry points can be gleaned, read and compared, up to entire boot drivers.

Abstract: Upon detection of a rootkit, a host computer system is rebooted. The boot process is interrupted. Access to a media, e.g., a volume or disk, containing the rootkit is gained and the media is directly accessed. The rootkit is disabled, e.g., renamed or deleted, and the host computer system is rebooted a second time. If the rootkit has not been previously removed, e.g., only renamed, the rootkit is removed, e.g., using a conventional antivirus application. Thus, upon detection of a rootkit, the rootkit is removed without a clean boot.

Abstract: Methods, apparati, and computer-readable media for associating computer network identifications with network policies. A plurality of network detectors (3) are coupled to a client computer (1). A network probe (4), coupled to the network detectors (3), associates each network identification revealed by a network detector (3) with a netspec. A netspec database (6), coupled to the network probe (4), associates netspecs with locations. A policy guide (8), coupled to the network probe (4), associates network identifications with locations. A network interface module (9), coupled to the policy guide (8), implements network policies based upon locations.