Abstract: An endpoint computer in an enterprise network is configured to detect computer security threat events, such as presence of a computer virus. Upon detection of a threat event, the endpoint computer generates computer security threat data for the threat event. The threat data may include user identifiable data that can be used to identify a user in the enterprise network. The endpoint computer encrypts the user identifiable data prior to sending the threat data to a smart protection network or to an enterprise server where threat data from various enterprise networks are collected for analysis. The endpoint computer may also encrypt an identifier for the threat data and provide the encrypted identifier to the smart protection network and to an enterprise server in the enterprise network. The enterprise server may use the encrypted identifier to retrieve the threat data from the smart protection network to generate user-specific reports.

Abstract: Files of computer documents are classified into confidential levels without extracting and analyzing contents of the files. Files created by particular users may be clustered into groups of files based on file characteristics, such as file type (e.g., file extension) and file naming convention. A prediction confidential score may be generated for each group of files. A log of a file retention resource may be consulted to identify files created by users. A file created by a user may be assigned a prediction confidential score of a group of files having the same file characteristic as the file and created by the same user. The prediction confidential score may be used to determine a confidential level of the file when the file is found to be inaccessible.

Abstract: In one embodiment, an authentication protocol used in a network security service is performed over non-secure connection, such as HTTP. A router subscribing to the service may send a service request for information about a URL to a server computer providing the service. The service request may be included in a first data set posted by the router to the server computer. The first data set may be described by an HTML form and include an encrypted device authenticator used by the server computer to validate the router. The first data set may further include a server authentication code. In responding to the service request, the server computer returns the server authentication code to the router along with information about the URL. The response may be in a second data set, such as an XML document sent by the server computer to the router over an HTTP connection.

Abstract: A method and apparatus for improving the system response time when URL filtering is employed to provide security for web access. The method involves gathering the attributes of the user, and pre-populating a local URL-rating cache with URLs and corresponding ratings associated with analogous attributes from a URL cache database. Thus, the cache hit rate is higher with a pre-populated local URL rating cache, and the system response time is also improved.

Abstract: An endpoint computer in an enterprise network is configured to detect computer security threat events, such as presence of a computer virus. Upon detection of a threat event, the endpoint computer generates computer security threat data for the threat event. The threat data may include user identifiable data that can be used to identify a user in the enterprise network. The endpoint computer encrypts the user identifiable data prior to sending the threat data to a smart protection network or to an enterprise server where threat data from various enterprise networks are collected for analysis. The endpoint computer may also encrypt an identifier for the threat data and provide the encrypted identifier to the smart protection network and to an enterprise server in the enterprise network. The enterprise server may use the encrypted identifier to retrieve the threat data from the smart protection network to generate user-specific reports.

Abstract: Content, such as confidential information of an organization, may be protected by automatically categorizing the content. The automatic categorization may be performed by calculating a sensititiy score of the content, the sensitivity score being indicative of whether or not the content is confidential. The sensitivity score may be compared to a threshold. Metadata of the content may be provided to collaborating computers outside the computer network where the content was created. The collaborating computers may compare the metadata to received content to determine if the received content discloses confidential information described by the metadata.

Abstract: In one embodiment, an authentication protocol used in a network security service is performed over non-secure connection, such as HTTP. A router subscribing to the service may send a service request for information about a URL to a server computer providing the service. The service request may be included in a first data set posted by the router to the server computer. The first data set may be described by an HTML form and include an encrypted device authenticator used by the server computer to validate the router. The first data set may further include a server authentication code. In responding to the service request, the server computer returns the server authentication code to the router along with information about the URL. The response may be in a second data set, such as an XML document sent by the server computer to the router over an HTTP connection.

Abstract: Methods and apparatus for rating Uniform Resource Locators (URLs) are disclosed. The method includes determining a request size pertaining to a length of the URL to be rated and for generating a rating request message containing the URL. The rating request message is a DNS (domain name system) message if the request size is less than or equal to a predefined size limitation, and the rating request message is a HTTP (hypertext transfer protocol) message if the request size is greater than the predefined size limitation.

Abstract: A method and apparatus for improving the system response time when URL filtering is employed to provide security for web access. The method involves gathering the attributes of the user, and pre-populating a local URL-rating cache with URLs and corresponding ratings associated with analogous attributes from a URL cache database. Thus, the cache hit rate is higher with a pre-populated local URL rating cache, and the system response time is also improved.

Abstract: A method and apparatus for improving the system response time when URL filtering is employed to provide security for web access. The method involves gathering the attributes of the user, and pre-populating a local URL-rating cache with URLs and corresponding ratings associated with analogous attributes from a URL cache database. Thus, the cache hit rate is higher with a pre-populated local URL rating cache, and the system response time is also improved.

Abstract: In one embodiment, a router inspects at a network layer source addresses of network layer packets flowing through the router. The router compares the source addresses to addresses of computers employed by spammers, and performs a predetermined action on a particular network layer packet having a source address that belongs to a computer of a spammer. The predetermined action may involve dropping the particular network layer packet or limiting the data transfer rate of the particular network layer packet.

Abstract: In one embodiment, a content filtering system scans an incoming data for malicious content against a portion or the entirety of its knowledge base. If the incoming data is not detected to contain malicious content, the incoming data is forwarded to a content filtering agent that may perform further scanning of the incoming data against portions of its knowledge base that were not employed by the content filtering system. This advantageously allows a complete knowledge base to be segmented, with different computers scanning an incoming data using different segments of the knowledge base. The content filtering system and content filtering agent may be antivirus programs, while the knowledge bases may be virus/pattern files, for example.

Abstract: A method and apparatus for improving the system response time when URL filtering is employed to provide security for web access. The method involves gathering the attributes of the user, and pre-populating a local URL-rating cache with URLs and corresponding ratings associated with analogous attributes from a URL cache database. Thus, the cache hit rate is higher with a pre-populated local URL rating cache, and the system response time is also improved.

Abstract: In one embodiment, a content filtering system scans an incoming data for malicious content against a portion or the entirety of its knowledge base. If the incoming data is not detected to contain malicious content, the incoming data is forwarded to a content filtering agent that may perform further scanning of the incoming data against portions of its knowledge base that were not employed by the content filtering system. This advantageously allows a complete knowledge base to be segmented, with different computers scanning an incoming data using different segments of the knowledge base. The content filtering system and content filtering agent may be antivirus programs, while the knowledge bases may be virus/pattern files, for example.

Abstract: A method and apparatus for discovering IP and MAC addresses by an application program in a network. The network includes a number of SNMP-manageable and non-SNMP-manageable devices. Active devices can be discovered by the discovery node through a serial pinging mechanism which populates the MIB of the discovery node with IP and/or MAC addresses of all the devices on the network. An SNMP agent on the network is then used to perform a GetNext request that returns to the process layer the IP and MAC addresses of the non-SNMP manageable and SNMP-manageable devices.

Abstract: A link device establishes links automatically to all 10Base-T and 100Base-TX partners regardless of their capability thereby assuring that the link device establishes links with all partners without the need to select a mode of operation manually. The modes of operation provided include 10Base-T half duplex, 100Base-TX half duplex, and 100Base-TX full duplex. The technique includes an algorithm that assures linkability between 10Base-T and 100Base-TX devices that are not 100% compliant with IEEE 802.3u, Clause 28. Using this algorithm, a link device links with 10Base-T and 100Base-TX half duplex legacy partners. Such devices also link with compliant 10Base-T and 100Base-TX auto-negotiating partners at 100Base-TX full duplex, and with non-compliant 10Base-T and 100Base-TX auto-negotiating devices at 100Base-TX half duplex.