Abstract:
An attachment to an e-mail message received at an e-mail gateway is scanned by a scan server and then is converted into an HTML file. The HTML file includes preview data of the attachment (minus any macro scripts), the entire original data of the attachment, scan functionality enabling a user to send the attachment back to a scan server for a second scan, or extract functionality enabling a user to extract the original attachment data for saving or opening in an application. The recipient is able to open or save the attachment directly if he or she believes it comes from a trusted sender. If the attachment seems suspicious, the recipient previews the attachment first before performing a scan, opening the attachment or deleting it. The recipient performs a scan of the attachment by clicking a “scan” button to send the attachment to a backend server for a second scan where an updated virus pattern file may be available to detect any zero-day malware.
Abstract:
A mobile virtualization application allows a VR application user to access basic mobile telephone functions from within a third-party VR application. This virtualization application may be a virtualization plugin or an independent application that virtualizes mobile functions and creates VR models. The virtualization plugin bridges the VR application and the mobile telephone operating system, allowing the user to use basic mobile telephone functions directly in the VR application. VR application users can read their incoming text messages, e-mail messages, application notifications, etc., directly in the form of a VR model, and they can use a VR application input device to control basic mobile telephone functions in order to send messages, control a camera, etc.
Abstract:
Applications running in an API-proxy-based emulator are prevented from infecting a PC's hard disk when executing file I/O commands. Such commands are redirected to an I/O redirection engine instead of going directly to the PC's normal operating system, where they could potentially harm files on the hard disk. The redirection engine executes the file I/O command using a private storage area on the hard disk that is not accessible by the PC's normal operating system. If a file that is the subject of a file I/O command from an emulated application is not in the private storage area, a copy is made from the original that is presumed to exist in the public storage area. This copy is then acted on by the command and is stored in the private storage area, which can be described as a controlled, quarantined storage space on the hard disk. In this manner the PC's (or any computing device's) hard disk is defended from potential malware that may originate from applications running in emulated environments.
Abstract:
Host name raw data from access logs of computers is grouped into distinct groups. At least one feature, an alphanumeric or alphabetic-only digest, is extracted from each group and its characters are ordered depending upon their frequency of use. Sampling is performed upon host names from a database of known normal host names to generate groups of randomly selected host names. Similar digests are also extracted from these groups. The digest from the raw data is compared to each of the digests from the normal host names using a string matching algorithm to determine a value. If the value is above a threshold then it is likely that the host names from the raw data group are domain-generated. The suspect host names are used to reference the raw data access log in order to determine which user computers have accessed these host names and these user computers are alerted.
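The steps of this abstract, worked through in Python as an added example (not code from the patent or its assignee): raw host names are grouped by client computer (a grouping assumption), a frequency-ordered digest is extracted per group, digests of randomly sampled known-normal host names are built, and the dissimilarity to the closest normal digest is computed with a longest-common-subsequence string match (the matching algorithm, the 0.8 threshold, the group size and all log and host-name data are assumptions constructed for the example).

```python
import random
from collections import Counter, defaultdict
# Constructed access-log records (client computer, requested host name); not real traffic.
ACCESS_LOG = [
    ("10.0.0.5", "xq7zk2jv.com"), ("10.0.0.5", "9wjq4zxk.net"), ("10.0.0.5", "kz3vq8xw.org"),
    ("10.0.0.5", "jx6wk1qz.com"), ("10.0.0.5", "vq2zj9xk.biz"), ("10.0.0.5", "w5kqx3jz.com"),
    ("10.0.0.7", "google.com"), ("10.0.0.7", "github.com"), ("10.0.0.7", "reddit.com"),
    ("10.0.0.7", "spotify.com"), ("10.0.0.7", "debian.org"), ("10.0.0.7", "python.org"),
]
# Constructed stand-in for the database of known normal host names.
NORMAL_HOSTS = [
    "google.com", "microsoft.com", "apple.com", "reddit.com", "adobe.com", "oracle.com",
    "github.com", "yahoo.com", "instagram.com", "salesforce.com", "spotify.com", "paypal.com",
    "cloudflare.com", "ubuntu.com", "debian.org", "python.org", "openai.com", "stanford.edu",
    "cisco.com", "intel.com", "nasa.gov", "bloomberg.com", "pinterest.com", "discord.com",
    "target.com", "costco.com", "chase.com", "fidelity.com", "coursera.org", "duolingo.com",
]

def digest(hostnames, alphabetic_only=False):
    """Digest feature: characters of the leftmost labels, ordered by descending frequency (ties alphabetical)."""
    counts = Counter(ch for h in hostnames for ch in h.lower().split(".")[0] if ch.isalpha() or (ch.isdigit() and not alphabetic_only))
    return "".join(sorted(counts, key=lambda c: (-counts[c], c)))

def lcs_len(a, b):
    """Longest-common-subsequence length: the string-matching measure assumed here."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def normal_digests(group_size=8, n_groups=20, seed=1):
    """Sample random groups of known-normal host names and digest each one."""
    rng = random.Random(seed)
    return [digest(rng.sample(NORMAL_HOSTS, group_size)) for _ in range(n_groups)]

def dga_value(group, normals):
    """Dissimilarity to the closest normal digest: 0 = identical ordering, 1 = no characters in common."""
    d = digest(group)
    return min(1.0 - lcs_len(d, nd) / max(len(d), len(nd), 1) for nd in normals)

def suspect_clients(log, normals, threshold=0.8):
    """Group the log by client (assumption), score each group, return flagged clients with their host names."""
    by_client = defaultdict(list)
    for client, host in log:
        by_client[client].append(host)
    return {c: hosts for c, hosts in by_client.items() if dga_value(hosts, normals) > threshold}
```

The returned mapping is the final step of the abstract: the flagged host names referenced back to the access log give the user computers to alert.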
Abstract:
An emulator on a host computer includes a static analysis module that analyzes executable code of a suspicious sample to determine whether the code identifies that a particular packing program (packer) has packed the sample. Once identified, a custom configuration file is generated that identifies particular API hooks or instructions that should be disabled (or enabled) so that the sample file cannot use these hooks or instructions to detect that it is executing within an emulator. The emulator (such as a virtual machine or sandbox) is configured using the configuration file. The suspicious sample is then executed and its behaviors are collected. The sample is prevented from detecting that it is operating within an emulator and thus prevented from terminating prematurely. Malicious behaviors are scored, and a total score indicates whether or not the suspicious sample is malicious. Static analysis identifies signatures, instructions or strings.
Abstract:
A gesture performed by the user with a mobile device is required for authorized access to the mobile device. An activating motion is performed to trigger authentication mode. Sensors detect the current geographic location of the device and a gesture performed by the user. The geographic location and the gesture are matched against stored data. Optionally, access is authorized if the detected data fall within a tolerance range for both the geographic location and the gesture. Various techniques to permit different access levels are implemented based upon the type of gesture performed or the location where it is performed. During authentication setup, a gesture performed at a particular geographic location is stored in the device. Performing the same gesture multiple times allows tolerance ranges to be established.
Abstract:
A policy to be used by a malware prevention system is created from multiple events triggered by malware. A sample of malicious computer code or malware is executed in a computer system having a kernel space and a user space. Event data relating to multiple events caused by the malicious code executing on the computer system are captured and stored. The event data is configured using a specific property that facilitates malware behavior analysis. A behavior list is then created utilizing the multiple events and associated event data. The behavior list, together with data in a malware behavior database, is used to derive a policy for use in a malware prevention system. The computer system is free of any malicious code, including viruses, Trojan horses, or any other unwanted software code. The malicious computer code executes without any constraints so that the execution behavior of the malicious code may be observed and captured. Critical events are selected based on the user's expertise and experience in dealing with malware, and a sequential stream of the events, in the order in which they occur, is created.
Abstract:
A computer network of an enterprise includes a central management computer linking at least one trusted host computer with at least one user computer. The trusted host computer is not used for normal day-to-day activities within the enterprise, and may also not be used for reading electronic mail or for accessing the Internet and downloading Web site content. Antivirus software on the user computer screens for suspect activity or features and, if found, the suspect activity or features are compared to a rules database. If a determination of malware cannot be made, then these unresolved activities or features are sent to the central management computer to be compared to the trusted, known activities and features of the trusted computer. The suspect activities may be deemed acceptable if the activities are shared amongst a certain number of user computers all configured to perform the same function. A user computer may also be compared against itself over time.
Abstract:
A user creates a pattern in a two-dimensional grid by entering a password, and also enters a user name. This user name, password and pattern are stored locally on a computing device or are transmitted to a remote computer server for later authentication. Upon authentication, a choice of input grids is displayed. The user chooses a grid, enters the password into the grid in the form of the pattern, and also enters the user name. The computer retrieves the previously stored pattern and password using the user name. A match with the stored password indicates authentication. Each cell of the input grid may contain more than one symbol of the password. The input grid may also be filled with random characters to improve security. A grid may be a rectangular matrix, a circular region, an asymmetrical region, or another shape.
Abstract:
Antivirus software detects malware on a computer and the landing time of the malware is determined; a time window around the landing time is determined. Optionally requiring the landing time of the malware to be before the installation time of the antivirus software eliminates false positives. Any files of the computer system that have a creation time within the time window are suspect. If the prevalence value and the maturity value of a suspect file are both below their respective thresholds, then it is concluded that the file is malware and it is deleted. No virus signature or virus pattern that matches the deleted file need be relied upon or used. The detected malware may be the original mother file or a dropped file. An online prevalence and maturity database is used. The launching time of the malware may be used instead of the landing time.