1. Methods and systems for detecting obfuscated executables
    Granted patent (in force)
    Publication number: US09135442B1
    Publication date: 2015-09-15
    Application number: US12130827
    Filing date: 2008-05-30
    Applicant: Mark Kennedy
    Inventor: Mark Kennedy
    IPC classification: G06F9/44 G06F21/56 G06F9/445
    CPC classification: G06F21/563 G06F9/44589

    Abstract: A computer-implemented method for detecting an obfuscated executable may include identifying an executable file programmed to execute on a target architecture. The method may also include disassembling a first section of the executable file and determining whether the first section of the executable file comprises a valid instruction. The method may further include determining, based on whether the first section of the executable file comprises a valid instruction, whether the executable file poses a security risk. Various other methods, computer-readable media, and systems are also disclosed.

2. Systems and methods for reducing false positives produced by heuristics
    Granted patent (in force)
    Publication number: US08635171B1
    Publication date: 2014-01-21
    Application number: US12542099
    Filing date: 2009-08-17
    Applicant: Mark Kennedy
    Inventor: Mark Kennedy
    IPC classification: G06F15/18

    Abstract: An exemplary method for reducing false positives produced by heuristics may include: 1) training a heuristic using a set of training data, 2) deploying the heuristic, 3) identifying false positives produced by the heuristic during deployment, and then 4) tuning the heuristic by: a) duplicating at least a portion of the false positives, b) modifying the training data to include the duplicate false positives, and c) re-training the heuristic using the modified training data. Corresponding systems and computer-readable media are also disclosed.

3. Malware detection efficacy by identifying installation and uninstallation scenarios
    Granted patent (in force)
    Publication number: US08578345B1
    Publication date: 2013-11-05
    Application number: US12761364
    Filing date: 2010-04-15
    IPC classification: G06F9/44 G06F9/445 G06F11/00
    CPC classification: G06F21/566 G06F21/57

    Abstract: The launch of an installer or uninstaller is detected. A process lineage tree is created representing the detected launched installer/uninstaller process, and all processes launched directly and indirectly thereby. The detected installer/uninstaller process is represented by the root node in the process lineage tree. Launches of child processes by the installer/uninstaller process and by any subsequently launched child processes are detected. The launched child processes are represented by child nodes in the tree. As long as the installer/uninstaller process represented by the root node in the tree is running, the processes represented by nodes in the tree are exempted from anti-malware analysis. The termination of the installer/uninstaller process is detected, after which the processes represented by nodes in the process lineage tree are no longer exempted from anti-malware analysis.

4. Systems and methods for identifying an executable file obfuscated by an unknown obfuscator program
    Granted patent (in force)
    Publication number: US08205263B1
    Publication date: 2012-06-19
    Application number: US12335890
    Filing date: 2008-12-16
    Applicant: Mark Kennedy
    Inventor: Mark Kennedy
    CPC classification: G06F21/564

    Abstract: A method for analyzing an unverified executable file within an antivirus engine in order to identify the executable file as being obfuscated by an unknown obfuscator program is described. An unverified executable file comprising obfuscated library strings is received. A list of pre-verified library strings is accessed. A determination is made as to whether the unverified executable file comprises one or more of the pre-verified library strings. The unverified executable file is identified as being obfuscated by an unknown obfuscator program if the file does not comprise one or more of the pre-verified library strings.

5. Stealth threat detection
    Granted patent (in force)
    Publication number: US07934259B1
    Publication date: 2011-04-26
    Application number: US11290235
    Filing date: 2005-11-29
    Applicant: Mark Kennedy
    Inventor: Mark Kennedy
    CPC classification: G06F21/554

    Abstract: A stealth threat detection manager detects stealth threats. The stealth threat detection manager monitors system activities that are vulnerable to being used by stealth threats. Dynamic link libraries are often used by stealth threats, so in some embodiments the stealth threat detection manager monitors for the loading thereof. The stealth threat detection manager detects when a system activity being monitored occurs, and after the occurrence of the activity, determines whether a specific component associated with the activity (e.g., the dynamic link library being loaded) is accessible on the computer. If the component is accessible, the stealth threat detection manager concludes that the component is non-stealthed. On the other hand, if the component is not accessible, the stealth threat detection manager concludes that the component is a stealth threat, and takes appropriate action in response.

6. Method and apparatus for detecting hidden rootkits
    Granted patent (in force)
    Publication number: US07665123B1
    Publication date: 2010-02-16
    Application number: US11292687
    Filing date: 2005-12-01
    IPC classification: G06F12/14 G06F11/00

    Abstract: In one embodiment an IO request packet (IRP) attempting to access a computer disk is evaluated to determine if the request identifies an area of a computer disk to be accessed that is marked as bad in a file system. When the request identifies an area of the computer disk to be accessed that is marked as bad in a file system, the request is assumed to be indicative of a rootkit. In another embodiment an IO request packet is evaluated to determine if the request identifies an area of the computer disk to be accessed that was not identified in requests detected in the file system level of the kernel. When the stalled request identifies an area of the computer disk to be accessed not detected in requests detected in the file system level of the kernel, the request is assumed to be indicative of a rootkit.

7. Blocking e-mail propagation of suspected malicious computer code
    Granted patent (in force)
    Publication number: US07490244B1
    Publication date: 2009-02-10
    Application number: US10941527
    Filing date: 2004-09-14
    IPC classification: H04L9/00

    Abstract: Methods, apparatuses, and computer-readable media for preventing the spread of malicious computer code. An embodiment of the inventive method comprises the steps of: identifying (110) a computer application that is data mining an e-mail address; determining (130) whether the computer application associates at least one executable application and the data mined e-mail address with an e-mail message (120); and blocking (140) the transmission of the e-mail message when the e-mail message is associated with the at least one executable application and the data mined e-mail address.

8. Clamp and method of making same
    Patent application (pending, published)
    Publication number: US20050048640A1
    Publication date: 2005-03-03
    Application number: US10921824
    Filing date: 2004-08-20

    Abstract: A clamp includes a hoop section and actuating elements. The hoop section forms a cavity for holding a tubular object. The hoop section has first and second ends. First and second actuating elements are respectively coupled with the first and second ends of the hoop section. Squeezing the ends of the actuating members together causes the hoop section to expand to facilitate installation of the clamp onto an object to be clamped and removal of the clamp from the object. Thus, the clamping force generated by the clamp is limited by the restoring forces inherent in the shape, size, and material of the hoop section when the actuating members are released. The actuating members include expansion limiting extensions which contact each other after a prescribed amount of expansion of the hoop section to thereby prevent further expansion, and possible yielding, of the hoop section. The clamp can be employed as an anti-rotation device secured to a syringe of a syringe pump.

9. Methods and systems for detecting rootkits
    Granted patent (in force)
    Publication number: US08230500B1
    Publication date: 2012-07-24
    Application number: US12163731
    Filing date: 2008-06-27
    IPC classification: G06F12/14 G06F11/00
    CPC classification: G06F21/566

    Abstract: A computer-implemented method for detecting rootkits. The method may include identifying, from a control platform, a first directory listing. The first directory listing may be associated with a file system. The method may include identifying, from a target platform, a second directory listing. The second directory listing may be associated with the file system. The target platform and the control platform may be running concurrently on a computing device. The method may also include detecting a discrepancy between the first directory listing and the second directory listing and determining that the discrepancy is a result of the target platform being infected with a rootkit. Various other methods, systems, and computer-readable media are also disclosed.

10. Malware detection through symbol whitelisting
    Granted patent (in force)
    Publication number: US08176554B1
    Publication date: 2012-05-08
    Application number: US12130206
    Filing date: 2008-05-30
    Applicant: Mark Kennedy
    Inventor: Mark Kennedy
    IPC classification: H04L29/06
    CPC classification: H04L63/145 H04L63/1416

    Abstract: A security module identifies symbols within an executable file. The security module compares these identified symbols to a set of symbols expected to be present in a legitimate executable file. Based at least in part on an identified symbol not being within the set of expected symbols, the security module determines that the executable file poses a heightened security risk. In one embodiment, a remediation module takes an appropriate response to prevent potential malware exploits by the executable file.