Abstract:
The present invention is directed to a method for emulating an executable code, whether it is a human-readable code (e.g., macro and script) or a compiled code (e.g., Windows executable). At design time, one or more content attributes are defined for the variables of the code. A content attribute indicates a property with relevance to maliciousness, e.g. Windows directory, a random value, “.EXE” at the right of a string, etc. A content attribute may be implemented, for example, by a flag. Also defined at design time is a list of malicious states, where a malicious state comprises at least the combination of a call to a certain system function with certain content as the calling parameter(s). When emulating an assignment instruction, the attributes of the assigned variable are set according to the assigned content. When emulating a mathematical operator, a content mathematics is also applied. When emulating a function call, the current state (i.e. the function identity and the calling content and values) is compared with the pre-defined malicious states, and if at least one malicious state corresponds, then the maliciousness of the code is determined.
Abstract:
A method and system for indicating an executable as a Trojan Horse, based on the CRC values of the routines of the executable. The method comprises a preliminary stage in which the CRC values of the routines of known Trojan Horses are gathered in a database, and a stage in which the executable is indicated as a Trojan Horse according to the correspondence of the CRC values of its routines to the CRC values of the known Trojan Horses gathered in said database. The system comprises means for calculating the CRC values of routines; means for identifying the borders of the routines of an executable; a database system for storing the CRC values of routines of known Trojan Horses; and means for determining the correspondence between two groups of CRC values, thereby enabling detection of the correspondence of an executable to at least one known Trojan Horse.
Abstract:
A method for preventing activating a malicious object passing through a checkpoint, and decreasing the overall inspection delay thereof, the method comprising the steps of: (a) at the checkpoint, creating an envelope file, being an executable file comprising: the object; code for extracting the object from the envelope file; and an indicator for indicating the integrity of the object; (b) forwarding the envelope file instead of the object toward its destination, while holding at least a part of the envelope file which comprises the indicator; (c) inspecting the object; and (d) setting the indicator on the envelope file to indicate the inspection result thereof, and releasing the rest of the envelope file.
Abstract:
The present invention relates to a method for preventing exploiting an email message and a system thereof. The method comprises: decomposing the email message to its components; for each of the components, correcting the structural form (e.g. structure, format, and content) of the component to comply with common rules thereof whenever the structural form of the component deviates from the rules; and recomposing the email message from its components (in their recent state). The rules relate to email messages structure, for preventing malformed structure of email messages, for preventing exploiting an email message, etc. In cases where the structural form of the component cannot be identified, the component may not be included within the recomposed email message, or may be included as is in the recomposed email message.
Abstract:
In an inspection facility (e.g. at a gateway server, at a proxy server, at a firewall to a network, at an entrance to a local area network or even at the user's computer) connected to an anti-virus center for updates, a method for protecting a computer from suspicious objects (e.g. a file, an executable, a Web page, an email message, etc.), the method comprising the steps of: inspecting an object; upon determining the object as suspicious, holding the object in quarantine (e.g. preventing the object from being forwarded to its destination) for a time period, thereby enabling the inspection facility to be updated during the time period by the anti-virus center; upon ending of the time period, re-inspecting the object, thereby inspecting the object by updated inspection tests; and upon determining the object as malicious by the re-inspection, blocking the object, otherwise forwarding the object toward its destination.
Abstract:
In one aspect, the present invention is directed to a method for identifying and blocking spam email messages at an inspecting point, the method comprises the steps of: measuring the flow rate of email messages sent from an originator through the inspecting point; and if the measured flow rate exceeds a given threshold, email messages transmitted from the originator are classified as spam and/or the originator is classified as a spammer. In another aspect, the present invention is directed to a system for identifying and blocking spam email messages at an inspecting point, the system comprising: a spam detector, for classifying an email message as spam-suspected; a flow rate calculator, for calculating a flow rate of spam-suspected email messages that have reached the inspecting point; a spam indicator, for classifying spam-suspected email messages as spam by their flow rate and a threshold thereof.
Abstract:
A smart card—host system that operates without the intermediation of a smart card reader. The smart card—host system comprises a host, which has a USB interface, and a portable device, which provides smart card function(s). The portable device has a smart card chip for performing the smart card function(s); a USB interface for connecting the portable device with the host via USB protocol; and a microprocessor for controlling the transfer of data between the USB interface and the smart card chip, for converting data from a USB format to the format of the smart card chip and for converting data from the format of the smart card chip to a USB format.
Abstract:
This invention discloses a cable apparatus for use in conjunction with a computer system having a first socket disposed in the rear thereof in order to accommodate at least one cable without occupying a workspace of a user of the computer system, and a frequently disconnected peripheral unit which includes a second socket via which a peripheral unit is frequently connected to the computer system and frequently disconnected therefrom, the cable apparatus including a cable, at a first end of the cable, a third socket mating with the first socket, and at a second end of the cable, the cable includes a fourth socket mating with the second socket and a cable end adherent operative to attach the second end of the cable to a user-selected surface within the workspace.