1. Methods and systems for processing web content encoded with malicious code
    Granted patent, in force

    Publication number: US08745742B1

    Publication date: 2014-06-03

    Application number: US12264101

    Filing date: 2008-11-03

    IPC classification: G06F12/14 G06F7/00 G06F17/30

    Abstract: A computer-implemented method for processing web content may comprise receiving web content encoded with malicious steganographic code. Before presenting the web content, the method may comprise modifying the web content to create modified content such that the information conveyed by the malicious steganographic code is at least partially corrupted in the modified content. Additionally, the functionality of the modified content may be at least substantially similar to the functionality of the original web content. Various other methods, computer-readable media, and systems are also disclosed.
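
As an added illustration of the modification step (example code, not the patent's own), the following Python applies the idea to the simplest covert channel, least-significant-bit steganography in a constructed grayscale sample buffer. A payload is embedded, then every LSB is re-randomized before the content is "presented": no sample moves by more than one level, so the content is functionally unchanged, while the attacker's extraction no longer yields the payload. The buffer, the payload and the `scrub_lsb` routine are constructed for this example; a real deployment would re-encode the actual image, script or markup.

```python
import random

# Added example (not from the patent): LSB steganography in a constructed
# grayscale buffer, and a content "modification" that destroys the hidden
# channel while changing no sample by more than one level.

def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide `payload` in the least-significant bit of successive samples."""
    bits = list(_bits(payload))
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(content: bytes, nbytes: int) -> bytes:
    """Read back `nbytes` of payload from the LSBs (what the attacker does)."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for px in content[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (px & 1)
        out.append(byte)
    return bytes(out)

def scrub_lsb(content: bytes, seed: int) -> bytes:
    """Overwrite every LSB with an unpredictable bit before the content is
    presented. Each sample moves by at most one level, so the rendered image
    is functionally the same, but the covert channel is destroyed."""
    rng = random.Random(seed)  # a real deployment would draw from os.urandom
    return bytes((px & 0xFE) | rng.getrandbits(1) for px in content)

def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change the scrub introduced (the 'functionality' check)."""
    return max(abs(x - y) for x, y in zip(a, b))

def corrupted_fraction(expected: bytes, actual: bytes) -> float:
    """Fraction of payload bits the attacker no longer receives correctly."""
    wrong = sum(x != y for x, y in zip(_bits(expected), _bits(actual)))
    return wrong / (8 * len(expected))

if __name__ == "__main__":
    cover = bytes(range(256)) * 2          # constructed 512-sample "image"
    secret = b"exfil"
    stego = embed_lsb(cover, secret)
    print("before scrub:", extract_lsb(stego, len(secret)))
    clean = scrub_lsb(stego, seed=7)
    print("after scrub :", extract_lsb(clean, len(secret)))
    print("max sample delta:", max_sample_delta(stego, clean))
    print("payload bits corrupted:", corrupted_fraction(secret, extract_lsb(clean, len(secret))))
```

The check a practitioner wants is the pair `max_sample_delta` (how much the presented content changed) against `corrupted_fraction` (how much of the covert payload survived); the abstract's "at least partially corrupted" and "substantially similar functionality" are exactly those two numbers. Plain LSB is the easy case: a robust scheme spread over transform coefficients survives this scrub, which is why re-encoding the whole object is the stronger modification.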

2. Methods and systems for detecting rootkits
    Granted patent, in force

    Publication number: US08353058B1

    Publication date: 2013-01-08

    Application number: US12410166

    Filing date: 2009-03-24

    Abstract: A computer-implemented method for detecting rootkits is disclosed. The method may include sending periodic security communications from a privileged-processor-mode region of a computing device. The method may also include identifying at least one of the periodic security communications, and determining, based on the periodic security communications, whether the privileged-processor-mode region of the computing device has been compromised. Various other methods, systems, and computer-readable media are also disclosed.
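
The abstract only says "periodic security communications"; how the receiver decides that the privileged region is compromised is left open. As an added example (not the patent's design), the following Python makes the decision concrete: each beat carries a sequence number and timestamp under an HMAC, and a monitor rejects beats that are forged, replayed, or late, and treats silence past the tolerance as compromise. The key, the beat format and the arrival stream are constructed for this example; the assumption that matters is that the key lives where a kernel-level rootkit cannot read it (a hypervisor, a management controller, or a remote host).

```python
import hmac
import hashlib
import struct

# Added example (not the patent's code). The key is assumed to be held
# outside the monitored privileged region.
KEY = b"constructed-demo-key-not-for-production"
BEAT_LEN = 8 + 8 + 32          # seq || timestamp || HMAC-SHA256

def make_beat(key: bytes, seq: int, ts: float) -> bytes:
    """What the privileged-mode component emits every interval."""
    body = struct.pack(">Qd", seq, ts)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class HeartbeatMonitor:
    """Consumes beats in arrival order and says why each one is rejected."""

    def __init__(self, key: bytes, interval: float, tolerance: float):
        self.key, self.interval, self.tolerance = key, interval, tolerance
        self.last_seq = -1
        self.last_seen = None          # arrival time of the last good beat

    def check(self, beat: bytes, received_at: float) -> str:
        if len(beat) != BEAT_LEN:
            return "malformed"
        body, tag = beat[:16], beat[16:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "forged"                 # sender does not hold the key
        seq, _ts = struct.unpack(">Qd", body)
        if seq <= self.last_seq:
            return "replayed"               # an old beat re-sent to mask silence
        if self.last_seen is not None and \
                received_at - self.last_seen > self.interval + self.tolerance:
            verdict = "late"                # a gap: the region went quiet
        else:
            verdict = "ok"
        self.last_seq, self.last_seen = seq, received_at
        return verdict

    def is_silent(self, now: float) -> bool:
        """True when the next beat is overdue: treat the kernel as compromised."""
        return self.last_seen is not None and \
            now - self.last_seen > self.interval + self.tolerance

def run_demo():
    """Constructed arrival stream exercising every rejection path."""
    mon = HeartbeatMonitor(KEY, interval=1.0, tolerance=0.2)
    verdicts = []
    for seq, t in ((1, 0.0), (2, 1.0), (3, 2.0)):          # three good beats
        verdicts.append(mon.check(make_beat(KEY, seq, t), received_at=t))
    # a beat minted without the key, as a rootkit faking liveness would
    verdicts.append(mon.check(make_beat(b"wrong-key", 4, 3.0), received_at=3.0))
    # a replay of seq 2, captured earlier
    verdicts.append(mon.check(make_beat(KEY, 2, 1.0), received_at=3.05))
    # then nothing until t = 4.5: the genuine sender has been silenced
    silent = mon.is_silent(now=4.5)
    late = mon.check(make_beat(KEY, 4, 4.6), received_at=4.6)
    return verdicts, silent, late

if __name__ == "__main__":
    print(run_demo())
```

The caveat is the trust boundary: if the rootkit can read the key or patch the sender, it can keep the beats flowing, so the scheme detects a rootkit that silences or replaces the privileged component, not one that coexists with it. Putting the sender in a hypervisor, SMM or a separate device is what gives the beats their meaning.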

3. Systems and methods for preventing exploitation of byte sequences that violate compiler-generated alignment
    Granted patent, in force

    Publication number: US08434073B1

    Publication date: 2013-04-30

    Application number: US12263739

    Filing date: 2008-11-03

    CPC classification: G06F21/54

    Abstract: An exemplary method for preventing exploitation of byte sequences that violate compiler-generated instruction alignment may comprise: 1) identifying instantiation of a process, 2) identifying an address space associated with the process, 3) identifying, within that address space, at least one control-transfer instruction, 4) determining that at least one byte preceding the control-transfer instruction is capable of resulting in an out-of-alignment instruction, and then 5) preventing the control-transfer instruction from being executed. In one example, the system may prevent the control-transfer instruction from being executed by replacing the intended (aligned) instruction with a hook that executes the intended instruction and then returns control flow to the instantiated process. Corresponding systems and computer-readable media are also disclosed.
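
Step 4 is the interesting one: a `ret` (0xC3) or `jmp eax` (FF E0) that the compiler never emitted can still sit inside an immediate or displacement, and an attacker who jumps into the middle of the aligned instruction executes it anyway (the usual way return-oriented gadgets are found). The following added example (not the patent's implementation) recovers the compiler-aligned instruction starts with a linear sweep over a constructed subset of x86-32 opcodes, then reports every control-transfer byte sequence that starts off-alignment, together with the intended instruction it hides in. The opcode table, the sample function bytes and the field names are constructed for this example.

```python
# Added example (not the patent's implementation). A minimal linear sweep over
# a constructed subset of x86-32 opcodes; enough to decode the sample below.
FIXED = {                        # opcode -> (length, mnemonic)
    0x55: (1, "push ebp"), 0x5D: (1, "pop ebp"), 0x90: (1, "nop"),
    0xC3: (1, "ret"),      0xC2: (3, "ret imm16"),
    0xB8: (5, "mov eax, imm32"), 0xE8: (5, "call rel32"),
}
MODRM = {0x89: "mov r/m32, r32", 0x31: "xor r/m32, r32", 0xFF: "ff-group"}

def decode_at(code: bytes, off: int):
    """Return (length, mnemonic) of the instruction starting at `off`."""
    op = code[off]
    if op in FIXED:
        return FIXED[op]
    if op in MODRM:
        modrm = code[off + 1]
        if modrm >> 6 != 3:                      # only register-direct forms
            raise ValueError(f"unsupported ModRM {modrm:#x} at {off}")
        name = MODRM[op]
        if op == 0xFF:
            reg = (modrm >> 3) & 7
            name = {2: "call r/m32", 4: "jmp r/m32"}.get(reg, "ff-group")
        return 2, name
    raise ValueError(f"unsupported opcode {op:#x} at {off}")

def linear_sweep(code: bytes):
    """Compiler-aligned instruction starts, as {offset: (length, mnemonic)}."""
    insns, off = {}, 0
    while off < len(code):
        length, name = decode_at(code, off)
        insns[off] = (length, name)
        off += length
    return insns

def control_transfer_kind(code: bytes, off: int):
    """Name the control transfer that would execute if `off` were treated as
    an instruction start, or None if the bytes there are not one."""
    op = code[off]
    if op in (0xC2, 0xC3, 0xCB):
        return "ret"
    if op == 0xFF and off + 1 < len(code):
        reg = (code[off + 1] >> 3) & 7
        return {2: "call", 3: "call", 4: "jmp", 5: "jmp"}.get(reg)
    return None

def find_unaligned_transfers(code: bytes):
    """Control-transfer byte sequences that begin inside an aligned instruction."""
    aligned = linear_sweep(code)
    owner = {}                                   # byte offset -> containing insn
    for start, (length, name) in aligned.items():
        for b in range(start, start + length):
            owner[b] = (start, name)
    findings = []
    for off in range(len(code)):
        kind = control_transfer_kind(code, off)
        if kind and off not in aligned:
            start, name = owner[off]
            findings.append({"offset": off, "kind": kind,
                             "inside": start, "intended": name})
    return findings

# Constructed function body. The two immediates were chosen so that their
# bytes contain 'ret' (C3) and 'jmp eax' (FF E0) when read off-alignment.
SAMPLE = bytes([
    0x55,                               # 0:  push ebp
    0x89, 0xE5,                         # 1:  mov ebp, esp
    0xB8, 0xC3, 0x00, 0x00, 0x00,       # 3:  mov eax, 0x000000C3
    0xB8, 0xFF, 0xE0, 0x00, 0x00,       # 8:  mov eax, 0x0000E0FF
    0x31, 0xC0,                         # 13: xor eax, eax
    0x5D,                               # 15: pop ebp
    0xC3,                               # 16: ret (intended)
])

if __name__ == "__main__":
    for f in find_unaligned_transfers(SAMPLE):
        print(f"unaligned {f['kind']} at +{f['offset']} inside "
              f"'{f['intended']}' at +{f['inside']}")
```

Two caveats a practitioner should keep in mind. A linear sweep is only sound when the region is straight-line code whose start is a real instruction boundary; data interleaved with code, or any opcode the table does not know, breaks the alignment and produces spurious findings, which is why a production implementation leans on the compiler's own disassembly or symbol information. And reporting is the easy half: the patent's step 5, hooking the intended instruction so the stray bytes are never reachable, needs a code-patching mechanism that can run the displaced instruction out of line.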

4. Systems and methods for preventing subversion of address space layout randomization (ASLR)
    Granted patent, in force

    Publication number: US08171256B1

    Publication date: 2012-05-01

    Application number: US12340968

    Filing date: 2008-12-22

    CPC classification: G06F21/52

    Abstract: A method for preventing subversion of address space layout randomization (ASLR) in a computing device is described. An unverified module attempting to load into an address space of the computing device's memory is intercepted. Attributes associated with the unverified module are analyzed. A determination is made, based on the analyzed attributes, whether there is a probability that the unverified module will be loaded into a number of address spaces that exceeds a threshold. If that probability exists, the unverified module is prevented from loading into the address space.
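
The attributes worth analyzing are the ones that decide whether a module can be rebased at all: on Windows that is the `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` flag in the optional header and the `IMAGE_FILE_RELOCS_STRIPPED` flag in the COFF header. A module that lacks the first or carries the second is mapped at its preferred base everywhere, so an attacker who gets it loaded into many processes has a fixed address in all of them. As an added example (not the patent's code), the Python below builds a minimal PE header offline, reads those two flags, and applies a policy in the spirit of the abstract. The header builder, the `should_block_load` policy, its default threshold and the `expected_address_spaces` input (which a real system would estimate from how the module is registered, for instance as a global hook or shell extension) are all constructed for this example.

```python
import struct

# Added example, not from the patent. A minimal PE builder/parser so the
# attribute check runs offline; the load policy and thresholds are assumptions.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040

def build_minimal_pe(characteristics: int, dll_characteristics: int) -> bytes:
    """Constructed PE32 image header: just enough for the fields we inspect."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, characteristics)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def pe_relocation_attributes(image: bytes) -> dict:
    """Read the two header bits that decide whether a module can be rebased."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 60)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    characteristics = struct.unpack_from("<H", image, pe + 22)[0]
    magic = struct.unpack_from("<H", image, pe + 24)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at optional-header offset 70 for PE32 and PE32+
    dll_chars = struct.unpack_from("<H", image, pe + 24 + 70)[0]
    return {
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }

def should_block_load(image: bytes, verified: bool,
                      expected_address_spaces: int, threshold: int = 3) -> tuple:
    """Policy in the spirit of the abstract: an unverified module that cannot
    be rebased and is about to land in many address spaces gives an attacker
    the same address everywhere, so refuse to map it."""
    if verified:
        return False, "verified module"
    attrs = pe_relocation_attributes(image)
    fixed_address = attrs["relocs_stripped"] or not attrs["dynamic_base"]
    if fixed_address and expected_address_spaces > threshold:
        return True, f"unrebasable module predicted in {expected_address_spaces} address spaces"
    return False, "allowed"

if __name__ == "__main__":
    fixed = build_minimal_pe(IMAGE_FILE_RELOCS_STRIPPED, 0)
    print(pe_relocation_attributes(fixed))
    print(should_block_load(fixed, verified=False, expected_address_spaces=12))
```

On a real file the same two flags are what `dumpbin /headers` prints as "Dynamic base" and "Relocations stripped". The policy deliberately lets a verified (signed, known) module through even when it is not rebasable, because plenty of legitimate legacy code is; the risk the abstract targets is the combination of unverified origin, fixed address, and wide spread.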

5. Enforcing expected control flow in program execution
    Granted patent, in force

    Publication number: US08645923B1

    Publication date: 2014-02-04

    Application number: US12263362

    Filing date: 2008-10-31

    IPC classification: G06F9/45

    CPC classification: G06F9/44589 G06F21/52

    Abstract: When a program is loaded for execution, all code pages of the program except the one containing the entry point are set to be non-executable. When the executing program attempts to jump between code pages, an exception is thrown. In response to such an exception, a control flow graph of the program is examined to determine whether the attempted jump between code pages is expected. If the attempted jump is not expected, it is determined that the program is attempting a malicious activity. If the attempted jump is expected, the code page to which the program is attempting to jump is set to be executable, and control is returned to the program so that the jump executes.
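
The mechanism is worth simulating because its blind spot falls straight out of the abstract: a page is checked only on the first transition into it, and once it has been set executable, later jumps into it never fault. The following added example (not the patent's code) models pages, a control-flow graph of expected inter-page edges, and a jump trace standing in for the faults a real implementation would take; the page numbers, the graph and the traces are constructed.

```python
# Added example, not the patent's code. Pages and the control-flow graph are
# constructed; "executing" a jump trace stands in for real page faults.
class ControlFlowEnforcer:
    def __init__(self, entry_page: int, allowed_edges: set):
        self.executable = {entry_page}     # every other code page starts NX
        self.allowed = allowed_edges       # (from_page, to_page) pairs from the CFG
        self.log = []

    def jump(self, src: int, dst: int) -> str:
        if dst in self.executable:
            self.log.append((src, dst, "no fault"))
            return "no fault"              # page already enabled: never checked
        if (src, dst) in self.allowed:
            self.executable.add(dst)       # first expected entry: enable page
            self.log.append((src, dst, "enabled"))
            return "enabled"
        self.log.append((src, dst, "blocked"))
        return "blocked"                   # unexpected inter-page transfer

def run_trace(entry: int, cfg: set, trace: list) -> list:
    """Feed a sequence of (src, dst) page transfers through one enforcer."""
    enf = ControlFlowEnforcer(entry, cfg)
    return [enf.jump(s, d) for s, d in trace]

# constructed CFG: page 0 (entry) calls into page 1, page 1 calls page 2
CFG = {(0, 1), (1, 2), (2, 1), (1, 0)}

BENIGN = [(0, 1), (1, 2), (2, 1), (1, 0)]
# hijack: page 0 transfers straight to page 2, which the CFG never predicts
HIJACK = [(0, 2)]
# blind spot: after page 2 is legitimately enabled, the same bad edge passes
LATE_HIJACK = [(0, 1), (1, 2), (2, 1), (0, 2)]

if __name__ == "__main__":
    print("benign     :", run_trace(0, CFG, BENIGN))
    print("hijack     :", run_trace(0, CFG, HIJACK))
    print("late hijack:", run_trace(0, CFG, LATE_HIJACK))
```

The `LATE_HIJACK` trace is the check to keep in mind when evaluating this class of protection: it catches a transfer into code that has not run yet, which is what a first-stage payload usually needs, but gives no coverage inside a page or into pages that are already warm. Re-protecting pages after a time or count, at the cost of more faults, is the usual way to narrow that window.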

6. Detecting network interface card level malware
    Granted patent, in force

    Publication number: US08112806B1

    Publication date: 2012-02-07

    Application number: US12259212

    Filing date: 2008-10-27

    IPC classification: G06F11/00

    Abstract: Computers are monitored for malware communicating directly with the NIC, and infection with NIC-level malware is detected. Operating-system-level network packet transmission statistics are monitored, as are the transmission counters maintained by the NIC. The operating-system-level transmission statistics are compared to the NIC-level transmission counters over a given period of time. If the NIC counters indicate a greater number of transmissions than is indicated by the operating-system-level statistics, it is concluded that the computer is infected with NIC-level malware.
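
As an added example of the comparison (not the patent's code), the Python below reads the operating-system transmit count from text in the shape of Linux's `/proc/net/dev` and the hardware count from text in the shape of `ethtool -S <iface>`, takes the delta of each over one window, and flags the host when the NIC sent materially more than the stack accounted for. Both snapshots are constructed; the counter name a NIC driver exposes through `ethtool -S` varies, so it is a parameter, and the `slack` allowance is an assumption.

```python
import re

# Added example, not the patent's code. The snapshots below are constructed
# text in the shape of Linux's /proc/net/dev and `ethtool -S <iface>`; the
# counter name the NIC driver exposes varies, so it is a parameter here.

def os_tx_packets(proc_net_dev: str, iface: str) -> int:
    """Operating-system view: tx packets is the 10th field after 'iface:'."""
    for line in proc_net_dev.splitlines():
        if ":" in line and line.split(":", 1)[0].strip() == iface:
            return int(line.split(":", 1)[1].split()[9])
    raise KeyError(iface)

def nic_tx_packets(ethtool_stats: str, nic_key: str = "tx_packets") -> int:
    """Hardware view: a counter maintained by the NIC itself."""
    m = re.search(rf"^\s*{re.escape(nic_key)}:\s*(\d+)\s*$", ethtool_stats, re.M)
    if not m:
        raise KeyError(nic_key)
    return int(m.group(1))

def analyze_window(proc0: str, eth0: str, proc1: str, eth1: str,
                   iface: str = "eth0", slack: int = 16) -> tuple:
    """Compare what the OS believes it sent with what the NIC actually sent
    between two snapshots. `slack` absorbs frames already handed to the NIC
    but not yet accounted for by the stack when the snapshots were taken."""
    os_delta = os_tx_packets(proc1, iface) - os_tx_packets(proc0, iface)
    nic_delta = nic_tx_packets(eth1) - nic_tx_packets(eth0)
    excess = nic_delta - os_delta
    return excess > slack, excess

# constructed snapshots at the start (T0) and end (T1) of the window
PROC_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 5000000   42000    0    0    0     0          0         0  3100000   30000    0    0    0     0       0          0
"""
PROC_T1 = PROC_T0.replace("3100000   30000", "3160000   30500")
ETHTOOL_T0 = "NIC statistics:\n     rx_packets: 42000\n     tx_packets: 30000\n     tx_bytes: 3100000\n"
# the NIC reports 2700 frames sent while the OS only accounted for 500
ETHTOOL_T1 = ETHTOOL_T0.replace("tx_packets: 30000", "tx_packets: 32700")
# a benign window: the NIC is only a few frames ahead of the stack
ETHTOOL_T1_BENIGN = ETHTOOL_T0.replace("tx_packets: 30000", "tx_packets: 30505")

if __name__ == "__main__":
    print("suspect window:", analyze_window(PROC_T0, ETHTOOL_T0, PROC_T1, ETHTOOL_T1))
    print("benign window :", analyze_window(PROC_T0, ETHTOOL_T0, PROC_T1, ETHTOOL_T1_BENIGN))
```

Two caveats before deploying this comparison. Segmentation offload (TSO/GSO) makes the NIC legitimately count more frames than the stack counted packets, so either baseline the ratio with offload in mind, compare bytes as well, or disable offload on the monitored interface. And the hardware counters are read through the driver and firmware, so an implant that controls the NIC can also falsify them; the comparison is most trustworthy when the NIC-side count comes from a path the implant does not own, such as a switch port counter.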

7. Systems and methods for creating and managing backups based on health information
    Granted patent, in force

    Publication number: US08949187B1

    Publication date: 2015-02-03

    Application number: US12130786

    Filing date: 2008-05-30

    IPC classification: G06F7/00 G06F17/30

    Abstract: A computer-implemented method may include performing an evaluation of a computing system's health. The method may also include comparing the results of the evaluation with the results of at least one prior evaluation of the computing system's health and then determining, based on the comparison, that the current state of health of the computing system is healthier than at least one prior state of health. In addition, the method may include creating a backup of the computing system. A computer-implemented method for managing backups of a computing system based on health information is also disclosed. Corresponding systems and computer-readable media are also disclosed.

8. Systems and methods for looking up anti-malware metadata
    Granted patent, in force

    Publication number: US08667592B2

    Publication date: 2014-03-04

    Application number: US13048380

    Filing date: 2011-03-15

    IPC classification: G06F11/00

    CPC classification: G06F21/564

    Abstract: A computer-implemented method for looking up anti-malware metadata may include identifying a plurality of executable objects to be scanned for malware before execution. The method may also include, for each executable object within the plurality, assessing the imminence of execution of that executable object. The method may further include prioritizing, based on these assessments, a retrieval order for the anti-malware metadata corresponding to the plurality of executable objects, and retrieving the anti-malware metadata corresponding to an executable object within the plurality based on the retrieval order. Various other methods, systems, and computer-readable media are also disclosed.

9. Uninstall and system performance based software application reputation
    Granted patent, in force

    Publication number: US08499063B1

    Publication date: 2013-07-30

    Application number: US12059258

    Filing date: 2008-03-31

    IPC classification: G06F15/173

    Abstract: Installation events associated with a software application are received from a plurality of clients. The rate at which the software application was uninstalled on the plurality of clients is determined based on the installation events. A reputation score is generated for the software application based on that uninstall rate, responsive to the installation events and performance data. The reputation score is stored in association with the software application.

10. Enforcing digital rights management in a heterogeneous environment
    Granted patent, in force

    Publication number: US08468608B1

    Publication date: 2013-06-18

    Application number: US12414466

    Filing date: 2009-03-30

    IPC classification: G06F7/04

    CPC classification: G06F21/10 G06F2221/0728

    Abstract: A DRM server parses a request received from a client for a content identifier and client classification information. The content identifier identifies the requested content, and the client classification information describes the capabilities of the client. The DRM server determines a policy for the requested content; the policy specifies rules for determining access rights for the content responsive to the capabilities of the client. The DRM server determines access rights for the requested content responsive to the capabilities of the client and the policy, and then provides the requested content and the determined access rights to the client.