US Pat. No. 9,239,907

TECHNIQUES FOR IDENTIFYING MISLEADING APPLICATIONS

Symantec Corporation, Mo...

1. A method for identifying misleading applications comprising:
receiving a request for network data;
parsing the request for network data, using a misleading application identification device, to determine if one or more portions
of the request match a suspicious indicator, wherein parsing the request for network data comprises matching a portion of
the request for network data against one or more keywords, and wherein the suspicious indicator is a portion of the request
other than a source address and a connection port;

identifying, using the misleading application identification device, the suspicious indicator without using a known malware
domain, a known malware signature, or a known malware network indicia, wherein identification is performed prior to receiving
any network data from a target of the request; and

performing a specified action in the event one or more portions of the request match the suspicious indicator.

US Pat. No. 9,330,274

METHODS AND SYSTEMS FOR APPLYING PARENTAL-CONTROL POLICIES TO MEDIA FILES

Symantec Corporation, Mo...

1. A computer-implemented method comprising:
intercepting, by a file-system driver, a file-system call associated with a media file, the file-system driver being configured
to intercept file-system calls issued by multiple applications through which a child is capable of attempting to access the
media file;

determining, in response to the file-system driver intercepting the file-system call, whether the file-system call comprises
an attempt to access a file that includes media content by checking whether a file extension of the media file identified
by the file-system call matches a file extension included within a set of certain file extensions for at least one of e-book
files, audio files, and video files;

determining, in response to determining that the file extension of the media file identified by the file-system call matches
a file extension included within the set of certain file extensions for at least one of e-book files, audio files, and video
files, an attribute of the media file;

identifying a parental-control policy associated with the attribute of the media file;
applying the parental-control policy to the media file.

US Pat. No. 9,402,181

SYSTEMS AND METHODS FOR COMPLETING MULTI-FACTOR AUTHENTICATION VIA MOBILE DEVICES

Symantec Corporation, Mo...

1. A computer-implemented method for completing multi-factor authentication via mobile devices, at least a portion of the
method being performed by a computing device comprising at least one processor, the method comprising:
identifying a request to communicate with a user's mobile device to complete multi-factor authentication of the user to an
online service;

determining that authentication notifications are disabled for attempts made by the user to login to the online service;
in response to determining that authentication notifications are disabled, preventing an authentication notification from
being displayed on the user's mobile device;

receiving an out-of-band authentication communication from the user's mobile device that was prevented from displaying the
authentication notification;

determining that the user's mobile device that sent the out-of-band authentication communication is the same user's mobile
device that was prevented from displaying the authentication notification and is therefore trusted to complete the multi-factor
authentication of the user to the online service;

in response to determining that the out-of-band authentication communication was received from a device trusted to complete
the multi-factor authentication of the user to the online service, enabling the user to login to the online service.

US Pat. No. 9,336,384

SYSTEMS AND METHODS FOR REPLACING APPLICATION METHODS AT RUNTIME

Symantec Corporation, Mo...

1. A computer-implemented method for replacing application methods at runtime, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
identifying a class-based object-oriented application at runtime that comprises a target method to replace at runtime with
a source method that comprises a wrapper method with at least one instruction to prevent an unsecure use of the target method;

locating, within memory for a DALVIK file, by calling a DALVIK application programming interface reflection function, a target
address of a target method data structure at runtime that describes the target method and is referenced by a target class
within the application, the target method data structure comprising a target code pointer to method code of the target method;

determining a source address of a source method data structure at runtime that describes the source method, the source method
data structure comprising a source code pointer to method code of the source method;

modifying the application at runtime to have the target class reference the source method in place of the target method by
copying at least a portion of the source method data structure from the source address of the source method data structure
to the target address of the target method data structure such that the target code pointer is replaced with the source code
pointer.

US Pat. No. 9,231,969

DETERMINING FILE RISK BASED ON SECURITY REPUTATION OF ASSOCIATED OBJECTS

Symantec Corporation, Mo...

1. A computer implemented method for tracking security risks of a polymorphic file by tracking static objects generated by
the polymorphic file, the method comprising the steps of:
tracking, by a computer, a first object created by a first mutation of a polymorphic file at a first time wherein the polymorphic
file has not been previously identified as comprising malware and said first object is tracked for performing a malware service;

determining whether a security reputation for the first object meets a security threshold;
determining, by a computer, a security risk of the polymorphic file that created the first object based on the security reputation
of the first object, wherein, responsive to a determination that the security reputation for the first object meets the predetermined
security threshold, the polymorphic file is determined to comprise malware if it meets a security threshold determined based
on at least one of: the number of distinct first objects created by the polymorphic file and the number of times a distinct
first object is created by the polymorphic file;

storing, by a computer, the security reputation for the first object in a database;
linking, by a computer, a second mutation of the polymorphic file to the first mutation by subsequently identifying the first
object created by a second mutation of the polymorphic file at a second time; and

receiving, by a computer, the security risk of the polymorphic file that created the first object at the first and second
times based on the determined security reputation of the first object.

US Pat. No. 9,094,291

PARTIAL RISK SCORE CALCULATION FOR A DATA OBJECT

Symantec Corporation, Mo...

1. A computer-implemented method comprising:
determining one or more hazards for a data object, wherein each hazard represents a violation of a data loss prevention (DLP)
policy by the data object, each hazard comprising a set of characteristics and a stored risk score calculated for the violation;

identifying a request to calculate a partial risk score for the data object, wherein the request comprises a partial risk
score filter;

for each of the one or more hazards, performing partial risk score determination comprising:
determining whether a characteristic of the set of characteristics associated with the hazard matches a parameter in the partial
risk score filter, and

when the characteristic associated with the hazard matches the parameter in the partial risk score filter, adding a respective
stored risk score to the partial risk score for the data object; and

upon completing the partial risk score determination for the one or more hazards, providing the partial risk score in response
to the request to a data loss prevention system to protect sensitive information associated with the data object from being
exposed outside of a computer network.

US Pat. No. 9,083,527

USING MOBILE DATA TO ESTABLISH A SHARED SECRET IN SECOND-FACTOR AUTHENTICATION

Symantec Corporation, Mo...

1. A method comprising:
receiving, by a server computer system, mobile device activity data from a mobile device;
verifying that the mobile device activity data matches mobile device activity data that is stored at the mobile device, wherein
the mobile device activity data comprises mobile device location data, mobile device usage data, mobile application usage
data, and mobile application inventory data;

generating a shared secret at the server computer system using the received mobile device activity data, wherein the shared
secret at the server computer system matches a shared secret generated at the mobile device; and

sending a message to the mobile device indicating criteria for the mobile device to use to generate a shared secret at the
mobile device, wherein the criteria comprises at least one of the mobile device activity data to use to generate the shared
secret, one or more sampling algorithms to use to generate the shared secret, a length of the shared secret, or an order of
the mobile device activity data to use to generate the shared secret.

US Pat. No. 9,235,647

SYSTEMS AND METHODS FOR PREDICTIVE RESPONSES TO INTERNET OBJECT QUERIES

Symantec Corporation, Mo...

1. A computer-implemented method for predictive responses to internet object queries, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
receiving a query from a client to evaluate whether a first internet object constitutes spam, the first internet object comprising
an e-mail message;

analyzing the query to predict a set of additional internet objects for which the client may subsequently request an evaluation
at least in part by:

identifying a set of previous queries from a plurality of clients to evaluate internet objects;
performing a statistical analysis on the set of previous queries from the plurality of clients, the statistical analysis comprising
a frequency analysis that indicates frequencies of internet objects queried subsequent to an earlier query for the first internet
object;

applying the received query to the statistical analysis on the set of previous queries from the plurality of clients to predict
the set of additional internet objects for which the client may subsequently request an evaluation;

transmitting an evaluation of the first internet object and a separate evaluation of each additional internet object in the
predicted set of additional internet objects to the client.

US Pat. No. 9,218,345

SYSTEM AND METHOD FOR BACKING UP A COMPUTER SYSTEM

Symantec Corporation, Mo...

8. A method comprising:
associating a production volume set with an application on a computing system;
capturing all data writes from the application, wherein the captured data is associated with at least one of a logical volume
and a physical volume;

duplicating all of the data writes on a predetermined logical volume, wherein a plurality of logical volumes is selectively
advanced upon determining that at least one logical volume of the plurality of logical volumes is without errors, wherein
selectively advancing the plurality of logical volumes further comprises selectively advancing through a plurality of captured
data writes to replicate a former state of the physical volume;

simultaneously forwarding the data writes from the application to the production volume set;
forwarding the data writes to at least one sequential logging storage device; and
associating metadata with the data writes, wherein the metadata includes a size associated with the data writes.

US Pat. No. 9,286,302

INODE REUSE SYSTEMS AND METHODS

Symantec Corporation, Mo...

1. An inode reuse method comprising:
receiving an indication of an operation to be executed with respect to a file, the operation including access to information
related to the file;

assigning an inode from a plurality of inodes to said access based upon a position of the inode in an inode use queue, wherein
the indication of the operation is separate from the plurality of inodes;

determining a type of the operation to be executed by analyzing the received indication of the operation to be executed;
selecting one of a plurality of predetermined inode reuse scenarios for said inode based on the determined type of the operation
to be executed; and

making said inode available for reuse in accordance with said one of said plurality of inode reuse scenarios by placing the
inode in the inode use queue,

wherein when a first one of said plurality of inode reuse scenarios is selected for a first type of operation, the inode is
placed at a head queue position of the inode use queue, and wherein when a second one of said plurality of inode reuse scenarios
is selected for a second type of operation, the inode is placed in a tail queue position of the inode use queue.

US Pat. No. 9,323,930

SYSTEMS AND METHODS FOR REPORTING SECURITY VULNERABILITIES

Symantec Corporation, Mo...

1. A computer-implemented method for reporting security vulnerabilities, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
detecting that a malware application is present on an endpoint computing system;
determining a window of time during which the malware application was present in a specified condition on the endpoint computing
system;

logging a list of sensitive data items accessed during the window of time;
performing a security action to report the list of sensitive data items based on a determination that both:
a length of the window of time is longer than a security threshold length and is indicative of the malware application being
located on the endpoint computing system long enough to potentially compromise a sensitive data item;

the malware application was accessed during the window of time.

US Pat. No. 9,143,497

SYSTEMS AND METHODS FOR SECURING EMAIL IN MOBILE DEVICES

Symantec Corporation, Mo...

1. A computer-implemented method for providing secure mobile email communications, the method comprising:
hooking at least one application programming interface (API) associated with a native email client in order to transmit data
securely via email, the native email client being native to an operating system of a mobile device;

detecting, via the hooked API, an email originating from a registered application, the email comprising the data to transmit
securely, the registered application being registered in a registry according to a mobile application authentication procedure,
the registry comprising a plurality of registered applications authenticated according to the mobile application authentication
procedure;

determining whether a registered email client different than the native email client is located on the mobile device, the
registered email client being registered in the registry according to the mobile application authentication procedure; and

upon detecting, via the hooked API, a call to the native email client from the registered application, emailing the data via
the registered email client based on the determining.

US Pat. No. 9,065,849

SYSTEMS AND METHODS FOR DETERMINING TRUSTWORTHINESS OF SOFTWARE PROGRAMS

Symantec Corporation, Mo...

1. A computer-implemented method for determining trustworthiness of software programs, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
determining, for at least one software program, a prevalence score that indicates a prevalence of the software program within
a local network;

obtaining, for the software program, a reputation score that indicates a prevalence of the software program outside the local
network;

comparing the prevalence score with the reputation score to determine a trustworthiness of the software program based on both
the reputation score of the software program and the prevalence score of the software program;

performing a security action based on the trustworthiness of the software program.

US Pat. No. 9,083,531

PERFORMING CLIENT AUTHENTICATION USING CERTIFICATE STORE ON MOBILE DEVICE

Symantec Corporation, Mo...

1. A non-transitory computer-readable storage medium storing instructions, which, when executed on a processor, performs an
operation for authenticating a user requesting access to a computing resource, the operation comprising:
receiving, over a first network connection, a request from a client device to access an application,
generating, by operation of the processor, a nonce and a network address to encode in a barcode graphic;
sending, over the first network connection, the barcode graphic to the client device;
receiving, over a second network connection, a response which includes a digital signature signing the nonce, wherein a mobile
device generates the response by:

scanning the barcode graphic to decode the nonce and to recover the network address,
accessing a private key from a certificate store on the mobile device, wherein the private key corresponds to a public key
identified in a digital certificate associated with the user, wherein the mobile device prompts the user to supply authenticating
credentials prior to accessing the private key from the certificate store on the mobile device, and

signing, with the private key, the decoded nonce; and
upon determining the digital signature is valid, granting the client device access to the application.

US Pat. No. 9,256,612

SYSTEMS AND METHODS FOR MANAGING REFERENCES IN DEDUPLICATING DATA SYSTEMS

Symantec Corporation, Mo...

1. A computer-implemented method for managing references in deduplicating data systems, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
identifying a first instance of a data segment stored within a deduplicating data system that reduces redundant data storage
by storing at least two data objects such that each of the two data objects references the first instance of the data segment;

identifying an additional data object to be stored by the deduplicating data system, wherein the additional data object comprises
the data segment;

determining that an age limit of the first instance of the data segment has been reached, wherein the age limit of the first
instance of the data segment:

limits the amount of time during which the first instance of the data segment is available to be referenced; and
indicates an age of the first instance of the data segment after which the first instance of the data segment cannot be referenced
by any additional data objects that are later stored to the deduplicating data system;

preventing storage-space fragmentation within the deduplicating data system by storing, based at least in part on determining
that the age limit of the first instance of the data segment has been reached, a second instance of the data segment within
the deduplicating data system that is referenced by the additional data object while also retaining the first instance of
the data segment within the deduplicating data system.

US Pat. No. 9,219,611

SYSTEMS AND METHODS FOR AUTOMATING CLOUD-BASED CODE-SIGNING SERVICES

Symantec Corporation, Mo...

1. A computer-implemented method for automating cloud-based code-signing services, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
identifying, at a cloud-based code-signing service, an automatically generated request from a signing automation agent on
a remote client to sign at least one file, the signing automation agent comprising a software module;

verifying a security credential that authorizes the remote client to access the cloud-based code-signing service, the security
credential having been submitted by the signing automation agent for verification by the cloud-based code-signing service;

receiving, at the cloud-based code-signing service, the file from the signing automation agent;
signing, by the cloud-based code-signing service, the file;
sending the signed file from the cloud-based code-signing service to the remote client.

US Pat. No. 9,088,604

SYSTEMS AND METHODS FOR TREATING LOCALLY CREATED FILES AS TRUSTWORTHY

Symantec Corporation, Mo...

1. A computer-implemented method for treating locally created files as trustworthy, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
identifying at least one file created on a computing system protected by a security system that determines whether files encountered
by the computing system are trustworthy;

determining that the security system has classified the file created on the computing system as untrustworthy;
identifying a software application used to create the file on the computing system;
determining that the software application used to create the file on the computing system is a reputable software application
used to create trustworthy files within a user community comprising users of computing systems protected by the security system;

in response to determining that the software application used to create the file is a reputable software application, mitigating
false positives associated with the file on the computing system where the file was created by establishing a trustworthiness
exception that:

causes the security system to treat the file as trustworthy on the computing system where the file was created even though
the security system has classified the file as untrustworthy;

does not cause the security system to treat the file as trustworthy on an additional computing system protected by the security
system due at least in part to the file not having been created on the additional computing system.

US Pat. No. 9,401,925

SYSTEMS AND METHODS FOR DETECTING SECURITY THREATS BASED ON USER PROFILES

Symantec Corporation, Mo...

1. A computer-implemented method for detecting security threats based on user profiles, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
identifying behavior by a user on a computing system that is potentially indicative of a security threat by identifying at
least one of:

use of an administrative tool that causes remote execution on other computing systems;
execution of a network command that allows attackers to identify at least one of domain controllers and accounts with domain
administrator credentials;

identifying a profile for the user that estimates a level of the user's technical sophistication at least in part by:
accessing a history of behavior by the user;
matching the user, by analyzing the history of behavior, to a group of non-administrators having a lower level of technical
sophistication than a group of administrators;

comparing the identified behavior of the user with the estimated level of the user's technical sophistication;
determining that the identified behavior of the user indicates a security threat at least in part by determining that the
identified behavior is inconsistent with the estimated level of the user's technical sophistication associated with the group
of non-administrators.

US Pat. No. 9,235,629

METHOD AND APPARATUS FOR AUTOMATICALLY CORRELATING RELATED INCIDENTS OF POLICY VIOLATIONS

Symantec Corporation, Mo...

1. A method, comprising:
identifying a plurality of incidents of violations of a policy upon detecting presence of confidential information in a plurality
of messages;

storing the plurality of violation incidents of the policy in a data repository, wherein each of the plurality of violation
incidents is associated with one or more message attribute values;

receiving a user request to correlate one of the plurality of violation incidents of the policy stored in the data repository
to other incidents of the plurality of violation incidents of the policy based on at least one common message attribute value;

in response to the user request, correlating, by a processing device, a requested violation incident with the other incidents
of the plurality of violation incidents of the policy based on the at least one common message attribute value of the one
or more message attribute values, wherein the correlating comprises searching the data repository using the at least one common
message attribute value;

providing, for a user interface, resulting correlation information that identifies, for each of a plurality of time periods,
a count of a number of incidents similar to the one of the plurality of violation incidents that occurred during a corresponding
time period of the plurality of time periods; and

providing the incidents similar to the one of the plurality of violation incidents that occurred during the corresponding
time period of the plurality of time periods in response to a selection associated with the count for the corresponding time
period of the plurality of time periods.

US Pat. No. 9,622,081

SYSTEMS AND METHODS FOR EVALUATING REPUTATIONS OF WIRELESS NETWORKS

Symantec Corporation, Mo...

1. A computer-implemented method for evaluating reputations of wireless networks, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
identifying an endpoint computing system that is connected to a wireless network;
receiving, by a backend security server from the endpoint computing system:
information that identifies the wireless network;
information that indicates in part a security state of the wireless network by indicating at least:
a degree of trust of the wireless network provided by a user of the endpoint computing system; and
a hygiene score of the endpoint computing system;
calculating, by the backend security server, a reputation of the wireless network based at least in part on:
the received information that identifies the wireless network and that indicates in part the security state of the wireless
network; and

a number of endpoint computing systems that are associated with the wireless network that have hygiene scores below a threshold
score; and

improving a security state of another endpoint computing system that is within range of the same wireless network by transmitting
information about the calculated reputation of the wireless network to the another endpoint computing system to prevent the
another endpoint computing system from connecting to the wireless network in response to determining that the wireless network
represents a security risk based on the calculated reputation.

US Pat. No. 9,608,916

COLLABORATIVE APPLICATION CLASSIFICATION

Symantec Corporation, Mo...

1. A method for performing collaborative application classification in a system including a classification aggregator communicatively
coupled to a plurality of traffic classifiers, the plurality of traffic classifiers including a first and second traffic classifier,
the method comprising:
receiving, at the classification aggregator, classification information from the first traffic classifier, the classification
information including a destination Internet protocol (IP) address, a destination port number, a protocol and a first application
name associated with a first communication flow classified by the first traffic classifier;

storing the classification information in a data store of the classification aggregator, the data store containing multiple
entries, each of the entries mapping a group of characteristics, including a destination IP address, a destination port number
and a protocol, to a corresponding application name;

receiving, at the classification aggregator, a query requesting an application name associated with a second communication
flow from a second classifier; and

providing the first application name, in response to determining that the second communication flow is associated with the
first application name, to the second classifier, wherein determining that the second communication flow is associated with
the first application name is based on one or more of the entries of the data store of the classification aggregator.

US Pat. No. 9,465,937

METHODS AND SYSTEMS FOR SECURELY MANAGING FILE-ATTRIBUTE INFORMATION FOR FILES IN A FILE SYSTEM

Symantec Corporation, Mo...

1. A computer-implemented method for securely managing file-attribute information for files in a file system, the method comprising:
identifying at least one file;
identifying at least one file attribute of the file that would be useful to a security software program when analyzing the
file;

storing the file attribute as volatile metadata for the file that is automatically deleted when the same file is modified;
ensuring that the security software program can rely upon the file attribute identified within the volatile metadata for the
file by, upon determining that the file has been modified, automatically deleting the volatile metadata for the file in response
to the determination that the same file has been modified;

identifying non-volatile metadata associated with the file;
after determining that the file has been modified, updating the non-volatile metadata.

US Pat. No. 9,298,808

ENCRYPTED SEARCH ACCELERATION

SYMANTEC CORPORATION, Mo...

1. A method for managing an encrypted search index, the method comprising:
retrieving a first ID and a plurality of terms from a document;
identifying a plurality of normalized IDs in a normalization table, wherein the normalization table is a false positive-prone
data structure, and wherein the first ID maps to the plurality of normalized IDs identified in the normalization table;

identifying a respective search index for each of the plurality of normalized IDs, wherein a first one of the search indices
is associated with a given user associated with the first ID, and wherein each of the other search indices are false positive
matches each associated with a respective other user;

updating each of the search indices based on the plurality of terms; and
receiving a search request, wherein the search request includes a first one of the plurality of normalized IDs;
identifying a first one of the search indices, wherein the first search index corresponds to the first normalized ID;
querying the first search index to retrieve a set of search results from the identified search index, wherein the set of search
results includes one or more false positive values;

removing the one or more false positive values from the set of search results; and
returning the search results.

US Pat. No. 9,223,562

CONTROLLABLE DEPLOYMENT OF SOFTWARE UPDATES

Symantec Corporation, Mo...

1. A computer program product comprising a non-transitory computer-readable medium having computer program logic embodied
therein for controllably providing software updates from an update server to a random sample of computers with updateable
software, the computer program logic comprising:
a sampling range-generating module for generating at the update server a sampling range of values as a proper subset of a
population range of possible values;

a receiving module for receiving at the update server from a computer a generated random value, the random value falling within
the population range;

an eligibility determination module for determining at the update server whether the computer is eligible to receive a software
update, the computer being determined eligible responsive to whether the received random value falls within the sampling range;
and

an update module for providing the software update from the update server to the computer based on the eligibility determination.

US Pat. No. 9,231,936

CONTROL AREA NETWORK AUTHENTICATION

Symantec Corporation, Mo...

1. A computer-implemented method for authenticating messages, comprising:
receiving, by a receiving device, a data message from a sending device, wherein each receiving and sending device is assigned
one of two or more trust levels;

receiving, by the receiving device, an authentication message from the sending device, the authentication message comprising
an authentication code;

determining a message identifier for the data transmission, wherein each receiving device is associated with at least one
of two or more message identifiers, the two or more message identifiers being assigned to one of two or more message groups,
wherein a particular message identifier is assigned to one of the two or more message groups based on a device with the lowest
trust level among the receiving and sending devices that use that particular message identifier;

authenticating the received data message by using a group key assigned to the receiving device to verify the authentication
code.

US Pat. No. 9,298,724

SYSTEMS AND METHODS FOR PRESERVING DEDUPLICATION EFFORTS AFTER BACKUP-JOB FAILURES

Symantec Corporation, Mo...

1. A computer-implemented method for preserving deduplication efforts after backup-job failures, at least a portion of the
method being performed by a computing device comprising at least one processor, the method comprising:
identifying a deduplicated data system that reduces redundant data storage by storing and referencing a plurality of deduplicated
data segments, wherein the deduplicated data system reclaims storage space by deleting data segments that are not referenced
from the deduplicated data system;

identifying a backup job that backs up data to the deduplicated data system, wherein a first performance of the backup job:
causes the deduplicated data system to store at least one new data segment that is available to be referenced within the deduplicated
data system; and

fails after the deduplicated data system stores the new data segment within the deduplicated data system, wherein failure
of the first performance of the backup job causes the new data segment to not be referenced within the deduplicated data system;

causing the deduplicated data system to wait at least until a second performance of the backup job occurs by causing the deduplicated
data system to retain the new data segment until the second performance of the backup job occurs successfully despite the
new data segment being not referenced.

US Pat. No. 9,274,897

BACKUP POLICY MIGRATION AND IMAGE DUPLICATION

Symantec Corporation, Mo...

1. A method comprising:
selecting a policy to migrate from a source storage device to a target storage device, wherein the policy comprises information
identifying a plurality of clients;

selecting a most recent backup image for each client of the plurality of clients;
copying the most recent backup images from the source storage device to the target storage device, wherein said copying does
not include backup images which are not the most recent backup images;

updating the policy in response to detecting that the most recent backup images have been copied to the target storage device,
wherein the updating the policy comprises changing a destination value in the policy from the source storage device to the
target storage device.

US Pat. No. 9,230,096

SYSTEM AND METHOD FOR DATA LOSS PREVENTION IN A VIRTUALIZED ENVIRONMENT

Symantec Corporation, Mo...

1. A method comprising:
identifying, by a data loss prevention (DLP) manager, a startup event of a guest virtual machine, wherein the DLP manager
is in a security virtual machine;

installing, by the DLP manager, a DLP component in the guest virtual machine, the DLP component to communicate with the DLP
manager;

receiving, by the DLP manager, a file system event that is intercepted by the DLP component and that is initiated within the
guest virtual machine, wherein the file system event comprises a file in at least one of a write event, a copy event, a paste
event, a move event, or a deletion event, and wherein the file is not stored in the security virtual machine;

retrieving, by the DLP manager, a DLP profile associated with the guest virtual machine from a profile repository, the DLP
profile comprising a DLP policy and a response rule;

identifying, by the DLP manager, a device associated with the file system event;
determining, by the DLP manager, that the DLP profile requires monitoring of the identified device;
monitoring, by the DLP manager, data associated with the file system event that is to be stored on the identified device;
and

enforcing, by the DLP manager, the response rule associated with the file system event initiated within the guest virtual
machine when the file system event violates the DLP policy.

US Pat. No. 9,305,170

SYSTEMS AND METHODS FOR SECURELY PROVIDING INFORMATION EXTERNAL TO DOCUMENTS

Symantec Corporation, Mo...

1. A computer-implemented method for securely providing information external to documents, at least a portion of the method
being performed by a computing device comprising at least one processor, the method comprising:
identifying a document that comprises a file comprising at least one link to content external to the document, wherein the
document is destined for a restricted network environment that only allows secure content;

retrieving, prior to delivering the document to the restricted network environment, the content external to the document from
the link;

converting, prior to delivering the document to the restricted network environment, the content external to the document to
embeddable content in a secure format that can be embedded within the document by storing the embeddable content within the
file by rendering the content for display and creating an image of the rendered content;

creating, prior to delivering the document to the restricted network environment, a secure version of the document at least
in part by embedding the embeddable content that has been converted to the secure format into the document by storing the
embeddable content within the file, thereby providing secure access to the content external to the document via the file rather
than via a reference to data stored outside the file;

delivering the secure version of the document to the restricted network environment.

US Pat. No. 9,276,887

SYSTEMS AND METHODS FOR MANAGING SECURITY CERTIFICATES THROUGH EMAIL

Symantec Corporation, Mo...

1. A computer-implemented method for managing security certificates through email, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
receiving an encrypted email that contains both identifying information that identifies a security certificate for authenticating
a website and a management command relating to the security certificate, the encrypted email comprising a reply to a notification
email, from a security certificate management service, that indicated an offer to issue the security certificate;

determining whether authentication of the encrypted email succeeded such that the management command is authorized;
when a determination is made that authentication of the encrypted email succeeded, identifying the security certificate using
the identifying information and executing the management command with respect to the identified security certificate.

US Pat. No. 9,268,689

SECURING VIRTUAL MACHINES WITH OPTIMIZED ANTI-VIRUS SCAN

Symantec Corporation, Mo...

1. A method comprising:
determining a first block address of a changed block, wherein
the changed block is stored in a first file system, and the first block address is relative to a first file in the first file
system; and

determining a second file that contains the changed block, wherein
the second file is stored in a file area of a second file system volume, and the second file system volume is stored in the
first file in the first file system.

US Pat. No. 9,251,261

METHOD AND SYSTEM FOR METADATA DRIVEN TESTING OF MALWARE SIGNATURES

Symantec Corporation, Mo...

1. A method for evaluating malware signatures, the method comprising:
receiving a candidate malware signature specified in a markup language, wherein the candidate malware signature specifies
a set of features associated with one or more files of a software application package used to identify a malware application
corresponding to the candidate malware signature;

translating the set of features candidate malware signature into a database query;
executing the database query to identify a set of applications detected by the candidate malware signature as being an instance
of a malware threat corresponding to the candidate malware signature; and

for each application in the set of applications:
determining whether the application was correctly identified by the candidate malware signature as instance of the malware
threat based on a previous classification of the application as being an instance of the malware threat or not being an instance
of the malware threat.

US Pat. No. 9,225,735

SYSTEMS AND METHODS FOR BLOCKING FLANKING ATTACKS ON COMPUTING SYSTEMS

Symantec Corporation, Mo...

1. A computer-implemented method for preventing flanking attacks on computing systems, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
detecting a denial-of-service attack targeting a computing network, wherein the computing network comprises a software-defined
network;

inferring, based at least in part on detecting the denial-of-service attack, a secondary attack targeting at least one computing
resource within the computing network;

determining that the computing resource is subject to additional protection based on inferring the secondary attack targeting
the computing resource;

protecting the computing resource against the secondary attack by adding an authentication requirement for accessing the computing
resource, wherein adding the authentication requirement comprises:

modifying the software-defined network to interpose an authentication system that implements the authentication requirement
between the computing resource and at least a portion of the computing network;

adding a second authentication factor to accompany a first authentication factor for accessing the computing resource that
is already in place.

US Pat. No. 9,294,511

SENDING OUT-OF-BAND NOTIFICATIONS

Symantec Corporation, Mo...

1. A computer-implemented method for sending an out-of-band notification of a security policy enforcement action to a user
of a client within a network covered by a security policy, the method comprising:
receiving, at a security module, outbound network traffic sent from the client, the outbound network traffic addressed to
a destination outside of the network covered by the security policy;

performing, by the security module, an enforcement action on the outbound network traffic responsive to determining that the
outbound network traffic violates the security policy;

inserting, by the security module, an out-of-band notification message describing the enforcement action into a response to
the outbound network traffic; and

sending the response including the inserted out-of-band notification message to the client.

US Pat. No. 9,183,205

USER-BASED BACKUP

Symantec Corporation, Mo...

1. A method comprising:
receiving a request to perform a backup operation, wherein
the request includes information identifying a user;
receiving metadata from a plurality of collector modules, wherein
the metadata comprises user information and location information for each of a plurality of data objects stored in at least
one storage device;

automatically generating a list of locations at which data objects associated with the user are stored, wherein
the automatically generating is based on the location information;
selecting a set of data objects, wherein
the selecting is based on the user information,
each data object of the set of data objects is associated with the user,
the set of data objects comprises a first subset of the plurality of data objects, and
the plurality of data objects comprises a second subset associated with a second user; and
generating a user-based backup image, wherein
each data object included in the user-based backup image is included in the set of data objects.

US Pat. No. 9,297,882

SYSTEMS AND METHODS FOR TRACKING PAIRED COMPUTING DEVICES

Symantec Corporation, Mo...

1. A computer-implemented method for tracking paired computing devices, at least a portion of the method being performed by
at least one computing system comprising at least one processor, the method comprising:
determining that a plurality of computing devices comprising first and second computing devices of a user are paired via a
wireless communication technology that facilitates communication between the plurality of computing devices;

providing a plurality of modes for notifying the user when the first computing device or the second computing device is no
longer in the user's possession, wherein the plurality of modes comprise:

a first mode that causes notifications to be sent only to a device that is stationary;
a second mode that causes notifications to be sent only to a device that is moving; and
a third mode that causes notifications to be sent to both the first and second computing devices;
establishing a maximum distance that the first and second computing devices are allowed to move away from one another;
calculating a current distance between the first and second computing devices;
determining that the current distance between the first and second computing devices exceeds the maximum distance that the
first and second computing devices are allowed to move away from one another;

determining, due at least in part to the current distance between the first and second computing devices exceeding the maximum
distance, that at least one of the first and second computing devices is no longer in the user's possession; and

in response to determining that at least one of the first and second computing devices is no longer in the user's possession:
determining that the second computing device is no longer in the user's possession by determining that the first computing
device is moving and the second computing device is substantially stationary; and

providing, based at least in part on a selection by the user of the second mode that causes notifications to be sent only
to a device that is moving, one or more notifications only to the first computing device and not to the second computing device
due at least in part to the first computing device moving and the second computing device being substantially stationary,
wherein the one or more notifications:

alert the user that the second computing device is no longer in the user's possession due at least in part to the first computing
device moving and the second computing device being substantially stationary, and

include information that identifies a location of the second computing device.

US Pat. No. 9,286,477

SECURE APP ECOSYSTEM WITH KEY AND DATA EXCHANGE ACCORDING TO ENTERPRISE INFORMATION CONTROL POLICY

Symantec Corporation, Mo...

1. A computer implemented method for providing a secure ecosystem comprising at least a plurality of apps on a computing device,
wherein the apps in the ecosystem securely exchange encrypted data according to an information control policy of an enterprise,
without allowing unauthorized access from outside of the ecosystem, the method comprising:
creating, by an ecosystem agent on the computing device, an ecosystem directory, the ecosystem directory containing an entry
for each specific app in the ecosystem, each entry comprising policy information concerning the specific app and identification
information concerning the specific app, wherein the ecosystem agent is an app in the ecosystem;

generating, by each specific ecosystem-ready app on the computing device, an asymmetric key pair, a public key of which the
specific app shares only with apps in the ecosystem, and a private key of which the specific app does not share at all;

securely communicating data between apps in the ecosystem, such that the communicated data cannot be accessed from outside
of the ecosystem without authorization from within the ecosystem;

wherein securely communicating data between apps in the ecosystem further comprises encrypting data with a first key by a
providing app in the ecosystem, such that at least one receiving app in the ecosystem can decrypt the data with a second key;
reading, by a first ecosystem app, a public key of a second ecosystem app, from the ecosystem directory; encrypting, by the
first ecosystem app using the public key of the second ecosystem app, at least one from a group consisting of: a message to
securely communicate to the second ecosystem app and a data object to securely share with the second ecosystem app; performing
at least one from a group of steps consisting of: communicating the encrypted message from the first ecosystem app to the
second ecosystem app and sharing the encrypted data object with the second ecosystem app by the first ecosystem; and decrypting,
by the second ecosystem app, using a private key of the second ecosystem app, at least one from a group consisting of: the
communicated message and the data object; and

complying, by each specific app in the ecosystem, with enterprise information control policy.

US Pat. No. 9,197,662

SYSTEMS AND METHODS FOR OPTIMIZING SCANS OF PRE-INSTALLED APPLICATIONS

Symantec Corporation, Mo...

1. A computer-implemented method for optimizing scans of pre-installed applications, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
identifying, by a processor on a client device, a plurality of applications that are subject to scan-based assessments;
determining that the plurality of applications were pre-installed on the client device via a system image for the client device;
generating a fingerprint that represents the system image;
fulfilling the scan-based assessments for the plurality of applications by transmitting the fingerprint that represents the
system image to an assessment server and receiving, in response, an assessment of the system image;

identifying, on the client device, an individual application that is subject to at least one scan-based assessment;
determining that the individual application was not pre-installed on the client device via the system image for the client
device;

generating, based on determining that the individual application was not-preinstalled on the client device via the system
image for the client device, an individual fingerprint that represents the individual application and no other application;

fulfilling the scan-based assessment for the individual application by transmitting the individual fingerprint that represents
the individual application to the assessment server and receiving, in response, an assessment of the individual application.

US Pat. No. 9,146,935

SYSTEMS AND METHODS FOR CLASSIFYING FILES AS CANDIDATES FOR DEDUPLICATION

Symantec Corporation, Mo...

11. A computer-implemented method for determining whether files are candidates for deduplication, at least a portion of the
method being performed by a computing device comprising at least one processor, the method comprising:
identifying at least a portion of a file;
identifying a classification assigned to the file that is suggestive of a duplicate instance of the portion of the file already
being stored within a storage device by identifying, within the file, an attribute associated with the file that indicates
that the file is a candidate for deduplication;

reducing the amount of time or resources needed to determine whether a set of files that includes the file qualify for deduplication
by determining, based on the classification assigned to the file, that the file is a candidate for deduplication prior to
determining whether the duplicate instance of the portion of the file is already stored within the storage device;

in response to determining that the file is a candidate for deduplication, determining whether the duplicate instance of the
portion of the file is already stored within the storage device.

US Pat. No. 9,311,242

SYSTEMS AND METHODS FOR ENABLING WRITE-BACK-CACHE AWARE SNAPSHOT CREATION

Symantec Corporation, Mo...

1. A computer-implemented method for enabling write-back-cache aware snapshot creation, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
identifying a cache that implements write-back caching to selectively store at least one write to a backing store;
receiving, while the write is stored within the cache, a request to create a snapshot of the backing store, where the write
is to be included in the snapshot of the backing store;

creating, in response to the request and while the write is still stored within the cache, the snapshot of the backing store
by:

determining that the write is stored within the cache;
tracking the write while the write is still stored within the cache and while the snapshot is accessible to ensure that the
write is included in the snapshot of the backing store;

providing read access to the snapshot without first flushing the write to the backing store by receiving, while the write
is stored within the cache, a request to read from the snapshot;

satisfying the request to read from the snapshot.

US Pat. No. 9,256,738

SYSTEMS AND METHODS FOR PRE-INSTALLATION DETECTION OF MALWARE ON MOBILE DEVICES

Symantec Corporation, Mo...

1. A computer-implemented method for pre-installation detection of malware on mobile devices, at least a portion of the method
being performed by a mobile computing device comprising at least one processor, the method comprising:
intercepting one or more communications of an application installation agent that installs applications on the mobile computing
device by:

detecting, by a monitoring agent on the mobile computing device, an attempt to launch the application installation agent;
interrupting, by the monitoring agent, the attempt to launch the application installation agent;
re-launching the application installation agent as a process of the monitoring agent such that the monitoring agent is able
to intercept communications from the application installation agent;

identifying, based on the one or more intercepted communications, an application that has been at least partially downloaded
by the application installation agent;

in response to identifying the application, and before the application is installed on the mobile computing device, scanning
the application for malware;

determining, based on the scan, that the application contains malware;
performing a security action in response to determining that the application contains malware.

US Pat. No. 9,075,771

TECHNIQUES FOR MANAGING DISASTER RECOVERY SITES

Symantec Corporation, Mo...

1. A method for managing disaster recovery sites comprising the steps of:
generating a heartbeat at a first node;
transmitting the heartbeat from the first node to a second node;
determining whether a network connection between the first node and the second node has failed;
determining whether the second node has received an additional heartbeat from the first node; and
changing a state of the secondary node based on the determination of whether the second node has received the additional heartbeat,
wherein the first node and the second node are in communication via a replication channel separate from the network connection.

US Pat. No. 9,305,007

DISCOVERING RELATIONSHIPS USING DEDUPLICATION METADATA TO PROVIDE A VALUE-ADDED SERVICE

Symantec Corporation, Mo...

1. A method comprising:
identifying deduplication metadata for a plurality of files, wherein the deduplication metadata comprises block level information
for the plurality of files;

examining, by a first computer system, the deduplication metadata to discover a plurality of levels of relationships associated
with the plurality of files based on at least the block level information;

creating relationship data describing the plurality of levels of relationships, wherein the plurality of levels comprises
a level describing relationships between users of host machines that are used to access respective files; and

sending the relationship data describing the plurality of levels of relationships associated with the plurality of files to
a second computer system providing a data loss protection service to cause a data loss protection operation to be performed
based on the relationship data,

wherein examining the deduplication metadata comprises identifying files that are pointing to a same data segment, identifying
host machines that are used to access the files that point to the same data segments, and identifying respective users that
are associated with the host machines that are accessing the files.

US Pat. No. 9,256,727

SYSTEMS AND METHODS FOR DETECTING DATA LEAKS

Symantec Corporation, Mo...

1. A computer-implemented method for detecting data leaks, at least a portion of the method being performed by a computing
device comprising at least one processor, the method comprising:
identifying a plurality of computing devices that include multiple data-distribution channels utilized by at least one user
within an organization;

associating the multiple data-distribution channels with the user within the organization;
monitoring the multiple data-distribution channels associated with the user within the organization;
detecting, by analyzing data distributed from the plurality of computing devices by the user via the multiple data-distribution
channels, a plurality of partial data loss prevention (DLP) policy violations committed by the user, wherein a partial DLP
policy violation comprises a violation of a DLP policy that does not amount to a full violation of the DLP policy;

assigning a weight to each of the plurality of partial DLP policy violations that quantifies a degree to which the user violated
the DLP policy;

determining that the weights of the user's DLP policy violations cumulatively exceed a predetermined threshold;
performing a security action in response to determining that the weights of the user's DLP policy violations cumulatively
exceed the predetermined threshold.

US Pat. No. 9,122,690

SYSTEMS AND METHODS FOR IMPLEMENTING NON-NATIVE FILE ATTRIBUTES ON FILE SYSTEMS

Symantec Corporation, Mo...

9. A system for implementing non-native file attributes on file systems, the system comprising:
an application module, stored in memory, that stores, in a consolidated location, deduplicated extended attributes of files
within a file system that does not natively implement the extended attributes;

a receiving module, stored in memory, that receives at least one extended attribute to apply to at least one file within the
file system;

an identification module, stored in memory, that identifies an index file that:
indexes the deduplicated extended attributes of the files within the file system by file identifiers of the files;
references the deduplicated extended attributes that are stored in the consolidated location;
a determination module, stored in memory, that determines a file identifier that uniquely identifies the file within the file
system;

wherein the application module further applies the extended attribute to the file by:
storing the extended attribute in the consolidated location;
indexing the extended attribute stored in the consolidated location by the file identifier within the index file;
at least one processor configured to execute the receiving module, the identification module, the determination module, and
the application module.

US Pat. No. 9,363,259

PERFORMING CLIENT AUTHENTICATION USING ONETIME VALUES RECOVERED FROM BARCODE GRAPHICS

SYMANTEC CORPORATION, Mo...

1. A method for authenticating a client device requesting access to a computing application, the method comprising:
in response to receiving a request to access the computing application:
encrypting a first nonce using a public key associated with the user, and
encoding the encrypted nonce in a barcode graphic;
sending the barcode graphic to the client device as a second factor authentication challenge, wherein the client device renders
the barcode graphic on a display to be scanned by a mobile device and wherein the mobile device is configured to generate
a second nonce by:

scanning the barcode graphic to recover the encrypted first nonce,
accessing a private key from a certificate store on the mobile device,
decrypting the encrypted first nonce, and
presenting, on a display of the mobile device, as the second nonce, the decrypted first nonce;
receiving, from the client device, a response to the challenge which includes the second nonce; and
upon determining the second nonce matches the first nonce, granting the client device access to the computing application.

US Pat. No. 9,258,122

SYSTEMS AND METHODS FOR SECURING DATA AT THIRD-PARTY STORAGE SERVICES

Symantec Corporation, Mo...

1. A computer-implemented method for securing data at third-party storage services, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
receiving, from a client-side computing device of a first user at a server-side computing system, a request to share with
a second user access to a file that is encrypted, wherein:

access to the file requires access to a decryption key with which the file may be decrypted;
the decryption key must be encrypted to be stored at the server-side computing system;
determining, in response to the request, whether a transitory symmetric key of the second user is available at the server-side
computing system to encrypt the decryption key, wherein the transitory symmetric key of the second user is generated at the
server-side computing system using information provided to the server-side computing system by the second user and discarded
at the server-side computing system when the second user logs out of the server-side computing system;

in response to determining that the transitory symmetric key of the second user is available at the server-side computing
system, encrypting the decryption key with the transitory symmetric key of the second user;

in response to determining that the transitory symmetric key of the second user is unavailable at the server-side computing
system:

identifying, at the server-side computing system, an asymmetric key pair designated for the second user, the asymmetric key
pair comprising:

a public key;
a private key that is encrypted, wherein the private key is decrypted using information provided to the server-side computing
system by the second user;

encrypting the decryption key with the public key;
storing the encrypted decryption key at the server-side computing system, wherein:
the server-side computing system comprises the computing device;
the computing device performs the step of determining whether the transitory symmetric key of the second user is available
at the server-side computing system.

US Pat. No. 9,275,060

METHOD AND SYSTEM FOR USING HIGH AVAILABILITY ATTRIBUTES TO DEFINE DATA PROTECTION PLANS

Symantec Corporation, Mo...

1. A method comprising:
receiving, by a data protection agent or server running on a computing device, a cluster configuration of a high availability
cluster, the cluster configuration indicating highly available data, specified by a first administrator, of a multi-tiered
application running on the high availability cluster, the high availability cluster comprising a plurality of clusters corresponding
to tiers of the multi-tiered application;

parsing, by the data protection agent or server, the cluster configuration to identify the highly available data residing
on the plurality of clusters corresponding to the tiers of the multi-tiered application;

providing information indicating the identified highly available data to back up to a second administrator having no information
of the highly available data to be backed up; and

implementing a data protection policy to back up the highly available data based on the information.

US Pat. No. 9,147,066

SYSTEMS AND METHODS FOR PROVIDING CONTROLS FOR APPLICATION BEHAVIOR

Symantec Corporation, Mo...

1. A computer-implemented method for providing controls for application behavior, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
identifying, by the computing device, an application that is distributed via an application repository and that is configured
to use a permission on a computing platform that enables the application to access a feature of the computing platform;

receiving, by the computing device, a request from a user to reconfigure the application to control attempts by the application
to use the permission by intercepting and interfering with attempts by the application to use the permission;

reconfiguring, by the computing device in response to the request from the user, the application to control attempts by the
application to use the permission by intercepting and interfering with attempts by the application to use the permission;

determining, by the computing device, that an updated version of the application is available via the application repository;
reconfiguring the updated version of the application to continue controlling attempts by the application to use the permission
based at least in part on the request from the user by intercepting and interfering with attempts by the updated version of
the application to use the permission in response to an instruction to update the application.

US Pat. No. 9,083,729

SYSTEMS AND METHODS FOR DETERMINING THAT UNIFORM RESOURCE LOCATORS ARE MALICIOUS

Symantec Corporation, Mo...

1. A computer-implemented method for determining that uniform resource locators are malicious, the method being performed
by a computing device comprising at least one processor, the method comprising:
identifying a plurality of uniform resource locators that are posted on a social networking platform;
gathering contextual data from the social networking platform that describes a plurality of instances of the plurality of
uniform resource locators within the social networking platform, the contextual data comprising a number of multiple resource
locator masking services used by an instance of a uniform resource locator within the plurality of instances of the plurality
of uniform resource locators;

generating, based on the contextual data, a plurality of social fingerprints of the plurality of uniform resource locators;
determining whether some or all of the uniform resource locators within the plurality of uniform resource locators associated
with the plurality of social fingerprints are malicious by determining that some or all of the uniform resource locators within
the plurality of uniform resource locators that use above a certain number of multiple resource locator masking services are
malicious;

generating, based at least in part on the plurality of social fingerprints and the determination, a ground truth set comprising
training data for a machine learning system;

generating, based at least in part on the ground truth set, a social fingerprint classifier that classifies uniform resource
locators that use above the certain number of multiple resource locator masking services as malicious;

identifying at least one additional uniform resource locator that is posted on the social networking platform and that is
subject to a security assessment;

classifying the additional uniform resource locator as malicious using the social fingerprint classifier.

US Pat. No. 9,258,293

SAFE AND SECURE ACCESS TO DYNAMIC DOMAIN NAME SYSTEMS

Symantec Corporation, Mo...

1. A method comprising:
accessing a plurality of host records of a DNS server, wherein
the plurality of host records comprise a plurality of IP addresses, respectively;
categorizing an IP address in each of the plurality of host records as being a first type or not the first type;
adding a domain name of the DNS server to a list of domain names corresponding to a plurality of dynamic DNS (DDNS) service
providers if a total number of host records of the plurality of host records that contain at least one IP address that is
categorized as being the first type, exceeds a predetermined value;

accessing the list in response to receiving a DNS query from a client computer comprising a dynamic domain name;
determining that the dynamic domain name is included in the list;
transmitting the DNS query to a dynamic DNS (DDNS) server, wherein the DNS query comprises the dynamic domain name;
receiving a first type of IP address of the dynamic domain name from the DDNS server;
accessing a map to determine that the first type of IP address is included in the map and maps to a digital certificate; and
returning the first type of IP address to the client computer.

US Pat. No. 9,258,269

METHODS AND SYSTEMS FOR MANAGING DELIVERY OF EMAIL TO LOCAL RECIPIENTS USING LOCAL REPUTATIONS

Symantec Corporation, Mo...

1. A computer-implemented method for managing delivery of email to local recipients, at least a portion of the method being
performed by a computing system comprising at least one processor, the method comprising:
establishing, at a domain-name system, a local reputation for an email sender address;
storing a domain-name-system record associated with the local reputation on the domain-name system;
receiving, at the domain-name system, from a mail-transfer agent as part of a mail-transfer system, a request for the domain-name-system
record associated with the email sender address;

determining, by the domain-name system and based on the local reputation, not to send the domain-name-system record associated
with the email sender address to the mail-transfer agent;

determining, by the mail-transfer system, that a response to the request was not received from the domain-name system;
forming a spam verdict, by the mail-transfer system, of an email sent from the email sender address for which the mail-transfer
system had failed to receive the domain-name-system record;

transmitting, by the mail-transfer agent to the domain-name system, the spam verdict to the domain-name system as feedback;
updating, by the domain-name system, the local reputation based on the spam verdict received from the mail-transfer agent
after the mail-transfer agent failed to receive the domain-name-system record.

US Pat. No. 9,298,914

ENTERPRISE DATA ACCESS ANOMALY DETECTION AND FLOW TRACKING

Symantec Corporation, Mo...

1. A computer implemented method for automatically monitoring access of enterprise data on a plurality of client computers,
thereby detecting anomalous access activity and protecting against leakage of enterprise data, the method comprising the steps
of:
receiving log information from multiple ones of the plurality of client computers, log information received from a specific
client computer identifying specific units of enterprise data accessed on the specific client computer and information concerning
context in which the specific units were accessed;

amalgamating received log information concerning access of specific units of enterprise data on multiple client computers
over a period of time;

performing statistical analysis on amalgamated log information received from multiple client computers and concerning access
of specific units of enterprise data on multiple computers over time, thereby determining at least one access baseline concerning
access of specific units of enterprise data on multiple computers over time for enterprise data over the period of time, by
the computer,

wherein the at least one baseline concerns geographic locations from which a specific unit of enterprise data is accessed
over the period of time, based on amalgamated log information concerning access of the specific unit of enterprise data on
multiple client computers;

detecting an anomalous access of enterprise data as measured against at least one determined access baseline; and
automatically outputting an alert documenting the detected anomalous access in response to detecting the anomalous access
of enterprise data.

US Pat. No. 9,268,958

PREVENTING THE LOSS OF SENSITIVE DATA SYNCHRONIZED WITH A MOBILE DEVICE

Symantec Corporation, Mo...

1. A method comprising:
receiving, by a mobile device executing a viewer proxy, a secure document transformed from an original document format including
sensitive data, wherein the secure document comprises one or more context rules that correspond to the secure document, and
wherein the original document format differs from a format of the secure document;

authenticating, by the mobile device executing the viewer proxy, a user of the mobile device;
determining, by the mobile device executing the viewer proxy in response to authenticating the user, whether the user is authorized
to access the secure document based on the one or more context rules;

identifying, by the mobile device executing the viewer proxy, the original document format for the secure document upon determining
that the user is authorized to access the secure document;

determining, by the mobile device executing the viewer proxy, that an authorized application corresponding to the secure document
is installed on the mobile device; and

providing, by the mobile device executing the viewer proxy and responsive to determining that the authorized application is
installed on the mobile device, the secure document to the authorized application for accessing the sensitive data of the
secure document using the original document format.

US Pat. No. 9,122,503

SYSTEMS AND METHODS FOR ADAPTIVE THROTTLING OF INPUT/OUTPUT REQUESTS IN A VIRTUAL ENVIRONMENT

Symantec Corporation, Mo...

1. A computer-implemented method for adaptive throttling of input/output requests in a virtual environment, at least a portion
of the method being performed by a computing device comprising at least one processor, the method comprising:
monitoring input/output requests sent from a virtual machine to a storage system;
determining a latency of completing one or more of the monitored input/output requests by measuring an amount of time spent
by the virtual machine while completing the monitored input/output request;

determining that the latency of completing the monitored input/output request exceeds a threshold that specifies an additional
amount of time such that the amount of time of the latency is greater than the additional amount of time specified by the
threshold;

reducing, in response to determining that the latency exceeds the threshold, a rate at which an application on the virtual
machine sends input/output requests to the storage system.

US Pat. No. 9,286,369

DATA REPLICATION ACROSS ENTERPRISE BOUNDARIES

Symantec Corporation, Mo...

1. A method, comprising:
receiving a user token identifier and a one-time password from a client device at a first server;
validating the one-time password at the first server based on first verification information stored in a first database, the
first verification information being associated with the user token identifier, wherein the first database is within a first
network;

updating the first verification information in the first database to indicate that the one-time password has been used;
initiating an update to a second database by pushing the first verification information and a site ID of the first database
from the first database to the second database via a first SSL tunnel, wherein the second database is within a second network
that is outside an enterprise boundary of the first network;

initiating an update to the first database by pulling second verification information from the second database to the first
database via a second SSL tunnel; and

updating the first verification information in the first database based on the second verification information pulled from
the second database,

wherein at least one of the second database or the first database resolves which of the first verification information or
second verification information to apply based on at least one of: unique data within the first verification information or
the second verification information, timestamp data within the first verification information or the second verification information,
or an authority assigned to the at least one of the second database or the first database with the first verification information
or the second verification information.

US Pat. No. 9,270,685

SYSTEM TO IDENTIFY MACHINES INFECTED BY MALWARE APPLYING LINGUISTIC ANALYSIS TO NETWORK REQUESTS FROM ENDPOINTS

Symantec Corporation, Mo...

1. A method to identify machines infected by malware, comprising:
determining whether a universal resource locator (URL), in a network request from a computing device, is present in a first
cache coupled to a processor of a server;

determining whether a fully qualified domain name, extracted from the universal resource locator and distinct from the universal
resource locator, is present in a second cache coupled to the processor of the server, in response to determining that the
universal resource locator is not present in the first cache;

evaluating a parent hostname, extracted from the universal resource locator and distinct from the universal resource locator,
as to suspiciousness, in response to determining that the fully qualified domain name is not present in the second cache of
the server, wherein evaluating the parent hostname includes determining whether the parent hostname has a length greater than
a predetermined length; and

indicating the computing device has a likelihood of infection, responsive to one of: the universal resource locator being
present in the first cache of the server with a first indication of suspiciousness, the fully qualified domain name being
present in the second cache of the server with a second indication of suspiciousness, or the evaluating the parent hostname
having a third indication of suspiciousness, wherein at least one method operation is performed by the processor.

US Pat. No. 9,239,843

SCALABLE DE-DUPLICATION FOR STORAGE SYSTEMS

Symantec Corporation, Mo...

1. A method for performing storage system de-duplication, comprising:
accessing a plurality of initial partitions of files of a storage system, wherein each of the plurality of initial partitions
has object properties;

performing a de-duplication on each of the initial partitions;
for each duplicate partition found from the plurality of initial partitions, determining an indicator comprising metadata
that is similar across said each duplicate partition, wherein the metadata is determined based on the object properties of
the initial partitions;

for each of the determined indicators, determining a ratio of the number of times the respective metadata is common across
duplicate partitions of the initial partitions to the number of times the respective metadata is common across non-duplicate
partitions of the initial partitions, wherein the determined indicators having high ratios weighted across all of the initial
partitions are designated as chosen indicators;

generating optimized partitions in accordance with the chosen indicators, wherein the chosen indicators are combined to generate
the optimized partitions, wherein each optimized partition includes a separate de-duplication index structure, wherein each
separate de-duplication index structure is distributed across data servers, and wherein each data server is responsible for
performing de-duplication between a subset of the files according to the separate de-duplication index structure; and

performing a de-duplication on each of the optimized partitions.

US Pat. No. 9,311,481

SYSTEMS AND METHODS FOR CLASSIFYING PACKAGE FILES AS TROJANS

Symantec Corporation, Mo...

1. A computer-implemented method for classifying package files as Trojans, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
detecting a resemblance between an unclassified package file and a known legitimate package file;
determining that the unclassified package file is signed by a different signatory than a signatory that signed the known legitimate
package file;

determining that a feature of the unclassified package file is suspicious, the feature being absent from the known legitimate
package file;

classifying the unclassified package file as a Trojan version of the known legitimate package file based on the unclassified
package file being signed by the different signatory and having the suspicious feature.

US Pat. No. 9,276,947

IDENTIFYING MISUSE OF LEGITIMATE OBJECTS

Symantec Corporation, Mo...

1. A computer-implemented method of identifying suspicious usage of an object, the method comprising:
receiving a query from a client device regarding an object trusted as non-malicious by a security module executing on the
client device, the query including an identifier of the object and a set of usage attributes describing a usage of the object
on the client device;

identifying a set of usage facts associated with the identified object, the set of usage facts describing typical usages of
the identified object on a plurality of client devices;

comparing, by a computer, the set of usage facts associated with the identified object and the set of usage attributes included
in the query from the client device;

responsive to a threshold number of usage attributes from the set of usage attributes not matching the set of usage facts
associated with the identified object, classifying the usage of the identified object on the client device as suspicious;

responsive to the threshold number of usage attributes from the set of usage attributes matching the set of usage facts associated
with the identified object, classifying the usage of the identified object on the client device as non-suspicious; and

providing a report to the client device including the classification of the usage of the identified object on the client device.

US Pat. No. 9,756,007

SYSTEMS AND METHODS FOR DETECTING COMPROMISED MESSAGING ACCOUNTS

Symantec Corporation, Mo...

1. A computer-implemented method for detecting compromised messaging accounts, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
maintaining a behavior database that associates messaging accounts of a plurality of users with messaging behaviors that typify
each messaging account by:

extracting, from each of the messaging accounts, messaging features that describe stylistic and compositional traits of messages
sent by the messaging accounts;

for each messaging account, identifying, based on the extracted messaging features, messaging behaviors that typify the messaging
account by:

determining a frequency with which the messaging account displays at least one messaging behavior;
determining that the frequency with which the messaging account displays the messaging behavior exceeds a frequency with which
at least one other messaging account displays the messaging behavior; and

weighting the messaging behavior based on a comparison between the frequency with which the messaging account displays the
messaging behavior and the frequency with which the other messaging account displays the messaging behavior;

identifying, based on the extracted messaging features, messaging behaviors that do not typify any of the messaging accounts
of the plurality of users by identifying messaging behaviors that are displayed with a similar frequency by at least most
of the messaging accounts of the plurality of users; and

associating, in the behavior database, each of the messaging accounts of the plurality of users with the weighted messaging
behaviors that typify each messaging account and not the messaging behaviors that do not typify any of the messaging accounts
of the plurality of users;

detecting an attempt by a user to send a message from one of the messaging accounts of the plurality of users;
determining, by comparing features of the message with the weighted messaging behaviors associated with the messaging account
in the behavior database, that the messaging account has potentially been compromised; and

in response to the determination that the messaging account has potentially been compromised, verifying that the user is an
owner of the messaging account.

US Pat. No. 9,602,505

DYNAMIC ACCESS CONTROL

Symantec Corporation, Mo...

1. A method for securing data and computer systems, comprising:
receiving, at an intermediary network device, a request from a first client device to connect to a server;
verifying, by the intermediary network device, an identity of the server;
detecting, at the intermediary network device, that the server uses a one-time password (OTP) protocol, wherein detecting
that the server uses an OTP protocol comprises comparing the identity of the server with a list of information identifying
a plurality of servers that use the OTP protocol and associated user-defined policy protocol; and

performing, by the intermediary network device, an action according to the user-defined policy protocol based at least in
part on the detecting, wherein performing the action comprises at least one of:

blocking, at the intermediary network device, a first connection between the first client device and a first computing device
other than the server, the first computing device connected to the first client device via the intermediary network device;
and

allowing, at the intermediary network device, a second connection between the first client device and a second computing device
other than the server, the second computing device connected to the first client device via the intermediary network device.

US Pat. No. 9,292,371

SYSTEMS AND METHODS FOR PREVENTING FAILURES OF NODES IN CLUSTERS

Symantec Corporation, Mo...

1. A computer-implemented method for preventing failures of nodes in clusters, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
identifying a node that is part of a cluster of nodes and that communicates, via a heartbeat sent at a regular interval to
the cluster of nodes, that the node is functional and connected to the cluster of nodes;

calculating a current workload being processed by the node based on a utilization of computing resources on the node;
determining, based on the current workload, that:
the node is functional and connected but is in an excessive load condition due to the current workload; and
a failure by the node to send the heartbeat within the regular interval is due to the excessive load condition; and
dynamically setting a new interval for the heartbeat of the node that is longer than the regular interval for the heartbeat
in response to determining that the node cannot send the heartbeat at the regular interval due to the excessive load condition.

US Pat. No. 9,275,129

METHODS AND SYSTEMS TO EFFICIENTLY FIND SIMILAR AND NEAR-DUPLICATE EMAILS AND FILES

Symantec Corporation, Mo...

1. A method comprising:
receiving a plurality of documents, each document in the plurality of documents having a plurality of terms;
for each document in the plurality of documents:
generating, by a processor, a first set of trigrams, each trigram in the first set of trigrams being a sequence of terms,
and

determining a second set of trigrams based on the first set of trigrams for the document and first filter criteria to filter
the first set of trigrams for the document for a predetermined number of most frequently occurring trigrams, the second set
of trigrams being a smaller subset of the first set of trigrams for the document, the second set of trigrams comprising a
trigram that satisfies the first filter criteria; and

generating a full text index indexing the second set of trigrams for the plurality of documents;
generating a query into the full text index for the plurality of documents indexing the second set of trigrams for each document
in the plurality of documents based on a third set of trigrams associated with a new document; and

identifying, in response to the query into the full text index, a set of documents in the plurality of documents that are
substantially similar to the new document by identifying matching trigrams between the third set of trigrams and the second
set of trigrams indexed in the full text index.

US Pat. No. 9,292,691

SYSTEMS AND METHODS FOR PROTECTING USERS FROM WEBSITE SECURITY RISKS USING TEMPLATES

Symantec Corporation, Mo...

1. A computer-implemented method for protecting users from website security risks using templates, at least a portion of the
method being performed by a computing device comprising at least one microprocessor, the method comprising:
identifying a section of a website, the section being arranged according to a template that defines a layout for the website;
identifying a profile for the section that includes an attribute specific to the section, the attribute indicating whether
content for the section of the website is non-malicious as distinct from indicating whether content for the entire website
is non-malicious;

identifying content placed within the section of the website in accordance with the template that defines the layout for the
website;

determining, by the computing device, whether the identified content is non-malicious by comparing the attribute specified
in the profile for the section of the website to an attribute of the content placed within the section of the website.

US Pat. No. 9,275,226

SYSTEMS AND METHODS FOR DETECTING SELECTIVE MALWARE ATTACKS

Symantec Corporation, Mo...

1. A computer-implemented method for detecting selective malware attacks, the method comprising:
identifying a website visited by a first device operating at a first location, wherein a number of visits to the website satisfies
a predetermined threshold;

identifying a low prevalence file based on a web crawl of the identified website performed by the first device at the first
location, wherein the low prevalence file comprises a file unclassified by a predetermined server;

determining whether a web crawl of the identified website performed by the predetermined server results in the predetermined
server detecting the low prevalence file;

determining whether a web crawl of the identified website performed by a second device operating at a second location results
in the second device detecting the low prevalence file;

analyzing, by at least one of the first device, second device, and the predetermined server, results of the web crawls to
determine whether the identified website distributes a malicious software attack designed to selectively attack visitors to
the website; and

upon determining the low prevalence file is detected by the second device and not detected by the predetermined server, generating
a notification comprising an alert that the identified website is suspected of distributing a malicious software attack designed
to target the first device.

US Pat. No. 9,396,328

DETERMINING A CONTRIBUTING ENTITY FOR A WINDOW

Symantec Corporation, Mo...

1. A method of presenting content indicative of one or more entities which contributed to a window being displayed using a
processing system, wherein the method comprises:
(a) setting the window as a starting entity, wherein the window comprises a webpage being displayed by an internet browser,
the webpage having a uniform resource locator (URL);

(b) determining one or more properties of the starting entity, the one or more properties including the URL of the webpage;
(c) identifying, using the one or more properties and at least one rule, the one or more entities related to the starting
entity which contributed to the window being displayed, wherein identifying the one or more entities comprises:

identifying a registry entry that corresponds to the starting entity based at least in part on a determination that a value
of the registry entry corresponds to the URL of the webpage;

determining a timestamp associated with the registry entry;
identifying one or more files of the processing system with timestamps within a predetermined range of the timestamp associated
with the registry entry; and

indicating each identified file as a contributing entity;
(d) determining, for each of the one or more entities related to the starting entity, whether a direct link or an indirect
link exists from a related entity to the starting entity;

(e) determining a link distance value between the starting entity and each of the one or more entities related to the starting
entity;

(f) determining, for each of the one or more entities related to the starting entity, a threat value based at least in part
on one or more characteristics of a respective entity related to the starting entity, wherein the one or more characteristics
of the respective entity related to the starting entity comprise at least a frequency of connecting to a remote network address
within the predetermined range of the timestamp associated with the registry entry;

(g) determining a weighted value for each of the one or more entities related to the starting entity, wherein the weighted
value comprises at least the link distance value;

(h) identifying whether each of the one or more entities related to the starting entity is malicious or non-malicious, wherein
the identification comprises determining whether the threat value is below a threshold value; and

(i) providing to a user, using the processing system, content indicative of the one or more entities which contributed to
the window being displayed, the content including the determined threat value for each of the one or more related entities.

US Pat. No. 9,246,933

SYSTEMS AND METHODS FOR DETECTING MALICIOUS EMAIL ATTACHMENTS

Symantec Corporation, Mo...

1. A computer-implemented method for detecting malicious email attachments, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
identifying a shortcut file received as an attachment to an email, wherein the shortcut file is configured to open a target
file;

analyzing the shortcut file by parsing one or more sections of the shortcut file to identify a command line argument that
applies to the target file, wherein the command line argument comprises information about the target file useful for determining
whether text accurately characterizes the shortcut file;

identifying accompanying text in the email that characterizes the attachment;
determining that the attachment is malicious by:
comparing the command line argument that applies to the target file with the accompanying text in the email that characterizes
the attachment;

based on the comparison, determining that the accompanying text does not accurately characterize the shortcut file.

US Pat. No. 9,317,692

SYSTEM AND METHOD FOR VULNERABILITY RISK ANALYSIS

Symantec Corporation, Mo...

1. A method for analyzing risk, the method comprising:
accessing, within an electronic system, host configuration information of a host;
querying a vulnerability database based on said host configuration information;
receiving a list of vulnerabilities, wherein said list of vulnerabilities corresponds to vulnerabilities of said host;
accessing a plurality of vulnerability scores for said host and at least one software product of said host, wherein said plurality
of vulnerability scores measure access vulnerability and vulnerability impact, and wherein said host and said at least one
software product of said host are respectively associated with more than one of said plurality of vulnerability scores;

determining a composite risk score for at least one of said host and said at least one software product of said host based
on said plurality of vulnerability scores, wherein said composite risk score measures at least in part a severity reflecting
that an exploited vulnerability is needed by an attacker to compromise at least one of said host and said at least one software
product of said host, and wherein said composite risk score is based on a highest vulnerability score among the more than
one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one
software product of said host;

determining an aggregate risk score for at least one of said host and said at least one software product of said host based
on said plurality of vulnerability scores, wherein said aggregate risk score measures at least in part a number of options
available to said attacker for compromising at least one of said host and said at least one software product of said host,
and wherein said aggregate risk score is based on a summation among the more than one of said plurality of vulnerability scores
respectively associated with at least one of said host and said at least one software product of said host;

generating a graph representing said at least one software product of said host, wherein nodes of said graph represent software
states of said at least one software product, wherein edges of said graph represent vulnerabilities detected in said at least
one software product, wherein a path through said graph begins at a start node having relatively lower access vulnerability,
and wherein said path ends at an end node having relatively higher vulnerability impact; and

determining a risk score based on said path through said graph and at least one of said composite risk score and said aggregate
risk score.

US Pat. No. 9,268,940

SYSTEMS AND METHODS FOR ASSESSING INTERNET ADDRESSES

Symantec Corporation, Mo...

1. A computer-implemented method for assessing Internet addresses, at least a portion of the method being performed by a computing
device comprising at least one processor, the method comprising:
identifying an Internet Protocol address;
identifying a plurality of files downloaded from the Internet Protocol address via a plurality of Internet sites that resolve
to the Internet Protocol address;

generating an aggregation of security assessments that relates to the Internet Protocol address and that is based at least
in part on a security assessment of each of the plurality of files, wherein generating the aggregation comprises determining
a distribution identifying how the security assessments are distributed across the plurality of Internet sites;

determining a trustworthiness of the Internet Protocol address based at least in part on the aggregation of security assessments
by attributing the aggregation of security assessments to the trustworthiness of the Internet Protocol address as opposed
to attributing the security assessments to the plurality of Internet sites by:

determining that a subset of the plurality of Internet sites accounts for at least a predetermined amount of usage of the
Internet Protocol address;

determining, based on the distribution, that a concentration of negative security assessments within the subset of the plurality
of Internet sites falls below a predetermined threshold;

facilitating a security action based at least in part on the trustworthiness of the Internet Protocol address.

US Pat. No. 9,246,931

COMMUNICATION-BASED REPUTATION SYSTEM

Symantec Corporation, Mo...

1. A computer-implemented method of providing security against a first entity that communicates with a host, the method comprising:
identifying reputation information indicating reputations of second entities that communicate with the host;
generating a host reputation score indicating a reputation of the host based on the reputation information indicating reputations
of the second entities that communicate with the host;

generating, by a computer, an entity reputation score indicating a likelihood that the first entity that communicates with
the host is malware based on the host reputation score indicating the reputation of the host, the first entity comprising
a file or software application that communicates with the host when executing on a first client;

and transmitting the entity reputation score to the first client for malware remediation.

US Pat. No. 9,317,679

SYSTEMS AND METHODS FOR DETECTING MALICIOUS DOCUMENTS BASED ON COMPONENT-OBJECT REUSE

Symantec Corporation, Mo...

1. A computer-implemented method for detecting malicious documents based on component-object reuse, at least a portion of
the method being performed by at least one computing device comprising at least one processor, the method comprising:
identifying, by the at least one computing device, a plurality of malicious digital documents that contain malware;
extracting, by the at least one computing device, a plurality of benign digital component objects from the plurality of malicious
digital documents, wherein each benign digital component object from the plurality of benign digital component objects is:

contained within at least one malicious digital document from the plurality of malicious digital documents;
not known to contain malware;
receiving, by the at least one computing device from a digital-document source device, an unknown digital document that is
not known to be malicious or benign and that comprises:

at least one benign digital component object that is benign;
at least one malicious digital component object that is malicious;
extracting, by the at least one computing device, the benign digital component object from the unknown digital document;
determining, by the at least one computing device, that the benign digital component object extracted from the unknown digital
document matches one of the plurality of benign digital component objects;

determining, by the at least one computing device based at least in part on the benign digital component object extracted
from the unknown digital document matching one of the plurality of benign digital component objects, that an attacker likely
reused the benign digital component object extracted from the unknown digital document to create the unknown digital document;

disarming, by the at least one computing device, the malicious digital component object of the unknown digital document by
performing a security action on the unknown digital document based at least in part on determining that an attacker likely
reused the benign digital component object extracted from the unknown digital document to create the unknown digital document.

US Pat. No. 9,055,059

COMBINING MULTIPLE DIGITAL CERTIFICATES

Symantec Corporation, Mo...

1. A method comprising:
receiving, by at least one hardware processor, data from a first certificate and data from a second certificate;
determining, by the hardware processor, a certificate combination date, the certificate combination date directing a combining
of the first certificate and the second certificate to form a combined certificate;

detecting, by the hardware processor, an occurrence of the certificate combination date; and
combining, by the hardware processor, the first certificate and the second certificate to form the combined certificate in
response to detecting the occurrence of the certificate combination date.

US Pat. No. 9,256,739

SYSTEMS AND METHODS FOR USING EVENT-CORRELATION GRAPHS TO GENERATE REMEDIATION PROCEDURES

Symantec Corporation, Mo...

1. A computer-implemented method for using event-correlation graphs to generate remediation procedures, at least a portion
of the method being performed by at least one computing device comprising at least one processor, the method comprising:
detecting, by the at least one computing device, a suspicious event involving a first actor within a computing system, wherein
the suspicious event could not be individually classified as definitively malicious;

constructing, by the at least one computing device in response to detecting the suspicious event involving the first actor,
an event-correlation graph, wherein:

the event-correlation graph comprises at least:
a first node that represents the first actor;
a second node that represents a second actor; and
an edge that interconnects the first node and the second node and represents an additional suspicious event involving the
first actor and the second actor;

each suspicious event represented in the event-correlation graph could not be individually classified as definitively malicious;
calculating, by the at least one computing device based at least in part on the additional suspicious event involving the
first actor and the second actor, an attack score for the event-correlation graph;

determining that the attack score is greater than a predetermined threshold;
determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious
event comprises an attack on the computing system;

using the event-correlation graph to generate a procedure for remediating an effect of the attack on the computing system.

US Pat. No. 9,244,932

RESOLVING REPARSE POINT CONFLICTS WHEN PERFORMING FILE OPERATIONS

Symantec Corporation, Mo...

1. A method comprising:
receiving a request to perform a file operation on a file, wherein
the file operation includes generation of a reparse point associated with the file;
in response to receipt of the request, detecting a reparse point conflict, wherein
the detecting the reparse point conflict indicates that performing the file operation would cause existence of a plurality
of reparse points associated with the file,

the detecting is performed prior to performing the file operation, and
the plurality of reparse points comprises the reparse point and an existing reparse point associated with the file; and
in response to the detection of the reparse point conflict, resolving the reparse point conflict.

US Pat. No. 9,208,450

METHOD AND APPARATUS FOR TEMPLATE-BASED PROCESSING OF ELECTRONIC DOCUMENTS

Symantec Corporation, Mo...

1. A method for processing electronic documents comprising:
obtaining an electronic document being sent over a network toward a destination;
analyzing text content of the electronic documents to identify whether the electronic document matches any of a plurality
of predefined document templates, wherein the electronic document conforms to a structure of at least one of the plurality
of predefined document templates, and wherein the analyzing comprises executing at least one machine learning algorithm, the
at least one machine learning algorithm trained using at least one sample electronic document having a predefined template;

obtaining a document loss prevention (DLP) policy based on the at least one predefined document template associated with the
electronic document, wherein the DLP policy defines at least one rule to block sending of at least one of the electronic documents
if the at least one of the electronic documents matches any of the plurality of predefined document templates; and

selectively allowing the electronic document to continue toward the destination based on the DLP policy.

US Pat. No. 9,332,003

SYSTEMS AND METHODS FOR DISCOVERING WEBSITE CERTIFICATE INFORMATION

Symantec Corporation, Mo...

1. A computer-implemented method for discovering website certificate information, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
receiving, from a plurality of computing devices within a community of users, information that identifies certificate statuses
of websites visited by the computing devices, wherein each of the computing devices comprises an instance of the same security
software;

identifying, by analyzing the information received from the plurality of computing devices within the community of users,
at least one issue with a certificate status of at least one website visited by at least one of the computing devices; and

performing at least one remedial action in an attempt to correct the issue with the certificate status of the website.

US Pat. No. 9,203,815

SYSTEMS AND METHODS FOR SECURE THIRD-PARTY DATA STORAGE

Symantec Corporation, Mo...

1. A computer-implemented method for secure third-party data storage,
at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
receiving, at a server-side computing system, a long poll request from a client system;
identifying, at the server-side computing system, a data access request from the client system to access an encrypted file
stored under a user account, wherein the requested access requires decryption of the encrypted file, wherein the data access
request is subsequent to the long poll request;

identifying, in reaction to the data access request, an asymmetric key pair designated for the user account, the asymmetric
key pair comprising an encryption key and a decryption key that has been encrypted with a client-side key;

responding to the long poll request, in reaction to the data access request, with a message notifying the client system to
transmit the client-side key;

receiving, from the client system, the client-side key;
decrypting the decryption key with the client-side key; and
using the decryption key to access an unencrypted version of the encrypted file.

US Pat. No. 9,356,941

SYSTEMS AND METHODS FOR DETECTING SUSPICIOUS WEB PAGES

Symantec Corporation, Mo...

1. A computer-implemented method for detecting suspicious web pages, at least a portion of the method being performed by a
computing device comprising at least one processor, the method comprising:
identifying a plurality of malicious web pages;
training a classification model for identifying suspicious web pages that comprises one or more classification algorithms
using:

features of the plurality of malicious web pages;
features of a web-page link graph that comprises at least:
a plurality of nodes, wherein each node within the plurality of nodes represents one of the plurality of malicious web pages;
a plurality of edges that join the plurality of nodes and that represent links between web pages represented within the web-page
link graph, wherein the one or more classification algorithms are configured to classify web pages as suspicious;

identifying a website after the classification model has been trained;
classifying a first web page of the website and a second web page of the website as suspicious using the classification model;
determining that a probability of maliciousness of the first web page is greater than a probability of maliciousness of the
second web page;

in response to classifying the first web page and the second web page as suspicious and based at least in part on the probability
of maliciousness of the first web page being greater than the probability of maliciousness of the second web page:

selectively applying heavy analysis to the first web page and the second web page in order to conserve system resources of
a monitored computer environment by:

executing the first web page within the monitored computer environment to determine whether the first web page is malicious;
refraining from executing the second web page within the monitored computer environment to determine whether the second web
page is malicious;

detecting a malicious behavior of the first web page resulting from executing the first web page;
classifying the website as malicious based on detecting the malicious behavior of the first web page;
when the website is classified as malicious, updating the classification model by updating the web-page link graph and the
one or more classification algorithms based at least in part on the website having been classified as malicious.

US Pat. No. 9,321,969

SYSTEMS AND METHODS FOR ENABLING USERS OF SOCIAL-NETWORKING APPLICATIONS TO INTERACT USING VIRTUAL PERSONAS

Symantec Corporation, Mo...

1. A computer-implemented method for enabling users of social-networking applications to interact using virtual personas,
at least a portion of the method being performed by at least one physical computing device comprising at least one hardware
processor, the method comprising:
creating, by the physical computing device, a social-networking identity associated with a user of a social-networking application;
creating, by the physical computing device and as part of the user's social-networking identity, a plurality of virtual personas
that represent different real-life roles of the user, the plurality of virtual personas comprising:

a first virtual persona of the user;
a second virtual persona of the user;
after creating the user's virtual personas, receiving a request at the physical computing device to establish a social-networking
relationship between the first virtual persona and another user of the social-networking application;

in response to receiving the request, directing the social-networking application by the physical computing device to establish
the social-networking relationship between the first virtual persona and the other user without establishing a social-networking
relationship between the second virtual persona and the other user;

defining, by the physical computing device and based at least in part on input from the user of the social-networking application,
a first geo-location associated with the first virtual persona and a second geo-location associated with the second virtual
persona;

upon defining the first and second geo-locations:
enabling the user to share, under the first virtual persona, at least one content instance that identifies the user's location
while the user is located at the first geo-location;

preventing the user from sharing, under the second virtual persona, the content instance that identifies the user's location
while the user is located at the first geo-location due at least in part to the first geo-location being associated with the
first virtual persona and not being associated with the second virtual persona;

associating at least one photograph previously shared via the social-networking application with the first virtual persona
by:

enabling the user to assume the first virtual persona within the social-networking application;
after the user has assumed the first virtual persona:
identifying a tag request submitted by the user to tag the user in the photograph previously shared via the social-networking
application;

ensuring that the user's tag in the photograph is associated with the first virtual persona and not associated with the second
virtual persona due at least in part to the user having assumed the first virtual persona prior to submitting the tag request.

US Pat. No. 9,182,982

TECHNIQUES FOR CREATING AN ENCRYPTED VIRTUAL HARD DISK

Symantec Corporation, Mo...

1. A method for encrypting a virtual hard disk comprising:
creating a volume of data stored on at least one drive to be mounted onto the virtual hard disk at a client;
encrypting the volume of data using a predetermined encryption algorithm;
mounting, via at least one computer processor, the encrypted volume of data onto the virtual hard disk at the client;
storing at least one bootable component on the virtual hard disk;
booting from the virtual hard disk based on the at least one bootable component stored on the virtual hard disk;
authenticating an encryption password; and
changing the client from a booting environment to a different operating environment after the encryption password has been
authenticated.

US Pat. No. 9,148,479

SYSTEMS AND METHODS FOR EFFICIENTLY DETERMINING THE HEALTH OF NODES WITHIN COMPUTER CLUSTERS

Symantec Corporation, Mo...

1. A computer-implemented method for efficiently determining the health of nodes within computer clusters, at least a portion
of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying a computer cluster that comprises a plurality of nodes configured to provide continuous availability of at least
one application;

identifying a plurality of operating system kernels installed on the plurality of nodes, each operating system kernel representing
part of an operating system installed on a node within the plurality of nodes and facilitating communication between the node's
hardware and software;

configuring at least one operating system kernel within the plurality of operating system kernels to:
asynchronously monitor performance of the node on which the operating system kernel is installed;
determine, based at least in part on the node's performance, whether the node is healthy to execute the application;
after configuring the operating system kernel installed on the node, receiving a notification generated by the operating system
kernel in response to a change in an operating status of the node, the notification indicating that the node is not healthy
to execute the application;

in response to receiving the notification, performing at least one action configured to enable the computer cluster to reduce
application downtime despite the unhealthy node.

US Pat. No. 9,300,478

SPLITTING CERTIFICATE STATUS RESPONSES EVENLY ACROSS MULTIPLE DISTRIBUTED CERTIFICATE STATUS RESPONDERS

Symantec Corporation, Mo...

1. A method for responding to requests to determine a validity status of a digital certificate, the method comprising:
receiving, by a first response server, a request to provide a status of a digital certificate from a requesting client;
evaluating the request to identify a response server, of a plurality of response servers, assigned to process the request;
upon determining the identified response server is the first response server, sending a certificate status validity message
corresponding to the request to the requesting client; and

otherwise, forwarding the request to the identified response server, wherein the identified response server sends the certificate
status validity message, which indicates the certificate status as being either valid or invalid, to the requesting client.

US Pat. No. 9,235,486

TECHNIQUES FOR SPARE STORAGE POOL MANAGEMENT

Symantec Corporation, Mo...

1. A method for spare storage pool management comprising:
receiving spare storage configuration information for a storage drive pool comprising a plurality of storage drives;
maintaining spare storage mapping information to spare storage within the storage drive pool based at least in part on the
spare storage configuration information;

monitoring spare storage within the storage drive pool for detecting block failures within the storage drive pool;
detecting a failure of a block in a first storage drive of the plurality of storage drives; and
updating the spare storage mapping information associated with the failed block in the first storage drive to map to a spare
block in a second storage drive of the plurality of storage drives, wherein the updating further comprises determining that
mapping to the spare block of the second storage drive provides a higher fault tolerance for the storage drive pool than a
mapping to a second spare block of the first storage drive.

US Pat. No. 9,218,256

SYSTEMS AND METHODS FOR SHIPPING I/O OPERATIONS TO PREVENT REPLICATION FAILURE

Symantec Corporation, Mo...

1. A computer-implemented method for shipping I/O operations to prevent replication failure, at least a portion of the method
being performed by a computing device comprising at least one processor, the method comprising:
attempting to perform an I/O operation in a replication system configured to replicate data from a data cluster to another
data cluster, the replication system comprising a log maintenance node that maintains a replication log for replication;

detecting a failure in at least part of the attempt to perform the I/O operation that threatens to fail the replication system's
replication of data from the data cluster to the other data cluster, the replication system being configured in a synchronous
mode that attempts to perform arriving I/O operations through the log maintenance node;

determining that the I/O operation constitutes a replication I/O operation associated with the replication system's replication
of data from the data cluster to the other data cluster as opposed to an application I/O operation associated with servicing
an application, performance-related criteria indicating that application I/O is more time sensitive than replication I/O;

shipping the I/O operation, based at least in part on the detecting the failure in at least part of the attempt to perform
the I/O operation that threatens to fail the replication system's replication of data from the data cluster to the other data
cluster, from the log maintenance node to another node within the same data cluster to complete the I/O operation without
failing the replication system's replication of data from the data cluster to the other data cluster.

US Pat. No. 9,135,002

SYSTEMS AND METHODS FOR RECOVERING AN APPLICATION ON A COMPUTING DEVICE

Symantec Corporation, Mo...

1. A computer-implemented method for recovering an application having a plurality of processes, comprising:
assigning a first priority level to a first process that interacts with the application, wherein the first process is a first
plug-in application running on a computing device and loaded onto the computing device by a process loader associated with
the application;

assigning a second priority level to a second process that interacts with the application, wherein the second process is a
second plug-in application running on the computing device and loaded onto the computing device by the process loader associated
with the application;

determining if the first process shares the first priority level with at least one additional process;
upon determining that the first process shares the first priority level with at least one additional process, assigning a
category label to the first process;

monitoring a state of the application;
determining the state of the application is unstable;
selecting the first process to disable upon determining that the first priority level assigned to the first process is lower
than the second priority level assigned to the second process, wherein the first process is selected based at least in part
on randomly selecting the category label assigned to the first process if the first process shares the first priority level
with the at least one additional process;

disabling the first process that is assigned the first priority level;
upon disabling at least the first process, rebooting the process loader to regain functionalities of at least the first process;
determining whether the state of the application remains unstable; and
upon determining the application is returned to a stable state, re-enabling the first process.

US Pat. No. 9,418,222

TECHNIQUES FOR DETECTING ADVANCED SECURITY THREATS

Symantec Corporation, Mo...

1. A method for detecting a security threat comprising:
receiving resource information from a backend server via a network indicating a defined resource to be generated on a plurality
of clients, wherein the defined resource to be generated is specified by the backend server based on at least one computing
resource characteristic and at least one known usage of at least a first client of the plurality of clients, and wherein the
first client is separate from the backend server and associated with a known threat;

generating the defined resource at the plurality of clients respectively based on the received resource information, wherein
the defined resource is a decoy resource different from the received resource information and monitored differently from other
client resources;

implementing the decoy resource automatically on each respective client of the plurality of clients, wherein the implemented
decoy resource simulates on the respective client one of a physical computing resource of at least the first client and a
virtualized computing resource of at least the first client available to applications executing on at least the first client;

monitoring system behavior of the respective client having the decoy resource implemented thereon;
determining by the respective client whether a security event involving the implemented decoy resource has occurred based
on the monitored system behavior of the respective client including the at least one computing characteristic and the at least
one known usage of at least the first client; and

generating a report at the respective client including detailed information regarding the security event and the monitored
system behavior of the respective client when it has been determined that the security event has occurred and sending the
report to the backend server.

US Pat. No. 9,332,022

SYSTEMS AND METHODS FOR DETECTING SUSPICIOUS INTERNET ADDRESSES

Symantec Corporation, Mo...

1. A computer-implemented method for detecting suspicious Internet addresses, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
monitoring Internet communications of an entity;
compiling an Internet-address history for the entity that comprises one or more Internet addresses involved in the Internet
communications of the entity;

after compiling the Internet-address history for the entity:
detecting an additional Internet address that may be used in future Internet communications involving the entity;
computing a lexical similarity between characters of the additional Internet address and characters of at least one Internet-address
in the Internet-address history;

determining that the lexical similarity indicates that the additional Internet address is suspicious;
performing a security action in response to determining that the lexical similarity indicates that the additional Internet
address is suspicious.

US Pat. No. 9,240,891

HYBRID AUTHENTICATION

Symantec Corporation, Mo...

1. A method comprising:
receiving, at an authentication device from a user, wherein the authentication device is a mobile device, a first personal
identification number;

retrieving a first cryptographic key from a removable memory coupled to the authentication device, wherein the removable memory
is a subscriber identity module (SIM) card;

generating, at the authentication device, an authentication code based upon the first personal identification number and the
first cryptographic key;

providing the authentication code to an authentication server;
receiving at the authentication device from the authentication server a second personal identification number through an electronic
communication interface coupling the authentication device to the authentication server in response to a correct authentication
code, wherein the second personal identification number is different from the first personal identification number; and

replacing the entire first personal identification number with the second personal identification number at the authentication
device, wherein the second personal identification number is later used to authenticate the user.

US Pat. No. 9,448,826

ENFORCING POLICY-BASED COMPLIANCE OF VIRTUAL MACHINE IMAGE CONFIGURATIONS

Symantec Corporation, Mo...

1. A method for enforcing policy-based compliance in launching a virtual machine image configuration, the method comprising:
receiving a request to launch a virtual machine image having a plurality of attributes, wherein the request specifies at least
a first storage volume to attach to the launched virtual machine image, wherein the first storage volume stores data accessible
to the launched virtual machine image once attached, and wherein the first storage volume has associated metadata indicating
a measure of sensitive of data on the first storage volume;

evaluating the virtual machine image identified in the request and the metadata associated with the first storage volume to
determine whether the request conforms to a policy; and

upon determining that the virtual machine image identified in request conforms to a policy, forwarding the request to a cloud
management platform, wherein the cloud management platform launches the virtual machine image and attaches the launched virtual
machine image to the first storage volume.

US Pat. No. 9,438,560

SYSTEMS AND METHODS FOR AUTOMATICALLY APPLYING FIREWALL POLICIES WITHIN DATA CENTER APPLICATIONS

Symantec Corporation, Mo...

1. A computer-implemented method for automatically applying firewall policies within data center applications, at least a
portion of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying a data center application whose functionality is provided by a set of systems;
organizing, automatically by the computing device, the set of systems into one or more application model groups that each
comprise a group of applications with a same security context by, for each system in the set of systems:

identifying an attribute of the system within the set of systems that is indicative of a security context under which the
system should operate;

assigning the system to an application model group for which the security context will be provided;
for each application model group in the one or more application model groups, protecting the application model group by:
selecting a firewall configuration that, when applied, will provide the security context for the application model group based
at least in part on correlating metadata about the firewall configuration with the application model group;

using the selected firewall configuration to protect the application model group.

US Pat. No. 9,323,518

SYSTEMS AND METHODS FOR MODIFYING APPLICATIONS WITHOUT USER INPUT

Symantec Corporation, Mo...

1. A computer-implemented method for modifying applications without user input, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
prompting a user of the computing device to enable permissions on the computing device required by an accessibility service
that provides user interface enhancements for disabled individuals on an operating system installed on the computing device;

after the permissions are enabled, identifying a need to modify at least one application on the computing device based on
an administrator-defined policy associated with the application;

in response to identifying the need to modify the application based on the administrator-defined policy, removing the user's
control of the computing device to prevent the user from interfering with the modification;

after removing the user's control of the computing device:
initiating modification of the application on the computing device;
while the application is being modified, monitoring event notifications generated by the accessibility service;
determining, based on an analysis of an event notification generated by the accessibility service, that the user of the computing
device is prompted, on the computing device, to enable permissions necessary to modify the application;

in response to determining that the user is prompted to enable the permissions, automatically enabling the permissions via
the accessibility service in order to complete the modification of the application.

US Pat. No. 9,298,445

SYSTEMS AND METHODS FOR CORRELATING SOFTWARE INVENTORY INFORMATION WITH DELIVERED SOFTWARE

Symantec Corporation, Mo...

1. A computer-implemented method for correlating software inventory information with delivered software, at least a portion
of the method being performed by a computing device comprising at least one processor, the method comprising:
delivering, from a client-management system to a first client system, an update to a previously installed software entity;
receiving, at the client-management system, from an agent that monitors installations on the first client system, application
registration information written to the first client system during installation of the update;

identifying, at the client-management system, delivery information from the client-management system, wherein:
the delivery information identifies the update;
the delivery information comprises a first delivery key that identifies at least one of a vendor name, a product name, or
a product version of the update;

the delivery information does not match the application registration information;
associating, at the client-management system, the application registration information with the delivery information by creating
a second delivery key that includes at least a portion of the application registration information, wherein associating the
application registration information with the delivery information comprises associating the application registration information
with the previously installed software entity;

delivering, from the client-management system, the update to a second client system by deploying the update to the second
client system with both the first delivery key and the second delivery key such that delivering the update to the second client
system does not result in duplicate application registration information being provided for the update in a registration area
of the second client system as a result of the delivery information not matching an instance of the application registration
information written to the second client system during installation of the update on the second client system.

US Pat. No. 9,185,081

FORMAT FRIENDLY ENCRYPTION

SYMANTEC CORPORATION, Mo...

1. A method for encrypting a first application data file, the method comprising:
determining, by operation of a processor, a file format of the first application data file;
encrypting the first application data file;
selecting a second application data file template having a file format matching the file format of the first application data
file, wherein a placeholder image is embedded in the second application data file template;

storing the first application data file as encrypted content in an image file container, wherein storing the first application
data file as the encrypted content in the image file container comprises:

generating the image file container having a first image format, and
embedding the encrypted content, as image data, in the image file container;
replacing the placeholder image in the second application data file template with the image file container storing the first
application data file as encrypted content;

embedding, in the second application data file template, textual instructions for accessing the encrypted content; and
generating a second application data file from the second application data file template, wherein the textual instructions
are presented to users when accessing the second application data file.

US Pat. No. 9,110,918

SYSTEMS AND METHODS FOR MEASURING COMPLIANCE WITH A RECOVERY POINT OBJECTIVE FOR AN APPLICATION

Symantec Corporation, Mo...

1. A computer-implemented method for measuring compliance with a recovery point objective for an application, at least a portion
of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying a set of mount points on a primary site written to by the application;
identifying a secondary site used for asynchronous replication of the primary site;
periodically updating a time value on each mount point in the set of mount points on the primary site;
for each mount point in the set of mount points, measuring a replication lag by calculating a difference between the time
value on the mount point and a replication of the time value on a corresponding mount point on the secondary site.

US Pat. No. 9,390,128

DATASTORE FOR STORING FILE ACCESS EVENT DATA

Symantec Corporation, Mo...

1. A method, comprising:
a computer system receiving one or more access event logs from a first set of one or more storage devices, each access event
log including access event records of access events to files stored on at least one of the first set of one or more storage
devices, wherein each record includes one or more values for access event attributes; and

the computer system using the access event records to store a plurality of segment files on a second set of one or more storage
devices, wherein a first of the plurality of segment files includes access event data from a subset of the access event records
associated with access events occurring during a first interval, and wherein a second of the plurality of segment files includes
access event data from a subset of the access events records associated with access events occurring during a second interval
distinct from the first interval; and

wherein the access event data in the first segment file is arranged such that the access event data is able to be queried
for a name of a user that accessed one or more of the files on the at least one storage device.

US Pat. No. 9,300,691

SYSTEMS AND METHODS FOR ENFORCING SECURE NETWORK SEGMENTATION FOR SENSITIVE WORKLOADS

Symantec Corporation, Mo...

1. A computer-implemented method for enforcing secure network segmentation for sensitive workloads, at least a portion of
the method being performed by a computing device comprising at least one processor, the method comprising:
identifying a sensitive workload that is deployed within a subnet of a segmented network that is segmented within a remote
workload hosting platform;

identifying a security policy that applies to the sensitive workload, wherein a deployment of the sensitive workload within
the subnet of the segmented network complies with the security policy;

intercepting, at a proxy outside the segmented network, an attempt from outside the segmented network to reconfigure the deployment
of the sensitive workload within the segmented network on the remote workload hosting platform, wherein the attempt to reconfigure
the deployment of the sensitive workload comprises an attempt to move the sensitive workload from the subnet to an additional
subnet within the segmented network;

determining that the attempt to reconfigure the deployment of the sensitive workload could result in a violation of the security
policy based on a conflict between a configuration of the additional subnet and the security policy that applies to the sensitive
workload;

enforcing, on the proxy, the security policy on the attempt to reconfigure the deployment of the sensitive workload.

US Pat. No. 9,275,065

BEHAVIORAL ENGINE FOR IDENTIFYING ANOMALOUS DATA ACCESS PATTERNS

Symantec Corporation, Mo...

1. A method comprising:
receiving, from a data loss prevention (DLP) agent running on an endpoint device, data access records by a processing device
executing a DLP server;

determining, by the processing device, a data access behavior pattern for at least one of a file or a directory based on the
data access records, wherein the data access behavior pattern is user independent;

receiving, by the processing device, a confirmation request from the DLP agent that has blocked an access event for at least
one of the file or directory on a local storage device of the endpoint device on which the DLP agent runs, the confirmation
request comprising a new data access record associated with the blocked access event;

identifying deviation from the data access behavior pattern based on the new data access record;
determining, based on the data access behavior pattern and the new data access record, a risk rating indicating a risk that
the access event represents malicious activity;

responsive to determining that the deviation is below a threshold, sending a confirmation message to the DLP agent, the confirmation
message comprising an instruction to permit the access event for at least one of the file or the directory on the local storage
device of the endpoint device; and

responsive to determining that the deviation exceeds the threshold, generating an alert indicating that data access activity
for at least one of the file or the directory has deviated from the data access behavior pattern, wherein the alert comprises
the risk rating.

US Pat. No. 9,262,646

SYSTEMS AND METHODS FOR MANAGING WEB BROWSER HISTORIES

Symantec Corporation, Mo...

1. A computer-implemented method for managing web browser histories, at least a portion of the method being performed by a
computing device comprising at least one processor, the method comprising:
identifying a visit to a website, wherein the website was visited via a web browser installed on the computing device;
selecting at least one website category for which websites are not to be referenced in a web browser history that is accessible
to the web browser;

querying, with an identifier for the visited website, a remote centralized website categorization database that maps websites
to website categories for a category indication that indicates that the website belongs to the website category;

receiving, at the computing device from the remote centralized website categorization database, the category indication that
indicates that the website belongs to the website category;

using the category indication to cache, in a local cache at the computing device a history indication, in an encrypted form,
that indicates that the website belongs to the website category and as a result should not be referenced in the web browser
history;

after the category indication is received from the remote centralized website categorization database and without querying
the remote centralized website categorization database:

identifying a subsequent visit to the website;
querying the local cache to identify the history indication that indicates that the website should not be referenced in the
web browser history; and

blocking the website from being referenced in the web browser history in response to identifying the history indication that
indicates that the website should not be referenced in the web browser history.

US Pat. No. 9,213,578

CLUSTER SYSTEMS AND METHODS

Symantec Corporation, Mo...

1. A cluster method comprising:
issuing requests to bring a resource online, offline, and monitor the resource, wherein the requests are issued by at least
one processor in an engine;

interacting with the resource and directing the resource to comply with the requests, wherein the resource interactions are
performed by at least one processor in a resource interaction agent; and

performing predicate logic operations to determine if a predicate logic condition associated with the resource is satisfied
and forwarding an indication of the results of the predicate logic operations to the engine, wherein the predicate logic operations
are performed by at least one processor in a predicate logic agent, wherein the predicate logic agent is disposed between
and separate from the engine and the resource interaction agent.

US Pat. No. 9,107,147

SYSTEMS AND METHODS FOR DYNAMICALLY MODIFYING RULES FOR SELECTING SUITABLE MOBILE NETWORKS

Symantec Corporation, Mo...

1. A computer-implemented method for dynamically modifying rules for selecting suitable mobile networks, at least a portion
of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying a set of predefined rules for selecting suitable mobile networks with which to connect;
receiving, after each rule in the set of predefined rules has been defined, user-provided data about at least one candidate
mobile network;

identifying, after each rule in the set of predefined rules has been defined, at least one characteristic of the candidate
mobile network;

predicting, after each rule in the set of predefined rules has been defined, a suitability of the candidate mobile network
using the set of predefined rules;

generating an additional rule for selecting suitable mobile networks using the user-provided data, the characteristic, and
the suitability as input to a machine-learning training algorithm that outputs the additional rule;

connecting to a suitable mobile network identified at least in part by the additional rule.

US Pat. No. 9,104,339

SUPPORT TRACK ALIGNED PARTITIONS INSIDE VIRTUAL MACHINES

Symantec Corporation, Mo...

9. A computer system comprising:
a guest alignment module comprising a guest interface module configured to
receive a request for a target starting location of a guest partition, wherein
the guest partition is operably coupled to a guest machine, wherein
the guest machine comprises
a virtual hard disk, and
a guest operating system; and
the virtual hard disk comprises the guest partition; and
a host alignment module comprising
an address translator configured to
obtain a virtual hard disk address of the guest partition, in response to
receipt of the request, wherein
the virtual hard disk address is relative to the virtual hard disk, and
translate the virtual hard disk address into a physical hard disk address
relative to a physical hard disk, wherein
the physical hard disk address corresponds to a hard disk track of the physical hard disk,
a partition address calculator configured to determine whether the physical hard disk address is track aligned, comprising
determining whether the physical hard disk is track aligned comprises
performing a modulo operation, wherein
the performing comprises dividing a disk track size into the physical hard disk address, and
calculating a new physical hard disk address of the guest partition,
wherein the calculating comprises
determining an interim hard disk address by, at least in part, adding the disk track size to the physical hard disk address,
and

calculating the new physical hard disk address by, at least in part, subtracting a modulo remainder from the interim hard
disk address, and

a migration module configured to
perform a migration of an image of the virtual hard disk, wherein
the migration is performed in response to determining that the physical hard disk address is not track aligned,
the migration comprises shifting the image of the virtual hard disk to the new physical hard disk address of the guest partition,
and

the migration is performed while the guest machine is powered on.

US Pat. No. 9,407,664

SYSTEMS AND METHODS FOR ENFORCING ENTERPRISE DATA ACCESS CONTROL POLICIES IN CLOUD COMPUTING ENVIRONMENTS

Symantec Corporation, Mo...

1. A computer-implemented method for enforcing enterprise data access control policies in cloud computing environments, at
least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
intercepting, at a proxy, an attempt to configure a computing instance that provides virtualized access to computing resources
on a cloud computing platform and that provides third-party processing for an enterprise with a permission that would provide
the computing instance with access to secured data on the cloud computing platform;

identifying, at the proxy, a user within the enterprise that initiated the attempt to configure the computing instance with
the permission;

determining, at the proxy, based on a data access control policy for the enterprise, that the user is not entitled to access
the secured data;

blocking, at the proxy, the attempt to configure the computing instance with the permission based on determining that the
user is not entitled to access the secured data;

identifying, subsequent to blocking the attempt, an entitled user within the enterprise that is entitled to access the secured
data;

initiating a request to the entitled user to approve the attempt to configure the computing instance with the permission that
would provide the computing instance with access to secured data on the cloud computing platform;

receiving, in response to the request, approval from the entitled user to configure the computing instance with the permission;
forwarding the attempt to configure the computing instance to the cloud computing platform.

US Pat. No. 9,356,843

FLOW SYSTEMS AND METHODS

Symantec Corporation, Mo...

1. A flow method comprising:
writing records during program execution, wherein the records include program execution events caused by execution of the
program, wherein each of the records is a trace record of a function called during execution of the program, and wherein each
trace record comprises an indication of a record file type;

collecting the written records for post-execution analysis, wherein the written records are associated with a flow;
performing a flow connection process associated with said flow, wherein said flow connection process determines the record
file type for each of the collected records based on the indication of the record file type included in the trace record,
determines which of a plurality of flow connection processes to perform based on the determined record file type, examines
information in one of a plurality of hash tables according to the selected process and the determined record file type, and
connects flow segments within said flow based upon connect IDs within the examined hash table and the determined flow connection
process, wherein the flow connection process is performed after the records have been written; and

performing a presentation process of displaying said flow on a graphical user interface in which said flow is at least one
of visualized, searched, and traversed.

US Pat. No. 9,235,595

STORAGE REPLICATION SYSTEMS AND METHODS

Symantec Corporation, Mo...

1. A method of efficient conversion of information associated with a node during file replication comprising:
receiving node information regarding an operation change of a particular node in a file system;
determining that the received node information is associated with the particular node of the file system identified in a file
change log;

in the event the received node information associated with the particular node identified in the file change log corresponds
to namespace changes of the particular node between session checkpoints, performing a changed node to pathname object conversion
process on the received node information using a name space conversion component, wherein said changed node to pathname object
conversion process utilizes a name space alteration tracking data structure to determine a changed object indicator;

in the event the received node information associated with the particular node identified in the file change log does not
correspond to namespace changes of the particular node between session checkpoints, performing an unchanged node to pathname
object conversion process on the received node information using the name space conversion component, wherein said unchanged
node to pathname object conversion process utilizes a longest path tracking data structure to determine an unchanged object
indicator;

inserting the changed or unchanged object indicator in a pathname of the particular node based upon results of at least one
of said changed node to pathname object conversion process and said unchanged node to pathname object conversion process;

forwarding said pathname with said inserted object indicator to a target storage resource;
receiving a call to roll back one or more changes between session checkpoints for the particular node using a roll back interface
and a marker uniquely identifying an entry in the file change log; and

restarting conversion of the node information associated with the particular node during file replication from a point indicated
by the marker.

US Pat. No. 9,182,969

USING DISASSOCIATED IMAGES FOR COMPUTER AND STORAGE RESOURCE MANAGEMENT

Symantec Corporation, Mo...

1. A method of computer resource management, the method comprising:
performing, in response to a predefined schedule, at least one resource-management task, the resource-management task comprising:
receiving, at a management node that comprises at least one management computer, at least one ample image captured from an
existing computer that is distinct from the management computer;

obtaining, at the management node, meta-data that is structurally associated with the ample image, the meta-data comprising
at least one of:

information stored in at least one of hidden partitions and hidden files;
information stored on sectors outside any defined partition;
information stored inside file system structures and outside any user-defined file;
indexing, at the management node, the ample image within a database that comprises a collection of a plurality of ample images
such that the ample image can be located by using at least part of the meta-data as a database key;

mounting the ample image at the management node;
modifying at least a portion of the ample image at the management node by splitting the ample image into two or more split
ample images such that functionality originally associated with the ample image is split between the two or more split ample
images;

upon splitting the ample image, deploying the two or more split ample images from the management node to two or more computers
that are distinct from the management node.

US Pat. No. 9,117,061

TECHNIQUES FOR SECURING AUTHENTICATION CREDENTIALS ON A CLIENT DEVICE DURING SUBMISSION IN BROWSER-BASED CLOUD APPLICATIONS

Symantec Corporation, Mo...

1. A method for securing authentication credentials on a client device comprising:
detecting, on the client device, display of an authentication form in a browser window associated with a first flow to a target
server, the authentication form requiring input of one or more authentication credentials associated with a user of the client
device in order to grant to the client device access to one or more resources;

accessing, on the client device, data corresponding to the one or more authentication credentials required by the authentication
form;

submitting, to the target server, the same one or more authentication credentials required by the authentication form associated
with the first flow via a second flow to the target server in order to bypass the first flow without providing the authentication
credentials via the first flow, wherein the second flow is not associated with the browser window such that the submission
of the authentication credentials is not subject to interception by one or more browser plug-ins; and

accessing, on the client device, the one or more resources without providing the one or more authentication credentials to
the authentication form in the browser window associated with the first flow.

US Pat. No. 9,110,965

SYSTEMS AND METHODS FOR DISASTER RECOVERY FROM BINARY LARGE OBJECTS

Symantec Corporation, Mo...

7. A system for disaster recovery from binary large objects, the system comprising:
an identification module programmed to:
identify a volume of data to be protected;
identify a binary large object storage system, wherein the binary large object storage system is a part of a third-party cloud
computing platform;

a replication module programmed to replicate the volume to the binary large object storage system by writing to a binary large
object file on the binary large object storage system to be readable as a consumable virtual disk that represents the volume,
wherein replicating the volume comprises determining that the volume uses a compression technique and replicating data from
the volume to a queue on the third-party cloud computing platform for decompression before writing the data to the binary
large object file;

a mounting module programmed to mount the consumable virtual disk directly from the binary large object file;
at least one processor configured to execute the identification module, the replication module and the mounting module.

US Pat. No. 9,104,873

SYSTEMS AND METHODS FOR DETERMINING WHETHER GRAPHICS PROCESSING UNITS ARE EXECUTING POTENTIALLY MALICIOUS PROCESSES

Symantec Corporation, Mo...

1. A computer-implemented method for determining whether graphics processing units are executing potentially malicious processes,
at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying at least one graphics processing unit associated with the computing device;
analyzing the behavior of the graphics processing unit associated with the computing device by identifying a computing load
of the graphics processing unit;

determining, based at least in part on the analysis of the behavior of the graphics processing unit, that the computing load
on the graphics processing unit indicates that the graphics processing unit is executing malware by:

identifying computer graphics generated by the graphics processing unit;
determining that the computing load on the graphics processing unit is disproportionate to the computer graphics generated
by the graphics processing unit;

determining, based at least in part on the computing load on the graphics processing unit being disproportionate to the computer
graphics generated by the graphics processing unit, that the computing load on the graphics processing unit does not correspond
to the computer graphics generated by the graphics processing unit;

performing at least one security action on the graphics processing unit in response to determining that the computing load
on the graphics processing unit indicates that the graphics processing unit is executing the malware.

US Pat. No. 9,052,904

SYSTEM AND METHOD FOR DETERMINING WHETHER TO RESCHEDULE MALWARE SCANS BASED ON POWER-AVAILABILITY INFORMATION FOR A POWER GRID AND POWER-USAGE INFORMATION FOR THE SCANS

Symantec Corporation, Mo...

1. A system for determining whether to reschedule tasks on a plurality of computing devices based on needs of a power grid,
the system comprising:
a task-scheduling module and a power-estimation module programmed to:
receive power-availability information for the power grid from a power utility that supplies power via the power grid, wherein
the power-availability information identifies a low level of power availability on the power grid;

identify a plurality of instances of a scan for malicious software that are scheduled to simultaneously execute on the plurality
of computing devices at a scheduled time;

calculate a power-usage delta for the instances of the scan for malicious software that identifies an estimated amount of
power required to simultaneously execute the instances of the scan for malicious software on the plurality of computing devices
by measuring an amount of power that is expected to be consumed by the plurality of computing devices when simultaneously
executing the instances of the scan, wherein measuring the amount of power that is expected to be consumed by the plurality
of computing devices when simultaneously executing the instances of the scan comprises:

measuring an amount of power consumed by the plurality of computing devices when the plurality of computing devices are not
idle;

estimating a percentage of the plurality of computing devices' resources that the instances of the scan for malicious software
will consume;

subtracting an amount of power consumed by the plurality of computing devices when the plurality of computing devices are
idle from the amount of power consumed by the plurality of computing devices when the plurality of computing devices are not
idle; and

multiplying a result of subtracting the amount of power consumed by the plurality of computing devices when the plurality
of computing devices are idle from the amount of power consumed by the plurality of computing devices when the plurality of
computing devices are not idle by the estimated percentage;

determine, by analyzing both the power-availability information and the estimated amount of power required to simultaneously
execute the instances of the scan for malicious software on the plurality of computing devices, whether the estimated amount
of power required to simultaneously execute the instances of the scan for malicious software on the plurality of computing
devices is low enough to allow the instances of the scan for malicious software to simultaneously execute on the plurality
of computing devices at the scheduled time despite the low level of power availability on the power grid; and

determine, based on the determination of whether the estimated amount of power required to simultaneously execute the instances
of the scan for malicious software on the plurality of computing devices is low enough to allow the instances of the scan
for malicious software to simultaneously execute on the plurality of computing devices at the scheduled time despite the low
level of power availability on the power grid, whether to reschedule the instances of the scan for malicious software to a
different time; and

at least one processor configured to execute the task-scheduling module and the power-estimation module.

US Pat. No. 9,369,357

METHOD, SYSTEM, AND COMPUTER READABLE MEDIUM FOR REMOTE DEVICE MANAGEMENT

Symantec Corporation, Mo...

1. A remote device management system encoded on a remote device, said system comprising:
a tunnel client operable to connect to a tunnel server, said tunnel client and said tunnel server comprising a communications
link between said remote device and a management computer, the remote device being a mobile computer device; and

a service host on the remote device comprising a web server interface and a plurality of application plug-ins capable of communicating
over said communications link, the web server interface making each of the plurality of application plug-ins available as
web services description language (WSDL) documents as well as hypertext markup language (HTML) web pages, wherein said web
server interface enables the management computer to remotely execute one or more application plug-ins, the web server interface
providing simultaneous access to the application plug-ins via both the WSDL documents and the HTML web pages, said plurality
of application plug-ins comprising:

a file manager plug-in capable of providing information about a file system on said remote device and capable of making changes
to said file system;

a configuration plug-in capable of setting at least one configuration option on said remote device; and
a remote control plug-in capable of providing a view of a screen on said remote device to said management computer and further
capable of allowing said management computer to remotely control said remote device;

wherein at least one of said plurality of application plug-ins are encoded on the remote device as dynamically linked library
(DLL) files.

US Pat. No. 9,300,644

KNOWLEDGE-BASED AUTHENTICATION BASED ON TRACKED CREDENTIAL USAGE

Symantec Corporation, Mo...

1. A method comprising:
tracking credential usage of an end-user on one or more end-user devices by a cloud-based authentication service executing
by a server computing system;

receiving, at the cloud-based authentication service over a first connection between the server computing system and a relying
party website, a credential request for credentials associated with the end-user for the relying party website, wherein the
end-user no longer has authentication credentials for access to the relying party website;

issuing, by the cloud-based authentication service over a second connection between the server computing system and a first
end-user device of the one or more end-user devices, a dynamic knowledge-based (KB) challenge to the end-user on the first
end-user device, wherein the dynamic KB challenge is based on the tracked credential usage of the end user, wherein at least
a portion of the dynamic KB challenge comprises information from the credential usage that is not site-centric to the relying
party website;

receiving, at the cloud-based authentication service over the second connection, a response to the dynamic KB challenge from
the end-user; and

sending temporary credentials over the first connection to the relying party website for the end-user when the response is
validated.

US Pat. No. 9,223,606

AUTOMATICALLY CONFIGURING AND MAINTAINING CLUSTER LEVEL HIGH AVAILABILITY OF A VIRTUAL MACHINE RUNNING AN APPLICATION ACCORDING TO AN APPLICATION LEVEL SPECIFIED SERVICE LEVEL AGREEMENT

Symantec Corporation, Mo...

1. A computer implemented method for automatically configuring failover according to an application level service level agreement
(SLA) for availability of a user application on a high-availability cluster, with a cluster infrastructure comprising:
at least one cluster of nodes, the user application running on a virtual machine, the virtual machine running on a specific
node of the at least one cluster, the method comprising the steps of:

gleaning parameters for failover from the application level SLA, by a first process running on the virtual machine, the user
application running on the virtual machine as an isolated environment from the cluster infrastructure;

wherein the application level SLA was specified at an application level, by a party with an application level access to the
virtual machine but without access to the cluster infrastructure;

configuring the virtual machine in accordance with the application level SLA;
detecting an application level failure of the virtual machine in accordance with the application level SLA;
transmitting the application level SLA through process-to-process communication to affect failover of the user application
within the cluster infrastructure, by sending the application level SLA by the first process running on the virtual machine
containing the user application to a second process running on the cluster infrastructure, wherein the first and second process
are on different nodes within the cluster;

receiving, by the second process running on the cluster infrastructure, failover parameters specified by the application level
SLA; and

configuring failover of high-availability cluster functionality with a high-availability configuration script according to
the application level SLA, by the second process running on the cluster infrastructure, such that the cluster infrastructure
makes the user application available as specified by the application level SLA.

US Pat. No. 9,116,803

PLACEMENT OF VIRTUAL MACHINES BASED ON PAGE COMMONALITY

Symantec Corporation, Mo...

1. A method comprising:
generating a list, wherein
the list comprises a plurality of entries associated with a virtual machine,
the virtual machine is a new virtual machine that is not running when the list is generated,
the generating the list comprises
predicting portions of data likely to be used by the virtual machine based on metadata that includes information identifying
one or more characteristics of the virtual machine, and each entry indicates a respective portion of data associated with
the virtual machine;

for each candidate list of a plurality of candidate lists, calculating a number of common entries, wherein each candidate
list comprises a plurality of entries, and a common entry is an entry that is included in the respective candidate list and
in the list;

selecting a target candidate list of the plurality of candidate lists, wherein the target candidate list has the highest number
of common entries of the plurality of candidate lists,

an entry in the target candidate list identifies a portion of data associated with a second virtual machine, generating the
entry comprises

trapping a memory call made by a second virtual machine, wherein the memory call identifies a requested portion of data, and
calculating a fingerprint for the requested portion of data, wherein the entry comprises the fingerprint;
the second virtual machine is implemented on a computing device associated with the target candidate list; and
assigning the virtual machine to the computing device associated with the target candidate list.

US Pat. No. 9,111,069

LANGUAGE DETECTION TO IMPROVE EFFICIENCY OF CONTENT SCANNING ENGINE IN DATA LOSS PREVENTION (DLP) SYSTEMS

Symantec Corporation, Mo...

1. A method, implemented by a computing system programmed to perform the following, comprising:
monitoring, by a data loss prevention (DLP) product, data content associated with the computing system;
identifying, by the DLP product, a natural language of the data content;
based on the identified natural language, identifying from a plurality of DLP policies a first set of one or more DLP policies
that are applicable for the identified natural language;

identifying a second set of one or more DLP policies with a different natural language than the identified natural language,
wherein the first set of one or more DLP policies are not in the second set of one or more DLP policies;

scanning the data content using the first set and not the second set to detect a violation of one of the plurality of DLP
policies in the data content; and

performing a DLP action in response to the detected violation.

US Pat. No. 9,104,861

VIRTUAL SECURITY APPLIANCE

Symantec Corporation, Mo...

1. A computer implemented method for operating a computer system, the method comprising:
generating a virtualization environment for the computer system;
generating a user environment within the virtualization environment, the user environment comprising a user operating system
that executes in a first virtual machine of the computer system, the user operating system executing a plurality of applications
within the user environment;

generating a security environment within the virtualization environment, the security environment segregated from the user
environment to reduce an accessibility of the security environment to security threats targeting the user environment and
security threats operating in the user environment;

executing, by the computer system, a virtual security appliance within the security environment, the virtual security appliance
executed in a second virtual machine of the computer system and performing security functions for the user environment;

identifying, by the virtual security appliance, a security threat in network traffic directed to one of the plurality of user
applications operating in the user environment; and

preventing the security threat from being received by the one of the plurality of user applications.

US Pat. No. 9,076,004

SYSTEMS AND METHODS FOR SECURE HYBRID THIRD-PARTY DATA STORAGE

Symantec Corporation, Mo...

1. A computer-implemented method for secure hybrid third-party data storage, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
identifying, at a trusted proxy system, an access request from a client system to access an encrypted file stored under a
user account at a third-party storage system, wherein the requested access requires decryption of the encrypted file, wherein
the trusted proxy system is owned by an owner of the encrypted file and the third-party storage system is not owned by the
owner of the encrypted file;

retrieving, in response to the request, from the third-party storage system and for the trusted proxy system:
the encrypted file;
a decryption key that has been encrypted with a client-side key, wherein an asymmetric key pair designated for the user account
comprises an encryption key and the encrypted decryption key;

receiving, at the trusted proxy system, the client-side key, without exposing the client-side key to the third-party storage
system;

decrypting the encrypted decryption key with the client-side key at the trusted proxy system rather than at the third-party
storage system responsive to the trusted proxy system being owned by the owner of the encrypted file and the third-party storage
system not being owned by the owner of the encrypted file;

using the decryption key to access an unencrypted version of the encrypted file at the trusted proxy system.

US Pat. No. 9,483,627

ABSTRACTING CREDENTIALS FOR MOBILE CLIENT AUTHENTICATION

Symantec Corporation, Mo...

1. A method comprising:
receiving, by a proxy server computer, an authentication request from a mobile user device for access to a web application
hosted in a cloud, wherein the authentication request comprises initial user credentials that are embedded in the mobile user
device, and wherein the authentication request to the web application is routed to the proxy server computer via a Virtual
Private Network (VPN) in view of a configuration profile of the mobile user device indicating that requests from a specific
domain be routed to the proxy server computer;

determining that the authentication request is a candidate for modification based on the initial user credentials in the authentication
request;

modifying, by the proxy server computer, the authentication request to include replacement user credentials that correspond
to the initial user credentials; and

transmitting the modified authentication request to the web application in the cloud, wherein the web application determines
whether the modified authentication request is valid based on the replacement user credentials.

US Pat. No. 9,455,892

DATA LOSS MONITORING OF PARTIAL DATA STREAMS

Symantec Corporation, Mo...

1. A computer-implemented method comprising:
identifying partial data streams containing segments lost while capturing network traffic at a network computing device, each
partial data stream corresponding to a session;

determining characteristics of the partial data streams, wherein determining characteristics of the partial data streams comprises
performing a protocol analysis for data stream elements of a partial data stream by determining a type for each data stream
element, parsing each data stream element based on the type to extract metadata, and storing the metadata in a metadata store;

padding content portions of the lost segments in the partial data streams to generate padded partial data streams; and
scanning the padded partial data streams for sensitive information according to at least one data loss prevention (DLP) policy,
wherein scanning the padded partial data streams comprises using signatures of the sensitive information to determine whether
content portions of the padded partial data streams contain the sensitive information.

US Pat. No. 9,300,693

SYSTEMS AND METHODS FOR PREVENTING DATA LOSS OVER VIRTUALIZED NETWORKS

Symantec Corporation, Mo...

1. A computer-implemented method for preventing data loss over virtualized networks, at least a portion of the method being
performed by a computing device comprising at least one processor, the method comprising:
receiving, by a data loss prevention callout driver registered to a switch, a network packet from a virtual machine;
identifying, by the data loss prevention callout driver registered to the switch, flow context information that specifies
a context associated with transmitting the network packet;

providing the flow context information and the network packet to a data loss prevention service;
applying, by the data loss prevention service, a data loss prevention policy to the network packet based on the flow context
information.

US Pat. No. 9,166,997

SYSTEMS AND METHODS FOR REDUCING FALSE POSITIVES WHEN USING EVENT-CORRELATION GRAPHS TO DETECT ATTACKS ON COMPUTING SYSTEMS

Symantec Corporation, Mo...

1. A computer-implemented method for reducing false positives when using event-correlation graphs to detect attacks on computing
systems, at least a portion of the method being performed by a computing device comprising at least one processor, the method
comprising:
detecting a suspicious event involving a first actor within a computing system;
constructing, in response to detecting the suspicious event involving the first actor, an event-correlation graph, wherein
the event-correlation graph comprises at least:

a first node that represents the first actor;
a second node that represents a second actor;
an edge that interconnects the first node and the second node and represents an additional suspicious event involving the
first actor and the second actor;

comparing, at a server device that collects event information from a plurality of computing systems including the computing
system, the event-correlation graph with at least one additional event-correlation graph that represents events generated
on at least one additional computing system within the plurality of computing systems;

determining that a similarity of the event-correlation graph and the additional event-correlation graph exceeds a predetermined
threshold;

classifying the suspicious event as benign based at least in part on determining that the similarity of the event-correlation
graph and the additional event-correlation graph exceeds the predetermined threshold.

US Pat. No. 9,081,958

USING CONFIDENCE ABOUT USER INTENT IN A REPUTATION SYSTEM

Symantec Corporation, Mo...

1. A method of using a computer to determine a reputation of an object in a reputation system, comprising:
receiving reports from clients in the reputation system, the reports identifying an object detected at the clients;
determining a prevalence of the object on the clients in the reputation system based on the reports received from the clients;
determining information about the clients from the reports received from the clients, wherein the determined information about
the clients includes an age of a client in the reputation system and the age of the client is determined responsive to an
elapsed time that the client has been active in the reputation system;

generating confidence metrics for the clients responsive to the determined information about the clients, the confidence metrics
indicating amounts of confidence in the veracity of the reports received from the clients, wherein a confidence metric for
the client is based at least in part on the age of the client, higher confidence metrics for the clients indicate that information
in reports received from the clients is more likely to be true, and an older client receives a higher confidence metric;

calculating a reputation score of the object responsive at least in part to the reports received from the clients, the prevalence
of the object, and the confidence metrics for the clients, wherein a higher prevalence causes the object to receive a higher
reputation score indicating that the object is unlikely to contain malicious software; and

storing the reputation score of the object.

US Pat. No. 9,047,414

METHOD AND APPARATUS FOR GENERATING AUTOMATED TEST CASE SCRIPTS FROM NATURAL LANGUAGE TEST CASES

Symantec Corporation, Mo...

1. A computer-implemented method comprising:
receiving, with a computing system from a user, a natural language test case for testing a software application, wherein the
natural language test case is a test case written in a natural language, the test case comprising at least one of a condition,
a variable, or a command that is executed by the software application to determine whether the software application is working
according to program specifications, the natural language test case comprising a natural language command, wherein the natural
language command is written as a user speaks and is distinct from a computer programming command;

parsing the natural language command of the received natural language test case to locate one or more search terms used to
search for a corresponding term associated with an automated testing script command;

causing a search of a testing framework system to be performed for the automated testing script command, wherein the one or
more search terms are used to search at least one of an index or a document to locate the corresponding term associated with
the automated testing script command, wherein the corresponding term is distinct from the automated testing script command
and used to locate the automated testing script command; and

generating an automated test case script that corresponds to the natural language test case based on a result of the search,
wherein the automated test case script comprises the automated test script command.

US Pat. No. 9,378,634

LEVERAGING NEIGHBORS' WIRELESS ACCESS POINTS IN WIRELESS-SIGNAL-VARIATION-BASED PHYSICAL INTRUDER DETECTION SYSTEMS

Symantec Corporation, Mo...

1. A method for intruder detection, comprising:
monitoring, at a wireless sniffer in a building, received signal strength relative to each of a plurality of wireless access
points, wherein a first wireless access point of the plurality of wireless access points is located within the building and
a second wireless access point of the plurality of wireless access points is located external to the building;

creating a profile of the received signal strength from each of the plurality of wireless access points, during a learn mode;
comparing activity of the received signal strength from each of the plurality of wireless access points to the profile, during
an intruder detection mode; and

issuing a notification, based on the comparing, wherein at least one step of the method is performed by a processor.

US Pat. No. 9,356,943

SYSTEMS AND METHODS FOR PERFORMING SECURITY ANALYSES ON NETWORK TRAFFIC IN CLOUD-BASED ENVIRONMENTS

Symantec Corporation, Mo...

1. A computer-implemented method for performing security analyses on network traffic in cloud-based environments, at least
a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
collecting network traffic exchanged between a source device and a destination device for a security analysis by:
receiving, at a server that handles at least a portion of the network traffic, a request sent by the source device;
determining that a size of at least a portion of the request is below a certain threshold;
in response to determining that the size of the portion of the request is below the certain threshold, creating a custom header
in the request that includes information that facilitates access to the portion of the request by inserting the portion of
the request into the custom header in the request;

forwarding the request with the custom header to the destination device;
receiving, from the destination device, a response to the request sent by the source device;
identifying, in a header of the response, the information that facilitates access to the portion of the request sent by the
source device;

obtaining, based at least in part on the information identified in the header of the response, the portion of the request
sent by the source device;

performing the security analysis on the network traffic by analyzing the portion of the request sent by the source device
and at least a portion of the response received from the destination device.

US Pat. No. 9,298,561

SYSTEMS AND METHODS FOR PRIORITIZING RESTORATION SPEED WITH DEDUPLICATED BACKUPS

Symantec Corporation, Mo...

1. A computer-implemented method for prioritizing restoration speed with deduplicated backups,
at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
receiving a request to store a backup image within a deduplicating data system;
evaluating an amount of data segments that match the backup image within a container of deduplicated data segments used by
the deduplicating data system;

identifying a restoration prioritization value that is separately assigned to the backup image and that indicates a degree
of priority placed on restoration performance of the backup image over backup performance of the backup image, wherein restoration
performance comprises at least one of speed with which restoration is completed and resource use of restoration and backup
performance comprises at least one of speed with which backup is completed and resource use of backup;

determining that the amount of data segments that match the backup image exceeds the restoration prioritization value by a
predetermined degree;

referencing previously stored data segments within the container of deduplicated data segments that match the backup image
when storing the backup image within the deduplicating data system based at least in part on the amount of data segments that
match the backup image exceeding the restoration prioritization value by the predetermined degree.

US Pat. No. 9,135,447

SYSTEMS AND METHODS FOR DEPLOYING A PRE-BOOT ENVIRONMENT TO ENABLE AN ADDRESS OFFSET MODE AFTER EXECUTION OF SYSTEM BIOS FOR BOOTING A OPERATING SYSTEM IN A PROTECTED AREA

Symantec Corporation, Mo...

1. A computer-implemented method to deploy a pre-boot environment in a computing system, comprising:
creating a protected area at a first location on a data storage device of the computing system;
installing an operating system in the protected area at the first location on the data storage device;
installing the pre-boot environment in an unprotected area at a second location on the data storage device, the pre-boot environment
comprising software configured to enable an address offset mode; and

initiating the pre-boot environment after executing the computing system's firmware and before booting the operating system.

US Pat. No. 9,124,623

SYSTEMS AND METHODS FOR DETECTING SCAM CAMPAIGNS

Symantec Corporation, Mo...

1. A computer-implemented method for detecting scam campaigns, the method comprising:
identifying a plurality of web pages that are pre-filtered according to predetermined criteria;
performing pattern detection on the pre-filtered web pages;
extracting at least one of text and an image from one or more of the pre-filtered web pages;
performing at least one of natural language processing on the extracted text to derive a meaning of the extracted text and
image analysis on the extracted image to recognize an aspect of the image;

detecting a pattern among the pre-filtered web pages based on at least one of the derived meaning of the extracted text and
the recognized aspect of the image;

comparing the detected pattern to a user input;
accessing the repository of common scam campaign techniques in real time relative to detecting a user generating the user
input; and

upon detecting the pattern among the pre-filtered web pages, storing the detected pattern in a database in order to build
a repository of common scam campaign techniques.

US Pat. No. 9,081,617

PROVISIONING OF VIRTUAL MACHINES USING AN N-ARY TREE OF CLUSTERS OF NODES

Symantec Corporation, Mo...

1. A method comprising:
generating a respective cluster rank for each of a plurality of clusters, wherein each of the clusters comprises a plurality
of potential nodes,

each of a plurality of second tree nodes calculates a respective node rank based, at least in part, on a virtual machine (VM)
configuration, wherein

an n-ary tree comprises at least two leaf levels,
a second leaf level of the n-ary tree comprises the plurality of second tree nodes, and
each of the second tree nodes represents one of the potential nodes, and
each of a plurality of first tree nodes calculates the respective cluster rank based, at least in part, on an aggregate rank
of the respective node ranks of the potential nodes in each cluster, wherein

a first leaf level of the n-ary tree comprises the plurality of first tree nodes, and
each of the first tree nodes represents one of the clusters;
selecting a selected cluster from the plurality of clusters, wherein
the plurality of potential nodes are configured to host one or more virtual machines,
each of the plurality of clusters comprises respective cluster information,
the respective cluster information comprises information for the plurality of potential nodes of the plurality of clusters,
a VM is to be hosted by one of the plurality of potential nodes,
a VM configuration of the VM comprises
one or more resource requirements,
the one or more resource requirements indicate one or more resources needed in a potential node for hosting the VM, and
the selecting is based on
the cluster rank of each cluster,
the respective cluster information, and
the VM configuration; and
provisioning the VM by a selected node, wherein
the selected cluster comprises the selected node.

US Pat. No. 9,378,367

SYSTEMS AND METHODS FOR IDENTIFYING A SOURCE OF A SUSPECT EVENT

Symantec Corporation, Mo...

1. A computer-implemented method for identifying a source of a suspect event, comprising:
registering system events in a database, wherein the system events include detected process launch events;
detecting a first process being launched, the first process being one of the detected process launch events;
detecting a suspicious event associated with the first process;
querying the registered system events in the database;
analyzing a result of the query, the result of the query indicating an association between a second process and the first
process, the second process being different from the first process;

based at least in part on analyzing the result of the query, determining the second process launches the first process; and
based at least in part on determining the second process launches the first process, identifying the first process as being
one of a plurality of potential puppet processes.

US Pat. No. 9,313,185

SYSTEMS AND METHODS FOR AUTHENTICATING DEVICES

Symantec Corporation, Mo...

1. A computer-implemented method for authenticating devices, at least a portion of the method being performed by a computing
device comprising at least one processor, the method comprising:
identifying, at a computing system, a request from a device for a credentialing service to issue a credential to the device,
the request comprising an application identifier encrypted with a first encryption key, the first encryption key having been
derived by the device based on a token provisioned to the device by a vendor of the device;

transmitting, from the computing system, the request to the credentialing service, wherein the credentialing service responds
to the request by encrypting the credential with a second encryption key that was derived based on the token and by sending
the encrypted credential to the computing system;

receiving, at the computing system and from the credentialing service, the credential encrypted with the second encryption
key, wherein the vendor has registered an application identified by the application identifier with the credentialing service;

providing, from the computing system, the encrypted credential to the device, wherein the device derives the second encryption
key based on the token and uses the second encryption key to decrypt the encrypted credential.

US Pat. No. 9,292,404

METHODS AND SYSTEMS FOR PROVIDING CONTEXT FOR PARENTAL-CONTROL-POLICY VIOLATIONS

Symantec Corporation, Mo...

1. A computer-implemented method for providing context for parental-control-policy violations, the method being performed
by a computing device comprising at least one processor, the method comprising:
tracking a child's usage of a computing system;
generating an event history that includes a first chain of at least two hyperlink selections and a second chain of at least
two hyperlink selections based on the child's usage of the computing system;

identifying a restricted event that violated a parental-control policy;
creating an event trail that identifies, within the event history, a chain of hyperlink selections that led to the restricted
event;

determining that the first chain of hyperlink selections led to the violation of the parental-control policy;
determining that the second chain of hyperlink selections did not lead to the violation of the parental-control policy;
including the first chain of hyperlink selections in the event trail based on the determining that the first chain led to
the violation of the parental-control policy;

omitting the second chain of hyperlink selections from the event trail based on the determining that the second chain did
not lead to the violation of the parental-control policy.

US Pat. No. 9,230,115

EDUCATING COMPUTER USERS CONCERNING SECURITY THREATS

Symantec Corporation, Mo...

1. A computer implemented method for educating and protecting users concerning attacks through attack simulation, the method
comprising the steps of:
selecting a user for attack simulation based on a security hygiene rating, wherein the security hygiene rating is based
on a history of security events for the user;

simulating, by a computer, the specific attack against the user, wherein the attack targets a user action to perform the attack;
receiving a user action in response to the simulated specific attack;
displaying educational security information to the user concerning best practices for the user including steps to avoid being
victimized, based on the user's response to the simulating of the specific attack, said educational security information describing
the specific attack;

adjusting the security hygiene rating concerning the user, based on the user's response to the simulated specific attack;
and

automatically adjusting, based on the security hygiene rating of the user, at least one security setting for protecting a
computer operated by the user from malware.

US Pat. No. 9,225,736

TECHNIQUES FOR DETECTING ANOMALOUS NETWORK TRAFFIC

Symantec Corporation, Mo...

1. A method for managing authentication information comprising:
receiving a list including a plurality of processes, wherein each of the plurality of processes is run on a client system
by executing a file representing that process;

for each process on the list, analyzing the file representing that process to determine what types of network traffic are
used by the process by identifying in the file instructions that entail those types of network traffic;

for each process on the list, generating a list of approved types of network traffic based on types of network traffic determined
for the process while analyzing the file representing the process;

transmitting the list of processes including, for each process, the list of approved types of network traffic for use in identifying
infected processes;

monitoring network traffic of each process on the list of processes;
upon detecting network traffic for a process on the list of processes, determining that the type of network traffic detected
is not on the list of approved types for that process; and

identifying the process as infected based on determining that the type of network traffic detected is not on the list of approved
types for that process.

US Pat. No. 9,223,961

SYSTEMS AND METHODS FOR PERFORMING SECURITY ANALYSES OF APPLICATIONS CONFIGURED FOR CLOUD-BASED PLATFORMS

Symantec Corporation, Mo...

1. A computer-implemented method for performing security analyses of applications configured for cloud-based platforms, at
least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying an online platform that hosts an online service and that is capable of hosting a plurality of third-party applications
integrated with the online service and configured to operate on the online platform, wherein the online service hosts and/or
processes data via one or more cloud-based applications;

identifying, by a security system separate from the online service, at least one third-party application by identifying user-facing
content within the online service that references the third-party application, the third-party application being:

separate from and configured to operate on the online platform;
specifically designed to be integrated with the online service and enhancing the online service by customizing an interaction
with the online service;

retrieving, from the online service by the security system, metadata describing:
at least one characteristic of the third-party application;
the interaction of the third-party application with the online service;
an internet resource provided via a canvas page that comprises at least a portion of the third-party application;
in response to determining that the third-party application is separate from the online platform, performing, by the security
system, a security analysis of the third-party application instead of the online service that determines a most probable classification
of the third-party application, based at least in part on the metadata describing at least one characteristic of the third-party
application, the interaction of the third-party application with the online service, and the internet resource provided via
the canvas page, and flagging the third-party application as malicious based on the security analysis.

US Pat. No. 9,219,728

SYSTEMS AND METHODS FOR PROTECTING SERVICES

Symantec Corporation, Mo...

1. A computer-implemented method for protecting services, at least a portion of the method being performed by a computing
device comprising at least one processor, the method comprising:
identifying a service control manager, the service control manager having access to modify a configuration of at least one
service;

identifying a request from a process for permission to access the configuration of the service;
in response to the request:
authenticating the process based on at least one attribute of the process;
providing an authentication token to the process;
intercepting an attempt by the process to access the configuration of the service via the service control manager, the attempt
comprising the authentication token;

in response to the attempt, validating the authentication token;
in response to validating the authentication token, allowing the process to access the configuration of the service.

US Pat. No. 9,218,495

SYSTEMS AND METHODS FOR SHARING LOGS OF A CHILD'S COMPUTER ACTIVITIES WITH A GUARDIAN OF THE CHILD

Symantec Corporation, Mo...

1. A computer-implemented method for sharing logs, at least a portion of the method being performed by a computing system
comprising at least one processor, the method comprising:
receiving a request, from a requesting guardian of a child, to create a log-sharing policy that authorizes the requesting
guardian of the child to view logs of computer activity of the child performed on a tracking computing device that is controlled
by a tracking guardian of a different child and that is not controlled by the requesting guardian, the log-sharing policy
indicating circumstances in which logs of computer activity on the tracking computing device are allowed to be provided to
the requesting guardian;

notifying the tracking guardian of the request to create the log-sharing policy;
receiving, from the tracking guardian, a response that authorizes the requesting guardian to view the logs of the computer
activity of the child performed on the tracking computing device;

in response to receiving the authorization from the tracking guardian, storing the log-sharing policy;
determining that the child is involved in a computer activity on the tracking computing device;
monitoring the computer activity by a parental control software system at the tracking computing device;
creating a log of the computer activity;
determining, based on the log-sharing policy, that the requesting guardian is authorized to view the log of the computer activity,
the tracking guardian being required to agree to share the log of the computer activity by granting the request from the requesting
guardian in order to share the log;

providing the log of the computer activity to the requesting guardian at least in part by formatting the log in a format readable
by a parental control software system different than the parental control software system on the tracking computing device.

US Pat. No. 9,178,904

SYSTEMS AND METHODS FOR DETECTING MALICIOUS BROWSER-BASED SCRIPTS

Symantec Corporation, Mo...

1. A computer-implemented method for detecting malicious browser-based scripts, the method comprising:
identifying an attempt by a web browser to access sensitive information stored on a server;
locating a web browser script installed in the web browser by inspecting Document Object Model nodes in the web browser prior
to determining whether to allow the web browser to access the sensitive information;

calculating a signature hash for the web browser script;
querying, using the signature hash, a browser script signature database that associates web browser script signature hashes
with script security indicators;

receiving, in response to querying the browser script signature database, a script security indicator associated with the
signature hash, the script security indicator indicating whether the web browser script is identified, within the browser
script signature database, as a security threat;

applying, based on the script security indicator that indicates whether the web browser script is identified as a security
threat, a script security policy associated with the web browser script, the script security policy indicating whether to
allow the web browser to access the sensitive information stored on the server;

wherein a computing device comprising at least one processor performs the method.

US Pat. No. 9,146,822

CLUSTER CONFIGURATION SYSTEMS AND METHODS

Symantec Corporation, Mo...

1. A cluster configuration method comprising:
maintaining configuration information associated with a first node and a second node, including cluster configuration version
information, wherein cluster configuration version information associated with said first node includes a first configuration
version indication and cluster configuration version information associated with said second node includes a second configuration
version indication;

evaluating said first node as a potential configuration update node for said second node, including evaluating an indication
of potential update availability of a partial snapshot, wherein evaluating said first node comprises subtracting said first
configuration version indication from said second configuration version indication;

performing an update type selection when said subtraction of said first configuration version indication from said second
configuration version indication indicates the first configuration version indication is more recent than the second configuration
version indication, including determining whether to select a partial snapshot update information indication; and

performing an update for said second node in accordance with results of said update type selection, wherein said performing
an update includes performing a partial upload of snapshot information from said first node.

US Pat. No. 9,137,333

METHOD AND SYSTEM FOR ADDING PLUG-IN FUNCTIONALITY TO VIRTUALIZED APPLICATIONS

Symantec Corporation, Mo...

1. A method comprising:
modifying, by a server computing system, sequence data of an application to be invoked in a virtual environment, the modifying
creating modified sequence data to cause a client computing system to invoke a proxy agent in the virtual environment prior
to invoking the application in the virtual environment;

generating a virtualized application package for the application using the modified sequence data; and
providing the virtualized application package to cause the client computing system to invoke the proxy agent in the virtual
environment, wherein the proxy agent changes a configuration of the application to cause the application to load a data-loss
protection plug-in in the virtual environment to prevent loss of protected data.

US Pat. No. 9,122,679

METHOD AND SYSTEM FOR INFORMATION RETRIEVAL EFFECTIVENESS ESTIMATION IN E-DISCOVERY

Symantec Corporation, Mo...

1. A method for a server computing system, comprising:
determining, by the server computing system, a plurality of statistics for a plurality of validation documents;
determining a number for a sample size of test documents in a plurality of test documents based on the plurality of statistics
for the plurality of validation documents and an effectiveness measure of interest;

determining, by the server computing system, a plurality of statistics for the plurality of test documents, wherein a number
of test documents in the plurality of test documents is the number for the sample size of test documents;

determining a number of false negatives for a corpus of documents based on the sample size and one or more of the plurality
of statistics for the plurality of test documents, wherein a document of the corpus of documents is a false negative if classification
of the document by a classification model is negative and classification of the document by a user is positive; and

calculating, by the server computing system, an effectiveness of an information retrieval system on a corpus of documents
based on the number of false negatives for the corpus of documents.

US Pat. No. 9,122,635

EFFICIENT DATA BACKUP WITH CHANGE TRACKING

Symantec Corporation, Mo...

1. A method comprising:
determining whether file data of a file has changed since a creation time of a previous backup image, wherein the determining
further comprises

analyzing a previous track log associated with the previous backup image, wherein
the previous track log comprises a plurality of file entries associated with a plurality of files included in the previous
backup image,

each of the file entries comprises recorded file attributes of the file, and
the analyzing uses one or more present file attributes of the file and one or more of the recorded file attributes;
in response to a determination that the file data has not changed, generating a metadata header associated with the file data,
wherein

the metadata header comprises metadata, and
the metadata identifies the file data in the previous backup image; and
transmitting the metadata header to a backup server.

US Pat. No. 9,104,859

SYSTEMS AND METHODS FOR SCANNING DATA STORED ON CLOUD COMPUTING PLATFORMS

Symantec Corporation, Mo...

1. A computer-implemented method for scanning data stored on cloud computing platforms,
at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying a cloud computing service that hosts a plurality of cloud computing instances and a plurality of data volumes
that store data for the plurality of cloud computing instances;

determining that a data volume within the plurality of data volumes that stores data for a cloud computing instance within
the plurality of cloud computing instances is subject to a security scan;

identifying at least one of an owner of the data volume and an owner of the cloud computing instance;
prioritizing the security scan on the data volume over a security scan on an additional data volume within the plurality of
data volumes based on at least one of the owner of the data volume and the owner of the cloud computing instance;

detecting a computing system that is external to the cloud computing instance;
performing, based on the prioritization of the security scan on the data volume over the security scan on the additional data
volume, the security scan on the data volume from the computing system that is external to the cloud computing instance instead
of performing the security scan from within the cloud computing instance.

US Pat. No. 9,081,507

SHARED STORAGE ACCESS MANAGEMENT SYSTEMS AND METHODS

Symantec Corporation, Mo...

16. A computer system comprising: a processor coupled to a non-transitory computer readable storage media and executing computer
readable code which causes the computer system to perform operations including:
performing an endpoint input/output (I/O) source authority tracking process in which permission of an endpoint I/O source
to perform an I/O with at least a portion of an endpoint storage target is tracked at least in part based on a corresponding
endpoint I/O source ID value;

confirming the endpoint storage target supports endpoint I/O source ID value registration and commands corresponding to registration
operations; and

performing an I/O operation based upon results of the endpoint I/O source authority tracking process, wherein the endpoint
I/O source ID value is associated with the endpoint I/O source and the endpoint I/O source is a virtual machine.

US Pat. No. 9,059,870

TECHNIQUES FOR MANAGING ELECTRONIC MESSAGE DISTRIBUTION

Symantec Corporation, Mo...

1. A method for managing electronic message distribution, the method comprising:
analyzing an electronic message;
determining whether the electronic message satisfies one of a plurality of predetermined conditions;
determining a geographical location of an intended recipient of the electronic message;
converting at least a portion of the electronic message from a first predetermined format to a second predetermined format
based on the determination of whether the electronic message satisfies the one of the plurality of predetermined conditions
and the determined geographical location of the intended recipient of the electronic message, wherein the first predetermined
format is a message format locally cacheable by the intended recipient and the second predetermined format is a message format
that is not locally cacheable by the intended recipient; and

transmitting the converted electronic message.

US Pat. No. 9,483,643

SYSTEMS AND METHODS FOR CREATING BEHAVIORAL SIGNATURES USED TO DETECT MALWARE

Symantec Corporation, Mo...

1. A computer-implemented method for creating behavioral signatures used to detect malware, at least a portion of the method
being performed by a computing device comprising at least one processor, the method comprising:
maintaining a database that identifies:
known malicious files and behaviors exhibited by the known malicious files;
known non-malicious files and behaviors exhibited by the known non-malicious files;
creating a behavioral signature used to detect malware by:
determining a combination of behaviors exhibited by at least one of the known malicious files identified within the database;
identifying the number of known malicious files that exhibit each behavior within the combination of behaviors;
identifying the number of known non-malicious files that exhibit each behavior within the combination of behaviors;
determining that the number of known malicious files that exhibit each behavior within the combination exceeds the number
of known non-malicious files that exhibit each behavior within the combination by a certain threshold;

incorporating representations of each behavior within the combination of behaviors into the behavioral signature.

US Pat. No. 9,485,606

SYSTEMS AND METHODS FOR DETECTING NEAR FIELD COMMUNICATION RISKS

Symantec Corporation, Mo...

1. A computer-implemented method for detecting near field communication risks, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
identifying a mobile device capable of near field communication;
identifying a potentially illegitimate attempted near field communication involving the mobile device;
tracking at least one contextual behavior by a device with near field communication capability observed to occur during a
predefined time window surrounding the potentially illegitimate attempted near field communication and relating to the potentially
illegitimate attempted near field communication, wherein tracking the contextual behavior comprises determining that the mobile
device did not provide a user-facing notification of the potentially illegitimate attempted near field communication;

determining, based at least in part on the contextual behavior having occurred within the predefined time window, that the
contextual behavior indicates an attempted attack on the mobile device that involves the potentially illegitimate attempted
near field communication; and

determining, based at least in part on the contextual behavior indicating an attempted attack on the mobile device, that the
potentially illegitimate attempted near field communication poses a risk to the mobile device.

US Pat. No. 9,455,994

TECHNIQUES FOR INTELLIGENTLY EXECUTING A DIGITAL SIGNATURE

Symantec Corporation, Mo...

1. A method for intelligently executing a digital signature, comprising the steps of:
receiving a signature request from a user, wherein the signature request comprises a file;
scanning the signature request to produce one or more scan results;
performing a signature process on the file in response to receiving the signature request from the user; and
communicating an indication of the one or more scan results to a reputation service server.

US Pat. No. 9,436,821

SYSTEMS AND METHODS FOR DETECTING ATTEMPTS TO TRANSMIT SENSITIVE INFORMATION VIA DATA-DISTRIBUTION CHANNELS

Symantec Corporation, Mo...

1. A computer-implemented method for detecting attempts to transmit sensitive information via data-distribution channels,
at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying an attempt to transmit a file through a data-distribution channel;
comparing, using an image-matching technique, the file with a plurality of known sensitive files that are both stored in image
formats and protected by a data-loss-prevention policy;

comparing, using a finer image-matching technique that consumes more computing resources than the image-matching technique,
the file and at least one known sensitive file from the plurality of known sensitive files that was not discarded by the image-matching
technique;

determining, based on the results of the finer image-matching technique, that the file violates the data-loss-prevention policy;
performing a security action in response to determining that the file violates the data-loss-prevention policy.

US Pat. No. 9,411,953

TRACKING INJECTED THREADS TO REMEDIATE MALWARE

Symantec Corporation, Mo...

1. A method of detecting a malicious file at a client, comprising:
detecting thread creation events performed by an operating system of the client;
collecting data about detected thread creation events, the collected data for a thread creation event including an identity
of a created thread, an identity of a process that created the thread, and an identity of a file stored by the client that
was executed to form the process that created the thread;

analyzing an address space of a process executing on the client to identify legitimate memory regions in the address space
known to not contain malware;

identifying a thread of the process executing on the client referencing a location in the address space of the process outside
of the legitimate memory regions, the location designated as a suspicious memory region;

designating the thread referencing the suspicious memory region as a suspicious thread;
identifying a malicious file associated with the suspicious thread by accessing the collected data about detected thread creation
events to identify a file stored by the client that was executed to form a process that created the suspicious thread, identifying
the malicious file comprising:

determining an identifier of the suspicious thread by querying the operating system for the identifier of the suspicious thread
and receiving the identifier of the suspicious thread from the operating system in response to the query;

providing the identifier of the suspicious thread to a service that receives a thread identifier identifying a thread and
responds with an identity of a file that created the identified thread, the service using the collected data about detected
thread creation events; and

receiving from the service, in response to providing the identifier of the suspicious thread, an identifier of the malicious
file associated with the suspicious thread; and

remediating the malicious file associated with the suspicious thread.

US Pat. No. 9,313,218

SYSTEMS AND METHODS FOR PROVIDING INFORMATION IDENTIFYING THE TRUSTWORTHINESS OF APPLICATIONS ON APPLICATION DISTRIBUTION PLATFORMS

Symantec Corporation, Mo...

1. A computer-implemented method for providing information identifying the trustworthiness of applications on application
distribution platforms, at least a portion of the method being performed by a computing device comprising at least one processor,
the method comprising:
monitoring event notifications generated by an accessibility service that provides user interface enhancements for disabled
individuals on an operating system installed on the computing device;

determining, based on an analysis of an event notification generated by the accessibility service, that a user is viewing
at least one application for download on an application distribution platform;

in response to determining that the event notification generated by the accessibility service indicates that the user is viewing
the application on the application distribution platform, identifying the application that the user is viewing by applying
a set of rules based on characteristics of the computing device to content of an active window that is currently displayed
on a screen of the computing device in order to search for an indication of a name of the application;

once the application is identified, retrieving information from a third party that identifies the trustworthiness of the application;
before the user downloads the application, displaying the information identifying the trustworthiness of the application to
the user.

US Pat. No. 9,292,350

MANAGEMENT AND PROVISIONING OF VIRTUAL MACHINES

Symantec Corporation, Mo...

1. A computer-implemented method comprising:
accessing, using one or more processors, a virtual machine (VM) configuration of a virtual machine, wherein
the VM is to be hosted by a host node, and
the VM configuration comprises one or more requirements that are necessary for hosting the VM;
accessing a first cluster configuration of a first cluster, wherein
an n-ary tree comprises a first leaf level and a second leaf level,
the first leaf level comprises at least a root node of the first cluster,
the second leaf level comprises a first plurality of potential nodes (second leaf nodes) of the first cluster,
the first plurality of second leaf nodes are configured to host at least one VM, and
the first cluster configuration comprises configuration information for one or more nodes of the first plurality of second
leaf nodes, wherein

each second leaf node of the one or more second leaf nodes generates configuration information corresponding to the each second
leaf node; and

comparing the configuration information corresponding to the each second leaf node with the VM configuration, wherein
the each second leaf node performs the comparing with respect to itself,
the comparing determines whether the each second leaf node is capable of satisfying the one or more requirements that are
necessary for hosting the VM,

the each second leaf node transmits a result of its respective comparison to the root node, and
the result is one of a set of such results; and
provisioning the VM to be hosted at one of the second leaf nodes, wherein
the provisioning is based, at least in part, on the set of such results.

US Pat. No. 9,251,152

EFFICIENT METHOD FOR RELOCATING SHARED MEMORY

Symantec Corporation, Mo...

1. A method comprising:
creating a record in a data structure, in response to two or more files of a file system sharing a first extent, wherein
the record comprises mapping information for the first extent,
the record indicates that the first extent is shared, and
the first extent is stored at a first memory location;
creating a temporary record in a temporary data structure, in response to the contents of the first extent being relocated
to a second extent,

wherein
the second extent is stored at a second memory location, and
the temporary record comprises information indicating how many files share the first extent;
determining that inodes corresponding to the files that share the first extent have been updated; and
deleting the temporary record in response to the determining.

US Pat. No. 9,246,887

METHOD AND APPARATUS FOR SECURING CONFIDENTIAL DATA FOR A USER IN A COMPUTER

Symantec Corporation, Mo...

1. An article of manufacture for securing confidential data, the article of manufacture comprising:
at least one non-transitory processor readable storage medium; and
instructions stored on the at least one medium;
wherein the instructions are configured to be readable from the at least one medium by at least one processor and thereby
cause the at least one processor to operate so as to:

access a first digital identity defining confidential information associated with a first individual and maintained by an
identity manager;

generate a first plurality of search rules based on the confidential information defined by the first digital identity;
search a plurality of files in a storage system using the first plurality of search rules to detect a file having at least
a portion of the confidential information;

encrypt the file using a first encryption key associated with the first digital identity;
receive a request to access the file comprising a credential during a session;
authenticate the request based on the credential and the first encryption key; and
associate the first encryption key with the session.

US Pat. No. 9,246,941

SYSTEMS AND METHODS FOR PREDICTING THE IMPACT OF SECURITY-POLICY CHANGES ON USERS

Symantec Corporation, Mo...

1. A computer-implemented method for predicting the impact of security-policy changes on users, at least a portion of the
method being performed by a computing device comprising at least one processor, the method comprising:
identifying at least one end-user computing system that is potentially to be regulated using a new security policy potentially
to be activated by an administrator of the end-user computing system;

predicting, prior to activating the new security policy on the end-user computing system, how activating the new security
policy will impact at least one user of the end-user computing system by:

deploying the new security policy to the end-user computing system;
monitoring, over a time period of live user activity on the end-user computing system, at least one behavior of the user on
the end-user computing system for evaluation against the new security policy responsive to determining that the new security
policy is potentially to be activated;

determining, without notifying the user of the new security policy and without having first activated the new security policy,
how activating the new security policy on the end-user computing system would have impacted the behavior by:

detecting, at the end-user computing system, a condition that would have triggered enforcement of the new security policy
on the end-user computing system;

determining that the behavior comprised the condition, caused the condition, and/or occurred simultaneously with the condition;
determining, in response to detecting the condition that would have triggered enforcement of the new security policy, that
enforcement of the new security policy on the end-user computing system would have impacted the behavior;

notifying, based at least in part on predicting how activating the new security policy will impact the user, the administrator
of the end-user computing system with information that indicates how activating the new security policy will impact future
user behavior.

US Pat. No. 9,202,076

SYSTEMS AND METHODS FOR SHARING DATA STORED ON SECURE THIRD-PARTY STORAGE PLATFORMS

Symantec Corporation, Mo...

1. A computer-implemented method for sharing data stored on secure third-party storage platforms, at least a portion of the
method being performed by a computing device comprising at least one processor, the method comprising:
identifying, at a server-side computing system, a request from a client system for a token that provides temporary access
to an encrypted file stored under a user account, wherein the temporary access requires decryption of the encrypted file;

identifying, in response to the request, an asymmetric key pair designated for the user account, the asymmetric key pair comprising
an encryption key and a decryption key that has been encrypted with a client-side key;

receiving, from the client system, the client-side key;
decrypting the decryption key with the client-side key;
using the decryption key to generate temporary decryption data that facilitates the decryption of the encrypted file and that
is set to expire by using the decryption key to generate a uniform resource locator that comprises the temporary decryption
data;

generating the token and designating the temporary decryption data as available in exchange for the token;
providing the token to the client system.

US Pat. No. 9,172,600

EFFICIENT I/O ERROR ANALYSIS AND PROACTIVE I/O FAILOVER TO ALTERNATE PATHS FOR INFINIBAND CHANNEL

Symantec Corporation, Mo...

1. A computer implemented method for proactively rerouting input/output (“I/O”) operations in an InfiniBand managed storage
environment comprising at least one processor node containing a host channel adapter (“HCA”) and at least one managed storage
device containing at least one target channel adapter (“TCA”) exposing a plurality of logical units (“LUNs”) and logical volumes,
the method comprising the steps of:
for each InfiniBand channel between a specific HCA and a specific TCA in the InfiniBand managed storage environment, grouping,
by a computer, each one of a plurality of I/O paths between the HCA and any LUN or logical volume exposed by the TCA into
a path set;

determining, by the computer, an occurrence of a failure on a specific path of a specific path set on a specific InfiniBand
channel; and

proactively rerouting all I/O operations on all paths of the specific path set to paths of a separate path set on a separate
InfiniBand channel, without waiting for I/O errors to occur on other paths of the specific path set, wherein the specific
InfiniBand channel and the separate InfiniBand channel both connect a specific processor node to a specific managed storage
device.

US Pat. No. 9,166,993

ANOMALY DETECTION BASED ON PROFILE HISTORY AND PEER HISTORY

SYMANTEC CORPORATION, Mo...

1. A method comprising:
collecting, by an anomaly detection system executing by a processor, file-activity data pertaining to file accesses to files
in an identified network share accessed by a group of individual users;

computing, by the anomaly detection system, file access patterns for the individual users in the group from the file-activity
data;

for one of the individual users, comparing the individual user's file access pattern against a profile history of the individual
user to find a first deviation in the file accesses by the individual user;

identifying, by the anomaly detection system, a cluster of users from the group based on at least one of user collaborations
of individual users of the group or a reporting structure of the group of users;

when the first deviation is found, comparing the individual user's file access pattern against a peer history of the other
individual users in the cluster to find a second deviation; and

reporting, by the anomaly detection system, an anomaly in the file access patterns by the individual user when the first deviation
and the second deviation are found.

US Pat. No. 9,141,449

MANAGING REMOTE PROCEDURE CALLS WHEN A SERVER IS UNAVAILABLE

Symantec Corporation, Mo...

1. A computer-implemented method for managing a server cluster, said method comprising:
issuing a remote procedure call (RPC) request, via at least one computer processor in a client device, from the client device
to a first server for processing said RPC request, wherein said first server is located in said server cluster apart from
said client device and wherein said server cluster comprises metadata servers that are coupled to a plurality of data servers;

adding, via said at least one computer processor, an entry for said RPC request to an RPC table on said client device;
receiving, at said client device, a message that said first server is inoperative, wherein said message is received from a
central management server responsible for monitoring server health in said server cluster and wherein said message is sent
in response to an alert to the central management server, wherein said alert indicates said first server has not responded
to a health check message issued by said client device, said health check message having a timeout period that is shorter
than a timeout period for said RPC request; and

in response to receiving said message, said client device canceling said RPC request, by clearing said RPC request from said
RPC table, and then said client device reissuing, via said at least one computer processor, said RPC request to a second server
for processing said RPC request, wherein said second server is located in said server cluster apart from said client device.

US Pat. No. 10,032,033

SYSTEMS AND METHODS FOR PROTECTING BACKED-UP DATA FROM RANSOMWARE ATTACKS

Symantec Corporation, Mo...

1. A computer-implemented method for protecting backed-up data from ransomware attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
determining that a backup system periodically backs up at least one file stored at the computing device to a remote storage system by storing a copy of the file at the remote storage system;
identifying one or more characteristics of the file that are used by the backup system to identify files that are to be backed up to the remote storage system;
generating a tripwire file having the same one or more characteristics that are used by the backup system to identify files that are to be backed up to the remote storage system;
storing the tripwire file at the computing device;
determining that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified;
performing, in response to detecting that the tripwire file has been modified, an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file.

US Pat. No. 9,166,970

DYNAMIC FRAMEWORK FOR CERTIFICATE APPLICATION CONFIGURATION

Symantec Corporation, Mo...

1. A method comprising:
receiving, by a script hosting server, a script from an authenticated source;
storing, by the script hosting server, the script in a script database;
associating, by the script hosting server, the script with a certificate profile for a digital certificate based on input
from the authenticated source, wherein more than one script can be associated with the certificate profile;

receiving, by the script hosting server, user enrollment information for the certificate profile from the authenticated source,
wherein the user enrollment information indicates an enrolled user for the certificate profile;

storing the user enrollment information in a user database;
receiving, by the script hosting server, a script request of a client device, the script request identifying the certificate
profile and a user of the client device;

determining, by the script hosting server, whether-when the user is enrolled in the certificate profile based on the user
enrollment information in the user database; and

upon determining that the user is enrolled, providing the associated one or more scripts to the client device.

US Pat. No. 9,148,392

SYSTEMS AND METHODS FOR AGGREGATING EVENT INFORMATION

Symantec Corporation, Mo...

1. A computer-implemented method for aggregating event information, at least a portion of the method being performed by a
computing device comprising at least one hardware processor, the method comprising:
identifying a plurality of social networking data feeds;
identifying a planned event involving at least one person associated with at least one social networking data feed within
the plurality of social networking data feeds;

identifying a time and a location of the planned event;
identifying, within a data feed from the plurality of social networking data feeds, a submission that corresponds to the planned
event using at least one of:

the time of the planned event;
the location of the planned event;
identifying, within an additional data feed from the plurality of social networking data feeds, an additional submission that
corresponds to the planned event using at least one of:

the time of the planned event;
the location of the planned event;
creating an event document from the submission within the data feed and the additional submission within the additional data
feed to describe the planned event, wherein the step of creating the event document is performed by the computing device.

US Pat. No. 9,146,868

SYSTEMS AND METHODS FOR ELIMINATING INCONSISTENCIES BETWEEN BACKING STORES AND CACHES

Symantec Corporation, Mo...

1. A computer-implemented method for eliminating inconsistencies between backing stores and caches, at least a portion of
the method being performed by a computing device comprising at least one processor, the method comprising:
superimposing a synchronization marker on at least one write operation in a cache that queues write operations destined for
a backing store, the synchronization marker bifurcating the write operations queued in the cache into:

a subset of one or more write operations known to have been successfully performed on the backing store;
an additional subset of one or more additional write operations that are not yet known to have been successfully performed
on the backing store;

superimposing a corresponding synchronization marker on copies, in the backing store, of write operations from the at least
one write operation, the synchronization marker and the corresponding synchronization marker representing a most recent synchronization
point between the backing store and the cache;

detecting at least one inconsistency between the backing store and the cache that queues write operations destined for the
backing store;

in response to detecting the inconsistency between the backing store and the cache that queues the write operations destined
for the backing store:

identifying the synchronization marker;
identifying the additional subset of additional write operations based at least in part on the synchronization marker that
bifurcates the write operations queued in the cache;

in response to identifying the additional subset of additional write operations based at least in part on the synchronization
marker:

performing the additional subset of additional write operations on the backing store in order to eliminate the inconsistency
between the backing store and the cache;

updating the synchronization marker based at least in part on performing the additional subset of additional write operations
on the backing store.

US Pat. No. 9,135,266

SYSTEM AND METHOD FOR ENABLING ELECTRONIC DISCOVERY SEARCHES ON BACKUP DATA IN A COMPUTER SYSTEM

SYMANTEC CORPORATION, Mo...

1. A non-transitory computer-accessible storage medium storing program instructions executable by one or more processors to:
receive backup data from a file server computer, wherein the backup data includes file data for a plurality of files on the
file server computer;

receive event data specifying a plurality of file access events that have occurred on the file server, wherein the event data
indicates a respective user and a respective file with which each of the file access events is associated;

create mapping information based on the event data and the backup data, wherein in creating the mapping information, the program
instructions are executable by the one or more processors to perform the following for each respective file access event of
at least a subset of the plurality of file access events specified by the event data: a) determine the respective file with
which the respective file access event is associated; b) determine respective file data in the backup data that corresponds
to the respective file with which the respective file access event is associated; and c) store information mapping the respective
file access event to the respective file data in the backup data;

wherein the event data specifies a first file access event for a particular file, wherein the first file access event indicates
that the particular file was accessed by a first user at a first time, wherein the event data also specifies a second file
access event for the particular file, wherein the second file access event indicates that the particular file was accessed
by a second user at a second time, wherein the mapping information maps the first file access event and the second file access
event to the respective file data for the particular file in the backup data;

receive backup catalog information for the backup data, wherein the backup catalog information specifies where the file data
for each file of the plurality of files is stored in the backup data;

receive user input specifying a search query to perform on the backup data;
match the search query to one or more of the file access events in the at least a subset of the plurality of file access events;
and

for each respective file access event of the one or more file access events matching the search query, use the mapping information
to lookup the respective file data in the backup data that corresponds to the respective file with which the respective file
access event is associated;

wherein said receiving the user input specifying the search query comprises receiving user input requesting to search the
backup data to find files deleted by a particular user during a particular time period;

wherein said matching the search query to the one or more file access events comprises determining that each of the one or
more file access events specifies that a particular file was deleted by the particular user during the particular time period;

wherein the one or more file access events matching the search query include the first file access event indicating that the
particular user performed a read access on the particular file at the first time, wherein the particular file corresponds
to particular file data in the backup data, wherein the program instructions are executable by the one or more processors
to examine the backup catalog information to lookup the particular file data in the backup data in response to determining
that the first file access event matches the search query.

US Pat. No. 9,128,742

SYSTEMS AND METHODS FOR ENHANCING VIRTUAL MACHINE BACKUP IMAGE DATA

Symantec Corporation, Mo...

1. A computer-implemented method for enhancing virtual machine backup image data, at least a portion of the method being performed
by a computing device comprising at least one processor, the method comprising:
identifying a virtual machine to be stored as a backup image;
backing up the virtual machine by storing the backup image of the virtual machine in a backup repository;
while backing up the virtual machine, collecting configuration information that identifies at least one of:
virtual hardware of the virtual machine;
an original location of the virtual machine; or
system software of the virtual machine,
the collecting configuration information comprising at least one of:
harvesting the configuration information from a profile of the virtual machine maintained by a host system of the virtual
machine; or

parsing an image of the virtual machine to identify the configuration information;
associating the configuration information with the backup image in a catalog of virtual machine backup images, the catalog
being searchable by the configuration information;

maintaining the catalog of the virtual machine backup images such that the virtual machine backup images are accessible via
configuration information searches.

US Pat. No. 9,104,858

PROTECTING USER IDENTITY AT A CLOUD USING A DISTRIBUTED USER IDENTITY SYSTEM

Symantec Corporation, Mo...

1. A method comprising:
assigning, by a server computer system, an anonymous cloud account to a user in response to a determination that identity
information of the user is validated for a user request to access a cloud, wherein the anonymous cloud account does not reveal
an identity of the user to the cloud;

creating mapping data associating the user with the anonymous cloud account, wherein the mapping data is not made available
to the cloud;

facilitating user access to the cloud based on the anonymous cloud account;
receiving, by the server computer system, cloud access pattern data associated with the anonymous cloud account from the cloud,
wherein the cloud access pattern data is generated by the cloud for the anonymous cloud account without the cloud determining
the identity of the user; and

correlating the cloud access pattern data with the mapping data to identify the user that accessed cloud content specified
in the cloud access pattern data.

US Pat. No. 9,058,118

TECHNIQUES FOR SYNCHRONIZING AND/OR CONSOLIDATING STORAGE AREAS

Symantec Corporation, Mo...

1. An apparatus for synchronizing storage areas comprising:
at least one processor configured to:
identify one or more source storage areas associated with a virtual machine;
create one or more destination storage areas corresponding to the one or more source storage areas;
link the one or more source storage areas directly with the one or more destination storage areas;
synchronize the one or more source areas with the one or more destination storage areas in order to establish data consistency
among the one or more source areas with the one or more destination areas, wherein operation of the virtual machine continues
during synchronization, wherein synchronization operates as a low priority process with negligible impact to virtual machine
performance, wherein portions of the one or more source areas are changed during synchronization and the changed portions
are transmitted to the one or more destination storage areas prior to completion of synchronization; and

associate, when synchronization is complete, the virtual machine with the one or more destination storage areas and disassociate
the virtual machine with the one or more source storage areas.

US Pat. No. 9,489,513

SYSTEMS AND METHODS FOR SECURING COMPUTING DEVICES AGAINST IMPOSTER PROCESSES

Symantec Corporation, Mo...

1. A computer-implemented method for securing computing devices against imposter processes, at least a portion of the method
being performed by a computing device comprising at least one processor, the method comprising:
identifying, by the computing device, a process executing on the computing device that is subject to a security assessment;
determining, by the computing device initiating a query, based on comparing an attribute of the process to an attribute of
a legitimate process, that a similarity between the process and the legitimate process meets a predetermined match threshold
based at least in part on a similarity of a name of the process with a name of the legitimate process;

identifying the legitimate process in response to determining that the similarity between the process and the legitimate process
meets the predetermined match threshold;

determining, by the computing device, in response to identifying the legitimate process, that the process is not the legitimate
process at least in part by determining that at least one of:

the process does not comprise a digital signature that matches a digital signature of the legitimate process; and
a hash of the process does not match a hash of the legitimate process;
determining, based at least in part on the similarity between the process and the legitimate process meeting the predetermined
match threshold and at least in part on determining that the process is not the legitimate process, that the process comprises
an imposter process of the legitimate process;

determining, by the computing device, that a file has been created on the computing device by the imposter process;
determining, by the computing device, a security action for the file on the computing device in response to determining that
the file has been created by the imposter process;

performing, by the computing device, the security action on the computing device for the file in response to determining the
security action and thereby improving security on the computing device.

US Pat. No. 9,450,945

UNIFIED ACCESS CONTROLS FOR CLOUD SERVICES

Symantec Corporation, Mo...

1. A method, comprising:
receiving, from a user device, a request to access a cloud service to utilize a resource provided by the cloud service, wherein
to utilize the resource, the user device is configured to at least one of request information from the resource or send information
to the resource;

in response to receiving the request, determining a context of the request to access the cloud service;
comparing, by a processor, the context of the request to a cloud service access policy, the cloud service access policy to
control utilization of the resource provided by the cloud service;

if the context of the request satisfies the cloud service access policy, determining a type of the information associated
with the request, wherein the type of information is determined using at least one of a non-reversible hash and signature-based
detection;

comparing, by the processor, the type of the information associated with the request to an information control policy, the
information control policy to control what types of information are requested from the resource and sent by the user device
to the resource in view of the context of the request to access to the cloud service; and

if the type of the information satisfies the information control policy, granting the user device access to the cloud service.

US Pat. No. 9,383,989

SYSTEMS AND METHODS FOR UPDATING APPLICATIONS

Symantec Corporation, Mo...

1. A computer-implemented method for updating applications, at least a portion of the method being performed by a computing
device comprising at least one processor, the method comprising:
identifying each version of an application;
determining possible upgrade paths to upgrade the application from an initial version of the application to a desired version
of the application by, for each version of the application:

creating a connection between the version and each subsequent version to which the version can be upgraded, and
weighting each connection with a success rate that indicates the probability that upgrading the version to the subsequent
version will produce a fully-functional version of the subsequent version, wherein the success rate for each connection is
obtained by receiving historical data that indicates the success of an attempt to perform the upgrade on at least one additional
computing device;

identifying, from among the possible upgrade paths, an optimal upgrade path for upgrading the application from the initial
version to the desired version based on an analysis of both the combined weight and the combined length of the connections
within each possible upgrade path.

US Pat. No. 9,268,964

TECHNIQUES FOR MULTIMEDIA METADATA SECURITY

Symantec Corporation, Mo...

1. A method for multimedia metadata security comprising:
receiving, at a second device separate from a first device which created a multimedia file, the multimedia file containing
unencrypted multimedia metadata;

encrypting, using the second device, a portion of the unencrypted multimedia metadata stored in a body of the multimedia file,
wherein encryption of the portion of unencrypted multimedia metadata is separate from encryption of the multimedia file, and
wherein the second device is configured to provide encryption of the portion of the unencrypted multimedia metadata differently
from one or more other portions of unencrypted multimedia metadata within the multimedia file based on one or more rules after
receipt of the multimedia file from the first device; and

embedding a network address in the multimedia metadata to facilitate initiation of a decryption request for the portion of
the encrypted multimedia metadata, wherein the embedded network address is configured to receive the decryption request.

US Pat. No. 9,256,766

SYSTEMS AND METHODS FOR COLLECTING THIEF-IDENTIFYING INFORMATION ON STOLEN COMPUTING DEVICES

Symantec Corporation, Mo...

1. A computer-implemented method for collecting thief-identifying information on stolen computing devices, at least a portion
of the method being performed by a computing device comprising at least one processor, the method comprising:
receiving an indication that the computing device has been stolen;
determining that an attempt by a thief of the stolen computing device to log into a user account of the thief via the stolen
computing device was successful;

collecting, at the stolen computing device based at least in part on determining that the attempt was successful, information
capable of identifying the thief, wherein the information capable of identifying the thief is accessible at the stolen computing
device only when the thief has successfully logged into the user account of the thief via the stolen computing device;

reporting, to a remote computing device, the information capable of identifying the thief.

US Pat. No. 9,215,264

TECHNIQUES FOR MONITORING SECURE CLOUD BASED CONTENT

Symantec Corporation, Mo...

1. A method for monitoring secure cloud based content comprising:
monitoring, using a browser component of a browser comprising an iframe, a secure session accessing cloud based content, wherein
the monitoring comprises concurrently accessing from the browser cloud based content other than cloud based content requested
by a user of the browser;

identifying specific cloud based content meeting a specified criteria; and
performing, via a response component, a specified action based at least in part on the identified specific cloud based content,
wherein the specified action comprises emulating a user action in the browser.

US Pat. No. 9,100,426

SYSTEMS AND METHODS FOR WARNING MOBILE DEVICE USERS ABOUT POTENTIALLY MALICIOUS NEAR FIELD COMMUNICATION TAGS

Symantec Corporation, Mo...

1. A computer-implemented method for warning mobile device users about potentially malicious Near Field Communication (NFC)
tags, at least a portion of the method being performed by a computing device comprising at least one processor, the method
comprising:
prior to a mobile device scanning at least one NFC tag, obtaining, by the mobile device from a remote server, NFC-tag information
that identifies:

a geo-location of the NFC tag;
a result of at least one malware analysis performed on an NFC message received by another mobile device from the NFC tag via
NFC transmission;

determining, based at least in part on the result of the malware analysis performed on the NFC message, that the NFC tag includes
potentially malicious content;

determining, based at least in part on the geo-location of the NFC tag, that the mobile device is located in proximity of
the NFC tag;

in response to determining that the mobile device is located in the proximity of the NFC tag, providing an alert that warns
a user of the mobile device against scanning the NFC tag due at least in part to the potentially malicious content included
in the NFC tag.

US Pat. No. 9,092,248

SYSTEMS AND METHODS FOR RESTORING DISTRIBUTED APPLICATIONS WITHIN VIRTUAL DATA CENTERS

Symantec Corporation, Mo...

1. A computer-implemented method for restoring distributed applications within virtual data centers, at least a portion of
the method being performed by a computing device comprising at least one processor, the method comprising:
receiving a request to restore a distributed application to a virtual data center, wherein:
the distributed application comprises at least one virtual machine;
the virtual data center comprises:
at least one processing resource allocated from at least one hypervisor;
at least one datastore for storing virtual machines running within the virtual data center;
identifying a backup of the virtual machine stored within backup storage;
exposing the backup of the virtual machine stored within the backup storage to the hypervisor;
regenerating the virtual machine by accessing the backup of the virtual machine at the backup storage;
adding the virtual machine to the distributed application;
restoring, before completely recovering the virtual machine from the backup storage to the datastore of the virtual data center,
the distributed application by starting the virtual machine as part of the distributed application.