`
`.
`Applicants
`.
`U.S. Senal No.
`
`Filed
`
`Title
`
`Group Art Unit
`
`Attorney docket no. ELG-P-9139USZ
`
`IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
`.
`.
`Yigal Mordechai Edery et a1.
`
`:
`
`:
`
`:
`
`:
`
`:
`
`unknown
`
`herewith
`
`MALICIOUS MOBILE CODE RUNTIME MONITORING
`SYSTEM AND METHODS
`
`unknown
`
`
`
`9 st
`0-. 1—
`CD Y-
`3' 2
`\
`3; C0
`.— 1—v-
`g 1—
`
`.
`
`,
`V) ‘
`3 Examiner
`:
`unknown
`1
`
`[Bl
`EXPRESS MAIL MAILING LABEL NUMBER E!) 399946563 US, Date of Deposit: March 7, 2006
`Ln
`I hereby certify that this paper or fee is being deposited with the United States Postal Service "Express Mail Post Office to Addressee"
`._fl
`Service under 37 CFR [.10 on the date indicated above and is addressed to the Commissioner for Patents, PO. Box 1450, Alexandria, VA
`:-
`22313-1450.
`
`Andrew L. Tia‘oloff
`CI"
`r (Name of person mailing paper or fee)
`
`-
`
`
`’ 2
`March 7 2006
`(Signature of person mailing paper or fee
`Date
`
`
`
`
`
`
`/
`
`Commissioner for Patents
`PO. Box 1450
`
`Alexandria, VA 22313-1450
`
`/
`
`PATENT APPLICATION TRANSMITTAL LETTER
`
`Sir:
`
`Attorney for the above-captioned applicants transmits herewith the following:
`
`1.
`
`a fee transmittal sheet (1 page);
`
`2.
`
`an application data sheet (3 pages);
`
`3.
`
`the application, which is a copy of the parent application as filed, comprising a
`
`cover sheet (1 page), specification (42 pages), claims (15 pages), drawings (10
`
`pages), and abstract (1 page);
`
`ELG-P-9139U82
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0001
`
`‘
`
`m G
`
`LLJ
`
`K '
`
`"
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0001
`
`

`

`.j
`
`4.
`
`a copy of an executed declaration of the inventors from the parent application;
`
`and
`
`5.
`
`a Preliminary Amendment and Information Disclosure Statement.
`
`PLEASE ASSOCIATE THIS APPLICATION WITH CUSTOMER NUMBER
`
`43214.
`
`Should any questions arise, the Patent Office is invited to telephone attorney for
`
`applicants at 212—490-3285.
`
`CUSTOMER NUMBER
`
`43214
`US. PATENT TRADEMARK OFFICE
`
`Tiajoloff& Kelly
`Chrysler Building, 37th floor
`405 Lexington Avenue
`New York, NY 10174
`
`tel. 212—490-3285
`fax 212—490-3295
`
`Respectfully submitted,
`
`
`
`Andrew L. Tiajoloff
`Registration No. 31,575
`
`ELG-P-9139U82
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0002
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0002
`
`

`

`FEE CALCULATION
`1. BASIC FILING, SEARCH. AND EXAMINATION FEES
`FILING FEES
`Small Entig
`Fee (§)
`150
`100
`100
`150
`100
`
`Application TyE
`Utility
`Design
`' Plant
`Reissue
`Provisional
`2. excess CLAIM FEES
`
`SEARCH FEES
`Small Entlg
`
`Fee {fl
`500
`100
`300
`500
`0
`
`EXAMINATION FEES
`Small Entity
`Fee I§I
`100
`65
`so
`
`Fee Q)
`200
`130
`160
`600
`0
`
`Fees Paid Q)
`1000
`
`
`
`901080
`
`Approved for use through 07/3112006. OMB 0651-0032
`Patent and Trademark Office: U.S. DEPARTMENT OF COMMERCE
`Under the Paperwork Reduction Act of 1995. no persons are required to respond to a collection of information unless it displays a valid OMB control number.
`Complete if Known
`
`m
`
`3
`
`
`FEE TRANSMITTAL
`
`
`
`no
`for FY 2005
`3
`Effective 12/08/2004
`0
`
`
`
`
`
`
`
` EDERY. Yigal Mordechai
`
`
`P-9139-Usz
`
`
`
`YM
`TOTAL AMOUNT OF PA
`
`ENT
`
`(3)7350
`
`
`
`Application Number
`
`
`
`
`
`
`First Named Inventor
`
`Group lArt Unit
`
`Attorney Docket No.
`
`METHOD OF PAYMENT (check all that apply)
`I:I None [3 Other (please specify):
`|:] Check E] Credit Card E] Money Order
`Deposit Account Name: Eitan Law Group
`E] Deposit Account Number 50-3400
`For the above-identified deposit account. the Director is hereby authorized to: (check all that apply)
`E Charge iee(s) indicated below
`[:1 Charge Iee(s) indicated below. except for the fillng fee
`E Charge any additional Iee(s) or underpayments of Iee(s)
`Credit any overpayments
`under 37 CFE 1.16 and 1.17
`.
`WARNING: Information on this form may become public. Credit card Information should not be included on this form. Provide credit card
`information and authorization on PTO-2038.
`
`Fee ($1
`300
`200
`zoo
`300
`200
`
`.
`
`F_ee_,Description
`Each claim over 20 or, for Reissues, each claim over 20 and more than in the original patent
`Each independent claim over 3 or. for Reissues. each independent claim more than in the original patent
`Multiple dependent claims
`Extra Claims
`Total Claims
`x
`_5_§
`-20 or HP =
`15
`‘ HP = highest number of total claims paid for. if greater than 20.
`Fee ($1
`Indeg. Claims
`Extra Claims
`_2_tfl
`x
`-3 or HP =
`_2_1
`11;
`HP = highest number of independent claims paid for. if greater than 3.
`
`Fee Paid (5)
`2_7§Q
`
`Fee Paid [51
`M
`
`Fee (5)
`it;
`
`Small Entig
`Fee (El
`Fee (§)
`25
`50
`100
`200
`180
`360
`Multiple Dependent Claims
`Fee [fl
`Fee Paid [fl
`Q
`
`‘ 3. APPLICATION 5le FEE
`if the specification and drawings exceed 100 sheets of paper. the application size fee due is $250 ($125 for small entity) for each
`additional 50 sheets orfraction thereof. See 35 U.S.C. 41(a)(1)(G) and 37 CFR1.16(s).
`Total Sheets
`Extra Sheets
`Number of each additional 50 or fraction thereof
`(round up to a whole number)
`x
`
`-100
`
`/ 50 =
`
`Fee (5)
`
`=
`
`Fee Paid (g)
`
`4. OTHER FEE(S)
`Non-English Specification, $130 fee (no small entity discount)
`Other fee 5 :
`
`Fee Pglg (5)
`
`
`SUBMITTED BY
`Comlete iraxlicable
`
`Name(Print/Type)
`a
`Tally Eitan
`igg'rfigrigogn’f“ - Telephone
`(212) 490-3285
`
`
`
`
`mina2_— muon.s
`. ,. .
`_
`This collection of information is
`-q red by 37 CFR 1136. The information is required to obtain or retain a benefit by the public which is to file (and by the
`
`' ‘on. Confidentiality is governed by 35 use. 122 and 37 CFR 1.14. This collection is estimated to take 30 minutes to complete.
`'
`including gathering. preparing. and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments
`on the amount of time you require to complete this form andior suggestions for reducing this burden. should be sent to the Chief information Officer. U.S. Patent
`and Trademark Office. US. Department of Commerce. PO Box 1450, Alexandria. VA 22313-1450. DO NOT SEND FEES 0R COMPLETED FORMS TO THIS
`ADDRESS. SEND TO: Commissioner for Patents. P.O. Box 1450, Alexandria. VA 22313-1450.
`
`I! you need assistance In completing the form. call 1s800~PTO-9199 and select option 2.
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0003
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0003
`
`

`

`
`
`.
`Applicants
`.
`U.S. Senal No.
`
`Filed
`
`Title
`
`Group Art Unit
`
`Attorney docket no. ELG-P-9139USZ
`
`IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
`.
`.
`Yigal Mordechai Edery et a1.
`
`:
`
`:
`
`:
`
`:
`
`:
`
`unknown
`
`herewith
`
`MALICIOUS MOBILE CODE RUNTIME MONITORING
`SYSTEM AND METHODS
`
`unknown
`
`
`
`9 st
`‘1. 1—
`CD Y-
`3' 2
`\
`3; C0
`.— 1—v-
`g 1—
`
`.
`
`,
`V) ‘
`3 Examiner
`:
`unknown
`1
`
`[Bl
`EXPRESS MAIL MAILING LABEL NUMBER E!) 399946563 US, Date of Deposit: March 7, 2006
`Ln
`I hereby certify that this paper or fee is being deposited with the United States Postal Service "Express Mail Post Office to Addressee"
`._fl
`Service under 37 CFR [.10 on the date indicated above and is addressed to the Commissioner for Patents, PO. Box 1450, Alexandria, VA
`:-
`22313-1450.
`
`Andrew L. Tia‘oloff
`CI"
`r (Name of person mailing paper or fee)
`
`-
`
`
`’ 2
`March 7 2006
`(Signature of person mailing paper or fee
`Date
`
`
`
`
`
`
`/
`
`Commissioner for Patents
`PO. Box 1450
`
`Alexandria, VA 22313-1450
`
`/
`
`PATENT APPLICATION TRANSMITTAL LETTER
`
`Sir:
`
`Attorney for the above-captioned applicants transmits herewith the following:
`
`1.
`
`a fee transmittal sheet (1 page);
`
`2.
`
`an application data sheet (3 pages);
`
`3.
`
`the application, which is a copy of the parent application as filed, comprising a
`
`cover sheet (1 page), specification (42 pages), claims (15 pages), drawings (10
`
`pages), and abstract (1 page);
`
`ELG-P-9139U82
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0004
`
`‘
`
`m G
`
`LLJ
`
`K '
`
`"
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0004
`
`

`

`.j
`
`4.
`
`a copy of an executed declaration of the inventors from the parent application;
`
`and
`
`5.
`
`a Preliminary Amendment and Information Disclosure Statement.
`
`PLEASE ASSOCIATE THIS APPLICATION WITH CUSTOMER NUMBER
`
`43214.
`
`Should any questions arise, the Patent Office is invited to telephone attorney for
`
`applicants at 212—490-3285.
`
`CUSTOMER NUMBER
`
`43214
`US. PATENT TRADEMARK OFFICE
`
`Tiajoloff& Kelly
`Chrysler Building, 37th floor
`405 Lexington Avenue
`New York, NY 10174
`
`tel. 212—490-3285
`fax 212—490-3295
`
`Respectfully submitted,
`
`
`
`Andrew L. Tiajoloff
`Registration No. 31,575
`
`ELG-P-9139U82
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0005
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0005
`
`

`

`FEE CALCULATION
`1. BASIC FILING, SEARCH. AND EXAMINATION FEES
`FILING FEES
`Small Entig
`Fee (§)
`150
`100
`100
`150
`100
`
`Application TyE
`Utility
`Design
`' Plant
`Reissue
`Provisional
`2. excess CLAIM FEES
`
`SEARCH FEES
`Small Entlg
`
`Fee {fl
`500
`100
`300
`500
`0
`
`EXAMINATION FEES
`Small Entity
`Fee I§I
`100
`65
`so
`
`Fee Q)
`200
`130
`160
`600
`0
`
`Fees Paid Q)
`1000
`
`
`
`901080
`
`Approved for use through 07/3112006. OMB 0651-0032
`Patent and Trademark Office: U.S. DEPARTMENT OF COMMERCE
`Under the Paperwork Reduction Act of 1995. no persons are required to respond to a collection of information unless it displays a valid OMB control number.
`Complete if Known
`
`m
`
`3
`
`
`FEE TRANSMITTAL
`
`
`
`no
`for FY 2005
`3
`Effective 12/08/2004
`0
`
`
`
`
`
`
`
` EDERY. Yigal Mordechai
`
`
`P-9139-Usz
`
`
`
`YM
`TOTAL AMOUNT OF PA
`
`ENT
`
`(3)7350
`
`
`
`Application Number
`
`
`
`
`
`
`First Named Inventor
`
`Group lArt Unit
`
`Attorney Docket No.
`
`METHOD OF PAYMENT (check all that apply)
`I:I None [3 Other (please specify):
`|:] Check E] Credit Card E] Money Order
`Deposit Account Name: Eitan Law Group
`E] Deposit Account Number 50-3400
`For the above-identified deposit account. the Director is hereby authorized to: (check all that apply)
`E Charge iee(s) indicated below
`[:1 Charge Iee(s) indicated below. except for the fillng fee
`E Charge any additional Iee(s) or underpayments of Iee(s)
`Credit any overpayments
`under 37 CFE 1.16 and 1.17
`.
`WARNING: Information on this form may become public. Credit card Information should not be included on this form. Provide credit card
`information and authorization on PTO-2038.
`
`Fee ($1
`300
`200
`zoo
`300
`200
`
`.
`
`F_ee_,Description
`Each claim over 20 or, for Reissues, each claim over 20 and more than in the original patent
`Each independent claim over 3 or. for Reissues. each independent claim more than in the original patent
`Multiple dependent claims
`Extra Claims
`Total Claims
`x
`_5_§
`-20 or HP =
`15
`‘ HP = highest number of total claims paid for. if greater than 20.
`Fee ($1
`Indeg. Claims
`Extra Claims
`_2_tfl
`x
`-3 or HP =
`_2_1
`11;
`HP = highest number of independent claims paid for. if greater than 3.
`
`Fee Paid (5)
`2_7§Q
`
`Fee Paid [51
`M
`
`Fee (5)
`it;
`
`Small Entig
`Fee (El
`Fee (§)
`25
`50
`100
`200
`180
`360
`Multiple Dependent Claims
`Fee [fl
`Fee Paid [fl
`Q
`
`‘ 3. APPLICATION 5le FEE
`if the specification and drawings exceed 100 sheets of paper. the application size fee due is $250 ($125 for small entity) for each
`additional 50 sheets orfraction thereof. See 35 U.S.C. 41(a)(1)(G) and 37 CFR1.16(s).
`Total Sheets
`Extra Sheets
`Number of each additional 50 or fraction thereof
`(round up to a whole number)
`x
`
`-100
`
`/ 50 =
`
`Fee (5)
`
`=
`
`Fee Paid (g)
`
`4. OTHER FEE(S)
`Non-English Specification, $130 fee (no small entity discount)
`Other fee 5 :
`
`Fee Pglg (5)
`
`
`SUBMITTED BY
`Comlete iraxlicable
`
`Name(Print/Type)
`a
`Tally Eitan
`igg'rfigrigogn’f“ - Telephone
`(212) 490-3285
`
`
`
`
`mina2_— muon.s
`. ,. .
`_
`This collection of information is
`-q red by 37 CFR 1136. The information is required to obtain or retain a benefit by the public which is to file (and by the
`
`' ‘on. Confidentiality is governed by 35 use. 122 and 37 CFR 1.14. This collection is estimated to take 30 minutes to complete.
`'
`including gathering. preparing. and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments
`on the amount of time you require to complete this form andior suggestions for reducing this burden. should be sent to the Chief information Officer. U.S. Patent
`and Trademark Office. US. Department of Commerce. PO Box 1450, Alexandria. VA 22313-1450. DO NOT SEND FEES 0R COMPLETED FORMS TO THIS
`ADDRESS. SEND TO: Commissioner for Patents. P.O. Box 1450, Alexandria. VA 22313-1450.
`
`I! you need assistance In completing the form. call 1s800~PTO-9199 and select option 2.
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0006
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0006
`
`

`

`ATTORNEY DOCKET 4342600014
`
`APPLICATION FOR
`
`UNITED STATES PATENT
`
`IN THE NAME OF
`
`Yigal Edery, Nimrod Vered and David Kroll
`
`OF
`
`FINJAN SOFTWARE, LTD.
`
`MALICIOUS MOBILE CODE RUNTIME MONITORING
`
`SYSTEM AND METHODS
`
`DOCKET NO. 43426.00014
`
`Please direct communications to:
`
`Intellectual Property Department
`Squire, Sanders & Dempsey L.L.P.
`600 Hansen Way
`Palo Alto, CA 94304-1043
`(650) 856-6500
`
`Express Mail Number EL 701 364 624
`
`
`
`
`
`
`
`ll"ILA}.03..
`
`1 of 59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0007
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0007
`
`

`

`ATTORNEY DOCKET 4342600014
`
`MALICIOUS MOBILE CODE RUNTIME MONITORING
`
`SYSTEM AND METHODS
`
`PRIORITY REFERENCE TO RELATED APPLICATIONS
`
`U1
`
`This application claims benefit of and hereby incorporates by reference
`
`provisional application serial number 60/205,591, entitled “Computer Network Malicious
`
`Code Run-time Monitoring,” filed on May 17, 2000 by inventors Nimrod Itzhak Vered, et
`
`al. This application is also a Continuation-In—Part of and hereby incorporates by
`
`reference patent application serial number 09/539,667, entitled “System and Method for
`
`Protecting a Computer and a Network From Hostile Downloadables” filed on March 30,
`
`2000 by inventor Shlomo Touboul. This application is also a Continuation-In-Part of and
`
`hereby incorporates by reference patent application serial number 09/551,302, entitled
`
`“System and Method for Protecting a Client During Runtime From Hostile
`
`Downloadables”, filed on April 18, 2000 by inventor Shlomo Touboul.
`
`
`
`(lit!I
`
`"iii".i.iillilii
`
`
`Hmllnil,15
`
`iii-“5
`
`BACKGROUND OF THE INVENTION
`
`Field of the Invention
`
`This invention relates generally to computer networks, and more particularly
`
`20
`
`provides a system and methods for protecting network-connectable devices from
`
`undesirable downloadable operation.
`
`Description of the Background Art
`
`20f59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0008
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0008
`
`

`

`ATTORNEY DOCKET 4342600014
`
`Advances in networking technology continue to impact an increasing number and
`
`diversity of users. The Internet, for example, already provides to expert, intermediate and
`
`even novice users the informational, product and service resources of over 100,000
`
`interconnected networks owned by governments, universities, nonprofit groups,
`
`5
`
`companies, etc. Unfortunately, particularly the Internet and other public networks have
`
`also become a major source of potentially system-fatal or otherwise damaging computer
`
`code commonly referred to as “viruses.”
`
`Efforts to forestall viruses from attacking networked computers have thus far met
`
`
`
`with only limited success at best. Typically, a virus protection program designed to
`
`identify and remove or protect against the initiating of known viruses is installed on a
`
`network firewall or individually networked computer. The program is then inevitably
`
`surmounted by some new virus that often causes damage to one or more computers. The
`
`damage is then assessed and, if isolated, the new virus is analyzed. A corresponding new
`
`virus protection program (or update thereof) is then developed and installed to combat the
`
`new virus, and the new program operates successfully until yet another new virus appears
`
`-_ and so on. Of course, damage has already typically been incurred.
`
`To make matters worse, certain classes of viruses are not well recognized or
`
`understood, let alone protected against. It is observed by this inventor, for example, that
`
`Downloadable information comprising program code can include distributable
`
`20
`
`components (e.g. JavaTM applets and JavaScript scripts, ActiveXTM controls, Visual
`
`Basic, add-ins and/or others). It can also include, for example, application programs,
`
`Trojan horses, multiple compressed programs such as zip or meta files, among others.
`
`US. Patent 5,983,348 to Shuang, however, teaches a protection system for protecting
`
`3of59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0009
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0009
`
`

`

`ATTORNEY DOCKET 4342600014
`
`against only distributable components including “Java applets or ActiveX controls”, and
`
`further does so using resource intensive and high bandwidth static Downloadable content
`
`and operational analysis, and modification of the Downloadable component; Shuang
`
`further fails to detect or protect against additional program code included within a tested
`
`5
`
`Downloadable. US. Patent 5,974,549 to Golan teaches a protection system that further
`
`focuses only on protecting against ActiveX controls and not other distributable
`
`components, let alone other Downloadable types. US. patent 6,167,520 to Touboul
`
`enables more accurate protection than Shuang or Golan, but lacks the greater flexibility
`
`and efficiency taught herein, as do Shuang and Golan.
`
`Accordingly, there remains a need for efficient, accurate and flexible protection of
`
`computers and other network connectable devices from malicious Downloadables.
`
`
`
`SUMMARY OF THE INVENTION
`
`"iii"iiiiii,"
`
`itHull.15.,=15 ‘ protecting a personal computer (“PC”) or other persistently or even intermittently
`
`The present invention provides protection systems and methods capable of
`
`network accessible devices or processes from harmful, undesirable, suspicious or other
`
`“malicious” operations that might otherwise be effectuated by remotely operable code.
`
`While enabling the capabilities of prior systems, the present invention is not nearly so
`
`limited, resource intensive or inflexible, and yet enables more reliable protection. For
`
`20
`
`example, remotely operable code that is protectable against can include downloadable
`
`application programs, Trojan horses and program code groupings, as well as software
`
`“componen ", such as JavaTM applets, ActiveXm controls, IavaScriptmNisual Basic
`
`scripts, add-ins, etc., among others. Protection can also be provided in a distributed
`
`4 of 59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0010
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0010
`
`

`

`ATTORNEY DOCKET 4342600014
`
`interactively, automatically or mixed configurable manner using protected client, server
`
`or other parameters, redirection, local/remote logging, etc., and other server/client based
`
`protection measures can also be separately and/or interoperably utilized, among other
`
`examples.
`
`5
`
`In one aspect, embodiments of the invention provide for determining, within one
`
`
`
`or more network “servers” (cg. firewalls, resources, gateways, email relays or other
`
`devices/processes that are capable of receiving-and-transfening a Downloadable) whether
`
`received information includes executable code (and is a “Downloadable”). Embodiments
`
`also provide for delivering static, configurable and/or extensible remotely operable
`
`protection policies to a Downloadable-destination, more typically as a sandboxed package
`
`including the mobile protection code, downloadable policies and one or more received
`
`Downloadables. Further client-based or remote protection code/policies can also be
`
`utilized in a distributed manner. Embodiments also provide for causing the mobile
`
`protection code to be executed within a Downloadable-destination in a manner that
`
`enables various Downloadable operations to be detected, intercepted or further responded
`
`to via protection operations. Additional server/information-destination device security or
`
`other protection is also enabled, among still further aspects.
`
`A protection engine according to an embodiment of the invention is operable
`
`within one or more network servers, firewalls or other network connectable information
`
`20
`
`re-communicating devices (as are referred to herein summarily one or more “servers” or
`
`“re-communicators”). The protection engine includes an information monitor for
`
`monitoring information received by the server, and a code detection engine for
`
`determining whether the received information includes executable code. The protection
`
`50f59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0011
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0011
`
`

`

`ATTORNEY DOCKET 4342600014
`
`engine also includes a packaging engine for causing a sandboxed package, typically
`
`including mobile protection code and downloadable protection policies to be sent to a
`
`Downloadable-destination in conjunction with the received information, if the received
`
`information is determined to be a Downloadable.
`
`5’
`
`A sandboxed package according to an embodiment ofthe invention is receivable
`
`by and operable with a remote Downloadable-destination. The sandboxed package
`
`includes mobile protection code (“MPC”) for causing one or more predetermined
`
`malicious operations or operation combinations of a Downloadable to be monitored or
`
`
`
`iliiill
`
`
`
`otherwise intercepted. The sandboxed package also includes protection policies (operable
`
`alone or in conjunction with further Downloadable-destination stored or received
`
`policies/MPCS) for causing one or more predetermined operations to be performed if one
`
`or more undesirable operations of the Downloadable is/are intercepted. The sandboxed
`
`package can also include a corresponding Downloadable and can provide for initiating the
`
`Downloadable in a protective “sandbox”. The MPG/policies can further include a
`
`15
`
`communicator for enabling further MPC/policy information or “modules” to be utilized
`
`and/or for event logging or other purposes.
`
`A sandbox protection system according to an embodiment of the invention
`
`comprises an installer for enabling a received MPC to be executed within a
`
`Downloadable-destination (device/process) and further causing a Downloadable
`
`20
`
`application program, distributable component or other received downloadable code to be
`
`received and installed within the Downloadable-destination. The protection system also
`
`includes a diverter for monitoring one or more operation attempts of the Downloadable,
`
`an operation analyzer for determining one or more responses to the attempts, and a
`
`60f59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0012
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0012
`
`

`

`ATTORNEY DOCKET 4342600014
`
`security enforcer for effectuating responses to the monitored operations. The protection
`
`system can further include one or more security policies according to which one or more
`
`protection system elements are operable automatically (e. g. prograrnrnatically) or in
`
`conjunction with user intervention (e. g. as enabled by the security enforcer). The security
`
`5
`
`policies can also be configurable/extensible in accordance with further downloadable
`
`and/or Downloadable-destination information.
`
`
`
`A method according to an embodiment of the invention includes receiving
`
`downloadable information, determining whether the downloadable information includes
`
`executable code, and causing a mobile protection code and security policies to be
`
`communicated to a network client in conjunction with security policies and the
`
`downloadable information if the downloadable information is determined to include
`
`executable code. The determining can further provide multiple tests for detecting, alone
`
`or together, whether the downloadable information includes executable code.
`
`A further method according to an embodiment of the invention includes forming a
`
`sandboxed, package that includes mobile protection code (“MPC”), protection policies,
`
`and a received, detected-Downloadable, and causing the sandboxed package to be
`
`communicated to and installed by a receiving device or process (“user device”) for
`
`responding to one or more malicious operation attempts by the detected-Downloadable
`
`from within the user device. The MPG/policies can further include a base “module” and
`
`20
`
`a “communicator” for enabling further up/downloading of one or more further “modules”
`
`or other information (e. g. events, user/user device information, etc.).
`
`Another method according to an embodiment of the invention includes installing,
`
`within a user device, received mobile protection code (“MPC”) and protection policies in
`
`70f 59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0013
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0013
`
`

`

`ATTORNEY DOCKET 4342600014
`
`conjunction with the user device receiving a downloadable application program,
`
`component or other Downloadable(s). The method also includes determining, by the
`
`MPC, a resource access attempt by the Downloadable, and initiating, by the MPC, one or
`
`more predetermined operations corresponding to the attempt. (Predetermined operations
`
`5
`
`can, for example, comprise initiating user, administrator, client, network or protection
`
`system determinable operations, including but not limited to modifying the Downloadable
`
`operation, extricating the Downloadable, notifying a user/another, maintaining a
`
`local/remote log, causing one or more MPCs/policies to be downloaded, etc.)
`
`
`
`1i?3533iiii"
`
`1"iii«2531.ll
`
`b—lU1.
`
`Advantageously, systems and methods according to embodiments of the invention
`
`enable potentially damaging, undesirable or otherwise malicious operations by even
`
`unknown mobile code to be detected, prevented, modified and/or otherwise protected
`
`against without modifying the mobile code. Such protection is further enabled in a
`
`manner that is capable of minimizing server and client resource requirements, does not
`
`require pre—installation of security code within a Downloadable-destination, and provides
`
`for client specific or generic and readily updateable security measures to be flexibly and
`
`efficiently implemented. Embodiments further provide for thwarting efforts to bypass
`
`security measures (e. g. by "hiding" undesirable operation causing information within
`
`apparently inert or otherwise "friendly" downloadable information) and/or dividing or
`
`combining security measures for even greater flexibility and/or efficiency.
`
`20
`
`Embodiments also provide for determining protection policies that can be
`
`downloaded and/or ascertained from other security information (e.g. browser settings,
`
`administrative policies, user input, uploaded information, etc.). Different actions in
`
`response to different Downloadable operations, clients, users and/or other criteria are also
`
`8of59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0014
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0014
`
`

`

`ATTORNEY DOCKET 4342600014
`
`enabled, and embodiments provide for implementing other security measures, such as
`
`verifying a downloadable source, certification, authentication, etc. Appropriate action
`
`can also be accomplished automatically (e.g. programmatically) and/or in conjunction
`
`with alerting one or more users/administrators, utilizing user input, etc. Embodiments
`
`5
`
`further enable desirable Domrloadable operations to remain substantially unaffected,
`
`among other aspects.
`
`
`
`90f 59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0015
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0015
`
`

`

`ATTORNEY DOCKET 4342600014
`
`BRIEF DESCRIPTION OF "II-IE DRAWINGS
`
`FIG. 1a is a block diagram illustrating a network system in accordance with an
`
`embodiment of the present invention;
`
`FIG. 1b is a block diagram illustrating a network subsystem example in
`
`5
`
`accordance with an embodiment of the invention;
`
`
`
`FIG. 10 is a block diagram illustrating a further network subsystem example in
`
`accordance with an embodiment of the invention;
`
`FIG. 2 is a block diagram illustrating a computer system in accordance with an
`
`embodiment of the invention;
`
`FIG. 3 is a flow diagram broadly illustrating a protection system host according to
`
`an embodiment of the invention;
`
`FIG. 4 is a block diagram illustrating a protection engine according to an
`
`embodiment of the invention;
`
`FIG. 5 is a block diagram illustrating a content inspection engine according to an
`
`embodiment of the invention;
`
`FIG. 6a is a block diagram illustrating protection engine parameters according to
`an embodiment ofthe invention;
`I
`
`FIG. 6b is a flow diagram illustrating a linking engine use in conjunction with
`
`ordinary, compressed and distributable sandbox package utilization, according to an
`
`20
`
`embodiment of the invention;
`
`FIG. 7a is a flow diagram illustrating a sandbox protection system operating
`
`within a destination system, according to an embodiment of the invention;
`
`10 of 59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0016
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0016
`
`

`

`ATTORNEY DOCKET 4342600014
`
`FIG. 7b is a block diagram illustrating memory allocation usable in conjunction
`
`with the protection system of FIG. 7a, according to an embodiment of the invention;
`
`FIG. 70 is a block diagram illustrating a mobile protection code according to an
`
`embodiment of the invention;
`
`5
`
`FIG. 8 is a flowchart illustrating a method for examining a Downloadable in
`
`accordance with the present invention;
`
`FIG. 9 is a flowchart illustrating a server based protection method according to an
`
`embodiment of the invention;
`
`FIG. 10a is a flowchart illustrating method for determining if a potential-
`
`Downloadable includes or is likely to include executable code, according to an
`
`embodiment of the invention;
`
`
` destination according to an embodiment of the invention;
`
`FIG. 10b is a flowchart illustrating a method for forming a protection agent,
`
`according to an embodiment of the invention;
`
`FIG. 11 is a flowchart illustrating a method for protecting a Downloadable
`
`FIG. 12a is a flowchart illustrating a method for forming a Downloadable access
`
`interceptor according to an embodiment of the invention; and
`
`FIG. 12b is a flowchart illustrating a method for implementing mobile protection
`
`policies according to an embodiment of the invention.
`
`20
`
`11 of 59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0017
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0017
`
`

`

`ATTORNEY DOCKET 4342600014
`
`DETAILED DESCRIPTION
`
`In providing malicious mobile code runtime monitoring systems and methods,
`
`embodiments of the invention enable actually or potentially undesirable operations of
`
`even unknown malicious code to be efficiently and flexibly avoided. Embodiments
`
`5
`
`provide, within one or more “servers” (e. g. firewalls, resources, gateways, email relays or
`
`other information re-communicating devices), for receiving downloadable-information
`
`and detecting whether the downloadable-information includes one or more instances of
`
`executable code (e.g. as with a Trojan horse, zip/meta file etc.). Embodiments also
`
`provide for separately or interoperably conducting additional security measures within the
`
`server, within a Downloadable-destination of a detected-Downloadable, or both.
`
`Embodiments further provide for causing mobile protection code (“MPC”) and
`
`downloadable protection policies to be communicated to, installed and executed within
`
`one or more received information destinations in conjunction with a detected-
`
`
`
`Downloadable. Embodiments also provide, within an information-destination, for
`
`‘ii.111.
` detecting malicious operations of the detected-Downloadable and causing responses
`
`thereto in accordance with the protection policies (which can correspond to one or more
`
`user, Downloadable, source, destination, or other parameters), or further downloaded or
`
`downloadable-destination based policies (which can also be configurable or extensible).
`
`(Note that the term “or”, as used herein, is generally intended to mean “and/or” unless
`
`20
`
`otherwise indicated.)
`
`FIGS. 1a through 1c illustrate a computer network system 100 according to an
`
`embodiment of the invention. FIG. 1a broadly illustrates system 100, while FIGS. 1b and
`
`12 of 59
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0018
`
`SOPHOS
`EXHIBIT 1012 - PAGE 0018
`
`

`

`ATTORNEY DOCKET 4342600014
`
`1c illustrate exemplary protectable subsystem implementations corresponding with
`
`system 104 or 106 of FIG. 1a.
`
`Beginning with FIG. 1a, computer network system 100 includes an external
`
`computer network 101 , such as a Wide Area Network or “WAN” (e.g. the Internet),
`
`5
`
`which is coupled to one or more network resource servers (summarily depicted as
`
`resource server-1 102 and resource server-N 103). Where external network 101 includes
`
`the Internet, resource servers 1-N (102, 103) might provide one or more resources
`
`including web pages, streaming media, transaction-facilitating information, program
`
`updates or other downloadable information, summarily depicted as resources 121, 131
`
`and 132. Such information can also include more traditionally viewed “Downloadables”
`
`or “mobile code” (Le. distributable components), as well as downloadablc application
`
`programs or other further Downloadables, such as those that are discussed herein. (It will
`
`be appreciated that interconnected networks can also provide various other resources as
`
`well.)
`
`Also coupled via external network 101 are subsystems 104-106. Subsystems 104—
`
`106 can, for example, include one or more servers, personal computers (“PCs”), smart
`
`appliances, personal infomlation managers or other devices/processes that are at least
`
`temporarily or otherwise intermittently directly or indirectly connectable in a wired or
`
`wireless manner to external network 101 (e.g. us