PTAB, Exhibit 3002
Symantec Corp. v. Finjan, Inc.
IPR2015-01897

FIN000l-CONI-CIPI-CON4
PATENT

BACKGROUND OF THE INVENTION

Field of the Invention

[0002] This invention relates generally to computer networks, and more particularly provides a system and methods for protecting network-connectable devices from undesirable downloadable operation.

Description of the Background Art

[0003] Advances in networking technology continue to impact an increasing number and diversity of users. The Internet, for example, already provides to expert, intermediate and even novice users the informational, product and service resources of over 100,000 interconnected networks owned by governments, universities, nonprofit groups, companies, etc. Unfortunately, particularly the Internet and other public networks have also become a major source of potentially system-fatal or otherwise damaging computer code commonly referred to as “viruses.”

[0004] Efforts to forestall viruses from attacking networked computers have thus far met with only limited success at best. Typically, a virus protection program designed to identify and remove or protect against the initiating of known viruses is installed on a network firewall or individually networked computer. The program is then inevitably surmounted by some new virus that often causes damage to one or more computers. The damage is then assessed and, if isolated, the new virus is analyzed. A corresponding new virus protection program (or update thereof) is then developed and installed to combat the new virus, and the new program operates successfully until yet another new virus appears - and so on. Of course, damage has already typically been incurred.

[0005] To make matters worse, certain classes of viruses are not well recognized or understood, let alone protected against. It is observed by this inventor, for example, that Downloadable information comprising program code can include distributable components (e.g. Java™ applets and JavaScript scripts, ActiveX™ controls, Visual Basic, add-ins and/or others). It can also include, for example, application programs, Trojan horses, multiple compressed programs such as zip or meta files, among others. U.S. Patent 5,983,348 to Shuang, however, teaches a protection system for protecting against only distributable components including “Java applets or ActiveX controls”, and further does so using resource intensive and high bandwidth static Downloadable content and operational analysis, and modification of the Downloadable component; Shuang further fails to detect or protect against additional program code included within a tested Downloadable. U.S. Patent 5,974,549 to Golan teaches a protection system that further focuses only on protecting against ActiveX controls and not other distributable components, let alone other Downloadable types. U.S. patent 6,167,520 to Touboul enables more accurate protection than Shuang or Golan, but lacks the greater flexibility and efficiency taught herein, as do Shuang and Golan.

[0006] Accordingly, there remains a need for efficient, accurate and flexible protection of computers and other network connectable devices from malicious Downloadables.

SUMMARY OF THE INVENTION

[0007] The present invention provides protection systems and methods capable of protecting a personal computer (“PC”) or other persistently or even intermittently network accessible devices or processes from harmful, undesirable, suspicious or other “malicious” operations that might otherwise be effectuated by remotely operable code. While enabling the capabilities of prior systems, the present invention is not nearly so limited, resource intensive or inflexible, and yet enables more reliable protection. For example, remotely operable code that is protectable against can include downloadable application programs, Trojan horses and program code groupings, as well as software “components”, such as Java™ applets, ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among others. Protection can also be provided in a distributed interactively, automatically or mixed configurable manner using protected client, server or other parameters, redirection, local/remote logging, etc., and other server/client based protection measures can also be separately and/or interoperably utilized, among other examples.

[0008] In one aspect, embodiments of the invention provide for determining, within one or more network “servers” (e.g. firewalls, resources, gateways, email relays or other devices/processes that are capable of receiving-and-transferring a Downloadable) whether received information includes executable code (and is a “Downloadable”). Embodiments also provide for delivering static, configurable and/or extensible remotely operable protection policies to a Downloadable-destination, more typically as a sandboxed package including the mobile protection code, downloadable policies and one or more received Downloadables. Further client-based or remote protection code/policies can also be utilized in a distributed manner. Embodiments also provide for causing the mobile protection code to be executed within a Downloadable-destination in a manner that enables various Downloadable operations to be detected, intercepted or further responded to via protection operations. Additional server/information-destination device security or other protection is also enabled, among still further aspects.

[0009] A protection engine according to an embodiment of the invention is operable within one or more network servers, firewalls or other network connectable information re-communicating devices (as are referred to herein summarily one or more “servers” or “re-communicators”). The protection engine includes an information monitor for monitoring information received by the server, and a code detection engine for determining whether the received information includes executable code. The protection engine also includes a packaging engine for causing a sandboxed package, typically including mobile protection code and downloadable protection policies to be sent to a Downloadable-destination in conjunction with the received information, if the received information is determined to be a Downloadable.

[00010] A sandboxed package according to an embodiment of the invention is receivable by and operable with a remote Downloadable-destination. The sandboxed package includes mobile protection code (“MPC”) for causing one or more predetermined malicious operations or operation combinations of a Downloadable to be monitored or otherwise intercepted. The sandboxed package also includes protection policies (operable alone or in conjunction with further Downloadable-destination stored or received policies/MPCs) for causing one or more predetermined operations to be performed if one or more undesirable operations of the Downloadable is/are intercepted. The sandboxed package can also include a corresponding Downloadable and can provide for initiating the Downloadable in a protective “sandbox”. The MPC/policies can further include a communicator for enabling further MPC/policy information or “modules” to be utilized and/or for event logging or other purposes.

[00011] A sandbox protection system according to an embodiment of the invention comprises an installer for enabling a received MPC to be executed within a Downloadable-destination (device/process) and further causing a Downloadable application program, distributable component or other received downloadable code to be received and installed within the Downloadable-destination. The protection system also includes a diverter for monitoring one or more operation attempts of the Downloadable, an operation analyzer for determining one or more responses to the attempts, and a security enforcer for effectuating responses to the monitored operations. The protection system can further include one or more security policies according to which one or more protection system elements are operable automatically (e.g. programmatically) or in conjunction with user intervention (e.g. as enabled by the security enforcer). The security policies can also be configurable/extensible in accordance with further downloadable and/or Downloadable-destination information.

[00012] A method according to an embodiment of the invention includes receiving downloadable information, determining whether the downloadable information includes executable code, and causing a mobile protection code and security policies to be communicated to a network client in conjunction with security policies and the downloadable information if the downloadable information is determined to include executable code. The determining can further provide multiple tests for detecting, alone or together, whether the downloadable information includes executable code.

[00013] A further method according to an embodiment of the invention includes forming a sandboxed package that includes mobile protection code (“MPC”), protection policies, and a received, detected-Downloadable, and causing the sandboxed package to be communicated to and installed by a receiving device or process (“user device”) for responding to one or more malicious operation attempts by the detected-Downloadable from within the user device. The MPC/policies can further include a base “module” and a “communicator” for enabling further up/downloading of one or more further “modules” or other information (e.g. events, user/user device information, etc.).

[00014] Another method according to an embodiment of the invention includes installing, within a user device, received mobile protection code (“MPC”) and protection policies in conjunction with the user device receiving a downloadable application program, component or other Downloadable(s). The method also includes determining, by the MPC, a resource access attempt by the Downloadable, and initiating, by the MPC, one or more predetermined operations corresponding to the attempt. (Predetermined operations can, for example, comprise initiating user, administrator, client, network or protection system determinable operations, including but not limited to modifying the Downloadable operation, extricating the Downloadable, notifying a user/another, maintaining a local/remote log, causing one or more MPCs/policies to be downloaded, etc.)

[00015] Advantageously, systems and methods according to embodiments of the invention enable potentially damaging, undesirable or otherwise malicious operations by even unknown mobile code to be detected, prevented, modified and/or otherwise protected against without modifying the mobile code. Such protection is further enabled in a manner that is capable of minimizing server and client resource requirements, does not require pre-installation of security code within a Downloadable-destination, and provides for client specific or generic and readily updateable security measures to be flexibly and efficiently implemented. Embodiments further provide for thwarting efforts to bypass security measures (e.g. by “hiding” undesirable operation causing information within apparently inert or otherwise “friendly” downloadable information) and/or dividing or combining security measures for even greater flexibility and/or efficiency.

[00016] Embodiments also provide for determining protection policies that can be downloaded and/or ascertained from other security information (e.g. browser settings, administrative policies, user input, uploaded information, etc.). Different actions in response to different Downloadable operations, clients, users and/or other criteria are also enabled, and embodiments provide for implementing other security measures, such as verifying a downloadable source, certification, authentication, etc. Appropriate action can also be accomplished automatically (e.g. programmatically) and/or in conjunction with alerting one or more users/administrators, utilizing user input, etc. Embodiments further enable desirable Downloadable operations to remain substantially unaffected, among other aspects.

BRIEF DESCRIPTION OF THE DRAWINGS

[00017] FIG. 1a is a block diagram illustrating a network system in accordance with an embodiment of the present invention;

[00018] FIG. 1b is a block diagram illustrating a network subsystem example in accordance with an embodiment of the invention;

[00019] FIG. 1c is a block diagram illustrating a further network subsystem example in accordance with an embodiment of the invention;

[00020] FIG. 2 is a block diagram illustrating a computer system in accordance with an embodiment of the invention;

[00021] FIG. 3 is a flow diagram broadly illustrating a protection system host according to an embodiment of the invention;

[00022] FIG. 4 is a block diagram illustrating a protection engine according to an embodiment of the invention;

[00023] FIG. 5 is a block diagram illustrating a content inspection engine according to an embodiment of the invention;

[00024] FIG. 6a is a block diagram illustrating protection engine parameters according to an embodiment of the invention;

[00025] FIG. 6b is a flow diagram illustrating a linking engine use in conjunction with ordinary, compressed and distributable sandbox package utilization, according to an embodiment of the invention;

[00026] FIG. 7a is a flow diagram illustrating a sandbox protection system operating within a destination system, according to an embodiment of the invention;

[00027] FIG. 7b is a block diagram illustrating memory allocation usable in conjunction with the protection system of FIG. 7a, according to an embodiment of the invention;

[00028] FIG. 8 is a block diagram illustrating a mobile protection code according to an embodiment of the invention;

[00029] FIG. 9 is a flowchart illustrating a protection method according to an embodiment of the invention;

[00030] FIG. 10a is a flowchart illustrating a method for determining if a potential-Downloadable includes or is likely to include executable code, according to an embodiment of the invention;

[00031] FIG. 10b is a flowchart illustrating a method for forming a protection agent, according to an embodiment of the invention;

[00032] FIG. 11 is a flowchart illustrating a method for protecting a Downloadable destination according to an embodiment of the invention;

[00033] FIG. 12a is a flowchart illustrating a method for forming a Downloadable access interceptor according to an embodiment of the invention; and

[00034] FIG. 12b is a flowchart illustrating a method for implementing mobile protection policies according to an embodiment of the invention.

DETAILED DESCRIPTION

[00035] In providing malicious mobile code runtime monitoring systems and methods, embodiments of the invention enable actually or potentially undesirable operations of even unknown malicious code to be efficiently and flexibly avoided. Embodiments provide, within one or more “servers” (e.g. firewalls, resources, gateways, email relays or other information re-communicating devices), for receiving downloadable-information and detecting whether the downloadable-information includes one or more instances of executable code (e.g. as with a Trojan horse, zip/meta file etc.). Embodiments also provide for separately or interoperably conducting additional security measures within the server, within a Downloadable-destination of a detected-Downloadable, or both.

[00036] Embodiments further provide for causing mobile protection code (“MPC”) and downloadable protection policies to be communicated to, installed and executed within one or more received information destinations in conjunction with a detected-Downloadable. Embodiments also provide, within an information-destination, for detecting malicious operations of the detected-Downloadable and causing responses thereto in accordance with the protection policies (which can correspond to one or more user, Downloadable, source, destination, or other parameters), or further downloaded or downloadable-destination based policies (which can also be configurable or extensible). (Note that the term “or”, as used herein, is generally intended to mean “and/or” unless otherwise indicated.)

[00037] FIGS. 1a through 1c illustrate a computer network system 100 according to an embodiment of the invention. FIG. 1a broadly illustrates system 100, while FIGS. 1b and 1c illustrate exemplary protectable subsystem implementations corresponding with system 104 or 106 of FIG. 1a.

[00038] Beginning with FIG. 1a, computer network system 100 includes an external computer network 101, such as a Wide Area Network or “WAN” (e.g. the Internet), which is coupled to one or more network resource servers (summarily depicted as resource server-1 102 and resource server-N 103). Where external network 101 includes the Internet, resource servers 1-N (102, 103) might provide one or more resources including web pages, streaming media, transaction-facilitating information, program updates or other downloadable information, summarily depicted as resources 121, 131 and 132. Such information can also include more traditionally viewed “Downloadables” or “mobile code” (i.e. distributable components), as well as downloadable application programs or other further Downloadables, such as those that are discussed herein. (It will be appreciated that interconnected networks can also provide various other resources as well.)

[00039] Also coupled via external network 101 are subsystems 104-106. Subsystems 104-106 can, for example, include one or more servers, personal computers (“PCs”), smart appliances, personal information managers or other devices/processes that are at least temporarily or otherwise intermittently directly or indirectly connectable in a wired or wireless manner to external network 101 (e.g. using a dialup, DSL, cable modem, cellular connection, IR/RF, or various other suitable current or future connection alternatives). One or more of subsystems 104-106 might further operate as user devices that are connectable to external network 101 via an internet service provider (“ISP”) or local area network (“LAN”), such as a corporate intranet, or home, portable device or smart appliance network, among other examples.

[00040] FIG. 1a also broadly illustrates how embodiments of the invention are capable of selectively, modifiably or extensibly providing protection to one or more determinable ones of networked subsystems 104-106 or elements thereof (not shown) against potentially harmful or other undesirable (“malicious”) effects in conjunction with receiving downloadable information. “Protected” subsystem 104, for example, utilizes a protection in accordance with the teachings herein, while “unprotected” subsystem-N 105 employs no protection, and protected subsystem-M 106 might employ one or more protections including those according to the teachings herein, other protection, or some combination.

[00041] System 100 implementations are also capable of providing protection to redundant elements 107 of one or more of subsystems 104-106 that might be utilized, such as backups, failsafe elements, redundant networks, etc. Where included, such redundant elements are also similarly protectable in a separate, combined or coordinated manner using embodiments of the present invention either alone or in conjunction with other protection mechanisms. In such cases, protection can be similarly provided singly, as a composite of component operations or in a backup fashion. Care should, however, be exercised to avoid potential repeated protection engine execution corresponding to a single Downloadable; such “chaining” can cause a Downloadable to operate incorrectly or not at all, unless a subsequent detection engine is configured to recognize a prior packaging of the Downloadable.

[00042] FIGS. 1b and 1c further illustrate, by way of example, how protection systems according to embodiments of the invention can be utilized in conjunction with a wide variety of different system implementations. In the illustrated examples, system elements are generally configurable in a manner commonly referred to as a “client-server” configuration, as is typically utilized for accessing Internet and many other network resources. For clarity sake, a simple client-server configuration will be presumed unless otherwise indicated. It will be appreciated, however, that other configurations of interconnected elements might also be utilized (e.g. peer-peer, routers, proxy servers, networks, converters, gateways, services, network reconfiguring elements, etc.) in accordance with a particular application.

[00043] The FIG. 1b example shows how a suitable protected system 104a (which can correspond to subsystem-1 104 or subsystem-M 106 of FIG. 1) can include a protection-initiating host “server” or “re-communicator” (e.g. ISP server 140a), one or more user devices or “Downloadable-destinations” 145, and zero or more redundant elements (which elements are summarily depicted as redundant client device/process 145a). In this example, ISP server 140a includes one or more email, Internet or other servers 141a, or other devices or processes capable of transferring or otherwise “re-communicating” downloadable information to user devices 145. Server 141a further includes protection engine or “PE” 142a, which is capable of supplying mobile protection code (“MPC”) and protection policies for execution by client devices 145. One or more of user devices 145 can further include a respective one or more clients 146 for utilizing information received via server 140a, in accordance with which MPC and protection policies are operable to protect user devices 145 from detrimental, undesirable or otherwise “malicious” operations of downloadable information also received by user device 145.

[00044] The FIG. 1c example shows how a further suitable protected system 104b can include, in addition to a “re-communicator”, such as server 142b, a firewall 1430 (e.g. as is typically the case with a corporate intranet and many existing or proposed home/smart networks.) In such cases, a server 141b or firewall 143 can operate as a suitable protection engine host. A protection engine can also be implemented in a more distributed manner among two or more protection engine host systems or host system elements, such as both of server 141b and firewall 143, or in a more integrated manner, for example, as a standalone device. Redundant system or system protection elements can also be similarly provided in a more distributed or integrated manner (see above).

[00045] System 104b also includes internal network 144 and user devices 145. User devices 145 further include a respective one or more clients 146 for utilizing information received via server 1403, in accordance with which the MPCs or protection policies are operable. (As in the previous example, one or more of user devices 145 can also include or correspond with similarly protectable redundant system elements, which are not shown.)

[00046] It will be appreciated that the configurations of FIGS. 1a-1c are merely exemplary. Alternative embodiments might, for example, utilize other suitable connections, devices or processes. One or more devices can also be configurable to operate as a network server, firewall, smart router, a resource server servicing deliverable third-party/manufacturer postings, a user device operating as a firewall/server, or other information-suppliers or intermediaries (i.e. as a “re-communicator” or “server”) for servicing one or more further interconnected devices or processes or interconnected levels of devices or processes. Thus, for example, a suitable protection engine host can include one or more devices or processes capable of providing or supporting the providing of mobile protection code or other protection consistent with the teachings herein. A suitable information-destination or “user device” can further include one or more devices or processes (such as email, browser or other clients) that are capable of receiving and initiating or otherwise hosting a mobile code execution.

[00047] FIG. 2 illustrates an exemplary computing system 200, that can comprise one or more of the elements of FIGS. 1a through 1c. While other application-specific alternatives might be utilized, it will be presumed for clarity sake that system 100 elements (FIGS. 1a-c) are implemented in hardware, software or some combination by one or more processing systems consistent therewith, unless otherwise indicated.

[00048] Computer system 200 comprises elements coupled via communication channels (e.g. bus 201) including one or more general or special purpose processors 202, such as a Pentium® or Power PC®, digital signal processor (“DSP”), etc. System 200 elements also include one or more input devices 203 (such as - mouse, keyboard, microphone, pen, etc.), and one or more output devices 204, such as a suitable display, speakers, actuators, etc., in accordance with a particular application.

[00049] System 200 also includes a computer readable storage media reader 205 coupled to a computer readable storage medium 206, such as a storage/memory device or hard or removable storage/memory media; such devices or media are further indicated separately as storage device 208 and memory 209, which can include hard disk variants, floppy/compact disk variants, digital versatile disk (“DVD”) variants, smart cards, read only memory, random access memory, cache memory, etc., in accordance with a particular application. One or more suitable communication devices 207 can also be included, such as a modem, DSL, infrared or other suitable transceiver, etc. for providing inter-device communication directly or via one or more suitable private or public networks that can include but are not limited to those already discussed.

[00050] Working memory further includes operating system (“OS”) elements and other programs, such as application programs, mobile code, data, etc. for implementing system 100 elements that might be stored or loaded therein during use. The particular OS can vary in accordance with a particular device, features or other aspects in accordance with a particular application (e.g. Windows, Mac, Linux, Unix or Palm OS variants, a proprietary OS, etc.). Various programming languages or other tools can also be utilized, such as C++, Java, Visual Basic, etc. As will be discussed, embodiments can also include a network client such as a browser or email client, e.g. as produced by Netscape, Microsoft or others, a mobile code executor such as an OS task manager, Java Virtual Machine (“JVM”), etc., and an application program interface (“API”), such as a Microsoft Windows or other suitable element in accordance with the teachings herein. (It will also become apparent that embodiments might also be implemented in conjunction with a resident application or combination of mobile code and resident application components.)

[00051] One or more system 200 elements can also be implemented in hardware, software or a suitable combination. When implemented in software (e.g. as an application program, object, downloadable, servlet, etc. in whole or part), a system 200 element can be communicated transitionally or more persistently from local or remote storage to memory (or cache memory, etc.) for execution, or another suitable mechanism can be utilized, and elements can be implemented in compiled or interpretive form. Input, intermediate or resulting data or functional elements can further reside more transitionally or more persistently in a storage media, cache or more persistent volatile or non-volatile memory, (e.g. storage device 207 or memory 208) in accordance with a particular application.

[00052] FIG. 3 illustrates an interconnected re-communicator 300 generally consistent with system 140b of FIG. 1, according to an embodiment of the invention. As with system 140b, system 300 includes a server 301, and can also include a firewall 302. In this implementation, however, either server 301 or firewall 302 (if a firewall is used) can further include a protection engine (310 or 320 respectively). Thus, for example, an included firewall can process received information in a conventional manner, the results of which can be further processed by protection engine 310 of server 301, or information processed by protection engine 320 of an included firewall 302 can be processed in a conventional manner by server 301. (For clarity sake, a server including a singular protection engine will be presumed, with or without a firewall, for the remainder of the discussion unless otherwise indicated. Note, however, that other embodiments consistent with the teachings herein might also be utilized.)

[00053] FIG. 3 also shows how information received by server 301 (or firewall 302) can include non-executable information, executable information or a combination of non-executable and one or more executable code portions (e.g. so-called Trojan horses that include a hostile Downloadable within a friendly one, combined, compressed or otherwise encoded files, etc.). Particularly such combinations will likely remain undetected by a firewall or other more conventional protection systems. Thus, for convenience, received information will also be referred to as a “potential-Downloadable”, and received information found to include executable code will be referred to as a “Downloadable” or equivalently as a “detected-Downloadable” (regardless of whether the executable code includes one or more application programs, distributable “components” such as Java, ActiveX, add-in, etc.).

`Page 13 of 33
`
`

`
`FIN000l-CONI-CIPI-CON4
`
`PATENT
`
`[00054]
`
`Protection engine 310 provides for detecting whether received potential-
`
`Downloadables include executable code, and upon such detection, for causing mobile protection
`
`code (“MPC”) to be transferred to a device that is a destination of the potential-Downloadable
`
`(or “Downloadable-destination”). Protection engine 310 can also provide protection policies in
`
`conjunction with the MPC (or thereafter as well), which MPCr’policies can be automatically (e.g.
`
`programmatically) or interactively configurable in accordance user, administrator, downloadable
`
`source, destination, operation, type or various other parameters alone or in combination (see
`
`below). Protection engine 310 can also provide or operate separately or interoperably in
`
`conjunction with one or more of certification, authentication, downloadable tagging, source
`
`checking, verification, logging, diverting or other protection services via the MPC, policies,
`
`other local/remote server or destination processing, etc. (e.g. which can also include protection
`
`mechanisms taught by the above-noted prior applications; see FIG. 4).
`
`[00055]
`
`Operationally, protection engine 310 of server 301 monitors information received
`
`by server 301 and determines whether the received information is deliverable to a protected
`
`destination, e.g. using a suitable monitor/data transfer mechanism and comparing a destination-
`
`address of the received information to a protected destination set, such as a protected destinations
`
`list, array, database, etc. (All deliverable information or one or more subsets thereof might also
`
`be monitored.) Protection engine 310 further analyzes the potential-Downloadable and
`
`determines whether the potential-Downloadable includes executable code. If not, protection
`
`engine 310 enables the not executable potential-Downloadable 331 to be delivered to its
`
`destination in an unaffected manner.
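
The decision flow of paragraphs [00053] to [00055], as an added Python example that is not part of the patent text or of any product it describes. Magic-byte matching and ZIP unpacking are assumptions standing in for the detection step, and the names `find_executable`, `route`, `zip_of`, the address and the limits are hypothetical.

```python
import io
import zipfile

# Assumption: magic-byte prefixes stand in for the detection step, which the
# text above does not specify. All names and limits here are hypothetical.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF",
                    b"\xca\xfe\xba\xbe": "Java class"}
MAX_DEPTH = 3                  # bound recursion into nested archives
MAX_MEMBER_BYTES = 1_000_000   # refuse to inflate oversized members

def find_executable(data, depth=0):
    """Describe the first executable portion found in data, or return None."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if not data.startswith(b"PK\x03\x04"):
        return None
    if depth >= MAX_DEPTH:
        return "archive nested too deeply"      # fail closed
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    return f"oversized member {info.filename}"
                inner = find_executable(zf.read(info), depth + 1)
                if inner:
                    return f"{inner} inside {info.filename}"
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted
        return "uninspectable archive"          # fail closed
    return None

def route(dest, data, protected):
    """Decide how a potential-Downloadable is delivered."""
    if dest not in protected:
        return "pass-through"                   # not a protected destination
    found = find_executable(data)
    if found is None:
        return "deliver-unaffected"             # no executable code detected
    return f"deliver-with-MPC ({found})"        # detected-Downloadable

def zip_of(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: plain text, and a friendly archive hiding a PE stub.
PROTECTED = {"10.0.0.5"}
TEXT = b"<html>hello</html>"
TROJAN = zip_of({"readme.txt": b"friendly", "setup.bin": b"MZ\x90\x00stub"})
```

Archives that cannot be inspected (too deep, oversized, corrupt or encrypted) are treated as detected rather than delivered unaffected, which is a design choice of this example.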
`
`[00056]
`
`In conjunction with determining that the potential-Downloadable is a detected-
`
`Downloadable, protection engine 310 also causes mobile protection code or “MPC” 341 to be
`
`communicated to the D
