Armorize Products
`8,141,154
`The statements and documents cited below are solely provided by way of example and based on information
`available to Finjan, Inc. at the time this chart was created, and not to be used by way of limitation or for
`purposes of construing the claim terms. Finjan reserves its right to supplement this chart as additional
`information becomes known to it.
`
`For purposes of this chart, “Armorize Products” refers to the following: HackAlert Anti-Malware, CodeSecure
`Automated Static Source Code Analysis, SmartWAF Web Application Firewall, SafeImpressions and Malvertising
`Protection. See http://www.armorize.com/index.php?link_id=hackalert.
`Claim 1
`
`1a. A system for protecting a
`Armorize Products meet the recited claim language because they provide a
`computer from dynamically
`system with a content processor for processing content received over a network,
`generated malicious content,
`the content including a call to a first function, and the call including an input, and
`comprising: a content
`for invoking a second function with the input, only if a security computer
`processor (i) for processing
`indicates that such invocation is safe.
`content received over a
`
`network, the content
`By the way of example, and not limitation, Armorize Products meet the recited
`including a call to a first
`claim language because Armorize Products dynamically analyzes exploit kits,
`function, and the call
`exploit code, obfuscated scripts within web content, to prevent delivery of a
`including an input, and (ii) for
`payload or dropper from another server to a client computer. Armorize
`invoking a second function
`Products use a cloud system to analyze the dynamic threats. For example,
`with the input, only if a
`HackAlert uses a behavior-based scanning engine to send downloadable content
`security computer indicates
`to run in an isolated sandbox hosted at the Armorize datacenter to be analyzed
`that such invocation is safe;
`for behavioral characteristics that indicate malware injections. If there is an
`active drive-by download, the download is analyzed and the behavior and
`remediation guidance is reported back to the end user.
`
`This is demonstrated in Armorize’s public documents and at
`http://www.armorize.com/codesecure/index.php,
`http://www.armorize.com/index.php?link_id=product,
`http://www.armorize.com/index.php?link_id=hackalert, and
`http://www.armorize.com/pdfs/resources/smartwaf.pdf.
`
`Armorize HackAlert analyzes, detects, prevents, and mitigates against malware
`infections. HackAlert is a system to protect a computer from dynamically
`generated malicious content. A computer attempts to access web content with
`that input sent to HackAlert, the content processor. If HackAlert determines the
`web content to be safe, the client computer is able to load the web content.
`“HackAlert focuses on special malware, such as 0-day exploits or exploits used in
`APT (Advanced Persistent Threat) attacks, that are undetectable by typical virus
`or malware scanners. This may include for example malicious binaries, document
`exploits (PDF, Word, Excel, PowerPoint, Flash), Java exploits, browser exploits,
`BHO (browser helper object) exploits, drive-by downloads, click-to downloads,
`etc.” http://www.armorize.com/index.php?link_id=hackalert.
`
`See also, http://blog.armorize.com/2010/12/hdd-plus-malware-spread-
`through.html showing Armorize Products decoding malvertising and drive-by
`
`1
`
`

`
`download exploits on msn.com. In the example below, the banner contains
`obfuscated javascript code, which loads iframes that include exploits to cause
`drive-by downloads. Armorize’s HackAlert can use multiple behavioral and static
`analysis techniques coupled to detect potential malware and make a call to
`Armorize’s media reputation database. If the downloadable is safe, HackAlert
`will allow the file to be downloaded, otherwise it will prevent the file from being
`downloaded or it will make the file safe.
`http://www.armorize.com/index.php?link_id=SafeImpression.
`
`
`
`
`
`2
`
`

`
`
`http://www.armorize.com/pdfs/resources/armorize-appsec-apt-malware-
`malvertising-source-code-analysis.pdf
`
`CodeSecure in combination with SmartWAF can provide real-time scanning of
`downloadables and acts as a firewall between the Internet and the client
`computer. If the content is determined to be safe, the content can go forward
`to the client computer. http://www.armorize.com/codesecure/features.html
`“Easily managed through a centralized web portal, CodeSecure™ provides
`automated appliance-free, compiler-independent code analysis. It traces tainted
`data flow through the target application, pinpoints vulnerable code and
`generates reports that provide prioritized remediation guidance for security
`flaws. These reports can be exported to Armorize SmartWAF™ application
`firewall solution for real-time vulnerable entry point protection and mitigation,
`before issues are fixed.”
`
`SmartWAF is on a security computer between the client computer and the
`
`3
`
`

`
`Internet. SmartWAF with CodeSecure receives downloadables and blocks
`potential malicious code from accessing the client computer.
`http://www.armorize.com/pdfs/resources/smartwaf.pdf.
`
`
`
`
`
`
`See also, https://hackalert.armorize.com/learnmore.php
`“HackAlert V3 is delivered as a cloud-based service. The service's globally
`distributed agents browse customer websites to detect active malware
`downloads and links to malicious sites.
`HackAlert V3 optimizes multiple analysis techniques to detect malware drive-by
`downloads targeting end-users before the website is flagged by search engines
`as malicious.
`HackAlert V3 delivers the following benefits:
`
`Protects clients and customers from malware injected websites, drive by
`downloads and malicious advertising (malvertising)
`
`Identifies malware before the website is flagged as malicious
`
`Displays injected code snippets to facilitate remediation
`
`Deploys as cloud-based SaaS or as a flexible API for enterprise
`integration
`
`Integrates with WAF or Web server modules for instant mitigation”
`
`Examples on an input include the below script code.
`
`4
`
`

`
`
`
`http://layer8tek.com/userfiles/pdf/armorize/hackalert.pdf.
`
`Another example of input include “http://3pigs.info/t/?58965b8f was injected as
`source for malicious file”:
`
`
`
`5
`
`

`
`1b. a transmitter for
`transmitting the input to the
`security computer for
`inspection, when the first
`function is invoked; and
`
`
`
`See Scaling Web 2.0 Malware Infection by Wayne Huang.
`
`To the extent that Armorize contends that it does not literally infringe this claim,
`Armorize infringes under the doctrine of equivalents. The above described
`functionality of Armorize is at most insubstantially different from the claimed
`functionality and performs the same function in the same way to achieve the
`same result. Once Finjan receives non-infringement positions, if any, Finjan may
`supplement its disclosure. In addition, Finjan may supplement its disclosure once
`it receives Armorize’s production of documents with relevant and non-public
`information, particularly related to its source code.
`Armorize Products meet the recited claim language because they include a
`transmitter for transmitting the input to the security computer for inspection
`when the first function is invoked.
`
`By the way of example, and not limitation, Armorize Products meet the recited
`claim language because Armorize Products separately contains a transmitter for
`sending dynamically generated malicious content including drive-by downloads,
`payloads or droppers from another server to the Armorize cloud infrastructure,
`such as Armorize’s cloud-based sandboxes and media reputation database.
`http://www.armorize.com/index.php?link_id=about (“By generating forensics
`information on-the-fly, HackAlert’s cloud-based sandboxing not only detects an
`advanced attack, but also provides an aggregated forensics report giving insight
`into the attack’s origin, intent, and behavior.”).
`
`This is demonstrated in Armorize’s public documents and at
`http://www.armorize.com/codesecure/index.php,
`http://www.armorize.com/index.php?link_id=product,
`http://www.armorize.com/index.php?link_id=hackalert, and
`http://www.armorize.com/pdfs/resources/smartwaf.pdf.
`
`Armorize HackAlert analyzes, detects, prevents, and mitigates against malware
`infections. HackAlert is a system to protect a computer from dynamically
`
`6
`
`

`
`generated malicious content. A computer attempts to access web content with
`that input sent to HackAlert, the content processor. If HackAlert determines the
`web content to be safe, the client computer is able to load the web content.
`“HackAlert focuses on special malware, such as 0-day exploits or exploits used in
`APT (Advanced Persistent Threat) attacks, that are undetectable by typical virus
`or malware scanners. This may include for example malicious binaries, document
`exploits (PDF, Word, Excel, PowerPoint, Flash), Java exploits, browser exploits,
`BHO (browser helper object) exploits, drive-by downloads, click-to downloads,
`etc.” http://www.armorize.com/index.php?link_id=hackalert.
`
`See also, http://blog.armorize.com/2010/12/hdd-plus-malware-spread-
`through.html showing Armorize Products decoding malvertising and drive-by
`download exploits on msn.com. In the example below, the banner contains
`obfuscated javascript code, which loads iframes that include exploits to cause
`drive-by downloads. Armorize’s HackAlert can use multiple behavioral and static
`analysis techniques coupled to detect potential malware and make a call to
`Armorize’s media reputation database. If the downloadable is safe, HackAlert
`will allow the file to be downloaded, otherwise it will prevent the file from being
`downloaded or it will make the file safe.
`http://www.armorize.com/index.php?link_id=SafeImpression.
`
`
`
`
`CodeSecure in combination with SmartWAF can provide real-time scanning of
`downloadables and acts as a firewall between the Internet and the client
`computer. If the content is determined to be safe, the content can go forward
`to the client computer. http://www.armorize.com/codesecure/features.html
`“Easily managed through a centralized web portal, CodeSecure™ provides
`automated appliance-free, compiler-independent code analysis. It traces tainted
`data flow through the target application, pinpoints vulnerable code and
`generates reports that provide prioritized remediation guidance for security
`flaws. These reports can be exported to Armorize SmartWAF™ application
`
`7
`
`

`
`firewall solution for real-time vulnerable entry point protection and mitigation,
`before issues are fixed.”
`
`SmartWAF is on a security computer between the client computer and the
`Internet. SmartWAF with CodeSecure receives downloadables and blocks
`potential malicious code from accessing the client computer.
`http://www.armorize.com/pdfs/resources/smartwaf.pdf.
`
`
`
`
`
`
`See also, https://hackalert.armorize.com/learnmore.php
`“HackAlert V3 is delivered as a cloud-based service. The service's globally
`distributed agents browse customer websites to detect active malware
`downloads and links to malicious sites.
`HackAlert V3 optimizes multiple analysis techniques to detect malware drive-by
`downloads targeting end-users before the website is flagged by search engines
`as malicious.
`HackAlert V3 delivers the following benefits:
`
`Protects clients and customers from malware injected websites, drive by
`downloads and malicious advertising (malvertising)
`
`Identifies malware before the website is flagged as malicious
`
`Displays injected code snippets to facilitate remediation
`
`Deploys as cloud-based SaaS or as a flexible API for enterprise
`integration
`
`Integrates with WAF or Web server modules for instant mitigation”
`
`To the extent that Armorize contends that it does not literally infringe this claim,
`Armorize infringes under the doctrine of equivalents. The above described
`functionality of Armorize is at most insubstantially different from the claimed
`functionality and performs the same function in the same way to achieve the
`same result. Once Finjan receives non-infringement positions, if any, Finjan may
`supplement its disclosure. In addition, Finjan may supplement its disclosure once
`it receives Armorize’s production of documents with relevant and non-public
`information, particularly related to its source code.
`
`8
`
`

`
`1c. a receiver for receiving an
`indicator from the security
`computer whether it is safe
`to invoke the second function
`with the input
`
`Armorize Products meet the recited claim language because they send
`information to a receiver for receiving an indicator from the security computer
`whether it is safe to invoke the second function with the input.
`
`By the way of example, and not limitation, Armorize Products meet the recited
`claim language because Armorize Products receive indicators of whether it is
`safe to invoke the second function with the input from the Armorize cloud
`infrastructure, such as Armorize’s cloud-based sandboxes and media reputation
`database. http://www.armorize.com/index.php?link_id=about (“By generating
`forensics information on-the-fly, HackAlert’s cloud-based sandboxing not only
`detects an advanced attack, but also provides an aggregated forensics report
`giving insight into the attack’s origin, intent, and behavior.”).
`
`This is demonstrated in Armorize’s public documents and at
`http://www.armorize.com/codesecure/index.php,
`http://www.armorize.com/index.php?link_id=product,
`http://www.armorize.com/index.php?link_id=hackalert, and
`http://www.armorize.com/pdfs/resources/smartwaf.pdf.
`
`Armorize HackAlert analyzes, detects, prevents, and mitigates against malware
`infections. HackAlert is a system to protect a computer from dynamically
`generated malicious content. A computer attempts to access web content with
`that input sent to HackAlert, the content processor. If HackAlert determines the
`web content to be safe, the client computer is able to load the web content.
`“HackAlert focuses on special malware, such as 0-day exploits or exploits used in
`APT (Advanced Persistent Threat) attacks, that are undetectable by typical virus
`or malware scanners. This may include for example malicious binaries, document
`exploits (PDF, Word, Excel, PowerPoint, Flash), Java exploits, browser exploits,
`BHO (browser helper object) exploits, drive-by downloads, click-to downloads,
`etc.” http://www.armorize.com/index.php?link_id=hackalert.
`
`See also, http://blog.armorize.com/2010/12/hdd-plus-malware-spread-
`through.html showing Armorize Products decoding malvertising and drive-by
`download exploits on msn.com. In the example below, the banner contains
`obfuscated javascript code, which loads iframes that include exploits to cause
`drive-by downloads. Armorize’s HackAlert can use multiple behavioral and static
`analysis techniques coupled to detect potential malware and make a call to
`Armorize’s media reputation database. If the downloadable is safe, HackAlert
`will allow the file to be downloaded, otherwise it will prevent the file from being
`downloaded or it will make the file safe.
`http://www.armorize.com/index.php?link_id=SafeImpression.
`
`9
`
`

`
`
`In another example, Armorize SafeImpression provides detail information about
`the type of malware. In the example below, the malware advertisement
`includes information about malicious behaviors detected and information about
`the source of the drive-by download.
`
`http://www.armorize.com/index.php?link_id=hackalert
`
`10
`
`
`
`
`
`

`
`
`CodeSecure in combination with SmartWAF can provide real-time scanning of
`downloadables and acts as a firewall between the Internet and the client
`computer. If the content is determined to be safe, the content can go forward
`to the client computer. http://www.armorize.com/codesecure/features.html
`“Easily managed through a centralized web portal, CodeSecure™ provides
`automated appliance-free, compiler-independent code analysis. It traces tainted
`data flow through the target application, pinpoints vulnerable code and
`generates reports that provide prioritized remediation guidance for security
`flaws. These reports can be exported to Armorize SmartWAF™ application
`firewall solution for real-time vulnerable entry point protection and mitigation,
`before issues are fixed.”
`
`CodeSecure can also indicate the type of malware vulnerabilities of the code
`such as cross site scripting, command injection, resource injection, XML/XPath
`injection, reflection injection, malicious file inclusion and SQL injection.
`http://www.armorize.com/pdfs/resources/codesecure.pdf.
`
`SmartWAF is on a security computer between the client computer and the
`Internet. SmartWAF with CodeSecure receives downloadables and blocks
`potential malicious code from accessing the client computer.
`http://www.armorize.com/pdfs/resources/smartwaf.pdf.
`
`
`
`
`
`See also, https://hackalert.armorize.com/learnmore.php
`“HackAlert V3 is delivered as a cloud-based service. The service's globally
`distributed agents browse customer websites to detect active malware
`downloads and links to malicious sites.
`HackAlert V3 optimizes multiple analysis techniques to detect malware drive-by
`downloads targeting end-users before the website is flagged by search engines
`as malicious.
`HackAlert V3 delivers the following benefits:
`
`Protects clients and customers from malware injected websites, drive by
`downloads and malicious advertising (malvertising)
`
`11
`
`

`
`Claim 2
`2. The system of claim 1
`wherein said content
`processor (i) suspends
`processing of the content
`after said transmitter
`transmits the input to the
`security computer, and (ii)
`resumes processing of the
`content after said receiver
`receives the indicator from
`the security computer.
`
`Identifies malware before the website is flagged as malicious
`
`Displays injected code snippets to facilitate remediation
`
`Deploys as cloud-based SaaS or as a flexible API for enterprise
`
`integration
`
`Integrates with WAF or Web server modules for instant mitigation”
`
`To the extent that Armorize contends that it does not literally infringe this claim,
`Armorize infringes under the doctrine of equivalents. The above described
`functionality of Armorize is at most insubstantially different from the claimed
`functionality and performs the same function in the same way to achieve the
`same result. Once Finjan receives non-infringement positions, if any, Finjan may
`supplement its disclosure. In addition, Finjan may supplement its disclosure once
`it receives Armorize’s production of documents with relevant and non-public
`information, particularly related to its source code.
`
`Armorize Products meet the recited claim language because they include a
`content processor that suspends processing of the content after said transmitter
`transmits the input to the security computer, and resumes processing of the
`content after said receiver receives the indicator from the security computer.
`
`By the way of example, and not limitation, Armorize Products meet the recited
`claim language because Armorize Products seek to protect a computer from
`dynamically generated malicious content. Armorize Products provide dynamic
`analysis of web content to prevent malicious content from reaching the end
`user. If the content is determined to be safe, the content will be delivered to the
`end user.
`
`This is demonstrated in Armorize’s public documents and at
`http://www.armorize.com/codesecure/index.php,
`http://www.armorize.com/index.php?link_id=product,
`http://www.armorize.com/index.php?link_id=hackalert, and
`http://www.armorize.com/pdfs/resources/smartwaf.pdf.
`
`Armorize HackAlert analyzes, detects, prevents, and mitigates against malware
`infections. HackAlert is a system to protect a computer from dynamically
`generated malicious content. A computer attempts to access web content with
`that input sent to HackAlert, the content processor. If HackAlert determines the
`web content to be safe, the client computer is able to load the web content.
`“HackAlert focuses on special malware, such as 0-day exploits or exploits used in
`APT (Advanced Persistent Threat) attacks, that are undetectable by typical virus
`or malware scanners. This may include for example malicious binaries, document
`exploits (PDF, Word, Excel, PowerPoint, Flash), Java exploits, browser exploits,
`BHO (browser helper object) exploits, drive-by downloads, click-to downloads,
`etc.” http://www.armorize.com/index.php?link_id=hackalert.
`
`See also, http://blog.armorize.com/2010/12/hdd-plus-malware-spread-
`through.html showing Armorize Products decoding malvertising and drive-by
`download exploits on msn.com. In the example below, the banner contains
`
`12
`
`

`
`obfuscated javascript code, which loads iframes that include exploits to cause
`drive-by downloads. Armorize’s HackAlert can use multiple behavioral and static
`analysis techniques coupled to detect potential malware and make a call to
`Armorize’s media reputation database. If the downloadable is safe, HackAlert
`will allow the file to be downloaded, otherwise it will prevent the file from being
`downloaded or it will make the file safe.
`http://www.armorize.com/index.php?link_id=SafeImpression.
`
`
`In another example, Armorize SafeImpression provides detail information about
`the type of malware. In the example below, the malware advertisement
`includes information about malicious behaviors detected and information about
`the source of the drive-by download.
`
`
`
`13
`
`

`
`Claim 3
`3. The system of claim 1
`wherein the input is
`dynamically generated by
`said content processor prior
`to being transmitted by said
`transmitter.
`
`
`
`http://www.armorize.com/index.php?link_id=hackalert
`
`To the extent that Armorize contends that it does not literally infringe this claim,
`Armorize infringes under the doctrine of equivalents. The above described
`functionality of Armorize is at most insubstantially different from the claimed
`functionality and performs the same function in the same way to achieve the
`same result. Once Finjan receives non-infringement positions, if any, Finjan may
`supplement its disclosure. In addition, Finjan may supplement its disclosure once
`it receives Armorize’s production of documents with relevant and non-public
`information, particularly related to its source code.
`
`Armorize Products meet the recited claim language because they provide a
`system wherein the input is dynamically generated by the content processor
`prior to being transmitted by the transmitter.
`
`By the way of example, and not limitation, Armorize Products meet the recited
`claim language because Armorize Products seek to protect a computer from
`dynamically generated malicious content. Armorize Products provide dynamic
`analysis of web content to prevent malicious content from reaching the end
`user. The input is dynamically is generated by the content processor using real-
`time detection and analysis of malicious content.
`
`This is demonstrated in Armorize’s public documents and at
`http://www.armorize.com/codesecure/index.php,
`
`14
`
`

`
`http://www.armorize.com/index.php?link_id=product,
`http://www.armorize.com/index.php?link_id=hackalert, and
`http://www.armorize.com/pdfs/resources/smartwaf.pdf.
`
`Armorize HackAlert analyzes, detects, prevents, and mitigates against malware
`infections. HackAlert is a system to protect a computer from dynamically
`generated malicious content. A computer attempts to access web content with
`that input sent to HackAlert, the content processor. If HackAlert determines the
`web content to be safe, the client computer is able to load the web content.
`“HackAlert focuses on special malware, such as 0-day exploits or exploits used in
`APT (Advanced Persistent Threat) attacks, that are undetectable by typical virus
`or malware scanners. This may include for example malicious binaries, document
`exploits (PDF, Word, Excel, PowerPoint, Flash), Java exploits, browser exploits,
`BHO (browser helper object) exploits, drive-by downloads, click-to downloads,
`etc.” http://www.armorize.com/index.php?link_id=hackalert.
`
`See also, http://blog.armorize.com/2010/12/hdd-plus-malware-spread-
`through.html showing Armorize Products decoding malvertising and drive-by
`download exploits on msn.com. In the example below, the banner contains
`obfuscated javascript code, which loads iframes that include exploits to cause
`drive-by downloads. Armorize’s HackAlert can use multiple behavioral and static
`analysis techniques coupled to detect potential malware and make a call to
`Armorize’s media reputation database. If the downloadable is safe, HackAlert
`will allow the file to be downloaded, otherwise it will prevent the file from being
`downloaded or it will make the file safe.
`http://www.armorize.com/index.php?link_id=SafeImpression.
`
`
`In another example, Armorize SafeImpression provides detail information about
`the type of malware. In the example below, the malware advertisement
`includes information about malicious behaviors detected and information about
`
`
`
`15
`
`

`
`the source of the drive-by download.
`
`
`
`http://www.armorize.com/index.php?link_id=hackalert
`
`CodeSecure in combination with SmartWAF can provide real-time scanning of
`downloadables and acts as a firewall between the Internet and the client
`computer. If the content is determined to be safe, the content can go forward
`to the client computer. http://www.armorize.com/codesecure/features.html
`“Easily managed through a centralized web portal, CodeSecure™ provides
`automated appliance-free, compiler-independent code analysis. It traces tainted
`data flow through the target application, pinpoints vulnerable code and
`generates reports that provide prioritized remediation guidance for security
`flaws. These reports can be exported to Armorize SmartWAF™ application
`firewall solution for real-time vulnerable entry point protection and mitigation,
`before issues are fixed.”
`
`CodeSecure can also indicate the type of malware vulnerabilities of the code
`such as cross site scripting, command injection, resource injection, XML/XPath
`injection, reflection injection, malicious file inclusion and SQL injection.
`http://www.armorize.com/pdfs/resources/codesecure.pdf.
`
`To the extent that Armorize contends that it does not literally infringe this claim,
`Armorize infringes under the doctrine of equivalents. The above described
`functionality of Armorize is at most insubstantially different from the claimed
`functionality and performs the same function in the same way to achieve the
`
`16
`
`

`
`Claim 4
`4a. A non-transitory
`computer-readable storage
`medium storing program
`code for causing a computing
`device to: process content
`received over a network, the
`content including a call to a
`first function, and the call
`including an input;
`
`
`same result. Once Finjan receives non-infringement positions, if any, Finjan may
`supplement its disclosure. In addition, Finjan may supplement its disclosure once
`it receives Armorize’s production of documents with relevant and non-public
`information, particularly related to its source code.
`
`Armorize Products meet the recited claim language because they include a non-
`transitory computer-readable storage medium storing program code for causing
`a computing device to process content received over a network with the content
`including a call to a first function and an input.
`
`By the way of example, and not limitation, Armorize Products meet the recited
`claim language because Armorize Products seek to protect a computer from
`dynamically generated malicious content. Armorize Products dynamically
`analyzes exploit kits, exploit code, obfuscated scripts within web content, to
`prevent delivery of a payload or dropper from another server to a client
`computer. Armorize Products use a cloud system to analyze the dynamic
`threats. For example, HackAlert uses a behavior-based scanning engine to send
`downloadable content to run in an isolated sandbox hosted at the Armorize
`datacenter to be analyzed for behavioral characteristics that indicate malware
`injections. If there is an active drive-by download, the download is analyzed and
`the behavior and remediation guidance is reported back to the end user.
`
`This is demonstrated in Armorize’s public documents and at
`http://www.armorize.com/codesecure/index.php,
`http://www.armorize.com/index.php?link_id=product,
`http://www.armorize.com/index.php?link_id=hackalert, and
`http://www.armorize.com/pdfs/resources/smartwaf.pdf.
`
`Armorize HackAlert analyzes, detects, prevents, and mitigates against malware
`infections. HackAlert is a system to protect a computer from dynamically
`generated malicious content. A computer attempts to access web content with
`that input sent to HackAlert, the content processor. If HackAlert determines the
`web content to be safe, the client computer is able to load the web content.
`“HackAlert focuses on special malware, such as 0-day exploits or exploits used in
`APT (Advanced Persistent Threat) attacks, that are undetectable by typical virus
`or malware scanners. This may include for example malicious binaries, document
`exploits (PDF, Word, Excel, PowerPoint, Flash), Java exploits, browser exploits,
`BHO (browser helper object) exploits, drive-by downloads, click-to downloads,
`etc.” http://www.armorize.com/index.php?link_id=hackalert.
`
`See also, http://blog.armorize.com/2010/12/hdd-plus-malware-spread-
`through.html showing Armorize Products decoding malvertising and drive-by
`download exploits on msn.com. In the example below, the banner contains
`obfuscated javascript code, which loads iframes that include exploits to cause
`drive-by downloads. Armorize’s HackAlert can use multiple behavioral and static
`analysis techniques coupled to detect potential malware and make a call to
`Armorize’s media reputation database. If the downloadable is safe, HackAlert
`will allow the file to be downloaded, otherwise it will prevent the file from being
`
`17
`
`

`
`downloaded or it will make the file safe.
`http://www.armorize.com/index.php?link_id=SafeImpression.
`
`
`
`
`
`18
`
`

`
`
`http://www.armorize.com/pdfs/resources/armorize-appsec-apt-malware-
`malvertising-source-code-analysis.pdf
`
`CodeSecure in combination with SmartWAF can provide real-time scanning of
`downloadables and acts as a firewall between the Internet and the client
`computer. If the content is determined to be safe, the content can go forward
`to the client computer. http://www.armorize.com/codesecure/features.html
`“Easily managed through a centralized web portal, CodeSecure™ provides
`automated appliance-free, compiler-independent code analysis. It traces tainted
`data flow through the target application, pinpoints vulnerable code and
`generates reports that provide prioritized remediation guidance for security
`flaws. These reports can be exported to Armorize SmartWAF™ application
`firewall solution for real-time vulnerable entry point protection and mitigation,
`before issues are fixed.”
`
`SmartWAF is on a security computer between the client computer and the
`
`19
`
`

`
`Internet. SmartWAF with CodeSecure receives downloadables and blocks
`potential malicious code from accessing the client computer.
`http://www.armorize.com/pdfs/resources/smartwaf.pdf.
`
`
`
`
`
`
`See also, https://hackalert.armorize.com/learnmore.php
`“HackAlert V3 is delivered as a cloud-based service. The service's globally
`distributed agents browse customer websites to detect active malware
`downloads and links to malicious sites.
`HackAlert V3 optimizes multiple analysis techniques to detect malware drive-by
`downloads targeting end-users before the website is flagged by search engines
`as malicious.
`HackAlert V3 delivers the following benefits:
`
`Protects clients and customers from malware injected websites, drive by
`downloads and malicious advertising (malvertising)
`
`Identifies malware before the website is flagged as malicious
`
`Displays injected code snippets to facilitate remediation
`
`Deploys as cloud-based SaaS or as a flexible API for enterprise
`integration
`
`Integrates with WAF or Web server modules for instant mitigation”
`
`Examples on an input include the below script code.
`
`20
`
`

`
`
`
`http://layer8tek.com/userfiles/pdf/armorize/hackalert.pdf.
`
`Another example of input include “http://3pigs.info/t/?58965b8f was injected as
`source for malicious file”:
`
`
`
`21
`
`

`
`See Scaling Web 2.0 Malware Infection by Wayne Huang.
`
`
`
`
`
`To the extent that Armori