PTO/SB/05 (09-04)
`Approved for use through 07/31/2006. OMB 0651-0032
`U.S. Patent and Trademark Office. U.S. DEPARTMENT OF COMMERCE
`Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.
`
`UTILITY
`PATENT APPLICATION
`TRANSMITTAL
(Only for new nonprovisional applications under 37 C.F.R. 1.53(b))
`
`Attorney Docket No.
`
`43426.00069
`
`First Inventor
`
`Yigal EDERY
`
`
`Title
`
`MALICIOUS MOBILE CODE RUNTIME MONITORING
`SYSTEM AND METHODS
`
`Express Mail Label No:
`
`EV 661 243 784 US
`
`APPLICATION ELEMENTS
`See MPEP chapter 600 concerning utility patent application contents.
`
`ADDRESS TO:
`
`Commissioner for Patents
`P.O. Box 1450
Alexandria VA 22313-1450
`
`1.[81 Fee Transmittal Form (e.g., PTO/SB/17)
`(Submit an original and a duplicate for fee processing)
`2. 0 Applicant claims small entity status.
`See 37 CFR 1.27.
`[Total Pages ~ I
`3. [81 Specification
`Both the claims and abstract must start on a new page
`(For Information on the preferred arrangement, see MPEP 608.01(a))
`4. [gl Drawing(s) (35 U.S. C. 113)
`[Total Sheets 1Q
`
`I
`
`I
`
`5. Oath or Declaration
`[Total Sheets §
`a. 0 Newly executed (original or copy)
`b.
`[81 Copy from a prior application (37 CFR 1.63 (d))
`(for a continuation/divisional with Box 18 completed)
`i. 0 DELETION OF INVENTOR{S}
`Signed statement attached deleting inventor(s)
`named in the prior application, see 37 CFR
`1 .63(d)(2) and 1.33(b).
`6.0 Application Data Sheet. See 37 CFR 1.76
`
`7.0 CD-ROM or CD·R in duplicate, large table or
`Computer Program (Appendix)
`0 Landscape Table on CD
`
`ACCOMPANYING APPLICATIONS PARTS
`
`9.0
`
`Assignment Papers (cover sheet & document(s)
`Name of Assignee
`
`10.0 37 C.F.R. 3.73(b) Statement 0 Power of Attorney
`(when there is an assignee)
`11.0 English Translation Document (if applicable)
`
`12.0
`
`Information Disclosure Statement (PTOISB/08 or PT0-1449)
`0 Copies of citations attached
`
`13. [81
`
`Preliminary Response
`
`14. [81 Return Receipt Postcard (MPEP 503)
`(Should be specifically itemized)
`
`15.0 Certified Copy of Priority Document(s)
`(if foreign priority is claimed)
`
`16.0 Nonpublication Request under 35 U.S.C. 122(b)(2)(B)(i).
`Applicant must attach form PTO/SB/35 or its equivalent.
`17.0 Other: General Authorization to Petition for Extensions of Time
`
`8. Nucleotide and/or Amino Acid Sequence Submission
`(if applicable, items a.-c. are required)
`a. 0 Computer Readable Form (CRF)
`b.
`Specification Sequence Listing on:
`i. 0 CD-ROM or CD-R (2 copies); or
`ii. 0 Paper
`c. 0 Statements verifying identity of above copies
`18. If a CONTINUING APPLICATION, check appropriate box, and supply the requisite information below and in the first sentence of the
`specification following the title, or in an Application Data Sheet under 37 CFR 1. 76:
`0 Divisional
`0 Continuation-in-part (CIP)
`1:81 Continuation
Examiner Christopher A. Revak
`Prior application information:
`
`of prior application No: 09/861 229
`Art Unit: 2131
`
`1:81 Customer Number
`
`130256
`
`I OR 0
`
`Correspondence address below
`
`19. CORRESPONDENCE ADDRESS
`
`Name
`
`Address
`
`City
`
`Country
`
`Signature
`
`Name (Print/Type)
`
`I State I
`I Telephone
`
`Marc A. Sockol
`
`Zip Code
`
`Fax
`
`I Date
`
`June 22, 2005
`
`Registration No.
`(Attorney/Agent)
`
40,823
`
This collection of information is required by 37 CFR 1.53(b). The information is required to obtain or retain a benefit by the public which is to file (and by the USPTO to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.11 and 1.14. This collection is estimated to take 12 minutes to complete, including gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments on the amount of time you require to complete this form and/or suggestions for reducing this burden, should be sent to the Chief Information Officer, U.S. Patent and Trademark Office, U.S. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. SEND TO: Mail Stop Patent Application, Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.
If you need assistance in completing the form, call 1-800-PTO-9199 and select option 2.
`
`0001
`
`Blue Coat Systems - Exhibit 1030
`
`

`
`PTO/SB/17 (12-04v2)
`Approved for use through 07/31/2006. OMB 0651-0032
`U.S. Patent and Trademark Office: U.S. DEPARTMENT OF COMMERCE
`Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.
`
Effective on 12/08/2004.
Fees pursuant to the Consolidated Appropriations Act, 2005 (H.R. 4818).
`
`FEE TRANSMITTAL
`for FY 2005
`0 Applicant claims small entity status. See 37 CFR 1.27
`
`\..TOTAL AMOUNT OF PAYMENT
`
`($) 3,720
`
`Complete If Known
`
`Application Number
`
`Not Yet Assigned
`
`Filing Date
`
`June 22, 2005
`
`First Named Inventor Yigal EDERY
`Not Yet Assigned
`Examiner Name
`Not Yet Assigned
`Art Unit
`43426.00069
`Attorney Docket No.
`
`
`METHOD OF PAYMENT (check all that apply)
`D Check 0 Credit Card 0 Money Order 0 None D Other (please identify) :
`l8J Deposit Account Deposit Account Number: 05-0150
`Deposit Account Name: Squire, Sanders & Dempsey, L.L.P.
`For the above-identified deposit account, the Director is hereby authorized to: (check all that apply)
`0 Charge fee(s) indicated below, except for the filing fee
`~ Charge fee(s) indicated below
`~ Charge any additional fee(s) or underpayments of fee(s) ~ Credit any overpayments
`Under 37 CFR 1.16 and 1.17
`WARNING: Information on this form may become public. Credit card information should not be included on this form. Provide credit card
`information and authorization on PT0-2038.
`FEE CALCULATION
`
`1. BASIC FILING, SEARCH, AND EXAMINATION FEES
`FILING FEES
`SEARCH FEES
`Small Entitll
`Small Entitll
`Fee($)
`Fee($)
`150
`250
`100
`50
`!50
`100
`250
`!50
`100
`0
`
`Fee($)
`500
`100
`300
`500
`0
`
`Fee Paid {il
`1.120
`
`Fee Paid {il
`1.600
`
`Fees Paid {il
`I 000
`--
`- -
`- -
`- -
`Small Entitll
`lliJ.ll
`lliJ.ll
`25
`50
`100
`200
`180
`360
`Multiele Deeendent Claims
`Fee Paid {il
`lliJ.ll
`---
`- - -
`
`EXAMINATION FEES
`Small Entitll
`Fee($)
`100
`65
`80
`300
`0
`
`Fee($)
`200
`130
`160
`600
`0
`
`lliJ.ll
`Aeelication TJtee
`300
`Utility
`200
`Design
`Plant
`200
`Reissue
`300
`Provisional
`200
`2. EXCESS CLAIM FEES
`Fee Descrietion
`Each claim over 20 (including Reissues)
`Each independent claim over 3 (including Reissues)
`Multiple dependent claims
`Fee{$}
`Total Claims
`Extra Claims
`50
`76
`-20 or HP=
`56
`X
`HP = highest number of total claims paid for, if greater than 20.
`Fee{$)
`lndee. Claims
`Extra Claims
`-3 or HP=
`11
`ft
`200
`=
`X
`HP = highest number of independent claims paid for, if greater than 3.
`3. APPLICATION SIZE FEE
`If the specification and drawings exceed 100 sheets of paper (excluding electronically filed sequence or computer
`listings under 37 CFR !.52( e)), the application size fee due is $250 ($125 for small entity) for each additional 50
`sheets or fraction thereof. See 35 U.S.C. 41(a)(I)(G) and 37 CFR 1.16(s).
`Number of each additional 50 or fraction thereof
`Total Sheets Extra Sheets
`- 100 = Q /50=
`Q (round up to a whole number)
`35
`X
`4. OTHER FEE(S)
`Non-English Specification, $130 fee (no small entity discount)
`Other (e.g., late filing surcharge):
`
`lliJ.ll Fee Paid {il
`Q
`0
`=
`Fees Paid {il
`- -
`- -
`
SUBMITTED BY

Signature

Name (Print/Type)

Marc A. Sockol

Registration No. (Attorney/Agent)

40,823
`
`Telephone
`
`(650) 656-6500
`
`Date
`
`June 22. 2005
`
This collection of information is required by 37 CFR 1.136. The information is required to obtain or retain a benefit by the public which is to file (and by the USPTO to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.14. This collection is estimated to take 30 minutes to complete, including gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments on the amount of time you require to complete this form and/or suggestions for reducing this burden, should be sent to the Chief Information Officer, U.S. Patent and Trademark Office, U.S. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. SEND TO: Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.
If you need assistance in completing this form, call 1-800-PTO-9199 (1-800-786-9199) and select option 2.
`
`

`
`
`Express Mail Label No. EV 661 243 784 US
`
`Attorney Docket No.: 43426.00069
`
`IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
`
In Re Application Of: Yigal EDERY et al.

Examiner: Not Yet Assigned

Art Unit: Not Yet Assigned

Serial No: Not Yet Assigned

Filed: June 22, 2005

For: MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS
`
`Commissioner of Patents
`P.O. Box 1450
`Alexandria, VA 22313-1450
`
`GENERAL AUTHORIZATION TO PETITION FOR EXTENSIONS OF TIME
`
`Dear Sir:
`
With reference to the subject application, and pursuant to 37 C.F.R. § 1.136, Applicants hereby authorize and request the Commissioner to treat any correspondence requiring a petition for extension of time as containing such a request therefor for the appropriate length of time. This general authorization is effective during the pendency of this application, including any division or continuing application therefrom.

Where no check is received by the Commissioner, you are hereby authorized to charge payment of the requisite petition fees, or charge any additional fee required under 37 C.F.R. § 1.17, or credit any overpayment of same, to Deposit Account No. 05-0150.
`
`Date: June 22, 2005
`
`Respectfully submitted,
`
`By:
`
`
`Marc A. Sockol
`Attorney for Applicant(s)
`Reg. No. 40,823
`
`Squire, Sanders & Dempsey L.L.P.
`600 Hansen Way
`Palo Alto, CA 94304-1043
`Telephone: (650) 856-6500
`Facsimile: (650) 843-8777
`
`
`

`
`ATTORNEY DOCKET 43426.00069
`
`APPLICATION FOR
`
`UNITED STATES PATENT
`
`IN THE NAME OF
`
`Yigal Edery, Nimrod Vered, David Kroll and Shlomo Touboul
`
`OF
`
FINJAN SOFTWARE, LTD.
`
`MALICIOUS MOBILE CODE RUNTIME MONITORING
`
`SYSTEM AND METHODS
`
`DOCKET NO. 43426.00069
`
`Please direct communications to:
`
`Intellectual Property Department
`
`Squire, Sanders & Dempsey L.L.P.
`
`600 Hansen Way
`
`Palo Alto, CA 94304-1043
`
`(650) 856-6500
`
`Express Mail Number EL 661 243 784 US
`
`
`

`
`MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS
`
`ATTORNEY DOCKET 43426.00069
`
`PRIORITY REFERENCE TO RELATED APPLICATIONS
`
This application is a continuation of and incorporates by reference patent application serial number 09/861,229, which claims benefit of reference provisional application serial number 60/205,591 entitled "Computer Network Malicious Code Run-time Monitoring," filed on May 17, 2000 by inventors Nimrod Itzak Vered, et al. This application also incorporates by reference the provisional application serial number 60/205,591. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application serial number 09/539,667, now U.S. Patent No. 6,804,780, entitled "System and Method for Protecting a Computer and a Network from Hostile Downloadables" filed on March 30, 2000 by inventor Shlomo Touboul. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application serial number 09/551,302, now U.S. Patent No. 6,480,962, entitled "System and Method for Protecting a Client During Runtime From Hostile Downloadables", filed on April 18, 2000 by inventor Shlomo Touboul.
`
`BACKGROUND OF THE INVENTION
`
Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and methods for protecting network-connectable devices from undesirable downloadable operation.
`
Description of the Background Art

Advances in networking technology continue to impact an increasing number and diversity of users. The Internet, for example, already provides to expert, intermediate and even novice users the informational, product and service resources of over 100,000 interconnected networks owned by governments, universities, nonprofit groups, companies, etc. Unfortunately, particularly the Internet and other public networks have also become a major source of potentially system-fatal or otherwise damaging computer code commonly referred to as "viruses."
`
Efforts to forestall viruses from attacking networked computers have thus far met with only limited success at best. Typically, a virus protection program designed to identify and remove or protect against the initiating of known viruses is installed on a network firewall or individually networked computer. The program is then inevitably surmounted by some new virus that often causes damage to one or more computers. The damage is then assessed and, if isolated, the new virus is analyzed. A corresponding new virus protection program (or update thereof) is then developed and installed to combat the new virus, and the new program operates successfully until yet another new virus appears - and so on. Of course, damage has already typically been incurred.
`
To make matters worse, certain classes of viruses are not well recognized or understood, let alone protected against. It is observed by this inventor, for example, that Downloadable information comprising program code can include distributable components (e.g. Java™ applets and JavaScript scripts, ActiveX™ controls, Visual Basic, add-ins and/or others). It can also include, for example, application programs, Trojan horses, multiple compressed programs such as zip or meta files, among others. U.S. Patent 5,983,348 to Shuang, however, teaches a protection system for protecting against only distributable components including "Java applets or ActiveX controls", and further does so using resource intensive and high bandwidth static Downloadable content and operational analysis, and modification of the Downloadable component; Shuang further fails to detect or protect against additional program code included within a tested Downloadable. U.S. Patent 5,974,549 to Golan teaches a protection system that further focuses only on protecting against ActiveX controls and not other distributable components, let alone other Downloadable types. U.S. patent 6,167,520 to Touboul enables more accurate protection than Shuang or Golan, but lacks the greater flexibility and efficiency taught herein, as do Shuang and Golan.
`
Accordingly, there remains a need for efficient, accurate and flexible protection of computers and other network connectable devices from malicious Downloadables.
`
`SUMMARY OF THE INVENTION
`
The present invention provides protection systems and methods capable of protecting a personal computer ("PC") or other persistently or even intermittently network accessible devices or processes from harmful, undesirable, suspicious or other "malicious" operations that might otherwise be effectuated by remotely operable code. While enabling the capabilities of prior systems, the present invention is not nearly so limited, resource intensive or inflexible, and yet enables more reliable protection. For example, remotely operable code that is protectable against can include downloadable application programs, Trojan horses and program code groupings, as well as software "components", such as Java™ applets, ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among others. Protection can also be provided in a distributed interactively, automatically or mixed configurable manner using protected client, server or other parameters, redirection, local/remote logging, etc., and other server/client based protection measures can also be separately and/or interoperably utilized, among other examples.
`
In one aspect, embodiments of the invention provide for determining, within one or more network "servers" (e.g. firewalls, resources, gateways, email relays or other devices/processes that are capable of receiving-and-transferring a Downloadable) whether received information includes executable code (and is a "Downloadable"). Embodiments also provide for delivering static, configurable and/or extensible remotely operable protection policies to a Downloadable-destination, more typically as a sandboxed package including the mobile protection code, downloadable policies and one or more received Downloadables. Further client-based or remote protection code/policies can also be utilized in a distributed manner. Embodiments also provide for causing the mobile protection code to be executed within a Downloadable-destination in a manner that enables various Downloadable operations to be detected, intercepted or further responded to via protection operations. Additional server/information-destination device security or other protection is also enabled, among still further aspects.
`
A protection engine according to an embodiment of the invention is operable within one or more network servers, firewalls or other network connectable information re-communicating devices (as are referred to herein summarily one or more "servers" or "re-communicators"). The protection engine includes an information monitor for monitoring information received by the server, and a code detection engine for determining whether the received information includes executable code. The protection engine also includes a packaging engine for causing a sandboxed package, typically including mobile protection code and downloadable protection policies to be sent to a Downloadable-destination in conjunction with the received information, if the received information is determined to be a Downloadable.
`
A sandboxed package according to an embodiment of the invention is receivable by and operable with a remote Downloadable-destination. The sandboxed package includes mobile protection code ("MPC") for causing one or more predetermined malicious operations or operation combinations of a Downloadable to be monitored or otherwise intercepted. The sandboxed package also includes protection policies (operable alone or in conjunction with further Downloadable-destination stored or received policies/MPCs) for causing one or more predetermined operations to be performed if one or more undesirable operations of the Downloadable is/are intercepted. The sandboxed package can also include a corresponding Downloadable and can provide for initiating the Downloadable in a protective "sandbox". The MPC/policies can further include a communicator for enabling further MPC/policy information or "modules" to be utilized and/or for event logging or other purposes.
`
A sandbox protection system according to an embodiment of the invention comprises an installer for enabling a received MPC to be executed within a Downloadable-destination (device/process) and further causing a Downloadable application program, distributable component or other received downloadable code to be received and installed within the Downloadable-destination. The protection system also includes a diverter for monitoring one or more operation attempts of the Downloadable, an operation analyzer for determining one or more responses to the attempts, and a security enforcer for effectuating responses to the monitored operations. The protection system can further include one or more security policies according to which one or more protection system elements are operable automatically (e.g. programmatically) or in conjunction with user intervention (e.g. as enabled by the security enforcer). The security policies can also be configurable/extensible in accordance with further downloadable and/or Downloadable-destination information.
`
A method according to an embodiment of the invention includes receiving downloadable information, determining whether the downloadable information includes executable code, and causing a mobile protection code and security policies to be communicated to a network client in conjunction with security policies and the downloadable information if the downloadable information is determined to include executable code. The determining can further provide multiple tests for detecting, alone or together, whether the downloadable information includes executable code.
`
A further method according to an embodiment of the invention includes forming a sandboxed package that includes mobile protection code ("MPC"), protection policies, and a received, detected-Downloadable, and causing the sandboxed package to be communicated to and installed by a receiving device or process ("user device") for responding to one or more malicious operation attempts by the detected-Downloadable from within the user device. The MPC/policies can further include a base "module" and a "communicator" for enabling further up/downloading of one or more further "modules" or other information (e.g. events, user/user device information, etc.).
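
An added sketch, not code from the application, of the two server-side methods summarized above: several tests decide whether received information contains executable code, including code nested inside archives, and a detected Downloadable is forwarded inside a sandboxed package together with protection code and policies. The signature tests, nesting limits, policy names and package layout are assumptions, since this excerpt does not specify them.

```python
import io
import zipfile
import zlib

# Assumed tests: the excerpt says "multiple tests" without listing them.
MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"\xca\xfe\xba\xbe": "Java class file",
}
MARKUP_MARKERS = (b"<script", b"<applet", b"<object")
MAX_DEPTH = 3                # assumed bound on archive nesting
MAX_MEMBER_BYTES = 1 << 20   # assumed bound on a single unpacked member


def detect_executable(data: bytes, name: str = "payload", depth: int = 0) -> list:
    """Apply every test; return one finding per hit (empty list: nothing detected)."""
    findings = []
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            findings.append(f"{name}: {label}")
    head = data[:65536].lower()
    for marker in MARKUP_MARKERS:
        if marker in head:
            findings.append(f"{name}: markup-embedded code {marker.decode()}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings += _scan_archive(data, name, depth)
    return findings


def _scan_archive(data: bytes, name: str, depth: int) -> list:
    """Recurse into archive members; anything that cannot be inspected fails closed."""
    if depth >= MAX_DEPTH:
        return [f"{name}: nesting limit reached, treated as executable"]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{member}: oversized, treated as executable")
                    continue
                try:
                    body = archive.read(info)
                except (RuntimeError, NotImplementedError,
                        zipfile.BadZipFile, zlib.error):
                    # Encrypted, corrupt or unsupported members cannot be tested.
                    findings.append(f"{member}: unreadable, treated as executable")
                    continue
                findings += detect_executable(body, member, depth + 1)
    except zipfile.BadZipFile:
        findings.append(f"{name}: malformed archive, treated as executable")
    return findings


def gateway(data: bytes, policies: dict) -> dict:
    """Forward inert information unchanged; wrap a detected Downloadable."""
    findings = detect_executable(data)
    if not findings:
        return {"action": "forward", "body": data}
    package = {
        "mpc": "MPC_BASE_MODULE_PLACEHOLDER",  # stands in for the mobile protection code
        "policies": policies,
        "downloadable": data,                  # delivered unmodified
        "findings": findings,
    }
    return {"action": "forward-sandboxed", "body": package}


def make_nested_sample() -> bytes:
    """Constructed sample: a PE-style stub inside a zip inside a zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.bin", b"MZ\x90\x00" + b"\x00" * 16)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"quarterly figures attached")
        z.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


SAMPLE_POLICIES = {"file-write": "block", "network-connect": "log"}  # hypothetical

if __name__ == "__main__":
    samples = [("text", b"plain meeting notes"), ("nested zip", make_nested_sample())]
    for label, blob in samples:
        result = gateway(blob, SAMPLE_POLICIES)
        print(label, "->", result["action"])
        if result["action"] == "forward-sandboxed":
            print("   ", result["body"]["findings"])
```

The nested sample is flagged only because the archive test recurses; the outer file on its own looks like an ordinary zip of documents.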
`
Another method according to an embodiment of the invention includes installing, within a user device, received mobile protection code ("MPC") and protection policies in conjunction with the user device receiving a downloadable application program, component or other Downloadable(s). The method also includes determining, by the MPC, a resource access attempt by the Downloadable, and initiating, by the MPC, one or more predetermined operations corresponding to the attempt. (Predetermined operations can, for example, comprise initiating user, administrator, client, network or protection system determinable operations, including but not limited to modifying the Downloadable operation, extricating the Downloadable, notifying a user/another, maintaining a local/remote log, causing one or more MPCs/policies to be downloaded, etc.)
`
Advantageously, systems and methods according to embodiments of the invention enable potentially damaging, undesirable or otherwise malicious operations by even unknown mobile code to be detected, prevented, modified and/or otherwise protected against without modifying the mobile code. Such protection is further enabled in a manner that is capable of minimizing server and client resource requirements, does not require pre-installation of security code within a Downloadable-destination, and provides for client specific or generic and readily updateable security measures to be flexibly and efficiently implemented. Embodiments further provide for thwarting efforts to bypass security measures (e.g. by "hiding" undesirable operation causing information within apparently inert or otherwise "friendly" downloadable information) and/or dividing or combining security measures for even greater flexibility and/or efficiency.
`
Embodiments also provide for determining protection policies that can be downloaded and/or ascertained from other security information (e.g. browser settings, administrative policies, user input, uploaded information, etc.). Different actions in response to different Downloadable operations, clients, users and/or other criteria are also enabled, and embodiments provide for implementing other security measures, such as verifying a downloadable source, certification, authentication, etc. Appropriate action can also be accomplished automatically (e.g. programmatically) and/or in conjunction with alerting one or more users/administrators, utilizing user input, etc. Embodiments further enable desirable Downloadable operations to remain substantially unaffected, among other aspects.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
FIG. 1a is a block diagram illustrating a network system in accordance with an embodiment of the present invention;

FIG. 1b is a block diagram illustrating a network subsystem example in accordance with an embodiment of the invention;

FIG. 1c is a block diagram illustrating a further network subsystem example in accordance with an embodiment of the invention;

FIG. 2 is a block diagram illustrating a computer system in accordance with an embodiment of the invention;

FIG. 3 is a flow diagram broadly illustrating a protection system host according to an embodiment of the invention;

FIG. 4 is a block diagram illustrating a protection engine according to an embodiment of the invention;

FIG. 5 is a block diagram illustrating a content inspection engine according to an embodiment of the invention;

FIG. 6a is a block diagram illustrating protection engine parameters according to an embodiment of the invention;

FIG. 6b is a flow diagram illustrating a linking engine use in conjunction with ordinary, compressed and distributable sandbox package utilization, according to an embodiment of the invention;

FIG. 7a is a flow diagram illustrating a sandbox protection system operating within a destination system, according to an embodiment of the invention;

FIG. 7b is a block diagram illustrating memory allocation usable in conjunction with the protection system of FIG. 7a, according to an embodiment of the invention;

FIG. 7c is a block diagram illustrating a mobile protection code according to an embodiment of the invention;

FIG. 8 is a flowchart illustrating a method for examining a Downloadable in accordance with the present invention;

FIG. 9 is a flowchart illustrating a server based protection method according to an embodiment of the invention;

FIG. 10a is a flowchart illustrating a method for determining if a potential-Downloadable includes or is likely to include executable code, according to an embodiment of the invention;

FIG. 10b is a flowchart illustrating a method for forming a protection agent, according to an embodiment of the invention;

FIG. 11 is a flowchart illustrating a method for protecting a Downloadable destination according to an embodiment of the invention;

FIG. 12a is a flowchart illustrating a method for forming a Downloadable access interceptor according to an embodiment of the invention; and

FIG. 12b is a flowchart illustrating a method for implementing mobile protection policies according to an embodiment of the invention.
`
`DETAILED DESCRIPTION
`
In providing malicious mobile code runtime monitoring systems and methods, embodiments of the invention enable actually or potentially undesirable operations of even unknown malicious code to be efficiently and flexibly avoided. Embodiments provide, within one or more "servers" (e.g. firewalls, resources, gateways, email relays or other information re-communicating devices), for receiving downloadable-information and detecting whether the downloadable-information includes one or more instances of executable code (e.g. as with a Trojan horse, zip/meta file etc.). Embodiments also provide for separately or interoperably conducting additional security measures within the server, within a Downloadable-destination of a detected-Downloadable, or both.
`
Embodiments further provide for causing mobile protection code ("MPC") and downloadable protection policies to be communicated to, installed and executed within one or more received information destinations in conjunction with a detected-Downloadable. Embodiments also provide, within an information-destination, for detecting malicious operations of the detected-Downloadable and causing responses thereto in accordance with the protection policies (which can correspond to one or more user, Downloadable, source, destination, or other parameters), or further downloaded or downloadable-destination based policies (which can also be configurable or extensible). (Note that the term "or", as used herein, is generally intended to mean "and/or" unless otherwise indicated.)
`
FIGS. 1a through 1c illustrate a computer network system 100 according to an embodiment of the invention. FIG. 1a broadly illustrates system 100, while FIGS. 1b and 1c illustrate exemplary protectable subsystem implementations corresponding with system 104 or 106 of FIG. 1a.
`
Beginning with FIG. 1a, computer network system 100 includes an external computer network 101, such as a Wide Area Network or "WAN" (e.g. the Internet), which is coupled to one or more network resource servers (summarily depicted as resource server-1 102 and resource server-N 103). Where external network 101 includes the Internet, resource servers 1-N (102, 103) might provide one or more resources including web pages, streaming media, transaction-facilitating information, program updates or other downloadable information, summarily depicted as resources 121, 131 and 132. Such information can also include more traditionally viewed "Downloadables" or "mobile code" (i.e. distributable components), as well as downloadable application programs or other further Downloadables, such as those that are discussed herein. (It will be appreciated that interconnected networks can also provide various other resources as well.)
`
Also coupled via external network 101 are subsystems 104-106. Subsystems 104-106 can, for example, include one or more servers, personal computers ("PCs"), smart appliances, personal information managers or other devices/processes that are at least temporarily or otherwise intermittently directly or indirectly connectable in a wired or wireless manner to external network 101 (e.g. using a dialup, DSL, cable modem, cellular connection, IR/RF, or various other suitable current or future connection alternatives). One or more of subsystems 104-106 might further operate as user devices that are connectable to external network 101 via an internet service provider ("ISP") or local area network ("LAN"), such as a corporate intranet, or home, portable device or smart appliance network, among other examples.
`
FIG. 1a also broadly illustrates how embodiments of the invention are capable of selectively, modifiably or extensibly providing protection to one or more determinable ones of networked subsystems 104-106 or elements thereof (not shown) against potentially harmful or other undesirable ("malicious") effects in conjunction with receiving downloadable information. "Protected" subsystem 104, for example, utilizes a protection in accordance with the teachings herein, while "unprotected" subsystem-N 105 employs no protection, and protected subsystem-M 106 might employ one or more protections including those according to the teachings herein, other protection, or some combination.
`
System 100 implementations are also capable of providing protection to redundant elements 107 of one or more of subsystems 104-106 that might be utilized, such as backups, failsafe elements, redundant networks, etc. Where included, such redundant elements are also similarly protectable in a separate, combined or coordinated manner using embodiments of the present invention either alone or in conjunction with other protection mechanisms. In such cases, protection can be similarly provided singly, as a composite of component operations or in a backup fashion. Care should, however, be exercised to avoid potential repeated protection engine execution corresponding to a single Downloadable; such "chaining" can cause a Downloadable to operate incorrectly or not at
