(19) Europäisches Patentamt / European Patent Office / Office européen des brevets

(11) EP 3 360 071 B1

(12) EUROPEAN PATENT SPECIFICATION

(45) Date of publication and mention of the grant of the patent: 30.12.2020 Bulletin 2020/53

(51) Int Cl.: G06F 21/57 (2013.01); G06F 21/60 (2013.01); H04L 29/06 (2006.01); G06F 21/56 (2013.01)

(21) Application number: 16854157.1

(22) Date of filing: 04.10.2016

(86) International application number: PCT/US2016/055273

(87) International publication number: WO 2017/062338 (13.04.2017 Gazette 2017/15)

(54) METHOD AND SYSTEM FOR IDENTIFICATION OF SECURITY VULNERABILITIES

VERFAHREN UND SYSTEM ZUR ERKENNUNG VON SICHERHEITSSCHWACHSTELLEN

PROCEDE ET SYSTEME D'IDENTIFICATION DE VULNERABILITES DE SECURITE

(84) Designated Contracting States: AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30) Priority: 06.10.2015 US 201514876592

(43) Date of publication of application: 15.08.2018 Bulletin 2018/33

(73) Proprietor: Assured Enterprises, Inc., Reston, Virginia 20190 (US)

(72) Inventor: LI, David, Reston, Virginia 20190 (US)

(74) Representative: Barker Brettell LLP, 100 Hagley Road, Edgbaston, Birmingham B16 8QQ (GB)

(56) References cited:
WO-A2-2011/068967
US-A1- 2004 064 726
US-A1- 2008 244 691
US-A1- 2011 321 164
US-A1- 2012 222 123
US-A1- 2013 333 032
US-A1- 2014 123 279
US-B1- 7 845 007

Note: Within nine months of the publication of the mention of the grant of the European patent in the European Patent Bulletin, any person may give notice to the European Patent Office of opposition to that patent, in accordance with the Implementing Regulations. Notice of opposition shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).

Printed by Jouve, 75001 PARIS (FR)

WIZ, Inc. EXHIBIT - 1032
WIZ, Inc. v. Orca Security LTD. - IPR2024-00220

Description

TECHNICAL FIELD OF THE INVENTION

[0001] Embodiments of the present invention relate generally to security of electronic devices and systems and, more particularly, to identification of security vulnerabilities.

BACKGROUND

[0002] Computer systems may include many elements communicatively coupled to one another via a network. Networking and sharing of elements adds a level of complexity that is not present with a single element that stands alone. Network and system administrators may manage network elements using various software tools, which may include a graphical user interface.
[0003] Application code may run on computer systems. One application may have code running on various elements of a computer system. The application itself may be managed by network or system administrators using various software tools.
[0004] Malware may attack computer systems. Malware may include spyware, rootkits, password stealers, spam, sources of phishing attacks, sources of denial-of-service-attacks, viruses, loggers, Trojans, adware, or any other digital content that produces malicious activities. Furthermore, an application may be vulnerable to malware or other exploitative attacks.
[0005] Application WO2011068967 discloses a malware analysis method, performing code scans based on analyses of import tables to identify called application code functions/components.

SUMMARY

[0006] In one embodiment, a system for securing an electronic device includes a processor and a memory. The memory may be communicatively coupled to the processor and include instructions. The instructions, when loaded and executed by the processor, cause the processor to scan data including one or more application components to uniquely identify elements therein, determine from a given application component additional components to be accessed by the given application component, scan the additional components to uniquely identify elements therein, determine whether the additional components include any known vulnerabilities, associate one or more known vulnerabilities of the additional components with the given application component, and record the known vulnerabilities and the given application component. The given application component may be uniquely identified.
[0007] In another embodiment, a machine readable storage medium may include computer-executable instructions that are readable by a processor. The instructions, when read and executed, may be for causing the processor to scan data including one or more application components to uniquely identify elements therein, determine from a given application component additional components to be accessed by the given application component, scan the additional components to uniquely identify elements therein, determine whether the additional components include any known vulnerabilities, associate one or more known vulnerabilities of the additional components with the given application component, and record the known vulnerabilities and the given application component. The given application component may be uniquely identified.
[0008] In yet another embodiment, a method of securing an electronic device may include scanning data including application components to uniquely identify elements therein, determining from a given application component additional components to be accessed by the given application component, scanning the additional components to uniquely identify elements therein, determining whether the additional components include any known vulnerabilities, associating one or more known vulnerabilities of the additional components with the given application component, and recording the known vulnerabilities and the given application component. The given application component may be uniquely identified.
[0009] In one embodiment, a system may include a memory. The memory may be communicatively coupled to the processor and include instructions. The instructions, when loaded and executed by the processor, cause the processor to identify one or more application components uniquely identified and determine vulnerabilities associated with a given application component. The vulnerabilities may include vulnerabilities of additional components to be accessed by the given application component. The processor may be caused to adjust characterizations of the vulnerabilities associated with the given application component based upon contextual information from the system in which the given application component resides. The contextual information may include security information.
[0010] In another embodiment, a machine readable storage medium may include computer-executable instructions that are readable by a processor. The instructions, when read and executed, may be for causing the processor to identify one or more uniquely identified application components and determine vulnerabilities associated with a given application component. The vulnerabilities may include vulnerabilities of additional components to be accessed by the given application component. The processor may be caused to adjust characterizations of the vulnerabilities associated with the given application component based upon contextual information from the system in which the given application component resides. The contextual information may include security information.
[0011] In yet another embodiment, a method may include identifying one or more application components uniquely identified and determining vulnerabilities associated with a given application component. The vulnerabilities may include vulnerabilities of one or more additional components to be accessed by the given application component. The method may include adjusting characterizations of the vulnerabilities associated with the given application component based upon contextual information from the system in which the given application component resides. The contextual information may include security information.
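
The method of paragraphs [0008] and [0011] can be sketched as follows. This is an added example, not part of the patent specification and not the proprietor's implementation. The SHA-256 fingerprints, the component names and dependency lists, the `EXAMPLE-VULN-*` identifiers, the `exposure` context key and the one-step severity shift are all assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

SEVERITIES = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str
    via: str  # component in which the vulnerability actually resides


def fingerprint(data: bytes) -> str:
    """Uniquely identify a component by content (SHA-256 is this example's choice)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: name -> (file bytes, names of components it accesses).
COMPONENTS = {
    "app.jar": (b"app-main-v1", ["web-lib.jar", "log-lib.jar"]),
    "web-lib.jar": (b"web-lib-2.3", ["xml-lib.jar"]),
    "xml-lib.jar": (b"xml-lib-0.9", ["web-lib.jar"]),  # deliberate cycle
    "log-lib.jar": (b"log-lib-1.0", []),
    "tool.jar": (b"tool-v4", ["log-lib.jar", "absent-lib.jar"]),  # one dep not scanned
}

# Constructed vulnerability records keyed by fingerprint; identifiers are placeholders.
VULN_DB = {
    fingerprint(b"xml-lib-0.9"): [("EXAMPLE-VULN-0001", "high")],
    fingerprint(b"log-lib-1.0"): [("EXAMPLE-VULN-0002", "medium")],
}


def resolve_dependencies(name, components):
    """Return (resolved, missing) transitive dependencies of `name`, cycle-safe."""
    resolved, missing = set(), set()
    stack = list(components[name][1])
    while stack:
        dep = stack.pop()
        if dep == name or dep in resolved or dep in missing:
            continue
        if dep not in components:
            missing.add(dep)  # referenced but absent from the scanned data
            continue
        resolved.add(dep)
        stack.extend(components[dep][1])
    return resolved, missing


def scan(components, vuln_db):
    """Associate each component with its own and its dependencies' known vulnerabilities."""
    records = {}
    for name, (data, _deps) in components.items():
        resolved, missing = resolve_dependencies(name, components)
        findings = []
        for member in sorted({name} | resolved):
            member_fp = fingerprint(components[member][0])
            for vuln_id, severity in vuln_db.get(member_fp, []):
                findings.append(Finding(vuln_id, severity, member))
        records[name] = {
            "fingerprint": fingerprint(data),
            "findings": findings,
            "unresolved": sorted(missing),
        }
    return records


def adjust(findings, context):
    """Shift severity one step using a hypothetical 'exposure' field of the system context."""
    shift = {"internet": 1, "isolated": -1}.get(context.get("exposure"), 0)
    adjusted = []
    for f in findings:
        idx = SEVERITIES.index(f.severity) + shift
        idx = max(0, min(idx, len(SEVERITIES) - 1))  # clamp to the scale
        adjusted.append(Finding(f.vuln_id, SEVERITIES[idx], f.via))
    return adjusted


if __name__ == "__main__":
    for comp, rec in scan(COMPONENTS, VULN_DB).items():
        for f in adjust(rec["findings"], {"exposure": "isolated"}):
            print(comp, f.vuln_id, f.severity, "via", f.via)
        if rec["unresolved"]:
            print(comp, "unresolved dependencies:", rec["unresolved"])
```

The `unresolved` list matters in practice: a dependency that is referenced but missing from the scanned data cannot be fingerprinted, so its absence from the findings is not evidence that it is free of known vulnerabilities.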

BRIEF DESCRIPTION OF THE FIGURES

[0012] For a more complete understanding of the configurations of the present disclosure, needs satisfied thereby, and the objects, features, and advantages thereof, reference now is made to the following description taken in connection with the accompanying drawings.

FIGURE 1 is a block diagram of an example system for identifying security vulnerabilities, in accordance with the teachings of the present disclosure;
FIGURE 2 is an illustration of example operation and further configuration of the system for identifying security vulnerabilities, in accordance with the teachings of the present disclosure;
FIGURE 3 is an illustration of further example operation of the system for identifying security vulnerabilities, in accordance with the teachings of the present disclosure; and
FIGURE 4 is a flow chart of an example method for identifying security vulnerabilities, in accordance with the teachings of the present disclosure.

DETAILED DESCRIPTION

[0013] FIGURE 1 is an illustration of an example embodiment of a system 100 for identifying security vulnerabilities, in accordance with the teachings of the present disclosure. System 100 may include any suitable number and kind of elements. For example, system 100 may include one or more devices that can identify security vulnerabilities by scanning electronic devices, file systems, Java applications, .NET applications, or other sources of electronic data. Such scanning may be performed locally to the source of electronic data or remotely on another electronic device communicatively coupled through a network to the source of electronic data. For example, system 100 may include one or more agents 102 configured to scan sources of electronic data for vulnerabilities. In another example, system 100 may include a server 104 configured to coordinate scanning sources of electronic data for vulnerabilities. System 100 may include any suitable number and kind of source of electronic data, such as files or file system 114, that may be scanned for vulnerabilities. Although file system 114 is shown separate from any clients or servers, file system 114 may be resident on the same device as client 102 or server 104.
[0014] Server 104 may be configured to coordinate scanning of various sources of information by agents 102. Server 104 may be implemented in any suitable manner, including by one or more applications, scripts, libraries, modules, code, drivers, or other entities on an electronic device. These may include software or instructions resident on a memory 124 for execution by a processor 122. Although server 104 is illustrated in FIGURE 1 as including example elements, server 104 may include more or less elements. Moreover, the function of some elements of server 104 as discussed herein may be performed in various embodiments by other elements of server 104. Also, the function of some elements of server 104 as discussed herein may be performed in various embodiments by elements of client 102. For example, server 104 may include a communication application 120, security enterprise manager 126, update manager 134, scan scheduler 128, policy manager 130, or a central repository 132.
[0015] Client 102 may be configured to scan various sources of information such as file system 114. Client 102 may be implemented in any suitable manner, including by one or more applications, scripts, libraries, modules, code, drivers, or other entities on an electronic device. These may include software or instructions resident on a memory 118 for execution by a processor 116. Although client 102 is illustrated in FIGURE 1 as including example elements, client 102 may include more or less elements. Moreover, the function of some elements of client 102 as discussed herein may be performed in various embodiments by other elements of client 102. For example, client 102 may include a communication application 110, scan application 108, and local repository 112. Client 102 may communicate with server 104 through network 106.
[0016] Client 102 and server 104 may communicate with sources of information about vulnerability of software. Any suitable sources of information may be utilized by client 102 and server 104. For example, server 104 may communicate with one or more vulnerability databases 138, 140. Database 138 may be a publicly accessible vulnerability database, while database 140 may be a proprietary vulnerability database. Although a single such database 138, 140 is shown and described, multiple public or proprietary databases may be accessed. Database 138 may include the National Vulnerability Database (NVD). Database 138 may include a repository of standards-based vulnerability management data. The database may further include databases of security checklists, security related software flaws, misconfigurations, product names, product versions, exploitability metrics, impact metrics, temporal metrics, environmental metrics, and others. Server 104 may communicate with a system evaluation database 136, which may include information about the overall health of a system in which file system 114 (or other data under evaluation) resides. Each of these databases may be implemented in any suitable manner, such as by a relational database, navigational database, or other organization of data and data structures. Server 104 may integrate the contents from these databases to provide comprehensive coverage of known vulnerabilities.
[0017] Communication application 120 and communication application 110 may be configured to handle inbound and outbound communications to other entities for server 104 and client 102. For example, communication application 120 and communication application 110 may handle communications with file system 114, databases 138, 140, 126, and between server 104 and client 102. Communication application 120 and communication application 110 may be implemented by any suitable mechanism, such as an application, function, library, application programming interface, script, executable, code, software, or instructions. These may in turn be implemented by instructions resident in memory for execution by a processor that, when loaded into the processor, cause the functionality described in this disclosure to be performed.
[0018] Security enterprise manager 126 may be configured to organize scanning operations in system 100. Security enterprise manager 126 may determine, for example, what agents 102 need to scan their respective sources of data, how agents 102 will scan, how information will be reported from agents 102, what remedial action might be taken or recommended, when agents 102 will be updated, and other such configurations and operations of system 100. Security enterprise manager 126 may utilize a scan scheduler 128 to determine or dictate how often and under what conditions scans of data will be made and repeated. Furthermore, security enterprise manager 126 may utilize an update manager 134 to determine or dictate how often and under what conditions information to be used by scan application 108 will be updated. Update manager 134 may be configured to gather information from one or more sources about how to scan data, such as database 138, 140, 136. Update manager 134 may be configured to store relevant information to be used by agents 102 in central repository 132. Contents from central repository 132 may be selectively provided to agents 102 by update manager. Security enterprise manager 126 may utilize a policy manager 130 configured to analyze the overall health of a system under evaluation. Policy manager 130 may be configured to access information from, for example, system evaluation database 136. Security enterprise manager 126, update manager 134, scan scheduler 128, and policy manager 130 may be implemented by any suitable mechanism, such as an application, function, library, application programming interface, script, executable, code, software, or instructions. These may in turn be implemented by instructions resident in memory for execution by a processor that, when loaded into the processor, cause the functionality described in this disclosure to be performed.
[0019] Scan application 108 may be configured to scan data under evaluation in system 100. The data may be located on the same electronic device as scan application 108 or on an electronic device communicatively coupled to scan application 108. Scan application may analyze the data under evaluation to determine whether the data indicates any vulnerabilities to users of the data. Scan application may utilize a local repository 112 to hold rules, guidelines, settings, or other data collected by server 104. Local repository 112 may be implemented by any suitable manner of implementing databases or other data structures. Scan application 108 may be configured to scan data, such as those in file system 114, at any appropriate time. Scan application 108 may be implemented by any suitable mechanism, such as an application, function, library, application programming interface, script, executable, code, software, or instructions. These may in turn be implemented by instructions resident in memory for execution by a processor that, when loaded into the processor, cause the functionality described in this disclosure to be performed.
[0020] In operation, scan application 108 may search for holes, vulnerabilities, or other possible exploitations in software. Such software may include files in file system 114. Scan application may look for signatures of software binaries that are defined in local repository 112. Such signatures may be imported from original sources, such as databases 138, 140. Scan application 108 may search and scan software located on a given computer, desktop, smartphone, tablet, or other suitable electronic device. In some embodiments, scan application 108 may search and scan a defined installation image that is to be installed on multiple clients. Scan application 108 may identify files or subcomponents or files in file system 114 that have been identified as having a vulnerability. In some embodiments, such a file might not be malicious itself, but ma