System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages
Abstract
In the prior art of computer security by default programs are allowed to do whatever they like to other programs or to their data files or to critical files of the operating system, which is as absurd as letting a guest in a hotel bother other guests as he pleases, steal their property or copy it or destroy it, or have free access to the hotel's management resources. The present concept is based on automatic segregation between programs. This is preferably done by creating automatically an unlimited number of Virtual Environments (VEs) with virtual sharing of resources, so that the programs in each VE think that they are alone on the computer, and (unless explicitly allowed by the user) any changes that they think they made in virtually shared resources are in reality only made in their own VE, while the user preferably has an integrated view of the computer.
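The virtual sharing described in the abstract, modelled as an added example (not code from the patent or from any product): each VE writes into its own copy-on-write layer over a shared base, the user sees a merged view, and a change reaches the shared layer only through an explicit approval step. The class, the function names and the sample paths are hypothetical.

```python
# Added illustration, not from the patent. Toy in-memory model of per-VE
# copy-on-write over a shared base layer; every name here is hypothetical.
_DELETED = object()  # whiteout: this VE deleted a shared file

class VirtualEnvironment:
    def __init__(self, name, base):
        self.name = name
        self._base = base    # shared resources; a VE never writes here
        self._private = {}   # this VE's copy-on-write layer

    def read(self, path):
        data = self._private.get(path, self._base.get(path))
        if data is None or data is _DELETED:
            raise FileNotFoundError(path)
        return data

    def write(self, path, data):
        self._private[path] = data       # the change lands only in this VE

    def delete(self, path):
        self.read(path)                  # must be visible to this VE
        self._private[path] = _DELETED   # hide it without touching the base

    def listing(self):
        paths = set(self._base) | set(self._private)
        return sorted(p for p in paths if self._private.get(p) is not _DELETED)

    def changes(self):
        return {p: "deleted" if d is _DELETED else
                   "modified" if p in self._base else "created"
                for p, d in self._private.items()}

def merged_view(base, ves):
    """Integrated user view: base files plus each VE's changes, by VE name."""
    view = {path: [("base", "present")] for path in base}
    for ve in ves:
        for path, kind in ve.changes().items():
            view.setdefault(path, []).append((ve.name, kind))
    return view

def commit(base, ve, path):
    """Model of explicit user approval: promote one VE change to the base."""
    data = ve._private.pop(path)
    if data is _DELETED:
        base.pop(path, None)
    else:
        base[path] = data
```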
93 Claims
1. A security system for computers that does not depend on information about the specific identities of malicious programs, wherein said computers are at least one of a personal computer, a network server, a cellular phone, a palm pilot, a car computer, and/or other computerized gadget, comprising at least one of:
a. A system for automatic segregation between programs that is applied to at least one of the hard disks and other non-volatile storage devices;
b. An independent device that is adapted to notice and intercept whenever the amount of data actually sent out from a computer does not fit the amount reported by at least one of: the Security System installed on the computer, and the communications software of the computer;
c. A system for preventing malicious software from falsifying the user's input;
d. A security system wherein in an organization the Security System of the central authority and/or of the system administrator and/or a gateway computer through which the other computers access the web—
automatically checks at least once in a while if the Security System is functioning properly on the other computers;
e. A security system and/or firewall that prevents applications and/or drivers from accessing directly at all or at least without user permission the hardware ports of and/or the actual device drivers that physically access at least one of the communication channels and the storage devices;
f. A security system and/or firewall that prevents applications and/or drivers from accessing without user permission also USB devices;
g. A security system and/or firewall that prevents applications and/or drivers from accessing without user permission also at least one of Bluetooth communication devices, infra-red, and other wireless communication channels;
h. A security system and/or firewall that prevents applications and/or drivers from accessing without user permission at least one of Fax sending functions and other TAPI functions;
i. A security system wherein at least one general trusted area and at least one non-trusted area are enforced by creating at least two Virtual Environments (VEs), one for the trusted area and one for the non-trusted area, and enforcing the virtual sharing of resources between them, so that each VE sees only itself and the OS;
i. A security system wherein separate VEs with virtual sharing are used to enforce better segregation between users, so that each user has at least one VE of his/her own, and/or to enforce different profiles or configurations for the same users.
View Dependent Claims (19, 69, 71, 73, 75, 76, 81, 82, 84, 85, 86, 88, 89, 90, 91, 93)
2-18. (canceled)
20-66. (canceled)
67. A security system and/or firewall that asks the user for confirmation when at least one of the following activities occur:
a. Multiple E-mails are being sent out consecutively;
b. The e-mail message or messages include an attachment or attachments which are executable files.
68. (canceled)
70. The system of claim 6919 wherein when running virus-scan programs, at least one of the following features exists:
a. The virus-scan program can access freely all the real files and directories, including files and/or directories created for the implementation of Copy-On-Write or of sub-VEs;
b. When the anti-virus program reports a virus or asks the user for a confirmation for deleting a virus, the user can be exposed also to the special files and/or directories;
c. The Security System comes with its own special anti-virus program or programs, or it interferes whenever the anti-virus program wants to show the user any of these special files or directories, and then the security system can answer automatically instead of the user and/or questions can be displayed to the user through the merged view;
d. The Security System lets the antivirus run automatically each time on the next VE, seeing each time only the scope of that VE;
e. The Security System runs either a special antivirus or interferes when the antivirus shows results and then reports the results to the users in terms of VE's, and/or can ask the user if he wants to remove the virus or remove the entire VE.
72. (canceled)
74. (canceled)
77. A security system wherein in an organization the Security System of the central authority and/or of the system administrator and/or a gateway computer through which the other computers access the web—
automatically checks at least once in a while if the Security System is functioning properly on the other computers.
View Dependent Claims (78)
79. (canceled)
80. (canceled)
83. (canceled)
87. (canceled)
92. (canceled)
Specification