William Alan Sobel

6349311, Feb 19, 2002

Feb 1, 1999

09/241794

William E. Sobel - Cypress CA
Carey S. Nachenberg - Northridge CA

Symantec Corporation - Cupertino CA

G06F 1200

707203

A computer readable file of a first state ( ) is updated to a second state ( ) through the use of an incremental update ( ) which provides the information necessary to construct the file of the second version ( ) from a file of the first version ( ). In order to allow for future access to the first version ( ), without maintaining a copy of the file of the first version ( ), a back-update file ( ) is created. The back-update file ( ) provides the information necessary to construct a file of the first state ( ) from a file of the second state ( ).

6785818, Aug 31, 2004

Jan 14, 2000

09/483536

William E. Sobel - Stevenson Ranch CA
David Grawrock - Aloha OR

Symantec Corporation - Cupertino CA

G06F 1214

713200, 713187

Apparati, computer-implemented methods, and computer-readable media for thwarting map-loaded module ( ) attacks on a digital computer ( ). Within the computer ( ) is an intermediate location such as a registry ( ) containing mappings from generic names ( ) of map-loaded modules ( ) to specific locations ( ) of the map-loaded modules ( ). Coupled to the intermediate location ( ) is a monitor module ( ) adapted to monitor attempts to replace existing mappings ( ) of map-loaded modules ( ) with replacement mappings ( ). Coupled to the map-loaded modules ( ) is a file system monitor;module ( ) adapted to monitor attempts to insert new map-loaded modules ( ) into the computer ( ). Coupled to the monitor module ( ) and to the file system monitor module ( ) is a programmable control module ( ) adapted to determine when a change in mapping constitutes a malicious code attack.

7124272, Oct 17, 2006

Apr 18, 2003

10/418476

Mark K. Kennedy - Redondo Beach CA, US
William Sobel - Cypress CA, US

Symantec Corporation - Cupertino CA

G06F 12/00

711173

Improved file tracking methods and file re-positioning or file defragmenting mechanisms are disclosed for use with a differential rate memory device which has allocatable storage units disposed in regions of comparatively faster data access and of comparatively slower data access for storing retrievable data file contents in such regions.

7155741, Dec 26, 2006

May 6, 2002

10/140149

William E Sobel - Stevenson Ranch CA, US
Bruce McCorkendale - Los Angeles CA, US

Symantec Corporation - Cupertino CA

H04L 9/00

726 22

Buffer overflow attacks are prevented by altering the load locations of commonly used executable code modules. A monitor layer () is associated with an operating system () and controls the load locations for predetermined modules containing executable code that can be used in the execution of buffer overflow attacks. The monitor layer () applies predetermined criteria to determine whether a module () presents a high risk for enabling a buffer overflow attack. If the monitor layer () determines that the module () presents a high risk, the monitor layer () may force the module () to load in an alternate location () by reserving sections of memory () into which the module normally loads. Alternatively, the monitor layer () may alter the area of the module that directs the operating system () to load it into a particular location (), thus causing the operation system to load the module to an alternate location ().

7159149, Jan 2, 2007

Oct 24, 2002

10/280586

Mark Spiegel - West Hills CA, US
Bruce McCorkendale - Los Angeles CA, US
William Sobel - Stevenson Ranch CA, US

Symantec Corporation - Cupertino CA

G06F 11/00

714 43, 726 22, 726 23, 726 24, 709224

Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module (), which observes () failed network connection attempts from multiple sources. A logging module () logs () the failed connection attempts. An analysis module () uses the logged data on the failed connection attempts to determine () whether a sources is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source's failed connection attempts are non-normal. In one embodiment, a response module () responds () to the computer worm by, e. g. , alerting a user or system administrator, terminating an infected process (), or terminating the infected source's network access.

7249187, Jul 24, 2007

Nov 27, 2002

10/305622

William E Sobel - Stevenson Ranch CA, US
Greg Vogel - Chatsworth CA, US
Bruce McCorkendale - Los Angeles CA, US

Symantec Corporation - Cupertino CA

G06F 15/16

709229, 709227, 726 3, 726 4

Methods, apparati, and computer program products enforce computer network security policies by assigning network membership to a client () based on the client's compliance with the security policies. When a client () requests () a network address, the DHCP proxy () intercepts the request and assigns () that client () a logical address on the protected network () if the client () is in compliance with the security policies. If the client () is not in compliance with the security policies, in various embodiments, the DHCP proxy () assigns () the client () an address on a restricted network () or no network address at all.

7260847, Aug 21, 2007

Oct 24, 2002

10/280663

William Sobel - Stevenson Ranch CA, US
Bruce McCorkendale - Los Angeles CA, US

Symantec Corporation - Cupertino CA

G06F 12/14
G06F 15/00
H04L 9/00

726 24, 713165, 713166, 713167, 713188, 726 1

Computer-implemented methods, apparati, and computer-readable media for detecting malicious computer code in a file () associated with a computer (). A method of the present invention comprises the steps of determining whether there is more than one hard link () to the file (); and when there is more than one hard link (), ascertaining the identities of all the hard links (), and performing an antivirus scan on the file () based upon the hard link(s) () having the most restrictive scanning criteria of all the hard links (), or upon the union of scanning criteria amongst all the hard links ().

7293063, Nov 6, 2007

Jun 4, 2003

10/455014

William E Sobel - Stevenson Ranch CA, US

SYMANTEC Corporation - Cupertino CA

G06F 15/16

709206, 709207, 726 23, 726 24

A spam manager () receives () at least one e-mail () addressed to a domain (). The spam manager () performs () a signature based analysis of received e-mail () to determine whether received e-mail () includes at least one signature indicative of spam. Responsive to the spam manager () identifying e-mail () that does not include at least one signature indicative of spam and to a timeout period not having transpired from a time of receipt of the e-mail () by the spam manager (), the spam manager () performs () at least one secondary analysis of the identified e-mail ().