1
Matthew Conover, Sourabh Satish: Detecting shellcode that modifies IAT entries. Symantec Corporation, Gunnison McKay & Hodgson L, Serge J Hodgson, June 23, 2009: US07552479 (70 worldwide citations)

On start up of a process, a critical imported functions table including resolved addresses of critical imported functions that an application, such as a host intrusion detection system application depends upon to have data integrity, is dynamically allocated and marked read only to impede modificati ...


2
Matthew Conover, Sourabh Satish: Method and apparatus to detect and recover from a stack frame corruption. Symantec Corporation, Gunnison McKay & Hodgson L, Lisa A Norris, September 18, 2007: US07272748 (40 worldwide citations)

A prologue and an epilogue of a function are hooked. Completion of the prologue is stalled in a first state of a stack frame, and a copy of the first state of the stack frame is saved. Completion of the prologue is initiated, permitting execution of the function. Completion of the epilogue is stalle ...


3
Matthew Conover: System and method for logging operations of virtual machines. Symantec Corporation, Campbell Stephenson, May 21, 2013: US08448165 (40 worldwide citations)

A system and method for logging operations of guest virtual machines are provided. An execution event is triggered, in response to a request to load a software module in a virtual machine. A processor sends an indication to a hypervisor that the software module is loaded in the virtual machine, in r ...


4
Tzi-cker Chiueh, Matthew Conover: Insertion and invocation of virtual appliance agents through exception handling regions of virtual machines. Symantec Corporation, Advantedge Law Group, July 17, 2012: US08225317 (32 worldwide citations)

A method for inserting an agent of a virtual appliance into a virtual machine. The method may include inserting, into an exception handler memory location of a virtual machine, one or more computer-executable instructions configured to facilitate transfer of control from the virtual machine to an ag ...


5
Bruce Montague, Sanjay Sawhney, Matthew Conover, Tzi-cker Chiueh: Security driver for hypervisors and operating systems of virtualized datacenters. Symantec Corporation, Rory D Rankin, Meyertons Hood Kivlin Kowert & Goetzel P C, February 26, 2013: US08387046 (31 worldwide citations)

A system and method for efficient security protocols in a virtualized datacenter environment are contemplated. In one embodiment, a system is provided comprising a hypervisor coupled to one or more protected virtual machines (VMs) and a security VM. Within a private communication channel, a split ke ...


6
Peter Szor, Peter Ferrie, Matthew Conover: Detection of SYSENTER/SYSCALL hijacking. Symantec Corporation, Fenwick & West, November 10, 2009: US07617534 (20 worldwide citations)

Techniques are disclosed for detecting manipulations of user-kernel transition registers (such as the SYSENTER/SYSCALL critical registers of Intel/AMD processors, respectively), and other such registers. In one embodiment, a register monitor agent is deployed at system boot-up, and continues monitor ...


7
Govind Salinas, Matthew Conover, Sourabh Satish: Method to identify buffer overflows and RLIBC attacks. Symantec Corporation, Gunnison McKay & Hodgson L, Philip McKay, May 17, 2011: US07945953 (17 worldwide citations)

A method and system detect buffer overflows and RLIBC attacks by determining if a critical call initiating function is a “potential threat”. In one embodiment, a critical call initiating function is considered a potential threat if the value of the return address of the critical call initiating func ...


8
Taher Mansur Vohra, Matthew Conover: Tracking storage operations of virtual machines. Symantec Corporation, Meyertons Hood Kivlin Kowert & Goetzel P C, Dean M Munyon, Paul T Seegers, June 11, 2013: US08464254 (15 worldwide citations)

Techniques relating to tracking storage operations performed by a guest virtual machine executing on a computer system are disclosed. The guest virtual machine may include a filter driver that provides an indication to a storage tracking virtual machine executing on the computer system that the gues ...


9
Sanjay Sawhney, Matthew Conover, Bruce Montague: Systems and methods for providing network access control in virtual environments. Symantec Corporation, ALG Intellectual Property, January 20, 2015: US08938782 (14 worldwide citations)

A computer-implemented method for providing network access control in virtual environments. The method may include: 1) injecting a transient security agent into a virtual machine that is running on a host machine; 2) receiving, from the transient security agent, an indication of whether the virtual ...


10
Matthew Conover: Heap buffer overflow exploitation prevention system and method. Symantec Corporation, Gunnison McKay & Hodgson L, Serge J Hodgson, February 5, 2008: US07328323 (11 worldwide citations)

A method includes stalling a call to a heap allocation function originating from a request by an application for a block of heap buffer, predicting a block of the heap buffer to fulfill the request, and determining if a forward link (F-link) and a backward link (B-link) of the predicted block are ad ...