Patents Assigned to Kaspersky Lab, ZAO
  • Patent number: 10182069
    Abstract: A method, system and computer program product for blocking access to restricted elements of application interface and covering the restricted elements by trusted interface elements. The system includes an analyzer module, a database of restricted elements and a blocking module. The analyzer module is configured to detect interface elements of an active application rendered on a computer or a mobile device. The analyzer module determines if an application interface element is restricted by comparing the application interface element against the known restricted interface elements from the database. If the restricted element is detected, the analyzer module sends the data about the restricted element to the blocking module. The blocking module covers the restricted interface element by a trusted interface element or by an image.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: January 15, 2019
    Assignee: Kaspersky Lab, ZAO
    Inventors: Konstantin M. Filatov, Victor V. Yablokov
  • Patent number: 9497223
    Abstract: Method and system for configuration of a computer system according to security policies. The configuration of an employee's personal computer system according to the security policies of the corporate network provides for security of access to the corporate network. Configuration change instructions are generated according to the security policy and applied to the configuration of the computer system. The configuration system includes at least one computer system used to access a corporate network, a policy application module configured to determine configuration parameters of the computer system and to pass the configuration data to an instruction forming module. The computer system is configured according to the selected security policy by execution of at least one configuration change instruction. The configuration system also includes a database of security policies.
    Type: Grant
    Filed: September 20, 2014
    Date of Patent: November 15, 2016
    Assignee: Kaspersky Lab, ZAO
    Inventors: Andrey A. Kulaga, Andrey A. Pravdivy, Denis A. Minchenko
  • Patent number: 9361605
    Abstract: System for updating filtering rules for messages received by a plurality of users including a filtering rules database storing filtering rules for the users; means for distributing the filtering rules to the users; a user reputation database comprising a reputation weight for each user; and means for receiving and processing of user reports that indicate that a message belongs to a particular category. The means for receiving (i) calculates a message weight in its category based on a number of reports received from multiple users and reputation weights of those users, (ii) decides whether the message belongs to the particular category if the message weight exceeds a predefined threshold, (iii) updates the filtering rules in the filtering rules database based on the deciding, and (iv) distributes the updated filtering rules from the filtering rules database to the users using the means for distributing.
    Type: Grant
    Filed: May 31, 2012
    Date of Patent: June 7, 2016
    Assignee: Kaspersky Lab, ZAO
    Inventors: Victor V. Yablokov, Anton V. Tikhomirov, Vladislav V. Martynenko
  • Patent number: 9355224
    Abstract: A system for a dynamic adjustment of expiration date of an authorization key, the system comprising: a security product that will be installed on a predetermined number of computers. The administration key allows a use of the software product on the predetermined number of computers during a predetermined period of time. The plurality of authorization units purchased from a vendor that are the smallest increments of time that a duration period of the authorization key is measured in. The expiration date for all the computers can be updated at any time, depending on the number of computers on which the software is installed at any given time. The administration server determines a beginning and an ending date of a functionality of the authorization key for the security product. The database receives and stores the beginning and the ending date of the functionality of the authorization key for the security product.
    Type: Grant
    Filed: May 16, 2008
    Date of Patent: May 31, 2016
    Assignee: Kaspersky Lab, ZAO
    Inventors: Stephane Le Hir, Philippe Bodemer, Damiem M. Billy, Andrey A. Kulaga, Alexey Y. Kalgin, Andrey V. Kazachkov, Damir R. Shiyafetdinov
  • Patent number: 9330279
    Abstract: A method, system and computer program product for blocking access to restricted elements of application interface and covering the restricted elements by trusted interface elements. The system includes an analyzer module, a database of restricted elements and a blocking module. The analyzer module is configured to detect interface elements of an active application rendered on a computer or a mobile device. The analyzer module determines if an application interface element is restricted by comparing the application interface element against the known restricted interface elements from the database. If the restricted element is detected, the analyzer module sends the data about the restricted element to the blocking module. The blocking module covers the restricted interface element by a trusted interface element or by an image.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: May 3, 2016
    Assignee: Kaspersky Lab, ZAO
    Inventors: Konstantin M. Filatov, Victor V. Yablokov
  • Patent number: 9171155
    Abstract: A malware detection rule is evaluated for effectiveness and accuracy. The detection rule defines criteria for distinguishing files having a characteristic of interest from other files lacking that characteristic, for instance, malicious files vs. benign files. The detection rule is applied to a set of unknown files. This produces a result set that contains files detected from among the set of unknown files as having the at least one characteristic of interest. Each file from the result set is compared to at least one file from a set of known files having the characteristic to produce a first measure of similarity, and to at least one file from a set of known files lacking the characteristic to produce a second measure of similarity. In response to the first measure of similarity exceeding a first similarity threshold, the detection rule is deemed effective. In response to the second measure of similarity exceeding a second similarity threshold, the detection rule is deemed inaccurate.
    Type: Grant
    Filed: May 27, 2014
    Date of Patent: October 27, 2015
    Assignee: KASPERSKY LAB ZAO
    Inventors: Alexey M. Romanenko, Ilya O. Tolstikhin, Sergey V. Prokudin
  • Patent number: 9160680
    Abstract: System and method for categorizing a plurality of network resources. Collected properties of a network resource are analyzed to determine applicability of various predefined categories to that network resource. At least one category from among the predefined categories is assigned to that network resource according to a determination of applicability of the at least one category to the network resource. A resource-specific time interval for re-categorizing each one of the network resources is dynamically adjusted based on a plurality of previous categorization results for that network resource, such that different network resources will be associated with correspondingly different re-categorization intervals.
    Type: Grant
    Filed: November 18, 2014
    Date of Patent: October 13, 2015
    Assignee: KASPERSKY LAB ZAO
    Inventors: Vladimir A. Skvortsov, Evgeny B. Kolotinsky
  • Patent number: 9147073
    Abstract: A server-based system for generation of heuristic scripts for malware detection includes an automatic heuristics generation system for generating heuristic scripts for curing malware infections; a log database containing logs of events from user computers, including detection of known malicious objects and detection of suspicious objects; a safe objects database accessible containing signatures of known safe objects; a malicious objects database containing signatures of known malicious objects. The system retrieves suspect object metadata from the log database and generates the heuristic script based on data from the safe and malicious objects databases. For multiple computers having the same configuration and having the same logs, only one log common to all the multiple computers is transmitted and only one heuristic script is distributed to the multiple computers. A different and specific heuristic script is distributed to those computers that have a different log than the common log.
    Type: Grant
    Filed: February 1, 2013
    Date of Patent: September 29, 2015
    Assignee: Kaspersky Lab, ZAO
    Inventor: Oleg V. Zaitsev
  • Publication number: 20150269380
    Abstract: Disclosed are some aspects of systems and methods for providing security for online transactions. An example method includes determining, at a security service, that an online transaction related to a payment service has been initiated at a computer by a user of the computer, collecting first information from the computer and second information from the payment service, and determining, based on the collected information, whether the online transaction is suspicious. These aspects further include, when the online transaction is determined to be suspicious, determining whether a malicious program can be identified on the computer and when the malicious program is identified, performing corresponding remedial actions with respect to the detected malicious program.
    Type: Application
    Filed: April 29, 2014
    Publication date: September 24, 2015
    Applicant: Kaspersky Lab ZAO
    Inventors: Sergey Y. Golovanov, Alexey V. Monastyrsky
  • Patent number: 9116621
    Abstract: Disclosed are system and method for controlling execution of a program. An example method includes determining a memory sector of interest in a first virtual memory location; duplicating the memory sector of interest in a second virtual memory location; tagging the memory sector of interest in the first virtual address space and the duplicated memory sector in the second virtual address space with different tags; selecting between the memory sector of interest and the duplicated memory sector a memory location for execution of the program; executing, by a hardware processor, the program in the selected memory location until receipt of a notification to transfer execution of the program from a memory sector tagged with one tag to a memory sector tagged with a different tag; and transferring program execution to the memory location other than the one in which the notification was received.
    Type: Grant
    Filed: January 14, 2015
    Date of Patent: August 25, 2015
    Assignee: Kaspersky Lab ZAO
    Inventors: Vladislav V. Pintiysky, Dmitry A. Kirsanov, Denis V. Anikin
  • Patent number: 9098704
    Abstract: A system and method for capturing and re-calling an application function. The method of function re-call during anti-virus check includes the following steps: function intercept (capture); anti-virus analysis of the parameters used to call the function; preparing of an application stack for function re-call (when the analysis did not detect any malicious functionality); and calling the function again. The exemplary method can be used with browsers and other applications.
    Type: Grant
    Filed: October 9, 2013
    Date of Patent: August 4, 2015
    Assignee: Kaspersky Lab, ZAO
    Inventor: Alexander Ledenev
  • Patent number: 9098697
    Abstract: Disclosed system and methods for detecting malicious applications. The system provides a library of handler functions. The handler functions control access of one or more applications to protected resources on a user device. The system also modifies the one or more applications to access the library of handler functions instead of corresponding application program interface (API) functions of the user device. The handler functions receive API function calls from a modified application. The system analyzes the received API function calls for malicious behavior characteristics. When the API function calls do not exhibit malicious behavior characteristics, the handler functions perform the API function calls to the protected resources. When the API function calls exhibit malicious behavior characteristics, the system prevents access of the modified application to the protected resources.
    Type: Grant
    Filed: September 27, 2013
    Date of Patent: August 4, 2015
    Assignee: Kaspersky Lab ZAO
    Inventors: Victor V. Yablokov, Evgeny Y. Eliseev
  • Patent number: 9094451
    Abstract: An initial trust status is assigned to a first object, the trust status representing one of either a relatively higher trust level or a relatively lower trust level. Based on the trust status, the first object is associated with an event type to be monitored, where the event type is selected from among: essential events, occurrence of which is informative as to trust status evaluating for an object, and critical events, including the essential events, and additional events, occurrence of which is informative as to execution of suspicious code. Occurrences of events relating to the first object are monitored. In response to the first object being assigned the relatively higher trust level, only the essential events are monitored. In response to the first object being assigned the relatively lower trust level, the critical events are monitored. A need for performing malware analysis is determined based on the trust status of the first object and the event type.
    Type: Grant
    Filed: August 1, 2014
    Date of Patent: July 28, 2015
    Assignee: KASPERSKY LAB ZAO
    Inventors: Andrey V. Sobko, Maxim V. Yudin, Pavel N. Mezhuev, Ilya B. Godunov, Maxim A. Shiroky
  • Patent number: 9087195
    Abstract: Disclosed are systems, methods and computer program products for efficient and reliable analysis, optimization and detection of obfuscated malware. One disclosed example method for malware detection includes loading an executable software code on a computer system and disassembling the software code into an assembly language or other low-level programming language. The method then proceeds to simplifying complex assembly instructions and constructing a data flow model of the simplified software code. The dependencies and interrelations of code elements of the data flow model are analyzed to identify obfuscated software codes therein. The identified obfuscated codes are then optimized. Based on the results of optimization, determination is made whether the software code is malicious and/or whether further antimalware analysis of the optimized software code is necessary.
    Type: Grant
    Filed: July 10, 2009
    Date of Patent: July 21, 2015
    Assignee: Kaspersky Lab ZAO
    Inventor: Maxim Y. Golovkin
  • Patent number: 9088618
    Abstract: Disclosed are systems and methods for ensuring fault tolerance of antivirus protection realized in a virtual environment. An example method includes collecting, by an antivirus agent in a virtual machine, information about available security virtual machines that provide at least one or more resource-intensive methods of antivirus checking of programs running on the virtual machine; analyzing the collected information to determine a location of the virtual machine relative to the security virtual machines and determine priorities for each of the security virtual machines based on the location of the virtual machine relative; forming a list of the available security virtual machines according to the priorities of the security virtual machines to identify a primary security virtual machine; connecting the virtual machine to the primary security virtual machine; and requesting the primary security virtual machine to perform at least antivirus checking of one or more programs running on the virtual machine.
    Type: Grant
    Filed: June 23, 2014
    Date of Patent: July 21, 2015
    Assignee: Kaspersky Lab ZAO
    Inventors: Sergey N. Gridnev, Pavel N. Yarykin
  • Patent number: 9081967
    Abstract: Disclosed herein are systems, methods and computer program products for protecting computer systems from software vulnerabilities. In one aspect, a system is configured to detect execution of a software application and determine whether the detected application has vulnerabilities. When the application has vulnerabilities, the system may analyze the application to identify typical actions performed by the application. The system may then create one or more restriction rules based on the identified typical actions of the application. The restriction rules allow application to perform typical actions and block atypical actions. The system then controls execution of the application using the created restriction rules.
    Type: Grant
    Filed: November 11, 2013
    Date of Patent: July 14, 2015
    Assignee: Kaspersky Lab ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Publication number: 20150188946
    Abstract: Disclosed are system, methods, and computer program product for applying security policies based on available licenses to a plurality of devices. An example method includes determining, by a processor, one or more criteria for a device relating to a priority of the device in the network for application of the security policies; determining numeric values for each of the one or more criteria; determining a coefficient for the device based on the numeric values; determining the priority of the device based on the coefficient of the device and respective coefficients of the plurality of devices; designating a security policy for the device based on the priority of the device; determining availability of a license for a software applying the designated security policy to the device; and when the license for the software that applies the designated security policy is available, applying the designated security policy to the device.
    Type: Application
    Filed: May 30, 2014
    Publication date: July 2, 2015
    Applicant: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Publication number: 20150188947
    Abstract: Disclosed are system, methods, and computer program product for designation of encryption policies for user devices. An example method includes determining one or more criteria for the user device related to encryption requirements of the user device; determining numeric values for each of the one or more criteria; determining a coefficient for the device based on the numeric values; determining an encryption policy for the device based on the coefficient; and applying the determined encryption policy to the device.
    Type: Application
    Filed: May 30, 2014
    Publication date: July 2, 2015
    Applicant: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Publication number: 20150186192
    Abstract: Disclosed are systems, methods and computer program products for selecting interprocess communication mechanism. In one aspect, the system collects information about resources used by two or more processes involved in an interprocess communication in which a first process can transfer data to a second process using one of a synchronous and asynchronous data transfer methods; analyzes the collected information to determine which data transfer method achieves at least one of minimizing time of the data transfer between processes, maximizing utilization of resources used for the data transfer, minimizing standstill time during the data transfer, minimizing effect of other processes of the operating system on the data transfer, and based on the determination, selects one of the synchronous or asynchronous method of interprocess communication to transfer the data between the first and second processes.
    Type: Application
    Filed: March 20, 2014
    Publication date: July 2, 2015
    Applicant: Kaspersky Lab ZAO
    Inventors: Pavel V. Dyakin, Andrey Y. Gruzdev
  • Publication number: 20150186126
    Abstract: Disclosed are systems, methods and computer program products for automating installation of applications. In one aspect, the system launches an application installer of a software application; identifies control elements in an active window of the application installer, wherein the control elements include at least user interface (UI) elements responsible for transitioning the active window to another window of the application installer; transitions to other windows of the application installer and identifies control elements in all other windows of the application installer until the application is installed; generates an automatic installation rule for the application that automatically activates one or more windows of the application installer and one or more control elements of said window to install the application without a participation of a user.
    Type: Application
    Filed: March 5, 2014
    Publication date: July 2, 2015
    Applicant: Kaspersky Lab ZAO
    Inventor: Anton M. Ivanov