Abstract: A system and method is provided for detecting anomalous events based on a dump of an address space of a software process in a memory of a computing device. An exemplary method includes detecting at least one event occurring in an operating system of the computing device during an execution of the software process, determining a context of the detected event, wherein the context comprises a dump of an address space of the software process containing code that was being executed at the moment of occurrence of the detected event, selecting a set of features of the dump for use in determining whether or not the event is anomalous, transforming the selected set of features of the dump into a convolution, determining a popularity of the convolution by polling a database, and determining that the detected event is an anomalous event if the determined popularity is below a threshold value.

Abstract: A system and method is provided for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device. An exemplary method includes launching an agent in an operating system of a client device, registering, by the agent, events occurring in the operating system, for each registered event, determining a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event, selecting a set of features based on the call stack of the event, generating a convolution based on the selected set of features of the event and the context of the event, and adding the generated convolution to a set of convolutions of events occurring on client devices, and providing, to a client device from which a request is received, the set of convolutions of events occurring on client devices.

Abstract: Disclosed is a method for analyzing a log for conducting an antivirus scan of a file. The method includes opening a file in a virtual machine. The opening of the file includes execution of a guest process having a thread in a virtual processor of the virtual machine. A plurality of events in the thread of the guest process is intercepted. Registers associated with a system call made during execution of the first thread of the guest process are determined. Execution of the thread of the guest process is halted. In a log associated with the opening of the file, information is saved indicating events intercepted during execution of the thread in an altered guest physical memory page, and context data of the virtual processor. Using at least one template having rules, the saved log is analyzed to determine whether the file opened in the virtual machine is harmful.

Abstract: Disclosed are systems and methods for analysis of files for maliciousness and determining an action. An exemplary method comprises: opening a file, by a processor, in a virtual machine, intercepting an event arising in an execution of a thread of a process created upon opening of the file, determining, a context of the processor on which the thread is being executed, the determination including reading register values of the processor and a stack, comparing the context with rules that check: a behavior of the thread of the process, a changing, by the thread, of attributes of the file, and an access of the thread to the Internet, and based on a result of the comparison, performing at least one of: recognizing the file as being malicious, halting the execution of the thread, changing the context of the processor, and waiting for a next intercepted event.

Abstract: A system and method is provided for detecting anomalous events based on a dump of an address space of a software process in a memory of a computing device. An exemplary method includes detecting at least one event occurring in an operating system of the computing device during an execution of the software process, determining a context of the detected event, wherein the context comprises a dump of an address space of the software process containing code that was being executed at the moment of occurrence of the detected event, selecting a set of features of the dump for use in determining whether or not the event is anomalous, transforming the selected set of features of the dump into a convolution, determining a popularity of the convolution by polling a database, and determining that the detected event is an anomalous event if the determined popularity is below a threshold value.

Abstract: Disclosed is a method for analyzing a log for conducting an antivirus scan of a file. The method includes opening a file in a virtual machine. The opening of the file includes execution of a guest process having a thread in a virtual processor of the virtual machine. A plurality of events in the thread of the guest process is intercepted. Registers associated with a system call made during execution of the first thread of the guest process are determined. Execution of the thread of the guest process is halted. In a log associated with the opening of the file, information is saved indicating events intercepted during execution of the thread in an altered guest physical memory page, and context data of the virtual processor. Using at least one template having rules, the saved log is analyzed to determine whether the file opened in the virtual machine is harmful.

Abstract: A system and method is provided for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device. An exemplary method includes launching an agent in an operating system of a client device, registering, by the agent, events occurring in the operating system, for each registered event, determining a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event, selecting a set of features based on the call stack of the event, generating a convolution based on the selected set of features of the event and the context of the event, and adding the generated convolution to a set of convolutions of events occurring on client devices, and providing, to a client device from which a request is received, the set of convolutions of events occurring on client devices.

Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.

Abstract: Disclosed are systems and methods for generating a log for conducting an antivirus scan of a file. The described technique includes opening a file in a virtual machine, which causes execution of a guest process and a thread in a (virtual) processor of the virtual machine. The technique includes identifying, during execution of the first thread, events that involve alteration of guest physical memory pages of the virtual machine. The technique determines altered guest physical memory page based on analysis of the log and identifies when a transfer of control to altered guest physical memory pages has occurred. The resultant log for analysis by a security application includes information indicating the events occurring during execution of the thread in the altered guest physical memory page, and context data of the virtual processor on which the thread is being executed.

Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.

Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device. If the determined popularity is below a threshold value, the method determines that the detected event is an anomalous event.

Abstract: Disclosed are system and method for detecting malicious code in files. One exemplary method comprises: intercepting, by a processor, one or more application program interface (API) calls during an execution of a process launched from a file of a computing device; determining and detecting, by the processor, a presence of an exit condition of the process; in response to detecting the exit condition, identifying one or more signatures of a first type and transferring one or more saved memory dumps of the computing device to an emulator for execution; and determining and identifying a malicious code in the file in response to detecting one or more signatures of a second type based at least upon execution results of the transferred memory dumps of the computing device.

Abstract: Disclosed are systems and methods for analysis of files for maliciousness and determining an action. An exemplary method comprises: opening a file, by a processor, in a virtual machine, intercepting an event arising in an execution of a thread of a process created upon opening of the file, determining, a context of the processor on which the thread is being executed, the determination including reading register values of the processor and a stack, comparing the context with rules that check: a behavior of the thread of the process, a changing, by the thread, of attributes of the file, and an access of the thread to the Internet, and based on a result of the comparison, performing at least one of: recognizing the file as being malicious, halting the execution of the thread, changing the context of the processor, and waiting for a next intercepted event.

Abstract: Disclosed are systems and methods of analysis of files for maliciousness in a virtual machine. An exemplary method comprises: opening and executing a file by a processor in a virtual machine; intercepting an event arising in the process of execution of a thread of a process created upon opening of the file; halting the execution of the thread; reading the context of the processor on which the thread is being executed; comparing the context of the processor with one or more rules; and based on the results of the comparison, performing at least one of: recognizing the file as being malicious; halting the execution of the process created upon opening of the file; changing the context of the processor; and waiting for the next intercepted event.

Abstract: Disclosed are systems and methods for generating a log for conducting an antivirus scan of a file. The described technique includes opening a file in a virtual machine, which causes execution of a guest process and a thread in a (virtual) processor of the virtual machine. The technique includes identifying, during execution of the first thread, events that involve alteration of guest physical memory pages of the virtual machine. The technique determines altered guest physical memory page based on analysis of the log and identifies when a transfer of control to altered guest physical memory pages has occurred. The resultant log for analysis by a security application includes information indicating the events occurring during execution of the thread in the altered guest physical memory page, and context data of the virtual processor on which the thread is being executed.

Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device.

Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device.

Abstract: A system and method is provided for detecting anomalous events occurring in an operating system of a computing device. An exemplary method includes detecting an event that occurs in the operating system of the computing device during execution of a software process. Moreover, the method includes determining a context of the detected event and forming a convolution of the detected event based on selected features of the determined context of the detected event. Further, the method includes determining a popularity of the formed convolution by polling a database containing data relating to a frequency of detected events occurring in client devices in a network, where the detected events of the client devices correspond to the detected event in the computing device.

Abstract: Disclosed are a system and method for protecting computers from unauthorized remote administration. One exemplary method includes: intercepting events occurring in the computer system including a first event and a second event associated with data transfer with an application executing in the computer system; determining that the first intercepted event is dependent on the second intercepted event based on parameters of the first intercepted event and the second intercepted event; generating a rule defining a dependency of at least one parameter of the first intercepted event on at least one parameter of the second intercepted event; responsive to determining a degree of similarity of the generated rule and a previously created rule exceeds a threshold value, identifying at least one application as a remote administration application that created the first and second identified intercepted events; and blocking the identified remote administration application from exchanging data with the computer system.

Abstract: Disclosed are systems and methods of analysis of files for maliciousness in a virtual machine. An exemplary method comprises: opening and executing a file by a processor in a virtual machine; intercepting an event arising in the process of execution of a thread of a process created upon opening of the file; halting the execution of the thread; reading the context of the processor on which the thread is being executed; comparing the context of the processor with one or more rules; and based on the results of the comparison, performing at least one of: recognizing the file as being malicious; halting the execution of the process created upon opening of the file; changing the context of the processor; and waiting for the next intercepted event.