Patents Assigned to AO Kaspersky Lab
-
Patent number: 11349809
Abstract: Disclosed herein are systems and methods for blocking information from being received on a computing device. In one aspect, an exemplary method comprises, by a hardware processor, intercepting a Domain Name System (DNS) request, the intercepted DNS request being associated with the information being blocked from the computing device, obtaining a set of rules for a transmission of the intercepted DNS request, determining, whether at least one rule of the obtained set of rules subscribes to a blocking of the transmission of the intercepted DNS request, and blocking the transmission of the intercepted DNS request when at least one rule of the set of rules subscribes to the blocking of the transmission of the intercepted DNS request, wherein the blocking of the transmission of the intercepted DNS request blocks the information from being received on the computing device.
Type: Grant
Filed: May 31, 2019
Date of Patent: May 31, 2022
Assignee: AO Kaspersky Lab
Inventor: Alexey P. Komissarov
-
Patent number: 11347892
Abstract: Disclosed herein are systems and methods for access control in an electronic control unit (ECU). In one aspect, an exemplary method comprises, by an operating system (OS) kernel of the ECU of a vehicle, intercepting at least one request for an interaction of a control application with a basic component through an interaction interface provided by the basic component for interactions with applications, requesting from a security subsystem of the operating system, a verdict as to whether or not access for the interaction of the control application with the basic component through the interaction interface can be provided, and when the verdict is received from the security subsystem granting the access, providing the interaction between the basic component and the control application through the interaction interface in accordance with the received verdict.
Type: Grant
Filed: May 15, 2020
Date of Patent: May 31, 2022
Assignee: AO Kaspersky Lab
Inventors: Alexander S. Shadrin, Pavel V. Dyakin, Dmitry A. Kulagin
-
Patent number: 11323461
Abstract: Disclosed herein are systems and method for intercepting malicious messages for training a malware detection classifier. In an exemplary aspect, an application selection module may select, from a plurality of applications, an application for execution in an execution environment based on a priority level of the application. During the execution of the selected application, a network interception module may monitor network activity comprising information about data being sent and received over a network connected to the execution environment and storing the network activity in memory of the execution environment (e.g., in a network activity log). A message selection module may subsequently extract, from the stored network activity, an electronic message, in response to determining that the electronic message corresponds to the selected application, may store the electronic message in a message database used for training the malware detection classifier.
Type: Grant
Filed: January 17, 2020
Date of Patent: May 3, 2022
Assignee: AO Kaspersky Lab
Inventor: Georgy A. Regentov
-
Patent number: 11297166
Abstract: Systems and methods for transmitting critical data to a server are provided. The data structure intended for transmission to the server is divided up on the client side into a substructure containing critical data (CD) and a substructure not containing CD. The substructure containing CD is further divided up at the client side into at least two substructures and the resulting substructures are sent consecutively to the server via a node with a transformation module. The substructure not containing CD is sent directly to the server, bypassing the node with the transformation module. After receiving the substructures, they are combined at the server side into a single data structure. The critical data are data with respect to which the law of the state in whose jurisdiction the client or an authorized entity is located imposes restrictions on the gathering, storage, accessing, dissemination and processing thereof.
Type: Grant
Filed: August 21, 2019
Date of Patent: April 5, 2022
Assignee: AO Kaspersky Lab
Inventors: Anton S. Lapushkin, Dmitry V. Shmoylov, Andrey V. Ladikov, Andrey A. Efremov
-
Patent number: 11295016
Abstract: Disclosed herein are systems and methods for categorizing an application on a computing device. In one aspect, an exemplary method comprises, obtaining results of a classification of an application from a security server, when the results of the classification satisfy rules of relevance, designating the results of the classification as relevant and determining a category of the application based on the designation of the results as relevant, and when the results of the classification do not satisfy the rules of relevance, performing at least one of: terminating the categorization of the application, and updating the classification of the application based on a set of attributes of the application.
Type: Grant
Filed: October 16, 2019
Date of Patent: April 5, 2022
Assignee: AO Kaspersky Lab
Inventors: Vladimir A. Kuskov, Nikita A. Buchka, Anton A. Kivva, Oleg P. Volkov, Dmitry Y. Lukasevich, Evgeny A. Roginsky, Konstantin M. Filatov, Dmitry V. Latokhin
-
Patent number: 11288401
Abstract: Disclosed herein are systems and methods for reducing a number of false positives in classification of files. In one aspect, an exemplary method comprises, analyzing a file to determine whether or not the file is to be recognized as being malicious, when the file is recognized as being malicious, analyzing the file to detect a false positive outcome, when the false positive outcome is detected, excluding the file from being scanned and calculating a flexible hash of the file, and storing the calculated flexible hash in a database of exceptions.
Type: Grant
Filed: September 11, 2019
Date of Patent: March 29, 2022
Assignee: AO Kaspersky Lab
Inventors: Sergey V. Prokudin, Alexander S. Chistyakov, Alexey M. Romanenko
-
Patent number: 11290440
Abstract: Disclosed herein are systems and methods for blocking network connections to network resources of forbidden categories.
Type: Grant
Filed: March 21, 2019
Date of Patent: March 29, 2022
Assignee: AO Kaspersky Lab
Inventors: Vladislav I. Ovcharik, Oleg G. Bykov, Natalya S. Sidorova
-
Patent number: 11288362
Abstract: Disclosed are systems and methods for creating antivirus records for antivirus applications. An exemplary method includes: analyzing a log of records of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to one or more records of API function calls from the log is identified; extracting from the log the one or more API function calls associated with the identified behavioral rule; determining whether the one or more extracted records of API function calls are supported by an antivirus application of a user device; and when the one or more extracted records of API function calls are not supported by the antivirus application, adding to the antivirus application, a support for registering the unsupported records of API function calls.
Type: Grant
Filed: September 24, 2020
Date of Patent: March 29, 2022
Assignee: AO Kaspersky Lab
Inventors: Sergey V. Gordeychik, Sergey V. Soldatov, Konstantin V. Sapronov
-
Patent number: 11281774
Abstract: Disclosed herein are systems and methods for optimizing antivirus scanning of files on virtual machines. In one aspect, an exemplary method comprises, determining whether there is a record about a file in a verdict cache, when there is, assigning the verdict found in the verdict cache to the file, and when no record is found in the verdict cache, determining whether the file is currently being scanned in a parallel thread, when the file is currently being scanned in a parallel thread, blocking the scanning of the file until the scanning in the parallel thread is completed, and placing a result of the scanning in the parallel thread in the verdict cache, and when the file is not currently being scanned in a parallel thread, performing the scanning of the file on a current thread, and placing a result of the scanning on the current thread in the verdict cache.
Type: Grant
Filed: June 26, 2019
Date of Patent: March 22, 2022
Assignee: AO Kaspersky Lab
Inventors: Denis O. Vlaznev, Alexander S. Saliev, Alexander V. Sizov, Ilya B. Godunov, Igor O. Pavlov, Evgeny S. Semenov
-
Patent number: 11275836
Abstract: Disclosed herein are systems and methods for determining trust levels of files on a computing device. In one aspect, an exemplary method comprises, selecting file names which are stable, generating at least one group of files from at least two files of the selected file names, the at least two files being components of a same application, searching for a presence of a dominant developer such that at least one private key of the dominant developer has been used to sign at least one file of the group of files that is generated, when a dominant developer is found, determining a trust level for all files of the group in accordance with verdicts associated with the dominant developer, and when the dominant developer is not found, determining the trust level for all the files of the group based on verdicts of outside services that have been assigned to the files of the group.
Type: Grant
Filed: October 31, 2019
Date of Patent: March 15, 2022
Assignee: AO Kaspersky Lab
Inventors: Sergey G. Zagorsky, Dmitry V. Shvetsov
-
Patent number: 11275835
Abstract: Systems and methods for performing a repeat antivirus scan of a file are disclosed. A local database is saved on a mobile device, where each record is added to the database when the corresponding file is recognized as being non-malicious as a result of an antivirus scan. A short hash sum of the file is computed and the long hash sum of the file and information about the antivirus scan performed and corresponding to the first hash sum of the file are found in the aforementioned database. Using the long hash sum, a verdict on the file is requested from the cloud services. An antivirus scan of the file is performed, except when the verdict obtained is unchanged (as compared to the verdict contained in the information about the antivirus scan performed of the obtained record corresponding to the file), and no updating of the antivirus databases has occurred since the date of performing the antivirus scan.
Type: Grant
Filed: September 18, 2019
Date of Patent: March 15, 2022
Assignee: AO Kaspersky Lab
Inventors: Victor V. Chebyshev, Dmitry N. Glavatskikh, Konstantin M. Filatov, Vladimir A. Kuskov
-
Patent number: 11277417
Abstract: Disclosed are systems and methods for generating rules for detecting and blocking attacks on electronics systems of a means of transportation. A security server receives log data having messages that were intercepted on the buses of the means of transportation around the time of a road traffic accident with the means of transportation. The security server detects computer attacks on the electronics systems and generates one or more rules that depend on one or more indicators of compromise, such as malicious messages used in a computer attack and information on at least one ECU that is a recipient of the malicious messages. The generated rules further specify actions for blocking subsequent computer attacks, such as blocking, modifying, or changing communications within the communications bus of the vehicle.
Type: Grant
Filed: August 8, 2018
Date of Patent: March 15, 2022
Assignee: AO Kaspersky Lab
Inventors: Pavel V. Dyakin, Alexander V. Shadrin, Dmitry A. Kulagin
-
Patent number: 11269996
Abstract: A method for protecting memory pages of a computing device using a hypervisor includes detecting, by a hypervisor, a token associated with the trusted program, in response to receiving a hypercall from a trusted program. The token associated with the trusted program is checked against a saved token of the hypervisor to determine trustworthiness of the trusted program. The hypervisor creates a memory page containing a safe hypercall address of the hypervisor. Addresses of the memory page are transmitted from the hypervisor to the trusted program. The hypervisor allows execution of the hypercall by the trusted program accessing the safe hypercall address found at the addresses of the memory page.
Type: Grant
Filed: November 13, 2018
Date of Patent: March 8, 2022
Assignee: AO Kaspersky Lab
Inventors: Nikolay N. Igotti, Mikhail A. Ershov
-
Patent number: 11259179
Abstract: Disclosed are systems and methods for enabling transmission of data and commands between a mobile device and a vehicle. An exemplary method comprises connecting a security device to a vehicle and to a mobile device, the security device having a protected memory, verifying, by the security device, an authenticity of the mobile device, allowing, by the security device, transmission of data and commands between the mobile device and at least one actuating device of the vehicle when the mobile device is verified as being authentic, transmitting, by the security device, results of executions of commands from the at least one actuating device of the vehicle to the mobile device.
Type: Grant
Filed: November 25, 2019
Date of Patent: February 22, 2022
Assignee: AO Kaspersky Lab
Inventors: Eugene V. Kaspersky, Andrey P. Doukhvalov, Pavel V. Dyakin, Dmitry A. Kulagin, Sergey V. Konoplev, Anton V. Tikhomirov
-
Patent number: 11258771
Abstract: Disclosed herein are systems and method for securely sending user data. In an exemplary aspect, a trusted party device may receive a request for user data and a first hash of the request stored in a distributed registry. In response to verifying that the first hash matches a hash of the request as calculated by the trusted party device, the trusted party device may generate and transmit both a confirmation request to send the user data and a second hash of the confirmation request to an authorized user device. The trusted party device may receive, from the authorized user device, both a confirmation message and a third hash of the confirmation message stored in the distributed registry. In response to verifying that the third hash matches a hash of the confirmation message as calculated by the trusted party device, the trusted party device may send the requested user data.
Type: Grant
Filed: February 14, 2020
Date of Patent: February 22, 2022
Assignee: AO Kaspersky Lab
Inventors: Alexander V. Sazonov, Roman V. Aleshkin, Alexander S. Korunov, Maxim V. Riveiro
-
Patent number: 11227021
Abstract: System and methods are provided for searching users that meet one or more search requirements. Configuration profiles are obtained of computing systems operated by sample users that have at least one determined characteristic. A machine learning model is generated that associates the determined characteristic of the sample users with the configuration profiles of the computing systems of the sample users. Identifying at least one target user that matches the at least one determined characteristic specified in a search query based on analysis of the configuration profile of the computing system of said target user by the machine learning model.
Type: Grant
Filed: June 28, 2019
Date of Patent: January 18, 2022
Assignee: AO Kaspersky Lab
Inventor: Andrey A. Efremov
-
Patent number: 11227048
Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises emulating execution of a file under analysis, forming a behavior log of the emulated execution of the file under analysis, forming one or more behavior patterns from commands and parameters selected from the behavior log, calculating a convolution of the one or more behavior patterns, selecting two or more models for detecting malicious files from a database, calculating a degree of maliciousness of the file being executed based on the convolution and the two or more models, forming a decision making template based on the degree of maliciousness and determining that the file is malicious when a degree of similarity between the decision making template and a predetermined decision making template exceeds a predetermined threshold value.
Type: Grant
Filed: May 17, 2019
Date of Patent: January 18, 2022
Assignee: AO Kaspersky Lab
Inventors: Alexander S. Chistyakov, Alexey M. Romanenko, Alexander S. Shevelev
-
Patent number: 11222124
Abstract: The present disclosure provides systems and methods for stepwise increasing the IT security of elements of a technological system. In an exemplary aspect, the method comprises gathering data on technological systems and a plurality of elements comprising the technological system by intercepting traffic between the plurality of elements using data exchange protocols, identifying vulnerable elements of the technological system by one or more of: detecting suspicious actions on the vulnerable elements and statistical data relating to the elements, analyzing the vulnerable elements to generate a classification of severity of vulnerabilities of the vulnerable elements, identifying most vulnerable portions of the vulnerable elements as compared to other elements in the vulnerable elements, operating the most vulnerable portions of the vulnerable elements in a protected environment.
Type: Grant
Filed: July 8, 2019
Date of Patent: January 11, 2022
Assignee: AO Kaspersky Lab
Inventors: Andrey P. Doukhvalov, Pavel V. Dyakin, Dmitry A. Kulagin
-
Patent number: 11216555
Abstract: A system and method is provided for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device. An exemplary method includes launching an agent in an operating system of a client device, registering, by the agent, events occurring in the operating system, for each registered event, determining a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event, selecting a set of features based on the call stack of the event, generating a convolution based on the selected set of features of the event and the context of the event, and adding the generated convolution to a set of convolutions of events occurring on client devices, and providing, to a client device from which a request is received, the set of convolutions of events occurring on client devices.
Type: Grant
Filed: December 3, 2019
Date of Patent: January 4, 2022
Assignee: AO Kaspersky Lab
Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
-
Patent number: 11188649
Abstract: Methods and systems are described in the present disclosure for classifying malicious objects. In an exemplary aspect, a method includes: collecting data describing a state of an object of the computer system, forming a vector of features, calculating a degree of similarity based on the vector, calculating a limit degree of difference that is a numerical value characterizing the probability that the object being classified will certainly belong to another class, forming a criterion for determination of class of the object based on the degree of similarity and the limit degree of difference, determining that the object belongs to the determined class when the data satisfies the criterion, wherein the data is collected over a period of time defined by a data collection rule and pronouncing the object as malicious when it is determined that the object belongs to the specified class.
Type: Grant
Filed: June 26, 2019
Date of Patent: November 30, 2021
Assignee: AO Kaspersky Lab
Inventors: Alexander S. Chistyakov, Alexey M. Romanenko, Alexander S. Shevelev