Patents Assigned to AO Kaspersky Lab
  • Patent number: 10867038
    Abstract: A system and method is provided for determining whether an electronic file is malicious. An exemplary method includes extracting resources from an electronic file; forming a first rule that establishes a functional dependency between the extracted resources; identifying, in a database of malicious file resources, a second rule associated with one or more of the extracted resources; comparing the formed first rule with the identified second rule to calculate a degree of similarity between first and second rules; and determining the electronic file to be a malicious file when the calculated degree of similarity exceeds a predetermined threshold value.
    Type: Grant
    Filed: August 4, 2017
    Date of Patent: December 15, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Vladimir V. Krylov, Alexander V. Liskin
  • Patent number: 10838748
    Abstract: Disclosed are systems and methods for emulating execution of a file based on emulation time. In one aspect, an exemplary method comprises, generating an image of a file, emulating an execution of instructions from the image for a predetermined emulation time, the emulation including: when an emulation of an execution of instruction from an image of another file is needed, generating an image of the another file, detecting known set of instructions in portions read from the image, inserting a break point into a position in the generated image corresponding to a start of the detected set of instructions, emulating execution of the another file by emulating execution of instructions from the generated image, and adding corresponding records to an emulation log, and reading a next portion from the image of the another file and repeating the emulation until the predetermined emulation time has elapsed.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: November 17, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Alexander V. Liskin, Vladimir V. Krylov
  • Patent number: 10839074
    Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.
    Type: Grant
    Filed: June 18, 2018
    Date of Patent: November 17, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Mikhail A. Pavlyushchik, Yuri G. Slobodyanuk, Alexey V. Monastyrsky, Vladislav V. Martynenko
  • Patent number: 10831891
    Abstract: The present disclosure provides a system for managing computer resources for detection of malicious files based on machine learning model. In one aspect, the system may comprise: a hardware processor configured to: form at least one behavior pattern on the basis of commands and parameters, calculate the convolution of the formed behavior pattern, calculate the degree of harmfulness the convolution and a model for detection of malicious files, manage the computing resources used to ensure the security of that computing device, based on the degree of harmfulness, wherein the degree of harmfulness is within a predetermined range of values and if the obtained degree of harmfulness of applications exceeds the predetermined threshold value, send a request to allocate additional resources of the computing device, otherwise send a request to free up previously allocated resources of the computing device.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: November 10, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Alexander S. Chistyakov, Ekaterina M. Lobacheva, Alexey M. Romanenko
  • Patent number: 10810308
    Abstract: Disclosed herein are systems and methods of creating antivirus records. An exemplary method comprises: analyzing, by a protector against targeted attacks, a log of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to records of a log of API function calls is identified; extracting one or more records of API function calls associated with the identified behavioral rule; determining whether at least one extracted record of the API function calls can be registered by a protector of a computing device; and when the at least one extracted record can be registered by the protector of the computing device, creating an antivirus record for the protector of the computing device, wherein the created antivirus record includes at least the extracted records of the API function calls.
    Type: Grant
    Filed: October 3, 2018
    Date of Patent: October 20, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Gordeychik, Sergey V. Soldatov, Konstantin V. Sapronov
  • Patent number: 10795996
    Abstract: Disclosed are systems and methods for machine learning of a model for detecting malicious files. The described system samples files from a database of files and trains a detection model for detecting malicious files on the basis of an analysis of the sampled files. The described system forms behavior logs based on executable commands intercepted during execution of the sampled files, and generates behavior patterns based on the behavior log. The described system determines a convolution function based on the behavior patterns, and trains a detection model for detecting malicious files by calculating parameters of the detection model using the convolution function on the behavior patterns. The trained detection model may be used to detect malicious files by utilizing the detection model on a system behavior log generated during execution of suspicious files.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: October 6, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Alexander S. Chistyakov, Ekaterina M. Lobacheva, Alexey M. Romanenko
  • Patent number: 10783042
    Abstract: Disclosed are systems and methods for preserving of data saved on a data storage device. An assessment is made as to the degradation of the data storage device, during which a determination is made of the rate of degradation and the probability of failure of the data storage device. When the probability is greater than a given threshold, the damaged sectors of the data storage device are identified by scanning of the surface of the data storage device. A worth grade (i.e., the value of the saved data to the user) is determined at least for data in sectors close to the damaged sectors on the basis of an analysis of at least the meta-data of the data. A decision is made as to the possible loss of data, and a backup copy is created based on the worth grade of the data and the rate of degradation of the data storage device.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: September 22, 2020
    Assignee: AO Kaspersky Lab
    Inventor: Alexander A. Romanenko
  • Patent number: 10778695
    Abstract: Systems and methods for ensuring data security. A MAC is computed sequentially for each selected message from a data log that contains at least two messages. To build a data block, a preset encryption key is used for a first message and an encryption key for the previous message is used for subsequent messages. A determination that the data log is compromised can be made based on MAC data block data and an independent calculation of a MAC.
    Type: Grant
    Filed: June 11, 2018
    Date of Patent: September 15, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Dmitry A. Kulagin, Pavel V. Dyakin
  • Patent number: 10771500
    Abstract: Disclosed are systems and methods for detecting distributed denial-of-service (DDoS) attack. An exemplary method includes receiving one or more requests from a first user for a service executing on a server, and generating a first vector associated with the first user comprised of a plurality of characteristics indicative of the first user accessing the service; calculating a comparison between the first vector and a reference vector, wherein the reference vector comprises an averaged distribution of characteristics for a plurality of users accessing the service, and determining that the service is under a denial-of-service attack based on the comparison between the first vector and the reference vector.
    Type: Grant
    Filed: March 2, 2018
    Date of Patent: September 8, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Alexander A. Khalimonenko, Anton V. Tikhomirov, Sergey V. Konoplev
  • Patent number: 10713359
    Abstract: Disclosed are systems and methods for detection of malicious intermediate language files. In one exemplary aspect, the system comprises a database comprising hashes of known malicious files, a resource allocation module configured to select a set of resources from a file being analyzed, a hash calculation module, coupled to the resource allocation module, configured to calculate a perceptive hash of the set of resources; and an analysis module, coupled to the other modules, configured to identify a degree of similarity between the set of resources and a set of resources from known malicious files by comparing the perceptive hash with perceptive hashes of the set of resources from known malicious files, determine a harmfulness of the file being analyzed based on the degree of similarity and remove or quarantine the file being analyzed when the harmfulness exceeds a predetermined threshold.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: July 14, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir V. Krylov, Alexander V. Liskin, Alexey E. Antonov
  • Patent number: 10691800
    Abstract: Disclosed are methods and systems for detecting malicious codes in the address space of processes. The described method detects a launching of a process from an executable file executing on a computer, detects access to an address within a memory area in an address space of the trusted process, wherein the memory area is a memory area that lies outside the boundaries of the trusted executable image representing the executable file and is an executable memory area, analyzes memory areas within a vicinity of the address space to determine whether another executable image is located in the memory areas, analyzing the another executable image to determine whether the other executable image contains malicious code, concluding malicious code is contained in the address space of the trusted process when the another executable image contains malicious code and performing one of removing, halting or quarantining the malicious code from the address space.
    Type: Grant
    Filed: March 20, 2018
    Date of Patent: June 23, 2020
    Assignee: AO Kaspersky Lab
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 10691801
    Abstract: Systems and methods for limiting applications launched without installation for the presence of malicious code. Applications launched without installation and which contain malicious code can be stopped or paused. Relationships between a fully-functional website-related application requiring installation and a functionally-restricted application launched without installation can be used to determine malicious code.
    Type: Grant
    Filed: April 24, 2018
    Date of Patent: June 23, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Victor V. Yablokov, Anton S. Samoylov, Alexander Y. Shindin
  • Patent number: 10693907
    Abstract: Disclosed are a system, a method, and computer readable storage medium having instructions for filtering network traffic to protect a server from a distributed denial-of-service (DDoS) attack. The described technique includes intercepting data from a network node to the computing device responsive to detecting a computing device is subject to a DDoS attack. The technique further includes determining one or more data transmission parameters based on the intercepted data, assigning a danger rating to the network node, and changing the danger rating of the network node based on application of a filter and on the data transmission parameters. The described technique limits a transmittal of data from the network node to the computing device if the resultant danger rating of the network node exceeds a threshold value.
    Type: Grant
    Filed: June 6, 2017
    Date of Patent: June 23, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Nikolay V. Gudov, Alexander A. Khalimonenko, Denis E. Koreshkov
  • Patent number: 10685109
    Abstract: Systems and methods for managing antivirus records. A method can include providing a data store of antivirus records, providing an antivirus application to be executed on each of a plurality of user computers, and executing instructions by a remote server to implement a processing tool configured to collect an antivirus record parameter for a particular antivirus record and collect statistical data of detection events associated with the antivirus record, and a processing tool configured to determine a false activation using the antivirus record parameter and the statistical data.
    Type: Grant
    Filed: April 18, 2018
    Date of Patent: June 16, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Denis I. Parinov, Konstantin Y. Sviridov, Sergey I. Ulasen
  • Patent number: 10671720
    Abstract: Aspects of the present disclosure include systems and methods for detecting unwanted software. An exemplary method comprises identifying a first file associated with a first application and a second file installed on the computing device, wherein the first file is related to the second file, identifying a second application installed on the computing device that uses at least one of the first and second files, determining a first frequency of use for the first application and a second frequency of use for the second application, determining that the second application was installed at substantially the same time as the first application based on a comparison of the first frequency of use and the second frequency of use and determining that the first application is an unwanted application when the comparison of the first frequency and the second frequency results in a degree of similarity greater than a threshold value.
    Type: Grant
    Filed: February 11, 2019
    Date of Patent: June 2, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Alexander V. Amrilloev, Alexander A. Stroykov, Alexey S. Subbotin, Pavel V. Korzh, Mikhail A. Modin
  • Patent number: 10665120
    Abstract: Disclosed are systems, methods and computer program products for motivating and rewarding a student to study new subjects by controlling student's access to an electronic device based on results of studying. An example method includes generating, by a hardware processor, an exercise for a user based on a learning criteria; associating the exercise with an access control policy for at least one user's device; providing the exercise to the user and receiving a user's answer to the exercise; determining based on the user's answer whether to apply or not apply to the user's device the access control policy associated with the exercise; and based on the determination whether to apply or not apply the access control policy to the user's device, controlling or not controlling access of the user to the user's device.
    Type: Grant
    Filed: November 10, 2014
    Date of Patent: May 26, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Alexey M. Chikov, Olga O. Inozemtseva
  • Patent number: 10642973
    Abstract: Disclosed are systems and methods for analysis of files for maliciousness and determining an action. An exemplary method comprises: opening a file, by a processor, in a virtual machine, intercepting an event arising in an execution of a thread of a process created upon opening of the file, determining, a context of the processor on which the thread is being executed, the determination including reading register values of the processor and a stack, comparing the context with rules that check: a behavior of the thread of the process, a changing, by the thread, of attributes of the file, and an access of the thread to the Internet, and based on a result of the comparison, performing at least one of: recognizing the file as being malicious, halting the execution of the thread, changing the context of the processor, and waiting for a next intercepted event.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: May 5, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
  • Patent number: 10621380
    Abstract: Disclosed are systems and methods for blocking access to interface elements of a page of an application in an applications store. In one exemplary aspect, a method comprises executing a restrictive application that restricts use of a computing device, determining that an application store page for the restrictive application is being presented in the applications store on the computing device by using an accessibility application programming interface (API), blocking access to one or more interface controls for evaluation of the application in the applications store, obtaining authentication data associated with an authorized user using the computing device and responsive to determining that the authentication data satisfies one or more conditions for unblocking, providing access to the interface controls.
    Type: Grant
    Filed: October 11, 2018
    Date of Patent: April 14, 2020
    Assignee: AO Kaspersky Lab
    Inventor: Victor V. Yablokov
  • Patent number: 10621356
    Abstract: Disclosed are systems and methods for controlling opening of computer files by vulnerable applications. An example method includes: responsive to detecting creation by a source software application of a computer file on the user computer, determining a file access policy associated with the computer file based on one or more parameters of the computer file; responsive to detecting a request from a consumer software application to open the computer file, determining an application launching policy associated with the consumer software application based on one or more vulnerabilities identified for the consumer software application; determining a file opening policy associated with the computer file and the consumer software application based on the file access policy, the application launching policy, and respective priorities amongst the policies; and controlling opening of the computer file by the consumer software application according to the determined file opening policy.
    Type: Grant
    Filed: May 30, 2017
    Date of Patent: April 14, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Andrey A. Efremov, Andrey V. Ladikov, Andrey Y. Solodovnikov, Alexey V. Monastyrsky
  • Patent number: 10623232
    Abstract: Disclosed are system and method for determining and forming a list of update agents for a plurality of network terminal nodes connecting with at least one server in a network. One exemplary method comprises: receiving, by at least one network terminal node of the plurality of network terminal nodes, at least one unique identifier assigned by the server to the at least one network terminal node; broadcasting in the network the at least one unique identifier by the at least one network terminal node; collecting data relating to the at least one network terminal node and other network terminal nodes broadcasting in a same broadcasting domain of the network; and transmitting the data to the server for determining and forming a list of update agents for the same broadcasting domain of the network.
    Type: Grant
    Filed: January 30, 2017
    Date of Patent: April 14, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Andrey V. Kazachkov, Evgeny S. Zakharov