Patents Assigned to Kaspersky Lab, ZAO
  • Publication number: 20150007252
    Abstract: Disclosed are systems, methods and computer program products for configuring application control rules. The system creates a new application control rule that specifies restrictions or permissions on execution of a software application, a function of an application or a category of applications. The system then collects information about one or more computers in a network, including information about software applications deployed on the computers and existing application control rules. The system then tests the new application control rule using the collected information to determine verdicts rendered by the new application control rule that restrict or permit execution of an application, a certain function of an application or a category of applications. The system then compares verdicts rendered by the new application rule with the verdicts rendered by the existing application control rules to identify conflicting rules, and reconfigures the new application control rule to eliminate conflicts.
    Type: Application
    Filed: December 4, 2013
    Publication date: January 1, 2015
    Applicant: Kaspersky Lab ZAO
    Inventors: Andrey V. Kazachkov, Andrey A. Pravdivy, Damir R. Shiyafetdinov
  • Publication number: 20150007325
    Abstract: Disclosed are a system and methods for detecting malware by performing behavioral malware analysis using malware trigger scenarios. In one aspect, a method for malware detection includes providing a plurality of malware trigger scenarios specifying different sets of malware trigger events known to trigger malicious behaviour in malicious software. The method further includes executing a software program in a computer environment and creating one or more malware trigger events as specified in the malware trigger scenarios. The method further includes monitoring execution events of the software program in the computer environment and determining based on the analysis of the monitored execution events whether the software program exhibits malicious behaviour. When the software program exhibits malicious behaviour, performing remedial actions on the software program.
    Type: Application
    Filed: October 12, 2013
    Publication date: January 1, 2015
    Applicant: Kaspersky Lab ZAO
    Inventors: Evgeny Y. Eliseev, Victor V. Yablokov
  • Patent number: 8925076
    Abstract: System and method for re-adjustment of a security application to various application execution scenarios. Application execution scenarios for each of a set of software applications are created, each representing a specific subset of functionality of a corresponding application. Sets of security application configuration instructions are stored, each corresponding to at least one of the application execution scenarios. A current one or more of the application execution scenarios that is being executed in the computing device is determined and, in response, a set of security application configuration instructions corresponding to each current application execution scenario are carried out, such that the security application is adjusted to perform a specific subset of security functionality that is particularized to the current one or more of the application execution scenarios.
    Type: Grant
    Filed: December 11, 2012
    Date of Patent: December 30, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 8914884
    Abstract: Disclosed are a system, methods and a computer program product for secure transfer of data from an input device. An example method includes receiving first data by a driver of the input device; interpreting the first data into second data by the driver; sending the second data to a driver filter of an antivirus software; determining, by the antivirus software, whether the second data is associated with a user interface application protected by the antivirus software; when the second data is associated with a protected application, bypassing an operating system and sending the second data to the user interface application; sending the second data by the user interface application to a Text Services Framework (TSF) software; processing the second data by the TSF software to generate third data; sending the third data by the TSF software to the user interface application for display on a user interface.
    Type: Grant
    Filed: July 21, 2014
    Date of Patent: December 16, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Sergey V. Kogan, Igor S. Maslov
  • Publication number: 20140366137
    Abstract: Disclosed are systems, methods and computer program products for detection of malicious executable files based on the similarity of various types of extractable resources of the executable files. In one aspect, the system determines a type of an executable file being analyzed and determines types of extractable resources of the executable file based on the type of the executable file. The system then extracts the identified extractable resources of the executable file and compares the extracted resources to known resources of malicious executable files. The system then determines a degree of similarity between the compared resources. The system then determines whether the executable file is malicious based on a degree of similarity of the one or more compared resources.
    Type: Application
    Filed: November 5, 2013
    Publication date: December 11, 2014
    Applicant: Kaspersky Lab ZAO
    Inventor: Ivan I. Tatarinov
  • Publication number: 20140365585
    Abstract: Disclosed are a system and methods for detecting spam using shingles. In one aspect, the system receives an electronic message including at least a text portion. The system identifies in the received message insignificant text portions. The system then removes identified insignificant text portions to generate an abridged message. The system then generates a set of shingles from the abridged message. The system then identifies in the generated set of shingles one or more shingles that occur only in messages not containing spam. The system then removes one or more identified shingles from the generated set of shingles to generate a reduced set of shingles. The system then performs spam filtering of the reduced set of shingles to determine whether the received message contains spam.
    Type: Application
    Filed: November 1, 2013
    Publication date: December 11, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Sergey G. Zagorsky, Darya V. Loseva, Vladimir A. Skvortsov
  • Patent number: 8910286
    Abstract: Instructions of an application program are emulated such that they are carried out sequentially in a first virtual execution environment that represents the user-mode data processing of the operating system. A system API call requesting execution of a user-mode system function is detected. In response, the instructions of the user-mode system function called by the API are emulated according to a second emulation mode in which the instructions of the user-mode system function are carried out sequentially in a second virtual execution environment that represents the user-mode data processing of the operating system, including tracking certain processor and memory states affected by the instructions of the user-mode system function. Results of the emulating of the application program instructions according to the first emulation mode are analyzed for any presence of malicious code.
    Type: Grant
    Filed: September 25, 2013
    Date of Patent: December 9, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Sergey Y. Belov
  • Patent number: 8910283
    Abstract: A pre-OS security agent runs in an environment independent of the operating system (OS) but interfaced with the file system and able to exchange information with a security application running over the OS. Prior to the start-up of the OS, an indication of a state or condition is obtained relating to a risk of an inability of the security application to function normally, or to a change in the computer system affecting the start-up of the OS. Based on the indication, a set of one or more actions are determined for resolving the state or condition. The pre-OS security agent executes the set of one or more actions in response to the indication.
    Type: Grant
    Filed: November 21, 2013
    Date of Patent: December 9, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Igor A. Gusarov, Yury V. Nesmachny, Sergey V. Dobrovolsky, Ilya B. Godunov
  • Publication number: 20140325226
    Abstract: Disclosed are systems, methods and computer program products for providing user access to encrypted data. In one example, a system is configured to receive a security policy for the user device, wherein the security policy includes data access conditions and data encryption conditions for one or more users of the user device; identify one or more user accounts in the OS of the user device as specified in the data access conditions; create a pre-boot authentication account (PBA) for the identified user accounts based on the data access conditions, for storing pre-boot authentication credentials for authenticating a user before booting of the OS on the user device; and encrypt at least a portion of data stored on the user device based on the data encryption conditions, wherein access to the encrypted portion of data is granted to the user upon entry of the correct pre-boot authentication credentials.
    Type: Application
    Filed: November 12, 2013
    Publication date: October 30, 2014
    Applicant: Kaspersky Lab Zao
    Inventors: Damir R. Shiyafetdinov, Alexander N. Makarov, Evgeniya P. Kirikova, Vladislav I. Ovcharik, Konstantin V. Kamanin
  • Publication number: 20140325234
    Abstract: Disclosed are systems, methods and computer program products for providing user access to encrypted data. In one example, a system is configured to receive a security policy for the user device, wherein the security policy includes data access conditions and data encryption conditions for one or more users of the user device; identify one or more user accounts in the OS of the user device as specified in the data access conditions; create a pre-boot authentication account (PBA) for the identified user accounts based on the data access conditions, for storing pre-boot authentication credentials for authenticating a user before booting of the OS on the user device; and encrypt at least a portion of data stored on the user device based on the data encryption conditions, wherein access to the encrypted portion of data is granted to the user upon entry of the correct pre-boot authentication credentials.
    Type: Application
    Filed: July 11, 2013
    Publication date: October 30, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Damir R. Shiyafetdinov, Alexander N. Makarov, Evgeniya P. Kirikova, Vladislav I. Ovcharik, Konstantin V. Kamanin
  • Patent number: 8875294
    Abstract: Disclosed are systems, methods and computer program products for detecting computer malware. In one example, a security server receives information about a suspicious software object detected by a client computer using one or more malware detection methods. The server identifies the malware detection methods used to detect the suspicious object, and selects one or more different malware detection methods to check whether the suspicious object is malicious or clean. The server analyzes the suspicious object using the selected one or more different malware analysis methods to check whether the object is malicious or clean. If the object is determined to be malicious, the server generates and sends to the client computer detection instructions specific to the one or more malware detection methods used by the client computer for detecting and blocking the malicious object on the client computer.
    Type: Grant
    Filed: January 25, 2013
    Date of Patent: October 28, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Sergey Y. Golavanov
  • Patent number: 8868924
    Abstract: Disclosed are systems, methods and computer program products for modifying a software distribution package. In one aspect, the system receives a software distribution package including one or more compressed files and one or more digital signatures of the one or more files; determines whether it is necessary to modify the software distribution package; determines a size of modifications to the software distribution package; if the size of the modifications does not exceed a size threshold, modifies a commentary section of the software distribution package without recalculating the digital signatures for the files included in the software distribution package; and if the size of the modifications exceeds the size threshold, modifies an offset region between a file structure of the software distribution package and the compressed files of the software distribution package without recalculating the digital signatures of the files included in the software distribution package.
    Type: Grant
    Filed: March 4, 2014
    Date of Patent: October 21, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Konstantin M. Filatov, Victor V. Yablokov
  • Patent number: 8863284
    Abstract: Disclosed are systems, methods and computer program products for determining a security status of at least one potentially malicious file in a customer network. An example method comprises receiving, by a client computer system, client heuristics information from a server system for determining a security status of client data generated by at least one client application; monitoring and identifying at least one suspicious file of the client data as a potentially malicious file by analyzing metadata associated with the at least one suspicious file using the client heuristics information; collecting threat-identification information of the potentially malicious file to exclude confidential information associated with a content of the potentially malicious file; transmitting the threat-identification information to the server system for determining a security status of the potentially malicious file; and receiving security tools from the server system to block or remove the potentially malicious file.
    Type: Grant
    Filed: May 26, 2014
    Date of Patent: October 14, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Alexey A. Polyakov, Konstantin V. Sapronov
  • Patent number: 8863289
    Abstract: Disclosed is a portable security device and method for detection and treatment of computer malware. The security device includes a communication interface for connecting to a computer, a memory for storing a set of data for use in malware detection experiments, and an antivirus engine configured to perform one or more malware detection experiments on the computer. A malware detection experiment includes simulating a connection to the computer of a data storage device containing a predefined set of data. The antivirus engine is further configured to identify modifications in the set of data contained in the data storage device after termination of one or more malware detection experiments, analyze a modified set of data for presence of computer malware, determine a treatment mechanism for the detected malware, perform treatment of the detected malware on the computer, and generate user reports.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: October 14, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 8856542
    Abstract: System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.
    Type: Grant
    Filed: March 29, 2013
    Date of Patent: October 7, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Ivan I. Tatarinov, Vladislav V. Martynenko, Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Konstantin V. Sapronov, Yuri G. Slobodyanuk
  • Patent number: 8856774
    Abstract: A system and method for testing and optimization of updates. An update is received by a test module, which selects a testing environment and determines a testing period. The test module tests the update in the testing environment and provides the test results to an analyzer module. The analyzer module determines the feasibility of the update installation based on a set of feasibility rules. If the update is deemed feasible, the update is added to the list of the updates for installation and provided to an installation module for installation on computer systems.
    Type: Grant
    Filed: January 20, 2014
    Date of Patent: October 7, 2014
    Assignee: Kaspersky Lab, ZAO
    Inventors: Andrey A. Kulaga, Andrey V. Lashchenkov, Andrey V. Kazachkov
  • Publication number: 20140298470
    Abstract: Disclosed are systems, methods and computer program products for adaptively modifying antivirus databases. In one example, a system stores in an antivirus database a list of file types and antivirus records for different file types. When the system receives files for performing antivirus analysis, it retrieves from the database the list of file types and uses it to determine file types of the received files. The system then retrieves from the database antivirus lists for the determined file types and uses them to perform antivirus analysis of the files. The system then identifies files with an unknown file type and attempts to determine the file type of these files. The system then updates the antivirus database by (i) adding to the list of file types a new file type corresponding to said unknown file type, and (ii) adding a new empty antivirus list corresponding to said unknown file type.
    Type: Application
    Filed: March 31, 2013
    Publication date: October 2, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Victor V. Yablokov, Oleg V. Nevstruev
  • Publication number: 20140298324
    Abstract: Automated configuration of a software application to be installed via a software installation package onto different user devices for different users. An initial software installation package is obtained, as is information representing (a) associations between the plurality of users and the plurality of user devices, and (b) user attributes from which access privilege level information for individual users is determinable. The initial software installation package is configured for the user devices based on the information representing (a) and (b), to produce a plurality of different specially-configured software installation packages, each one of which corresponds to one or more specific users and one or more specific user devices. Each specially-configured package includes parameters that establish functionality for the software application based on the access privilege level of the users.
    Type: Application
    Filed: March 27, 2013
    Publication date: October 2, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Konstantin P. Voronkov, Stepan N. Deshevykh, Victor V. Yablokov
  • Patent number: 8839444
    Abstract: Apparatus and method for analyzing usage of a software license. A computer system is configured to execute a software product that is activated, subject to a software license, by a first license key. The computer system includes a license use determining module that is adapted to communicate with a group of other computer systems on the same computer network, store first license key-related information that is derived from the first license key, send the first license key-related information to be received by each computer system of the group, and receive any messages sent by responders of the group in response to reception of the first license key-related information. Each of the messages is indicative of a corresponding responder having a copy of the software product that is activated by the first license key.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: September 16, 2014
    Assignee: Kaspersky Lab Zao
    Inventor: Evgeny E. Roshchin
  • Patent number: 8839234
    Abstract: Automated configuration of a software application to be installed via a software installation package onto different user devices for different users. An initial software installation package is obtained, as is information representing (a) associations between the plurality of users and the plurality of user devices, and (b) user attributes from which access privilege level information for individual users is determinable. The initial software installation package is configured for the user devices based on the information representing (a) and (b), to produce a plurality of different specially-configured software installation packages, each one of which corresponds to one or more specific users and one or more specific user devices. Each specially-configured package includes parameters that establish functionality for the software application based on the access privilege level of the users.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: September 16, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Konstantin P. Voronkov, Stepan N. Deshevykh, Victor V. Yablokov