Patents Assigned to Kaspersky Lab, ZAO
  • Patent number: 8819835
    Abstract: Method and computer program product for signature testing used in anti-malware processing. Silent signatures, after being tested, are not updated into a white list and are sent directly to users instead. If the silent signature coincides with malware signature, a user is not informed. A checksum (e.g., hash value) of a suspected file is sent to a server, where statistics are kept and analyzed. Based on collected false positive statistics of the silent-signature, the silent-signature is either valid or invalid. Use of the silent signatures provides for effective signature testing and reduces response time to new malware-related threats. The silent signature method is used for turning off a signature upon first false positive occurrence. Use of silent signatures allows improving heuristic algorithms for detection of unknown malware.
    Type: Grant
    Filed: January 14, 2013
    Date of Patent: August 26, 2014
    Assignee: Kaspersky Lab, ZAO
    Inventor: Denis A. Nazarov
  • Patent number: 8819774
    Abstract: Disclosed are systems, methods and computer program products for protecting cloud security services from unauthorized access and malware attacks. In one example, a cloud server receives one or more queries from security software of the user device. The server analyzes a system state and configuration of the user device to determine the level of trust associated with the user device. The server also analyzes the one or more queries received from the security software to determine whether to update the level of trust associated with the user device. The server determines, based on the level of trust, how to process the one or more queries. Finally, the server provides responses to the one or more queries from the security software based on the determination of how to process the one or more queries.
    Type: Grant
    Filed: February 1, 2014
    Date of Patent: August 26, 2014
    Assignee: Kaspersky Lab Zao
    Inventors: Eldar M. Kononov, Anton S. Lapushkin, Andrey A. Efremov
  • Patent number: 8812563
    Abstract: A system for permanent data deletion is provided. The file deletion system consists of a permanent deletion unit, an analysis module, a database of rules for forming deletion algorithm and an algorithm forming unit. A file to be deleted is passed into the system and the system permanently deletes the file. The system dynamically forms the deletion algorithm based on algorithm forming rules. The rules are selected from the database according to file parameters and user criteria. The file parameters are determined by the analysis module. A user has an access to algorithm forming rules and can edit the rules. Algorithm forming rules can be based on an arbitrary number of complex conditions.
    Type: Grant
    Filed: October 18, 2010
    Date of Patent: August 19, 2014
    Assignee: Kaspersky Lab, ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 8806009
    Abstract: A system and method for dynamic configuration of the security modules for optimization of execution of security tasks are provided. The system includes: a mechanism for identifying the clients connected to the network; a client data collection unit that determines hardware/software configurations of each detected client; a security module selection and installation unit that selects required modules for each client; a statistics collection unit that collects the security tasks execution statistics from user modules and from client modules; and a configuration unit that configures the client and server modules based on the collected statistics in order to optimize execution of the security tasks.
    Type: Grant
    Filed: March 26, 2013
    Date of Patent: August 12, 2014
    Assignee: Kaspersky Lab, ZAO
    Inventors: Andrey Kulaga, Anton Tikhomirov
  • Patent number: 8805972
    Abstract: Application configuration settings are managed for a plurality of diverse computing devices having different resources including independent applications. An operational objective defining certain behaviors for a plurality of applications executable on computing devices is received via a user input. Configuration and resource information is obtained for each computing device. A determination is made of applications on each of the computing devices for which the specified operational objective can be at least partially achieved. The determination is based on the user input, on the configuration and resource information for each of the computing devices, and on a predefined set of resource mappings that defines requirements for meeting various operational objectives and resources needed for meeting each of the requirements.
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: August 12, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Petr S. Merkulov, Victor F. Dronov
  • Publication number: 20140223566
    Abstract: A server-based system for generation of heuristic scripts for malware detection includes an automatic heuristics generation system for generating heuristic scripts for curing malware infections; a log database containing logs of events from user computers, including detection of known malicious objects and detection of suspicious objects; a safe objects database accessible containing signatures of known safe objects; a malicious objects database containing signatures of known malicious objects. The system retrieves suspect object metadata from the log database and generates the heuristic script based on data from the safe and malicious objects databases. For multiple computers having the same configuration and having the same logs, only one log common to all the multiple computers is transmitted and only one heuristic script is distributed to the multiple computers. A different and specific heuristic script is distributed to those computers that have a different log than the common log.
    Type: Application
    Filed: February 1, 2013
    Publication date: August 7, 2014
    Applicant: KASPERSKY LAB, ZAO
    Inventor: Oleg V. ZAITSEV
  • Publication number: 20140215627
    Abstract: Disclosed are system, method and computer program product for correcting antivirus records. In an example aspect, an antivirus application analyzes a software object for a presence of malware. The antivirus application includes an antivirus database and an antivirus cache. The antivirus application retrieves from the antivirus database an antivirus record associated with the analyzed object. The antivirus record indicates whether the object is clean or malicious and further includes at least a test antivirus record status indicator. The antivirus application checks at least in the antivirus cache for correction of the test antivirus record. The correction includes a change in the test status of the antivirus record. When a correction for the retrieved antivirus record is found in the antivirus cache, the antivirus application uses said correction for the antivirus record for a further processing of the software object.
    Type: Application
    Filed: March 31, 2014
    Publication date: July 31, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Alexander A. Romanenko, Anton S. Lapushkin, Oleg A. Ishanov
  • Patent number: 8793207
    Abstract: Disclosed are system, method and computer program product for adaptive control of actions of a user on a computer system. The system monitors one or more actions of the user, applies restriction rules to detect prohibited user actions, and blocks prohibited actions that violate at least one restriction rule. The system also collects information on allowed actions of the user and corresponding system events, analyzes in real-time the collected information about system events corresponding to the allowed actions to detect anomalous actions that did not violate any of the restriction rules, but caused abnormal increase in the usage of certain system resources. When an anomalous action is detected, the system identifies restriction rules that are associated with the detected anomalous action and edits these rules or creates new restriction rules to include the anomalous action prohibited to the user.
    Type: Grant
    Filed: January 24, 2013
    Date of Patent: July 29, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Alexander V. Ledenev, Evgeny B. Kolotinsky, Konstantin S. Ignatyev
  • Publication number: 20140207724
    Abstract: Disclosed are system, method and computer program product for adaptive control of actions of a user on a computer system. The system monitors one or more actions of the user, applies restriction rules to detect prohibited user actions, and blocks prohibited actions that violate at least one restriction rule. The system also collects information on allowed actions of the user and corresponding system events, analyzes in real-time the collected information about system events corresponding to the allowed actions to detect anomalous actions that did not violate any of the restriction rules, but caused abnormal increase in the usage of certain system resources. When an anomalous action is detected, the system identifies restriction rules that are associated with the detected anomalous action and edits these rules or creates new restriction rules to include the anomalous action prohibited to the user.
    Type: Application
    Filed: January 24, 2013
    Publication date: July 24, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Alexander V. Ledenev, Evgeny B. Kolotinsky, Konstantin S. Ignatyev
  • Patent number: 8782793
    Abstract: Disclosed are systems and methods for detection and repair of malware on data storage devices. The system includes a controller, a communication interface for connecting an external data storage device, and a memory for storing antivirus software. The antivirus software is configured to scan the data contained in the data storage device, perform repair or removal of malicious files or programs found on the data storage device, identify suspicious files or programs on the data storage device and malicious files or programs that cannot be repaired or removed from the data storage device, send information about these files or programs to the antivirus software provider, receive updates for the antivirus software from the antivirus software provider, and rescan the suspicious files or programs and malicious files or programs that cannot be repaired or removed using updated antivirus software.
    Type: Grant
    Filed: May 22, 2012
    Date of Patent: July 15, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 8776234
    Abstract: A method for reducing the size of the AV database on a user computer by dynamically generating an AV database according to user parameters is provided. Critical user parameters that affect the content of the AV database required for this user are determined. The AV database for the single user is generated based on the user parameters. When the parameters of the user computer change or when new malware threats are detected, the user AV database is dynamically updated according to the new parameters and the new malware threats. The update procedure becomes more efficient since a need of updating large volumes of data is eliminated. The AV system, working with a small AV database, finds malware objects more efficiently and uses less of computer system resources.
    Type: Grant
    Filed: April 20, 2011
    Date of Patent: July 8, 2014
    Assignee: Kaspersky Lab, ZAO
    Inventor: Andrey P. Doukhvalov
  • Patent number: 8776241
    Abstract: Solutions for responding to security-related incidents in a computer network, including a security server, and a client-side arrangement. The security server includes an event collection module communicatively coupled to the computer network, an event analysis module operatively coupled to the event collection module, and a solution module operatively coupled to the event analysis module. The event collection module is configured to obtain incident-related information that includes event-level information from at least one client computer of the plurality of client computers, the incident-related information being associated with at least a first incident which was detected by that at least one client computer and provided to the event collection module in response to that detection. The event analysis module is configured to reconstruct at least one chain of events causally related to the first incident and indicative of a root cause of the first incident based on the incident-related information.
    Type: Grant
    Filed: August 29, 2011
    Date of Patent: July 8, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg Zaitsev
  • Patent number: 8769657
    Abstract: Disclosed are systems, methods and computer program products for multi-level user authentication. In one example, a method includes detecting a plug-in token connected to a device that controls user access to a protected resource; identifying one or more authorized users associated with the detected token who are authorized to access the protected resource; authenticating whether a first user requesting access to the protected resource is associated with the detected token and authorized to access the protected resource; detecting presence of one or more wireless transponders of one or more authorized users associated with the token, including at least a transponder of the first user; and providing access to the protected resource to the first user when the first user is authenticated as an authorized user associated with the detected token and the transponder of at least the first user is detected.
    Type: Grant
    Filed: September 15, 2012
    Date of Patent: July 1, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 8767694
    Abstract: Disclosed are system, method and computer program product for remote administration of mobile devices. The system includes an administration server that receives a request to perform a remote administrative task on a mobile device. The server selects a function that performs the requested remote administrative task. The server identifies one or more management protocols that perform the selected function, wherein different protocols use different mechanisms to perform the same function. The server determines if the mobile device supports one or more of the identified protocols. When the mobile device supports two or more different management protocols, the server selects a protocol with the highest priority for performing the selected function. The server then executes the selected management protocol to perform the selected function that performs the requested remote administrative task on the mobile device.
    Type: Grant
    Filed: December 28, 2012
    Date of Patent: July 1, 2014
    Assignee: Kaspersky Lab, ZAO
    Inventor: Victor V. Yablokov
  • Publication number: 20140181801
    Abstract: Automated deployment of a software application to be installed via a software installation package onto different user devices for different users. An initial software installation package is obtained, along with information representing (a) associations between the users and the user devices, (b) user attributes from which access privilege level information for individual users is determinable, and (c) device attributes for each of the plurality of user devices, including network connectivity information. The initial software installation package is custom-configured for individual user devices based on the information representing (a) and (b) to produce different specially-configured software installation packages. Each one includes installation parameters that establish functionality for the software application based on the access privilege level of the corresponding user. Data transfer channels are custom-configured for individual user devices based on the information representing (a) and (c).
    Type: Application
    Filed: March 27, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Konstantin P. Voronkov, Stepan N. Deshevykh, Victor V. Yablokov
  • Publication number: 20140181970
    Abstract: An improved emulator for analyzing software code, and associated method. The emulator includes a virtual execution environment in which a series of virtual processing states are represented during emulation of a first portion of the software code, and a hardware accelerator that performs an initialization of the computing hardware to directly execute a second portion of the software code under investigation without emulation thereof in the virtual execution environment. An efficiency assessment module determines a measure of efficiency of performing the executing of the second portion of the software code under investigation without emulation thereof, and an acceleration decision module performs selection of the second portion of the software code under investigation to be directly executed by the hardware accelerator module based on the determined measure of efficiency.
    Type: Application
    Filed: March 28, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventor: Sergey Y. Belov
  • Publication number: 20140181530
    Abstract: Disclosed are systems, methods and computer program products for protecting cloud security services from unauthorized access and malware attacks. In one example, a cloud server receives one or more queries from security software of the user device. The server analyzes a system state and configuration of the user device to determine the level of trust associated with the user device. The server also analyzes the one or more queries received from the security software to determine whether to update the level of trust associated with the user device. The server determines, based on the level of trust, how to process the one or more queries. Finally, the server provides responses to the one or more queries from the security software based on the determination of how to process the one or more queries.
    Type: Application
    Filed: February 1, 2014
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Eldar M. Kononov, Anton S. Lapushkin, Andrey A. Efremov
  • Publication number: 20140181971
    Abstract: System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.
    Type: Application
    Filed: March 29, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Ivan I. Tatarinov, Vladislav V. Martynenko, Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Konstantin V. Sapronov, Yuri G. Slobodyanuk
  • Publication number: 20140181897
    Abstract: Disclosed are systems, methods and computer program products for detecting computer malware using security rating rules. In one example, the system identifies at least one problematic security rating rule that was activated during antivirus analysis of both safe and malicious programs. The system then selects a group of programs for which said problematic rule was activated. The system then identifies in the selected group of programs a plurality of only malicious programs or the plurality of only safe programs based on the problematic security rating rule and at least one different security rating rule. The system then generates a behavior model script based on the problematic security rating rule and the at least one different security rating rule and executes said behavior model script during antivirus analysis of said analyzed program to detect a computer malware in said analyzed program.
    Type: Application
    Filed: November 12, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Publication number: 20140181974
    Abstract: Disclosed are system and methods for detecting malicious applications. The system provides a library of handler functions. The handler functions control access of one or more applications to protected resources on a user device. The system also modifies the one or more applications to access the library of handler functions instead of corresponding application program interface (API) functions of the user device. The handler functions receive API function calls from a modified application. The system analyzes the received API function calls for malicious behavior characteristics. When the API function calls do not exhibit malicious behavior characteristics, the handler functions perform the API function calls to the protected resources. When the API function calls exhibit malicious behavior characteristics, the system prevents access of the modified application to the protected resources.
    Type: Application
    Filed: September 27, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Victor V. Yablokov, Evgeny Y. Eliseev