Patents Assigned to Kaspersky Lab, ZAO
  • Publication number: 20140215627
    Abstract: Disclosed are system, method and computer program product for correcting antivirus records. In an example aspect, an antivirus application analyzes a software object for a presence of malware. The antivirus application includes an antivirus database and an antivirus cache. The antivirus application retrieves from the antivirus database an antivirus record associated with the analyzed object. The antivirus record indicates whether the object is clean or malicious and further includes at least a test antivirus record status indicator. The antivirus application checks at least in the antivirus cache for correction of the test antivirus record. The correction includes a change in the test status of the antivirus record. When a correction for the retrieved antivirus record is found in the antivirus cache, the antivirus application uses said correction for the antivirus record for a further processing of the software object.
    Type: Application
    Filed: March 31, 2014
    Publication date: July 31, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Alexander A. Romanenko, Anton S. Lapushkin, Oleg A. Ishanov
  • Patent number: 8793207
    Abstract: Disclosed are system, method and computer program product for adaptive control of actions of a user on a computer system. The system monitors one or more actions of the user, applies restriction rules to detect prohibited user actions, and blocks prohibited actions that violate at least one restriction rule. The system also collects information on allowed actions of the user and corresponding system events, analyzes in real-time the collected information about system events corresponding to the allowed actions to detect anomalous actions that did not violate any of the restriction rules, but caused abnormal increase in the usage of certain system resources. When an anomalous action is detected, the system identifies restriction rules that are associated with the detected anomalous action and edits these rules or creates new restriction rules to include the anomalous action prohibited to the user.
    Type: Grant
    Filed: January 24, 2013
    Date of Patent: July 29, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Alexander V. Ledenev, Evgeny B. Kolotinsky, Konstantin S. Ignatyev
  • Publication number: 20140207724
    Abstract: Disclosed are system, method and computer program product for adaptive control of actions of a user on a computer system. The system monitors one or more actions of the user, applies restriction rules to detect prohibited user actions, and blocks prohibited actions that violate at least one restriction rule. The system also collects information on allowed actions of the user and corresponding system events, analyzes in real-time the collected information about system events corresponding to the allowed actions to detect anomalous actions that did not violate any of the restriction rules, but caused abnormal increase in the usage of certain system resources. When an anomalous action is detected, the system identifies restriction rules that are associated with the detected anomalous action and edits these rules or creates new restriction rules to include the anomalous action prohibited to the user.
    Type: Application
    Filed: January 24, 2013
    Publication date: July 24, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Alexander V. Ledenev, Evgeny B. Kolotinsky, Konstantin S. Ignatyev
  • Patent number: 8782793
    Abstract: Disclosed are systems and methods for detection and repair of malware on data storage devices. The system includes a controller, a communication interface for connecting an external data storage device, and a memory for storing antivirus software. The antivirus software is configured to scan the data contained in the data storage device, perform repair or removal of malicious files or programs found on the data storage device, identify suspicious files or programs on the data storage device and malicious files or programs that cannot be repaired or removed from the data storage device, send information about these files or programs to the antivirus software provider, receive updates for the antivirus software from the antivirus software provider, and rescan the suspicious files or programs and malicious files or programs that cannot be repaired or removed using updated antivirus software.
    Type: Grant
    Filed: May 22, 2012
    Date of Patent: July 15, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 8776241
    Abstract: Solutions for responding to security-related incidents in a computer network, including a security server, and a client-side arrangement. The security server includes an event collection module communicatively coupled to the computer network, an event analysis module operatively coupled to the event collection module, and a solution module operatively coupled to the event analysis module. The event collection module is configured to obtain incident-related information that includes event-level information from at least one client computer of the plurality of client computers, the incident-related information being associated with at least a first incident which was detected by that at least one client computer and provided to the event collection module in response to that detection. The event analysis module is configured to reconstruct at least one chain of events causally related to the first incident and indicative of a root cause of the first incident based on the incident-related information.
    Type: Grant
    Filed: August 29, 2011
    Date of Patent: July 8, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg Zaitsev
  • Patent number: 8776234
    Abstract: A method for reducing the size of the AV database on a user computer by dynamically generating an AV database according to user parameters is provided. Critical user parameters that affect the content of the AV database required for this user are determined. The AV database for the single user is generated based on the user parameters. When the parameters of the user computer change or when new malware threats are detected, the user AV database is dynamically updated according to the new parameters and the new malware threats. The update procedure becomes more efficient since the need to update large volumes of data is eliminated. The AV system, working with a small AV database, finds malware objects more efficiently and uses fewer computer system resources.
    Type: Grant
    Filed: April 20, 2011
    Date of Patent: July 8, 2014
    Assignee: Kaspersky Lab, ZAO
    Inventor: Andrey P. Doukhvalov
  • Patent number: 8767694
    Abstract: Disclosed are system, method and computer program product for remote administration of mobile devices. The system includes an administration server that receives a request to perform a remote administrative task on a mobile device. The server selects a function that performs the requested remote administrative task. The server identifies one or more management protocols that perform the selected function, wherein different protocols use different mechanisms to perform the same function. The server determines if the mobile device supports one or more of the identified protocols. When the mobile device supports two or more different management protocols, the server selects a protocol with the highest priority for performing the selected function. The server then executes the selected management protocol to perform the selected function that performs the requested remote administrative task on the mobile device.
    Type: Grant
    Filed: December 28, 2012
    Date of Patent: July 1, 2014
    Assignee: Kaspersky Lab, ZAO
    Inventor: Victor V. Yablokov
  • Patent number: 8769657
    Abstract: Disclosed are systems, methods and computer program products for multi-level user authentication. In one example, a method includes detecting a plug-in token connected to a device that controls user access to a protected resource; identifying one or more authorized users associated with the detected token who are authorized to access the protected resource; authenticating whether a first user requesting access to the protected resource is associated with the detected token and authorized to access the protected resource; detecting presence of one or more wireless transponders of one or more authorized users associated with the token, including at least a transponder of the first user; and providing access to the protected resource to the first user when the first user is authenticated as an authorized user associated with the detected token and the transponder of at least the first user is detected.
    Type: Grant
    Filed: September 15, 2012
    Date of Patent: July 1, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Publication number: 20140181801
    Abstract: Automated deployment of a software application to be installed via a software installation package onto different user devices for different users. An initial software installation package is obtained, along with information representing (a) associations between the users and the user devices, (b) user attributes from which access privilege level information for individual users is determinable, and (c) device attributes for each of the plurality of user devices, including network connectivity information. The initial software installation package is custom-configured for individual user devices based on the information representing (a) and (b) to produce different specially-configured software installation packages. Each one includes installation parameters that establish functionality for the software application based on the access privilege level of the corresponding user. Data transfer channels are custom-configured for individual user devices based on the information representing (a) and (c).
    Type: Application
    Filed: March 27, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Konstantin P. Voronkov, Stepan N. Deshevykh, Victor V. Yablokov
  • Publication number: 20140181974
    Abstract: Disclosed are system and methods for detecting malicious applications. The system provides a library of handler functions. The handler functions control access of one or more applications to protected resources on a user device. The system also modifies the one or more applications to access the library of handler functions instead of corresponding application program interface (API) functions of the user device. The handler functions receive API function calls from a modified application. The system analyzes the received API function calls for malicious behavior characteristics. When the API function calls do not exhibit malicious behavior characteristics, the handler functions perform the API function calls to the protected resources. When the API function calls exhibit malicious behavior characteristics, the system prevents access of the modified application to the protected resources.
    Type: Application
    Filed: September 27, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Victor V. Yablokov, Evgeny Y. Eliseev
  • Publication number: 20140181805
    Abstract: Systems and methods for generating a set of event filtering rules for filtering events being produced in response to emulation of a program. A plurality of sample programs is constructed based on a plurality of known program development tools. Emulated execution of the plurality of sample programs is carried out in an isolated virtual machine environment and events occurring in the virtual machine environment as a result of the emulated execution of the plurality of sample programs are recorded in an event log. A set of rules is formulated for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.
    Type: Application
    Filed: December 20, 2012
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Publication number: 20140181970
    Abstract: An improved emulator for analyzing software code, and associated method. The emulator includes a virtual execution environment in which a series of virtual processing states are represented during emulation of a first portion of the software code, and a hardware accelerator that performs an initialization of the computing hardware to directly execute a second portion of the software code under investigation without emulation thereof in the virtual execution environment. An efficiency assessment module determines a measure of efficiency of performing the executing of the second portion of the software code under investigation without emulation thereof, and an acceleration decision module performs selection of the second portion of the software code under investigation to be directly executed by the hardware accelerator module based on the determined measure of efficiency.
    Type: Application
    Filed: March 28, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventor: Sergey Y. Belov
  • Publication number: 20140181897
    Abstract: Disclosed are systems, methods and computer program products for detecting computer malware using security rating rules. In one example, the system identifies at least one problematic security rating rule that was activated during antivirus analysis of both safe and malicious programs. The system then selects a group of programs for which said problematic rule was activated. The system then identifies in the selected group of programs a plurality of only malicious programs or the plurality of only safe programs based on the problematic security rating rule and at least one different security rating rule. The system then generates a behavior model script based on the problematic security rating rule and the at least one different security rating rule and executes said behavior model script during antivirus analysis of said analyzed program to detect a computer malware in said analyzed program.
    Type: Application
    Filed: November 12, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Publication number: 20140181896
    Abstract: Disclosed are system and methods for protecting computer resources from unauthorized access. The system provides a library of handler functions that control access of applications to protected resources on a computer device. The system associates a security policy with the library of handler functions. The security policy specifies access rules for accessing protected resources by the applications. The system also modifies applications to access the library of handler functions instead of corresponding application program interface (API) functions of the computer device. When a handler function receives an API function call from a modified application, it may determine if the received API function call complies with the access rules. When the API function call complies with the access rules, the handler function performs the API function call from the application to the protected resources. When the API function call violates the access rules, the handler function blocks that API function call.
    Type: Application
    Filed: September 27, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Victor V. Yablokov, Evgeny Y. Eliseev
  • Publication number: 20140181530
    Abstract: Disclosed are systems, methods and computer program products for protecting cloud security services from unauthorized access and malware attacks. In one example, a cloud server receives one or more queries from security software of the user device. The server analyzes a system state and configuration of the user device to determine the level of trust associated with the user device. The server also analyzes the one or more queries received from the security software to determine whether to update the level of trust associated with the user device. The server determines, based on the level of trust, how to process the one or more queries. Finally, the server provides responses to the one or more queries from the security software based on the determination of how to process the one or more queries.
    Type: Application
    Filed: February 1, 2014
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Eldar M. Kononov, Anton S. Lapushkin, Andrey A. Efremov
  • Publication number: 20140181971
    Abstract: System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.
    Type: Application
    Filed: March 29, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Ivan I. Tatarinov, Vladislav V. Martynenko, Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Konstantin V. Sapronov, Yuri G. Slobodyanuk
  • Patent number: 8762948
    Abstract: Systems and methods for generating a set of event filtering rules for filtering events being produced in response to emulation of a program. A plurality of sample programs is constructed based on a plurality of known program development tools. Emulated execution of the plurality of sample programs is carried out in an isolated virtual machine environment and events occurring in the virtual machine environment as a result of the emulated execution of the plurality of sample programs are recorded in an event log. A set of rules is formulated for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: June 24, 2014
    Assignee: Kaspersky Lab Zao
    Inventor: Oleg V. Zaitsev
  • Patent number: 8752179
    Abstract: Removing malware from a computer system. An inspection module obtains an inspection log representing operational history of the operating system and the application programs of the computer system. The inspection log is analyzed to detect a presence of any malware on the computer system. A treatment scenario is generated that defines a plurality of actions to be executed for removing any malware present on the computer system, as detected in the analyzing. The treatment scenario is generated based on the information contained in the inspection log and on a knowledge base of malware removal rules. The generated treatment scenario is evaluated to assess the actions defined in the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system. A modified treatment scenario can be created to reduce the risk in response to an assessment of the risk.
    Type: Grant
    Filed: October 16, 2012
    Date of Patent: June 10, 2014
    Assignee: Kaspersky Lab Zao
    Inventor: Oleg V. Zaitsev
  • Patent number: 8738721
    Abstract: Disclosed are systems, methods and computer program products for detection of spam. In one example, a system receives electronic messages and attempts to classify the messages as legitimate or spam messages. For an unknown message, the system obtains its metadata including hash sum of the message and sender's IP address. The system then places the metadata of the unknown messages into one cluster of a plurality of clusters based on degree of similarity between hash sums of different unknown messages. The system then rates each unknown message in accordance with a rating of the cluster, wherein the rating of the cluster is based, at least, on a number of similar hash sums of unknown messages received from different addresses of message senders contained in said cluster. Finally, the system classifies unknown messages as legitimate or spam based on the message rating.
    Type: Grant
    Filed: November 1, 2013
    Date of Patent: May 27, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Evgeny P. Smirnov, Andrey V. Bakhmutov, Sarya V. Loseva, Dmitry A. Shvyrkov
  • Patent number: 8739287
    Abstract: A server system that includes one or more processors and memory receives, from a client, metadata for a plurality of suspicious files for which the client was unable to conclusively determine a security status. The server system also analyzes the metadata using threat-identification information to identify potentially malicious files and requests authorization to receive the potentially malicious files from the client. In response to the request, upon authorization for the server system to receive the potentially malicious files, the server system automatically receives one or more potentially malicious files from the client that were authorized based on a confidentiality level of the potentially malicious files.
    Type: Grant
    Filed: October 10, 2013
    Date of Patent: May 27, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Alexey A. Polyakov, Konstantin V. Sapronov