Patents Assigned to Kaspersky Lab, ZAO
  • Publication number: 20130247193
    Abstract: Removing malware from a computer system. An inspection module obtains an inspection log representing operational history of the operating system and the application programs of the computer system. The inspection log is analyzed to detect a presence of any malware on the computer system. A treatment scenario is generated that defines a plurality of actions to be executed for removing any malware present on the computer system, as detected in the analyzing. The treatment scenario is generated based on the information contained in the inspection log and on a knowledge base of malware removal rules. The generated treatment scenario is evaluated to assess the actions defined in the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system. A modified treatment scenario can be created to reduce the risk in response to an assessment of the risk.
    Type: Application
    Filed: October 16, 2012
    Publication date: September 19, 2013
    Applicant: KASPERSKY LAB ZAO
    Inventor: Oleg V. Zaitsev
  • Publication number: 20130227680
    Abstract: Protection of a computer system against exploits. A computer system has a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory. An association of the process thread and the first portion of memory is recorded. A limited access regime in which one of the write and execute privileges is disabled, is established, and is monitored for any exceptions occurring due to attempted writing or execution in violation thereof. In response to the exception being determined as a write exception, the associated process thread is looked up, and analyzed for a presence of malicious code. In response to the exception type being determined as an execute exception, the first portion of memory is analyzed for a presence of malicious code. In response to detection of a presence of malicious code, execution of the malicious code is prevented.
    Type: Application
    Filed: October 10, 2012
    Publication date: August 29, 2013
    Applicant: Kaspersky Lab ZAO
    Inventor: Kaspersky Lab ZAO
  • Publication number: 20130227692
    Abstract: A system and method for optimization of AV processing of disk files. The system includes an AV scanner, a data cache module, an AV service and file analysis module. The optimization allows for reduction of time needed for the AV processing. Trusted files associated with a trusted key file are found. The trusted files that have been found are cached and excluded from further AV processing and the AV processing time is reduced.
    Type: Application
    Filed: February 28, 2012
    Publication date: August 29, 2013
    Applicant: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 8522008
    Abstract: Disclosed are a portable security device and methods for secure user authentication. The security device stores operating system agents that enable communication with user devices that have different operating systems. The security device also stores user authentication data for accessing different Internet resources by the user devices. The security device connects to the user device using an operating system agent corresponding to the operating system of the user device, and receives from the user device a request to access an Internet resource. The security device selects user authentication data associated with the requested Internet resource, and obtains the requested Internet resource using the selected user authentication data.
    Type: Grant
    Filed: January 30, 2013
    Date of Patent: August 27, 2013
    Assignee: Kaspersky Lab Zao
    Inventors: Andrey P. Doukhvalov, Pavel V. Dyakin, Sergey Y. Golovanov, Igor I. Soumenkov, Dmitry A. Kulagin, Alexey Y. Voitovich, Eugene V. Kaspersky
  • Publication number: 20130219495
    Abstract: A system and method for dynamic configuration of the security modules for optimization of execution of security tasks are provided. The system includes: a mechanism for identifying the clients connected to the network; a client data collection unit that determines hardware/software configurations of each detected client; a security module selection and installation unit that selects required modules for each client; a statistics collection unit that collects the security tasks execution statistics from user modules and from client modules; and a configuration unit that configures the client and server modules based on the collected statistics in order to optimize execution of the security tasks.
    Type: Application
    Filed: March 26, 2013
    Publication date: August 22, 2013
    Applicant: KASPERSKY LAB, ZAO
    Inventors: ANDREY KULAGA, ANTON TIKHOMIROV
  • Patent number: 8505021
    Abstract: System, method, and computer-readable medium for managing removal of unused objects on a subject computer system that includes a plurality of computing resources. Current configuration and operational state information of a subject computer system are analyzed to detect a presence of unused objects on the subject computer system. An estimated degree of impact that unused objects have on the workload of at least one computing resource of the plurality of computing resources is obtained. A measure of the exigency of taking action to remove the unused objects is determined based on the estimated degree of impact and on the current degree of workload of the at least one computing resource. Instructions are generated for removing specific ones of the unused objects for which the exigency of taking action is sufficiently great.
    Type: Grant
    Filed: August 29, 2011
    Date of Patent: August 6, 2013
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 8505069
    Abstract: Disclosed are a system, method and computer program product for updating software programs on a computer. The system detects an attempt by an update process to execute on the computer and retrieves information about an authorized category of software programs to determine whether the detected update process is authorized. When the update process is authorized, the system (i) designates the update process as a trusted process, (ii) allows the update process to download an update object onto the computer, and (iii) designates the update object as a trusted object. The system then detects an attempt by an installation process to install the update object, and determines from the policy whether the detected installation process is associated with the authorized category and related to the trusted update process. When the installation process is authorized and related to the trusted update process, the system allows the trusted installation process to install the trusted update object.
    Type: Grant
    Filed: November 27, 2012
    Date of Patent: August 6, 2013
    Assignee: Kaspersky Lab ZAO
    Inventors: Andrey Y. Solodovnikov, Kirill N. Kruglov
  • Patent number: 8499167
    Abstract: Apparatus, processes, and related technologies for comparison between a target item of software code and a reference set of software code. The target item is preprocessed to be compared against a reference item from the reference set to identify a selected set of lines of software code from the target item to be used for the comparison. Each line of the selected set of lines from the target software item is individually compared with lines of software code from the reference set to produce a measure of similarity between the target software item and at least one reference item of software code from the reference set. Various techniques for maintaining and updating a numerical representation of similarity of the target item with each reference item, the numerical representation being stored in a corresponding element of a data structure.
    Type: Grant
    Filed: December 7, 2009
    Date of Patent: July 30, 2013
    Assignee: Kaspersky Lab ZAO
    Inventor: Aleksey Malanov
  • Patent number: 8489925
    Abstract: A system and method that handles and prevents application installation and execution errors in computer systems using expert data acquired by analysis of the application and errors detected in the emulator. The system also handles the errors raised during an application update. The system allows for testing of applications for execution on a system with a particular configuration. The system can determine all possible errors that can be raised in different execution environments. Additionally, the system can determine system error causes and modify the computer system in order to prevent the system errors. An automated analysis of the application execution in the emulated execution environment is performed. An expert system of error handling scenarios is formed based on the emulation. The system includes an emulator, an expert system, an expert database and an error processor.
    Type: Grant
    Filed: November 9, 2012
    Date of Patent: July 16, 2013
    Assignee: Kaspersky Lab, ZAO
    Inventors: Alexander E. Antukh, Alexey V. Malanov
  • Patent number: 8484347
    Abstract: Disclosed are systems, methods and computer program products for malware detection in a peer-to-peer (P2P) network. In one example embodiment, a peer node of the P2P network receives a user request to download a data object from the P2P network. The peer node obtains a metadata object associated with the requested data object and extracts from the metadata object a checksum associated with the requested data object. The peer node then determines if the extracted checksum is associated with a malicious data object by comparing the extracted checksum with checksums of known malicious data objects stored in a local malware database. If the checksum of the requested data object matches a checksum of a malicious data object, the user request to download the data object from the P2P network is denied.
    Type: Grant
    Filed: June 19, 2012
    Date of Patent: July 9, 2013
    Assignee: Kaspersky Lab Zao
    Inventors: Alexander A. Gostev, Andrey V. Nikishin, Igor I. Soumenkov, Roman V. Rybalko
  • Patent number: 8484727
    Abstract: Disclosed are systems and methods for computer malware detection. The system is configured to emulate execution of a program code, monitor events of program execution, classify the monitored events as malicious or non-malicious, and collect information about unclassifiable events. The system further includes one or more analyst workstations configured to isolate a program analyst from external audiovisual stimuli. The workstation includes a video output device operable to display a list of unclassifiable events and event-related information to the program analyst and a user input device operable to receive analyst's physiological response indicative of whether the displayed list of unclassifiable events exhibits malicious behavior.
    Type: Grant
    Filed: November 26, 2008
    Date of Patent: July 9, 2013
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 8479296
    Abstract: The present disclosure relates generally to the field of computer security and, in particular, to systems for detecting unknown malware. A method comprises generating genes for known malicious and clean objects; analyzing object genes using different malware analysis methods; computing a level of successful detection of malicious objects by one or a combination of malware analysis methods based on analysis of genes of the known malicious objects; computing a level of false positive detections of malicious objects by one or a combination of malware analysis methods based on analysis of genes of known clean objects; measuring effectiveness of each one or the combination of malware analysis methods as a function of the level of successful detections and the level of false positive detections; and selecting one or a combination of the most effective malware analysis methods for analyzing an unknown object for malware.
    Type: Grant
    Filed: July 26, 2011
    Date of Patent: July 2, 2013
    Assignee: Kaspersky Lab ZAO
    Inventors: Yury V. Mashevsky, Roman S. Vasilenko
  • Patent number: 8468601
    Abstract: A method and computer program product for updating botnets are described. A statistical method for analyzing the hosts that send out SPAM and updating botnets is provided. The proposed method uses the fact that a computer in a botnet has to distribute content using activity patterns closely resembling the distribution patterns of other computers in the same botnet over the same time period. The distribution statistical data obtained for different sources are compared using approximation of graphical data. Based on the comparison, it is determined whether the computer belongs to a botnet and the botnet is updated accordingly.
    Type: Grant
    Filed: February 27, 2009
    Date of Patent: June 18, 2013
    Assignee: Kaspersky Lab, ZAO
    Inventor: Andrey V. Bakhmutov
  • Publication number: 20130145437
    Abstract: A method and system for identification of malware threats on web resources. The system employs scheduled antivirus (AV) scanning of web resources. The scheduled scanning of web resources allows creation of malware check lists and configuration of access to web resources. Frequency and depth of inspection (i.e., scan) are determined for each web resource. The user identifiers are used for scheduled AV scanning of web resources. The system allows for scanning a web resource based on selected configurations without using additional client applications.
    Type: Application
    Filed: February 4, 2013
    Publication date: June 6, 2013
    Applicant: KASPERSKY LAB, ZAO
    Inventor: OLEG V. ZAITSEV
  • Publication number: 20130133069
    Abstract: Method and computer program product for signature testing used in anti-malware processing. Silent signatures, after being tested, are not updated into a white list and are sent directly to users instead. If the silent signature coincides with malware signature, a user is not informed. A checksum (e.g., hash value) of a suspected file is sent to a server, where statistics are kept and analyzed. Based on collected false positive statistics of the silent-signature, the silent-signature is either valid or invalid. Use of the silent signatures provides for effective signature testing and reduces response time to new malware-related threats. The silent signature method is used for turning off a signature upon first false positive occurrence. Use of silent signatures allows improving heuristic algorithms for detection of unknown malware.
    Type: Application
    Filed: January 14, 2013
    Publication date: May 23, 2013
    Applicant: KASPERSKY LAB, ZAO
    Inventor: DENIS A. NAZAROV
  • Publication number: 20130125208
    Abstract: Disclosed are a portable security device and methods for secure user authentication. The security device stores operating system agents that enable communication with user devices that have different operating systems. The security device also stores user authentication data for accessing different Internet resources by the user devices. The security device connects to the user device using an operating system agent corresponding to the operating system of the user device, and receives from the user device a request to access an Internet resource. The security device selects user authentication data associated with the requested Internet resource, and obtains the requested Internet resource using the selected user authentication data.
    Type: Application
    Filed: January 30, 2013
    Publication date: May 16, 2013
    Applicant: Kaspersky Lab ZAO
    Inventor: Kaspersky Lab ZAO
  • Patent number: 8433792
    Abstract: A system and method for dynamic configuration of the security modules for optimization of execution of security tasks are provided. The system includes: a client detection unit that finds the clients on the network; a client data collection unit that determines hardware/software configurations of each detected client; a security module selection and installation unit that selects required modules for each client from a modules database; a statistics collection unit that collects the security tasks execution statistics from user modules and from client modules; and a re-configuration unit that reconfigures the client and server modules based on the collected statistics in order to optimize execution of the security tasks.
    Type: Grant
    Filed: February 19, 2011
    Date of Patent: April 30, 2013
    Assignee: Kaspersky Lab, ZAO
    Inventors: Andrey Kulaga, Anton Tikhomirov
  • Patent number: 8424093
    Abstract: Disclosed are systems, methods and computer program products for updating antivirus cache during malware scan of a computer system. In particular, an antivirus cache stored in a non-volatile system memory may be updated with information from an antivirus database during execution of malware detection processes launched on the computer system. If a malware detection process uses one or more sections of the antivirus cache which require updating, the system replicates those sections of the antivirus cache and updates them. Each update contains different types of data and code associated with different types of malware. During update, the same types of data for each type of malware are collected and stored as data files in corresponding sections of the antivirus cache and executable code sections are converted into platform-specific dynamic libraries and also stored in the antivirus cache.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: April 16, 2013
    Assignee: Kaspersky Lab Zao
    Inventors: Vladislav V. Grachev, Vyacheslav A. Batenin
  • Patent number: 8407196
    Abstract: A system and computer program product for implementing an object-oriented hierarchical database architecture that supports functionality of an emulator. The hierarchical data architecture is created for implementing a file system and/or a system registry inside the emulator, where malware components are emulated and tested. The data architecture supports the emulator and provides for effective recovery of database fragments after modifications of the fragments by the emulated malware. The non-relational object-oriented database consists of database objects. Each of the database objects has various data fields. Special user types are assigned to the database objects. Each user type is defined by a selected set of data fields. The database objects have a parent-child relationship. Each database object has a unique parent object and a unique set of index fields. The unique set of the index fields is a unique set of data fields of an object. The database has a root object which is unique for the database.
    Type: Grant
    Filed: February 28, 2009
    Date of Patent: March 26, 2013
    Assignee: Kaspersky Lab, ZAO
    Inventor: Andrey V. Kryukov
  • Patent number: 8402134
    Abstract: Disclosed are systems, methods and computer program products for locating lost or stolen electronic devices. The method comprises deploying software agents on a plurality of networked electronic devices; receiving by a software agent deployed on a first electronic device a message from a remote server, the message including an identifier of a lost or stolen electronic device; searching by the software agent on a network to which the first electronic device is connected for the lost or stolen electronic device using the device identifier; if the lost or stolen electronic device is located on the network, collecting information about the lost or stolen electronic device; and transmitting by the software agent the collected information to one of the central server or an owner of the lost or stolen electronic device.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: March 19, 2013
    Assignee: Kaspersky Lab Zao
    Inventor: Stephane Le Hir