Patents by Inventor Alexander V. Liskin

Alexander V. Liskin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230074997
    Abstract: Disclosed herein are systems and methods for modifying execution environments of applications. In one aspect, an exemplary method comprises, identifying an application that requires an isolated execution environment in order to be analyzed, generating an isolated execution environment to launch the identified application using constraint generating rules from a rules database, launching the application in the isolated execution environment that was generated, when an incorrect execution of the application is detected after the application is launched in the isolated execution environment, stopping the execution of the application and modifying the isolated execution environment using the constraint generating rules from the rule database, and when an incorrect execution of the application is not detected after the application is launched in the isolated execution environment, checking for a presence of a malicious code in the application running in the modified isolated execution environment.
    Type: Application
    Filed: May 17, 2022
    Publication date: March 9, 2023
    Inventors: Alexander V. Liskin, Vitaly V. Butuzov
  • Patent number: 10902118
    Abstract: Disclosed are systems and methods for training and retraining a model for detection of malicious activity from container files, which contain at least two or more objects constituting logically separate data regions. Parameters of each object chosen from at least one safe container and one malicious container are determined which uniquely characterize the functional relation of the mentioned object to at least one selected object. Convolutions are formed separately for each container on the basis of the determined parameters of the objects, which are used to train a machine learning model for detecting malicious container files.
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: January 26, 2021
    Assignee: AO KASPERSKY LAB
    Inventors: Vladimir V. Krylov, Alexander V. Liskin, Alexey E. Antonov
  • Patent number: 10878087
    Abstract: Disclosed herein are methods and systems for detecting malicious files using two stage file classification. An exemplary method comprises selecting, by a hardware processor, a set of attributes of a file under analysis, calculating, by the hardware processor, a hash of the file based on the selected set of attributes, selecting, by the hardware processor, a classifier for the file from a set of classifiers based on the calculated hash of the file, assigning, by the hardware processor, the file under analysis to the one or more categories based on the selected classifier, determining whether the file has been assigned to a category of malicious files and concluding that the file is malicious based on the determination.
    Type: Grant
    Filed: November 8, 2018
    Date of Patent: December 29, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Alexey M. Romanenko, Alexander V. Liskin, Sergey V. Prokudin
  • Patent number: 10867038
    Abstract: A system and method is provided for determining whether an electronic file is malicious. An exemplary method includes extracting resources from an electronic file; forming a first rule that establishes a functional dependency between the extracted resources; identifying, in a database of malicious file resources, a second rule associated with one or more of the extracted resources; comparing the formed first rule with the identified second rule to calculate a degree of similarity between first and second rules; and determining the electronic file to be a malicious file when the calculated degree of similarity exceeds a predetermined threshold value.
    Type: Grant
    Filed: August 4, 2017
    Date of Patent: December 15, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Vladimir V. Krylov, Alexander V. Liskin
  • Patent number: 10838748
    Abstract: Disclosed are systems and methods for emulating execution of a file based on emulation time. In one aspect, an exemplary method comprises, generating an image of a file, emulating an execution of instructions from the image for a predetermined emulation time, the emulation including: when an emulation of an execution of instruction from an image of another file is needed, generating an image of the another file, detecting known set of instructions in portions read from the image, inserting a break point into a position in the generated image corresponding to a start of the detected set of instructions, emulating execution of the another file by emulating execution of instructions from the generated image, and adding corresponding records to an emulation log, and reading a next portion from the image of the another file and repeating the emulation until the predetermined emulation time has elapsed.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: November 17, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Alexander V. Liskin, Vladimir V. Krylov
  • Patent number: 10713359
    Abstract: Disclosed are systems and methods for detection of malicious intermediate language files. In one exemplary aspect, the system comprises a database comprising hashes of known malicious files, a resource allocation module configured to select a set of resources from a file being analyzed, a hash calculation module, coupled to the resource allocation module, configured to calculate a perceptive hash of the set of resources; and an analysis module, coupled to the other modules, configured to identify a degree of similarity between the set of resources and a set of resources from known malicious files by comparing the perceptive hash with perceptive hashes of the set of resources from known malicious files, determine a harmfulness of the file being analyzed based on the degree of similarity and remove or quarantine the file being analyzed when the harmfulness exceeds a predetermined threshold.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: July 14, 2020
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir V. Krylov, Alexander V. Liskin, Alexey E. Antonov
  • Publication number: 20200004956
    Abstract: Disclosed herein are methods and systems for detecting malicious files using two stage file classification. An exemplary method comprises selecting, by a hardware processor, a set of attributes of a file under analysis, calculating, by the hardware processor, a hash of the file based on the selected set of attributes, selecting, by the hardware processor, a classifier for the file from a set of classifiers based on the calculated hash of the file, assigning, by the hardware processor, the file under analysis to the one or more categories based on the selected classifier, determining whether the file has been assigned to a category of malicious files and concluding that the file is malicious based on the determination.
    Type: Application
    Filed: November 8, 2018
    Publication date: January 2, 2020
    Inventors: Alexey M. Romanenko, Alexander V. Liskin, Sergey V. Prokudin
  • Publication number: 20190391830
    Abstract: Disclosed are systems and methods for emulating execution of a file based on emulation time. In one aspect, an exemplary method comprises, generating an image of a file, emulating an execution of instructions from the image for a predetermined emulation time, the emulation including: when an emulation of an execution of instruction from an image of another file is needed, generating an image of the another file, detecting known set of instructions in portions read from the image, inserting a break point into a position in the generated image corresponding to a start of the detected set of instructions, emulating execution of the another file by emulating execution of instructions from the generated image, and adding corresponding records to an emulation log, and reading a next portion from the image of the another file and repeating the emulation until the predetermined emulation time has elapsed.
    Type: Application
    Filed: September 3, 2019
    Publication date: December 26, 2019
    Inventors: Alexander V. Liskin, Vladimir V. Krylov
  • Patent number: 10437618
    Abstract: Disclosed are systems and methods for emulating execution of a file. An image of a file is formed, which is comprised of instructions read from the file. An analysis module detects at least one known set of instructions in a portion read from the file, and inserts a break point into a position in the generated image of the file corresponding to a start of the detected set of instructions. An emulation module emulates execution of the file by emulating execution of instructions from the generated image of the file and adding corresponding records to an emulation log associated with the emulated execution of the at least one known set of instructions.
    Type: Grant
    Filed: October 12, 2017
    Date of Patent: October 8, 2019
    Assignee: AO Kaspersky Lab
    Inventors: Alexander V. Liskin, Vladimir V. Krylov
  • Publication number: 20190243972
    Abstract: Disclosed are systems and methods for training and retraining a model for detection of malicious activity from container files, which contain at least two or more objects constituting logically separate data regions. Parameters of each object chosen from at least one safe container and one malicious container are determined which uniquely characterize the functional relation of the mentioned object to at least one selected object. Convolutions are formed separately for each container on the basis of the determined parameters of the objects, which are used to train a machine learning model for detecting malicious container files.
    Type: Application
    Filed: September 7, 2018
    Publication date: August 8, 2019
    Inventors: Vladimir V. Krylov, Alexander V. Liskin, Alexey E. Antonov
  • Patent number: 10339312
    Abstract: A method and system is provided for detecting malicious compound files. An example method includes: obtaining at least one compound file; identifying a first set of features of the at least one compound file including features associated with a header of the at least one compound file; subsequent to identifying the first set of features, identifying, by the processor, a second set of features of the at least one compound file including features associated with at least one directory of the at least one compound file; determining a hash sum of the at least one compound file based on the first and second set of features; comparing the hash sum of the at least one compound file with information associated with a plurality of compound files stored in a database; and identifying the at least one compound file as being malicious, trusted or untrusted based at least on comparison results.
    Type: Grant
    Filed: January 20, 2017
    Date of Patent: July 2, 2019
    Assignee: AO KASPERSKY LAB
    Inventors: Andrey V. Krukov, Alexander V. Liskin, Anton M. Ivanov
  • Publication number: 20190102549
    Abstract: Disclosed are systems and methods for detection of malicious intermediate language files. In one exemplary aspect, the system comprises a database comprising hashes of known malicious files, a resource allocation module configured to select a set of resources from a file being analyzed, a hash calculation module, coupled to the resource allocation module, configured to calculate a perceptive hash of the set of resources; and an analysis module, coupled to the other modules, configured to identify a degree of similarity between the set of resources and a set of resources from known malicious files by comparing the perceptive hash with perceptive hashes of the set of resources from known malicious files, determine a harmfulness of the file being analyzed based on the degree of similarity and remove or quarantine the file being analyzed when the harmfulness exceeds a predetermined threshold.
    Type: Application
    Filed: March 29, 2018
    Publication date: April 4, 2019
    Inventors: Vladimir V. Krylov, Alexander V. Liskin, Alexey E. Antonov
  • Publication number: 20190056963
    Abstract: Disclosed are systems and methods for emulating execution of a file. An image of a file is formed, which is comprised of instructions read from the file. An analysis module detects at least one known set of instructions in a portion read from the file, and inserts a break point into a position in the generated image of the file corresponding to a start of the detected set of instructions. An emulation module emulates execution of the file by emulating execution of instructions from the generated image of the file and adding corresponding records to an emulation log associated with the emulated execution of the at least one known set of instructions.
    Type: Application
    Filed: October 12, 2017
    Publication date: February 21, 2019
    Inventors: Alexander V. Liskin, Vladimir V. Krylov
  • Publication number: 20180365420
    Abstract: A system and method is provided for determining whether an electronic file is malicious. An exemplary method includes extracting resources from an electronic file; forming a first rule that establishes a functional dependency between the extracted resources; identifying, in a database of malicious file resources, a second rule associated with one or more of the extracted resources; comparing the formed first rule with the identified second rule to calculate a degree of similarity between first and second rules; and determining the electronic file to be a malicious file when the calculated degree of similarity exceeds a predetermined threshold value.
    Type: Application
    Filed: August 4, 2017
    Publication date: December 20, 2018
    Inventors: Vladimir V. Krylov, Alexander V. Liskin
  • Patent number: 10013555
    Abstract: Disclosed are method and system for detecting harmful files executed by a virtual stack machine. An example method includes: analyzing a file executable on the virtual stack machine to identify both parameters of a file section of the file and parameters of a function of the virtual stack machine when executing the file; identifying, in a database, at least one cluster of safe files based on the identified parameters of the file section of the file and the identified parameters of the virtual stack machine; creating, using at least one clustering rule, a data cluster based on the identified at least one cluster of safe files; calculating at least one checksum of the created data cluster; and determining that the file executable on the virtual stack machine is harmful if the computed at least one checksum matches a checksum in a database of checksums of harmful files.
    Type: Grant
    Filed: June 14, 2016
    Date of Patent: July 3, 2018
    Assignee: AO KASPERSKY LAB
    Inventors: Anton M. Ivanov, Alexander V. Liskin
  • Publication number: 20180101682
    Abstract: A method and system is provided for detecting malicious compound files. An example method includes: obtaining at least one compound file; identifying a first set of features of the at least one compound file including features associated with a header of the at least one compound file; subsequent to identifying the first set of features, identifying, by the processor, a second set of features of the at least one compound file including features associated with at least one directory of the at least one compound file; determining a hash sum of the at least one compound file based on the first and second set of features; comparing the hash sum of the at least one compound file with information associated with a plurality of compound files stored in a database; and identifying the at least one compound file as being malicious, trusted or untrusted based at least on comparison results.
    Type: Application
    Filed: January 20, 2017
    Publication date: April 12, 2018
    Inventors: Andrey V. Krukov, Alexander V. Liskin, Anton M. Ivanov
  • Publication number: 20170004310
    Abstract: Disclosed are method and system for detecting harmful files executed by a virtual stack machine. An example method includes: analyzing a file executable on the virtual stack machine to identify both parameters of a file section of the file and parameters of a function of the virtual stack machine when executing the file; identifying, in a database, at least one cluster of safe files based on the identified parameters of the file section of the file and the identified parameters of the virtual stack machine; creating, using at least one clustering rule, a data cluster based on the identified at least one cluster of safe files; calculating at least one checksum of the created data cluster; and determining that the file executable on the virtual stack machine is harmful if the computed at least one checksum matches a checksum in a database of checksums of harmful files.
    Type: Application
    Filed: June 14, 2016
    Publication date: January 5, 2017
    Inventors: Anton M. Ivanov, Alexander V. Liskin
  • Patent number: 9444832
    Abstract: Systems and methods for optimizing an antivirus determination for executable files. Optimization by excluding from an antivirus check executable files such as dynamic libraries and/or resource files that do not contain executable code speeds up the overall antivirus determination. An optimization system generally includes an antivirus system. The antivirus system generally includes a check tool and an executable file detection system. The executable file detection system generally includes a breakdown tool, an analysis tool, and a database. The antivirus system can be operably coupled to an antivirus server via the Internet.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: September 13, 2016
    Assignee: AO KASPERSKY LAB
    Inventors: Andrey V. Ladikov, Alexander V. Liskin
  • Patent number: 9396334
    Abstract: Disclosed are method and system for detecting harmful files executed by a virtual stack machine. An example method includes: identifying data from a file executed on the virtual stack machine, the data including parameters of a file section of the file and/or parameters of a function of the file; searching in a database for at least one cluster of safe files that contains at least one of: a value of the parameters of the file section exceeding a first threshold, and a value of the parameters of the function exceeding a second threshold; creating a cluster of data of the file based on the identified cluster of safe files; calculating a checksum of the created cluster of data of the file; and determining that the file is a harmful file if the computed checksum matches a checksum in a database of checksums of harmful files.
    Type: Grant
    Filed: August 24, 2015
    Date of Patent: July 19, 2016
    Assignee: AO Kaspersky Lab
    Inventors: Anton M. Ivanov, Alexander V. Liskin