Abstract: A method and system is provided for detecting malicious compound files. An example method includes: obtaining at least one compound file; identifying a first set of features of the at least one compound file including features associated with a header of the at least one compound file; subsequent to identifying the first set of features, identifying, by the processor, a second set of features of the at least one compound file including features associated with at least one directory of the at least one compound file; determining a hash sum of the at least one compound file based on the first and second set of features; comparing the hash sum of the at least one compound file with information associated with a plurality of compound files stored in a database; and identifying the at least one compound file as being malicious, trusted or untrusted based at least on comparison results.

Abstract: Disclosed are method and system for detecting harmful files executed by a virtual stack machine. An example method includes: analyzing a file executable on the virtual stack machine to identify both parameters of a file section of the file and parameters of a function of the virtual stack machine when executing the file; identifying, in a database, at least one cluster of safe files based on the identified parameters of the file section of the file and the identified parameters of the virtual stack machine; creating, using at least one clustering rule, a data cluster based on the identified at least one cluster of safe files; calculating at least one checksum of the created data cluster; and determining that the file executable on the virtual stack machine is harmful if the computed at least one checksum matches a checksum in a database of checksums of harmful files.

Abstract: A method and system is provided for detecting malicious compound files. An example method includes: obtaining at least one compound file; identifying a first set of features of the at least one compound file including features associated with a header of the at least one compound file; subsequent to identifying the first set of features, identifying, by the processor, a second set of features of the at least one compound file including features associated with at least one directory of the at least one compound file; determining a hash sum of the at least one compound file based on the first and second set of features; comparing the hash sum of the at least one compound file with information associated with a plurality of compound files stored in a database; and identifying the at least one compound file as being malicious, trusted or untrusted based at least on comparison results.

Abstract: Disclosed are exemplary aspects of systems and methods for blocking execution of scripts. An exemplary method comprises: intercepting a request for a script from a client to a server; generating a bytecode of the intercepted script; computing a hash sum of the generated bytecode; determining a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of malicious and clean scripts stored in a database; identifying a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode is within a threshold of similarity; determining a coefficient of trust of the similar hash sum; determining whether the requested script is malicious based on the degree of similarity and the coefficient of trust of the similar hash sum; and blocking the execution of the malicious script on the client.

Abstract: Disclosed are exemplary aspects of systems and methods for blocking execution of scripts. An exemplary method comprises: intercepting a request for a script from a client to a server; generating a bytecode of the intercepted script; computing a hash sum of the generated bytecode; determining a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of malicious and clean scripts stored in a database; identifying a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode is within a threshold of similarity; determining a coefficient of trust of the similar hash sum; determining whether the requested script is malicious based on the degree of similarity and the coefficient of trust of the similar hash sum; and blocking the execution of the malicious script on the client.

Abstract: Disclosed are method and system for detecting harmful files executed by a virtual stack machine. An example method includes: analyzing a file executable on the virtual stack machine to identify both parameters of a file section of the file and parameters of a function of the virtual stack machine when executing the file; identifying, in a database, at least one cluster of safe files based on the identified parameters of the file section of the file and the identified parameters of the virtual stack machine; creating, using at least one clustering rule, a data cluster based on the identified at least one cluster of safe files; calculating at least one checksum of the created data cluster; and determining that the file executable on the virtual stack machine is harmful if the computed at least one checksum matches a checksum in a database of checksums of harmful files.

Abstract: Disclosed are systems, methods and computer program products for automating installation of applications. In one aspect, the system launches an application installer of a software application; identifies control elements in an active window of the application installer, wherein the control elements include at least user interface (UI) elements responsible for transitioning the active window to another window of the application installer; transitions to other windows of the application installer and identifies control elements in all other windows of the application installer until the application is installed; generates an automatic installation rule for the application that automatically activates one or more windows of the application installer and one or more control elements of said window to install the application without a participation of a user.

Abstract: Disclosed are exemplary aspects of systems and methods for detection of phishing scripts. An exemplary method comprises: generating a bytecode of a script; computing a hash sum of the generated bytecode; determining a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups of hash sums of known phishing scripts; identifying at least one group of hash sums that contains a hash sum whose degree of similarity with the hash sum of the bytecode is within a threshold; determining a coefficient of compactness of the identified group of hash sums and a coefficient of trust of the identified group of hash sums; and determining whether the script is a phishing script based on the degree of similarity, the coefficient of compactness and the coefficient of trust.

Abstract: Disclosed are method and system for detecting harmful files executed by a virtual stack machine. An example method includes: identifying data from a file executed on the virtual stack machine, the data including parameters of a file section of the file and/or parameters of a function of the file; searching in a database for at least one cluster of safe files that contains at least one of: a value of the parameters of the file section exceeding a first threshold, and a value of the parameters of the function exceeding a second threshold; creating a cluster of data of the file based on the identified cluster of safe files; calculating a checksum of the created cluster of data of the file; and determining that the file is a harmful file if the computed checksum matches a checksum in a database of checksums of harmful files.

Abstract: Disclosed are systems, methods and computer program products for detection of harmful files of different formats. An example method includes: receiving a suspicious file; determining a file format of the suspicious file; determining, using antivirus software, if the suspicious file is clean or harmful; and when the antivirus software fails to determine whether the suspicious file is clean or harmful, selecting, based on at least the file format of the suspicious file, a configuration of a virtual machine for analyzing a maliciousness of the suspicious file by at least: selecting a program associated with the file format of the suspicious file, opening the suspicious file using the associated program in the virtual machine, collecting data of at least one activity on the virtual machine, and analyzing the data to determine the maliciousness of the suspicious file.

Abstract: Disclosed are systems, methods and computer program products for detection of harmful files of different formats. An example method includes: receiving a suspicious file; determining a file format of the suspicious file; determining, using antivirus software, if the suspicious file is dean or harmful; and when the antivirus software fails to determine whether the suspicious file is clean or harmful, selecting, based on at least the file format of the suspicious file, a configuration of a virtual machine for analyzing a maliciousness of the suspicious file by at least: selecting a program associated with the file format of the suspicious file, opening the suspicious file using the associated program in the virtual machine, collecting data of at least one activity on the virtual machine, and analyzing the data to determine the maliciousness of the suspicious file.

Abstract: Disclosed are systems, methods and computer program products for automating installation of applications. In one aspect, the system launches an application installer of a software application; identifies control elements in an active window of the application installer, wherein the control elements include at least user interface (UI) elements responsible for transitioning the active window to another window of the application installer; transitions to other windows of the application installer and identifies control elements in all other windows of the application installer until the application is installed; generates an automatic installation rule for the application that automatically activates one or more windows of the application installer and one or more control elements of said window to install the application without a participation of a user.

Abstract: Disclosed are systems, methods and computer program products for detection of harmful files of different formats. An example method includes determining a suspicious file and a file format of the suspicious file; analyzing the suspicious file by an antivirus software to determine whether the suspicious file is clean or harmful; when the suspicious file is determined to be harmful by the antivirus software, generating a signature of the suspicious file and updating a collection of harmful files with the signature of the suspicious file; and when the suspicious file is not determined to be clean or harmful by the antivirus software, selecting, based on at least the file format of the suspicious file, a configuration of a virtual machine for analysis of the suspicious file, and analyzing the suspicious file by the virtual machine with selected configuration to determine whether the suspicious file is clean or harmful.