Patents by Inventor Denis V. Anikin
Denis V. Anikin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11609993
Abstract: A method for emulating execution of a file includes emulating execution of the instructions of a file on a virtual processor of an emulator. The execution of the instructions is halted in response to an invocation of an API function. A determination is made whether the invoked API function is present in the updatable modules of the emulator. The updatable modules contain implementation of API functions. In response to determining that the invoked API function is present in the updatable modules, execution of the invoked API function is emulated according to corresponding implementation contained in the updatable modules. Otherwise, result of execution of the invoked API function is generated by executing a corresponding virtual API function on a processor of a computing device.
Type: Grant
Filed: November 6, 2020
Date of Patent: March 21, 2023
Assignee: AO Kaspersky Lab
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov, Sergey V. Trofimenko
-
Patent number: 11449615
Abstract: Disclosed herein are systems and methods for forming a log during an execution of a file with vulnerabilities. In one aspect, an exemplary method comprises, discovering an activation of a trigger during an execution of a thread of a process created upon opening the file, wherein the trigger describes conditions accompanying an event which relates to an attempt to exploit a vulnerability of the file, analyzing a stack of the process created upon opening the file, and discovering a chain of function calls preceding the event in a form of a sequence of call and return addresses, analyzing the discovered chain of function calls for fulfillment of conditions of the trigger which relate to the attempt to exploit the vulnerability, and when the conditions of the trigger are fulfilled, saving information about the chain of function calls in a log.
Type: Grant
Filed: May 15, 2019
Date of Patent: September 20, 2022
Assignee: AO Kaspersky Lab
Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
-
Patent number: 11397812
Abstract: Disclosed herein are systems and methods of categorizing a .NET application. In one aspect, an exemplary method comprises, by a hardware processor of a security module, launching a CLR profiler upon launching of the .NET application, forming an execution log of the .NET application and adding information about events occurring during the execution of the .NET application via the launched CLR profiler, assigning to the .NET application, a category of a predetermined list of categories based on an analysis of the execution log of the .NET application, and determining whether the .NET application is categorized as being a malicious application.
Type: Grant
Filed: September 18, 2018
Date of Patent: July 26, 2022
Assignee: AO Kaspersky Lab
Inventors: Vladimir A. Kuskov, Denis V. Anikin, Dmitry A. Kirsanov
-
Publication number: 20210397708
Abstract: A method for emulating execution of a file includes emulating execution of the instructions of a file on a virtual processor of an emulator. The execution of the instructions is halted in response to an invocation of an API function. A determination is made whether the invoked API function is present in the updatable modules of the emulator. The updatable modules contain implementation of API functions. In response to determining that the invoked API function is present in the updatable modules, execution of the invoked API function is emulated according to corresponding implementation contained in the updatable modules. Otherwise, result of execution of the invoked API function is generated by executing a corresponding virtual API function on a processor of a computing device.
Type: Application
Filed: November 6, 2020
Publication date: December 23, 2021
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov, Sergey V. Trofimenko
-
Patent number: 11048795
Abstract: Disclosed is a method for analyzing a log for conducting an antivirus scan of a file. The method includes opening a file in a virtual machine. The opening of the file includes execution of a guest process having a thread in a virtual processor of the virtual machine. A plurality of events in the thread of the guest process is intercepted. Registers associated with a system call made during execution of the first thread of the guest process are determined. Execution of the thread of the guest process is halted. In a log associated with the opening of the file, information is saved indicating events intercepted during execution of the thread in an altered guest physical memory page, and context data of the virtual processor. Using at least one template having rules, the saved log is analyzed to determine whether the file opened in the virtual machine is harmful.
Type: Grant
Filed: December 16, 2019
Date of Patent: June 29, 2021
Assignee: AO Kaspersky Lab
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
-
Publication number: 20200210591
Abstract: Disclosed herein are systems and methods for forming a log during an execution of a file with vulnerabilities. In one aspect, an exemplary method comprises, discovering an activation of a trigger during an execution of a thread of a process created upon opening the file, wherein the trigger describes conditions accompanying an event which relates to an attempt to exploit a vulnerability of the file, analyzing a stack of the process created upon opening the file, and discovering a chain of function calls preceding the event in a form of a sequence of call and return addresses, analyzing the discovered chain of function calls for fulfillment of conditions of the trigger which relate to the attempt to exploit the vulnerability, and when the conditions of the trigger are fulfilled, saving information about the chain of function calls in a log.
Type: Application
Filed: May 15, 2019
Publication date: July 2, 2020
Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
-
Patent number: 10642973
Abstract: Disclosed are systems and methods for analysis of files for maliciousness and determining an action. An exemplary method comprises: opening a file, by a processor, in a virtual machine, intercepting an event arising in an execution of a thread of a process created upon opening of the file, determining, a context of the processor on which the thread is being executed, the determination including reading register values of the processor and a stack, comparing the context with rules that check: a behavior of the thread of the process, a changing, by the thread, of attributes of the file, and an access of the thread to the Internet, and based on a result of the comparison, performing at least one of: recognizing the file as being malicious, halting the execution of the thread, changing the context of the processor, and waiting for a next intercepted event.
Type: Grant
Filed: May 17, 2019
Date of Patent: May 5, 2020
Assignee: AO Kaspersky Lab
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
-
Publication number: 20200117796
Abstract: Disclosed is a method for analyzing a log for conducting an antivirus scan of a file. The method includes opening a file in a virtual machine. The opening of the file includes execution of a guest process having a thread in a virtual processor of the virtual machine. A plurality of events in the thread of the guest process is intercepted. Registers associated with a system call made during execution of the first thread of the guest process are determined. Execution of the thread of the guest process is halted. In a log associated with the opening of the file, information is saved indicating events intercepted during execution of the thread in an altered guest physical memory page, and context data of the virtual processor. Using at least one template having rules, the saved log is analyzed to determine whether the file opened in the virtual machine is harmful.
Type: Application
Filed: December 16, 2019
Publication date: April 16, 2020
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
-
Patent number: 10546120
Abstract: Disclosed are systems and methods for generating a log for conducting an antivirus scan of a file. The described technique includes opening a file in a virtual machine, which causes execution of a guest process and a thread in a (virtual) processor of the virtual machine. The technique includes identifying, during execution of the first thread, events that involve alteration of guest physical memory pages of the virtual machine. The technique determines altered guest physical memory page based on analysis of the log and identifies when a transfer of control to altered guest physical memory pages has occurred. The resultant log for analysis by a security application includes information indicating the events occurring during execution of the thread in the altered guest physical memory page, and context data of the virtual processor on which the thread is being executed.
Type: Grant
Filed: September 25, 2017
Date of Patent: January 28, 2020
Assignee: AO KASPERSKY LAB
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
-
Publication number: 20190272371
Abstract: Disclosed are systems and methods for analysis of files for maliciousness and determining an action. An exemplary method comprises: opening a file, by a processor, in a virtual machine, intercepting an event arising in an execution of a thread of a process created upon opening of the file, determining, a context of the processor on which the thread is being executed, the determination including reading register values of the processor and a stack, comparing the context with rules that check: a behavior of the thread of the process, a changing, by the thread, of attributes of the file, and an access of the thread to the Internet, and based on a result of the comparison, performing at least one of: recognizing the file as being malicious, halting the execution of the thread, changing the context of the processor, and waiting for a next intercepted event.
Type: Application
Filed: May 17, 2019
Publication date: September 5, 2019
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
-
Patent number: 10387300
Abstract: Disclosed are system and method for controlling execution of a computer program. An example method includes determining whether code instructions or data of interest are found in a portion of a page in an original virtual address space, when the code instructions or data are found in the portion of the page of a first type, tagging it as non-executable and tagging the portion of no interest as executable, when the code instructions or data are found in the portion of the second type, tagging it using an opcode and tagging the portion of no interest as executable, when the code instructions or data are found in the portion of the first type, duplicating the original virtual address space and tagging the portion of interest as executable and tagging the portion of no interest as non-executable and transferring execution of the computer program to a memory location other than the one in which a notification was received.
Type: Grant
Filed: November 16, 2018
Date of Patent: August 20, 2019
Assignee: AO Kaspersky Lab
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
-
Publication number: 20190243976
Abstract: Disclosed herein are systems and methods of categorizing a .NET application. In one aspect, an exemplary method comprises, by a hardware processor of a security module, launching a CLR profiler upon launching of the .NET application, forming an execution log of the .NET application and adding information about events occurring during the execution of the .NET application via the launched CLR profiler, assigning to the .NET application, a category of a predetermined list of categories based on an analysis of the execution log of the .NET application, and determining whether the .NET application is categorized as being a malicious application.
Type: Application
Filed: September 18, 2018
Publication date: August 8, 2019
Inventors: Vladimir A. Kuskov, Denis V. Anikin, Dmitry A. Kirsanov
-
Patent number: 10339301
Abstract: Disclosed are systems and methods of analysis of files for maliciousness in a virtual machine. An exemplary method comprises: opening and executing a file by a processor in a virtual machine; intercepting an event arising in the process of execution of a thread of a process created upon opening of the file; halting the execution of the thread; reading the context of the processor on which the thread is being executed; comparing the context of the processor with one or more rules; and based on the results of the comparison, performing at least one of: recognizing the file as being malicious; halting the execution of the process created upon opening of the file; changing the context of the processor; and waiting for the next intercepted event.
Type: Grant
Filed: March 7, 2017
Date of Patent: July 2, 2019
Assignee: AO Kaspersky Lab
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
-
Patent number: 10261895
Abstract: Disclosed are system and method for controlling execution of a computer program. An example method includes determining, by a processor, a memory sector for storing a portion of execution instructions of the computer program in virtual memory address space, determining, in the virtual memory address space, one or more pages that comprise code instructions and data associated with the memory sector, creating a duplicate of the virtual memory address space, tagging the memory sector and the one or more pages in both the virtual memory address space and the duplicate of the virtual memory address space, receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or the duplicate of the virtual memory address space and transferring execution of the computer program to a memory location other than the one in which the notification was received.
Type: Grant
Filed: November 16, 2018
Date of Patent: April 16, 2019
Assignee: AO Kaspersky Lab
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
-
Publication number: 20190095615
Abstract: Disclosed are systems and methods for generating a log for conducting an antivirus scan of a file. The described technique includes opening a file in a virtual machine, which causes execution of a guest process and a thread in a (virtual) processor of the virtual machine. The technique includes identifying, during execution of the first thread, events that involve alteration of guest physical memory pages of the virtual machine. The technique determines altered guest physical memory page based on analysis of the log and identifies when a transfer of control to altered guest physical memory pages has occurred. The resultant log for analysis by a security application includes information indicating the events occurring during execution of the thread in the altered guest physical memory page, and context data of the virtual processor on which the thread is being executed.
Type: Application
Filed: September 25, 2017
Publication date: March 28, 2019
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
-
Publication number: 20190087318
Abstract: Disclosed are system and method for controlling execution of a computer program. An example method includes determining whether code instructions or data of interest are found in a portion of a page in an original virtual address space, when the code instructions or data are found in the portion of the page of a first type, tagging it as non-executable and tagging the portion of no interest as executable, when the code instructions or data are found in the portion of the second type, tagging it using an opcode and tagging the portion of no interest as executable, when the code instructions or data are found in the portion of the first type, duplicating the original virtual address space and tagging the portion of interest as executable and tagging the portion of no interest as non-executable and transferring execution of the computer program to a memory location other than the one in which a notification was received.
Type: Application
Filed: November 16, 2018
Publication date: March 21, 2019
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
-
Publication number: 20190087319
Abstract: Disclosed are system and method for controlling execution of a computer program. An example method includes determining, by a processor, a memory sector for storing a portion of execution instructions of the computer program in virtual memory address space, determining, in the virtual memory address space, one or more pages that comprise code instructions and data associated with the memory sector, creating a duplicate of the virtual memory address space, tagging the memory sector and the one or more pages in both the virtual memory address space and the duplicate of the virtual memory address space, receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or the duplicate of the virtual memory address space and transferring execution of the computer program to a memory location other than the one in which the notification was received.
Type: Application
Filed: November 16, 2018
Publication date: March 21, 2019
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
-
Patent number: 10162745
Abstract: Disclosed are system and method for controlling execution of a program. An example method includes determining a memory sector for storing at least a portion of execution instructions of the computer program in virtual memory address space; determining, in the virtual memory address space, one or more pages that contain code instructions and data associated with the memory sector; creating a duplicate of the virtual memory address space comprising the memory sector and the one or more pages; tagging the memory sector and the one or more pages in both the virtual memory address space and its duplicate; receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or its duplicate; and transferring execution of the computer program to a memory location other than the one in which the notification was received.
Type: Grant
Filed: August 11, 2016
Date of Patent: December 25, 2018
Assignee: AO Kaspersky Lab
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
-
Publication number: 20180225447
Abstract: Disclosed are systems and methods of analysis of files for maliciousness in a virtual machine. An exemplary method comprises: opening and executing a file by a processor in a virtual machine; intercepting an event arising in the process of execution of a thread of a process created upon opening of the file; halting the execution of the thread; reading the context of the processor on which the thread is being executed; comparing the context of the processor with one or more rules; and based on the results of the comparison, performing at least one of: recognizing the file as being malicious; halting the execution of the process created upon opening of the file; changing the context of the processor; and waiting for the next intercepted event.
Type: Application
Filed: March 7, 2017
Publication date: August 9, 2018
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
-
Publication number: 20170351600
Abstract: Disclosed are system and method for controlling execution of a program. An example method includes determining a memory sector for storing at least a portion of execution instructions of the computer program in virtual memory address space; determining, in the virtual memory address space, one or more pages that contain code instructions and data associated with the memory sector; creating a duplicate of the virtual memory address space comprising the memory sector and the one or more pages; tagging the memory sector and the one or more pages in both the virtual memory address space and its duplicate; receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or its duplicate; and transferring execution of the computer program to a memory location other than the one in which the notification was received.
Type: Application
Filed: August 11, 2016
Publication date: December 7, 2017
Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov