Abstract: Disclosed herein are systems and methods for optimizing antivirus scanning of files on virtual machines. In one aspect, an exemplary method comprises, determining whether there is a record about a file in a verdict cache, when there is, assigning the verdict found in the verdict cache to the file, and when no record is found in the verdict cache, determining whether the file is currently being scanned in a parallel thread, when the file is currently being scanned in a parallel thread, blocking the scanning of the file until the scanning in the parallel thread is completed, and placing a result of the scanning in the parallel thread in the verdict cache, and when the file is not currently being scanned in a parallel thread, performing the scanning of the file on a current thread, and placing a result of the scanning on the current thread in the verdict cache.

Abstract: Disclosed herein are systems and methods for optimizing antivirus scanning of files on virtual machines. In one aspect, an exemplary method comprises, determining whether there is a record about a file in a verdict cache, when there is, assigning the verdict found in the verdict cache to the file, and when no record is found in the verdict cache, determining whether the file is currently being scanned in a parallel thread, when the file is currently being scanned in a parallel thread, blocking the scanning of the file until the scanning in the parallel thread is completed, and placing a result of the scanning in the parallel thread in the verdict cache, and when the file is not currently being scanned in a parallel thread, performing the scanning of the file on a current thread, and placing a result of the scanning on the current thread in the verdict cache.

Abstract: Disclosed are methods, systems and computer program products for antivirus checking of software objects in a virtual environment. An example method includes monitoring and identifying, by an antivirus agent running on a virtual machine in the virtual environment, an event occurring in the virtual machine, an object related to the event, and a type of the object; upon determining that the object needs an antivirus checking, sending, by the antivirus agent, to a control module in the virtual environment, information of the object and the event; determining, by the control module, priorities of executing one or more antivirus checking methods determined for the object; and distributing, by the control module, among one or more selected components of an antivirus system in the virtual environment, the one or more antivirus checking methods to be performed on the object based on the priorities.

Abstract: Disclosed are system and method for malware detection on virtual machines. An example method comprises: forming, on a virtual machine, a queue of identifiers of objects for malware analysis; determining a method for selecting objects in the queue for malware analysis; selecting one or more objects from the queue for malware analysis; providing identifiers of the selected objects to a security virtual machine for malware analysis; checking, by the security virtual machine, whether each of the selected objects has been previously provided for malware analysis by another virtual machine; when a selected object has not been previously provided by another virtual machine, performing, by the security virtual machine, a malware analysis of the selected object; and providing, to the virtual machine, a malware analysis result for the selected object.

Abstract: Disclosed are systems and methods for prioritizing scan requests. An example method includes reserving, by a computer processor, one or more connections between a thin client and a virtual machine of a computer; when one or more of the reserved connections are not used for communicating on-access scan (OAS) requests or on-demand scan (ODS) requests, allocating said one or more reserved connections for communicating OAS or ODS requests between the thin client and the virtual machine; and when all the reserved connections are used for communicating OAS or ODS requests, and at least one reserved connection is used for communicating ODS requests, reallocating for communicating the OAS requests the at least one reserved connection used for communicating ODS request.

Abstract: An initial trust status is assigned to a first object, the trust status representing one of either a relatively higher trust level or a relatively lower trust level. Based on the trust status, the first object is associated with an event type to be monitored, where the event type is selected from among: essential events, occurrence of which is informative as to trust status evaluating for an object, and critical events, including the essential events, and additional events, occurrence of which is informative as to execution of suspicious code. Occurrences of events relating to the first object are monitored. In response to the first object being assigned the relatively higher trust level, only the essential events are monitored. In response to the first object being assigned the relatively lower trust level, the critical events are monitored. A need for performing malware analysis is determined based on the trust status of the first object and the event type.

Abstract: An initial trust status is assigned to a first object, the trust status representing one of either a relatively higher trust level or a relatively lower trust level. Based on the trust status, the first object is associated with an event type to be monitored, where the event type is selected from among: essential events, occurrence of which is informative as to trust status evaluating for an object, and critical events, including the essential events, and additional events, occurrence of which is informative as to execution of suspicious code. Occurrences of events relating to the first object are monitored. In response to the first object being assigned the relatively higher trust level, only the essential events are monitored. In response to the first object being assigned the relatively lower trust level, the critical events are monitored. A need for performing malware analysis is determined based on the trust status of the first object and the event type.

Abstract: An initial trust status is assigned to a first object, the trust status representing one of either a relatively higher trust level or a relatively lower trust level. Based on the trust status, the first object is associated with an event type to be monitored, where the event type is selected from among: essential events, occurrence of which is informative as to trust status evaluating for an object, and critical events, including the essential events, and additional events, occurrence of which is informative as to execution of suspicious code. Occurrences of events relating to the first object are monitored. In response to the first object being assigned the relatively higher trust level, only the essential events are monitored. In response to the first object being assigned the relatively lower trust level, the critical events are monitored. A need for performing malware analysis is determined based on the trust status of the first object and the event type.

Abstract: Disclosed are methods, systems and computer program products for antivirus checking of software objects in a virtual environment. An example method includes monitoring, by an antivirus agent running on a virtual machine in the virtual environment, one or more events occurring in the virtual machine; determining an object related to the one or more monitored events and a type of the object; determining whether the object needs antivirus checking; sending, to a control module in the virtual environment, information about the object that needs antivirus checking, the type of the object, and the one or more identified events; determining one or more methods of antivirus checking to be performed on the object; selecting one or more components of an antivirus system in the virtual environment; and distributing among the selected components, the antivirus checking methods to be performed on the object.

Abstract: A pre-OS security agent runs in an environment independent of the operating system (OS) but interfaced with the file system and able to exchange information with a security application running over the OS. Prior to the start-up of the OS, an indication of a state or condition is obtained relating to a risk of an inability of the security application to function normally, or to a change in the computer system affecting the start-up of the OS. Based on the indication, a set of one or more actions are determined for resolving the state or condition. The pre-OS security agent executes the set of one or more actions in response to the indication.