Abstract: Disclosed herein are methods and systems for detecting malicious files by a user computer. For example, in one aspect, the method comprises registering application programming interface (API) calls made by a file during an execution of the file on the user computer in a local call log, the local call log comprising control flow graphs of processes launched from the file, searching for a rule that matches behavioral rules a local database, when the behavioral rules are found, determining the file is malicious and halting execution of the file on the user computer, otherwise, transmitting the local call log to a remote server, receiving a verdict, when the verdict indicates the file is malicious, receiving a virus signature corresponding to the verdict, and updating the local call log based on the verdict and virus signature, wherein the updating enables detection of subsequently received malicious files.

Abstract: Disclosed are systems and methods of adding tags for use in detecting computer attacks. In one aspect, the system comprises a computer protection module configured to: receive a security notification, extract an object from the security notification, search for the extracted object in a threat database, add a first tag corresponding to the extracted object in the threat database only when the extracted object is found in the threat database, search for signs of suspicious activity in a database of suspicious activities based on the received security notification and the added first tag, and when at least one sign of suspicious activity is found, extract a second tag from the database of suspicious activities and add the second tag to an object database, wherein the object database is used for identifying signature of targeted attacks based on security notifications, objects, first tags and second tags.

Abstract: Disclosed are systems and methods for creating antivirus records for antivirus applications. An exemplary method includes: analyzing a log of records of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to one or more records of API function calls from the log is identified; extracting from the log the one or more API function calls associated with the identified behavioral rule; determining whether the one or more extracted records of API function calls are supported by an antivirus application of a user device; and when the one or more extracted records of API function calls are not supported by the antivirus application, adding to the antivirus application, a support for registering the unsupported records of API function calls.

Abstract: Disclosed are systems and methods of adding tags for use in detecting computer attacks. In one aspect, the system comprises a computer protection module configured to: receive a security notification, extract an object from the security notification, search for the extracted object in a threat database, add a first tag corresponding to the extracted object in the threat database only when the extracted object is found in the threat database, search for signs of suspicious activity in a database of suspicious activities based on the received security notification and the added first tag, and when at least one sign of suspicious activity is found, extract a second tag from the database of suspicious activities and add the second tag to an object database, wherein the object database is used for identifying signature of targeted attacks based on security notifications, objects, first tags and second tags.

Abstract: Disclosed herein are methods and systems for detecting malicious files by a user computer. For example, in one aspect, the method comprises registering application programming interface (API) calls made by a file during an execution of the file on the user computer in a local call log, the local call log comprising control flow graphs of processes launched from the file, searching for a rule that matches behavioral rules a local database, when the behavioral rules are found, determining the file is malicious and halting execution of the file on the user computer, otherwise, transmitting the local call log to a remote server, receiving a verdict, when the verdict indicates the file is malicious, receiving a virus signature corresponding to the verdict, and updating the local call log based on the verdict and virus signature, wherein the updating enables detection of subsequently received malicious files.

Abstract: Disclosed are systems and methods for creating antivirus records for antivirus applications. An exemplary method includes: analyzing a log of records of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to one or more records of API function calls from the log is identified; extracting from the log the one or more API function calls associated with the identified behavioral rule; determining whether the one or more extracted records of API function calls are supported by an antivirus application of a user device; and when the one or more extracted records of API function calls are not supported by the antivirus application, adding to the antivirus application, a support for registering the unsupported records of API function calls.

Abstract: Disclosed are systems and methods for cloud detection, investigation and elimination of targeted attacks. In one exemplary aspect, the system comprises a computer protection module configured to: gather information on an object in a computer in a network; and save a security notification with the object in an object database in the network; and a module for protection against targeted attacks configured to: search for the object in a threat database in the network; add one or more tags to the object when the object is found in the threat database and adding a correspondence between a record in the object database and the threat database; and determine that a computer attack has occurred when the one or more tags correspond to signatures in a database of computer attacks.

Abstract: Disclosed herein are methods and systems of detecting malicious files. According to one aspect, a method comprises receiving one or more call logs from respectively one or more computers, each call log comprising function calls made from a file executing on a respective computer, combining the one or more call logs into a combined call log, searching the combined call log to find a match for one or more behavioral rules stored in a threat database, determining, when the behavioral rules are found in the call log, a verdict about the file being investigated and transmitting information regarding the verdict to the one or more computers.

Abstract: Disclosed herein are systems and methods of creating antivirus records. An exemplary method comprises: analyzing, by a protector against targeted attacks, a log of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to records of a log of API function calls is identified; extracting one or more records of API function calls associated with the identified behavioral rule; determining whether at least one extracted record of the API function calls can be registered by a protector of a computing device; and when the at least one extracted record can be registered by the protector of the computing device, creating an antivirus record for the protector of the computing device, wherein the created antivirus record includes at least the extracted records of the API function calls.

Abstract: Disclosed herein are systems and methods of creating antivirus records. An exemplary method comprises: analyzing, by a protector against targeted attacks, a log of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to records of a log of API function calls is identified; extracting one or more records of API function calls associated with the identified behavioral rule; determining whether at least one extracted record of the API function calls can be registered by a protector of a computing device; and when the at least one extracted record can be registered by the protector of the computing device, creating an antivirus record for the protector of the computing device, wherein the created antivirus record includes at least the extracted records of the API function calls.

Abstract: Disclosed herein are methods and systems of detecting malicious files. According to one aspect, a method comprises receiving one or more call logs from respectively one or more computers, each call log comprising function calls made from a file executing on a respective computer, combining the one or more call logs into a combined call log, searching the combined call log to find a match for one or more behavioral rules stored in a threat database, determining, when the behavioral rules are found in the call log, a verdict about the file being investigated and transmitting information regarding the verdict to the one or more computers.

Abstract: Disclosed are systems and methods for cloud detection, investigation and elimination of targeted attacks. In one exemplary aspect, the system comprises a computer protection module configured to: gather information on an object in a computer in a network; and save a security notification with the object in an object database in the network; and a module for protection against targeted attacks configured to: search for the object in a threat database in the network; add one or more tags to the object when the object is found in the threat database and adding a correspondence between a record in the object database and the threat database; and determine that a computer attack has occurred when the one or more tags correspond to signatures in a database of computer attacks.

Abstract: Disclosed are systems, methods and computer program products for determining a security status of at least one potentially malicious file in a customer network. An example method comprising receiving, by a client computer system, client heuristics information from a server system for determining a security status of client data generated by at least one client application; monitoring and identifying at least one suspicious file of the client data as a potentially malicious file by analyzing metadata associated with the at least one suspicious file using the client heuristics information; collecting threat-identification information of the potentially malicious file to exclude confidential information associated with a content of the potentially malicious file; transmitting the threat-identification information to the server system for determining a security status of the potentially malicious file; and receiving security tools from the server system to block or remove the potentially malicious file.

Abstract: System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.

Abstract: System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.

Abstract: A server system that includes one or more processors and memory receives, from a client, metadata for a plurality of suspicious files for which the client was unable to conclusively determine a security status. The server system also analyzes the metadata using threat-identification information to identify potentially malicious files and requests authorization to receive the potentially malicious files from the client. In response to the request, upon authorization for the server system to receive the potentially malicious files, the server system automatically receives one or more potentially malicious files from the client that were authorized based on a confidentiality level of the potentially malicious files.