Patents by Inventor Mikhail A. Pavlyushchik

Mikhail A. Pavlyushchik has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180068115
    Abstract: Disclosed are system and method for detecting malicious code in files. One exemplary method comprises: intercepting, by a processor, one or more application program interface (API) calls during an execution of a process launched from a file of a computing device; determining and detecting, by the processor, a presence of an exit condition of the process; in response to detecting the exit condition, identifying one or more signatures of a first type and transferring one or more saved memory dumps of the computing device to an emulator for execution; and determining and identifying a malicious code in the file in response to detecting one or more signatures of a second type based at least upon execution results of the transferred memory dumps of the computing device.
    Type: Application
    Filed: February 13, 2017
    Publication date: March 8, 2018
    Inventors: Maxim Y. Golovkin, Alexey V. Monastyrsky, Vladislav V. Pintiysky, Mikhail A. Pavlyushchik, Vitaly V. Butuzov, Dmitry V. Karasovsky
  • Patent number: 9659172
    Abstract: Disclosed are systems and methods for controlling execution of programs on a computer. An exemplary method includes detecting an unknown program installed on a computer; identifying undesirable actions performed by the unknown program on the computer, wherein the undesirable actions include at least one of: actions performed by the program without knowledge of a user, actions for accessing personal user data on the computer, and actions effecting user's working with other programs or operating system of the computer; determining whether the unknown program is undesirable or not based on the identified undesirable actions of the program; when the unknown program is determined to be undesirable, prompting the user to select whether to allow or prohibit execution of the undesirable program on the computer; and when the unknown program is determined not to be undesirable, allowing execution of the unknown program on the computer.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: May 23, 2017
    Assignee: AO Kaspersky Lab
    Inventors: Vyacheslav V. Zakorzhevsky, Alexander A. Romanenko, Sergey V. Dobrovolsky, Yuri G. Slobodyanuk, Oleg A. Yurzin, Mikhail A. Pavlyushchik, Alexander A. Stroykov, Alexander V. Amrilloev
  • Publication number: 20170004305
    Abstract: Disclosed are systems and methods for controlling execution of programs on a computer. An exemplary method includes detecting an unknown program installed on a computer; identifying undesirable actions performed by the unknown program on the computer, wherein the undesirable actions include at least one of: actions performed by the program without knowledge of a user, actions for accessing personal user data on the computer, and actions effecting user's working with other programs or operating system of the computer; determining whether the unknown program is undesirable or not based on the identified undesirable actions of the program; when the unknown program is determined to be undesirable, prompting the user to select whether to allow or prohibit execution of the undesirable program on the computer; and when the unknown program is determined not to be undesirable, allowing execution of the unknown program on the computer.
    Type: Application
    Filed: June 13, 2016
    Publication date: January 5, 2017
    Inventors: Vyacheslav V. Zakorzhevsky, Alexander A. Romanenko, Sergey V. Dobrovolsky, Yuri G. Slobodyanuk, Oleg A. Yurzin, Mikhail A. Pavlyushchik, Alexander A. Stroykov, Alexander V. Amrilloev
  • Publication number: 20170004309
    Abstract: Disclosed are system and method for detecting malicious code in address space of a process. An exemplary method comprises: detecting a first process executed on the computer in association with an application; intercepting at least one function call made by the first process to a second process; determining one or more attributes associated with the at least one function call; determining whether to perform malware analysis of code associated with the at least one function call in an address space associated with the second process based on application of one or more rules to the one or more attributes; and upon determining to perform malware analysis of the code, determining whether the code in the address space is malicious.
    Type: Application
    Filed: June 15, 2016
    Publication date: January 5, 2017
    Inventors: Mikhail A. Pavlyushchik, Alexey V. Monastyrsky, Denis A. Nazarov
  • Patent number: 9407648
    Abstract: Disclosed are system and method for detecting malicious code in random access memory. An exemplary method comprises: detecting, by a hardware processor, a process of an untrusted program on the computer; identifying, by the hardware processor, function calls made by the process of the untrusted program, including inter-process function calls made by the process to a destination process; determining, by the hardware processor, whether to perform malware analysis of a code in an address space of the destination process that was subject of an inter-process function call made by the process of the untrusted program; and when it is determined to perform malware analysis, analyzing the code in an address space of the destination process that was subject of an inter-process function call made by the process of the untrusted program using antivirus software executable by the hardware processor.
    Type: Grant
    Filed: November 25, 2015
    Date of Patent: August 2, 2016
    Assignee: AO Kaspersky Lab
    Inventors: Mikhail A. Pavlyushchik, Alexey V. Monastyrsky, Denis A. Nazarov
  • Patent number: 9390266
    Abstract: Disclosed are systems and methods for controlling installation of programs on a computer. An exemplary system is configured to detect installation of an unknown program on a computer; suspend installation of the unknown program; execute the unknown program in a secure environment; detect undesirable actions of the unknown program, including: actions performed by the program without knowledge of a user, actions for accessing personal user data on the computer, and actions effecting user's working with other programs or operating system of the computer; determine whether the unknown program is undesirable or not based on the detected undesirable actions of the program; when the unknown program is determined to be undesirable, prompt the user to select whether to allow or prohibit installation of the undesirable program on the computer; and when the unknown program is determined not to be undesirable, allow installation of the unknown program on the computer.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: July 12, 2016
    Assignee: AO Kaspersky Lab
    Inventors: Vyacheslav V. Zakorzhevsky, Alexander A. Romanenko, Sergey V. Dobrovolsky, Yuri G. Slobodyanuk, Oleg A. Yurzin, Mikhail A. Pavlyushchik, Alexander A. Stroykov, Alexander V. Amrilloev
  • Patent number: 9336390
    Abstract: System and method for detection of malicious code injected into processes associated with known programs. Execution of processes in a computer system is monitored. From among the processes being monitored, only certain processes are selected for tracking. For each of the processes selected, function calls made by threads of the process are tracked. From among the tracked function calls, only those function calls which are critical function calls are identified. For each identified critical function call, program instructions that caused the critical function call are subjected to analysis to assess their maliciousness.
    Type: Grant
    Filed: July 10, 2013
    Date of Patent: May 10, 2016
    Assignee: AO KASPERSKY LAB
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 9081967
    Abstract: Disclosed herein are systems, methods and computer program products for protecting computer systems from software vulnerabilities. In one aspect, a system is configured to detect execution of a software application and determine whether the detected application has vulnerabilities. When the application has vulnerabilities, the system may analyze the application to identify typical actions performed by the application. The system may then create one or more restriction rules based on the identified typical actions of the application. The restriction rules allow application to perform typical actions and block atypical actions. The system then controls execution of the application using the created restriction rules.
    Type: Grant
    Filed: November 11, 2013
    Date of Patent: July 14, 2015
    Assignee: Kaspersky Lab ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 8990934
    Abstract: Protection of a computer system against exploits. A computer system has a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory. An association of the process thread and the first portion of memory is recorded. A limited access regime in which one of the write and execute privileges is disabled, is established, and is monitored for any exceptions occurring due to attempted writing or execution in violation thereof. In response to the exception being determined as a write exception, the associated process thread is looked up, and analyzed for a presence of malicious code. In response to the exception type being determined as an execute exception, the first portion of memory is analyzed for a presence of malicious code. In response to detection of a presence of malicious code, execution of the malicious code is prevented.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: March 24, 2015
    Assignee: Kaspersky Lab ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Publication number: 20150047046
    Abstract: Disclosed herein are systems, methods and computer program products for protecting computer systems from software vulnerabilities. In one aspect, a system is configured to detect execution of a software application and determine whether the detected application has vulnerabilities. When the application has vulnerabilities, the system may analyze the application to identify typical actions performed by the application. The system may then create one or more restriction rules based on the identified typical actions of the application. The restriction rules allow application to perform typical actions and block atypical actions. The system then controls execution of the application using the created restriction rules.
    Type: Application
    Filed: November 11, 2013
    Publication date: February 12, 2015
    Applicant: Kaspersky Lab ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Publication number: 20140325650
    Abstract: System and method for detection of malicious code injected into processes associated with known programs. Execution of processes in a computer system is monitored. From among the processes being monitored, only certain processes are selected for tracking. For each of the processes selected, function calls made by threads of the process are tracked. From among the tracked function calls, only those function calls which are critical function calls are identified. For each identified critical function call, program instructions that caused the critical function call are subjected to analysis to assess their maliciousness.
    Type: Application
    Filed: July 10, 2013
    Publication date: October 30, 2014
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 8856542
    Abstract: System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.
    Type: Grant
    Filed: March 29, 2013
    Date of Patent: October 7, 2014
    Assignee: Kaspersky Lab ZAO
    Inventors: Ivan I. Tatarinov, Vladislav V. Martynenko, Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Konstantin V. Sapronov, Yuri G. Slobodyanuk
  • Publication number: 20140181971
    Abstract: System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.
    Type: Application
    Filed: March 29, 2013
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Ivan I. Tatarinov, Vladislav V. Martynenko, Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Konstantin V. Sapronov, Yuri G. Slobodyanuk
  • Patent number: 8713631
    Abstract: Protection against a malicious set of program instructions (e.g., a malicious program) executable by a process virtual machine. The program instructions of process virtual machine are augmented to establish an exception monitoring module within the process virtual machine. When the process virtual machine executes a subject set of program instructions, the exception monitoring module detects a security policy violation exception occurring as a result. In response thereto, the exception monitoring module gathers context information representing circumstances surrounding the occurrence of the exception, and provides the context information for analysis of a presence of malicious code. The exception monitoring module determines, based on a result of the analysis, whether to permit further execution of the subject set of program instructions by the process virtual machine.
    Type: Grant
    Filed: February 14, 2013
    Date of Patent: April 29, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 8656494
    Abstract: A system and method for optimization of AV processing of disk files. The system includes an AV scanner, a data cache module, an AV service and file analysis module. The optimization allows for reduction of time needed for the AV processing. Trusted files associated with a trusted key file are found. The trusted files that have been found are cached and excluded from further AV processing and the AV processing time is reduced.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: February 18, 2014
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 8650650
    Abstract: Disclosed are systems, methods and computer program products for performing antivirus analysis of a file. Particularly, antivirus software detects an attempt to execute a file on a computer and collects information about current file attributes. The software retrieves information about old file attributes. The software then compares current file attributes with the old file attributes to determine whether the file has been modified. When the file is determined to be modified, the software synchronously accesses the file to perform antivirus analysis thereof. During the synchronous access of the file, one or more other programs are prohibited from accessing the analyzed file. When the file is determined to be unmodified, the software asynchronously accesses the file. During the asynchronous access of the file one or more of the other programs are allowed to access the analyzed file.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 11, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 8646084
    Abstract: System and method for assessing a risk level associated with launching acquired objects on an associated computer system. Events occurring on the computer system are detected, including an event representing launching of a first object. An association of a detected launching of the first object with user input effecting that launching, if any, is stored. In response to a launching of the first object, a determination is made as to whether an association exists between the launching, and any user input initiating that launching. A risk assessment record is updated for the first object such that, in response to the launching of the first object being either associated or not associated with user input initiating that launching, the risk assessment record is updated to reduce an indicated risk level for the first object, or to increase the indicated risk level for the first object, respectively.
    Type: Grant
    Filed: December 19, 2012
    Date of Patent: February 4, 2014
    Assignee: Kaspersky Lab Zao
    Inventors: Mikhail A. Pavlyushchik, Alexey V. Monastyrsky
  • Publication number: 20130227692
    Abstract: A system and method for optimization of AV processing of disk files. The system includes an AV scanner, a data cache module, an AV service and file analysis module. The optimization allows for reduction of time needed for the AV processing. Trusted files associated with a trusted key file are found. The trusted files that have been found are cached and excluded from further AV processing and the AV processing time is reduced.
    Type: Application
    Filed: February 28, 2012
    Publication date: August 29, 2013
    Applicant: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 8181247
    Abstract: Disclosed are systems, methods and computer program products for protecting a computer from activities of malicious objects. The method comprises: monitoring events of execution of one or more processes on the computer; identifying auditable events among the monitored events, including events of creation, alteration or deletion of files, events of alteration of system registry, and events of network access by processes executed on the computer; recording the identified auditable events in separate file, registry and network event logs; performing a malware check of one or more software objects on the computer; if an object is determined to be malicious, identifying from the file, registry and network event logs the events associated with the malicious object; performing rollback of file events associated with the malicious object; performing rollback of registry events associated with the malicious object; terminating network connections associated with the malicious object.
    Type: Grant
    Filed: August 29, 2011
    Date of Patent: May 15, 2012
    Assignee: Kaspersky Lab ZAO
    Inventors: Mikhail A. Pavlyushchik, Vladislav V. Martynenko, Yuri G. Slobodyanuk
  • Patent number: 8117602
    Abstract: A method, computer program product and system for monitoring execution behavior of a program product in a data processing system include development of a trace tool having trace strings written in a human language and provided with data fields for diagnostic information relevant to executable portions of the program product. Identifiers of the trace tool, trace strings, and data fields and components of the diagnostic information are encoded using a coded binary language. After monitoring execution of the program product, a trace report of the trace tool is translated for an intended recipient from the coded binary language into the human language, whereas an unauthorized access to the contents of the trace record is restricted. The encoding or decoding operations are performed using databases containing the respective identifiers and components of the diagnostic information in the coded binary language and the human language.
    Type: Grant
    Filed: April 1, 2008
    Date of Patent: February 14, 2012
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik