Patents by Inventor Mikhail A. Pavlyushchik

Mikhail A. Pavlyushchik has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8104090
    Abstract: A system, method, and computer program product for identifying malware components on a computer, including detecting an attempt to create or modify an executable file or an attempt to write to a system registry; logging the attempt as an auditable event; performing a malware check on executable files of the computer; if malware is detected on the computer, identifying all other files created or modified during the auditable event, and all other processes related to the auditable event; terminating the processes related to the auditable event; deleting or quarantining the executable files created or modified during the auditable event; and if the deleted executable files include any system files, restoring the system files from a trusted backup. Optionally, all files and processes having a parent-child relationship to a known malware component or known infected file are identified. A log of auditable events is maintained, and is recoverable after system reboot.
    Type: Grant
    Filed: December 15, 2008
    Date of Patent: January 24, 2012
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 8099785
    Abstract: A system, method and computer program product for treating a malware in a computer having multiple copies of the same malicious code activated, where the multiple copies monitor each other's existence, including (a) identifying a presence of the malicious code on the computer; (b) blocking actions that permit one active copy of the malicious code to activate another copy of the malicious code; (c) deleting, from persistent storage, a file containing executable code of the malware; and (d) rebooting the computer. The actions include disabling writes to the persistent storage, disabling writes to a system registry, and/or blocking activation of new processes. The blocking utilizes a driver loaded into the kernel space. The identifying can use signature identification for malware detection.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: January 17, 2012
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 8042186
    Abstract: Disclosed are systems, methods and computer program products for detection of malware with complex infection patterns. The system provides enhanced protection against malware by identifying potentially harmful software objects, monitoring execution of various processes and threads of potentially harmful objects, compiling contexts of events of execution of the monitored processes and threads, and merging contexts of related processes and threads. Based on the analysis of the individual and merged object contexts using malware behavior rules, the system allows detection of malicious objects that have simple and complex behavior patterns.
    Type: Grant
    Filed: April 28, 2011
    Date of Patent: October 18, 2011
    Assignee: Kaspersky Lab ZAO
    Inventors: Alexey A. Polyakov, Vladislav V. Martynenko, Yuri G. Slobodyanuk, Denis A. Nazarov, Mikhail A. Pavlyushchik
  • Publication number: 20100281468
    Abstract: A method, computer program product and system for monitoring execution behavior of a program product in a data processing system include development of a trace tool having trace strings written in a human language and provided with data fields for diagnostic information relevant to executable portions of the program product. Identifiers of the trace tool, trace strings, and data fields and components of the diagnostic information are encoded using a coded binary language. After monitoring execution of the program product, a trace report of the trace tool is translated for an intended recipient from the coded binary language into the human language, whereas an unauthorized access to the contents of the trace record is restricted. The encoding or decoding operations are performed using databases containing the respective identifiers and components of the diagnostic information in the coded binary language and the human language.
    Type: Application
    Filed: April 1, 2008
    Publication date: November 4, 2010
    Applicant: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 7725941
    Abstract: A system, method and computer program product for scanning an executable file for malware presence, the method comprising: (a) detecting an attempt to execute a file on a computer; (b) identifying whether the file is known or unknown; (c) if the file is a known file, performing a signature malware check; (d) if the file is an unknown file, performing risk analysis and risk assessment for the file; (e) based on the risk analysis and the risk assessment, identifying which malware detection algorithms need to be used for the file, in addition to signature detection; (f) performing the malware detection algorithms on the file; and (g) if no malware is detected, permitting execution of the file. The risk analysis is based on file source, file origin, file path, file size, whether the file is digitally signed, whether the file is a download utility, whether the file is packed, whether the file was received from a CDROM.
    Type: Grant
    Filed: May 15, 2008
    Date of Patent: May 25, 2010
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 7689974
    Abstract: A method, computer program product and system for monitoring execution behavior of a program product in a data processing system include development of a trace tool having trace strings written in a human language and provided with data fields for diagnostic information relevant to executable portions of the program product. Identifiers of the trace tool, trace strings, and data fields and components of the diagnostic information are encoded using a coded binary language. After monitoring execution of the program product, a trace report of the trace tool is translated for an intended recipient from the coded binary language into the human language, whereas an unauthorized access to the contents of the trace record is restricted. The encoding or decoding operations are performed using databases containing the respective identifiers and components of the diagnostic information in the coded binary language and the human language.
    Type: Grant
    Filed: December 19, 2008
    Date of Patent: March 30, 2010
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 7665081
    Abstract: A system, method and computer program product for software updates includes (a) generating a set of differences between a latest version of a file and a plurality of prior versions of the file, wherein the differences convert any of the plurality of prior versions into the latest version, but not to any other version; (b) publishing the set of differences; and (c) providing, to the client, in response to a client requesting an update to a client's version of the file and the client providing an identifier corresponding to the client's version of the file, a difference between the client's version of the file and one of (i) the latest version of the file, and (ii) a version of the file prior to the latest version.
    Type: Grant
    Filed: May 6, 2006
    Date of Patent: February 16, 2010
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 7620992
    Abstract: Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.
    Type: Grant
    Filed: October 2, 2007
    Date of Patent: November 17, 2009
    Assignee: Kaspersky Lab ZAO
    Inventors: Alexey V. Monastyrsky, Andrey V. Sobko, Mikhail A. Pavlyushchik
  • Patent number: 7614084
    Abstract: Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.
    Type: Grant
    Filed: October 2, 2007
    Date of Patent: November 3, 2009
    Assignee: Kaspersky Lab ZAO
    Inventors: Alexey V. Monastyrsky, Andrey V. Sobko, Mikhail A. Pavlyushchik
  • Patent number: 7559086
    Abstract: Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.
    Type: Grant
    Filed: October 2, 2007
    Date of Patent: July 7, 2009
    Assignee: Kaspersky Lab, ZAO
    Inventors: Andrey V. Sobko, Mikhail A. Pavlyushchik
  • Patent number: 7555621
    Abstract: A system, method and computer program product that manage storage device load, including (a) classifying processes that access a storage device as high priority and low priority; (b) monitoring access activity to the storage device by the high priority processes; and (c) regulating the access activity of the low priority processes based on the access activity of the high priority processes. A counter can be used to monitor the access activity of the high priority processes, so that a request to the storage device increases the counter and a response from the storage device decreases the counter, and access to the storage device is granted to the low priority processes when the counter is zero. The low priority processes can be backup processes, security system processes, anti-virus processes, compression processes, archive systems, and applications that monitor storage device access.
    Type: Grant
    Filed: August 1, 2006
    Date of Patent: June 30, 2009
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Publication number: 20090126016
    Abstract: Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.
    Type: Application
    Filed: October 2, 2007
    Publication date: May 14, 2009
    Inventors: Andrey Sobko, Mikhail A. Pavlyushchik
  • Publication number: 20090126015
    Abstract: Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.
    Type: Application
    Filed: October 2, 2007
    Publication date: May 14, 2009
    Inventors: Alexey V. Monastyrsky, Andrey V. Sobko, Mikhail A. Pavlyushchik
  • Patent number: 7530106
    Abstract: A system, method, and computer program product for secure rating of processes in an executable file for malware presence comprising: (a) detecting an attempt to execute a file on a computer; (b) performing an initial risk assessment of the file; (c) starting a process from code in the file; (d) analyzing an initial risk pertaining to the process and assigning an initial security rating to the process; (e) monitoring the process for the suspicious activities; (f) updating the security rating of the process when the process attempts to perform the suspicious activity; (g) if the updated security rating exceeds a first threshold, notifying a user and continuing execution of the process; and (h) if the updated security rating exceeds a second threshold, blocking the action and terminating the process.
    Type: Grant
    Filed: July 2, 2008
    Date of Patent: May 5, 2009
    Assignee: Kaspersky Lab, ZAO
    Inventors: Oleg V. Zaitsev, Nikolay A. Grebennikov, Alexey V. Monastyrsky, Mikhail A. Pavlyushchik
  • Patent number: 7526516
    Abstract: A system, method and computer program product for monitoring file integrity that includes intercepting a function call by a user application to change a timestamp of a file; updating a record of a number of times the timestamp has been changed, wherein the record is maintained in operating system space; in response to a monitoring application requesting the record, providing, to the monitoring application, the record for comparison with information maintained by the monitoring application; and changing behavior of a user application if the record does not correspond to the information maintained by the monitoring application. This can be performed for multiple files, and each file can have a corresponding record. The records can be maintained in a database in operating system space. The monitoring application can maintain a database of a number of times the timestamps of the files have been modified. The record is, e.g., a counter.
    Type: Grant
    Filed: August 1, 2006
    Date of Patent: April 28, 2009
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Publication number: 20090089040
    Abstract: Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.
    Type: Application
    Filed: October 2, 2007
    Publication date: April 2, 2009
    Inventors: Alexey V. Monastyrsky, Andrey V. Sobko, Mikhail A. Pavlyushchik
  • Publication number: 20090089878
    Abstract: Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.
    Type: Application
    Filed: January 22, 2008
    Publication date: April 2, 2009
    Inventors: Alexey V. Monastyrsky, Andrey V. Sobko, Mikhail A. Pavlyushchik
  • Patent number: 7472420
    Abstract: A system, method, and computer program product for identifying malware components on a computer, including detecting an attempt to create or modify an executable file or an attempt to write to a system registry; logging the attempt as an auditable event; performing a malware check on executable files of the computer; if malware is detected on the computer, identifying all other files created or modified during the auditable event, and all other processes related to the auditable event; terminating the processes related to the auditable event; deleting or quarantining the executable files created or modified during the auditable event; and if the deleted executable files include any system files, restoring the system files from a trusted backup. Optionally, all files and processes having a parent-child relationship to a known malware component or known infected file are identified. A log of auditable events is maintained, and is recoverable after system reboot.
    Type: Grant
    Filed: April 23, 2008
    Date of Patent: December 30, 2008
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 7392544
    Abstract: A system, method and computer program product for scanning an executable file for malware presence, the method comprising: (a) detecting an attempt to execute a file on a computer; (b) identifying whether the file is known or unknown; (c) if the file is a known file, performing a signature malware check; (d) if the file is an unknown file, performing risk analysis and risk assessment for the file; (e) based on the risk analysis and the risk assessment, identifying which malware detection algorithms need to be used for the file, in addition to signature detection; (f) performing the malware detection algorithms on the file; and (g) if no malware is detected, permitting execution of the file. The risk analysis is based on file source, file origin, file path, file size, whether the file is digitally signed, whether the file is a download utility, whether the file is packed, whether the file was received from a CDROM.
    Type: Grant
    Filed: December 18, 2007
    Date of Patent: June 24, 2008
    Assignee: Kaspersky Lab, ZAO
    Inventor: Mikhail A. Pavlyushchik
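The auditable-event scheme of patents 8104090 and 7472420 above (log file-create/modify and registry writes; when a scanner later flags a file, collect everything created or modified in the same event and every process related to it through parent-child links; quarantine the executables, restore any system files from backup), as an added example. This is not Kaspersky Lab's code; the event layout, paths, pids and the protected-file list are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class AuditEvent:
    event_id: int
    pid: int                           # process that performed the action
    action: str                        # "create_exe", "modify_exe" or "registry_write"
    target: str                        # file path or registry key
    parent_pid: Optional[int] = None   # parent of pid at the time of the event, if known

# constructed list of protected system binaries for which a trusted backup exists
SYSTEM_FILES = {"C:/Windows/System32/svchost.exe"}

class AuditLog:
    def __init__(self):
        self.events: List[AuditEvent] = []

    def record(self, ev: AuditEvent) -> None:
        # the real design persists this log so it is recoverable after a reboot
        self.events.append(ev)

    def related_processes(self, seed: Set[int]) -> Set[int]:
        """Close `seed` under the parent-child relation recorded in the log (both directions)."""
        rel = set(seed)
        while True:
            grow = {e.pid for e in self.events if e.parent_pid in rel}
            grow |= {e.parent_pid for e in self.events if e.pid in rel and e.parent_pid is not None}
            if grow <= rel:
                return rel
            rel |= grow

    def remediation_plan(self, detected_file: str) -> Dict[str, Set]:
        """The scanner flagged `detected_file`; work out what else belongs to the incident."""
        hits = [e for e in self.events if e.target == detected_file and e.action != "registry_write"]
        pids = self.related_processes({e.pid for e in hits})
        touched = [e for e in self.events if e.pid in pids]
        files = {e.target for e in touched if e.action in ("create_exe", "modify_exe")}
        return {
            "terminate": pids,                             # processes related to the auditable event
            "quarantine": files,                           # executables created/modified during it
            "restore_from_backup": files & SYSTEM_FILES,   # system files among them come back from backup
            "registry_keys": {e.target for e in touched if e.action == "registry_write"},
        }

def sample_log() -> AuditLog:
    """Constructed events: a dropper (pid 300, child of 200) writes a payload, its
    child (pid 310) patches a system binary and adds a Run key; pid 500 is unrelated."""
    log = AuditLog()
    log.record(AuditEvent(1, 300, "create_exe", "C:/Users/u/AppData/Local/Temp/dropper.exe", parent_pid=200))
    log.record(AuditEvent(2, 310, "modify_exe", "C:/Windows/System32/svchost.exe", parent_pid=300))
    log.record(AuditEvent(3, 310, "registry_write", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/upd"))
    log.record(AuditEvent(4, 500, "create_exe", "C:/Program Files/Editor/setup.exe", parent_pid=1))
    return log

if __name__ == "__main__":
    print(sample_log().remediation_plan("C:/Users/u/AppData/Local/Temp/dropper.exe"))
```

The parent-child closure is deliberately unbounded here; on a real host the walk must stop at trusted system processes (the shell, the service host), otherwise one shared ancestor pulls every user process into the "related" set and the plan would terminate the whole session.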
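Patent 8099785 above orders its steps as identify, block activation (writes, registry, new processes) through a kernel driver, delete the file, reboot. The toy model below, added here and not taken from the patent or from Kaspersky Lab, shows why that order matters against two copies that watch each other: a naive kill-and-delete is undone by the surviving copy, while blocking first leaves nothing to restart. The host state, file path and respawn behaviour are constructed.

```python
from typing import Set

MAL_FILE = "C:/Windows/Temp/upd.exe"   # constructed path of the malware's on-disk copy

class Host:
    def __init__(self):
        self.files: Set[str] = {MAL_FILE}
        self.procs: Set[str] = {"copy1", "copy2"}   # both copies of the malicious code are active
        self.block_writes = False      # driver-enforced: no writes to persistent storage
        self.block_registry = False    # driver-enforced: no registry writes
        self.block_new_procs = False   # driver-enforced: no activation of new processes

    def malware_tick(self) -> None:
        """Each surviving copy re-drops the file if it is gone and re-activates its sibling."""
        for copy in list(self.procs):
            if MAL_FILE not in self.files and not self.block_writes:
                self.files.add(MAL_FILE)
            sibling = "copy2" if copy == "copy1" else "copy1"
            if sibling not in self.procs and not self.block_new_procs and MAL_FILE in self.files:
                self.procs.add(sibling)

    def reboot(self) -> None:
        self.procs = set()                               # memory-resident copies die ...
        self.block_writes = self.block_registry = self.block_new_procs = False
        if MAL_FILE in self.files:                       # ... but a surviving file is autostarted
            self.procs = {"copy1", "copy2"}

    def infected(self) -> bool:
        return bool(self.procs) or MAL_FILE in self.files

def naive_cleanup(h: Host) -> bool:
    """Kill one copy, delete the file, reboot; each step is answered by the other copy."""
    h.procs.discard("copy1"); h.malware_tick()   # sibling respawns copy1 from disk
    h.files.discard(MAL_FILE); h.malware_tick()  # copies re-drop the file from memory
    h.reboot()
    return not h.infected()

def patented_sequence(h: Host) -> bool:
    """(a) identify, (b) block activation via the driver, (c) delete the file, (d) reboot."""
    if MAL_FILE not in h.files:                                     # (a) stands in for signature identification
        return True
    h.block_writes = h.block_registry = h.block_new_procs = True    # (b)
    h.files.discard(MAL_FILE); h.malware_tick()                     # (c) copies can neither re-drop nor respawn
    h.reboot()                                                      # (d) nothing on disk to restart
    return not h.infected()

if __name__ == "__main__":
    print("naive:", naive_cleanup(Host()), "patented:", patented_sequence(Host()))
```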
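Patent 8042186 above (per-process and per-thread event contexts, merged across related processes and matched against behavior rules) and the emulation-engine family (7620992, 7614084, 7559086 and the corresponding applications: an event analyzer that judges a program on events from two or more of its components, each of which may look benign alone) share one idea, so one added example serves both. It is not Kaspersky Lab's code; the event kinds, rule table and sample trace are constructed, and a live monitor or an emulator would feed `detect` the same tuples.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[int, int, str]   # (pid, parent pid, event kind); parent 0 = unknown

# constructed behavior rules: a rule matches a context that contains all of its event kinds
RULES: Dict[str, Set[str]] = {
    "dropper_persistence": {"write_exe", "exec_dropped", "set_run_key"},
    "process_injection":   {"open_process", "write_memory", "create_remote_thread"},
}

def build_contexts(events: List[Event]):
    ctx: Dict[int, Set[str]] = defaultdict(set)
    parent: Dict[int, int] = {}
    for pid, ppid, kind in events:
        ctx[pid].add(kind)
        if ppid:
            parent[pid] = ppid
    return ctx, parent

def related_set(ctx, parent, pid: int) -> Set[int]:
    """pid plus its monitored ancestors and all descendants of those.
    The walk stops at processes with no monitored events so that a shared
    system ancestor does not fuse unrelated programs into one context."""
    related = {pid}
    p = pid
    while p in parent and parent[p] in ctx:
        p = parent[p]
        related.add(p)
    changed = True
    while changed:
        changed = False
        for child, pp in parent.items():
            if pp in related and child not in related:
                related.add(child)
                changed = True
    return related

def detect(events: List[Event]) -> Dict[int, Dict[str, List[str]]]:
    """Per process: rules matched by its own context and by the merged context."""
    ctx, parent = build_contexts(events)
    out = {}
    for pid in ctx:
        merged = set()
        for r in related_set(ctx, parent, pid):
            merged |= ctx[r]
        out[pid] = {
            "individual": sorted(n for n, req in RULES.items() if req <= ctx[pid]),
            "merged": sorted(n for n, req in RULES.items() if req <= merged),
        }
    return out

SAMPLE: List[Event] = [          # constructed trace
    (100, 1, "write_exe"),       # stage one drops a file ...
    (100, 1, "exec_dropped"),    # ... and runs it
    (101, 100, "set_run_key"),   # the child alone only touches the registry
    (200, 1, "open_process"),    # an unrelated tool does half of an injection pattern
    (200, 1, "write_memory"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Neither process 100 nor 101 matches a rule on its own; the merged context of the pair does, which is the "complex infection pattern" the abstract describes. Process 200 stays clean because its context never gains the third event and it shares no monitored ancestor with the others.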
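The trace-tool scheme of 7689974 and application 20100281468 above (trace strings authored in a human language with data fields, identifiers for tool, string and field encoded in a binary form, translation back through a database only for the intended recipient), as an added example that is not Kaspersky Lab's tracer. The record layout, identifier tables and sample strings are constructed.

```python
import struct
from typing import Dict, Iterable, Tuple

# constructed databases: identifier <-> human-language text
TOOLS: Dict[int, str] = {1: "av-scanner"}
STRINGS: Dict[int, Tuple[str, list]] = {
    1: ("scan started on {path} by pid {pid}", ["path", "pid"]),
    2: ("signature match {sig} in {path}", ["sig", "path"]),
}
FIELD_IDS: Dict[str, int] = {"path": 1, "pid": 2, "sig": 3}
FIELD_NAMES: Dict[int, str] = {v: k for k, v in FIELD_IDS.items()}

def encode_record(tool_id: int, string_id: int, fields: Dict[str, str]) -> bytes:
    """Binary layout: tool(u16) string(u16) nfields(u8), then per field id(u16) len(u16) bytes."""
    out = struct.pack(">HHB", tool_id, string_id, len(fields))
    for name, value in fields.items():
        data = str(value).encode("utf-8")
        out += struct.pack(">HH", FIELD_IDS[name], len(data)) + data
    return out

def decode_record(blob: bytes, tools=TOOLS, strings=STRINGS, field_names=FIELD_NAMES) -> str:
    """Translate one record back into the human language; needs the databases."""
    tool_id, string_id, n = struct.unpack_from(">HHB", blob, 0)
    off = 5
    values: Dict[str, str] = {}
    for _ in range(n):
        fid, length = struct.unpack_from(">HH", blob, off)
        off += 4
        values[field_names[fid]] = blob[off:off + length].decode("utf-8")
        off += length
    template, _ = strings[string_id]
    return f"[{tools[tool_id]}] " + template.format(**values)

def exposes_template_text(blob: bytes, phrases: Iterable[str]) -> bool:
    """Does the raw record leak any human-language trace-string text?"""
    return any(p.encode("utf-8") in blob for p in phrases)

if __name__ == "__main__":
    rec = encode_record(1, 2, {"sig": "Trojan.Win32.A", "path": "C:/tmp/x.exe"})
    print(rec.hex()); print(decode_record(rec))
```

Only the template text is withheld from a party without the database; field values such as paths travel as plain UTF-8 in this layout, so confidentiality of the values themselves would need encryption, which the abstract does not claim.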
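Patents 7725941 and 7392544 above describe the same pre-execution decision: a known file gets a signature check, an unknown file gets a risk assessment from source, origin, path, size, signature, packing, downloader nature and CD-ROM origin, and the assessment picks which extra detection algorithms to run. The added example below implements that selection; it is not the patented implementation, and the weights, thresholds, hash databases and detector stubs are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class FileInfo:
    sha256: str
    path: str
    size: int
    source: str          # "browser_download", "email", "removable", "cdrom", "local_install"
    signed: bool
    packed: bool
    is_downloader: bool  # a utility whose job is to fetch more code

KNOWN_HASHES = {"a" * 64}        # constructed known-file database
BAD_HASHES = {"c" * 64}          # constructed signature database

def risk_score(f: FileInfo) -> int:
    """Risk assessment of an unknown file from the factors the abstract lists."""
    score = {"browser_download": 3, "email": 4, "removable": 2, "cdrom": 1, "local_install": 0}.get(f.source, 3)
    p = f.path.lower().replace("\\", "/")
    score += 2 if any(seg in p for seg in ("/temp/", "/downloads/")) else 0
    score += 0 if f.signed else 2
    score += 2 if f.packed else 0
    score += 3 if f.is_downloader else 0
    score += 1 if f.size < 50_000 else 0      # tiny executables are commonly droppers
    return score

def select_algorithms(f: FileInfo) -> List[str]:
    if f.sha256 in KNOWN_HASHES:
        return ["signature"]                  # known file: signature check only
    algos = ["signature"]                     # unknown file: signature plus whatever the risk warrants
    r = risk_score(f)
    if r >= 3: algos.append("heuristic_static")
    if r >= 6: algos.append("emulation")
    if r >= 9: algos.append("behavior_monitor")
    return algos

# constructed detector stubs; a real engine would plug its scanners in here
DETECTORS: Dict[str, Callable[[FileInfo], bool]] = {
    "signature":        lambda f: f.sha256 in BAD_HASHES,
    "heuristic_static": lambda f: f.packed and not f.signed,
    "emulation":        lambda f: f.is_downloader,
    "behavior_monitor": lambda f: False,
}

def decide(f: FileInfo, detectors=DETECTORS) -> str:
    """Run the selected algorithms in order; permit execution only if none reports malware."""
    for name in select_algorithms(f):
        if detectors[name](f):
            return f"blocked:{name}"
    return "allowed"

SAMPLES = {  # constructed files about to execute
    "known":   FileInfo("a" * 64, "C:/Program Files/App/app.exe", 2_000_000, "local_install", True, False, False),
    "trusted": FileInfo("b" * 64, "C:/Program Files/App/tool.exe", 800_000, "local_install", True, False, False),
    "invoice": FileInfo("d" * 64, "C:/Users/u/AppData/Local/Temp/invoice.exe", 20_000, "email", False, True, True),
}

if __name__ == "__main__":
    for name, f in SAMPLES.items():
        print(name, select_algorithms(f), decide(f))
```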
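The update scheme of 7665081 above (publish, for each prior version, a difference that converts only that version into the latest; a client identifies its version and receives the matching difference), as an added example. It is not Kaspersky Lab's updater: the file is modelled as a line-based signature list, the delta is built from `difflib` opcodes, and the published SHA-256 of the latest version is the check that a delta was applied to the base it was made for. Versions and digests are constructed.

```python
import difflib
import hashlib
from typing import Dict, List, Optional, Tuple

Op = Tuple[str, int, int, List[str]]   # (tag, i1, i2, replacement lines taken from the target)

def make_delta(old: List[str], new: List[str]) -> List[Op]:
    """Edit instructions that turn `old` into `new`; meaningless against any other base."""
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    return [(tag, i1, i2, new[j1:j2]) for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]

def apply_delta(old: List[str], delta: List[Op]) -> List[str]:
    out: List[str] = []
    pos = 0
    for _tag, i1, i2, repl in delta:
        out.extend(old[pos:i1])   # unchanged run before this edit
        out.extend(repl)          # empty for a delete; i1 == i2 for an insert
        pos = i2
    out.extend(old[pos:])
    return out

def digest(lines: List[str]) -> str:
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()

class UpdateServer:
    def __init__(self, versions: Dict[str, List[str]], latest: str):
        self.latest = latest
        # (a) + (b): one published delta per prior version, each converting only to `latest`
        self.published = {v: make_delta(lines, versions[latest])
                          for v, lines in versions.items() if v != latest}
        self.latest_digest = digest(versions[latest])

    def request_update(self, client_version: str) -> Optional[Tuple[List[Op], str]]:
        """(c): the client presents its version identifier and gets the matching delta."""
        if client_version == self.latest:
            return None
        if client_version not in self.published:
            raise KeyError("unknown version identifier; client must fetch the full file")
        return self.published[client_version], self.latest_digest

def client_update(server: UpdateServer, version: str, lines: List[str]) -> List[str]:
    resp = server.request_update(version)
    if resp is None:
        return lines
    delta, expected = resp
    new = apply_delta(lines, delta)
    if digest(new) != expected:   # a delta applied to the wrong base yields garbage: reject it
        raise ValueError("update integrity check failed")
    return new

def update_rejected(server: UpdateServer, claimed_version: str, lines: List[str]) -> bool:
    try:
        client_update(server, claimed_version, lines)
        return False
    except ValueError:
        return True

VERSIONS = {   # constructed signature-database snapshots
    "v1": ["sig:0001 trojan.a", "sig:0002 worm.b"],
    "v2": ["sig:0001 trojan.a", "sig:0002 worm.b", "sig:0003 dropper.c"],
    "v3": ["sig:0001 trojan.a", "sig:0002 worm.b-rev2", "sig:0003 dropper.c", "sig:0004 rat.d"],
}

if __name__ == "__main__":
    srv = UpdateServer(VERSIONS, "v3")
    print(client_update(srv, "v1", VERSIONS["v1"]))
```

The digest only proves that the right delta met the right base; it does not authenticate the update. A deployment would sign the latest digest (or the delta itself) so that a client cannot be fed an attacker's delta together with a matching attacker's digest.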
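The counter-based gate of 7555621 above (high-priority requests increment a counter, their responses decrement it, low-priority I/O such as a backup or a virus scan proceeds only while the counter is zero), as an added example run over a constructed timeline. It is a simulation, not Kaspersky Lab's driver.

```python
from collections import deque
from typing import Deque, List, Tuple

class StorageGate:
    def __init__(self):
        self.outstanding_high = 0                      # the counter from the abstract
        self.pending_low: Deque[str] = deque()         # low-priority requests held back
        self.dispatched: List[Tuple[int, str]] = []    # (tick, request id) actually sent to the device

    def request(self, tick: int, rid: str, high: bool) -> None:
        if high:
            self.outstanding_high += 1                 # request from a high-priority process
            self.dispatched.append((tick, rid))
        elif self.outstanding_high == 0:
            self.dispatched.append((tick, rid))        # device idle from the interactive point of view
        else:
            self.pending_low.append(rid)               # regulate: hold the low-priority request

    def response(self, tick: int, rid: str, high: bool) -> None:
        if not high:
            return
        self.outstanding_high -= 1                     # response to a high-priority request
        if self.outstanding_high == 0:
            while self.pending_low:                    # release everything that was held back
                self.dispatched.append((tick, self.pending_low.popleft()))

def simulate(timeline) -> List[Tuple[int, str]]:
    gate = StorageGate()
    for tick, kind, rid, high in timeline:
        (gate.request if kind == "req" else gate.response)(tick, rid, high)
    return gate.dispatched

TIMELINE = [   # constructed: "av-*" is the low-priority scanner, "ui-*" an interactive application
    (0, "req",  "av-1", False),   # nothing outstanding: dispatched at once
    (1, "req",  "ui-1", True),
    (2, "req",  "av-2", False),   # counter is 1: held
    (3, "req",  "ui-2", True),
    (4, "resp", "ui-1", True),    # counter back to 1: still held
    (5, "resp", "ui-2", True),    # counter 0: av-2 released at tick 5
    (6, "req",  "av-3", False),   # dispatched at once
]

if __name__ == "__main__":
    print(simulate(TIMELINE))
```

A gate this strict can starve the scanner if some foreground process keeps the counter above zero indefinitely; a production version needs a maximum hold time or a trickle allowance, which the abstract leaves open.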
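The two-threshold rating of 7530106 above (initial risk assessment of the file, a security rating assigned to the process, the rating raised on each suspicious activity; above the first threshold the user is notified and the process continues, above the second the action is blocked and the process terminated), as an added example over a constructed activity trace. It is not Kaspersky Lab's code; the activity weights, initial-assessment factors and thresholds are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# constructed weights for suspicious activities
SUSPICIOUS: Dict[str, int] = {
    "open_network_listener": 15,
    "write_to_system_dir": 25,
    "write_autorun_key": 30,
    "inject_into_process": 40,
    "disable_security_service": 50,
}
NOTIFY_THRESHOLD = 50   # first threshold: notify the user, keep running
BLOCK_THRESHOLD = 90    # second threshold: block the action and terminate

def initial_rating(path: str, signed: bool, source: str) -> int:
    """Initial risk assessment of the file before its process starts (steps b to d)."""
    r = 0
    if not signed:
        r += 10
    if source in ("email", "browser_download"):
        r += 15
    if "/temp/" in path.lower().replace("\\", "/"):
        r += 10
    return r

@dataclass
class MonitoredProcess:
    pid: int
    rating: int
    alive: bool = True
    notified: bool = False
    history: List[Tuple[str, int, str]] = field(default_factory=list)

    def on_activity(self, activity: str) -> str:
        """Steps e to h: update the rating on a suspicious activity and act on the thresholds."""
        if not self.alive:
            return "terminated"
        self.rating += SUSPICIOUS.get(activity, 0)
        if self.rating > BLOCK_THRESHOLD:
            self.alive = False
            verdict = "block_and_terminate"
        elif self.rating > NOTIFY_THRESHOLD and not self.notified:
            self.notified = True
            verdict = "notify_user"
        else:
            verdict = "allow"
        self.history.append((activity, self.rating, verdict))
        return verdict

def run_trace(path: str, signed: bool, source: str, activities: List[str]):
    proc = MonitoredProcess(pid=4242, rating=initial_rating(path, signed, source))
    return [proc.on_activity(a) for a in activities], proc

TRACE = ["open_network_listener", "write_autorun_key", "inject_into_process"]   # constructed

if __name__ == "__main__":
    print(run_trace("C:/Users/u/AppData/Local/Temp/invoice.exe", False, "email", TRACE)[0])
    print(run_trace("C:/Program Files/App/app.exe", True, "local_install", TRACE)[0])
```

The same three activities end in termination for the unsigned e-mail attachment and only in a notification for the signed locally installed program, because the initial assessment seeds the rating differently; the user is notified once, not on every subsequent activity between the thresholds.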
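The timestamp-change record of 7526516 above (a function call that changes a file's timestamp is intercepted, a per-file count of changes is kept in operating-system space, a monitoring application compares that count with its own and changes behaviour on a mismatch), as an added example. The kernel-side hook is simulated by an object user code cannot reach except through its query interface; paths and times are constructed, and this is not Kaspersky Lab's driver.

```python
from typing import Dict, Tuple

class TimestampHook:
    """Stands in for the record kept in OS space by the interception driver."""
    def __init__(self):
        self._mtime: Dict[str, float] = {}
        self._changes: Dict[str, int] = {}   # per-file count of timestamp changes

    def create(self, path: str, mtime: float) -> None:
        self._mtime[path] = mtime
        self._changes[path] = 0

    def set_timestamp(self, path: str, new_mtime: float, caller: str) -> None:
        """The intercepted set-timestamp call: counted whoever the caller is."""
        self._mtime[path] = new_mtime
        self._changes[path] += 1

    def stat_mtime(self, path: str) -> float:
        return self._mtime[path]

    def query_record(self, path: str) -> int:
        return self._changes[path]

class IntegrityMonitor:
    """User-mode monitoring application with its own copy of the counts."""
    def __init__(self, hook: TimestampHook):
        self.hook = hook
        self.expected: Dict[str, Tuple[int, float]] = {}   # path -> (change count, mtime) we believe

    def watch(self, path: str) -> None:
        self.expected[path] = (self.hook.query_record(path), self.hook.stat_mtime(path))

    def touch(self, path: str, mtime: float) -> None:
        """Timestamp changes made through the monitor are expected and counted on both sides."""
        self.hook.set_timestamp(path, mtime, caller="monitor")
        count, _ = self.expected[path]
        self.expected[path] = (count + 1, mtime)

    def verify(self, path: str) -> Dict[str, bool]:
        count, mtime = self.expected[path]
        return {
            "mtime_matches": self.hook.stat_mtime(path) == mtime,        # what a naive check sees
            "counter_matches": self.hook.query_record(path) == count,    # what the OS-space record says
        }

def scenario(attacker: bool) -> Dict[str, bool]:
    hook = TimestampHook()
    mon = IntegrityMonitor(hook)
    path = "C:/Windows/System32/drivers/etc/hosts"   # constructed
    hook.create(path, 1_600_000_000.0)
    mon.watch(path)
    mon.touch(path, 1_600_100_000.0)                 # legitimate change, made through the monitor
    if attacker:
        remembered = hook.stat_mtime(path)
        hook.set_timestamp(path, 1_700_000_000.0, caller="malware.exe")   # modification bumps mtime
        hook.set_timestamp(path, remembered, caller="malware.exe")        # timestomp it back
    return mon.verify(path)

if __name__ == "__main__":
    print("clean:", scenario(False)); print("timestomped:", scenario(True))
```

After the attacker restores the original mtime, a comparison of timestamps alone reports the file unchanged; the change counter, which the attacker cannot reset from user mode, still shows two extra changes, and that is the mismatch on which the monitor changes the application's behaviour.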