Abstract: Disclosed herein are methods and systems for detecting malicious files by a user computer. For example, in one aspect, the method comprises registering application programming interface (API) calls made by a file during an execution of the file on the user computer in a local call log, the local call log comprising control flow graphs of processes launched from the file, searching for a rule that matches behavioral rules a local database, when the behavioral rules are found, determining the file is malicious and halting execution of the file on the user computer, otherwise, transmitting the local call log to a remote server, receiving a verdict, when the verdict indicates the file is malicious, receiving a virus signature corresponding to the verdict, and updating the local call log based on the verdict and virus signature, wherein the updating enables detection of subsequently received malicious files.

Abstract: A method for processing information security events of a computer system includes receiving information related to a plurality of information security events occurred in the computer system. Each of the events includes an event related to a possible violation of information security of the computer system. A verdict is determined for each of the events. The verdict includes: i) information security incident or ii) false positive. The verdict is false positive if the probability of a false positive for the corresponding event is greater than a first threshold. Verdicts are changed for a subset of the events from the false positive to the information security incident. A number of events in the subset is lower than a second threshold. An analysis of the events having a verdict of the information security incident is performed to determine if the computer system is under a cyberattack.

Abstract: Disclosed are systems and methods of adding tags for use in detecting computer attacks. In one aspect, the system comprises a computer protection module configured to: receive a security notification, extract an object from the security notification, search for the extracted object in a threat database, add a first tag corresponding to the extracted object in the threat database only when the extracted object is found in the threat database, search for signs of suspicious activity in a database of suspicious activities based on the received security notification and the added first tag, and when at least one sign of suspicious activity is found, extract a second tag from the database of suspicious activities and add the second tag to an object database, wherein the object database is used for identifying signature of targeted attacks based on security notifications, objects, first tags and second tags.

Abstract: Disclosed are systems and methods for creating antivirus records for antivirus applications. An exemplary method includes: analyzing a log of records of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to one or more records of API function calls from the log is identified; extracting from the log the one or more API function calls associated with the identified behavioral rule; determining whether the one or more extracted records of API function calls are supported by an antivirus application of a user device; and when the one or more extracted records of API function calls are not supported by the antivirus application, adding to the antivirus application, a support for registering the unsupported records of API function calls.

Abstract: A method for processing information security events of a computer system includes receiving information related to a plurality of information security events occurred in the computer system. Each of the events includes an event related to a possible violation of information security of the computer system. A verdict is determined for each of the events. The verdict includes: i) information security incident or ii) false positive. The verdict is false positive if the probability of a false positive for the corresponding event is greater than a first threshold. Verdicts are changed for a subset of the events from the false positive to the information security incident. A number of events in the subset is lower than a second threshold. An analysis of the events having a verdict of the information security incident is performed to determine if the computer system is under a cyberattack.

Abstract: Disclosed herein are methods and systems for detecting malicious files by a user computer. For example, in one aspect, the method comprises registering application programming interface (API) calls made by a file during an execution of the file on the user computer in a local call log, the local call log comprising control flow graphs of processes launched from the file, searching for a rule that matches behavioral rules a local database, when the behavioral rules are found, determining the file is malicious and halting execution of the file on the user computer, otherwise, transmitting the local call log to a remote server, receiving a verdict, when the verdict indicates the file is malicious, receiving a virus signature corresponding to the verdict, and updating the local call log based on the verdict and virus signature, wherein the updating enables detection of subsequently received malicious files.

Abstract: Disclosed are systems and methods of adding tags for use in detecting computer attacks. In one aspect, the system comprises a computer protection module configured to: receive a security notification, extract an object from the security notification, search for the extracted object in a threat database, add a first tag corresponding to the extracted object in the threat database only when the extracted object is found in the threat database, search for signs of suspicious activity in a database of suspicious activities based on the received security notification and the added first tag, and when at least one sign of suspicious activity is found, extract a second tag from the database of suspicious activities and add the second tag to an object database, wherein the object database is used for identifying signature of targeted attacks based on security notifications, objects, first tags and second tags.

Abstract: Disclosed are systems and methods for creating antivirus records for antivirus applications. An exemplary method includes: analyzing a log of records of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to one or more records of API function calls from the log is identified; extracting from the log the one or more API function calls associated with the identified behavioral rule; determining whether the one or more extracted records of API function calls are supported by an antivirus application of a user device; and when the one or more extracted records of API function calls are not supported by the antivirus application, adding to the antivirus application, a support for registering the unsupported records of API function calls.

Abstract: Disclosed are systems and methods for cloud detection, investigation and elimination of targeted attacks. In one exemplary aspect, the system comprises a computer protection module configured to: gather information on an object in a computer in a network; and save a security notification with the object in an object database in the network; and a module for protection against targeted attacks configured to: search for the object in a threat database in the network; add one or more tags to the object when the object is found in the threat database and adding a correspondence between a record in the object database and the threat database; and determine that a computer attack has occurred when the one or more tags correspond to signatures in a database of computer attacks.

Abstract: Disclosed herein are methods and systems of detecting malicious files. According to one aspect, a method comprises receiving one or more call logs from respectively one or more computers, each call log comprising function calls made from a file executing on a respective computer, combining the one or more call logs into a combined call log, searching the combined call log to find a match for one or more behavioral rules stored in a threat database, determining, when the behavioral rules are found in the call log, a verdict about the file being investigated and transmitting information regarding the verdict to the one or more computers.

Abstract: Disclosed herein are systems and methods of creating antivirus records. An exemplary method comprises: analyzing, by a protector against targeted attacks, a log of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to records of a log of API function calls is identified; extracting one or more records of API function calls associated with the identified behavioral rule; determining whether at least one extracted record of the API function calls can be registered by a protector of a computing device; and when the at least one extracted record can be registered by the protector of the computing device, creating an antivirus record for the protector of the computing device, wherein the created antivirus record includes at least the extracted records of the API function calls.

Abstract: Disclosed herein are systems and methods of creating antivirus records. An exemplary method comprises: analyzing, by a protector against targeted attacks, a log of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to records of a log of API function calls is identified; extracting one or more records of API function calls associated with the identified behavioral rule; determining whether at least one extracted record of the API function calls can be registered by a protector of a computing device; and when the at least one extracted record can be registered by the protector of the computing device, creating an antivirus record for the protector of the computing device, wherein the created antivirus record includes at least the extracted records of the API function calls.

Abstract: Disclosed herein are methods and systems of detecting malicious files. According to one aspect, a method comprises receiving one or more call logs from respectively one or more computers, each call log comprising function calls made from a file executing on a respective computer, combining the one or more call logs into a combined call log, searching the combined call log to find a match for one or more behavioral rules stored in a threat database, determining, when the behavioral rules are found in the call log, a verdict about the file being investigated and transmitting information regarding the verdict to the one or more computers.

Abstract: Disclosed are systems and methods for cloud detection, investigation and elimination of targeted attacks. In one exemplary aspect, the system comprises a computer protection module configured to: gather information on an object in a computer in a network; and save a security notification with the object in an object database in the network; and a module for protection against targeted attacks configured to: search for the object in a threat database in the network; add one or more tags to the object when the object is found in the threat database and adding a correspondence between a record in the object database and the threat database; and determine that a computer attack has occurred when the one or more tags correspond to signatures in a database of computer attacks.