Abstract: Disclosed herein are systems and methods for categorizing an application on a computing device including gathering a set of attributes of an application. The set of attributes of the application includes at least one of: a number of files in an application package of the application; a number of executable files in the application package; numbers and types of permissions being requested; a number of classes in the executable files in the application package; and a number of methods in the executable files in the application package. sending the gathered set of attributes to a trained classification model. The application is classified, using the classification model, based on the gathered set of attributes by generating one or more probabilities of the application belonging to respective one or more categories of applications. A category of the application is determined based on the generated one or more probabilities.

Abstract: Disclosed herein are systems and methods of categorizing a .NET application. In one aspect, an exemplary method comprises, by a hardware processor of a security module, launching a CLR profiler upon launching of the .NET application, forming an execution log of the .NET application and adding information about events occurring during the execution of the .NET application via the launched CLR profiler, assigning to the .NET application, a category of a predetermined list of categories based on an analysis of the execution log of the .NET application, and determining whether the .NET application is categorized as being a malicious application.

Abstract: Disclosed herein are systems and methods for categorizing an application on a computing device including gathering a set of attributes of an application. The set of attributes of the application includes at least one of: a number of files in an application package of the application; a number of executable files in the application package; numbers and types of permissions being requested; a number of classes in the executable files in the application package; and a number of methods in the executable files in the application package. sending the gathered set of attributes to a trained classification model. The application is classified, using the classification model, based on the gathered set of attributes by generating one or more probabilities of the application belonging to respective one or more categories of applications. A category of the application is determined based on the generated one or more probabilities.

Abstract: Disclosed herein are systems and methods for categorizing an application on a computing device. In one aspect, an exemplary method comprises, obtaining results of a classification of an application from a security server, when the results of the classification satisfy rules of relevance, designating the results of the classification as relevant and determining a category of the application based on the designation of the results as relevant, and when the results of the classification do not satisfy the rules of relevance, performing at least one of: terminating the categorization of the application, and updating the classification of the application based on a set of attributes of the application.

Abstract: Systems and methods for performing a repeat antivirus scan of a file are disclosed. A local database is saved on a mobile device, where each record is added to the database when the corresponding file is recognized as being non-malicious as a result of an antivirus scan. A short hash sum of the file is computed and the long hash sum of the file and information about the antivirus scan performed and corresponding to the first hash sum of the file are found in the aforementioned database. Using the long hash sum, a verdict on the file is requested from the cloud services. An antivirus scan of the file is performed, except when the verdict obtained is unchanged (as compared to the verdict contained in the information about the antivirus scan performed of the obtained record corresponding to the file), and no updating of the antivirus databases has occurred since the date of performing the antivirus scan.

Abstract: Disclosed are system and method for building statistical models of malicious elements of web pages. One exemplary method comprises: obtaining, by a control server, data about malicious elements of web pages; transforming, by the control server, the obtained data into at least one N-dimensional vector; creating, by the control server, at least one cluster based on elements of the at least one N-dimensional vector; and building, by the control server, the statistical model of the malicious elements of the web page based on the created at least one cluster.

Abstract: Disclosed herein are systems and methods for categorizing an application on a computing device. In one aspect, an exemplary method comprises, obtaining results of a classification of an application from a security server, when the results of the classification satisfy rules of relevance, designating the results of the classification as relevant and determining a category of the application based on the designation of the results as relevant, and when the results of the classification do not satisfy the rules of relevance, performing at least one of: terminating the categorization of the application, and updating the classification of the application based on a set of attributes of the application.

Abstract: Systems and methods for performing a repeat antivirus scan of a file are disclosed. A local database is saved on a mobile device, where each record is added to the database when the corresponding file is recognized as being non-malicious as a result of an antivirus scan. A short hash sum of the file is computed and the long hash sum of the file and information about the antivirus scan performed and corresponding to the first hash sum of the file are found in the aforementioned database. Using the long hash sum, a verdict on the file is requested from the cloud services. An antivirus scan of the file is performed, except when the verdict obtained is unchanged (as compared to the verdict contained in the information about the antivirus scan performed of the obtained record corresponding to the file), and no updating of the antivirus databases has occurred since the date of performing the antivirus scan.

Abstract: Disclosed are system and method for building statistical models of malicious elements of web pages. One exemplary method comprises: obtaining, by a control server, data about malicious elements of web pages; transforming, by the control server, the obtained data into at least one N-dimensional vector; creating, by the control server, at least one cluster based on elements of the at least one N-dimensional vector; and building, by the control server, the statistical model of the malicious elements of the web page based on the created at least one cluster.

Abstract: Disclosed are system and method for detecting anomalous or malicious elements of a web page. One exemplary method comprises: obtaining data about elements of a tested web page; generating at least one N-dimensional vector characterizing elements of the tested web page; retrieving a statistical model of known malicious web page elements; comparing the at least one N-dimensional vector with clusters of the statistical model of known malicious web page elements, by measuring the distance of the N-dimensional vector of the element and centers of all clusters of the statistical model; and identifying at least one malicious element of the tested web page based on results of the comparison.

Abstract: Disclosed herein are systems and methods of categorizing a .NET application. In one aspect, an exemplary method comprises, by a hardware processor of a security module, launching a CLR profiler upon launching of the .NET application, forming an execution log of the .NET application and adding information about events occurring during the execution of the .NET application via the launched CLR profiler, assigning to the .NET application, a category of a predetermined list of categories based on an analysis of the execution log of the .NET application, and determining whether the .NET application is categorized as being a malicious application.

Abstract: Disclosed are system and method for detecting anomalous elements of web pages. One exemplary method comprises: obtaining access to a web site, by a client computing device, by requesting a web page associated with the web site via a web server; executing the web page by the client computing device to gather data relating to the web page; determining at least one N-dimensional vector based at least on the gathered data; creating at least one cluster comprising a set of values of coordinates of vectors for at least one element of the web page in N-dimensional space based on the at least one N-dimensional vector; creating a statistical model of the web page based on the at least one cluster; and using the statistical model for detecting anomalous elements of the web page.

Abstract: Disclosed are systems and method for secure transmission of web pages using encryption of their content. An exemplary method comprises: receiving from a remote server, by a processor of a proxy server, a web page requested by a user device; analyzing, by the processor, the received web page to select one or more elements of the web page for encryption based at least upon a list of web page elements predetermined by the proxy server to protect against malware attacks; encrypting the code of the one or more selected elements; generating a script containing the encrypted code of the one or more selected elements; and replacing the code of the one or more selected elements in the web page with the script containing the encrypted code of the one or more selected elements prior to transmitting the web page to the user device.

Abstract: Disclosed are system and method for detecting anomalous or malicious elements of a web page. One exemplary method comprises: obtaining data about elements of a tested web page; generating at least one N-dimensional vector characterizing elements of the tested web page; retrieving a statistical model of known malicious web page elements; comparing the at least one N-dimensional vector with clusters of the statistical model of known malicious web page elements, by measuring the distance of the N-dimensional vector of the element and centers of all clusters of the statistical model; and identifying at least one malicious element of the tested web page based on results of the comparison.

Abstract: Disclosed are system and method for detecting anomalous elements of web pages. One exemplary method comprises: obtaining access to a web site, by a client computing device, by requesting a web page associated with the web site via a web server; executing the web page by the client computing device to gather data relating to the web page; determining at least one N-dimensional vector based at least on the gathered data; creating at least one cluster comprising a set of values of coordinates of vectors for at least one element of the web page in N-dimensional space based on the at least one N-dimensional vector; creating a statistical model of the web page based on the at least one cluster; and using the statistical model for detecting anomalous elements of the web page.

Abstract: Disclosed are a system and method for determining web pages modified with malicious code. An example method includes: intercepting an attempt to access a website; selecting, by a processor, one or more malicious software configuration files based on the intercepting of the attempt to access the website; creating a verification web page based on one or more code fragments from the selected one or more malicious software configuration files; opening the verification web page; and determining, by the processor, whether malicious code has been injected into the opened verification web page.

Abstract: Disclosed are systems and method for secure transmission of web pages using encryption of their content. An exemplary method comprises: receiving from a remote server, by a processor of a proxy server, a web page requested by a user device; analyzing, by the processor, the received web page to select one or more elements of the web page for encryption based at least upon a list of web page elements predetermined by the proxy server to protect against malware attacks; encrypting the code of the one or more selected elements; generating a script containing the encrypted code of the one or more selected elements; and replacing the code of the one or more selected elements in the web page with the script containing the encrypted code of the one or more selected elements prior to transmitting the web page to the user device.

Abstract: Disclosed are systems and method for encrypted transmission of web pages. One exemplary method comprises: receiving, by a proxy server, a web page requested by a user device; analyzing, by a hardware processor of the proxy server, the received web page to identify code of elements of the web page; selecting one or more identified elements of the web page for encryption; encrypting, by the hardware processor, the code of the one or more selected elements; generating, by the hardware processor, a script containing the encrypted code of the one or more selected elements; modifying the web page, by the hardware processor, by replacing in the web page the code of the one or more selected elements with the script containing the encrypted code of said one or more selected elements; and transmitting, by the proxy server, the modified web page to the user device.

Abstract: Disclosed are a system and method for determining web pages modified with malicious code. An example method includes: intercepting an attempt to access a website; selecting, by a processor, one or more malicious software configuration files based on the intercepting of the attempt to access the website; creating a verification web page based on one or more code fragments from the selected one or more malicious software configuration files; opening the verification web page; and determining, by the processor, whether malicious code has been injected into the opened verification web page.

Abstract: Disclosed is a system and method for determining modified web pages. An example method includes: extracting a plurality of malware trigger code fragments from a configuration file of the malicious software; creating a verification web page by adding the plurality of malware trigger code fragments into a template page; storing, in a database, data relating to an initial state of the verification web page; opening the verification web page and identifying data relating to an opened state of the verification web page; comparing the data relating to the initial state and the data relating to the opened state of the verification web page; and based on detected differences between the data relating to the initial state and the data relating to the opened state of the verification web page, identifying at least one modified code fragment of the verification web page.