Abstract: Disclosed herein are systems and methods for filtering events for transmission to a remote device. In one aspect, an exemplary method comprises, collecting events and identifying, for each event of the collected events, a type the collected events belong to from among a predetermined list of types of events, and determining, for each type of events that is identified, a selection coefficient that indicates a proportion of events of the type of events to be transmitted to a remote device, when a predetermined number of collected events is reached, combining the collected events into a sequence, and determining, for the sequence, a time interval for which a given number of events is collected, for each type of events, selecting events for transmission to the remote device based on the selection coefficient of the respective type of events, and transmitting the selected events to the remote device.

Abstract: Disclosed herein are systems and methods for blocking network connections to network resources of forbidden categories.

Abstract: Disclosed herein are systems and methods for detecting unauthorized alteration with regard to a certificate store. In one aspect, an exemplary method comprises, tracking changes in a file system or a system registry of an operating system of a device with regard to the certificate store, detecting an alteration or an attempted alteration with regard to the certificate and sending information about the alternation or the attempted alteration to an analysis module, obtaining information about at least one certificate with which a change in the file system or the system registry with regard to the certificate store is connected, and determining a class of the change, where the class of the change is determined from a portion of the respective system registry or the file system in which the change occurred and from an action associated with the change, and comparing the obtained information to similar information on known certificates.

Abstract: Disclosed herein are systems and methods for blocking network connections. In one aspect, an exemplary method comprises, intercepting a certificate from the server when establishing a protected connection between a server and a client, determining whether the intercepted certificate is similar to one or more forbidden certificates, the determination of whether the intercepted certificate is similar to one or more forbidden certificates comprising transforming the intercepted certificate in accordance with a method of determining similarities between certificates and a method of saving forbidden certificates in a database of forbidden certificates, and blocking the connection when the intercepted certificate is similar to the one or more forbidden certificates.

Abstract: Disclosed herein are systems and methods for detecting unauthorized alteration with regard to a certificate store. In one aspect, an exemplary method comprises, tracking changes in a file system or a system registry of an operating system of a device with regard to the certificate store, detecting an alteration or an attempted alteration with regard to the certificate and sending information about the alternation or the attempted alteration to an analysis module, obtaining information about at least one certificate with which a change in the file system or the system registry with regard to the certificate store is connected, and determining a class of the change, where the class of the change is determined from a portion of the respective system registry or the file system in which the change occurred and from an action associated with the change, and comparing the obtained information to similar information on known certificates.

Abstract: Disclosed herein are systems and methods for blocking network connections. In one aspect, an exemplary method comprises, intercepting a certificate from the server when establishing a protected connection between a server and a client, determining whether the intercepted certificate is similar to one or more forbidden certificates, the determination of whether the intercepted certificate is similar to one or more forbidden certificates comprising transforming the intercepted certificate in accordance with a method of determining similarities between certificates and a method of saving forbidden certificates in a database of forbidden certificates, and blocking the connection when the intercepted certificate is similar to the one or more forbidden certificates.

Abstract: Disclosed herein are systems and methods for blocking network connections to network resources of forbidden categories.

Abstract: A method for detection of malicious encryption programs, the method comprising: intercepting, at a server, a file operation request from a client on a file stored on the server; collecting information about at least the requested file and the requested operation; determining, by a hardware processor of the server, based on the collected information, whether the file operation request came from a known malicious encryption program; when the file operation request came from an unknown program, then calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file; and calculating, by the hardware processor, a difference between the calculated entropies; when the difference is below a threshold, allowing the requested operation on the file; and when the difference is above the threshold, denying the requested operation on the file.

Abstract: Disclosed are systems and methods for altering a functionality of an application installed in a computer. In one aspect, an exemplary method comprises, by a hardware processor of the computer, receiving an application update to the application, wherein the application update comprises one or more of a patch, service pack and software update, updating the application based on the application update by applying the application update to the application, detecting one or more events occurring on a computer after the updating of the application based on the application update, determining one or more portions of the application which caused the one or more events to occur on the computer, and altering the one or more portions of the application when a number of detected events exceeds a threshold, wherein how the one or more portions are altered depends on the one or more events.

Abstract: Disclosed are systems and methods for altering functionality of an application. An example method comprises receiving, by a hardware processor, an application update to the application, wherein the application update comprises one or more of a patch, service pack and software update, updating, by the hardware processor, the application based on the application update by applying the application update to the application, detecting, by the hardware processor, one or more events occurring on a computer after updating the application based on the application update, determining, by the hardware processor, one or more portions of the application which caused the one or more events to occur on the computer, altering, by the hardware processor, the one or more portions of the application when a number of detected events exceeds a threshold, wherein how the one or more portions are altered depends on the one or more events.

Abstract: Disclosed are systems and methods for altering functionality of an application. An example method comprises updating the application, wherein the application includes one or more functional modules; detecting events occurring on the computer after the updating, wherein types of the detected events belong to a set of detectable events; determining which of the one or more functional modules of the application caused the detected events; and altering the one or more detected functional modules, wherein the altering of the functional modules and which functional modules are altered depend on the detected events and on which functional modules caused the detected events.

Abstract: A method for detection of malicious encryption programs, the method comprising: intercepting, at a server, a file operation request from a client on a file stored on the server; collecting information about at least the requested file and the requested operation; determining, by a hardware processor of the server, based on the collected information, whether the file operation request came from a known malicious encryption program; when the file operation request came from an unknown program, then calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file; and calculating, by the hardware processor, a difference between the calculated entropies; when the difference is below a threshold, allowing the requested operation on the file; and when the difference is above the threshold, denying the requested operation on the file.

Abstract: Disclosed are systems, methods and computer program products for controlling access to encrypted files. In one aspect, the system detects a request from an application to access an encrypted file. The system identifies the application that requested access to the encrypted file and one or more file access policies associated with the application. The file access policy specifies at least a file access method associated with the application. The system then controls access to the file based on the identified one or more file access policies.

Abstract: Disclosed are systems and methods for altering functionality of an application. An example method comprises updating the application, wherein the application includes one or more functional modules; detecting events occurring on the computer after the updating, wherein types of the detected events belong to a set of detectable events; determining which of the one or more functional modules of the application caused the detected events; and altering the one or more detected functional modules, wherein the altering of the functional modules and which functional modules are altered depend on the detected events and on which functional modules caused the detected events.

Abstract: Disclosed are systems, methods and computer program products for providing user access to encrypted data. In one example, a system is configured to receive a security policy for the user device, wherein the security policy includes data access conditions and data encryption conditions for one or more users of the user device; identify one or more user accounts in the OS of the user device as specified in the data access conditions; create a pre-boot authentication account (PBA) for the identified user accounts based on the data access conditions, for storing pre-boot authentication credentials for authenticating a user before booting of the OS on the user device; and encrypt at least a portion of data stored on the user device based on the data encryption conditions, wherein access to the encrypted portion of data is granted to the user upon entry of the correct pre-boot authentication credentials.

Abstract: Disclosed are systems, methods and computer program products for controlling access to encrypted files. In one aspect, the system detects a request from an application to access an encrypted file. The system identifies the application that requested access to the encrypted file and one or more file access policies associated with the application. The file access policy specifies at least a file access method associated with the application. The system then controls access to the file based on the identified one or more file access policies.

Abstract: Disclosed are systems, methods and computer program products for providing user access to encrypted data. In one example, a system is configured to receive a security policy for the user device, wherein the security policy includes data access conditions and data encryption conditions for one or more users of the user device; identify one or more user accounts in the OS of the user device as specified in the data access conditions; create a pre-boot authentication account (PBA) for the identified user accounts based on the data access conditions, for storing pre-boot authentication credentials for authenticating a user before booting of the OS on the user device; and encrypt at least a portion of data stored on the user device based on the data encryption conditions, wherein access to the encrypted portion of data is granted to the user upon entry of the correct pre-boot authentication credentials.

Abstract: Disclosed are systems, methods and computer program products for providing user access to encrypted data. In one example, a system is configured to receive a security policy for the user device, wherein the security policy includes data access conditions and data encryption conditions for one or more users of the user device; identify one or more user accounts in the OS of the user device as specified in the data access conditions; create a pre-boot authentication account (PBA) for the identified user accounts based on the data access conditions, for storing pre-boot authentication credentials for authenticating a user before booting of the OS on the user device; and encrypt at least a portion of data stored on the user device based on the data encryption conditions, wherein access to the encrypted portion of data is granted to the user upon entry of the correct pre-boot authentication credentials.

Abstract: Disclosed are systems, methods and computer program products for providing user access to encrypted data. In one example, a system is configured to receive a security policy for the user device, wherein the security policy includes data access conditions and data encryption conditions for one or more users of the user device; identify one or more user accounts in the OS of the user device as specified in the data access conditions; create a pre-boot authentication account (PBA) for the identified user accounts based on the data access conditions, for storing pre-boot authentication credentials for authenticating a user before booting of the OS on the user device; and encrypt at least a portion of data stored on the user device based on the data encryption conditions, wherein access to the encrypted portion of data is granted to the user upon entry of the correct pre-boot authentication credentials.