Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.

Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.

Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.

Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.

Abstract: Disclosed are systems and methods for controlling execution of programs on a computer. An exemplary method includes detecting an unknown program installed on a computer; identifying undesirable actions performed by the unknown program on the computer, wherein the undesirable actions include at least one of: actions performed by the program without knowledge of a user, actions for accessing personal user data on the computer, and actions effecting user's working with other programs or operating system of the computer determining whether the unknown program is undesirable or not based on the identified undesirable actions of the program; when the unknown program is determined be undesirable, prompting the user to select whether to allow or prohibit execution of the undesirable program on the computer; and when the unknown program is determined not to be undesirable, allowing execution of the unknown program on the computer.

Abstract: Disclosed is a system and method for restoring modified data. An example method includes intercepting, by an activity tracking module, a request from a program to modify data; determining, by an analysis module, parameters of the intercepted request; generating, by the analysis module, a request to generate a backup copy of the data based on at least one of the determined parameters of the intercepted request; and generating and storing, by a backup module, the backup copy of the data in an electronic database.

Abstract: Disclosed are systems and methods for controlling execution of programs on a computer. An exemplary method includes detecting an unknown program installed on a computer; identifying undesirable actions performed by the unknown program on the computer, wherein the undesirable actions include at least one of: actions performed by the program without knowledge of a user, actions for accessing personal user data on the computer, and actions effecting user's working with other programs or operating system of the computer determining whether the unknown program is undesirable or not based on the identified undesirable actions of the program; when the unknown program is determined be undesirable, prompting the user to select whether to allow or prohibit execution of the undesirable program on the computer; and when the unknown program is determined not to be undesirable, allowing execution of the unknown program on the computer.

Abstract: Disclosed is a system and method for restoring modified data. An example method includes intercepting, by an activity tracking module, a request from a program to modify data; determining, by an analysis module, parameters of the intercepted request; generating, by the analysis module, a request to generate a backup copy of the data based on at least one of the determined parameters of the intercepted request; and generating and storing, by a backup module, the backup copy of the data in an electronic database.

Abstract: Disclosed are systems and methods for controlling installation of programs on a computer. An exemplary system is configured to detect installation of an unknown program on a computer; suspend installation of the unknown program; execute the unknown program in a secure environment; detect undesirable actions of the unknown program, including: actions performed by the program without knowledge of a user, actions for accessing personal user data on the computer, and actions effecting user's working with other programs or operating system of the computer; determine whether the unknown program is undesirable or not based on the detected undesirable actions of the program; when the unknown program is determined be undesirable, prompt the user to select whether to allow or prohibit installation of the undesirable program on the computer; and when the unknown program is determined not to be undesirable, allow installation of the unknown program on the computer.

Abstract: System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.

Abstract: System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided.

Abstract: Disclosed are systems, methods and computer program products for protecting a computer from activities of malicious objects. The method comprises: monitoring events of execution of one or more processes on the computer; identifying auditable events among the monitored events, including events of creation, alteration or deletion of files, events of alteration of system registry, and events of network access by processes executed on the computer; recording the identified auditable events in separate file, registry and network event logs; performing a malware check of one or more software objects on the computer; if an object is determined to be malicious, identifying from the file, registry and network event logs the events associated with the malicious object; performing rollback of file events associated with the malicious object; performing rollback of registry events associated with the malicious object; terminating network connections associated with the malicious object.

Abstract: Disclosed are systems, methods and computer program products for detection of malware with complex infection patterns. The system provides enhanced protection against malware by identifying potentially harmful software objects, monitoring execution of various processes and threads of potentially harmful objects, compiling contexts of events of execution of the monitored processes and threads, and merging contexts of related processes and threads. Based on the analysis of the individual and merged object contexts using malware behavior rules, the system allows detection of malicious objects that have simple and complex behavior patterns.