System and method for protecting a computer system from the activity of malicious objects
    1.
    Granted patent (in force)

    Publication number: US08181247B1

    Publication date: 2012-05-15

    Application number: US13220056

    Filing date: 2011-08-29

    Abstract: Disclosed are systems, methods and computer program products for protecting a computer from activities of malicious objects. The method comprises: monitoring events of execution of one or more processes on the computer; identifying auditable events among the monitored events, including events of creation, alteration or deletion of files, events of alteration of system registry, and events of network access by processes executed on the computer; recording the identified auditable events in separate file, registry and network event logs; performing a malware check of one or more software objects on the computer; if an object is determined to be malicious, identifying from the file, registry and network event logs the events associated with the malicious object; performing rollback of file events associated with the malicious object; performing rollback of registry events associated with the malicious object; terminating network connections associated with the malicious object.


    System and method for detecting multi-component malware

    Publication number: US07559086B2

    Publication date: 2009-07-07

    Application number: US11866302

    Filing date: 2007-10-02

    CPC classification number: G06F21/566

    Abstract: Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.

    System and method for optimization of antivirus processing of disk files
    3.
    Granted patent (in force)

    Publication number: US08656494B2

    Publication date: 2014-02-18

    Application number: US13406754

    Filing date: 2012-02-28

    CPC classification number: G06F21/00 G06F21/56 G06F21/561 G06F21/565 G06F21/567

    Abstract: A system and method for optimization of AV processing of disk files. The system includes an AV scanner, a data cache module, an AV service and file analysis module. The optimization allows for reduction of time needed for the AV processing. Trusted files associated with a trusted key file are found. The trusted files that have been found are cached and excluded from further AV processing and the AV processing time is reduced.


    System and method for detecting multi-component malware
    4.
    Granted patent (in force)

    Publication number: US07620992B2

    Publication date: 2009-11-17

    Application number: US11866287

    Filing date: 2007-10-02

    CPC classification number: G06F21/566

    Abstract: Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.


    Disk access antiblocking system and method
    5.
    Granted patent (in force)

    Publication number: US07555621B1

    Publication date: 2009-06-30

    Application number: US11461526

    Filing date: 2006-08-01

    CPC classification number: G06F3/0659 G06F3/0611 G06F3/0673

    Abstract: A system, method and computer program product that manage storage device load, including (a) classifying processes that access a storage device as high priority and low priority; (b) monitoring access activity to the storage device by the high priority processes; and (c) regulating the access activity of the low priority processes based on the access activity of the high priority processes. A counter can be used to monitor the access activity of the high priority processes, so that a request to the storage device increases the counter and a response from the storage device decreases the counter, and access to the storage device for the low priority processes is allowed when the counter is zero. The low priority processes can be backup processes, security system processes, anti-virus processes, compression processes, archive systems, and applications that monitor storage device access.


    System and Method for Detecting Multi-Component Malware
    6.
    Patent application (under examination, published)

    Publication number: US20090089878A1

    Publication date: 2009-04-02

    Application number: US12017493

    Filing date: 2008-01-22

    CPC classification number: G06F21/566

    Abstract: Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.


    SYSTEM AND METHOD FOR OPTIMIZATION OF ANTIVIRUS PROCESSING OF DISK FILES
    7.
    Patent application (in force)

    Publication number: US20130227692A1

    Publication date: 2013-08-29

    Application number: US13406754

    Filing date: 2012-02-28

    CPC classification number: G06F21/00 G06F21/56 G06F21/561 G06F21/565 G06F21/567

    Abstract: A system and method for optimization of AV processing of disk files. The system includes an AV scanner, a data cache module, an AV service and file analysis module. The optimization allows for reduction of time needed for the AV processing. Trusted files associated with a trusted key file are found. The trusted files that have been found are cached and excluded from further AV processing and the AV processing time is reduced.


    Method and system for monitoring execution performance of software program product
    8.
    Granted patent (in force)

    Publication number: US08117602B2

    Publication date: 2012-02-14

    Application number: US12060832

    Filing date: 2008-04-01

    CPC classification number: G06F11/323 G06F11/3466

    Abstract: A method, computer program product and system for monitoring execution behavior of a program product in a data processing system include development of a trace tool having trace strings written in a human language and provided with data fields for diagnostic information relevant to executable portions of the program product. Identifiers of the trace tool, trace strings, and data fields and components of the diagnostic information are encoded using a coded binary language. After monitoring execution of the program product, a trace report of the trace tool is translated for an intended recipient from the coded binary language into the human language, whereas an unauthorized access to the contents of the trace record is restricted. The encoding or decoding operations are performed using databases containing the respective identifiers and components of the diagnostic information in the coded binary language and the human language.


    Method and system for treatment of cure-resistant computer malware
    9.
    Granted patent (in force)

    Publication number: US08099785B1

    Publication date: 2012-01-17

    Application number: US11743730

    Filing date: 2007-05-03

    CPC classification number: G06F21/55 G06F21/56

    Abstract: A system, method and computer program product for treating a malware in a computer having multiple copies of the same malicious code activated, where the multiple copies monitor each other's existence, including (a) identifying a presence of the malicious code on the computer; (b) blocking actions that permit one active copy of the malicious code to activate another copy of the malicious code; (c) deleting, from persistent storage, a file containing executable code of the malware; and (d) rebooting the computer. The actions include disabling writes to the persistent storage, disabling writes to a system registry, and/or blocking activation of new processes. The blocking utilizes a driver loaded into the kernel space. The identifying can use signature identification for malware detection.


    Method and system for antimalware scanning with variable scan settings
    10.
    Granted patent (in force)

    Publication number: US07725941B1

    Publication date: 2010-05-25

    Application number: US12120699

    Filing date: 2008-05-15

    CPC classification number: G06F21/562 G06F21/564

    Abstract: A system, method and computer program product for scanning an executable file for malware presence, the method comprising: (a) detecting an attempt to execute a file on a computer; (b) identifying whether the file is known or unknown; (c) if the file is a known file, performing a signature malware check; (d) if the file is an unknown file, performing risk analysis and risk assessment for the file; (e) based on the risk analysis and the risk assessment, identifying which malware detection algorithms need to be used for the file, in addition to signature detection; (f) performing the malware detection algorithms on the file; and (g) if no malware is detected, permitting execution of the file. The risk analysis is based on file source, file origin, file path, file size, whether the file is digitally signed, whether the file is a download utility, whether the file is packed, whether the file was received from a CDROM.

