US Pat. No. 9,286,105

SYSTEM AND METHOD FOR FACILITATING JOINT OPERATION OF MULTIPLE HYPERVISORS IN A COMPUTER SYSTEM

AO KASPERSKY LAB, Moscow...

1. A system for coordinating joint operation of multiple hypervisors, the system comprising:
a computing platform having a processor, data storage, and input/output facilities, the processor being switchable between
a hypervisor mode and a supervisor mode, the hypervisor mode providing a higher privilege level than the supervisor mode,
the computing platform containing instructions that, when executed by the computing platform, cause the computing platform
to implement:

a persistent hypervisor and a non-persistent hypervisor;
a scheduler engine configured to coordinate operation of the non-persistent hypervisor in the supervisor mode;
a handler engine configured to coordinate operation of the persistent hypervisor in the hypervisor mode such that:
the handler engine monitors, and responds to, an attempted mode transition of the processor between the hypervisor and supervisor
modes;

in response to an attempted mode transition from the hypervisor mode to the supervisor mode, the handler engine suspends execution
of the persistent hypervisor, including saving of a state of the processor, and transitions the processor to execute the non-persistent
hypervisor in the supervisor mode; and

wherein in response to a conclusion of execution of supervisor-mode instruction, the handler engine suspends execution of
the non-persistent hypervisor, including saving of the processor state, and transitions the processor to execute the persistent
hypervisor in the hypervisor mode, wherein the handler engine includes an interceptor engine configured to suspend execution
of a processor mode change in response to a detection of an attempt to make such a mode change.

US Pat. No. 9,396,334

SYSTEM AND METHOD FOR DETECTING HARMFUL FILES EXECUTABLE ON A VIRTUAL STACK MACHINE

AO Kaspersky Lab, Moscow...

1. A method for detecting a harmful file executed on a virtual stack machine, the method comprising:
identifying, by a hardware processor, data from a file executed on the virtual stack machine, the data including at least
one of parameters of a file section of the file and parameters of a function of the file;

based on the identified data, searching in a database for at least one cluster of safe files that contains a value of one
of the parameters of the file section exceeding a number of local variables being used by the function;

based at least partially on the identified at least one cluster of safe files, creating, by the hardware processor, at least
one cluster of data of the file executed by the virtual stack machine, wherein at least one cluster of data includes a cluster
containing section header types and sizes of these sections, a cluster containing numbers of local variables used by the function
of the file, and a cluster containing names of the function that is executable by the virtual stack machine;

calculating, by the hardware processor, a fuzzy checksum of the created cluster of data comprising one or more of a checksum
of the cluster containing section header types and sizes of these sections, a checksum of the cluster containing numbers of
local variables used by the function of the file, and a checksum of the cluster containing names of the function that is executable
by the virtual stack machine; and

determining, by the hardware processor, that the file executed on the virtual stack machine is a harmful file if the computed
fuzzy checksum matches a checksum in a database of checksums of harmful files.

US Pat. No. 9,621,570

SYSTEM AND METHOD FOR SELECTIVELY EVOLVING PHISHING DETECTION RULES

AO KASPERSKY LAB, Moscow...

1. A method for selectively evolving phishing detection rules with a computing system, the method comprising:
intercepting data with the computing system, the intercepted data being sent from a server and intended for a client;
examining, with the computing system, the intercepted data against a rule set, the rule set comprising a plurality of rules
related to potential phishing indicia of the intercepted data, the examining including

(a) determining, as a result of the examining, a categorization from a plurality of categories of the intercepted data,
(b) determining, as a result of the examining, at least one categorization-specific phishing detection criterion of the intercepted
data, and

(c) determining, as a result of the examining, at least one parameter score, the at least one parameter score comprising a
likelihood of a presence of phishing content in the intercepted data based on at least the categorization-specific phishing
detection criterion;

comparing the at least one parameter score against at least one rule generation criterion;
generating, with the computing system, a new rule and adding the new rule to the rule set to establish a second rule set if
the at least one parameter score satisfies the at least one rule generation criterion; and

recursively examining, with the computing system, the intercepted data against the second rule set to determine further rule
set evolution, the examining including

(a) determining, as a result of the examining, a second categorization from the plurality of categories of the intercepted
data,

(b) determining, as a result of the examining, a second at least one categorization-specific phishing detection criterion
of the intercepted data, and

(c) determining, as a result of the examining, a second at least one parameter score, the second at least one parameter score
comprising a likelihood of a presence of phishing content in the intercepted data based on at least the second categorization-specific
phishing detection criterion.

US Pat. No. 9,537,895

SYSTEM AND METHOD FOR SECURING USE OF A PORTABLE DRIVE WITH A COMPUTER NETWORK

AO KASPERSKY LAB, Moscow...

1. A system for securing use of a portable drive with a computer network, the system comprising:
a computing platform interfaced with the computer network, the computing platform including computing hardware of at least
one processor, data storage, and input/output facilities, and an operating system implemented on the computing hardware; and

instructions that, when executed on the computing platform, cause the computing platform to implement:
a drive registration engine configured to autonomously write and maintain a data store containing entries corresponding to
a plurality of portable drives initialized for use with the computer network, each entry corresponding to at least one identifiable
drive, wherein the plurality of portable drives includes drives that, when disconnected from the computer network, are unable
to enforce a security policy and are distinct from any computing device configurable to enforce a security policy;

a drive monitoring engine operatively coupled with the drive registration engine and configured to autonomously monitor events
occurring on the computer network involving use of each of the plurality of portable drives;

a security policy determination engine operatively coupled with the drive monitoring engine and configured to autonomously
apply predefined security policy determination criteria, including drive mobility assessment criteria indicative of the usage
history of the portable drive such that a determination of whether the portable drive is mobile or non-mobile is made by the
security policy determination engine and drive content sensitivity criteria indicative of the liability of the portable drive
to vulnerabilities of software in a computer system with which the portable drive is interfaced is made by the security policy
determination engine, to determine a drive-specific security policy for each one of the plurality of portable drives;

a security policy enforcement engine operatively coupled with the security policy determination engine, and configured to
autonomously execute a set of at least one policy enforcement action corresponding to a determined drive-specific security
policy in response to detected usage activity for each one of the plurality of portable drives.

US Pat. No. 9,391,936

SYSTEM AND METHOD FOR SPAM FILTERING USING INSIGNIFICANT SHINGLES

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for detecting spam in a message, the method comprising:
identifying in a received message one or more insignificant text portions based on a text pattern database storing defined
insignificant text patterns not containing spam;

removing at least a portion of the one or more identified insignificant text portions from the message to generate an abridged
and canonized message;

generating a set of shingles from the abridged and canonized message;
identifying in the set of shingles one or more shingles based on a shingles database storing defined insignificant shingles
that occur only in messages not containing spam;

removing one or more identified shingles from the set of shingles to generate a reduced set of shingles upon detecting the
one or more identified shingles matching at least one of the defined insignificant shingles; and

determining whether the received message contains spam based on the reduced set of shingles.

US Pat. No. 9,357,394

SYSTEM AND METHOD FOR SELECTING MEANS FOR INTERCEPTING NETWORK TRANSMISSIONS

AO Kaspersky Lab, Moscow...

1. A method for selecting a means for intercepting network transmissions, the method comprising:
determining, by a hardware processor, one or more parameters of a network transmission and one or more parameters of a user
device that receives the network transmission;

determining characteristics of a plurality of network transmission intercepting means that provide different levels of security
to intercepted network transmissions based on the determined transmission parameters and user device parameters;

selecting out of the plurality of network transmission interception means one means whose characteristics match the parameters
of the network transmission, parameters of the user device, and a required security level for the network transmission; and

installing on the user device the selected network transmission interception means that provide the required security level
for the network transmission received by the user device;

wherein the network transmission interception means comprises a firewall, a proxy server, or a virtual private network (VPN)
client.

US Pat. No. 9,292,701

SYSTEM AND METHOD FOR LAUNCHING A BROWSER IN A SAFE MODE

AO Kaspersky Lab, Moscow...

1. A method for launching a web browser in a safe mode, the method comprising:
intercepting a request from the web browser to access data from a server;
determining, by a hardware processor, whether the browser is required to operate in a safe mode when displaying data from
the server;

when the browser is required to operate in the safe mode, analyzing, by the hardware processor, the data received from the
server;

when the received data includes a webpage, generating, by the hardware processor, a temporary webpage containing a script
for evaluating at least one criterion for determining whether to display the webpage received from the server by the browser;

executing the script contained in the temporary webpage by the browser; and based on an evaluation result of the at least
one criterion by the script, launching the browser in the safe mode to display the webpage received from the server;

wherein determining whether the browser is required to operate in the safe mode includes determining a category of the server
based on at least one of contents of the server and at least one security policy associated with the server.

US Pat. No. 9,338,137

SYSTEM AND METHODS FOR PROTECTING CONFIDENTIAL DATA IN WIRELESS NETWORKS

AO KASPERSKY LAB, Moscow...

1. A system for protecting data transferred over a wireless network having a wireless access point, the system comprising:
a computing platform including computing hardware of at least one processor and memory operably coupled to the at least one
processor;

a network interface in electrical communication with the computing hardware and operably coupled to the wireless access point
and configured to transmit outgoing wireless network data and receive incoming wireless network data to the system over the
wireless network; and

instructions that, when executed on the computing platform, cause the computing platform to implement:
a network traffic interception engine configured to intercept wireless network traffic transmitted over the wireless network,
a wireless networks database storage engine configured to store historical wireless network traffic data and heuristic records,
a wireless networks analysis engine configured to analyze the intercepted wireless network traffic and determine a trust level
of the wireless network using at least one of the historical wireless network traffic data or the heuristic records, wherein
analyzing the intercepted wireless network traffic includes identifying one or more fields of a data structure of the intercepted
wireless network traffic, wherein confidential data within the intercepted wireless network traffic is unanalyzed,

a traffic monitoring engine configured to receive the determination of the trust level of the wireless network and detect
transfer of confidential data over the wireless network, and

a protection engine configured to determine a network resource type and secure the wireless network for the confidential data
based at least on the network resource type, if confidential data is detected over the wireless network.

US Pat. No. 9,182,974

SYSTEM AND METHODS FOR UPDATING SOFTWARE OF TEMPLATES OF VIRTUAL MACHINES

AO Kaspersky Lab, Moscow...

1. A method for updating software on virtual machines, the method comprising:
determining, by a hardware processor, a first coefficient indicative of a level of importance of a continuous operation of
one or more virtual machines created from a virtual machine template;

determining a second coefficient indicative of a level of criticality of software updates on the one or more virtual machines
created from the virtual machine template;

determining a third coefficient as a function of the first coefficient and the second coefficient;
when the third coefficient exceeds a threshold, updating the software on the virtual machine template to generate an updated
virtual machine template; and

determining whether the updated virtual machine template is suitable for being used for one or more virtual machines by detecting
events causing an incorrect execution of at least one virtual machine during a period of operating a test virtual machine
created from the updated virtual machine template.

US Pat. No. 9,460,306

SYSTEM AND METHOD FOR CONTROLLING ACCESS OF MACHINE CODE TO OPERATING SYSTEM RESOURCES

AO Kaspersky Lab, Moscow...

1. A method for controlling an access of a native image of a machine code to resources of an operating system of a device,
the method comprising:
obtaining, by a processor, the native image of the machine code;
identifying, by the processor, a parent assembly from which the native image was created;
respectively determining, by the processor, a data structure of the parent assembly and the native image;
determining and generating, by the processor, a template based at least upon the respective data structure of the parent assembly
and the native image;

determining and forming, by the processor, a correspondence between the native image and the parent assembly based at least
upon the template;

in response to detecting an update to the native image, generating, by the processor, an updated image of the native image;
determining, by the processor, whether there is a correspondence between the updated image of the native image and the parent
assembly based at least upon the template; and

in response to detecting no correspondence between the updated image of the native image and the parent assembly, restricting,
by the processor, an access of the updated image of the native image to the resources of the operating system of the device.

US Pat. No. 9,444,832

SYSTEMS AND METHODS FOR OPTIMIZING ANTIVIRUS DETERMINATIONS

AO KASPERSKY LAB, Moscow...

1. A system for excluding an executable file not having executable code from an antivirus check, the system comprising:
a computing platform including computing hardware of at least one processor, data storage, and input/output facilities;
computer program instructions stored on a tangible media that, when executed on the computing platform, cause the computing
platform to implement:

a check tool configured to—
receive an executable file for an antivirus check,
send the executable file to a breakdown tool, and
exclude from the antivirus check an executable file not having executable code, based on a decision received from an analysis
tool;

the breakdown tool configured to—
analyze a structure of the executable file and identify a format of the executable file by checking a heading of the executable
file, and

send information about the format of the executable file and the structure of the executable file to the analysis tool;
the analysis tool configured to—
select a list of conditions from a database based at least on the information about the format of the executable file, the
list of conditions including a plurality of conditions for the analysis of the structure of the executable file, wherein the
list of conditions selected from the database is specific to the format of the executable file,

perform an analysis of the structure of the executable file using the selected list of conditions, the analysis including
checking whether each condition from the selected list of conditions is met,

build a result based on the analysis, the result including information on whether each checked condition is met,
issue a decision based on the result, wherein the decision is of the absence of executable code in the executable file when
all conditions from the list of conditions are met,

send the issued decision to the check tool; and
a database operably coupled to the analysis tool and configured to store lists of conditions.

US Pat. No. 9,390,266

SYSTEM AND METHOD OF PREVENTING INSTALLATION AND EXECUTION OF UNDESIRABLE PROGRAMS

AO Kaspersky Lab, Moscow...

1. A method for controlling installation of programs, the method comprising:
detecting, by a processor, installation of an unknown program on a computer;
suspending, by the processor, installation of the unknown program;
executing, by the processor, the unknown program in a secure environment;
detecting, by the processor, undesirable actions of the unknown program, wherein the undesirable actions include at least
one of: actions performed by the program without knowledge of a user, actions for accessing personal user data on the computer,
and actions affecting the user's working with other programs or the operating system of the computer;

determining, by the processor, whether the unknown program is undesirable or not based on the detected undesirable actions
of the program;

when the unknown program is determined to be undesirable, prompting the user to select whether to allow or prohibit installation
of the undesirable program on the computer; and

when the unknown program is determined not to be undesirable, allowing installation of the unknown program on the computer;
analyzing graphical user interface (GUI) of a program installer for presence of active undesirable GUI elements; and
deactivating one or more detected undesirable GUI elements to prevent execution of one or more undesirable actions of the
program.

US Pat. No. 9,407,658

SYSTEM AND METHOD FOR DETERMINING MODIFIED WEB PAGES

AO Kaspersky Lab, Moscow...

1. A method for determining modified web pages, the method comprising:
extracting, by a hardware processor, a plurality of malware trigger code fragments from at least one configuration file of
a malicious software;

creating, by the hardware processor, a verification web page by adding the plurality of malware trigger code fragments into
a template page;

storing, in a database, data relating to an initial state of the verification web page;
opening the verification web page and identifying data relating to an opened state of the verification web page;
comparing, by the hardware processor, the data relating to the initial state and the data relating to the opened state of
the verification web page; and

based on detected differences between the data relating to the initial state and the data relating to the opened state of
the verification web page, identifying at least one modified code fragment of the verification web page.

US Pat. No. 9,336,390

SELECTIVE ASSESSMENT OF MALICIOUSNESS OF SOFTWARE CODE EXECUTED IN THE ADDRESS SPACE OF A TRUSTED PROCESS

AO KASPERSKY LAB, Moscow...

1. A method for detection of malicious code injected into processes associated with known programs in a computing device comprising
a plurality of computing resources including computing hardware and an operating system executing on the computing hardware,
and a plurality of programs interfaced with the computing resources and executable as processes having one or more threads,
the method comprising:
monitoring execution of processes on the computing hardware, each of the processes capable of executing program code;
selecting, from among the processes being monitored, a subset of processes consisting of only those processes which are susceptible
processes, wherein the selecting is based on predefined process selection criteria that relates to a likelihood of malicious
code being present;

for each of the susceptible processes of the subset of processes selected, tracking function calls made by threads of the
process;

identifying, from among the tracked function calls, a subset of function calls consisting of only those function calls which
are critical function calls, wherein the identifying of the critical function calls is based on critical function determination
criteria that relates to a likelihood of malicious code being executed in an address space of a susceptible process by creation
of a new thread or a new process in the address space of the susceptible process;

for each identified critical function call, identifying program instructions that caused the critical function call; and
assessing maliciousness of the program instructions based on predefined assessment criteria.

US Pat. No. 9,325,715

SYSTEM AND METHOD FOR CONTROLLING ACCESS TO PERSONAL USER DATA

AO Kaspersky Lab, Moscow...

1. A method for controlling access of a consumer to personal data of a user, comprising:
collecting information about the consumer of personal data, wherein the collected information comprises at least one of a
plurality of elements including service usage parameters associated with the consumer, statistical data associated with the
consumer, and security incidents involving the consumer;

comparing, by a hardware processor, the collected information with one or more templates to determine a risk that is associated
with the consumer, wherein each template includes a set of criteria corresponding to at least two of the plurality of elements,
each criterion is assigned a numeric value and a weighting factor based on the collected information, and the risk corresponds
to a summation of the numeric value and weighting factor of each criterion;

setting, based on the determined risk, by the hardware processor, consumer access parameters for the consumer to access the
personal data of the user;

controlling, by the hardware processor, access of the consumer to the personal data of the user based on the consumer access
parameters;

automatically modifying the consumer access parameters upon detecting that the summation exceeds a selected range of a defined
threshold value; and

notifying the user, without modifying the consumer access parameters, of the risk upon detecting that the summation does not
exceed the selected range of the defined threshold value.

US Pat. No. 9,363,286

SYSTEM AND METHODS FOR DETECTION OF FRAUDULENT ONLINE TRANSACTIONS

AO Kaspersky Lab, Moscow...

1. A method for providing security for online transactions, comprising:
determining, by a computer processor, that an online transaction related to a payment service has been initiated by a user
computer;

collecting, by the computer processor, first information from the user computer and second information from the payment service,
where the first information includes: (1) capabilities of an antivirus program installed on the user computer based on at
least a current version of the antivirus program, and (2) a status of the antivirus program indicating at least a date of
a last scan of the user computer by the antivirus program and an identification of prior malicious programs found by the last
scan;

determining, by the computer processor, based on both the first information from the user computer and the second information
from the payment service, whether the online transaction is suspicious and processing the online transaction when the online
transaction is not determined to be suspicious, including a determination that no prior malicious programs were found by the
last scan of the user computer;

when the computer processor determines that the online transaction is suspicious, analyzing, by the computer processor, the
capabilities and the status of the antivirus program to determine whether the antivirus program is currently configured to
detect one or more malicious programs on the user computer;

when the computer processor determines that the antivirus program is currently configured to detect the one or more malicious
programs and the one or more malicious programs is detected by the antivirus program, performing, by the computer processor,
one or more remedial actions with respect to the detected one or more malicious programs, including cancelling the online
transaction;

when the computer processor determines that the antivirus program is not currently configured to detect the one or more malicious
programs, performing additional actions to detect the one or more malicious programs on the user computer, the additional
actions including downloading a latest version of the antivirus program to perform an updated scan of the user computer and
rebooting the user computer with checks for rootkits and bootkits;

if the one or more malicious programs is detected in response to the additional actions, performing, by the computer processor,
one or more remedial actions of the detected one or more malicious programs; and

cancelling the online transaction if the additional actions do not identify the one or more malicious programs.

US Pat. No. 9,596,221

ENCRYPTION OF USER DATA FOR STORAGE IN A CLOUD SERVER

AO Kaspersky Lab, Moscow...

1. A method for encryption of user data for storage on a remote server, comprising:
collecting, by a software client executed by a hardware processor, one or more sets of user authentication data from a user
device, wherein the user authentication data includes one or more sets of: user's login and password, user's email account
name and password, user's social network account name and password, user's instant messaging account name and password, one
or more user's biometric identifiers, one or more unique identifiers of the user device, and geolocation data of the user
device;

performing user authentication using the one or more sets of user authentication data;
when user authentication is successful, calculating a hash of at least one set of the user authentication data;
generating an encryption key from the hash of the user authentication data;
encrypting the user data using the generated encryption key;
transmitting the encrypted user data to the remote network server for storage; and
periodically encrypting the user data by at least: generating random data that are used as an additional input to a one-way
function that hashes a selected portion of the user authentication data for each unique user, generating a new encryption
key based on a hash result of the one-way function, and encrypting the user data using the new encryption key.

US Pat. No. 9,386,024

SYSTEM AND METHOD FOR DETECTING MODIFIED OR CORRUPTED EXTERNAL DEVICES

AO Kaspersky Lab, Moscow...

1. A method for analyzing a device connected to a computer system, the method comprising:
storing, in at least one database, data relating to devices previously connected to the computer system and rules that specify
at least one condition indicating when the device should be further analyzed as being possibly corrupted;

receiving from the device data relating to the device or to a connection between the device and the computer system;
performing, by a hardware processor, an analysis of the received data by comparing the received data and the stored data relating
to devices previously connected to the computer system;

applying, by the hardware processor, results of the analysis of the received data to the rules to determine whether the at
least one condition is satisfied and indicates that the device is possibly modified or corrupted and should be further analyzed
for presence of malware; and

generating and storing an additional rule in the at least one database upon determining that the device is corrupted, wherein
the additional rule is based on the analysis of the received data of the corrupted device.

US Pat. No. 9,367,686

SYSTEM AND METHOD FOR ANTIVIRUS CHECKING OF NATIVE IMAGES OF SOFTWARE ASSEMBLIES

AO Kaspersky Lab, Moscow...

1. A method for performing antivirus analysis of native images of machine code, the method comprising:
receiving, by a hardware processor, a native image of the machine code;
collecting, by the hardware processor, data about the native image of the machine code, including data stored in an operating system
about creation of the native images of the machine code;

identifying, by the hardware processor, based on the collected data, a parent assembly, which was used to create the native
image of the machine code;

performing, by the hardware processor, antivirus analysis of the parent assembly; and
excluding from the antivirus analysis the native image of the machine code by associating results of the antivirus analysis
of the parent assembly with the native image.

US Pat. No. 9,348,998

SYSTEM AND METHODS FOR DETECTING HARMFUL FILES OF DIFFERENT FORMATS IN VIRTUAL ENVIRONMENTS

AO Kaspersky Lab, Moscow...

1. A method for analyzing suspicious files in different formats, the method comprising:
providing a plurality of virtual machines configured to analyze a plurality of suspicious files with different formats and
a master virtual machine configured to allocate malware analysis tasks to the plurality of virtual machines;

determining, using an antivirus software, if a suspicious file is clean or harmful; and
when the antivirus software fails to determine whether the suspicious file is clean or harmful:
allocating, by the master virtual machine, based on at least a file format of the suspicious file, the suspicious file to
a virtual machine selected from the plurality of virtual machines for a malware analysis;

opening the suspicious file using a file format associated program in the selected virtual machine;
collecting data of at least one activity on the virtual machine, wherein the data comprises information about at least one
of an application programming interface (API) call and/or memory associated with a process opening the suspicious file; and

determining, by the virtual machine, the maliciousness of the suspicious file by analyzing the data using a signature database
containing signatures specific to the file format of the suspicious file, and/or by performing a heuristic analysis using
at least one file format specific heuristic algorithm.

US Pat. No. 9,154,517

SYSTEM AND METHOD FOR PREVENTING SPREAD OF MALWARE IN PEER-TO-PEER NETWORK

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for preventing spread of malware in a peer-to-peer (P2P) network, the method comprising:
maintaining, by a server, a database of verified clean metadata objects, a database of verified malicious metadata objects,
and a database of unverified metadata objects;

receiving, by the server, from a peer client computer on the P2P network a request for a metadata object, containing information
about an associated data object;

checking, by a hardware processor of the server, if the requested metadata object is found in one of the database of verified
clean metadata objects, the database of verified malicious metadata objects and the database of unverified metadata objects;

if the requested metadata object is found in the database of verified clean data objects, transmitting, by the server, the
requested metadata object to the peer client computer;

if the requested metadata object is found in the database of unverified data objects, determining, by the hardware processor,
if the peer client computer has an antivirus software for testing the unverified data object for malware when the data object
is downloaded from the P2P network;

if the peer client computer has an antivirus software, transmitting, by the server, to the peer client computer the requested
metadata object; and

if the peer client computer does not have an antivirus software, denying the request to provide the metadata object to the
peer client computer.

US Pat. No. 9,407,648

SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE IN RANDOM ACCESS MEMORY

AO Kaspersky Lab, Moscow...

1. A method for detection of malware on a computer, the method comprising:
detecting, by a hardware processor, a process of an untrusted program on the computer;
identifying, by the hardware processor, function calls made by the process of the untrusted program, including inter-process
function calls made by the process to a destination process;

collecting, by the hardware processor, information about the untrusted program;
applying, by the hardware processor, heuristic rules to information about the identified function calls and the information
about the untrusted program to determine whether to perform malware analysis of a code in an address space of the destination
process that was subject of an inter-process function call made by the process of the untrusted program; and

when it is determined to perform malware analysis, analyzing the code in an address space of the destination process that
was subject of the inter-process function call made by the process of the untrusted program using antivirus software executable
by the hardware processor.

US Pat. No. 9,386,031

SYSTEM AND METHOD FOR DETECTION OF TARGETED ATTACKS

AO Kaspersky Lab, Moscow...

1. A method for detection of targeted attacks from a network resource, comprising:
receiving, by a hardware processor of a computing device connecting with a plurality of computer systems and devices, data
about the network resource, wherein each of the plurality of computer systems and devices has a set of parameters and associated
parameter values;

detecting a presence of a suspect indicator in respective data received from each of a first group of the plurality of computer
systems, the suspect indicator indicating a possibility of an attack from the network resource;

detecting an absence of the suspect indicator in respective data received from each of a second group of the plurality of
computer systems;

determining and setting at least one suspect parameter to a first parameter value in each of the first group of the plurality
of computer systems and devices;

determining and setting the at least one suspect parameter to a second parameter value in each of the second group of the
plurality of computer systems and devices, the second parameter value being different from the first parameter value; and

estimating a probability of a targeted attack from the network resource based on the suspect indicator, the at least one suspect
parameter, and the first and second parameter values.

US Pat. No. 9,332,034

SYSTEM AND METHODS FOR AUTOMATIC DESIGNATION OF ENCRYPTION POLICIES FOR USER DEVICES

AO Kaspersky Lab, Moscow...

1. A method for designation of encryption policies for each of a plurality of user devices connected in a network, comprising:
determining, by a hardware processor of a computing device connected with each of the plurality of user devices via the network,
one or more criteria for sorting the plurality of user devices in accordance with encryption requirements of each user device;

determining numeric values for each of the one or more criteria;
determining a coefficient for each user device based on the numeric values;
determining an encryption queue by sorting the plurality of user devices based on each respective coefficient;
selecting an encryption policy from a plurality of encryption policies for each user device based on the coefficient, wherein
the encryption policies are configured to:

correspond to a plurality of defined coefficient numerical ranges for indicating: a full disk encryption of all sectors of
data media of each user device, an encryption of all files on each user device excluding executable files and libraries of
components, an encryption of one or more of confidential, secret and all text documents and images, and no encryption, and

indicate at least a position of each user device in the encryption queue; and
applying the selected encryption policy to each user device.

US Pat. No. 9,178,892

SYSTEM AND METHOD FOR MANAGING ACCESS TO COMPUTER RESOURCES

AO Kaspersky Lab, Moscow...

1. A method for managing access to computer resources, the method comprising:
receiving a request, from a client process, for performing an operation on a computer resource, including receiving the request
by a kernel of an operating system for creating a separate process to perform the requested operation on the computer resource;

obtaining, by a resource manager, metadata of the computer resource and data relating to operations requested by other client
processes on the computer resource;

determining, based on the metadata, whether the requested operation alters the metadata and violates an isolation condition
of the computer resource;

determining, based on the data relating to the operations requested by the other client processes, whether the requested operation
distorts the operations requested by the other client processes; and

performing the requested operation on the resource upon detecting that the requested operation does not: alter the metadata,
violate the isolation condition of the computer resource, and distort the operations requested by the other client processes.

US Pat. No. 9,154,519

SYSTEM AND METHOD FOR ANTIVIRUS CHECKING OF OBJECTS FROM A PLURALITY OF VIRTUAL MACHINES

AO Kaspersky Lab, Moscow...

1. A method for malware detection on virtual machines, the method comprising:
forming, on at least one virtual machine configured to perform an antivirus check, a queue of identifiers of objects for malware
analysis;

selecting objects in the queue for malware analysis, wherein selecting comprises: dividing the objects in the queue for malware
analysis into a number of blocks corresponding to a number of virtual machines when a number of virtual machines configured
to perform the antivirus check is above a predetermined threshold, and randomly selecting the objects in the queue for malware
analysis when the number of virtual machines configured to perform the antivirus check is below the predetermined threshold;

providing identifiers of the selected objects to a security virtual machine for malware analysis;
checking, by the security virtual machine, whether each of the selected objects has been previously provided for malware analysis
by another virtual machine;

when a selected object has not been previously provided by another virtual machine, performing, by the security virtual machine,
a malware analysis of the selected object; and

providing, from the security virtual machine to the at least one virtual machine, a malware analysis result for the selected
object.

US Pat. No. 9,230,107

SECURITY DEVICES AND METHODS FOR DETECTION OF MALWARE BY DETECTING DATA MODIFICATION

AO Kaspersky Lab, Moscow...

1. A method for detection of computer malware by a portable security device physically connected to a computer, comprising:
storing in the portable security device a database of data storage device identifiers containing information about different
models and types of data storage devices;

performing a malware detection experiment by the portable security device by simulating a connection to the computer of a
simulated data storage device containing a set of test data, the connection including identifying to the computer the portable
security device as the simulated data storage device using one or more of the data storage device identifiers;

determining, by the portable security device, if there are any modifications in the set of test data contained in the simulated
data storage device after termination of the malware detection experiment; and

based on whether there are any modifications in the set of test data, determining, by the portable security device, whether
to perform one or more additional malware detection experiments, wherein each of the one or more additional malware detection
experiments simulates a different connection to the computer of a different simulated data storage device using one or more
different data storage device identifiers.

US Pat. No. 9,497,218

SYSTEM AND METHOD FOR DETECTION OF PHISHING SCRIPTS

AO Kaspersky Lab, Moscow...

1. A method for detection of phishing scripts, the method comprising:
identifying, by a processor, in a script, commands responsible for functions of writing of data to disk, working with objects
of file system and execution of programs;

grouping, by the processor, the identified script commands into a plurality of functional groups;
generating, by the processor, a bytecode for each functional group;
computing, by the processor, a hash sum of the generated bytecode;
determining, by the processor, a degree of similarity between the hash sum of the bytecode and hash sums in one or more groups
of hash sums of known phishing scripts;

identifying, by the processor, at least one group of hash sums that contains a hash sum whose degree of similarity with the
hash sum of the bytecode is within a threshold;

determining, by the processor, a coefficient of compactness of the identified group of hash sums and a coefficient of trust
of the identified group of hash sums; and

determining, by the processor, whether the script is a phishing script based on the degree of similarity, the coefficient
of compactness and the coefficient of trust.

US Pat. No. 9,384,353

SYSTEM AND METHOD FOR ENCRYPTION OF DISK BASED ON PRE-BOOT COMPATIBILITY TESTING

AO Kaspersky Lab, Moscow...

1. A method of full disk encryption of a boot disk of a computer, comprising:
upon determining, by a processor, no test booting of the computer, performing one or more pre-boot compatibility tests to
boot an operating system of the computer;

upon detecting a successful test booting, performing booting the operating system of the computer or performing the one or
more pre-boot compatibility tests again;

upon detecting an unsuccessful test booting, restoring a process of ordinary booting of the operating system and performing
an ordinary booting of the operating system;

determining one or more encryption policies applicable to a pre-boot execution stage of the computer; and
comparing results of the one or more pre-boot compatibility tests with the encryption policies to determine whether to apply
a full disk encryption to the boot disk.

US Pat. No. 9,552,478

TEAM SECURITY FOR PORTABLE INFORMATION DEVICES

AO KASPERSKY LAB, Moscow...

1. A portable information device including a user interface device adapted to originate and consume information on behalf
of a user, the device having a security arrangement adapted for team-assisted security functionality, the device comprising:
computer circuitry, including a processor operatively coupled to a data store;
a user interface, including display and user input devices;
wireless communications circuitry; and
a power supply that provides power to the computer circuitry, user interface, and wireless communications circuitry, the power
supply including an on-board energy source;

wherein the computer circuitry includes a security module adapted to provide team-assisted security services in the portable
information device, the security module including:

a thick client security portion adapted to locally process security-related tasks on the computer circuitry;
a security team connection module adapted to facilitate local wireless connectivity via the wireless communication circuitry
between the portable information device and a security module of at least one other portable information device; and

a security task coordinator module adapted to locally decide, exclusive of the security team connection module, which of the
security-related tasks is to be processed remotely by the security team in lieu of being processed locally on the portable
information device using the computer circuitry, by at least determining, by a local analysis executed by the security task
coordinator module, an indication of security priority for the portable information device;

wherein the security module is adapted to conduct an exchange of security-related information between the thick client security
portion and the at least one other portable information device via the security team connection module; and

wherein the security module is configured to process, via the thick client security portion, a first security task of the
security-related tasks on the computer circuitry to produce a first security task output, and to transmit, via the security
team connection module, the first security task output to at least one portable information device of the security team.

US Pat. No. 9,501,742

SYSTEM AND METHOD FOR ASSESSING CATEGORIZATION RULE SELECTIVITY

AO KASPERSKY LAB, Moscow...

1. A system for assessing the selectivity of categorization rules, the system comprising:
a computer system including at least one processor, a non-transitory data storage medium interfaced with the at least one
processor, and input/output facilities, the data storage medium containing instructions that, when executed by the at least
one processor, implement:

a categorization rule application engine configured to apply at least one categorization rule to a set of un-categorized objects
to produce a categorization result set representing assignment of objects of the set into at least two categories into which
the objects of the set are divided when the categorization rule is applied, the categorization rule application engine further
configured to gather statistical information relating to the categorization result set based on properties of objects assigned
to each of the at least two categories, and including at least one rule-specific aggregating statistic characterizing the
application of the categorization rule to all of the objects and at least one categorization-specific statistic characterizing
the objects of one of the at least two categories;

a selectivity determination engine configured to
assess a numerical selectivity score for the at least one categorization rule, the numerical selectivity score representing
an estimation of selectivity accuracy of the at least one categorization rule to provide an evaluation of the at least one
categorization rule, the numerical selectivity score being calculated by the application of at least one trained selectivity
determination algorithm to the statistical information including the at least one rule-specific aggregating statistic representing
information on the set of files belonging to each of the categories defined in the categorization rule, the application of
the at least one trained selectivity determination algorithm to the statistical information including considering each of
a plurality of parameters derived from the statistical information and in accordance with the at least one categorization
rule,

and compare the selectivity score against a predefined selectivity threshold, wherein a selectivity score that exceeds the
selectivity threshold is deemed highly selective; and

an algorithm training engine configured to produce each of the at least one trained selectivity determination algorithm based
on application of a plurality of specially-selected categorization rules to a set of pre-categorized training data, wherein
the application of each one of the specially-selected categorization rules to the set of training data produces at least one
uniform grouping of objects in which the objects all meet a predefined similarity criterion, and wherein the trained selectivity
determination algorithms are unrelated to the plurality of specially-selected categorization rules.

US Pat. No. 9,509,833

SYSTEM AND METHOD CONTROLLING ACCESS TO APPLICATIONS ON A MOBILE DEVICE

AO Kaspersky Lab, Moscow...

1. A method for controlling access to applications of a mobile device, the method comprising:
collecting, by a controlled shell of an operating system (OS) of the mobile device, information about at least one application
of the mobile device;

generating a probability distribution associated with the at least one application based on the collected information, the
probability distribution indicating a likelihood that the at least one application belongs to a category designation of a
plurality of category designations;

determining the category designation of the application based on the probability distribution;
determining, by the controlled shell, whether the category designation of the application complies with one or more rules
of a usage policy of the mobile device;

blocking, by the controlled shell, user access to the application if it is determined that a rule exists prohibiting use of
applications in the designated category or if no rule exists permitting use of the applications in the designated category;
and

permitting, by the controlled shell, user access to the application if it is determined that a rule exists allowing use of
applications in the designated category or if no rule exists prohibiting use of the applications in the designated category.

US Pat. No. 9,501,643

SYSTEMS AND METHODS FOR DETECTING MALICIOUS EXECUTABLE FILES CONTAINING AN INTERPRETER BY COMBINING EMULATORS

AO KASPERSKY LAB, Moscow...

1. A system for detecting a malicious executable file, the executable file including an interpreter, the system comprising:
a computing platform including computing hardware of at least one processor, data storage, an operating system implemented
on the computing hardware, and input/output facilities;

a memory operably coupled to the at least one processor and configured to store instructions invoked by the at least one processor,
the instructions, when executed on the computing platform, cause the computing platform to implement:

an analyzer configured to de-obfuscate a script prior to converting the script into pseudocode, the script being related to
the executable file, convert the script into pseudocode, monitor an emulation process of the pseudocode, and detect a transition
from pseudocode to machine code,

a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log,
and

a machine code emulator configured to emulate the pseudocode when a transition from pseudocode to machine code is detected
by the analyzer,

wherein the analyzer is further configured to analyze the emulator operation log to determine when the executable file is
malicious,

wherein the instructions are implemented with a single thread of execution, the single thread of execution being configured
to switch between the machine code emulator and the script emulator.

US Pat. No. 9,448,785

SYSTEM AND METHOD UPDATING FULL DISK ENCRYPTION SOFTWARE

AO Kaspersky Lab, Moscow...

1. A method for updating full disk encryption (FDE) software on a computer, comprising:
blocking operations of the FDE software on a boot drive of the computer;
installing one or more components of the updated FDE software on the computer;
deploying an updated pre-boot compatibility verification component of updated FDE software that checks compatibility of the
boot disk with the updated FDE software;

rebooting the computer and executing, before booting of an operating system, the updated pre-boot compatibility verification
component of the updated FDE software;

determining, by the updated pre-boot compatibility verification component of the updated FDE software, a compatibility of
the boot disk with the updated FDE software without decrypting and encrypting the boot disk of the computer by the updated
FDE software;

if the boot disk is determined to be compatible with the updated FDE software, authenticating a computer user and booting
the operating system of the computer; and

unblocking one or more operations of the updated FDE software on the boot drive of the computer.

US Pat. No. 9,350,756

SYSTEM AND METHOD FOR CORRECTING ANTIVIRUS RECORDS USING ANTIVIRUS SERVER

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for malware detections, the method comprising:
receiving, by a hardware processor executing an antivirus application, a software object for malware detections using an antivirus
database and an antivirus cache, the antivirus database comprising antivirus records and the antivirus cache comprising corrections
of the antivirus records;

determining that the software object is malicious by activating an antivirus record based on information in the antivirus database
or the antivirus cache;

transmitting information relating to the antivirus record to a server prior to executing actions associated with the antivirus
record in response to detecting a selected status indicator of the antivirus record, the transmitting comprising transmitting
a unique identifier of the antivirus record and statistical information of the software object collected during an activation
of the antivirus record by the antivirus application; and

receiving a correction of the antivirus record from the server for processing the software object.

US Pat. No. 9,332,029

SYSTEM AND METHOD FOR MALWARE DETECTION IN A DISTRIBUTED NETWORK OF COMPUTER NODES

AO Kaspersky Lab, Moscow...

1. A method of distributed detection of malware, the method comprising:
deploying a first security client on a first client computer, wherein the first security client is operable to identify and
communicate with a plurality of second security clients deployed on respective second client computers;

performing, by a hardware processor of the first client computer executing the first security client, a malware analysis of
files on the first client computer;

identifying metadata of an unknown file that could not be determined as either malicious or clean by the malware analysis;
collecting, by the hardware processor executing the first security client, the metadata of the unknown file identified during
the malware analysis of the unknown file by the first security client;

multicasting, by the hardware processor executing the first security client, to the plurality of second client computers,
a request that includes the metadata of the unknown file and a remediation tool for the unknown file;

receiving responses from at least two of the plurality of second client computers, where the responses contain information
relating to the unknown file;

selecting, by the hardware processor of the first client computer, one of the at least two second client computers as a source
client computer;

receiving, from the source client computer, a copy of the unknown file, an identification of the unknown file as a malicious
file and the malware remediation tool for the identified malicious file, wherein the remediation tool includes information,
statistics data and malware repair or removal instructions for the malicious file;

updating a local malware database on the first client computer with the identification of the unknown file as the malicious
file and the malware remediation tool; and

using, by the hardware processor executing the first security client, the malware remediation tool to repair the first client
computer.

US Pat. No. 9,189,630

SYSTEMS AND METHODS FOR ACTIVE OPERATING SYSTEM KERNEL PROTECTION

AO KASPERSKY LAB, Moscow...

1. A machine-implemented method for intercepting computing device system calls, the computing device including a kernel including
a system call table, the method comprising:
executing a hypervisor on the computing device, the hypervisor configured to control at least one computing device processor
register, the at least one computing device processor register configured to be used by the kernel;

creating at least one modified kernel structure, the modified kernel structure including a modified system call table;
determining a memory address of an original system call handler, the original system call handler configured to receive and
execute kernel operation commands;

determining a size of a loaded image of the original system call handler;
creating a copy of the original system call handler as a second system call handler; and
intercepting, by the second system call handler as directed by the hypervisor, a computing device system call.

US Pat. No. 9,183,383

SYSTEM AND METHOD OF LIMITING THE OPERATION OF TRUSTED APPLICATIONS IN PRESENCE OF SUSPICIOUS PROGRAMS

AO Kaspersky Lab, Moscow...

1. A method for limiting the operation of trusted applications in presence of suspicious programs, the method comprising:
identifying, by a hardware processor, one or more trusted applications installed on a computer;
collecting, by the hardware processor, data relating to the identified one or more trusted applications and to programs installed
on the computer;

detecting, based at least partially on the collected data, one or more suspicious programs using suspicious program detection
rules indicating that the one or more suspicious programs can access protected information of a given trusted application
of the identified one or more trusted applications without authorization;

upon detecting at least one suspicious program, temporarily limiting an operation of the given trusted application;
producing, based on both the data relating to the identified one or more trusted applications and data relating to the detected
at least one suspicious program, a list of actions to remove or terminate the at least one suspicious program from the computer;
and

removing limitation of the operation of the given trusted application after the list of actions are performed to remove or
terminate the at least one suspicious program from the computer.

US Pat. No. 9,542,683

SYSTEM AND METHOD FOR PROTECTING ELECTRONIC MONEY TRANSACTIONS

AO Kaspersky Lab, Moscow...

1. A method for protecting electronic money transactions, comprising:
scanning a computer to detect software objects associated with electronic money, wherein said software objects include at
least one electronic wallet configured to store electronic money and resources used by the electronic wallet to exchange the
electronic money;

providing a set of security modules comprising a wallet protection module configured to provide data security to the detected
electronic wallet and resources and a traffic control module configured to analyze protocols and control the transmission
of data relating to the exchange of the electronic money by the detected electronic wallet; and

upon detection of an electronic wallet:
controlling, by the wallet protection module, access to the resources used by the electronic wallet to protect an exchange
of the electronic money by the electronic wallet;

tracking and protecting execution of the electronic wallet, by the wallet protection module, by monitoring and controlling
access to at least one of virtual memory, network connections, and threads used by the electronic wallet, wherein access is
reduced upon detection of suspicious activity, and wherein controlling access to virtual memory comprises protecting virtual
memory used by a running process of an executable file of the electronic wallet by prohibiting injection of an external malicious
code;

monitoring, by the traffic control module, network connections used by the electronic wallet to determine whether the exchange
of electronic money by the electronic wallet is a transmission to an untrusted recipient based on protocol analyzer data obtained
from analyzing the network connections; and

upon determination that the transmission is to an untrusted recipient, controlling, by the traffic control module, the exchange
of electronic money between the electronic wallet and the untrusted recipient by at least one of filtering malicious packets
or controlling network connections.

US Pat. No. 9,450,986

SYSTEM AND METHOD FOR SECURING USE OF A PORTABLE DRIVE WITH A COMPUTER NETWORK

AO KASPERSKY LAB, Moscow...

1. A system for securing use of a portable drive with a computer network, the system comprising:
a computing platform interfaced with the computer network, the computing platform including computing hardware of at least
one processor, data storage, and input/output facilities, and an operating system implemented on the computing hardware; and

instructions that, when executed on the computing platform, cause the computing platform to implement:
a drive registration engine configured to autonomously write and maintain a data store containing entries corresponding to
a plurality of portable drives initialized for use with the computer network, each entry corresponding to at least one identifiable
drive, wherein the plurality of portable drives includes drives that, when disconnected from the computer network, are unable
to enforce a security policy and are distinct from any computing device configurable to enforce a security policy;

a drive monitoring engine operatively coupled with the drive registration engine and configured to autonomously monitor events
occurring on the computer network involving use of each of the plurality of portable drives;

a security policy determination engine operatively coupled with the drive monitoring engine and configured to autonomously
apply predefined security policy determination criteria, including drive mobility assessment criteria indicative of the usage
history of the portable drive such that a determination of whether the portable drive is mobile or non-mobile is made by the
security policy determination engine and drive content sensitivity criteria indicative of the liability of the portable drive
to vulnerabilities of software in a computer system with which the portable drive is interfaced is made by the security policy
determination engine, to determine a drive-specific security policy for each one of the plurality of portable drives;

a security policy enforcement engine operatively coupled with the security policy determination engine, and configured to
autonomously execute a set of at least one policy enforcement action corresponding to a determined drive-specific security
policy in response to detected usage activity for each one of the plurality of portable drives.

US Pat. No. 9,444,765

DYNAMIC CATEGORIZATION OF NETWORK RESOURCES

AO KASPERSKY LAB, Moscow...

1. A computing device for categorizing a plurality of network resources, the computing device interfaced with a computer network
and including computing hardware of at least one processor, data storage, and input/output facilities, and an operating system
implemented on the computing hardware, and instructions executable on the computing device comprising:
a subcategory assessment engine configured to obtain subcategory assignment data from one or more security components for
one of the plurality of network resources and generate a subcategory assessment;

a content evaluator engine configured to evaluate content of the network resource and generate a preliminary content evaluation;
a category comparator engine configured to compare the subcategory assessment and the preliminary content evaluation against
pre-defined category criteria and one or more criteria thresholds and output a set of one or more categories assigned to the
network resource; and

a re-categorization controller engine operably coupled to the subcategory assessment engine, the content evaluator engine,
and the category comparator engine and configured to

receive a list of categorization intervals, the list of categorization intervals including a category re-assignment interval
for each network resource,

check the passage of time against each category re-assignment interval, and
upon the passage of time of the category re-assignment interval for each network resource, initiate a re-categorization by
utilizing the subcategory assessment engine, the content evaluator engine, and the category comparator engine.

US Pat. No. 9,432,406

SYSTEM AND METHOD FOR RESOLVING CONFLICTS BETWEEN APPLICATION CONTROL RULES

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for configuring application control rules, comprising:
installing security software on a plurality of computing devices in a network, wherein the security software is configured
to control execution of applications on the computing devices using a plurality of application control rules, each computing
device being associated with one or more user accounts, each user account having a first unique identifier, and each application
having a second unique identifier;

during launching of at least one application on at least one of the plurality of computing devices for testing a new application
control rule, transmitting, by the security software from each of the plurality of computing devices in the network, to an
administrative server, information relating to one or more user account records and software applications deployed on each
computing device for the identification and resolution of conflicts between the new application control rule and one or more
existing application control rules, wherein the one or more existing application control rules comprise information linking
at least one or more applications each having the second unique identifier with each user account having the first unique
identifier, and the conflict is resolved by assigning different priorities to the conflicting rules;

based at least upon the second unique identifier corresponding to the at least one application launched, receiving from the
administrative server, by the security software on the at least one of the plurality of computing devices, an application
control rule reconfigured with a lower or higher priority than one or more conflicting application control rules to eliminate
a conflict between the new application control rule and the one or more existing application control rules; and

applying, by the security software, the one or more application control rules to the applications on the computing devices
based on the priorities of said application control rules.

US Pat. No. 9,384,364

SYSTEM AND METHOD OF CONTROLLING ACCESS OF A NATIVE IMAGE OF A MACHINE CODE TO OPERATING SYSTEM RESOURCES

AO Kaspersky Lab, Moscow...

1. A method for controlling access of a native image of a machine code to resources of an operating system of a device, the
method comprising:
restricting, by a hardware processor, writing access to the native image of the machine code;
identifying, by the hardware processor, a parent assembly which was used to create the native image having a restricted writing
access;

updating, by the hardware processor, the native image by replacing at least a part of the native image with a new native image
based on the parent assembly;

determining, by the hardware processor, a category of trust of the parent assembly;
assigning, by the hardware processor, a category of trust of the parent assembly to the updated native image; and
restricting, by the hardware processor, access of the updated native image that has an untrusted category of trust to the
resources of the operating system of the device.

US Pat. No. 9,860,267

METHOD AND SYSTEM OF ELIMINATING VULNERABILITIES OF SMART DEVICES

AO KASPERSKY LAB, Moscow...

1. A method for eliminating vulnerabilities of smart devices connected to a data network, the method comprising:
identifying, by a processor, a router configured to provide access to the data network;
obtaining access to the network by connecting to the router;
transmitting, by the processor, a broadcast request through the data network to obtain access to at least one smart device
communicatively coupled to the router;

accessing the at least one smart device communicatively coupled to the router;
obtaining settings of the at least one smart device by accessing a configuration file stored on the at least one smart device
and containing settings of the smart device, wherein the settings of the at least one smart device include one or both of
a parameter or an attribute of the at least one smart device;

comparing, in a database, each of the settings of the at least one smart device with settings of known vulnerabilities to
identify at least one network vulnerability of the at least one smart device that can be exploited by the processor by identifying
a setting with a similar vulnerable status in the database;

determining, by the processor, an action for repairing the at least one network vulnerability associated with the at least
one setting of the at least one smart device based on the comparing of each of the settings with the settings of known vulnerabilities
in the database to identify the setting with the similar vulnerable status in the database; and

transmitting instructions to the at least one smart device to perform the action for repairing the at least one network vulnerability
associated with the at least one setting of the at least one smart device, wherein the action comprises adjusting the setting
of the smart device by making changes in the configuration file itself.

US Pat. No. 9,436,824

SYSTEM AND METHOD FOR PERFORMING ANTIVIRUS SCANS OF FILES

AO Kaspersky Lab, Moscow...

1. A method for performing antivirus scans of files, the method comprising:
detecting, by an antivirus application executed by a hardware processor, opening of a file for writing of data to the file;
performing, by the antivirus application, antivirus scan of at least a portion of the file;
when the file is determined to be clean, obtaining a record of antivirus scans of the file;
determining from the record a number of performed antivirus scans on the file by the antivirus application and a maximum number
of required antivirus scans;

increasing by one the number of performed antivirus scans;
when the increased number of performed antivirus scans is below the maximum number of required antivirus scans, continue antivirus
scans of the file by the antivirus application; and

when the increased number of performed antivirus scans is equal to the maximum number of required antivirus scans, discontinue
antivirus scans of the file by the antivirus application.

US Pat. No. 9,253,208

SYSTEM AND METHOD FOR AUTOMATED PHISHING DETECTION RULE EVOLUTION

AO KASPERSKY LAB, Moscow...

1. In a computing system that includes a processor, data storage, and input/output devices including a network interface device,
a method for automatically developing detection rules, the method comprising:
(a) obtaining, by the computing system, incoming data directed to a destination;
(b) detecting, by the computing system, any indicia of phishing present in the incoming data, the detecting being performed
by application of a plurality of phishing detection rules;

(c) computationally determining, by the computing system, a quantitative score for each of a plurality of predefined parameters,
each of the parameters relating to at least one of the phishing indicia, and each quantitative score representing a likelihood
of a presence of phishing content in the incoming data for the at least one of the phishing indicia;

(d) assessing, by the computing system, a requirement for evolving a phishing detection rule, including applying a predefined
set of rule evolution criteria to a combination of the determined quantitative scores of a plurality of parameters;

(e) in response to an assessment of the requirement for evolving a phishing rule, generating, by the computing system, a new
phishing detection rule based on selected parameter scores meeting the rule evolution criteria and on corresponding content
of the phishing indicia relating to those selected parameter scores;

by the computing system, recursively performing (b)-(e) based on any new phishing detection rules having been evolved in (e);
identifying, by the computing system, any phishing-related objects based on selected parameter scores exceeding a phishing
detection threshold and on corresponding content of the phishing indicia relating to those selected parameter scores;

modifying, by the computing system, content relating to the phishing-related objects in the incoming data to remove or reduce
maliciousness of the phishing-related objects.

US Pat. No. 9,111,096

SYSTEM AND METHOD FOR PRESERVING AND SUBSEQUENTLY RESTORING EMULATOR STATE

AO Kaspersky Lab, Moscow...

1. A method for emulating a file on a computer system, the method comprising:
loading the file into an emulator of the computer system;
determining whether an emulation is being performed for the first time or not;
when the emulation is performed for the first time,
emulating the file using an initial image of the emulator state;
during emulation of the file, creating and storing one or more new images of the emulator state upon occurrence of one or
more predefined conditions that resulted when running the emulation, and loading a state of virtual file system, a virtual
registry, and a tree data structure of virtual objects into the emulator while detecting malicious codes in the computer system;

when the emulation is not performed for the first time,
identifying one or more new images of the emulator state created during an initial emulation of the file; and
loading into the emulator the one or more identified images of the emulator state to be used for emulating the file.

US Pat. No. 9,244,671

SYSTEM AND METHOD FOR DEPLOYING PRECONFIGURED SOFTWARE

AO KASPERSKY LAB, Moscow...

1. A system for automated deployment of a software application to be installed, via a software installation package provided
over a computer network, onto a plurality of different user devices for a plurality of different users, the system comprising:
a set of instructions executable by computing hardware and stored in a non-transitory storage medium that, when executed,
cause the computing hardware to implement:

a task manager module that obtains an initial software installation package, and automatically communicates with a network
attributes data store via the computer network to obtain information representing (a) associations between the plurality of
users and the plurality of user devices, (b) user attributes from which access privilege level information for individual
users is determinable, and (c) device attributes for each of the plurality of user devices, including network connectivity
information;

a configurator module that:
determines a user-associated security policy requirement based on the obtained information representing (a), (b), and (c);
custom-configures the initial software installation package for individual ones of the plurality of user devices based on
the obtained information to produce a plurality of different specially-configured software installation packages, each one
of which corresponds to one or more specific users and one or more specific user devices, wherein each specially-configured
software installation package includes installation parameters that establish functionality for the software application based
on the access privilege level of the corresponding one or more specific users and on the user-associated security policy requirement;
and

determines a type of data transfer network and a type of destination address, based on the obtained information for each one
of the user devices to receive the software installation package delivery;

selects and custom-configures data transfer channels for delivering the specially-configured software installation packages
to respective individual ones of the plurality of user devices based on the obtained information, and further based on the
determined type of data transfer network and the determined type of destination address for each one of the user devices,
each data transfer channel being automatically selected by the configurator module from among a plurality of different operative
data transfer channels, each of the plurality of different operative data transfer channels configured to meet the security
policy requirement such that data transfer channels incompatible with the security policy requirement are excluded from the
plurality of different operative data transfer channels, and each selected data transfer channel corresponding to one or more
specific users and one or more specific user devices, wherein each selected data transfer channel is associated with a selected
data transfer protocol determined by the configurator module to meet the security policy requirement for the one or more specific
user devices from among a set of different available data transfer protocols.

US Pat. No. 9,141,431

SYSTEM AND METHOD FOR PRIORITIZING ON ACCESS SCAN AND ON DEMAND SCAN TASKS

AO Kaspersky Lab, Moscow...

1. A method for prioritizing scan requests, the method comprising:
reserving, by a computer processor, two or more connections between a thin client and a security virtual machine on a computer,
wherein the thin client is running on another virtual machine of the computer;

when one or more of the reserved connections are not used for communicating on-access scan (OAS) requests or on-demand scan
(ODS) requests, allocating said one or more reserved connections for communicating OAS or ODS requests between the thin client
and the security virtual machine, wherein the OAS and ODS requests are requested by the thin client for execution by the security
virtual machine, and wherein the OAS and ODS requests cannot share a same reserved connection;

determining whether all the reserved connections are used for communicating OAS or ODS requests and at least one reserved
connection is used for communicating ODS requests; and

when none of the reserved connections are used for communicating OAS requests and responsive to the determining, reallocating
for communicating the OAS requests the at least one reserved connection used for communicating ODS requests.

US Pat. No. 9,147,069

SYSTEM AND METHOD FOR PROTECTING COMPUTER RESOURCES FROM UNAUTHORIZED ACCESS USING ISOLATED ENVIRONMENT

AO Kaspersky Lab, Moscow...

1. A method for protecting resources from unauthorized access, comprising:
providing, via a hardware processor, a library of handler functions, where the handler functions control an access of one
or more applications to protected resources via a computer device;

associating a security policy with each of the library of handler functions, where the security policy specifies a first set
of access rules for accessing the protected resources on a network by the one or more applications via the computer device
and a second set of access rules for accessing the protected resources on the computer device;

modifying the one or more applications to access the library of handler functions instead of corresponding application program
interface (API) functions of the computer device by replacing one or more classes or methods of the one or more applications
that perform function calls to the protected resources with one or more function calls to corresponding handler functions
contained in the library;

receiving by a handler function an API function call from a modified application;
determining whether the received API function call complies with the first and second sets of access rules; and
when the API function call complies with the first and second sets of access rules, performing by the handler function the
API function call from the modified application to the protected resources; and

when the API function call violates the first and second sets of access rules, blocking the API function call.

US Pat. No. 9,774,568

COMPUTER SECURITY ARCHITECTURE AND RELATED COMPUTING METHOD

AO KASPERSKY LAB, Moscow...

1. A system for providing a computer security architecture, the system comprising:
computing hardware, including at least one processor, a data store, and input/output facilities interfaced with the at least
one processor, the data store containing an operating system and a plurality of subject entities executable by the at least
one processor;

the data store further containing a security subsystem executable by the at least one processor, that, when executed, causes
the computing hardware to implement:

a security server engine configured to apply selected rules, from among a set of rules defining one or more security policies,
to a given set of security context parameters, to produce a security verdict representing whether a certain action requested
by a subject entity is permissible, wherein each of the one or more security policies is associated with a corresponding communication
interface, and wherein each of the one or more security policies is defined by at least a conjunction of a first predefined
access mechanism and a second predefined access mechanism, and each of the first predefined access mechanism and the second
predefined access mechanism are described in a configuration language accessible by the security server engine to implement
the security policy without recompilation of the security server engine; and

a plurality of gateway engines, each gateway engine being associated with at least one of the subject entities and dedicated
to interfacing with the security server, each of the gateway engines being configured to: monitor requested actions by the
associated at least one subject entity and, for each requested action detected, identify a security context, determine an applicable
security policy for the requested action based on a corresponding identified security context, and request a security verdict
corresponding to the applicable security policy from the security server engine via a communication interface, wherein the
request for the security verdict includes at least one security context parameter transmitted to the security server engine,
the at least one security context parameter related to the requested actions, the security context, or the applicable security
policy for the requested action, wherein the gateway engine is unable to produce a security verdict, and wherein the gateway
engine is configured by

a system-level configuration applicable to all subject entities on the system, and
a reflection configuration unique to one of the subject entities; and
a security enforcement engine configured to either permit or deny each of the requested actions according to the security
verdict.

US Pat. No. 9,582,335

SYSTEM AND METHOD FOR DISTRIBUTING PROCESSING OF COMPUTER SECURITY TASKS

AO KASPERSKY LAB, Moscow...

1. An agent computer system for operation in a distributed computation system in which security-related tasks are delegated
to agents via a distributed computing service for the benefit of a beneficiary computer, the agent computer system comprising:
computing hardware including a processor, a memory device, a user interface, and a communications interface;
a plurality of protectors interfaced with the computing hardware and adapted to cause the computing hardware to perform various
security-related operations for a user of the agent computer system; and

a distributed processor that includes:
a task acceptor adapted to compute a determination of suitability of the agent computer system to accept delegation of at
least one task of the security-related tasks to be performed for the benefit of the beneficiary computer via the distributed
computing service, the determination being made by the agent computer system exclusive of the beneficiary computer and including
obtaining parameters of the at least one task that include computational requirements for performing the at least one task,
determining a computing capacity of the agent computer system based on available resources, determining an operating system
of the agent computer system, determining resource consumption of one or more applications installed on the agent computer
system, and rendering a decision of whether the computing capacity is sufficient to meet the computational requirements, whether
the operating system is sufficient to meet the computational requirements, and whether the resource consumption of the one
or more applications is sufficient to meet the computational requirements, the determination further being made by obtaining
and considering user parameters including a possibility relating to attempts by malicious programs to end processes of anti-virus
applications, and information about conflicts with the anti-virus applications that can affect an effectiveness of the security-related
tasks; and

a task executor adapted to obtain the at least one task delegated from the beneficiary computer via the distributed computing
service in response to the determination of the suitability of the agent computer system, and to execute the at least one
task via at least one of the plurality of protectors.

US Pat. No. 9,811,661

SYSTEM AND METHOD FOR PROTECTING COMPUTERS FROM UNAUTHORIZED REMOTE ADMINISTRATION

AO Kaspersky Lab, Moscow...

1. A computer-implemented method of detecting a remote administration of a computer system, the method comprising:
intercepting, via a processor of the computer system, a plurality of events occurring in the computer system;
determining respective parameters of each of the plurality of intercepted events;
identifying, based at least on the determined parameters, each intercepted event as relating to a first data transfer
by an application in a computer network or a second data transfer to the application from a peripheral data input device of
the computer system;

determining, based on the determined parameters, a first of the identified intercepted events as being dependent on a second
of the identified intercepted events;

generating a rule defining a dependency of the identified and determined parameters of the respective intercepted events,
the rule identifying the dependency of the identified parameter of the first identified intercepted event on the identified
parameter of the second identified intercepted event;

comparing the generated rule to a previously created rule that defines one or more dependencies of parameters of events occurring
in the computer system during the remote administration;

determining a degree of similarity of the generated rule and the previously created rule;
when the degree of similarity exceeds a threshold value, identifying at least one application as a remote administration application
that created the first and second identified intercepted events; and

blocking the identified remote administration application from exchanging data with the computer system.

US Pat. No. 9,536,101

SYSTEM AND METHOD FOR CONTROLLING ACCESS TO DATA USING API FOR USERS WITH DISABILITIES

AO Kaspersky Lab, Moscow...

1. A method for controlling data access using accessibility API, the method comprising:
registering by a processor of a user device a security application as an accessibility service, wherein the security application
comprises a library of accessibility application programming interface (API) functions, an interception module, a categorization
module and an access control module;

executing by the processor the security application and one or more user applications;
intercepting, by the interception module of the security application using the accessibility API functions, data accessed
by a user application being executed on the user device;

determining, by the categorization module of the security application, a category of intercepted data;
intercepting, by the interception module using the accessibility API functions, one or more events of user's interaction with
a user interface of the user application on the user device;

determining, by the access control module of the security application, an access control policy that specifies whether to
allow or prohibit user's access to the intercepted data based on the category of intercepted data and types of intercepted
events; and

controlling, by the access control module using the accessibility API functions, access of the user application to the intercepted
data based on the determined access control policy.

US Pat. No. 9,485,098

SYSTEM AND METHOD OF USER AUTHENTICATION USING DIGITAL SIGNATURES

AO Kaspersky Lab, Moscow...

1. A method for authenticating a user to access first data stored on a remote data storage system, the method comprising:
calculating, by a processor, a biometric key based on biometric data of the user;
encrypting, by the processor, confidential information of the user based on the biometric data of the user;
decrypting, by the processor, confidential information of the user using the calculated biometric key;
calculating, by the processor, a cryptographic key using at least a first portion of the decrypted confidential information
of the user;

generating, by the processor, an electronic digital signature of the user by encrypting, using the cryptographic key, a random
set of second data and a timestamp for when the encrypted confidential information of the user is identified in an electronic
database;

verifying, by the processor, the electronic digital signature using at least a second portion of the decrypted confidential
information; and

authenticating, by the processor, the user to access the first data stored on the remote data storage system if the electronic
digital signature is verified;

wherein verifying the electronic digital signature, comprises:
decrypting the electronic digital signature using the second portion of the decrypted confidential information; and
comparing the timestamp from the decrypted electronic digital signature with an original timestamp for when the encrypted
confidential information of the user is identified in the electronic database.

US Pat. No. 9,866,539

SYSTEM AND METHOD FOR PROTECTING TRANSMISSION OF AUDIO DATA FROM MICROPHONE TO APPLICATION PROCESSES

AO Kaspersky Lab, Moscow...

1. A method for preventing unauthorized access to audio data, the method comprising:
receiving, by a processor of a computer, a request from one software process selected from a plurality of software processes
to obtain an audio stream from an audio endpoint device;

determining, by the processor, a process identifier for the one software process that transmitted the request to obtain the
audio stream;

allocating, by the processor, a data buffer selected from a plurality of data buffers for the one software process according
to the determined process identifier;

processing and encrypting audio data received from the audio endpoint device by at least one audio processing object, wherein
the audio data is associated with the requested audio stream;

storing, by the processor, the encrypted audio data in the allocated data buffer for the one software process;
based on the determined process identifier, installing an interceptor of an application program interface (API) function call
for the one software process corresponding to the determined process identifier, such that the installed interceptor is configured
to access the encrypted audio data from the allocated data buffer and decrypt the encrypted audio data only for the one software
process; and

decrypting the encrypted audio data from the allocated data buffer by the one software process using the interceptor of the
API function call.

US Pat. No. 9,654,486

SYSTEM AND METHOD FOR GENERATING SETS OF ANTIVIRUS RECORDS FOR DETECTION OF MALWARE ON USER DEVICES

AO Kaspersky Lab, Moscow...

8. A system for generating sets of antivirus records, the system comprising:
a server having a hardware processor configured to:
maintain a database of malicious files;
generate at least one antivirus record for each malicious file in the database of malicious files;
calculate effectiveness of each antivirus record by determining how many different malicious files were detected using each
antivirus record and a number of false positive detections by said antivirus record;

generate a set of the most effective antivirus records, by:
selecting for each known malicious file the most effective antivirus record used in detection of said malicious file, wherein
the most effective antivirus record is calculated as a function of both the number of different malicious files detected by
said antivirus record and the number of false positive detections by said antivirus record;

determining whether the selected antivirus record is already in the set; and
when the selected antivirus record is not in the set, adding said record to the set; and
transmit the set of most effective antivirus records to a client device.

US Pat. No. 9,460,305

SYSTEM AND METHOD FOR CONTROLLING ACCESS TO ENCRYPTED FILES

AO Kaspersky Lab, Moscow...

1. A method for controlling access to encrypted files, the method comprising:
storing, in a database, priority information assigned to a plurality of applications and a plurality of file access policies
that are respectively assigned to the priority information for the plurality of applications, where the plurality of file
access policies each specify a different rule for accessing an encrypted file, including (i) providing access to the encrypted
file, (ii) decrypting the encrypted file and providing an access to a decrypted file, and (iii) blocking access to the encrypted
file;

detecting, via a processor, a request from a first application of the plurality of applications to access the encrypted file;
identifying the first application that requested access to the encrypted file including identifying, in the database, a priority
assigned to the first application, and the file access policy assigned to the priority of the first application;

identifying a child application activated by the first application for accessing the encrypted file including identifying,
in the database, a priority assigned to the child application;

determining a condition associated with the request from the first application, the condition relating to at least one of
a time criteria and a security policy relating to the request;

selecting a first priority selection rule if the condition satisfies a first rule selection condition of whether the request
by the first application is made during a first time of day and a second priority selection rule if the condition satisfies
a second rule selection condition of whether the request by the first application is made during a second time of day different
than the first time of day;

if the first priority selection rule is selected, controlling access to the encrypted file by the child application based
on the file access policy assigned to the priority of the child application; and

if the second priority selection rule is selected, controlling access to the encrypted file by the child application based
on the file access policy assigned to the priority of the first application that activated the child application.

US Pat. No. 9,178,902

SYSTEM AND METHOD FOR DETERMINING ENTERPRISE INFORMATION SECURITY LEVEL

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for determining an information security level for an enterprise, the method comprising:
collecting data relating to a structure of the enterprise including a plurality of elements, the plurality of elements including
equipment and control systems for the equipment of the enterprise;

creating, by a hardware processor, a model of an operation of the plurality of elements of the enterprise based on at least
one function of each element that is determined from the collected data;

identifying, by the hardware processor, criteria to evaluate the operation of the plurality of elements based on the at least
one function of each element;

determining, by the hardware processor, a coefficient indicating a functional effectiveness of the plurality of elements of
the enterprise based on the identified criteria;

simulating, by the hardware processor, control of the enterprise by applying different sequences of events and actions to
increase or decrease the coefficient, where the different sequences of events and actions are based on previous events for
one or more simulation iterations using the at least one function of each element; and

determining, by the hardware processor, an information security level for the enterprise based on a value of the coefficient
in response to the simulated control of the enterprise by applying the different sequences of events and actions.

US Pat. No. 10,019,587

SYSTEM AND METHOD FOR GENERATING APPLICATION CONTROL RULES

AO Kaspersky Lab, Moscow...

1. A method for configuring control rules for applications executable on a computer, the method comprising:
classifying, by the hardware processor, at least one computer application into one of a plurality of classification groups that include a trusted classification group, a malicious classification group, and an unknown classification group;
configuring, by the hardware processor, at least one control rule when the at least one application is classified in the unknown classification group by:
determining a computer competency score for a user of the computer, wherein the computer competency score comprises a numerical evaluation indicating a level of computer competence of the user;
categorizing, based on system library application programming interface (API) functions used by the at least one application, the at least one application into a plurality of categories, wherein at least one category indicates an access capability of the at least one application;
calculating a criticality score of the at least one application as a sum of the criticality scores of the categories in which the at least one application appears divided by a sum of the criticality scores of all predefined categories and multiplied by a correction factor; and
generating the at least one control rule for the at least one application that denies use of the application based on a comparison of the determined computer competency score for the user and the calculated criticality score of the at least one application; and
blocking execution of the at least one application based on the generated control rule.
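The criticality formula in the claim is concrete enough to run. The added example below (not Kaspersky's code) classifies an application by hash, categorizes an unknown application by the system API functions it imports, computes sum(criticality of its categories) / sum(criticality of all categories) * correction factor, and denies the application when the score exceeds the user's competency score. The category weights, the API-to-category mapping, the hash lists, the 0..1 competency scale and the correction factor (assumed to be halved for signed binaries) are all assumptions.

```python
"""Added worked example (not Kaspersky's code) of the control rule in the claim
above.  The category weights, API-to-category mapping, reputation lists,
competency scale (0..1) and correction factor are all assumptions."""
from typing import Dict, FrozenSet, Iterable, NamedTuple

CATEGORY_CRITICALITY: Dict[str, int] = {        # assumed predefined categories and weights
    "filesystem_write": 4, "network": 5, "process_injection": 9,
    "registry_autorun": 7, "keyboard_hook": 8, "gui": 1,
}
API_CATEGORIES: Dict[str, str] = {              # assumed system library API -> category
    "CreateFileW": "filesystem_write", "WriteFile": "filesystem_write",
    "connect": "network", "send": "network",
    "WriteProcessMemory": "process_injection", "CreateRemoteThread": "process_injection",
    "RegSetValueExW": "registry_autorun", "SetWindowsHookExW": "keyboard_hook",
    "MessageBoxW": "gui",
}
TRUSTED_HASHES = {"1111" * 16}                  # constructed reputation lists
MALICIOUS_HASHES = {"2222" * 16}


class AppInfo(NamedTuple):
    sha256: str
    imports: tuple          # system library API functions the application uses
    signed: bool = False


def classify(app: AppInfo) -> str:
    """Trusted / malicious by reputation list, otherwise unknown."""
    if app.sha256 in TRUSTED_HASHES:
        return "trusted"
    if app.sha256 in MALICIOUS_HASHES:
        return "malicious"
    return "unknown"


def categorize(imports: Iterable[str]) -> FrozenSet[str]:
    """A category counts once however many of its APIs the application imports."""
    return frozenset(API_CATEGORIES[f] for f in imports if f in API_CATEGORIES)


def criticality_score(categories: Iterable[str], correction_factor: float = 1.0) -> float:
    """sum(criticality of hit categories) / sum(criticality of all categories) * correction."""
    total = sum(CATEGORY_CRITICALITY.values())
    hit = sum(CATEGORY_CRITICALITY[c] for c in categories)
    return hit / total * correction_factor


def control_rule(app: AppInfo, user_competency: float) -> str:
    """'allow' or 'deny'; the competency comparison only applies to unknown applications."""
    group = classify(app)
    if group != "unknown":
        return "allow" if group == "trusted" else "deny"
    # Assumed correction factor: a validly signed binary is weighted at one half.
    score = criticality_score(categorize(app.imports), 0.5 if app.signed else 1.0)
    return "deny" if score > user_competency else "allow"


# Constructed unknown application: writes files, connects out, injects into processes.
INJECTOR = AppInfo("abcd" * 16, ("CreateFileW", "WriteFile", "connect",
                                 "WriteProcessMemory", "CreateRemoteThread"))

if __name__ == "__main__":
    print(criticality_score(categorize(INJECTOR.imports)))            # 18/34
    print(control_rule(INJECTOR, 0.4), control_rule(INJECTOR, 0.8))  # deny allow
```

With the assumed weights the injector scores 18/34 (about 0.53): a novice user with competency 0.4 is denied, an administrator at 0.8 is allowed, and the same unsigned binary with a known-malicious hash is denied regardless of competency.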

US Pat. No. 9,864,626

COORDINATING JOINT OPERATION OF MULTIPLE HYPERVISORS IN A COMPUTER SYSTEM

AO KASPERSKY LAB, Moscow...

1. A system for coordinating joint operation of multiple hypervisors, the system comprising:
a computing platform having a processor, data storage, and input/output facilities, the processor being switchable between
a hypervisor mode and a supervisor mode, the hypervisor mode providing a higher privilege level than the supervisor mode,
the computing platform containing instructions that, when executed by the computing platform, cause the computing platform
to implement:

a persistent hypervisor and a non-persistent hypervisor;
a scheduler engine configured to coordinate operation of the non-persistent hypervisor in the supervisor mode;
a handler engine configured to coordinate operation of the persistent hypervisor in the hypervisor mode such that:
the handler engine monitors, and responds, to an attempted mode transition of the processor between the hypervisor and supervisor
modes;

in response to an attempted mode transition from the hypervisor mode to the supervisor mode, the handler engine suspends execution
of the persistent hypervisor, including saving of a state of the processor, and transitions the processor to execute the non-persistent
hypervisor in the supervisor mode, wherein the handler engine is configured to monitor by a command detector engine at least
one command associated with a processor mode transition between the hypervisor mode and the supervisor mode; and

wherein in response to a conclusion of execution of supervisor-mode instruction based on at least the at least one command
associated with the processor mode transition monitored by the command detector engine, the handler engine suspends execution
of the non-persistent hypervisor, including saving of the processor state, and transitions the processor to execute the persistent
hypervisor in the hypervisor mode.

US Pat. No. 9,588,848

SYSTEM AND METHOD OF RESTORING MODIFIED DATA

AO Kaspersky Lab, Moscow...

1. A method for restoring modified data, the method comprising:
intercepting, by a processor of a computer, a request from a program to modify data stored in a data storage;
determining, prior to the program modifying the data, parameters of the intercepted request that relate to the data to be
modified;

computing criteria based on the determined parameters and analyzing the computed criteria based on at least one rule indicating
at least: an integrity of the data to be modified is important to an operating system of the computer or important to a user
of the computer, and whether, based on the parameters of the intercepted request, a method of working with the data storage
and a type of data operations on the data storage result in modifications of the data;

generating, prior to the program modifying the data, a request to generate a backup copy of the data when the at least one
rule is satisfied;

generating and storing, prior to the program modifying the data, a backup copy in the data storage;
analyzing, one or more parameters of a process of the program that relates to the data operations to modify the data; and
blocking further operation by the program based on an analysis of the one or more parameters of the process.

US Pat. No. 9,553,889

SYSTEM AND METHOD OF DETECTING MALICIOUS FILES ON MOBILE DEVICES

AO Kaspersky Lab, Moscow...

1. A method of detecting malicious files, the method comprising:
analyzing, by a hardware processor, a file comprising code written in an object-oriented programming language to identify at least
one or more classes of the analyzed file and one or more methods contained in said one or more classes;

determining, by the hardware processor, a number of the identified one or more classes and a number of the identified one
or more methods of the analyzed file;

identifying, by the hardware processor, a bytecode array for each identified method;
determining, by the hardware processor, instructions contained in each method by identifying a corresponding operation code
from the bytecode array of each method;

dividing, by the hardware processor, the determined instructions for each method into a plurality of groups based on similarity
of functionality among said instructions;

forming, by the hardware processor, a vector for each method on the basis of the results of the division of the instructions
into the plurality of groups, the vector for each method including a point in n-dimensional Euclidean space;

comparing at least one of the number of classes and the number of methods of the analyzed file to known malicious files in
a database to identify the known malicious files for comparison that have at least one of a number of classes and a number
of methods that differs by less than a predetermined percentage from the number of classes and the number of methods, respectively,
of the analyzed file;

comparing, by the hardware processor, the formed vectors for the methods of the analyzed file with a plurality of vectors
of the identified known malicious files for comparison to determine a degree of similarity between the compared vectors; and

determining, by the hardware processor, whether the analyzed file is malicious or clean based on the degree of similarity
between the compared vectors.
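The pipeline in the claim (count classes and methods, decode each method's opcodes, group them, build one vector per method, prefilter the malicious database by class/method count, then compare vectors) is shown end to end in the added example below. It is not Kaspersky's code: the opcode table, the six instruction groups, the one-byte-per-instruction toy bytecode format, the similarity function 1/(1+d) over Euclidean distance d, the 25 % count window, the 0.8 threshold and the three sample files are all constructed for the illustration. Real Dalvik bytecode has variable-length instructions and needs a proper parser in place of the toy decoder.

```python
"""Added worked example (not Kaspersky's code) of the class/method-count
prefilter and per-method opcode-group vectors from the claim above.  Opcode
table, groups, toy bytecode format and sample files are constructed."""
from math import dist
from typing import Dict, List, Tuple

# Assumed toy opcode table: byte value -> mnemonic (one byte per instruction).
OPCODES = {0x01: "move", 0x0e: "return-void", 0x0f: "return", 0x12: "const",
           0x1a: "const-string", 0x28: "goto", 0x32: "if-eq", 0x33: "if-ne",
           0x52: "iget", 0x59: "iput", 0x6e: "invoke-virtual", 0x71: "invoke-static",
           0x90: "add-int", 0x91: "sub-int"}
# Assumed functional groups; each method vector has one coordinate per group (n = 6).
GROUPS = ("data", "control", "invoke", "field", "arith", "const")
OPCODE_GROUP = {"move": "data", "return-void": "control", "return": "control",
                "goto": "control", "if-eq": "control", "if-ne": "control",
                "invoke-virtual": "invoke", "invoke-static": "invoke",
                "iget": "field", "iput": "field", "add-int": "arith",
                "sub-int": "arith", "const": "const", "const-string": "const"}

File = Dict[str, Dict[str, bytes]]          # class name -> method name -> bytecode array
Vector = Tuple[int, ...]


def method_vector(bytecode: bytes) -> Vector:
    """Decode the opcodes and count them per group: a point in 6-dimensional space."""
    counts = dict.fromkeys(GROUPS, 0)
    for byte in bytecode:
        counts[OPCODE_GROUP[OPCODES[byte]]] += 1   # KeyError on an unknown opcode is deliberate
    return tuple(counts[g] for g in GROUPS)


def file_vectors(f: File) -> List[Vector]:
    return [method_vector(bc) for methods in f.values() for bc in methods.values()]


def class_method_counts(f: File) -> Tuple[int, int]:
    return len(f), sum(len(methods) for methods in f.values())


def candidates(analyzed: File, known: Dict[str, File], pct: float = 0.25) -> List[str]:
    """Known malicious files whose class count or method count differs from the
    analyzed file's by less than pct (relative to the analyzed file)."""
    nc, nm = class_method_counts(analyzed)
    out = []
    for name, f in known.items():
        kc, km = class_method_counts(f)
        if abs(kc - nc) < pct * nc or abs(km - nm) < pct * nm:
            out.append(name)
    return out


def similarity(vecs_a: List[Vector], vecs_b: List[Vector]) -> float:
    """Degree of similarity in [0, 1]: each method of A is matched to its nearest
    method of B by Euclidean distance d, scored 1/(1+d), and the scores are averaged."""
    if not vecs_a or not vecs_b:
        return 0.0
    return sum(1.0 / (1.0 + min(dist(a, b) for b in vecs_b)) for a in vecs_a) / len(vecs_a)


def verdict(analyzed: File, known: Dict[str, File], threshold: float = 0.8,
            pct: float = 0.25) -> Tuple[str, float, str]:
    """Returns (verdict, best similarity, name of the closest known malicious file)."""
    vecs = file_vectors(analyzed)
    best_score, best_name = 0.0, ""
    for name in candidates(analyzed, known, pct):
        score = similarity(vecs, file_vectors(known[name]))
        if score > best_score:
            best_score, best_name = score, name
    return ("malicious" if best_score >= threshold else "clean"), best_score, best_name


# Constructed sample files.
KNOWN_MALICIOUS: Dict[str, File] = {
    "Trojan.Sample": {
        "Lcom/evil/Loader;": {"onCreate": bytes([0x12, 0x1a, 0x6e, 0x6e, 0x0e]),
                              "fetch": bytes([0x1a, 0x71, 0x52, 0x32, 0x28, 0x0f])},
        "Lcom/evil/Dropper;": {"drop": bytes([0x52, 0x59, 0x6e, 0x0e])},
    },
    # Ten classes with one trivial method each: removed by the count prefilter.
    "Trojan.Big": {f"Lcom/big/C{i};": {"m": bytes([0x0e])} for i in range(10)},
}
# Repackaged variant: renamed classes and methods, one extra const in the first method.
VARIANT: File = {
    "Lcom/app/Main;": {"init": bytes([0x12, 0x12, 0x1a, 0x6e, 0x6e, 0x0e]),
                       "load": bytes([0x1a, 0x71, 0x52, 0x32, 0x28, 0x0f])},
    "Lcom/app/Util;": {"write": bytes([0x52, 0x59, 0x6e, 0x0e])},
}
CLEAN: File = {
    "Lcom/calc/Main;": {"add": bytes([0x90, 0x90, 0x0f]), "sub": bytes([0x91, 0x0f])},
    "Lcom/calc/Ui;": {"show": bytes([0x1a, 0x6e, 0x0e])},
}

if __name__ == "__main__":
    print(verdict(VARIANT, KNOWN_MALICIOUS))   # ('malicious', 0.8333..., 'Trojan.Sample')
    print(verdict(CLEAN, KNOWN_MALICIOUS))     # ('clean', ...)
```

Renaming classes and methods, which defeats name-based signatures, leaves the group-count vectors untouched; the variant's only change (one extra const) moves a single method by distance 1, so it still scores 5/6 against the original. The prefilter uses "or" because the claim says at least one of the two counts must be close; a stricter deployment would require both.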

US Pat. No. 9,513,889

SYSTEM AND METHOD OF AUTOMATING INSTALLATION OF APPLICATIONS

AO Kaspersky Lab, Moscow...

1. A method for creating an installation rule for automating installation of software applications on a plurality of computers,
the method comprising:
launching, by a processor, an application installer having a sequence of windows for installing a software application in
an operating system of a computer;

searching for and identifying, by an examination module, all active elements in an active window of the application installer;
activating, by the examination module, each identified active element and tracking changes in status of all other active elements
to identify the active elements that are control elements for transitioning the active window to a subsequent window in the
sequence of windows of the application installer during installation of the software application in the operating system of
the computer;

activating, by the examination module, the identified control elements in the active window to transition to the subsequent
window in the sequence of windows of the application installer;

identifying, by the examination module, control elements in the subsequent window and in all other windows in the sequence
of windows of the application installer to verify that activation of each identified control element transitions the sequence
of windows to a final window in the sequence of windows during an installation of the software application in the operating
system of the computer;

generating an automatic installation rule for the software application that includes a series of commands to automatically
activate control elements in each window in the sequence of windows of the application installer to install the software
application in each operating system of the plurality of computers without a participation of a user;

testing the generated automatic installation rule to verify that the software application is successfully installed without
the participation of the user; and

amending the generated automatic installation rule to generate a new automatic installation rule when the software application
is not successfully installed without the participation of the user.

US Pat. No. 9,122,872

SYSTEM AND METHOD FOR TREATMENT OF MALWARE USING ANTIVIRUS DRIVER

AO Kaspersky Lab, Moscow...

1. A method for treatment of malicious objects on a computer, the method comprising:
performing, by an antivirus software executable by a hardware processor, an antivirus scan of a first plurality of objects
associated with the operating system of the computer and a second plurality of objects requiring separate corresponding drivers
to access;

detecting, by the antivirus software, a malicious object on the computer;
formulating at least one task for treatment of the detected malicious object;
configuring and activating on the computer an antivirus driver of the antivirus software to execute the at least one formulated
task for treatment of the detected malicious object;

before rebooting the computer, checking an integrity of the at least one task by using another driver;
rebooting the computer by the antivirus software;
upon detecting a modification of the at least one task by the detected malicious object, restoring the at least one task by
using the other driver; and

loading the antivirus driver to execute the at least one task for treatment of the detected malicious object.

US Pat. No. 10,162,964

SYSTEM AND METHOD FOR PROTECTION OF MEMORY PAGES USING A HYPERVISOR

AO KASPERSKY LAB, Moscow...

1. A method for protecting memory pages of a computing device using a bare-metal hypervisor, the method comprising:
in response to receiving a hypercall from a trusted program, detecting, by the bare-metal hypervisor, a token associated with the trusted program, wherein the trusted program is a driver of a host operating system (OS) present on the computing device and the trusted program is loaded during initialization of the host OS;
checking the token associated with the trusted program against a saved token of the hypervisor;
creating, by the hypervisor, a memory page comprising a safe hypercall address of the hypervisor by which the hypercall can be executed and a plurality of other memory addresses;
in response to detecting that the token associated with the trusted program matches the saved token of the hypervisor, transmitting addresses of the memory page from the hypervisor to the trusted program; and
allowing, by the hypervisor, execution of the hypercall by the trusted program accessing the safe hypercall address found at the addresses of the memory page.

US Pat. No. 9,853,995

SYSTEM AND METHOD FOR RESTRICTING PATHWAYS TO HARMFUL HOSTS IN COMPUTER NETWORKS

AO KASPERSKY LAB, Moscow...

1. An automated computer-implemented method for detecting malicious activity in a computer network that includes hosts and
connectors between the hosts, the method comprising:
exploring, by a system of at least one computer running under program control, network pathways to a plurality of investigated
hosts, wherein the network pathways to each of the plurality of investigated hosts are explored by the at least one computer
from a first entry point to the computer network and a second entry point to the computer network, the second entry point
being varied from the first entry point;

forming a graph data structure based on results of the exploring of the network pathways, the graph data structure representing
topology of explored portions of the computer network, including connectors between the investigated hosts and intermediary
hosts situated along explored pathways that include the investigated hosts, and an indication of a prevalence of connectors
in pathways to each of the investigated hosts;

obtaining registration information for all of the plurality of investigated hosts;
determining whether the registration information for a particular investigated host matches an address in a malicious host
database;

adding the address for the particular investigated host matching the registration information to the malicious host database;
comparing the prevalence of connectors along pathways to each of the investigated hosts against a prevalence threshold;
identifying, among the hosts situated along pathways to a common investigated host, any suspicious host that is associated
with a connector having a low prevalence that is below the prevalence threshold, wherein the prevalence threshold comprises
an intensity of use for the connector to transmit information to and from a particular host to determine the connector's role
in accessing malicious content;

associating, by the system, an access restriction with the suspicious host and at least one intermediate host situated between
the common investigated host and the connector and associated with the connector having a low prevalence, wherein each of
the investigated hosts is a trusted host, and wherein the access restriction is applied to the at least one intermediate host
that corresponds to a connector having a prevalence that is less than the prevalence value of the connector used in a previous
attempt to transfer data to and from the investigated host; and

adding the suspicious host and the at least one intermediate host situated between the common investigated host and the connector
and associated with the connector having a low prevalence to the malicious host database.
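The added example below (not Kaspersky's code) runs the prevalence analysis of the claim on a constructed topology: pathways to three trusted investigated hosts are explored from four entry points, each connector's prevalence is the number of explored pathways it appears in, and for each investigated host the hosts reached over a connector below the threshold (the suspicious host at the connector's far end plus any intermediate hosts between it and the investigated host) are restricted and added to the malicious host database. The host names, routes, registration records, the rogue route and the threshold are all constructed; the claim's comparison against the prevalence seen in a previous transfer attempt is replaced here by a fixed threshold.

```python
"""Added worked example (not Kaspersky's code) of connector-prevalence analysis
over explored pathways.  Topology, the rogue route, registration records and the
threshold are constructed for the illustration."""
from collections import Counter
from typing import Dict, List, Set, Tuple

Connector = Tuple[str, str]

# Constructed topology: each entry point reaches cdn.edge via its own ISP gateway and core.
ENTRY_ROUTES: Dict[str, List[str]] = {
    "entryA": ["isp1.gw", "core1"], "entryB": ["isp2.gw", "core2"],
    "entryC": ["isp3.gw", "core1"], "entryD": ["isp4.gw", "core2"],
}
INVESTIGATED = ["bank.example", "shop.example", "news.example"]   # all trusted
ROGUE_PATH = ["entryB", "isp2.gw", "rogue.relay", "proxy.x", "news.example"]
PREVALENCE_THRESHOLD = 2   # assumed: a connector seen in fewer than 2 pathways is "low"


def explore() -> List[List[str]]:
    """Stand-in for the exploration step (e.g. a traceroute from every entry point)."""
    paths = [[entry] + hops + ["cdn.edge", host]
             for entry, hops in ENTRY_ROUTES.items() for host in INVESTIGATED]
    # Constructed anomaly: from entryB the route to news.example is diverted through
    # two hosts that no other pathway uses.
    return [ROGUE_PATH if p[0] == "entryB" and p[-1] == "news.example" else p for p in paths]


def connectors(path: List[str]) -> List[Connector]:
    return list(zip(path, path[1:]))


def connector_prevalence(paths: List[List[str]]) -> Counter:
    """Number of explored pathways in which each connector appears."""
    return Counter(c for p in paths for c in connectors(p))


def restricted_hosts(paths: List[List[str]],
                     threshold: int = PREVALENCE_THRESHOLD) -> Dict[str, Set[str]]:
    """For each investigated host: the suspicious host at the far end of every
    low-prevalence connector on its pathways plus the intermediate hosts between that
    connector and the investigated host.  The investigated host itself is trusted
    and never restricted."""
    prevalence = connector_prevalence(paths)
    out: Dict[str, Set[str]] = {host: set() for host in INVESTIGATED}
    for path in paths:
        target = path[-1]
        for i, conn in enumerate(connectors(path)):
            if prevalence[conn] < threshold:
                out[target].update(path[i + 1:-1])   # conn[1] and everything after it, up to target
    return out


# Constructed registration information (host -> registered address) and malicious DB.
REGISTRATION: Dict[str, str] = {"bank.example": "203.0.113.10", "shop.example": "203.0.113.20",
                                "news.example": "198.51.100.5"}
MALICIOUS_DB: Set[str] = {"192.0.2.66"}


def update_malicious_db(paths: List[List[str]], db: Set[str],
                        threshold: int = PREVALENCE_THRESHOLD) -> Set[str]:
    """Adds any investigated host whose registered address is already listed, then
    every host restricted by the prevalence analysis.  Returns the updated database."""
    for host, address in REGISTRATION.items():
        if address in db:
            db.add(host)
    for hosts in restricted_hosts(paths, threshold).values():
        db.update(hosts)
    return db


if __name__ == "__main__":
    paths = explore()
    print(connector_prevalence(paths).most_common(3))
    print(restricted_hosts(paths))
    print(sorted(update_malicious_db(paths, set(MALICIOUS_DB))))
```

Exploring from more than one entry point is what makes the anomaly visible: with a single vantage point the diverted route to news.example would be the only route seen and every connector on it would look normal. Note that the isp2.gw to core2 connector, used by exactly two pathways, sits on the threshold and is not flagged, which is why the threshold needs tuning against the number of entry points.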

US Pat. No. 9,536,088

SYSTEM AND METHOD FOR PROTECTION OF MEMORY IN A HYPERVISOR

AO Kaspersky Lab, Moscow...

1. A method for secure execution of a hypervisor, the method comprising:
loading, by a hardware processor of a computing device, a hypervisor configured to check integrity of protected virtual memory
pages;

loading, by the hardware processor, a trusted program configured to make hypercalls to the hypervisor;
making by the trusted program a first hypercall to the hypervisor;
responsive to the first hypercall, generating by the hypervisor a token, which is used by the hypervisor to identify the trusted
program during subsequent hypercalls;

allocating, by the hardware processor, a memory page for storing the token and a memory address of the hypervisor; and
returning the allocated memory page address to the trusted program.

US Pat. No. 10,162,745

SYSTEM AND METHOD OF TRANSFER OF CONTROL BETWEEN MEMORY LOCATIONS

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for controlling execution of a computer program, the method comprising:
determining, by a processor, a memory sector for storing at least a portion of execution instructions of the computer program in virtual memory address space;
determining, in the virtual memory address space, one or more pages that contain code instructions and data associated with the memory sector;
creating a duplicate of the virtual memory address space comprising the memory sector and the one or more pages;
tagging the memory sector and the one or more pages in both the virtual memory address space and the duplicate of the virtual memory address space;
receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or the duplicate of the virtual memory address space; and
transferring execution of the computer program to a memory location other than the one in which the notification was received.

US Pat. No. 9,647,975

SYSTEMS AND METHODS FOR IDENTIFYING SPAM MESSAGES USING SUBJECT INFORMATION

AO KASPERSKY LAB, Moscow...

1. A system for identifying a spam email message, the system comprising:
a computing platform including computing hardware of at least one processor, a memory operably coupled to the at least one
processor and configured to store instructions invoked by the at least one processor, an operating system implemented on the
computing hardware, and input/output facilities;

a rules database configured to store a plurality of ratio determination rules including a set of conditions for a text string
for which the rules are applied to determine an n-value of words in a gram and a k-value of words to skip in an input text;

a vectors database configured to store a plurality of known vectors, wherein the plurality of known vectors are classified
by thematic category;

instructions that, when executed on the computing platform, cause the computing platform to implement:
a message processing tool configured to receive an email message via the input/output facilities, the email message containing
a subject field,

a gram building tool configured to build a k-skip-n-gram set of word combinations according to the ratio of the k-value and
the n-value for the subject field as the input text as determined by the ratio determination rules in the rules database,

a vector building tool configured to receive, from the gram building tool, the k-skip-n-gram set of word combinations, and
build a vector for each k-skip-n-gram word combination, and

a spam identification tool configured to determine a spam presence threshold based on the cosine similarity for each k-skip-n-gram
word combination and the plurality of known vectors for the particular email message subject field thematic category, and
determine that the email message contains spam when the spam presence threshold is exceeded.
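The added example below (not Kaspersky's code) implements the subject-field pipeline of the claim: ratio determination rules choose the n-value and k-value from the token count, a k-skip-n-gram set is built for the subject, it is turned into a sparse vector, and the vector is scored by cosine similarity against known vectors stored per thematic category; the message is spam when the best score exceeds the spam presence threshold. The rules, the known spam subjects, the two categories and the threshold are constructed for the illustration.

```python
"""Added worked example (not Kaspersky's code) of k-skip-n-gram subject vectors
compared by cosine similarity against per-category known vectors.  Ratio rules,
known subjects, categories and threshold are constructed."""
import math
import re
from collections import Counter
from itertools import combinations
from typing import Callable, Dict, List, Set, Tuple

Gram = Tuple[str, ...]

# Assumed ratio determination rules: (condition on the token list, n, k).
# The first rule whose condition holds decides the n-value and the k-value.
RATIO_RULES: List[Tuple[Callable[[List[str]], bool], int, int]] = [
    (lambda toks: len(toks) < 3, 1, 0),   # very short subjects: plain unigrams
    (lambda toks: len(toks) <= 6, 2, 1),  # typical subjects: bigrams skipping at most one word
    (lambda toks: True, 2, 2),            # long subjects: bigrams skipping up to two words
]


def tokenize(text: str) -> List[str]:
    return re.findall(r"[a-z0-9']+", text.lower())


def select_ratio(tokens: List[str]) -> Tuple[int, int]:
    for cond, n, k in RATIO_RULES:
        if cond(tokens):
            return n, k
    raise ValueError("no ratio determination rule matched")


def k_skip_n_grams(tokens: List[str], n: int, k: int) -> Set[Gram]:
    """All n-word combinations whose words appear in order within a window of
    n+k tokens, i.e. with at most k skipped words in total."""
    grams: Set[Gram] = set()
    for i, head in enumerate(tokens):
        window = tokens[i + 1:i + n + k]
        for idx in combinations(range(len(window)), n - 1):
            grams.add((head,) + tuple(window[j] for j in idx))
    return grams


def subject_vector(subject: str) -> Counter:
    """Sparse vector over gram strings; the ratio rules pick n and k for this text."""
    tokens = tokenize(subject)
    n, k = select_ratio(tokens)
    return Counter(" ".join(g) for g in k_skip_n_grams(tokens, n, k))


def cosine(a: Counter, b: Counter) -> float:
    num = sum(a[key] * b[key] for key in a.keys() & b.keys())
    den = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return num / den if den else 0.0


# Constructed vectors database: thematic category -> vectors of known spam subjects.
KNOWN_VECTORS: Dict[str, List[Counter]] = {
    "pharma": [subject_vector("Cheap viagra pills online"),
               subject_vector("Buy cialis pills online now")],
    "finance": [subject_vector("Urgent wire transfer request"),
                subject_vector("Your account needs verification")],
}
SPAM_PRESENCE_THRESHOLD = 0.3   # assumed


def spam_score(subject: str) -> Tuple[str, float]:
    """Best (category, cosine similarity) of the subject against the known vectors."""
    vec = subject_vector(subject)
    best = ("", 0.0)
    for category, known in KNOWN_VECTORS.items():
        for kv in known:
            score = cosine(vec, kv)
            if score > best[1]:
                best = (category, score)
    return best


def is_spam(subject: str, threshold: float = SPAM_PRESENCE_THRESHOLD) -> bool:
    return spam_score(subject)[1] > threshold


if __name__ == "__main__":
    for s in ("Buy cheap pills online", "Meeting notes from the online review"):
        print(s, "->", spam_score(s), is_spam(s))
```

The skip is what gives the method its tolerance to word insertion: "Buy cheap pills online" shares no contiguous bigram with "Cheap viagra pills online" apart from "pills online", but the 1-skip-2-gram "cheap pills" matches as well, which lifts the cosine score to 0.4 and over the threshold.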

US Pat. No. 9,659,172

SYSTEM AND METHOD OF PREVENTING EXECUTION OF UNDESIRABLE PROGRAMS

AO Kaspersky Lab, Moscow...

1. A method for controlling execution of programs, the method comprising:
detecting, by a processor, an unknown program installed on a computer;
identifying, by the processor, undesirable actions performed by the unknown program on the computer, wherein the undesirable
actions include at least one of: actions performed by the program without knowledge of a user, actions for accessing personal
user data on the computer, and actions affecting the user's work with other programs or the operating system of the computer;

determining, by the processor, whether the unknown program is undesirable or not based on the identified undesirable actions
of the program;

when the unknown program is determined to be undesirable, prompting the user to select whether to allow or prohibit execution
of the undesirable program on the computer; and

when the unknown program is determined not to be undesirable, allowing, by the processor, execution of the unknown program
on the computer, analyzing the graphical user interface (GUI) of the program installer for presence of active undesirable GUI
elements; and deactivating one or more detected undesirable GUI elements to prevent execution of one or more undesirable actions
of the program.

US Pat. No. 9,667,657

SYSTEM AND METHOD OF UTILIZING A DEDICATED COMPUTER SECURITY SERVICE

AO Kaspersky Lab, Moscow...

1. A method for utilizing computer security services, the method comprising:
storing, in an electronic database, a plurality of policies that indicate when to use either a private cloud service or a
public cloud service configured to analyze software objects using different types of security services to determine whether
the software objects are malicious,

wherein the policies relate to at least one of: a predetermined time period when software of the private cloud service was
last updated, a type of the at least one security service provided by the private cloud service, a type of data being sent
in a request to the service, and a traffic quota of requests sent to at least one of the private or public service;

receiving a request from a client computer to access the at least one private or public cloud security service, wherein the
request includes an unknown software object;

determining, by a processor, at least one parameter relating to the received request, including at least one of a type of
the security service being accessed and a type of the software object included in the request, including one of a file, a
link and a hash sum;

applying, by the processor, the at least one parameter to the plurality of policies to determine whether to transmit the request
to the private cloud service or the public cloud service; and

based on the determination, transmitting the request to one of the private cloud service or the public cloud service.

US Pat. No. 9,571,471

SYSTEM AND METHOD OF ENCRYPTED TRANSMISSION OF WEB PAGES

AO Kaspersky Lab, Moscow...

1. A method for secure transmission of web page data, the method comprising:
receiving, by a proxy server, a web page requested by a user device;
analyzing, by a hardware processor of the proxy server, the received web page to identify code of elements of the web page;
selecting one or more identified elements of the web page for encryption from (i) user input elements and (ii) output elements
containing confidential user data;

encrypting, by the hardware processor, the code of the one or more selected elements;
generating, by the hardware processor, a script containing the encrypted code of the one or more selected elements;
modifying the web page, by the hardware processor, by replacing in the web page the code of the one or more selected elements
with the script containing the encrypted code of said one or more selected elements; and

transmitting, by the proxy server, the modified web page to the user device.

US Pat. No. 9,860,272

SYSTEM AND METHOD FOR DETECTION OF TARGETED ATTACK BASED ON INFORMATION FROM MULTIPLE SOURCES

AO KASPERSKY LAB, Moscow...

1. A method for detecting targeted attacks from a network resource, comprising:
obtaining, by a processor of a computing device, data from multiple computer systems and devices connected with one another
in a communications network to determine a possibility of a targeted attack from the network resource, the data comprising
information relating to the network resource and a set of parameters of each computer system or device in accessing the network
resource;

detecting discrepancies in the obtained data relating to the possibility of the targeted attack from the network resource
from the multiple computer systems and devices;

forming and sending queries, by the processor, to a group of computer systems and devices detecting the possibility of the
targeted attack with the set of parameters of the group of computer systems and devices in accessing the network resource,
wherein the parameters are varied at least until one parameter or set of parameters is identified that is common to the computer
systems in the group for which presence of the discrepancy is confirmed; and

calculating a probability of the targeted attack from the network resource based at least upon information received from the
group of computer systems and devices in response to the queries.

US Pat. No. 9,639,698

SYSTEMS AND METHODS FOR ACTIVE OPERATING SYSTEM KERNEL PROTECTION

AO KASPERSKY LAB, Moscow...

1. A computing device kernel comprising:
an address space;
an original system call handler loaded on the address space and configured to receive and execute computing device kernel
operation commands; and

a substitute system call handler loaded on the address space, wherein the substitute system call handler is generated as a
copy of the original system call handler by determining a memory address of the original system call handler and determining
a size of a loaded image of the original system call handler,

wherein the substitute system call handler is configured to intercept a computing device system call as directed by a hypervisor
operably coupled to the address space.

US Pat. No. 9,898,739

SYSTEM AND METHOD FOR ENSURING SAFETY OF ONLINE TRANSACTIONS

AO KASPERSKY LAB, Moscow...

1. In a computing system that includes a processor, data storage, and input/output devices including a network interface device
configured to communicate over a network, and an operating system, a method for securing online financial transactions, the
method comprising:
detecting, by the computing system, a start of an online financial transaction over the network between a user-controlled
online transaction application executing on the computing system and a remote payment service based on at least one of a launch
of the online transaction application, access of the remote payment service over the network, transmission of content indicative
of a connection to the remote payment service, or a predefined pattern of activity;

executing, by the computing system, a protected data input module configured to apply a selected protection scheme to limit
access by unauthorized processes to an input sequence via at least one of the input/output devices over the network while
permitting the input sequence to be accepted by an authorized process;

executing, by the computing system, a protected environment module configured to apply a selected protection scheme to protect
the user-controlled online transaction application from being compromised by malware;

executing, by the computing system, a safe data transfer module configured to apply a selected protection scheme to determine
whether a connection with the remote payment service over the network is a correct connection with a reputable party;

in response to detection of the start of the financial transaction, assessing, by the computing system, a risk level of conducting
the financial transaction on the network based on a vulnerability assessment and on a present condition of the computing system
including the input device operated by the user, wherein the vulnerability assessment includes a weighted determination including
consideration of vulnerabilities of the online financial transaction application, incidents logged in the operating system,
incidents having occurred on a local network computing system, update status of an antivirus program installed on the computing
system, use of hardware authentication modules on the computing system, frequency of online financial transactions by the
computing system, and a nature of data having been accessed by the user;

setting, by the computing system, an initial protection scheme for each of the protected data input module, the protected
environment module, and the safe data transfer module based on the risk level;

adjusting, by the computing system, a protection scheme for at least one of the protected data input module, the protected
environment module, and the safe data transfer module based on the risk level to a different protection scheme than the initial
protection scheme for each of the at least one corresponding modules,

wherein adjusting the protection scheme includes accessing a plurality of protection settings that represent each item of
protective functionality facilitated by the protected data input module, the protected environment module, and the safe data
transfer module, and changing at least one of the protection settings of the plurality of protection settings to either increase,
or decrease, an extent of functionality of protection commensurately with the risk level, wherein the plurality of protection
settings includes a range of protection levels for the respective protective functionality facilitated by the protected data
input module, the protected environment module, and the safe data transfer module, wherein at least one of

a protected data input level is adjusted among a predetermined range of protected data input levels that differs from the
protected data input level set at the initial protection scheme,

a protected environment module level is adjusted among a predetermined range of protected environment levels that differs
from the protected environment module level set at the initial protection scheme, or

a safe data transfer level is adjusted among a predetermined range of safe data transfer levels that differs from the safe
data transfer level set at the initial protection scheme, and

detecting, by the computing system, completion of the online financial transaction by determining that all data related to
the online financial transaction has been transferred on the network; and

automatically ending, by the computing system, the protection scheme upon detection that the online financial transaction
has completed.

US Pat. No. 9,860,270

SYSTEM AND METHOD FOR DETERMINING WEB PAGES MODIFIED WITH MALICIOUS CODE

AO KASPERSKY LAB, Moscow...

1. A method for determining modified web pages, the method comprising:
intercepting an attempt to access a website;
selecting, by a processor, one or more malicious software configuration files based on the intercepting of the attempt to
access the website;

creating a verification web page based on one or more code fragments from the selected one or more malicious software configuration
files;

opening the verification web page; and
determining, by the processor, whether malicious code has been injected into the opened verification web page.

US Pat. No. 9,838,420

SYSTEM AND METHOD FOR DISTRIBUTING MOST EFFECTIVE ANTIVIRUS RECORDS TO USER DEVICES

AO Kaspersky Lab, Moscow...

1. A method for distributing antivirus records to a user device, the method comprising:
collecting, by a server, statistics on the use of a plurality of antivirus records deployed on a plurality of user devices;
calculating, by the server, a coefficient of effectiveness of each antivirus record based on the collected statistics on the
use of the plurality of antivirus records by the plurality of user devices, wherein the coefficient of effectiveness of an
antivirus record is calculated as a function of a number of different malicious files detected using the antivirus record
and an average time between detections of malicious files using said antivirus record;

identifying, by the server, a group of the plurality of antivirus records having the largest coefficients of effectiveness,
wherein the group is a number of the plurality of antivirus records not exceeding a threshold value; and

transmitting, by the server, the group of antivirus records to at least one of the plurality of user devices for storage in
an antivirus database for use by an antivirus application of the at least one user device.

US Pat. No. 9,825,977

SYSTEM AND METHOD FOR CONTROLLING ACCESS TO DATA OF A USER DEVICE USING A SECURITY APPLICATION THAT PROVIDES ACCESSIBILITY SERVICES

AO Kaspersky Lab, Moscow...

1. A method for controlling access to data of a user device using a security application installed as an accessibility service
on the user device, the method comprising:
executing, by a processor of the user device, the security application and one or more user applications;
intercepting, by an interception module of the security application using a plurality of accessibility application program
interface (API) functions, data accessed by a user application being executed on the user device;

determining, by a categorization module of the security application, a category of intercepted data;
intercepting, by the interception module using the accessibility API functions, one or more events of user's interaction with
a user interface of the user application on the user device; and

determining, by an access control module of the security application, an access control policy that specifies and controls
whether to allow a user's access to the intercepted data based on the category of intercepted data and types of intercepted
events.

US Pat. No. 9,787,710

METHOD AND SYSTEM OF ELIMINATING VULNERABILITIES OF A ROUTER

AO Kaspersky Lab, Moscow...

1. A method for eliminating vulnerabilities on a data network including a router for directing data in the data network, the
method comprising:
transmitting, by a processor, a broadcast request through the data network to obtain access to at least one device communicatively
coupled to the data network;

accessing, by the processor, a web interface of at least one device communicatively coupled to the data network, wherein the
web interface comprises at least one web page containing parameters and attributes of the at least one device;

obtaining using the web interface a list of available resources of the at least one device that can be remotely accessed or
adjusted by the processor, wherein the list of available resources includes one or both of a parameter or an attribute of
the at least one device;

comparing, by the processor, each of the available resources of the at least one device with resource rules in a database
to identify at least one network vulnerability of the at least one device that can be exploited by the processor by identifying
a resource with a similar vulnerable status in the database;

determining, by the processor, an action for repairing the at least one network vulnerability associated with the one available
resource of the at least one device based on the comparing of each of the available resources with the resource rules in the
database to identify the resource with the similar vulnerable status in the database; and

transmitting instructions to the at least one device to perform the action for repairing the at least one network vulnerability
associated with the one available resource by adjusting the device through the web interface of the device.

US Pat. No. 9,740,864

SYSTEM AND METHOD FOR EMULATION OF FILES USING MULTIPLE IMAGES OF THE EMULATOR STATE

AO Kaspersky Lab, Moscow...

1. A method for emulating a file on a computer system, the method comprising:
loading the file into an emulator of the computer system;
initiating emulation of the file by the emulator;
storing a first image of an initial state of the emulator in a tree data structure;
continuing the emulation of the file and detecting an occurrence of a condition that results during the emulation of the file;
creating and storing a second image of a second state of the emulator in the tree data structure when the occurrence of the
condition is detected;

determining that the emulation of the file has terminated correctly in response to at least detecting a harmful behavior of
the file during the emulation;

determining that the emulation of the file has terminated incorrectly in response to detecting an occurrence of an anti-emulation
trick; and

upon determining that the emulation of the file has terminated incorrectly,
navigating along the tree data structure to identify the second image of the second state of the emulator as a state of the
emulator prior to the incorrect termination,

loading the second image of the second state into the emulator and
resuming the emulation of the file from the second state of the emulator;
performing a change to a state of the resumed emulation to circumvent the anti-emulation trick, wherein the change to the
state of the resumed emulation includes at least one of a jump to a different code branch at a conditional jump, a change
in a status of a resource handler, a reversal of a previously made change, and a change to a return value of an executed function.

US Pat. No. 9,697,361

SYSTEM AND METHOD OF CONTROLLING OPENING OF FILES BY VULNERABLE APPLICATIONS

AO Kaspersky Lab, Moscow...

1. A method for controlling opening of computer files by software applications on a user computer, the method comprising:
detecting, by a hardware processor of the user computer, a request from a software application to open a computer file on
the user computer;

determining, by the hardware processor, one or more parameters of the computer file;
determining, by the hardware processor, a file access policy associated with the requested computer file based on the parameters
of the computer file, wherein the file access policy specifies at least access rights of the software application to computer
resources of the user computer when working with the requested computer file;

identifying, by the hardware processor, vulnerabilities of the software application;
determining, by the hardware processor, an application launching policy for the software application based at least on the
determined vulnerabilities, wherein the application launching policy specifies at least whether opening of the computer file
is permitted or prohibited; and

controlling, by the hardware processor, opening of the computer file on the user computer and accessing of the computer resources
by the software application working with the opened computer file based at least on the file access policy and application
launching policy.

US Pat. No. 9,614,867

SYSTEM AND METHOD FOR DETECTION OF MALWARE ON A USER DEVICE USING CORRECTED ANTIVIRUS RECORDS

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for malware detection on a user's computing device, the method comprising:
detecting, by an antivirus application executing on the user's computing device, that an antivirus record is activated on
the computing device for detecting a maliciousness of a software object, the antivirus record having a selected status indicator
indicating at least one of: a working record, a test record, or an inactive record;

in response to detecting the antivirus record having working or test status, checking, by the antivirus application, for a
correction of the antivirus record with a server, wherein said correction includes a change in the status of the antivirus
record;

in response to receiving from the server the correction of the antivirus record, using by the antivirus application said correction
for processing of the software object comprising: upon detecting the status being changed to the inactive record, avoiding
generating notifications to the user for indicating the software object is malicious and blocking subsequent transmissions
of collected statistical information relating to the software object to the server; and

in response to receiving from the server a notification of no change of the status of the antivirus record, transmitting information
relating to the antivirus record from the computing device to the server for at least performing an antivirus check of the
software object, the information including a unique identifier of the antivirus record and statistical information of the
software object collected during an activation of the antivirus record.

US Pat. No. 9,578,065

SYSTEM AND METHOD FOR DISTRIBUTING ANTIVIRUS RECORDS TO USER DEVICES

AO Kaspersky Lab, Moscow...

1. A method for distributing antivirus records to user devices, the method comprising:
collecting, by a server, statistics on the use of a plurality of antivirus records;
calculating, by the server, a coefficient of effectiveness of each antivirus record based on the collected statistics on the
use of a plurality of antivirus records;

identifying, by the server, one or more most effective antivirus records whose coefficients of effectiveness exceed a predetermined
effectiveness threshold;

identifying, by the server, one or more less effective antivirus records whose coefficients of effectiveness do not exceed
the predetermined effectiveness threshold;

transmitting, by the server, the one or more identified most effective antivirus records to a plurality of user devices for
storage in antivirus databases of the user devices;

receiving, from the user devices, one or more less effective antivirus records removed from the antivirus databases of the
user devices; and

storing the one or more received less effective antivirus records in an antivirus database of the server if said antivirus
records were not in the antivirus database of the server.

US Pat. No. 10,095,865

DETECTING UNAUTHORIZED REMOTE ADMINISTRATION USING DEPENDENCY RULES

AO KASPERSKY LAB, Moscow...

1. A method of detecting a remote administration of a computer system, the method comprising:
intercepting a plurality of events occurring in the computer system including a first event and a second event associated with data transfer with an application executing in the computer system;
determining that the first intercepted event is dependent on the second intercepted event based on parameters of the first intercepted event and the second intercepted event, wherein the parameters include a time elapsed between the interception of the first event and the interception of the second event and a pre-determined time threshold;
generating a rule defining a dependency of at least one parameter of the first intercepted event on at least one parameter of the second intercepted event;
responsive to determining a degree of similarity of the generated rule and a previously created rule exceeds a threshold value, identifying at least one application as a remote administration application that created the first and second identified intercepted events; and
blocking the identified remote administration application from exchanging data with the computer system.

US Pat. No. 10,013,555

SYSTEM AND METHOD FOR DETECTING HARMFUL FILES EXECUTABLE ON A VIRTUAL STACK MACHINE BASED ON PARAMETERS OF THE FILES AND THE VIRTUAL STACK MACHINE

AO KASPERSKY LAB, Moscow...

1. A method for detecting a harmful file executed on a virtual stack machine, the method comprising:
analyzing, by a processor, a file executable on the virtual stack machine to identify both parameters of a file section of the file and parameters of a function of the virtual stack machine when executing the file;
identifying, in a database, at least one cluster of safe files based on the identified parameters of the file section of the file and the identified parameters of the function of the virtual stack machine, wherein the identified cluster of safe files contains a value of one of the parameters of the function executable by the virtual stack machine exceeding a number of local variables being used by the function;
creating, by the processor using at least one clustering rule, at least one data cluster of the file being analyzed and based on the identified at least one cluster of safe files, wherein the at least one clustering rule includes a first rule specifying that the parameters of the file section are not used to create the at least one data cluster of the file being analyzed if the size of the data of the file section is equal to zero, and a second rule specifying that the parameters of the function are not used to create the at least one data cluster of the file being analyzed if a number of local variables being used by the function is equal to zero;
calculating, by the processor, at least one checksum of the created data cluster of the file being analyzed; and
determining, by the processor, that the file executable on the virtual stack machine is harmful if the calculated at least one checksum of the created data cluster of the file being analyzed matches a checksum in a database of checksums of harmful files.

US Pat. No. 9,965,602

SYSTEM AND METHOD FOR SELECTING SECURE DATA ENTRY MECHANISM

AO Kaspersky Lab, Moscow...

1. A method for selecting a data entry mechanism for a program, the method comprising:
detecting, by a hardware processor, an activity state of the program during execution of the program on a user device, wherein the activity state comprises a request for data entry from a user of the user device and wherein the program is created with a dynamically selected data entry mechanism;
determining, by the hardware processor, security requirements, received from a network resource, associated with the activity state, wherein the security requirements comprise one or more of varying a display of entered characters for a user interface element of the program that allows the data entry mechanism, varying an order of characters in the data entry mechanism, verifying code of the program, and verifying integrity of the program;
selecting, by the hardware processor, a data entry mechanism for the program based on the security requirements, wherein selection of the data entry mechanism includes: selecting a data entry device, selecting an interface for transmission of data from the data entry device, and selecting a method of storing the entered data;
activating, by the hardware processor, the selected data entry mechanism for receiving user input for the program; and
performing, by the hardware processor, one or more of varying the display of entered characters for the user interface element of the program that allows the data entry mechanism, varying the order of characters in the data entry mechanism, verifying the code of the program, and verifying the integrity of the program.

US Pat. No. 9,690,944

SYSTEM AND METHOD UPDATING DISK ENCRYPTION SOFTWARE AND PERFORMING PRE-BOOT COMPATIBILITY VERIFICATION

AO Kaspersky Lab, Moscow...

1. A method for updating full disk encryption (FDE) software on a computer, the computer including a hard disk with an existing
pre-boot compatibility verification component, the method comprising:
obtaining an updated version of the FDE software;
blocking operations of the FDE software on a boot drive of the computer;
updating one or more components of the FDE software based on the updated version of the FDE software;
modifying a booting process of an operating system of the computer to allow execution of a new version of the pre-boot compatibility
verification component before the booting process;

executing the new version of the pre-boot compatibility verification component, without decrypting and encrypting data on
the boot drive, to determine if the boot drive is compatible with the updated FDE software; and

if the boot drive is determined to be compatible with the updated FDE software, performing the booting process of the operating
system of the computer.

US Pat. No. 9,875,248

SYSTEM AND METHOD FOR IDENTIFYING A FILE PATH USING TREE DATA STRUCTURE

AO KASPERSKY LAB, Moscow...

1. A method for identifying a path in a tree data structure having a plurality of levels, the method comprising:
receiving a request from a software application to access a resource in a computer file system using a requested path to the resource;
identifying, by a hardware processor, a first element in the requested path to the resource;
comparing, by the hardware processor, the first element with a plurality of nodes in a first level of the tree data structure
to identify an exact match, wherein the tree data structure comprises a nested listing of paths in the computer file system,
the listing corresponding to paths permissible to access by the software application;

when the hardware processor does not identify an exact match between the first element and one of the plurality of nodes in
the first level of the tree data structure, comparing the first element with at least one mask node in the first level of the
tree data structure to identify a match by mask and wherein during comparing, narrower masks are compared with the first element
before broader and recursive masks;

when the hardware processor does not identify a match by mask between the first element and one of the at least one mask nodes
in the first level of the tree data structure, determining that the requested path is not in the tree data structure;

granting the software application access to the resource in the computer file system using the requested path only when the
requested path is in the tree data structure.

US Pat. No. 9,742,769

METHOD AND SYSTEM FOR DETERMINING TRUSTED WIRELESS ACCESS POINTS

AO Kaspersky Lab, Moscow...

1. A method for determining trusted wireless access points, the method comprising:
identifying, by a mobile device, one or more wireless access points available to connect to a network to access a data hosted
on a computer in the network;

calculating an access point coefficient for each of the one or more identified wireless access points based on values representing
a plurality of access point characteristics and further based on significance factors corresponding to the access point characteristics,
wherein the plurality of access point characteristics include at least one of a period of operation of each of the one or
more wireless access points, an existence of security incidents for each of the one or more wireless access points, a trust
level for each of the one or more wireless access points, and a frequency of changing setup parameters of each of the one
or more wireless access points; and

calculating a network resource coefficient for the data hosted on the computer based on values representing a plurality of
network resource characteristics and further based on significance factors corresponding to the network resource characteristics,
wherein the plurality of network resource characteristics include network security requirements and authentication requirements
to access the data;

comparing, by the mobile device, each calculated access point coefficient to the calculated network resource coefficient;
determining, based on the comparison of each calculated access point coefficient to the calculated network resource coefficient,
at least one trusted wireless access point of the one or more identified wireless access points that is acceptable for establishing
a connection to access the data hosted on the computer in the network responsive to the calculated access point coefficient
of the trusted wireless access point being equal to or greater than the calculated network resource coefficient; and

establishing a connection to the network via the trusted wireless access points to access the data hosted on the computer.

US Pat. No. 9,740,855

SYSTEM AND METHOD FOR MODIFYING A SOFTWARE DISTRIBUTION PACKAGE WITHOUT RECALCULATING DIGITAL SIGNATURES

AO Kaspersky Lab, Moscow...

1. A method for installing a software distribution package, comprising:
receiving, by a processor, a software distribution package comprising a plurality of compressed files, each compressed file
having a local file headline and a compressed data section;

determining, by the processor, whether it is necessary to modify the software distribution package for a user that will receive
the software distribution package;

identifying a free region between the plurality of compressed files of the software distribution package, comprising identifying
the free region between the compressed data section of a first compressed file and the local file headline of a second, adjacent
second compressed file;

writing one or more modifications to the software distribution package in the free region, wherein the modifications are user-specific
and comprise at least one rule configuring an antivirus application and the modifications are written into the free region
without recalculating digital signatures for the one or more compressed files included in the software distribution package;
and

installing the software distribution package by using the modifications as supplemental parameters for installation of the
software distribution package.

US Pat. No. 9,648,032

SYSTEM AND METHOD FOR BLOCKING EXECUTION OF SCRIPTS

AO Kaspersky Lab, Moscow...

1. A method for blocking execution of malicious scripts, the method comprising:
intercepting, by a processor of a client, a script requested by the client from a server by providing, on the client, a driver
configured to intercept network script requests by rerouting at least one transmission channel of the script from the client
to the driver;

generating, by the processor, a bytecode of the intercepted script;
computing, by the processor, a hash sum of the generated bytecode;
determining, by the processor, a degree of similarity between the hash sum of the bytecode and a plurality of hash sums of
malicious and clean scripts stored in a database;

identifying, by the processor, a similar hash sum from the database whose degree of similarity with the hash sum of the bytecode
is within a threshold of similarity;

determining, by the processor, a coefficient of trust of the similar hash sum;
determining, by the processor, whether the requested script is malicious based on the degree of similarity and the coefficient
of trust of the similar hash sum; and

blocking, by the processor, the execution of the malicious script on the client.

US Pat. No. 9,665,714

SYSTEM AND METHOD OF DETECTING MALICIOUS FILES ON VIRTUAL MACHINES IN A DISTRIBUTED NETWORK

AO Kaspersky Lab, Moscow...

1. A method for detecting malicious files on a virtual machine in a distributed network, the method comprising:
receiving, by a thin client operating on the virtual machine, data relating to characteristics of computing resources of a
plurality of servers in the distributed network, where each of said servers is configured to perform malware scan of files;

based on the received data, determining, by the thin client, for each one of the plurality of servers, a speed of performing
a malware scan based on a measure of central tendency of at least one of: time spent by a plurality of files in a queue of
each server before being scanned for malware, speed of filling the queue of each server, total time elapsed between obtaining
a file from the virtual machine and scanning of said file for malware by each of said servers, and speed of use of computing
power of each of the said servers;

obtaining, by the thin client, at least one file on the virtual machine to be scanned for malicious software;
selecting, by the thin client, based on the determined speed of performing a malware scan of each server, one of the plurality
of servers to perform the malware scan of the at least one file; and

transmitting, by the thin client, to the selected server the at least one file to be scanned by the selected server for malware.

US Pat. No. 10,172,004

SYSTEM AND METHOD FOR RULES-BASED SELECTION OF NETWORK TRANSMISSION INTERCEPTION MEANS

AO Kaspersky Lab, Moscow...

1. A method for selecting a means for intercepting network transmissions for a device, the method comprising:
determining parameters of the device associated with access rights to resources of an operating system of the device and presence of resources of the operating system;
determining characteristics of available network transmission intercepting means, the available network transmission intercepting means comprising one or more of a proxy server, a virtual private network (VPN) client, and a firewall;
selecting a network transmission intercepting means whose characteristics satisfy the parameters of the operating system of the device based on one or more selection rules related to availability of the resources of the operating system, wherein the selection rules comprise one or more of a rule associated with at least one of a security level of data transmitted by the device, an ability to process a source of intercepted data, and an ability to process data transmitted by hypertext transfer protocol (HTTP); and
causing transmission by the device to be processed by the selected network transmission intercepting means in order to optimize utilization of the resources of the operating system.

US Pat. No. 10,002,070

SYSTEM AND METHOD FOR ALTERING FUNCTIONALITY OF AN APPLICATION

AO Kaspersky Lab, Moscow...

1. A method for altering functionality of an application installed on a computer, the method comprising:
receiving, by the computer, an application update comprising a patch, service pack, or software update, wherein the application update is transmitted from a remote server to the computer via a network, or (ii) loaded into the computer from a removable data medium;
updating the application, by a hardware processor of the computer, based upon the application update, wherein the application includes one or more functional modules;
detecting one or more events occurring on the computer after the updating, wherein types of the detected events belong to a set of detectable events;
determining, by the hardware processor of the computer, which of the one or more functional modules of the application caused the one or more detected events; and
altering the one or more determined functional modules when a number of detected events per a predetermined time interval exceeds a threshold, wherein the altering of the functional modules and which functional modules are altered depend on the detected events and on which functional modules caused the detected events.

US Pat. No. 9,990,495

ELIMINATION OF FALSE POSITIVES IN ANTIVIRUS RECORDS

AO KASPERSKY LAB, Moscow...

1. A method for managing antivirus records, the method comprising:
providing a data store of antivirus records;
providing an antivirus application to be executed on each of a plurality of user computers, each antivirus application configured to access the data store and at least one antivirus record, wherein the antivirus application is further configured to detect a malicious software file for antivirus records having a test status and detect and contain a malicious software file for antivirus records having a working status; and
executing instructions by a remote server, the remote server including computing hardware of at least one processor, a memory operably coupled to the at least one processor and configured to store instructions invoked by the at least one processor, an operating system implemented on the computing hardware, and input/output facilities, cause the remote server to implement:
a processing tool configured to:
collect at least one antivirus record parameter for a particular antivirus record from the plurality of user computers, the antivirus record having a working status after occurrence of the detection event of the antivirus record on one of the plurality of user computers, wherein each detection event is associated with the antivirus record,
collect statistical data of the detection events of the antivirus record from the plurality of user computers, and
determine whether a total number of user computers on which the detection event of the antivirus record occurred over a predetermined period of time exceeds a detection threshold, wherein the detection threshold is based on the at least one antivirus record parameter, and a classification tool configured to:
determine, when the total number of user computers on which the detection event of the antivirus record occurred exceeds the detection threshold, whether the antivirus record contains a false activation by at least one classification algorithm comprising a support vector machine operating on antivirus records in attribute space using the at least one antivirus record parameter and statistical data of the detection event, wherein the support vector machine generates a linear separation of antivirus records with a hyperplane based on a training set of antivirus records, wherein a first class grouping of the attribute space define false activation antivirus records and a second class grouping of the attribute space discrete from the first class grouping define malicious antivirus records, and
change the status of the antivirus record from working status to test status, wherein the processing tool is further configured to receive the changed status of the antivirus record from the classification tool and distribute the changed status to the data store.

US Pat. No. 9,740,865

SYSTEM AND METHOD FOR CONFIGURING ANTIVIRUS SCANS

AO Kaspersky Lab, Moscow...

1. A method for configuring antivirus scans of software objects, the method comprising:
identifying, by a processor, a software object that requires an antivirus scan at a scheduled date and time;
collecting, by the processor, information relating to the software object for setting the antivirus scan of the object, wherein
the collected information includes an antivirus database update associated with a software object format;

modifying, by the processor, the scheduled date and time for starting the antivirus scan of the object based on satisfaction
by the collected information of at least one condition of one or more antivirus setting rules for determining a date and time
for starting the antivirus scan, wherein the software object format of the collected information matches a format of the identified
software object;

selecting, by the processor, an antivirus scan method based on the collected information relating to the software object,
the modified date and time, and the one or more antivirus setting rules; and

performing, by the processor, the antivirus scan of the object using the selected antivirus scan method and at the modified
date and time, wherein the modified date and time occurs earlier than the scheduled date and time.

US Pat. No. 10,127,381

SYSTEMS AND METHODS FOR SWITCHING EMULATION OF AN EXECUTABLE FILE

AO KASPERSKY LAB, Moscow...

1. A system for switching emulation of an executable file, the system comprising:
a processor and memory operably coupled to the at least one processor;
a first emulator stored on the memory and executable by the processor and including a first virtual environment, the first emulator configured to process a set of instructions in a first instruction set, wherein the first virtual environment is unique to the first instruction set;
a second emulator stored on the memory and executable by the processor and including a second virtual environment, the second emulator configured to process a set of instructions in a second instruction set, wherein the second virtual environment is unique to the second instruction set; and
an analyzer including:
a converter including converting logic stored on the memory and executable by the processor, the converting logic comprising instructions to remove non-functional code from a script related to the executable file, then convert the script into pseudocode, the pseudocode comprising an intermediary form of commands decipherable by one of the first emulator or the second emulator, and
an emulator switcher including processing logic stored on the memory and executable by the processor, the processing logic comprising instructions to process the pseudocode between the first emulator and the second emulator by switching between the first emulator and the second emulator based on at least one switching criteria, the at least one switching criteria including a pseudocode processing task specific to one of the first instruction set or second instruction set,
wherein the first virtual environment comprises an interpreter of a language in which the script was written, and the first emulator processes the first instruction set by reading a plurality of pseudocode commands from the converted script, determining an action for each of the pseudocode commands using the interpreter, performing emulation of the actions, and writing the results of the emulation to an emulator operation log.

US Pat. No. 10,084,812

METHOD AND SYSTEM OF REPAIRING VULNERABILITIES OF SMART DEVICES

AO Kaspersky Lab, Moscow...

1. A method for repairing vulnerabilities of smart devices connected to a data network, the method comprising:
transmitting, by a processor, a broadcast request through the data network to obtain access to a smart device communicatively coupled to the data network;
obtaining settings of the smart device by accessing a configuration file stored on the smart device, the configuration file containing settings of the smart device, wherein the settings of the smart device comprises a parameter and an attribute of the at least one smart device;
comparing each of the settings of the smart device with settings of known vulnerabilities to identify a network vulnerability of the smart device that can be exploited by the processor by identifying a setting with a similar vulnerable status in the database;
determining a repair action for repairing the at least one network vulnerability associated with at least one setting of the smart device based on the setting with the similar vulnerable status in the database identified by the comparison; and
transmitting, by the processor, instructions to the smart device to perform the repair action wherein the repair action comprises adjusting the setting of the smart device by making changes in the configuration file.

US Pat. No. 10,511,974

SYSTEM AND METHOD OF IDENTIFYING POTENTIALLY DANGEROUS DEVICES DURING THE INTERACTION OF A USER WITH BANKING SERVICES

AO KASPERSKY LAB, Moscow...

1. A method for identifying potentially dangerous devices during the interaction of a user with banking services, wherein the method comprises:
responsive to detecting an interaction between a user device and banking services, acquiring a digital fingerprint associated with the user device, wherein the digital fingerprint indicates at least one characteristic of the user device;
generating one or more clusters associated with the user device based on the digital fingerprint, wherein each of the one or more clusters are associated with at least one characteristic and a corresponding threat degree;
determining that the user device is a threat risk when a threat degree of a predetermined quantity of the one or more clusters is greater than a predetermined threshold, wherein at least one cluster with a threat degree higher than the predetermined threshold comprises characteristics of a firmware of the device associated with a geographic region and the user device being located in the same geographic region; and
responsive to determining that the user device is a threat risk based on the one or more generated clusters, blocking a transaction being carried out between the user device and the banking services during the interaction.

US Pat. No. 10,313,324

SYSTEM AND METHOD FOR ANTIVIRUS CHECKING OF FILES BASED ON LEVEL OF TRUST OF THEIR DIGITAL CERTIFICATES

AO Kaspersky Lab, Moscow...

1. A method for performing antivirus checking of a file, the method comprising:
obtaining a digital certificate of the file, wherein the digital certificate is an end certificate associated with a certificate chain;
determining, by a hardware processor, validity of the obtained digital certificate by decrypting a digital signature of the obtained digital certificate using a public key of an intermediate certificate authority, calculating a hash value of the digital certificate, and determining a match of the decrypted digital signature with the calculated hash value;
assigning a level of trust to the digital certificate based on the determined validity or invalidity of the digital certificate of the file and further based on a set of intermediate digital certificates in the certificate chain,
wherein a low level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates is a digital certificate used to sign a known malicious file,
wherein a medium level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates is a valid digital certificate, and
wherein a high level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates being issued by a trusted certification authority; and
performing an antivirus checking method on the file based on the assigned level of trust of the digital certificate of the file, wherein one or more of heuristic analysis, emulation, and blocking execution is performed on the file having a digital certificate with an assigned low level of trust.

US Pat. No. 10,133,880

SYSTEM AND METHOD OF PREVENTING UNFAIR EVALUATION OF APPLICATIONS BY USERS

AO KASPERSKY LAB, Moscow...

1. A method for controlling access to interface elements of a page of an application in an applications store, the method comprising:
executing a restrictive application that restricts use of a computing device;
determining that a page of the restrictive application in the applications store is being presented on a display of the computing device during execution of the restrictive application by receiving access rights at the computing device using an accessibility application programming interface (API) for processing of events associated with the accessibility API of the computing device;
blocking access to one or more interface elements of the page of the application in the applications store, wherein the one or more interface elements are controls for evaluation of the application in the applications store;
obtaining authentication data associated with an authorized user using the computing device; and
responsive to determining that the authentication data satisfies one or more conditions for unblocking, providing access to the interface elements of the page of the application in the applications store.

US Pat. No. 10,101,738

SECURE CONTROL OF AUTOMOTIVE SYSTEMS USING MOBILE DEVICES

AO KASPERSKY LAB, Moscow...

1. A method for secure control of automotive systems of a vehicle, the method comprising:
connecting a vehicle, as a peripheral device, to a mobile device, which acts as a master device, via a security device of the vehicle, wherein the security device provides secure transmission of data and commands between the vehicle and the mobile device;
receiving, by the mobile device, via the security device, from one or more measurement devices of the vehicle, measurement data from one or more automotive systems of the vehicle;
based on the received measurement data, forming by the mobile device one or more control commands for one or more actuating devices of the vehicle, wherein the control commands enable and/or regulate operation of the actuating devices of the vehicle; and
transmitting, by the mobile device, via the security device, the one or more control commands to the actuating devices of the vehicle.

US Pat. No. 10,255,431

SYSTEM AND METHOD OF DETECTING UNWANTED SOFTWARE

AO Kaspersky Lab, Moscow...

1. A computer-implemented method of detecting one or more unwanted applications installed on a computing device, the method comprising:
detecting a first file associated with a first application installed on the computing device;
identifying a second file installed on the computing device and related to the first file based at least upon selected conditions;
identifying a second application installed on the computing device using at least one of the first and second files;
determining a first frequency of use for the first application and a second frequency of use for the second application, wherein frequency of use comprises one or more of frequency of use of the application, frequency of launching the application until performing a virus scan of the application, frequency of calling of API functions of the operating system by the application, frequency of modification of files until the virus scan, and frequency of actions carried out using interface elements of the application;
determining that the second application was installed at substantially the same time as the first application based on a comparison of a first feature vector formed from the first frequency of use and a second feature vector formed from the second frequency of use; and
determining that the first application is an unwanted application when the comparison of the first feature vector and the second feature vector results in a degree of similarity greater than a threshold value.

US Pat. No. 10,242,186

SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE IN ADDRESS SPACE OF A PROCESS

AO Kaspersky Lab, Moscow...

1. A method for detection of malware on a computer, the method comprising:
detecting a first process executed on the computer in association with an application;
intercepting at least one function call made by the first process to a second process, wherein the at least one function call made by the first process is configured to execute code from an address space associated with the second process;
determining one or more attributes associated with the at least one function call;
determining whether to perform malware analysis of the code associated with the at least one function call in the address space associated with the second process based on application of one or more heuristic rules to the one or more attributes, wherein the one or more heuristic rules indicate that the code is to be analyzed when one of: the first process is writing data containing a header into the second process, the first process started from a predetermined directory, or the second process is a trusted system process;
upon determining to perform malware analysis of the code, determining whether the code in the address space is malicious and determining system functions that are executed by the code by comparing addresses of functions called by the code and addresses of functions loaded in the address space associated with the second process; and
generating one or more application control rules that prevent calling the system functions by the first process in the address space of the second process.

US Pat. No. 10,210,348

SYSTEM AND METHOD OF BLOCKING ACCESS TO PROTECTED APPLICATIONS

AO Kaspersky Lab, Moscow...

1. A method for controlling access of applications on a user's computing device, the method comprising:
intercepting an access by a process to first information, the first information being information that is to be displayed on the user's device;
determining second information based on the interception of the access by the process, the second information being information associated with the process;
determining a region on a display of the user's device associated with the first information;
analyzing one or more intersections between the region and at least one graphic interface associated with the process; and
blocking the access by the process to the first information based on the analysis of the one or more intersections between the region and the at least one graphic interface associated with the process.

US Pat. No. 10,437,618

SYSTEM AND METHOD OF EMULATING EXECUTION OF FILES

AO Kaspersky Lab, Moscow...

1. A method for emulating an execution of a file, wherein the method comprises:
generating an image of a file comprised of instructions read from the file;
detecting at least one known set of instructions in a portion read from the file, wherein the detected at least one known set of instructions comprises an instruction set of an interpreter library configured to process instructions of the file different from machine instructions;
generating an image of a library file of the interpreter library;
inserting a break point into a position in the generated image of the file corresponding to a start of the detected at least one known set of instructions from the read portion of the file; and
emulating execution of the file by emulating execution of instructions from the generated image of the file and from the generated image of the library file, and adding corresponding records to an emulation log associated with the emulated execution of the at least one known set of instructions.

US Pat. No. 10,291,640

SYSTEM AND METHOD FOR DETECTING ANOMALOUS ELEMENTS OF WEB PAGES

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for detecting anomalous elements of a web page, the method comprising:
obtaining access to a web site, by a client computing device, by requesting a web page associated with the web site via a web server;
executing the web page by the client computing device to gather data relating to the web page;
determining at least one N-dimensional vector based at least on the gathered data;
creating at least one cluster comprising a set of values of coordinates of vectors for at least one element of the web page in N-dimensional space based on the at least one N-dimensional vector;
creating a statistical model of the web page based on the at least one cluster;
using the statistical model for detecting anomalous elements of the web page; and
determining and identifying the at least one element of the web page as being anomalous, wherein the web server is configured to:
disable a connection with the client computing device in response to detecting that the at least one element of the web page is anomalous;
perform an antivirus scan of the at least one element of the web page to at least determine a statistical significance of the at least one element in connection with a threshold value; and
in response to detecting that the statistical significance of the at least one element is greater than the threshold value, identify the at least one element as being safe and re-establish the connection with the client computing device.

US Pat. No. 10,216,947

SYSTEM AND METHOD FOR ACTIVATING A DATA ENTRY MECHANISM

AO Kaspersky Lab, Moscow...

1. A method for activating a data entry mechanism for an application, the method comprising:
detecting, by a hardware processor, an activity state of the application during an execution of the application on a user device;
determining, by the hardware processor, security requirements associated with the activity state, wherein the security requirements comprise properties for the data entry mechanism;
activating, by the hardware processor, the data entry mechanism for receiving user input for the application, wherein the data entry mechanism is governed according to the properties of the security requirements;
receiving user input from the user device in accordance with the data entry mechanism; and
displaying, by the hardware processor, a modified version of the user input according to the properties of the security requirement.

US Pat. No. 10,204,036

SYSTEM AND METHOD FOR ALTERING APPLICATION FUNCTIONALITY

AO Kaspersky Lab, Moscow...

1. A method for altering a functionality of an application installed on a computer, the method comprising:
receiving, by a hardware processor, an application update to the application, wherein the application update comprises one or more of a patch, service pack and software update, and wherein the application comprises one or more functional modules;
updating, by the hardware processor, the application based on the application update by applying the application update to the application;
detecting, by the hardware processor, one or more events occurring on the computer after the updating of the application based on the application update;
determining, by the hardware processor, one or more portions of the application which caused the one or more events to occur on the computer; and
altering, by the hardware processor, the one or more portions of the application when a number of detected events exceeds a threshold, wherein how the one or more portions are altered depends on the one or more events, and the altering comprises reverting at least one functional module to a state of the at least one functional module before the update by at least one of: (a) replacing one or more files stored in a file system accessible to the computer with previous versions of the one or more files, and (b) modifying one or more registry keys of an operating system installed on the computer.

US Pat. No. 10,261,895

SYSTEM AND METHOD FOR TRANSFERRING EXECUTION OF A COMPUTER PROGRAM

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for controlling execution of a computer program, the method comprising:
determining, by a processor, a memory sector for storing a portion of execution instructions of the computer program in virtual memory address space;
determining, in the virtual memory address space, one or more pages that comprise code instructions and data associated with the memory sector;
creating a duplicate of the virtual memory address space;
tagging the memory sector and the one or more pages in both the virtual memory address space and the duplicate of the virtual memory address space;
receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or the duplicate of the virtual memory address space; and
transferring execution of the computer program to a memory location other than the one in which the notification was received.

US Pat. No. 10,238,972

SYSTEM AND METHOD OF MODELING THE BEHAVIOR OF GAME ELEMENTS DURING A REMOTE GAME

AO Kaspersky Lab, Moscow...

1. A method for modeling behavior of game elements during a remote game between at least two users, the method comprises:
determining, by a hardware processor, parameters for at least two game elements representing physical objects, wherein mutual disposition and physical properties of the physical objects are determined by the parameters of the game elements, wherein the parameters for the game elements characterize the states of the game elements;
responsive to detecting a physical action performed by a user in order to exert a force action on at least one game element, calculating, by a game manipulator, one or more physical parameters characterizing the physical action;
determining, by a device, the game element to be subject to the detected physical action based on the determined parameters of at least one game element and the calculated physical parameters;
calculating, by the device, the parameters of that force action on the determined game element;
performing, by the device, a force action on the determined game element in accordance with the calculated parameters of the force action;
determining, by the hardware processor, one or more behavior parameters for the game elements, wherein the behavior parameters characterize a change in state of the game elements; and
generating, by the hardware processor, a behavior model of the game elements based on the determined parameters of the game elements and the determined behavior parameters of the game elements.

US Pat. No. 10,235,673

SYSTEM AND METHOD OF DETECTING FRAUDULENT USER TRANSACTIONS

AO KASPERSKY LAB, Moscow...

1. A method for detecting fraudulent activity in user transactions, the method comprising:
collecting user behavior data specifying the user's interaction via an input device with a plurality of groups of elements of a graphical interface of a first application on a computing device for interaction with a remote server;
calculating, by a processor, an anomalous user behavior coefficient for each of the groups of elements of the graphical interface by applying a simple probabilistic classifier to the collected user behavior data specifying the user's interaction with each of the groups of elements of the graphical user interface, wherein the anomalous user behavior coefficient represents a likelihood that the user's interaction with the plurality of groups of elements of the graphical interface was imitated by software;
calculating, by the processor, a combination of the anomalous user behavior coefficients;
detecting, by the processor, a fraudulent activity when the combination of anomalous user behavior coefficients exceeds a predetermined threshold value;
in response to detecting a fraudulent activity, blocking, by the processor, the interaction of the user with the remote server; and
further responsive to detecting the fraudulent activity, determining a second application executing on the computing device based on access by the second application of the user behavior data during the user's interaction with the graphical interface, and classifying the second application as malicious.

US Pat. No. 10,484,416

SYSTEM AND METHOD FOR REPAIRING VULNERABILITIES OF OBJECTS CONNECTED TO A DATA NETWORK

AO Kaspersky Lab, Moscow...

1. A method for repairing vulnerabilities of objects connected to a data network, the method comprising:
transmitting, by a hardware processor, a request throughout the data network;
obtaining responses from a plurality of accessible objects in the data network;
determining, by the hardware processor, whether access to the plurality of accessible objects is available using a plurality of access methods;
when access to an object is available, accessing the object and obtaining a list of resources of the accessed object;
crawling through an administrative console of the object to determine a list of resources of the object and open ports of the object, each resource comprising an adjustable parameter and/or an attribute of the object;
comparing, by the hardware processor, the list of resources and the open ports with a database of resources with associated network vulnerabilities to identify one or more resources from the list of resources that have a similar vulnerable status as a vulnerable resource in the database of resources with associated network vulnerabilities;
identifying one or more repair actions from the database of resources with associated network vulnerabilities based on the identified one or more resources; and
repairing the network vulnerabilities associated with the accessed object by applying the one or more repair actions associated with the vulnerable resource to the accessed object.

US Pat. No. 10,474,812

SYSTEM AND METHOD FOR SECURE EXECUTION OF SCRIPT FILES

AO KASPERSKY LAB, Moscow...

1. A method for execution of script files, the method comprising:
providing a security container associated with a script interpreter, wherein the security container includes at least action limiting policies for the interpreter;
intercepting, by a processor, actions of the interpreter during execution of a script file comprising a trusted script file;
determining using the security container whether an intercepted action is permitted;
responsive to determining that the intercepted action is permitted, determining using the security container whether any limitations are associated with the intercepted action;
responsive to determining that a limitation is associated with the intercepted action:
performing a virtual action corresponding to the intercepted action instead of the intercepted action itself, wherein execution of the virtual action by a security application returns a result to the interpreter analogous to a result of the intercepted action but without execution by an operating system of the intercepted action,
determining whether the intercepted action of the interpreter is a network operation for obtaining data from a network, and responsive to determining the intercepted action of the interpreter is a network operation for obtaining data from a network, performing a corresponding virtual action comprised of reading data from a file,
determining whether the intercepted action of the interpreter is a request to read a target file, and responsive to determining the intercepted action of the interpreter is a request to read a target file, performing a corresponding virtual action comprised of copying the target file to another location, and providing the interpreter an empty file or a file containing predetermined secure content; and
responsive to determining that no limitations are associated with the intercepted action, executing, by the operating system, the intercepted action.

US Pat. No. 10,387,300

SYSTEM AND METHOD FOR TRANSFERRING CONTROL OF INSTRUCTION EXECUTION BETWEEN ADDRESS SPACES

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for controlling execution of a computer program, the method comprising:
determining, by a hardware processor, whether code instructions or data of interest are found in a portion of a page of a first type or a second type in an original virtual address space,
when the code instructions or data are found in the portion of the page of the first type, tagging the portion of the page corresponding to a memory sector of interest as non-executable and tagging the portion of the page corresponding to a memory sector of no interest as executable;
when the code instructions or data are found in the portion of the page of the second type, tagging the code instructions or data directly using an opcode of the hardware processor and tagging the portion of the page corresponding to the memory sector of no interest as executable;
when the code instructions or data are found in the portion of the page of the first type, duplicating the original virtual address space and tagging the portion of the page corresponding to the memory sector of interest as executable and tagging the portion of the page corresponding to the memory sector of no interest as non-executable; and
transferring execution of the computer program to a memory location other than the one in which a notification was received.

US Pat. No. 10,375,086

SYSTEM AND METHOD FOR DETECTION OF MALICIOUS DATA ENCRYPTION PROGRAMS

AO KASPERSKY LAB, Moscow...

1. A method for detection of malicious encryption programs, the method comprising:
intercepting a file operation request from a client device on a file stored on a server;
responsive to intercepting the file operation request, creating and saving a backup copy of the file at the server;
collecting information about at least the client device, the requested file and the file operation request, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file;
determining based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation request on the server;
when the file operation request came from an unknown encryption program, calculating, by a hardware processor, a difference between a first entropy of a header of the file before the execution of the file operation request and a second entropy of a header of the data that the file operation request is attempting to write in place of the file;
when the difference is below a threshold, allowing the file operation request of the unknown encryption program on the file to be performed on the server and deleting the backup copy of the file, otherwise blocking a connection between the client device and the server and restoring the backup copy of the file at the server; and
sending information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information.

US Pat. No. 10,372,900

SYSTEM AND METHOD FOR EXECUTING CALLS FROM OS PROCESS TO FILE SYSTEM

AO Kaspersky Lab, Moscow...

1. A method for executing calls to a file system of a computer, the method comprising:
intercepting, by a software agent executed by a processor, a first call to the file system;
determining two or more parameters of the first call that identify at least one functionality of the call, the two or more parameters comprising a first call parameter specifying a type of operation of the first call and a second call parameter specifying a file identifier of the first call;
determining an execution priority associated with the first call based on the two or more parameters;
storing information about the first call, the parameters, and the execution priority to a database, wherein the stored information is combined with a data block associated with a second call of a plurality of calls stored in the database into a set of call data blocks, wherein call parameters of the second call specifying a type of operation of the second call and a file identifier of the second call are the same as at least two of the parameters of the first call, each call data block including a respective call, parameters of the respective call, and execution priority of the respective call;
selecting, from the database, one or more calls for execution based at least in part on relative priorities of execution of the plurality of calls stored in the database;
determining whether to execute or not to execute a selected call based on whether the selected call interferes with execution of an earlier selected call having a same file identifier as the selected call, wherein the earlier selected call is from a process of an antivirus application and has a higher relative execution priority;
responsive to determining that the selected call does not interfere with execution of the earlier selected call, passing the selected call to the file system for execution; and
responsive to determining that the selected call does interfere with execution of the earlier selected call, sending the selected call to a caching module.

US Pat. No. 10,372,907

SYSTEM AND METHOD OF DETECTING MALICIOUS COMPUTER SYSTEMS

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for detecting a malicious computer system, the method comprising:
collecting, by a processor, characteristics of a computer system, wherein the characteristics of the computer system are represented as points of a multidimensional space in which each dimension represents one characteristic of the computer system;
determining relations between collected characteristics of the computer system;
determining a time dependency of at least one state of the computer system based on determined relations, wherein the time dependency includes rules describing changes in values of the characteristics describing the at least one state of the computer system as a function of time;
determining the at least one state of the computer system based at least on the time dependency and the changes in values of the characteristics, wherein the at least one state comprises nonstandard behaviors of the computer system, wherein the state of the computer system is represented as a closed surface in the multidimensional space encompassing a region of space whose points characterize a legal state of the computer system; and
determining a degree of harmfulness of the computer system based on an analysis of the at least one state of the computer system in connection with one or more selected patterns representing a legal or malicious computer system, wherein the analysis comprises calculation of at least one scalar product of a first vector in the multidimensional space and a second vector from the one or more selected patterns, wherein the scalar product represents a degree of difference from the one or more selected patterns representing a legal or malicious computer system.

US Pat. No. 10,339,301

SYSTEM AND METHOD OF ANALYSIS OF FILES FOR MALICIOUSNESS IN A VIRTUAL MACHINE

AO Kaspersky Lab, Moscow...

1. A method for analysis of files for maliciousness, the method comprises:
opening and executing a file, by a processor, in a virtual machine;
intercepting, by the processor, an event arising during an execution of a thread of a process created upon opening of the file;
halting the execution of the thread of the process upon interception of the event;
reading a context of the processor on which the thread of the process created upon opening of the file is being executed;
comparing, by the processor, the context of the processor with a plurality of rules that check: a path of the file, a type of the file, an extension of the file, a behavior of the thread of the process created upon opening of the file, a changing, by the thread of the process, of attributes of the file, and an access of the thread of the process to the Internet; and
based on a result of the comparison, performing at least one of: recognizing the file as being malicious, halting the execution of the process created upon opening of the file, changing the context of the processor, and waiting for a next intercepted event.

US Pat. No. 10,339,312

SYSTEM AND METHOD FOR DETECTING MALICIOUS COMPOUND FILES

AO KASPERSKY LAB, Moscow...

1. A computer-implemented method for detecting malicious compound files, the method comprising:
obtaining, by a processor of a computing device, at least one compound file;
identifying, by the processor, a first set of features of the at least one compound file including features associated with a header of the at least one compound file;
subsequent to identifying the first set of features, identifying, by the processor, a second set of features of the at least one compound file including features associated with at least one directory of the at least one compound file;
determining a hash of the at least one compound file based on the first and second set of features by concatenating byte representations of the first set of features with byte representations of the second set of features and byte representations of a size of the compound file;
comparing the hash of the at least one compound file with information associated with a plurality of compound files stored in a database; and
identifying the at least one compound file as being malicious, trusted or untrusted based at least on comparison results.
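The hash in this claim is built from structure, not content: header features, then directory features, then the file size, concatenated and hashed. The following is an added example, not Kaspersky's code, that makes the consequence visible. A ZIP archive built in memory stands in for the compound file (the end-of-central-directory record supplies the "header" features, the central directory the "directory" features); the feature selection, the SHA-256 choice and the verdict database are assumptions made for the example.

```python
"""Structural feature hash for a compound (container) file, in the order the
claim describes: header features || directory features || file size.

Added example, not Kaspersky's code. A ZIP archive built in memory stands in
for the compound file: the end-of-central-directory record supplies the
"header" features, the central directory supplies the "directory" features.
The verdict database is a constructed dict keyed by the resulting hash.
"""
import hashlib
import io
import struct
import zipfile

EOCD_SIGNATURE = 0x06054B50  # "PK\x05\x06" read little-endian


def build_sample_archive(entries):
    """Constructed sample input: an in-memory, uncompressed ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def header_features(blob):
    """First feature set: entry count, central-directory size and offset.

    Assumes a plain archive (no ZIP64 record, no archive comment), so the
    EOCD record is exactly the final 22 bytes.
    """
    fields = struct.unpack("<IHHHHIIH", blob[-22:])
    sig, _disk, _cd_disk, _n_disk, n_total, cd_size, cd_off, _comment_len = fields
    if sig != EOCD_SIGNATURE:
        raise ValueError("not a plain ZIP end-of-central-directory record")
    return struct.pack("<HII", n_total, cd_size, cd_off)


def directory_features(blob):
    """Second feature set: per-entry name, compression method and
    uncompressed size, in central-directory order."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename.encode("utf-8")
            out += struct.pack("<H", len(name)) + name
            out += struct.pack("<HI", info.compress_type, info.file_size)
    return bytes(out)


def compound_file_hash(blob):
    """Concatenate the byte representations of both feature sets and the
    total file size, then hash. Note what is NOT included: entry contents."""
    material = header_features(blob) + directory_features(blob) + struct.pack("<Q", len(blob))
    return hashlib.sha256(material).hexdigest()


def classify(blob, database):
    """Verdict for a compound file: 'malicious' or 'trusted' when the hash
    is known, 'untrusted' otherwise (the claim's third outcome)."""
    return database.get(compound_file_hash(blob), "untrusted")


# Constructed samples: one flagged as malicious in the database, one unknown.
SAMPLE_MALICIOUS = build_sample_archive([("payload.exe", b"MZ" + b"\x90" * 64)])
SAMPLE_UNKNOWN = build_sample_archive([("readme.txt", b"hello")])
DATABASE = {compound_file_hash(SAMPLE_MALICIOUS): "malicious"}

if __name__ == "__main__":
    print(classify(SAMPLE_MALICIOUS, DATABASE))  # malicious
    print(classify(SAMPLE_UNKNOWN, DATABASE))    # untrusted
    # Same structure, different payload bytes: identical hash.
    variant = build_sample_archive([("payload.exe", b"MZ" + b"\xCC" * 64)])
    print(compound_file_hash(variant) == compound_file_hash(SAMPLE_MALICIOUS))  # True
```

The last line of the demo is the caveat a practitioner should keep in mind: two containers with the same entry names, sizes and layout hash identically no matter what the entries contain, so a match on this hash identifies a family of packaging, and the claim's third verdict ("untrusted") is what an unseen layout gets.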

US Pat. No. 10,338,909

SYSTEM AND METHOD OF DISTRIBUTING SOFTWARE UPDATES

AO Kaspersky Lab, Moscow...

1. A method for distributing software updates to terminal nodes in a network comprising:
installing, by a network administration server, on a plurality of terminal nodes in the network, security applications configured to at least manage security of said terminal nodes;
receiving, by the network administration server, from the security applications installed on the plurality of terminal nodes in the network, criteria characterizing the terminal nodes on which said security applications are installed and identifiers of other terminal nodes in broadcast domains of the terminal nodes on which said security applications are installed, wherein the criteria comprises at least information assessing the vulnerability of the terminal node to a malware attack;
based on the criteria characterizing the terminal nodes, selecting, by the network administration server, terminal nodes to be used as active and passive update agents for each broadcast domain, wherein an active update agent is configured to receive software updates from the network administration server and other update agents, and a passive update agent is configured to receive software updates from other update agents only; and
transmitting, by the network administration server, to the security applications of the selected active update agents for each broadcast domain in the network, one or more software updates for further distribution of the software updates by the active update agents to one or more passive update agents and the plurality of terminal nodes in the same broadcast domain.

US Pat. No. 10,321,349

SYSTEM AND METHOD OF DOWNLOADING FILTERING RULES ONTO A MOBILE DEVICE

AO Kaspersky Lab, Moscow...

1. A method for downloading data including filtering rules from a remote server onto a mobile device, wherein the method comprises:
determining a first list, from a plurality of lists of filtering rules, having a highest indicator of frequency of actuation of the filtering rules from the list, wherein the filtering rules from the lists are designated for use by a first application on the mobile device;
transmitting the determined list to the mobile device with the aid of a second application, the second application on the mobile device being a provider of the filtering rules for the first application;
dividing each of the remaining non-downloaded lists of filtering rules intended for downloading onto the mobile device into a plurality of parts having a first size;
generating a set of groups of filtering rules based on frequency of actuation within each of the remaining non-downloaded lists of filtering rules, wherein each group of filtering rules includes a part of a first non-downloaded list of filtering rules and a part of a second, different non-downloaded list of filtering rules, and wherein in each of whose groups is placed not more than one part of each remaining non-downloaded list of filtering rules; and
transmitting the groups of filtering rules to the mobile device during time intervals having a first duration until the generated set of groups are fully downloaded onto the mobile device.

US Pat. No. 10,284,543

SYSTEM AND METHOD FOR SECURE ONLINE AUTHENTICATION

AO KASPERSKY LAB, Moscow...

1. A computer-implemented method for secure online authentication, the method comprising:
determining, via a processor of a secure connection device, a connection being established between a browser application installed on a computer system and a protected website, wherein the computer system is distinct from the device;
obtaining, at the device, information relating to the protected website in response to a plugin of the browser application determining that the computer system has obtained a request for authentication from the protected website;
establishing a protected data transmission channel between the device and the protected website to receive, at the device, at least one certificate of the protected website;
receiving a complete tree of certificates, except a root certificate, associated with the protected website from the plugin of the browser application;
verifying validity of the complete tree of certificates based on a list of root certificates stored on the device;
when the validity of the complete tree of certificates is not verified, disconnecting the protected data transmission channel;
responsive to the complete tree being verified, performing authentication and transmitting, from the device, authentication data stored on the device to the protected website; and
in response to an indication of a successful authentication from the protected website, transmitting a new session identifier from the device to the plugin of the browser application for enabling access to the protected website.

US Pat. No. 10,275,597

SYSTEM AND METHOD OF EXECUTION OF CODE BY AN INTERPRETER

AO KASPERSKY LAB, Moscow...

1. A method of execution of program code by an interpreter, the method comprising:
executing, by the interpreter, instructions of the program code in an emulated computer environment;
in response to detecting, by the interpreter, an instruction of the program code associated with an object for which the interpreter lacks a rule of interpretation, halting by the interpreter further execution of the instructions of the program code;
obtaining, by the interpreter, an auxiliary code corresponding to the object, wherein a result of execution of the auxiliary code corresponds to the result of the execution of the object, and wherein the auxiliary code contains objects for which the interpreter has a rule of interpretation;
executing, by the interpreter, the instructions of the auxiliary code; and
after completion of the execution of the auxiliary code, by the interpreter, resuming the execution of the instructions of the program code.

US Pat. No. 10,258,851

SYSTEM AND METHOD FOR CALCULATING PROJECTED IMPACT GENERATED BY SPORTS IMPLEMENTS AND GAMING EQUIPMENT

AO Kaspersky Lab, Moscow...

1. A system for projecting and modeling an impact on an object, the system comprising:
at least one subject of impact, wherein the subject is associated with a sensor configured to measure one or more characteristics of movement of the subject in response to an external stimuli;
an electronic memory configured to store:
at least one first measurement received from the sensor associated with the subject that includes one or more characteristics of movement of the subject in response to the external stimuli,
at least one second measurement received from a sensor associated with an object of impact, and
statistical data on impacts of the subject on the object in previous situations; and
a computer processor coupled to the memory and configured to:
calculate a probability of a projected impact of the subject on the object in a current situation before the actual impact based at least on the one or more characteristics of movement of the subject and the collected statistical information;
generate a model of movement of the object in response to the impact by the subject based at least on the projected impact determined by the projection tool and one or more rules defining a movement of the object based on the projected impact by the subject;
calculate results of the projected impact on the basis of the at least one first measurement, the model of movement, and the calculated probability of the projected impact, when the calculated probability is above a threshold indicating that an impact is likely;
determine a correspondence between the model of movement of the object and the actual movement of the object after the impact to improve modeling;
stop generation of the model of movement when a rule of the one or more rules is fulfilled; and
create one or more images related to the results and augment a visual display with the one or more images.

US Pat. No. 10,505,973

SYSTEM AND METHODS OF DETECTING MALICIOUS ELEMENTS OF WEB PAGES

AO Kaspersky Lab, Moscow...

1. A method for detecting malicious elements of a web page, the method comprising:
deploying, by a server, on a user device a script configured to:
(i) collect data from web pages accessed by the user device, the data including inline scripts whose executable code is part of a content of the web pages;
(ii) transform the data collected from a web page into at least one N-dimensional vector characterizing elements of the web page, the elements including a number and a type of operators in the inline scripts; and
(iii) transmit, to the server, the at least one N-dimensional vector and predetermined operators and constructions of the elements of the web page;
retrieving, by the server, from a database, a statistical model of known malicious inline scripts organized into one or more clusters based on function;
comparing, by the server, the at least one N-dimensional vector with clusters of the retrieved statistical model, the comparison including measuring a distance of the N-dimensional vector and centers of the one or more clusters; and
identifying, by the server, at least one malicious element of the web page based on results of the comparison when a measure of proximity between the at least one N-dimensional vector and the centers of the one or more clusters is less than a selected threshold value.
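Both halves of this claim, the client-side vectorization of inline scripts and the server-side distance to cluster centers, fit in one short program. The following is an added example, not Kaspersky's code: the operator alphabet (FEATURES), the two cluster centers, the threshold and the sample page are all constructed for the illustration, since the claim fixes only that the vector counts the number and type of operators and that the verdict depends on the distance to the centers of clusters of known malicious scripts.

```python
"""Inline-script vectorization (client side) and cluster comparison (server
side). Added example, not Kaspersky's code; FEATURES, MODEL, THRESHOLD and
SAMPLE_PAGE are constructed for the illustration.
"""
import math
import re
from html.parser import HTMLParser

# Constructed feature alphabet: one dimension per operator/construction.
FEATURES = ("eval", "unescape", "fromCharCode", "document.write", "atob", "+", "[", "function")


class InlineScriptCollector(HTMLParser):
    """Collects the bodies of <script> elements that carry no src attribute,
    i.e. scripts whose executable code is part of the page content."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._in_inline = True
            self.scripts.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def collect_inline_scripts(html):
    parser = InlineScriptCollector()
    parser.feed(html)
    parser.close()
    return [s for s in parser.scripts if s.strip()]


def vectorize(script):
    """N-dimensional vector: occurrence count of each feature in one script."""
    counts = []
    for feat in FEATURES:
        if feat[0].isalnum():
            # word-like features: whole-token matches only
            counts.append(len(re.findall(r"\b" + re.escape(feat) + r"\b", script)))
        else:
            counts.append(script.count(feat))
    return tuple(counts)


def distance(vector, center):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(vector, center)))


def nearest_cluster(vector, model):
    """Return (cluster name, distance) for the closest cluster center."""
    return min(((name, distance(vector, center)) for name, center in model.items()),
               key=lambda pair: pair[1])


def detect_malicious_scripts(html, model, threshold):
    """Server-side step: flag each inline script whose vector lies closer than
    the threshold to some cluster of known malicious scripts."""
    verdicts = []
    for idx, script in enumerate(collect_inline_scripts(html)):
        name, dist = nearest_cluster(vectorize(script), model)
        verdicts.append({"script": idx, "cluster": name,
                         "distance": round(dist, 3), "malicious": dist < threshold})
    return verdicts


# Constructed model: cluster centers over FEATURES for two malicious families.
MODEL = {
    "obfuscated_dropper": (1, 1, 1, 1, 1, 3, 0, 1),
    "string_builder_redirect": (0, 2, 0, 1, 0, 6, 2, 1),
}
THRESHOLD = 2.0

# Constructed page: an external script (ignored), one obfuscated inline
# script and one benign inline script.
SAMPLE_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script>var p=unescape("%75%72%6c");eval(String.fromCharCode(100,111)+atob("ZG9j"));document.write(p+"x");</script>
<script>function show(){var a=[1,2];document.getElementById("x").textContent=a[0]+a[1];}</script>
</body></html>"""

if __name__ == "__main__":
    for verdict in detect_malicious_scripts(SAMPLE_PAGE, MODEL, THRESHOLD):
        print(verdict)
```

Raw counts make the distance grow with script length, so a real model would normalize the vectors (or the threshold) before comparison; the example keeps raw counts only to make the arithmetic easy to check by hand.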

US Pat. No. 10,496,819

SYSTEM AND METHOD OF DISTRIBUTING FILES BETWEEN VIRTUAL MACHINES FORMING A DISTRIBUTED SYSTEM FOR PERFORMING ANTIVIRUS SCANS

AO KASPERSKY LAB, Moscow...

1. A method for detecting malicious files in a distributed network having a plurality of protected virtual machines, the method comprising:
obtaining, by a first protected virtual machine of the plurality of protected virtual machines, at least one file from a thin client installed on the first protected virtual machine, for performing an antivirus scan of the at least one file;
collecting, by the first protected virtual machine, data relating to characteristics of computing resources of the plurality of protected virtual machines and one or more parameters relating to the antivirus scan;
determining an approximation time function of the characteristics of the computing resources of the plurality of virtual machines based on analysis of the data relating to the characteristics of the computing resources;
determining an approximation function of the one or more parameters relating to the antivirus scan based at least on collected data defining behavior of the antivirus scan;
determining an approximation time function of effectiveness of the antivirus scan based at least on the approximation time function of the characteristics of the computing resources and the approximation function of the one or more parameters, wherein effectiveness of the antivirus scan is determined by comparing defined properties of the antivirus scan with predetermined criteria; and
based at least on the approximation time function of effectiveness of the antivirus scan, selecting at least one virtual machine from the plurality of virtual machines to perform the antivirus scan in order to determine whether the at least one file is malicious according to the desired effectiveness of the antivirus scan.

US Pat. No. 10,489,586

SYSTEM AND METHOD OF DETECTING ANOMALOUS EVENTS

AO Kaspersky Lab, Moscow...

1. A method for detecting anomalous events occurring in an operating system of a computing device, the method comprising:
detecting, by a hardware processor of the computing device, at least one event occurring in the operating system of the computing device during execution of a software process;
determining, by the hardware processor, a context of the detected at least one event that has occurred in the operating system during the execution of the software process, wherein the determination of the context comprises determining at least one of:
a dump of an address space of the software process containing code that was being executed at a moment of occurrence of the detected at least one event;
data relating to jumps from at least a last branch record and a branch trace store; and
a list of executable software program codes loaded in the software process before the occurrence of the detected at least one event;
transforming, by the hardware processor, selected features of the determined context of the detected at least one event into at least one of: string or vector representations suitable for mathematical and logical operations;
determining, by the hardware processor, a popularity of the string or vector representations by polling a database containing data relating to a frequency of a plurality of detected events occurring in a plurality of client devices, the plurality of detected events corresponding to the detected at least one event; and
determining, by the hardware processor, that the detected at least one event is an anomalous event if the determined popularity is below a threshold value.

US Pat. No. 10,469,527

SYSTEM AND METHOD OF PROTECTION OF TECHNOLOGICAL SYSTEMS FROM CYBER ATTACKS

AO Kaspersky Lab, Moscow...

1. A method for monitoring operation of a technological system (TS), the method comprising:
obtaining a real state of the TS at a first point in time, wherein the state of the TS is determined based on states of one or more elements of the TS, wherein the elements of the TS comprise a multilevel control subsystem comprising a plurality of control subjects configured to control operations of a material production process;
initializing a cybernetic control system (CCS) by synchronizing the CCS with the TS in terms of time or in terms of state of the one or more elements of the TS, wherein synchronizing CCS in terms of state is done by synchronizing state of each cybernetic block of the CCS with the state of a corresponding element of the TS;
comparing, by the CCS, the obtained real state of the TS with an ideal state of the TS, wherein the ideal state of the TS comprises a state of the CCS determined for the first point in time by modeling carried out by the CCS;
based on the comparison, identifying a deviation of the real state of the TS from the ideal state of the TS;
responsive to identifying the deviation, checking an integrity of at least one functional interconnection of the states of a plurality of control subjects including a first control subject and a second control subject that is functionally connected to the first control subject based on a pairwise comparison between real states of the first and second control subjects and corresponding ideal states of the first and second control subjects;
determining that the ideal state of the TS for the point in time is a modeling error based on one or more confirmed sustained functional interconnections between the control subjects of the TS; and
determining that one or more anomalies has occurred in the TS based on one or more disturbed functional interconnections between the control subjects of the TS identified during the integrity check.

US Pat. No. 10,460,099

SYSTEM AND METHOD OF DETECTING MALICIOUS CODE IN FILES

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for detecting malicious code in files, the method comprising:
intercepting, by a processor, one or more application program interface (API) calls during an execution of a process launched from a file of a computing device;
detecting, by the processor, a fulfillment of an exit condition of the process, wherein the exit condition is based on weights assigned to types of suspicious events;
in response to detecting the exit condition, identifying one or more signatures of a first type and transferring one or more saved memory dumps of the computing device to an emulator for execution, wherein the execution of the transferred one or more saved memory dumps of the computing device in the emulator comprises disassembling one or more executable codes contained in the one or more saved memory dumps and maintaining in succession in a second log records of the intercepted API calls, wherein each record in the second log contains information for an API function called, the information including a unique identifier (PID) of a process launched from a corresponding file; and
identifying a malicious code in the file in response to detecting one or more signatures of a second type based at least upon execution results of the transferred memory dumps of the computing device.

US Pat. No. 10,409,987

SYSTEM AND METHOD FOR ADAPTIVE MODIFICATION OF ANTIVIRUS DATABASES

AO Kaspersky Lab, Moscow...

1. A method for adaptively modifying an antivirus database, the method comprising:
storing in the antivirus database a list of different object types comprising characteristic templates of each object type;
receiving an antivirus scan log that contains information about software objects of an unknown object type which is not recorded in the list of object types;
determining, by a hardware processor, whether to modify the antivirus database to include the unknown object type by:
analyzing the antivirus scan log to identify file extensions of the software objects and isolating in a group the software objects with a same file extension;
responsive to determining that a total number of software objects in the group is greater than a threshold number, analyzing file data of each of the software objects in the group to determine software objects with identical file portions, wherein the identical file portion is an identical sequence of bytes located in a same address offset in each of the respective software objects;
generating a characteristic template based on the identical file portion for the software objects in the group when the number of software objects having the identical file portion is greater than a selected percentage;
modifying the antivirus database by (i) adding to the list of object types a new object type corresponding to the characteristic template associated with the unknown object type, and (ii) adding a new antivirus list in the antivirus database based on the new object type; and
when at least one software object having the same file extension and having the unknown object type is identified as harmful, designating as harmful the software objects associated with the new antivirus list of antivirus database.
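The steps of this claim form one procedure (group by extension, require a minimum group size, find byte sequences identical at the same offset across the group, emit a template once enough of the group shares it, then propagate a harmful verdict over the new list), so here is one added example that runs it end to end. It is not Kaspersky's code: the scan log is a constructed list of (path, bytes) records, the type-naming scheme is hypothetical, and the group-size, share and minimum-run-length thresholds are assumptions.

```python
"""Deriving a characteristic template for an unknown object type from a scan
log. Added example, not Kaspersky's code. SCAN_LOG is constructed; the
min_group, min_share and min_len thresholds are assumptions.
"""


def extension_of(path):
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def group_by_extension(scan_log):
    """Isolate objects with the same file extension into one group."""
    groups = {}
    for path, data in scan_log:
        groups.setdefault(extension_of(path), []).append((path, data))
    return groups


def identical_runs(datas, min_len, min_share):
    """Byte sequences found at the same offset in more than min_share of the
    objects. A run is grown only while the SAME subset of objects keeps
    matching, so every emitted sequence really exists in each member.
    Returns [(offset, bytes, member_count)]."""
    ref, n = datas[0], len(datas)
    width = min(len(d) for d in datas)
    runs, off = [], 0
    while off < width:
        members = {i for i, d in enumerate(datas) if d[off] == ref[off]}
        if len(members) / n <= min_share:
            off += 1
            continue
        start, end = off, off + 1
        while end < width:
            still = {i for i in members if datas[i][end] == ref[end]}
            if len(still) / n <= min_share:
                break
            members, end = still, end + 1
        if end - start >= min_len:
            runs.append((start, ref[start:end], len(members)))
        off = end
    return runs


def matches_template(data, template):
    return all(data[off:off + len(seq)] == seq for off, seq in template)


def adapt_database(db, scan_log, min_group=3, min_share=0.75, min_len=4):
    """Add a new object type (its characteristic template) and a new antivirus
    list for every sufficiently large group of unknown-type objects."""
    added = []
    for ext, group in group_by_extension(scan_log).items():
        if len(group) <= min_group:
            continue
        template = [(off, seq) for off, seq, _ in
                    identical_runs([d for _, d in group], min_len, min_share)]
        if not template:
            continue
        type_name = f"unknown-{ext}"  # hypothetical naming scheme
        db["object_types"][type_name] = template
        db["lists"][type_name] = [p for p, d in group if matches_template(d, template)]
        added.append(type_name)
    return added


def designate_harmful(db, type_name, harmful_path):
    """Once one object of the new type is confirmed harmful, designate every
    object on that type's new antivirus list as harmful."""
    if harmful_path not in db["lists"].get(type_name, []):
        return set()
    db.setdefault("harmful", set()).update(db["lists"][type_name])
    return db["harmful"]


# Constructed scan log: five objects of an unrecorded type with a fixed
# 4-byte magic, a per-file 4-byte field and a version string, plus a stray text file.
SCAN_LOG = [
    ("C:\\tmp\\a.qzx", b"QZX\x01" + b"\x10\x11\x12\x13" + b"VER=0001" + b"alpha"),
    ("C:\\tmp\\b.qzx", b"QZX\x01" + b"\x20\x21\x22\x23" + b"VER=0001" + b"bravo"),
    ("C:\\tmp\\c.qzx", b"QZX\x01" + b"\x30\x31\x32\x33" + b"VER=0001" + b"charlie"),
    ("C:\\tmp\\d.qzx", b"QZX\x01" + b"\x40\x41\x42\x43" + b"VER=0001" + b"delta"),
    ("C:\\tmp\\e.qzx", b"QZX\x01" + b"\x50\x51\x52\x53" + b"VER=0002" + b"echo"),
    ("C:\\tmp\\n.txt", b"plain text"),
]

if __name__ == "__main__":
    db = {"object_types": {}, "lists": {}}
    print(adapt_database(db, SCAN_LOG))        # ['unknown-qzx']
    print(db["object_types"]["unknown-qzx"])   # [(0, b'QZX\x01'), (8, b'VER=0001')]
    print(designate_harmful(db, "unknown-qzx", "C:\\tmp\\b.qzx"))
```

The fifth sample (VER=0002) shows the trade-off in the share threshold: at 75% the version string enters the template and that object is excluded from the new list, so a harmful verdict on one of the others does not reach it; lowering the share drops the version bytes from the template and the list then covers all five.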

US Pat. No. 10,373,135

SYSTEM AND METHOD FOR PERFORMING SECURE ONLINE BANKING TRANSACTIONS

AO KASPERSKY LAB, Moscow...

1. A method for performing a secure online banking operation, the method comprising:
collecting, by a processor of a security server, data related to at least one transaction of the online banking operation requested by a user device to a banking server, wherein the banking server is directly accessible to the user device;
creating, by the processor, a plurality of verification scripts based at least on the collected data, wherein each verification script comprising at least one rule requiring collection of one or more types of identification data associated with the transaction of the banking operation;
collecting the identification data from the user device that executed the plurality of verification scripts, wherein the collected identification data comprises logs of network activities of applications running on the user device and logs of function calls from applications running on the user device;
determining, by the processor, a level of security of performing the banking operation based at least on the identification data collected by the plurality of verification scripts; and
determining, by the processor, whether to perform or not to perform the requested banking operation based on the determined level of security.

US Pat. No. 10,482,272

SYSTEM AND METHOD FOR RECEIVING USER DATA USING A DATA ENTRY MECHANISM ACTIVATED FOR AN APPLICATION

AO Kaspersky Lab, Moscow...

1. A method for receiving user input using a data entry mechanism activated for an application, the method comprising:
detecting, by a hardware processor, an activity state of the application during an execution of the application on a user device;
determining, by the hardware processor, security requirements associated with the activity state, wherein the security requirements comprise properties for the data entry mechanism;
selecting, by the hardware processor, a data entry mechanism corresponding to the determined security requirements associated with the activity state;
activating, by the hardware processor, the selected data entry mechanism for receiving user input for the application, wherein the selected data entry mechanism is governed according to the properties of the security requirements associated with the activity state;
receiving, by the hardware processor, the user input in accordance with the activated data entry mechanism; and
displaying, by the hardware processor, a modified version of the user input according to the properties of the security requirements.

US Pat. No. 10,482,273

SYSTEM AND METHOD FOR ACTIVATING A DATA ENTRY MECHANISM FOR AN APPLICATION BASED ON SECURITY REQUIREMENTS

AO Kaspersky Lab, Moscow...

1. A method for activating a data entry mechanism for an application based on security requirements, the method comprising:
detecting, by a hardware processor, an activity state of the application during an execution of the application on a user device;
determining, by the hardware processor, the security requirements associated with the detected activity state, wherein the determined security requirements comprise properties for the data entry mechanism;
activating, by the hardware processor, the data entry mechanism for receiving user input for the application, wherein the data entry mechanism is based on the determined security requirements; and
receiving, by the hardware processor, user input in accordance with the activated data entry mechanism.

US Pat. No. 10,419,472

SYSTEM AND METHOD FOR REPAIRING VULNERABILITIES OF DEVICES CONNECTED TO A DATA NETWORK

AO Kaspersky Lab, Moscow...

1. A method for repairing vulnerabilities of devices connected to a data network, the method comprising:
accessing, by a hardware processor, a device communicatively coupled to the data network;
accessing, by the hardware processor, a configuration of the device, the configuration containing settings of the device;
comparing, by the hardware processor, each of the settings of the accessed device with settings of devices with known vulnerabilities from a database of vulnerabilities to identify at least one vulnerability of the device that can be exploited;
retrieving by the hardware processor, from the database, the settings of the devices with known vulnerabilities that repair the identified vulnerability in the accessed device;
determining, by the hardware processor, a repair action for repairing the at least one vulnerability, the repair action comprising adjusting one or more settings of the device based on the retrieved settings; and
transmitting, by the hardware processor, instructions to the accessed device to perform the repair action, the instructions comprising updating a setting of the accessed device by crawling a web page of an administrative console of the accessed device to identify controlling elements in the web page for the setting, and modifying values of the controlling elements based on the instructions.

US Pat. No. 10,528,727

SYSTEM AND METHOD OF DETECTING ANOMALOUS EVENTS BASED ON KNOWN SAFE EVENTS

AO Kaspersky Lab, Moscow...

1. A method for detecting anomalous events occurring in a computing device, the method comprising:
detecting, by a hardware processor, at least one safe event occurring in an operating system of a secure computing device;
determining, by the hardware processor, a context of the detected at least one safe event that has occurred in the operating system of the secure computing device;
forming, by the hardware processor, at least one convolution of the detected at least one safe event based on selected features of the determined context of the detected at least one safe event;
storing, in at least one database by the hardware processor, the formed at least one convolution of the detected at least one safe event;
detecting, by the hardware processor, at least one unclassified event occurring in an operating system of the computing device during execution of a software process;
determining, by the hardware processor, a context of the detected at least one unclassified event that has occurred in the operating system during the execution of the software process;
forming, by the hardware processor, a convolution of the detected at least one unclassified event based on selected features of the determined context of the detected at least one unclassified event; and
determining, by the hardware processor, whether the detected at least one unclassified event is an anomalous event by comparing the formed convolution of the detected at least one unclassified event with the formed at least one convolution of the detected at least one safe event stored in the at least one database.
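This claim and US 10,489,586 above share one building block: a context of an event (loaded modules, LBR/BTS jump data, the dumped code) is reduced to a fixed representation, which is then either checked for popularity across many clients or compared against the representations of known safe events. The following added example implements that block once and both decisions on top of it. It is not Kaspersky's code: the event records, the population counts, the safe set, the threshold and the field names are all constructed or assumed for the illustration, and "compare" is taken as exact match of the convolution.

```python
"""Context convolution for event-anomaly detection, serving both the
popularity test (US 10,489,586) and the safe-set test (US 10,528,727).
Added example, not Kaspersky's code; events, counts and thresholds are
constructed and the field names are assumptions.
"""
import hashlib


def normalize_context(event):
    """Select and canonicalize the context features the claims list: the
    executable modules loaded in the process, the jump data (source, target
    module) from LBR/BTS, and a digest of the dumped code page. Volatile
    details (paths, casing, load addresses) are dropped so the same behaviour
    observed on different machines produces the same convolution."""
    modules = tuple(sorted(m.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                           for m in event["modules"]))
    jumps = tuple((src.lower(), dst.lower()) for src, dst in event["branch_records"])
    code_digest = hashlib.sha256(event["code_dump"]).hexdigest()
    return (event["event_type"], modules, jumps, code_digest)


def convolution(event):
    """Fixed-length string representation of the selected features."""
    return hashlib.sha256(repr(normalize_context(event)).encode()).hexdigest()


def is_anomalous_by_popularity(event, population_db, threshold):
    """Popularity = number of client devices that reported the same
    convolution (constructed counts here). Below threshold -> anomalous."""
    return population_db.get(convolution(event), 0) < threshold


def is_anomalous_by_safe_set(event, safe_convolutions):
    """Anomalous when the convolution matches none recorded from the secure
    reference device. Exact match is the simplest comparison; a similarity
    measure over normalize_context() would be the next refinement."""
    return convolution(event) not in safe_convolutions


# Constructed events ------------------------------------------------------
CODE_PAGE = b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xec\x20"  # constructed bytes
SAFE_EVENT = {
    "event_type": "file_write",
    "modules": ["C:\\Windows\\System32\\ntdll.dll", "C:\\Windows\\System32\\kernel32.dll",
                "C:\\Program Files\\Editor\\editor.exe"],
    "branch_records": [("editor.exe", "kernel32.dll"), ("kernel32.dll", "ntdll.dll")],
    "code_dump": CODE_PAGE,
}
# Same behaviour reported by another host: different install path and
# casing, modules listed in another order.
SAFE_EVENT_OTHER_HOST = {
    "event_type": "file_write",
    "modules": ["D:\\Apps\\Editor\\EDITOR.EXE", "C:\\WINDOWS\\system32\\KERNEL32.DLL",
                "C:\\WINDOWS\\system32\\NTDLL.DLL"],
    "branch_records": [("EDITOR.EXE", "KERNEL32.DLL"), ("KERNEL32.DLL", "NTDLL.DLL")],
    "code_dump": CODE_PAGE,
}
# Suspicious: the write is issued from memory backed by no loaded module.
SUSPICIOUS_EVENT = {
    "event_type": "file_write",
    "modules": ["C:\\Windows\\System32\\ntdll.dll", "C:\\Windows\\System32\\kernel32.dll",
                "C:\\Program Files\\Editor\\editor.exe"],
    "branch_records": [("<unbacked>", "ntdll.dll")],
    "code_dump": b"\x90\x90\xe8\x00\x00\x00\x00\x5d\x48\x8d\x7d\x10",  # constructed bytes
}

POPULATION_DB = {convolution(SAFE_EVENT): 12000}  # constructed client counts
SAFE_CONVOLUTIONS = {convolution(SAFE_EVENT)}     # recorded on the secure device
POPULARITY_THRESHOLD = 50

if __name__ == "__main__":
    print(is_anomalous_by_popularity(SAFE_EVENT_OTHER_HOST, POPULATION_DB, POPULARITY_THRESHOLD))  # False
    print(is_anomalous_by_popularity(SUSPICIOUS_EVENT, POPULATION_DB, POPULARITY_THRESHOLD))       # True
    print(is_anomalous_by_safe_set(SUSPICIOUS_EVENT, SAFE_CONVOLUTIONS))                           # True
```

The normalization step decides how useful either test is: keep load addresses or full paths in the context and every host produces its own convolution, so nothing is ever popular and every event fails the safe-set comparison; drop too much and a process injected with foreign code looks like its clean twin. The example keeps module names, jump endpoints by module and a digest of the executing code, which is enough for the two constructed cases.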

US Pat. No. 10,361,998

SECURE GATEWAY COMMUNICATION SYSTEMS AND METHODS

AO KASPERSKY LAB, Moscow...

1. A security system comprising:
a microkernel configured to provide a gateway for communication between a first entity and a second entity, wherein the first entity and second entity are configured to initiate actions subject to monitoring, and wherein the microkernel is further configured to intercept an action along the gateway between the first entity and the second entity;
computing hardware, including at least one processor, a data store, and input/output facilities interfaced with the at least one processor, the data store including a security subsystem executable by the at least one processor, that, when executed, causes the computing hardware to implement:
a security server engine configured to check whether the action is permissible by computing a verdict based on a plurality of policies, wherein the security server is unable to apply the verdict, and wherein each of the plurality of policies are defined by a conjunction of at least a first predefined access mechanism and a second predefined access mechanism;
a first gateway associated with the first entity and configured to apply a first verdict to the first entity; and
a second gateway associated with the second entity and configured to apply a second verdict to the second entity,
wherein the first gateway and the second gateway are configured according to a system-level configuration applicable to both the first entity and the second entity, and a reflection configuration specific to the one of the first entity or the second entity, wherein the reflection configuration maps a plurality of entity actions to a security policy.

US Pat. No. 10,223,522

SYSTEM AND METHOD FOR PROTECTING MOBILE DEVICE WHEN INTERACTING WITH A COMPUTER

AO Kaspersky Lab, Moscow...

1. A computer-implemented method for protecting data of a mobile device, the method comprising:
connecting the mobile device with a computer via a security adapter for charging the mobile device, wherein the security adapter is connected to the mobile device and the computer via a wired transmission interface;
in response to receiving a request from the computer for exchanging data with the mobile device, determining and collecting, by a processor of the mobile device, a plurality of parameters relating to an establishment of a data transmission mode between the computer and the mobile device;
in response to receiving a request to determine a security level of the mobile device, the request transmitted from a transceiver of the security adapter to the mobile device, determining, by the processor of the mobile device, a security level of the establishment of the data transmission mode based at least on the plurality of parameters; and
transmitting the security level to the transceiver of the security adapter for determining rules for establishing the data transmission mode between the computer and the mobile device.

US Pat. No. 10,223,539

SYSTEM AND METHOD FOR SELECTING A DATA ENTRY MECHANISM DURING APPLICATION CREATION

AO Kaspersky Lab, Moscow...

1. A method for selecting a data entry mechanism for an application, the method comprising:
determining a plurality of activity states of an application during a creation of the application;
determining, for each of the plurality of activity states, whether a data entry mechanism of the application is dependent on one of the plurality of activity states;
determining security requirements corresponding to each of the plurality of activity states during the creation of the application;
selecting a data entry mechanism for each of the determined security requirements; and
activating a corresponding data entry mechanism of the application during an activation of each corresponding activity of the plurality of activity states.