FIELD: physics, computer engineering.
SUBSTANCE: invention relates to antivirus systems. A method of determining required analysis of events during antivirus inspection based on the current trusted status of the process includes the following steps: a) monitoring execution of the process in the operating system by process monitoring means; b) assigning an initial process status by the process monitoring means, wherein the process status is a trusted process or non-trusted process; c) using the process monitoring means, in accordance with the current process status, to establish at least one event type, the events of which are detected in a stream of all events for said process, wherein the established event types are at least mandatory or critical events, wherein if said process has a trusted process status, then a mandatory event type is established therefor, and if said process has a non-trusted process status, at least two event types are established therefor, specifically a critical event type and a mandatory event type, where: the mandatory event is an event upon detection of which evaluation of the process status should be performed for possible change of the current process status; the critical event is an event upon detection of which evaluation of process status should be performed based on antivirus inspection of the launched process or file, from which said process was launched; d) performing analysis of each detected event according to the current process status using evaluation criteria which define the need to change the process status using event processing means, wherein information on evaluation criteria is stored in an evaluation criteria database; e) making a decision on the need to change the current process status based on the performed analysis using the event processing means; f) using the process monitoring means to change the current process status based on the decision and switching to step c).
EFFECT: reducing the number of events associated with execution of the process requiring analysis during antivirus inspection.
15 cl, 5 dwg
| Title | Year | Author | Number |
|---|---|---|---|
| METHOD FOR EXCLUDING PROCESSES OF ANTIVIRUS SCANNING ON THE BASIS OF DATA ON FILE | 2015 |
|
RU2595510C1 |
| SYSTEM AND METHOD OF DETERMINING THE CATEGORY OF PROXY APPLICATION | 2014 |
|
RU2580032C2 |
| SYSTEM AND METHOD OF DETERMINING UNKNOWN STATUS APPLICATION | 2014 |
|
RU2580053C2 |
| SYSTEM AND METHOD OF ASSESSMENT OF HARMFULLNESS OF CODE EXECUTED IN ADDRESSING SPACE OF CONFIDENTIAL PROCESS | 2013 |
|
RU2531861C1 |
| SYSTEM AND METHOD OF ADAPTING PATTERNS OF DANGEROUS PROGRAM BEHAVIOR TO USERS' COMPUTER SYSTEMS | 2017 |
|
RU2652448C1 |
| METHOD OF SELECTIVE USE OF PATTERNS OF DANGEROUS PROGRAM BEHAVIOR | 2017 |
|
RU2665909C1 |
| SYSTEM AND METHOD OF PROTECTING COMPUTING DEVICE FROM MALICIOUS OBJECTS USING COMPLEX INFECTION SCHEMES | 2011 |
|
RU2454705C1 |
| METHOD OF CREATING ANTIVIRUS RECORD WHEN DETECTING MALICIOUS CODE IN RANDOM-ACCESS MEMORY | 2015 |
|
RU2592383C1 |
| SYSTEM AND METHOD OF DETECTING FRAUDULENT ONLINE TRANSACTIONS | 2014 |
|
RU2571721C2 |
| SYSTEM AND METHOD FOR DETECTING MALWARE BY INTERCEPTING ACCESS TO INFORMATION DISPLAYED TO USER | 2016 |
|
RU2634176C1 |
