RU2536664C2 - System and method for automatic modification of antivirus database - Google Patents

Abstract

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to optimisation of antivirus scanning. A method of updating information in an antivirus database by creating an antivirus list in the antivirus database, the antivirus list corresponding to a new type of object, comprises steps of: storing a list of types of objects containing distinctive features for determining types of objects, and antivirus lists divided according to type of objects and containing antivirus records for corresponding types of objects; determining the type of an obtained object for subsequent selection of an antivirus list for antivirus scanning of the object; performing antivirus scanning of the obtained object for content of malicious code using the antivirus list corresponding to the determined type of object, and forming scan results; analysing the scan results to identify objects whose type was determined as unknown; updating the antivirus database by adding distinctive features of the identified type of at least one object to the list of types of objects and creating an antivirus list corresponding to the identified type of object, wherein said lists do not contain antivirus records.

EFFECT: faster antivirus scanning.

22 cl, 7 dwg

Description

Technical field

The present invention relates to systems and methods for optimizing anti-virus scanning of files, and more particularly, to systems and methods for analyzing the results of anti-virus scanning and subsequent modification of the anti-virus database.

State of the art

Currently, malicious programs, which, in particular, can include network worms, trojans, computer viruses and other programs that cause any harm to the computer, are becoming more widespread. One of the most effective ways to counter malware is to use antivirus software. Antivirus software contains a set of technologies designed to detect and remove from the computer operating system the maximum possible number of malicious (or potentially harmful) programs. One of the malware detection methods used by antivirus software is to scan all or part of the files present on the hard and network drives of a computer.

One of the main methods for checking file infection is signature scanning. In anti-virus applications, as a rule, during signature scanning, each file is scanned over the entire list of signatures (templates) of malicious code contained in the anti-virus database. Every year the anti-virus database is constantly growing, which leads to an increase in the scan time in this way. To optimize this method of verification (for example, to increase the speed of verification), it has now become advisable to use preliminary analysis of files.

A preliminary analysis allows you to further optimize the basic anti-virus scan and may consist, for example, in filtering files according to the assigned criteria; prioritize files before checking; identifying the necessary file parameters for further anti-virus scanning; in converting files to a specific view. During the preliminary analysis, anti-virus applications use various evaluation criteria, for example, file type, hash file, file size, file creation date, file name, etc. Based on the selected criterion or set of criteria, the antivirus application detects files, and then conducts a preliminary analysis of the identified files in accordance with the settings. So, for example, if the preliminary analysis is to prioritize files, then according to the identified criteria, a file verification queue will be formed. In another example, if the preliminary analysis is to filter files, then according to the identified criteria, the files will be filtered (skipped or eliminated from further verification).

In the future, we consider the case when the preliminary analysis consists in filtering files. With this approach, acceleration of antivirus scan of files can be achieved by excluding from the scan files that do not meet the filter criteria. For example, filtering can be based on determining the type of file and filtering out further checks of files whose type is a safe type, because Files of this type do not need to be scanned. A safe type is the type of file among the files of which no malicious file or file containing malicious code was detected. In other words, we can say that this type of file is a legitimate ("clean") type.

So, in the patent US 7620991 B2 describes a preliminary analysis based on determining the correspondence of the type of file being transferred to the user from a remote server with any known type of files for the purpose of subsequent decision making on the need for anti-virus scanning. In the event that the detected file type corresponds to a file type that does not contain malicious code, the file is excluded from the anti-virus scan. Otherwise, an anti-virus scan will be performed. The type of file will be determined based on a search in the file structure of the “magic number” (a certain sequence of file bytes (signature), which is typical only for a certain type of file) that corresponds to one or another type of file.

In the application US 20120159631 describes a method of checking files for malicious objects. A feature of this method is the presence of an intermediate (preliminary) check, on the basis of which a decision is made on further verification of the file. An intermediate check consists in checking the file using various simple operations that eliminate the likelihood that the file is malicious. Such operations include checking checksums, file headers, the number of file sections and other file properties that distinguish malicious files from safe ones.

Also, antivirus software, if used on mobile devices, has a number of limitations associated with the more limited resources of the mobile devices themselves. As a rule, restrictions are associated with the speed of operation, the amount of memory and the time of use of the mobile device due to the periodic need to recharge the battery. As a result, the task of efficient use of the provided resources by a mobile device appears. For example, you can reduce the number of technologies used by antivirus software by using various methods of preliminary analysis or filtering files during their antivirus scan.

In addition, using a filtering system by the file parameters that were previously selected as a preliminary analysis, you can further increase the speed of anti-virus scanning by dividing the database by the corresponding file parameters. For example, anti-virus scanning using signatures uses databases containing criteria for detecting malicious code. Signatures of malicious code can include code samples in the form of strings, hash sums of malicious code or parts thereof, etc. Therefore, in the case of dividing the database, for example, by file type, a distributed database appears, which will optimize (increase) the speed of file analysis, because verification will not be carried out on the entire database, but only on the relevant part.

So, in patent US 6675170 describes a method for dividing a database into two or more subsets in order to simplify the placement of elements in the database and accelerate the receipt of data from the database in accordance with the request.

However, it is also necessary to take into account the following circumstance: with a huge and constantly growing number of new file types and new samples (signatures) of malicious code, anti-virus databases also constantly increase and, as a result, the scan time of files increases. For this reason, in order to effectively take advantage of the preliminary analysis (filtering), for example, by file type, as well as a split anti-virus database, it is necessary that the set of file types used during the preliminary analysis be adapted (i.e. relevant ) for the system in which this check is performed.

Therefore, although the inventions listed in the above patents and applications are aimed at solving certain problems in the field of preliminary analysis by file type and working with a shared database, they have one common drawback - the lack of adaptation for systems in which anti-virus scanning is performed. Elimination of this drawback will significantly reduce the time of anti-virus scanning.

Another disadvantage is the fragmentation of various databases used by antivirus software, such as a database containing hash amounts of malicious code; a database containing hash sums of legitimate code, a database containing file types; etc. This feature constantly affects the amount of resources occupied, in particular, on a mobile device.

Another disadvantage is the huge number of safe files that are also scanned for viruses, which significantly increases the scan time.

An analysis of the prior art and the possibilities that arise when combining them in one system allows you to get a new result, namely a system for automatically modifying the anti-virus database. The present invention, which will be described later, allows to eliminate the disadvantages described above, and more efficiently and effectively solve the problem of increasing the speed of anti-virus file scanning.

SUMMARY OF THE INVENTION

The present invention is intended to increase the speed of anti-virus scanning of objects.

The technical result of the present invention is to increase the speed of antivirus scans. The specified technical result is achieved by taking into account when processing updated information stored in the anti-virus database.

As one implementation option, a method for updating information in an anti-virus database by creating an anti-virus list in an anti-virus database is proposed, and the anti-virus list corresponds to a new type of object, it contains steps in which: they store a list of object types containing distinctive features for determining types objects, and anti-virus lists, divided by type of objects and containing anti-virus entries for the corresponding types of objects; determine the type of the received object for the purpose of subsequent selection of the antivirus list for the antivirus scan of the object; conduct an anti-virus scan of the received object for the content of malicious code using the anti-virus list corresponding to a certain type of object, and generate the scan results; analyze the results of the check in order to identify objects in which the type of object was identified as an unknown type of object; identify the type of at least one object whose type of object has been defined as an unknown type of object; update the anti-virus database by adding the distinctive features of the detected type of at least one object to the list of object types and creating an anti-virus list corresponding to the detected type of object, while these lists do not contain anti-virus entries.

As another implementation option, anti-virus entries are malicious code templates.

As another implementation option, anti-virus entries are at least the metadata of the object, the extension of the object, the hash of the object, the size of the object, the MIME type, the location of the object, the platform tin on which the object is running.

In yet another embodiment, determining the type of object includes at least determining the location of the object in the file system and determining the type of platform on which the object is running.

As another option, determine the type and duration of the anti-virus scan of the object based on the detected platform type or the location of the object in the file system.

As another implementation option, the type of antivirus scan is at least signature analysis, heuristic analysis, and analysis using an emulator.

As another implementation option, the type of platform is at least Symbian, Android, IOS and Windows.

In yet another embodiment, an anti-virus scan of objects with an object type that is defined as an unknown object type is performed using an anti-virus list for unknown object types.

As another implementation option, the identification of the type of objects is based on an analysis of the structure of objects.

As another implementation option, the detection of the type of objects is based on a request to the anti-virus server.

In another embodiment, the identification of the type of objects is based on an analysis of the contents of the objects.

As another implementation option, an analysis of the contents of the objects is a byte comparison of the contents of the objects and the subsequent selection of at least one identical portion of the contents of the objects.

In yet another embodiment, a sequence of bytes of 2 bytes or more is used as an identical portion of the contents of the objects and at the same time is contained in all analyzed objects at the same offset.

In one embodiment, a system for updating information in an anti-virus database by generating an anti-virus list in an anti-virus database is proposed, and the anti-virus list corresponds to a new type of object, which contains: an anti-virus database for storing a list of types of objects containing information about types objects, and anti-virus lists for each type of objects that contain anti-virus entries, and providing the specified list of types of objects to the preliminary device analysis and specified anti-virus lists to the detection device; a preliminary analysis device for determining the type of the object being checked using the list of object types and transmitting information about the type of object to the detection device; a detection device designed to detect malicious code in the file being scanned using an anti-virus list that matches a specific type of object and transmit the results of the scan to the device for analyzing the results of the scan; a device for analyzing scan results, intended for analyzing the results of anti-virus scan of objects, forming, based on the analysis, a decision on the need to adjust the database and transmit the corresponding information to the database modification device; a database modification device for updating the database by creating a new anti-virus list that does not contain anti-virus entries and adding information about the new type of object to the list of object types in accordance with the information received from the analysis analysis device.

As another embodiment, the system also includes a database update device for updating entries in anti-virus lists stored in the anti-virus database.

As another implementation option, anti-virus entries are malicious code templates.

In yet another embodiment, the anti-virus entries are at least the metadata of the object, the extension of the object, the hash of the object, the size of the object, the MIME type, the location of the object, the type of platform on which the object is running.

In yet another embodiment, determining the type of object includes at least determining the location of the object in the file system and determining the type of platform on which the object is running.

As another option, determine the type and duration of the anti-virus scan of the object based on the detected platform type or the location of the object in the file system.

As another implementation option, the type of antivirus scan is at least signature analysis, heuristic analysis, and analysis using an emulator.

As another implementation option, the type of platform is at least Symbian, Android, IOS and Windows.

As another implementation option, a device for analyzing scan results, analyzing the results of an anti-virus scan of objects, selects objects whose object type has been defined as an unknown type of object for the subsequent determination of these unknown types of objects.

As another implementation option, unknown object types are determined by analyzing the structure of the objects.

In yet another embodiment, unknown types of objects are determined using a request to an anti-virus server.

As another implementation option, unknown types of objects are determined by analyzing the contents of the objects.

As another implementation option, the analysis of the contents of the files is a byte comparison of the contents of the objects and the subsequent selection of at least one identical portion of the contents of the objects.

In yet another embodiment, a sequence of bytes of 2 bytes or more is used as an identical portion of the contents of the objects and at the same time is contained in all analyzed objects at the same offset.

As another implementation option, the detection device detects malicious code in objects whose object type has been defined as an unknown object type using an anti-virus list for unknown object types.

Brief description of the attached drawings

The accompanying drawings, which are included to provide an additional understanding of the invention and form part of this description, show embodiments of the invention and, together with the description, serve to explain the principles of the invention.

The claimed invention is illustrated by the following drawings, in which:

FIG. 1 shows a block diagram of the operation of an adaptive anti-virus database tuning system for anti-virus file scanning.

FIG. 2 shows an example of the interaction of a preliminary analysis device, a malware detection device in a file, and an anti-virus database.

FIG. 3 shows a diagram of the algorithm of the adaptive settings of the anti-virus database during the anti-virus scan of files.

FIG. 4 shows a diagram of the algorithm for the adaptive tuning of the anti-virus database.

FIG. 5 shows a diagram of the algorithm for the adaptive tuning of the anti-virus database by counting the ratio of the number of scanned files of a safe file type to the total number of scanned files.

FIG. 6 shows a graph comparing file contents.

FIG. 7 shows an example of a general purpose computer system on which the invention may be implemented.

Description of Embodiments

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The essence described in the description is nothing more than the specific details necessary to assist the specialist in the field of technology in a comprehensive understanding of the invention, and the present invention is defined in the scope of the attached claims.

The presented invention can be used for various devices that contain a file system. Such devices, first of all, are a personal computer, laptop, mobile device, for example, a smartphone, etc. In addition, the presented invention should also be part of the device on which the tasks will be solved.

In the general case, the structural diagram of the adaptive anti-virus database tuning system for anti-virus file scanning has the form shown in FIG. 1. The adaptive anti-virus database configuration system for anti-virus scanning of files 100 (hereinafter referred to as the adaptive system) consists of a preliminary analysis device 110, a malicious code detection device in file 120 (hereinafter referred to as a detection device), an anti-virus database 130, an analysis results analysis device 140 , database modification devices 150, and in a particular case, database updating devices 170.

It should be noted that when describing various options for implementing an adaptive anti-virus database system, for the purpose of readability, it is made with reference to computer files, but is not limited to them and can be applied to other types of program objects. Such objects can be at least scripts, applets, emails, URLs, SMS and MMS messages.

The preliminary analysis device 110 is designed to determine the type of file being scanned from the file system 10 using the list of file types stored in the anti-virus database 130, and transfer the installed file type along with the file to the detection device 120. It should be noted that the file being scanned may not be transmitted from device to device, and only a link will be transmitted indicating the location of the file in the file system 10, which must be checked. The list of file types contains records of various file types (file formats), according to which you can determine exactly what type of files the analyzed file belongs to. Each entry in the list of file types contains information in the form of various parameters that characterize a particular type of file. Such parameters can be: file extension, a sequence of byte lines (“magic number”, signature), which can be found by the offset (a value that shows, with a relative addressing method, the offset of the memory cell relative to the base address) from the beginning of the file, metadata (information file data; may contain information about file size, file type, creation date, etc.), MIME type (specification for encoding information and formatting messages so that they can be sent over the Internet) , parameters of the firmware platform on which a file of the indicated type and other distinguishing parameters of files can be launched. In the particular case of implementation, the device 110 is designed to determine the type of platform on which the analyzed file can be run, and determine the location of the file in the file system in order to determine the type of anti-virus scan and the duration of the scan required for further anti-virus scanning by the detection device 120.

The detection device 120 is designed for anti-virus scanning of received files and subsequent transmission of information about the results of the scan to the analysis analysis device of the verification results 140. The anti-virus scan is carried out by calling the anti-virus list 135 (hereinafter - the AV list) from the database 130, which corresponds to the type of the file being checked, and then comparing scanned file with entries in the AV list 135, which contain parameters for determining malicious code. The parameters of the malicious code are a sample of malicious code, the hash of the file containing the malicious code, various external attributes of the file (size, creation date, for example), etc.

In the particular case of the implementation, depending on the specific type and duration of the required anti-virus scan, the scan described above can be used as an anti-virus scan by preliminary unpacking files - archives to the nth level or more complex scan methods. At least the heuristic method and emulation are more complex verification methods. The type and duration of the anti-virus scan may depend on the hardware or software platform on which the system 100 is running. For example, mobile device platforms, such as Android and Symbian, are limited in data processing due to limitations in memory size and battery life, compared, for example, with PC platforms such as Windows and Unix. Thus, on mobile device platforms, the detection device 120 can use faster and easier verification methods, such as signature verification (comparing the file being checked with entries from the AV list 135); and more complex and time-consuming types of checks, such as heuristic analysis and emulation, do not hold or postpone (for example, while the mobile device is not in use). On PC platforms, the 120 detection device can use more thorough and time-consuming verification methods that can be run in the background without interfering with the use of the PC.

In another aspect, the type and duration of the anti-virus scan may depend on the location of the file. For example, on some mobile platforms, the detection device 120 may decide whether to perform or cancel the anti-virus scan of the file based on the location of the file in the mobile OS file system. The detection device 120 may, for example, first check files located in application folders (software), and then only files located in data folders (system folders). This definition is due to the fact that, for example, on the Android platform, application folders and files are usually installed in a folder with the name of the application itself (for example, "/ storage / sdcard0 / data / app", where "arr" is the name of the application ), while data files (such as media files) are stored in the data folder "/ storage / sdcard0 / DCIM". Therefore, the detection device 120 will perform a more thorough and laborious scan of files from application folders and a less thorough scan of files from data folders.

A feature of adaptive system 100 is the anti-virus database 130. As noted above, the anti-virus database 130 includes two types of data lists - a list of file types and AV lists 135, which are provided to devices 110 and 120, respectively. It should be noted that among the AV lists 135 there is an AV list that is responsible for checking files whose type has not been determined (in other words, the file is a file of unknown type). An unknown type of files is a file type whose entries are not in the list of file types; therefore, this type cannot be determined by the preliminary analysis device 110. In addition, the anti-virus database 130 contains not only information about file types whose files contain malicious code, but also information about safe (legitimate) file types. A safe type of file is that type of file, among the files of which the system 100 does not know a single file containing malicious code. Therefore, among AV lists 135 there are AV lists 135 of safe file types that do not contain any entries about malicious files and, accordingly, are empty lists, which increases the speed of scanning files from file system 10, the type of which is safe (the option of generating an AV list for a safe file type will be described below). In the particular case of the implementation of the AV lists 135, they are filled and changed using the database update device 170. The database update device 170 for filling the anti-virus database 130 makes requests to the anti-virus server 180 (hereinafter referred to as the AV server) to update the AV lists 135 If the AV server 180 contains new records of samples (for example, an MD5 hash) of malicious code, then the AV server 180 will forward them to the database update device 170, which, in turn, will add them to the corresponding AV lists. Otherwise, the AV server 180 will send a notification about the absence of new records.

Another feature of the anti-virus database 130 is that at the beginning of the adaptive system 100, which is installed, for example, on a mobile device, the anti-virus database 130 may contain entries in the list of file types about file types for which AV lists have not been created. AV lists are not created for some types of files, as these types of files do not contain malicious code and, accordingly, are not malicious files. During operation of the system 100, the anti-virus database 130 will be adapted in accordance with the needs of the mobile device, i.e. depending on the scanned files and their specific types. One of the criteria for adapting the base can be adaptation in accordance with the software and hardware platform of the corresponding device. For example, for the Symbian platform, only file types that can work on the corresponding platform will be added / left.

The main difference between the adaptive system 100 and the existing state of the art is the availability of a database modification device 150. The database modification device 150 is intended for updating the anti-virus database 130 by adding an entry about a new file type to the list of file types and creating the corresponding AV list, in accordance with a solution received from the device for analyzing the results of verification 140. In turn, the device for analyzing the results of verification 140 is intended to analyze information received from the device about detection 120, and to make a decision about the need to modify the anti-virus database 130. Information can be transmitted in the form of a scan log that contains various information about scanning files from the file system 10. The information contained in the scan log can be, for example, decision information taken in relation to the file being scanned (malicious file or not), file type, unknown file type and its features, scan time, etc.

The stages of interaction between the preliminary software analysis device, the detection device 120 and the anti-virus database 130, as well as the generation of the verification log will be described in FIG. 2. After the files from the file system 10 are checked by the detection device 120 and the verification log is generated in accordance with the results of the verification of files from the file system 10, the specified verification log is transmitted to the analysis result analysis device 140. The analysis result analysis device 140 analyzes the verification log , on the basis of which it makes a decision on the need to modify the anti-virus database 130. If modification is necessary, the device for analyzing the results of scan 140 transmits information to the database modification device 150. Otherwise, it terminates.

One example of a situation where a modification of the database 130 is necessary, may be the case when a new file type was identified during the analysis of the scan log, information about which is not in the list of file types from the anti-virus database 130. In this case, the analysis results analysis device 140 transmits information about the new file style to the database modification device 150. After that, the database modification device 150 according to the received information forms a new entry in the file type list and creates a new AV list 135 in accordance with the new file type.

An option to identify a new type of file is a request to the AV server 180, which contains information about the results of the file scan from the scan log. In turn, the AV server 180 analyzes the received information about the file, after which it sends the decision to the device for analyzing the results of the verification 140. The solution may contain information about the type of file that the provided information corresponds to, and information about the inability to determine the file type. Another option for determining a new file type during the analysis of the verification log is possible if the list of file types is updated using the database update device 170. This update occurs automatically with a certain predetermined frequency, as described above for updating AV lists 135.

Another option for identifying a new file type during the analysis of the audit log by the analysis result analysis apparatus 140 is a method for analyzing file structure. The method is based on the analysis of file formats, namely, on the analysis of the specification of the structure of the data recorded in the file. The data structure specification gives an idea of how various pieces of information are located inside a file. Since there are specifications for many file formats that describe in detail the file structure of the corresponding format, the analysis result analysis device 140 can analyze the structure of a file whose type has been defined as an unknown file type for compliance with any known file format. Therefore, in case of coincidence with any known format, the type of the analyzed file will be determined. It is worth noting that the method of analyzing the file structure can be performed on the AV server 180. In this case, the device for analyzing the results of verification 140 will only query the AV server 180 for files whose type was defined as an unknown file type and receive answers with the result analysis on the AV server 180.

Another option for identifying a new file type during the analysis of the audit log by the analysis result analysis apparatus 140 is a method for comparing file contents. The method is based on comparing byte values at fixed offsets and subsequently identifying similar byte sequences. Consider the situation when the device for analyzing the results of verification (hereinafter referred to as the analysis device) 140 revealed in the verification log information about several files for which the file type was determined to be an unknown file type. As it was written above, the analysis device 140 can make a request to the AV server 180, but at the same time receive a negative answer about the type of files, i.e. file type has not been determined. Next, the analysis device 140 will check the file extension and select those files whose file extension matches. A file extension is the part of the file name that follows the dot after the name and indicates the type of file (for example, readme.txt, autorun.exe). If the extensions of two or more files coincide, then the analysis device 140 will analyze the file data and generate the result in the form of a graph shown in FIG. 6. In FIG. 6 is a graph showing the distribution of file byte values relative to their positions (offsets) in the file contents. Next, the analysis device 140 will identify all characteristic (identical) portions of the contents of the files. At the same time, in one embodiment, sections that contain the sequences “00” and “0FFh” can be skipped — values in the hexadecimal notation (in Fig. 6, the code values are presented in decimal notation and, therefore, the analysis device 140 will ignore the values equal to 0 and 255). An identical section of files is a sequence of bytes equal to 2 bytes or more and at the same time contained in all analyzed files at the same offset (it is worth noting that the most optimal sequence is a sequence of 4 bytes). If at least one identical section is detected, then based on this section of the code a characteristic pattern will be generated for identifying files of this type. Otherwise, if at least one identical section is not detected for all analyzed files, then the following actions can be applied to the files:

a) if the number of files provided for analysis was 10 or less, then the files will be saved until the next analysis of the verification log and re-analyzed or transferred to AV server 180 for subsequent analysis;

b) if the number of files was more than 10, then the analysis device 140 will re-analyze the graph. Then, if an identical code section is found for 80% of the files from all analyzed files, then this group of files will be selected and for them the analysis device 140 will form a characteristic pattern for identifying files of this type. The analysis 140 will save the remaining files until the next analysis of the verification log.

The template and file type information will be transferred to the database modification device 150. It is worth noting that the more unknown files of the same type are analyzed, the more likely the file type (signature) will be detected.

It is also worth noting that in one embodiment, the parsing of the file code can be limited to only the first 100 bytes of the code, because with the highest probability, information about file types (signatures) will be located in this area of the code. This statement is based on the experience of analyzing various file formats and structures.

Thus, during the modification of the list of file types, the anti-virus database 130 is replenished with AV lists 135, which correspond to the detected new file types. It is worth noting that the new AV lists 135 will be empty lists, because adaptive system 100 does not know the new type of files that would contain malicious code. Therefore, we can say that the corresponding file types will be considered legitimate (safe) file types until the database update device 170 receives records of malicious files of the corresponding types from the anti-virus server 180. Another example of determining that the file type is not safe, is a search for records of a file of the corresponding type in the AV list 135 for unknown file types. If such a record is found, this record will be moved to the corresponding AV list, and the file type will become a malicious file type.

Another example of a situation where a modification of the database 130 is necessary, may be the case when, during the analysis of the verification log by the analysis analysis device 140, it was found that a significant amount of verification time takes time to verify the files, the type of which is a safe file type. This statement is due to the fact that initially the anti-virus database 130 contains entries only about malicious files and the verification of files that correspond to safe file types is carried out using the AV list for unknown file types 135, which can contain many times more records than other AV lists 135. A significant scan time will be determined, for example, by counting the number of scanned files of a safe type and the total number of scanned files. If the number of scanned files of a safe type takes 10% or more of the total number of scanned files within a specified period of time, then the analysis result analysis device 140 transmits to the database modification device 150 information about the need to create a new AV list for this file type. In turn, the database modification device 150 will generate a new AV list 135 for checking files of the specified safe file type. After that, the new AV list 135 will be added to the anti-virus database 130. The time interval during which the calculation is carried out can be set either with the help of the user or in the automatic mode. It is worth noting that this AV list will be empty, because files of this type of file do not contain malicious code, which will allow adaptive system 100 to conduct an accelerated scan of files of this type.

In the particular case of the implementation, the modification of the anti-virus database 130 is possible in the case when the device for analyzing the results of the scan 140, during the analysis of the scan log received from the detection device 120, analyzes the file, the type of which was identified as unknown. In this case, the detection device 120 checks the file with an unknown file type using the AV list for unknown file types (as will be described in Fig. 2). After that, a decision will be made on the presence of malicious code, and the scan results will be sent to the device for analyzing the results of the scan 140. If the file is determined as a malicious file, and the device for analyzing the results of the scan 140 will then determine the file type of this malicious file (as described above) , the database modification device 150 will add information about this file type to the list of file types. In addition, the modification device 150 will create an AV list that will correspond to this type and add to it the corresponding entry from the AV list for unknown types. Otherwise, if the file is determined to be a safe file, the database modification device 150 will perform the actions as described above.

In the particular case of implementing the database modification device 150, after adding a new AV list to the anti-virus database 130, it will analyze the AV list for unknown file types from the anti-virus database 130 for the contents of the entries in it that belong to the file type to which the new AV list corresponds. If such records are identified, they will also be added to the new AB list.

In another particular case of the adaptation of the anti-virus database 130, the analysis result analysis device 140 analyzes the AV list 135 for unknown file types. The need for this analysis is that this AV list 135 contains entries for all files for which the file type was not defined, and the number of such entries is constantly growing. The growth of entries in the AV list 135 for unknown file types is associated with the constant emergence of new file types that cannot be recognized. Therefore, checking files from the file system using this AV list can take up the bulk of the scan, which will increase the scan time. This is especially true if there are a large number of files of unknown types. One example of determining unknown file types is a method identical to the method of determining the new file type by the analysis device 140, which was described above. Another example is the case when over time these file types will be recognized and determined (for example, by disclosing information about a file type by a company-developer of this type or by conducting special studies to determine this type by various competent organizations), which will allow to separate records belonging to this type in a separate AV list. Consider the situation when the device for analyzing the results of verification 140 received information from the AV server 180, with the help of which it is possible to determine the type of file that has not been previously determined. After receiving this information, the analysis results analysis device 140 checks the AV list 135 for unknown file types. The analysis is based on the identification of records related to this type of file. After at least one such record has been detected, the scan result analysis device 140 sends information about the new file type and the detected record to the database modification device 150. The database modification device 150 creates the corresponding AV list in the anti-virus database 130. Then, to the created one The AV list will move from the AV list for unknown file types the identified record whose file type corresponds to the created AV list.

In the particular case of implementation when using adaptive system 100 on mobile devices, it is advisable to initially store only information about file types in the database and, accordingly, AV lists 135, the files of which contain malicious code. And to add information about other types of files to the anti-virus database as they appear in the file system 10. In addition, it is worth noting that databases should also initially store information only on those types of files that correspond to the software and hardware platform of the corresponding device. Examples of hardware and software platform, at least, are: Symbian, Android, Windows and IOS.

Also for mobile devices, the rational use of device memory is relevant. Therefore, in another special case of implementation, the formation of new AV lists can occur only in the case when the device for analyzing the results of verification 140, when analyzing the verification log and identifying a new file type, will count the number of checked files of this type. If files of this type occupy 10% or more of the total number of scanned files within a specified period of time, then an AV list will be generated for checking files of this type. The generated AV list will initially be empty, because It was created based on the analysis of a safe file type. Then it will be added to the anti-virus database 130. The time interval can be set both by the user and in automatic mode.

In FIG. Figure 2 shows an example of the interaction of the preliminary analysis device 110, the malicious code detection device in file 120, and the anti-virus database 130. Suppose that it is necessary to carry out an anti-virus scan of several files in the file system 10. The preliminary analysis device 110 analyzes the file data from the file system 10 using the list of file types that was received from the anti-virus database 130. If the file type has been determined, a corresponding note is made about the detected file type, for example, as shown in FIG. 2:

1) file 1, type RE;

2) file 2, type pdf;

3) file 3, type png.

Otherwise, the analyzed file corresponds to a mark that the file type is unknown, for example, file 4, type unknown. Next, the preliminary analysis device 110 transmits the file with the installed file type to the detection device 120. The detection device 120, when checking each received file, uses the AV list from the anti-virus database 130, which corresponds to the installed file type. So, for example, for file 1, the file type was set to PE (executable file format). Therefore, the detection device 120 will call an AV list for the file type PE. Next, the detection device 120 compares the file with entries from the corresponding AV list. If matches are found, then the file is malicious. Otherwise, the file is safe (legitimate). In the case when the file type was defined as a legitimate file type (for example, png), the file check will consist in calling the corresponding AV list, and since given AV list is empty, then the subsequent definition of the file as a safe (legitimate) file. In the event that it was established that the file type is unknown, then the AV list for unknown file types is called. After checking the files, the verification results are transmitted to the analysis result analysis device 140.

In the most relevant implementation, the verification results are transmitted to the analysis result analysis device 140 only in case of analyzing a file for which the file type has not been determined.

It should be noted that the AV lists used in this system are not limited to the file types shown in this example.

In FIG. Figure 3 shows a diagram of the algorithm for the adaptive settings of the anti-virus database during anti-virus file scanning. At step 310, the preliminary analysis device 110 obtains a pointer to a file from the file system 10, which must be checked for malicious code. At step 320, the preliminary analysis device 110 searches for correspondences between the pre-formed distinguishing feature of the file being scanned and the entries contained in the list of file types stored in the anti-virus rule database 130. If matches are found, then at step 330 it is determined that the file type is being scanned The file is specific. Otherwise, if no matches are found, then at step 330, the file type will be determined as an unknown file type. Next, the file with the type set to it is transferred to the detection device 120. In the event that the type was determined, at step 340 an AV list is provided in accordance with the specified type from the anti-virus database, this 130. In the event that the type was not determined (i.e. e. the type is unknown), at step 350 an AV list is provided for unknown file types from the anti-virus database given 130. It is worth noting that this AV list may have entries from various types that have not been determined. At 360 , the detection device 120 compares the records from the received AV list and the received file. Then, at step 370, a decision will be made on the presence of malicious code in the file. If matches are found, then the file is malicious. Otherwise, the file is safe. After that, at step 380, the results of the verification will be sent to the device for analyzing the results of the verification 140. The analysis of the results of the verification will be described in FIG. four.

In the particular case of implementation, the verification results will be sent to the analysis result analysis device 140 only if the file type has not been determined.

In FIG. 4 shows a diagram of the algorithm for the adaptive tuning of the anti-virus database. At step 410, the verification result analysis device 140 receives the verification results from the detection device 120 and analyzes the indicated results at step 420. At step 430 , the verification result analysis device 140 determines what type of file the file belongs to, the type of which was originally identified as an unknown type.

An example of determining the type of file is a request to the AV server 180, which contains information about the results of the file scan. In turn, the AV server 180 analyzes the received information about the files, after which it sends the decision to the device for analyzing the results of the verification 140. The decision may contain both information about the type of files that the provided information corresponds to and information about the inability to determine the type of files. Another example of determining the file type during the analysis of the verification results is updating the list of file types using the database update device 170. Another example of identifying a new file type during the analysis of the verification log is a method for comparing file contents, which is based on comparing the file code and then identifying it similar sections of file contents and has been described with reference to FIG. one.

If the file type has not been determined, then the result analysis device 140 returns to step 410 and waits for the following file verification results. Otherwise, at step 440, the device 140 generates the necessary information for further determining the detected file type and transmits the specified information to the database modification device 150. At step 450 , the database modification device 170 generates an AV list for the detected file type, which then adds to other AV lists stored in the anti-virus database 130. In addition, the device 150 adds the received file type information to the list of file types, which is also stored in the anti-virus database 130. Then, on Tape 460 is completing work on the adaptation of the anti-virus database 130.

In FIG. Figure 5 shows a diagram of the algorithm for the adaptive tuning of the anti-virus database by counting the ratio of the number of scanned files of a safe file type to the total number of scanned files. At step 510, the verification result analysis device 140 receives the verification results from the detection device 120 and analyzes the indicated results at step 520. At step 530, the verification result analysis device 140 determines the availability of information about files whose file type refers to safe file types. If information about the specified files was not found, the device for analyzing the results of verification 140 returns to step 510 and waits for the following results of the verification of files. Otherwise, if information about the specified files was found, then the number of scanned files of safe type and the total number of scanned files of all types are counted. At step 550, it is determined whether the relationship between the counted files corresponds to the set value. The set value can be determined by the user, but with the goal of maximum efficiency, this value must meet the criterion of "10% or more" and is set by default. The criterion of "10% or more" means that the number of scanned files of the same safe type takes from 10% or more of the total number of scanned files. If the relation meets the specified criterion, then the analysis results analysis device 140 generates the necessary information for further creation of the AV list for subsequent checks of files of this type and transfers the generated information to the database modification device 150. Otherwise, if the ratio does not meet the specified criterion, then the analysis result analysis device 140 returns to step 510 and waits for the following file verification results. At step 560, the database modification device 170 generates an AV list in accordance with the information received, which is then added at step 570 to other AV lists stored in the anti-virus database 130. After which, at step 580, the adaptation of the anti-virus database 130 to those until new verification results are provided.

In FIG. 7 shows a computer system for which the described invention can be used.

FIG. 7 represents an example of a general purpose computer system (it can be either a personal computer or a server) 20, comprising a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented, like any bus structure known in the art, which in turn contains a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating system using ROM 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, keypad “ the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer can be equipped with other peripheral output devices (not displayed), for example, speakers, a printer, etc. .

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature the personal computer 20 of FIG. 7. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes, may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims.

Claims (22)

1. A method for updating information in an anti-virus database by generating an anti-virus list in an anti-virus database, and the anti-virus list corresponds to a new type of object, comprising the steps in which:
a) store a list of types of objects containing distinctive features for determining the types of objects, and anti-virus lists, separated by type of objects and containing anti-virus records for the corresponding types of objects;
b) determine the type of the received object for the purpose of subsequent selection of the anti-virus list for the anti-virus scan of the object;
c) conduct an anti-virus scan of the received object for the content of malicious code using the anti-virus list corresponding to a certain type of object, and generate the scan results;
d) analyze the results of the audit in order to identify objects in which the type of object was identified as an unknown type of object;
e) identify the type of at least one object whose type of object has been defined as an unknown type of object;
f) update the anti-virus database by adding the distinguishing features of the detected type of at least one object to the list of object types and creating an anti-virus list corresponding to the detected type of object, while these lists do not contain anti-virus entries. 2. The method according to claim 1, wherein the anti-virus entries are malicious code templates. 3. The method according to claim 1, in which the anti-virus entries are at least the metadata of the object, the extension of the object, the hash of the object, the size of the object, the MIME type, the location of the object. 4. The method according to claim 3, in which determining the type of object includes, at least, determining the location of the object in the file system. 5. The method according to claim 1, in which an antivirus scan of files in which the type of an object has been defined as an unknown type of object is carried out using an antivirus list for unknown types of objects. 6. The method according to claim 1, in which the identification of the type of objects is based on the analysis of the structure of objects. 7. The method according to claim 1, in which the detection of the file type occurs, at least on the basis of the analysis of the file structure and the request to the anti-virus server. 8. The method according to claim 1, in which the identification of the type of objects is based on the analysis of the contents of the objects. 9. The method of claim 8, in which the analysis of the contents of the objects is a byte comparison of the contents of the objects and the subsequent selection of at least one identical portion of the contents of the objects. 10. The method according to claim 9, where as an identical section of the contents of the objects is a sequence of bytes equal to 2 bytes or more and at the same time contained in all the analyzed objects at the same offset. 11. The system for updating information in the anti-virus database by generating an anti-virus list in the anti-virus database, and the anti-virus list corresponds to a new type of object that contains:
a) anti-virus database intended for:
- storing a list of object types containing information about the types of objects and anti-virus lists for each type of objects that contain anti-virus entries, and
- providing the specified list of object types to the preliminary analysis device and the indicated anti-virus lists to the detection device;
b) a preliminary analysis device designed to determine the type of object being checked using a list of object types and transmitting information about the type of object to the detection device;
c) a detection device designed to detect malicious code in the object being scanned using an anti-virus list that matches a specific type of object and transmit the results of the scan to the device for analyzing the results of the scan;
d) a device for analyzing scan results, designed to analyze the results of anti-virus scanning of objects, forming, on the basis of analysis, a decision on the need to adjust the database and transmit the corresponding information to the database modification device;
e) a database modification device designed to update the database by creating a new anti-virus list that does not contain anti-virus entries and adding information about the new type of object to the list of object types in accordance with the information received from the analysis analysis device. 12. The system of claim 11, which comprises a database update device for updating records in anti-virus lists stored in an anti-virus database. 13. The system of claim 11, wherein the anti-virus entries are patterns of malicious code. 14. The system of claim 11, wherein the anti-virus entries are at least the metadata of the object, the extension of the object, the hash of the object, the size of the object, the MIME type, the location of the object. 15. The system of claim 14, wherein determining the type of object includes at least determining the location of the object in the file system. 16. The system according to claim 11, where the device for analyzing scan results, analyzing the results of anti-virus scan of objects, selects objects whose object type was defined as an unknown type of object, for the subsequent determination of these unknown types of objects. 17. The system according to clause 16, in which unknown types of objects are determined by analyzing the structure of objects. 18. The system according to clause 16, in which unknown types of objects are determined using a query to the anti-virus server. 19. The system of clause 16, in which unknown types of objects are determined by analyzing the contents of the objects. 20. The system according to claim 19, in which the analysis of the contents of the objects is a byte comparison of the contents of the objects and the subsequent selection of at least one identical portion of the contents of the objects. 21. The system according to claim 20, where as an identical section of the contents of the objects is a sequence of bytes equal to 2 bytes or more and at the same time contained in all analyzed objects at the same offset. 22. The system according to claim 11, in which the detection device detects malicious code in objects whose object type has been defined as an unknown object type, using an anti-virus list for unknown object types.

Images