Woburn, MA – July 15, 2014 – The United States Patent and Trademark Office has granted patent 8,762,948 to Kaspersky Lab for a technology that filters insignificant events out of the log produced during software analysis, making security scans more efficient.
Emulation is one of the most effective methods of analyzing malicious software, but it produces a huge amount of data to be analyzed. It works as follows: the program code is broken into individual instructions, each of which is executed on a virtual machine rather than on the real processor. This makes it possible to observe what the code does without putting the host operating system at risk. The process generates an event log, which is then analyzed to identify potentially harmful behavior.
However, this log usually contains many insignificant events that do nothing to help determine whether a program is malicious, and they make the analysis less effective: genuinely malicious events can get lost in the mass of data, and processing the noise places unnecessary strain on computing resources. Rather than overburden the log, a filtration module removes the insignificant events before analysis begins, using a regularly updated database of filtering rules.
The patent describes the method by which these rules are generated. It is essentially the same emulation, carried out on a remote system at the antivirus vendor. First, a number of test programs are created with the most popular development tools. They are run on an isolated virtual machine and their event logs are recorded. The logs are then analyzed to detect repetitive insignificant events. Since these events do nothing to determine how dangerous a program is, information about them is added to the database of filtering rules. Thereafter, whenever a matching event appears in a log during emulation, the filtering module removes it automatically before analysis begins.
An example of a log event that would be deemed insignificant by this method is the call to the Windows API function GetVersion(), which requests the operating system version. Every application written in Delphi 7 makes this call, so its presence is not an indication of malware.
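To make the two stages concrete, here is an added Python example (not code from the patent or from Kaspersky Lab) that derives filtering rules from the event logs of benign test programs and then applies them to a suspect program's log before analysis. The event logs, the toolchain label "delphi7" and the NEVER_FILTER safeguard are constructed assumptions for illustration; the patent text describes neither the log format nor such a protected list.

```python
from collections import Counter

# Constructed sample data (not real emulator output): for one toolchain, the
# API-call event logs recorded while emulating three benign test programs.
BASELINE_LOGS = {
    "delphi7": [
        ["GetVersion", "GetModuleHandleA", "GetCommandLineA", "HeapCreate",
         "MessageBoxA"],
        ["GetVersion", "GetModuleHandleA", "GetCommandLineA", "HeapCreate",
         "CreateFileA", "WriteFile", "CloseHandle"],
        ["GetVersion", "GetModuleHandleA", "GetCommandLineA", "HeapCreate",
         "RegOpenKeyExA", "RegQueryValueExA"],
    ],
}

# Constructed log of a suspect program built with the same toolchain: the
# startup calls shared with the baselines, followed by a process-injection
# sequence that the analysis must keep.
SUSPECT_LOG = ["GetVersion", "GetModuleHandleA", "GetCommandLineA", "HeapCreate",
               "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
               "CreateRemoteThread"]

# Assumption added here: calls that behavioural analysis depends on are never
# turned into filtering rules, even if every benign baseline happened to make
# them. The patent text does not describe such a list.
NEVER_FILTER = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                "CreateRemoteThread", "SetWindowsHookExA"}


def derive_rules(baseline_logs, min_fraction=1.0):
    """Build the filtering-rule database.

    For each toolchain, an API call is ruled insignificant when it appears in
    at least min_fraction of the benign baseline programs built with that
    toolchain. Counting is per program, not per call, so a call that a single
    program makes in a loop does not become a rule.
    """
    rules = {}
    for toolchain, logs in baseline_logs.items():
        programs_using = Counter()
        for log in logs:
            programs_using.update(set(log))
        needed = min_fraction * len(logs)
        rules[toolchain] = {api for api, n in programs_using.items()
                            if n >= needed} - NEVER_FILTER
    return rules


def filter_log(log, rules, toolchain):
    """Drop events matched by the rules for the suspect's toolchain.

    The toolchain label is assumed to come from a separate compiler/packer
    identification step; an unknown toolchain leaves the log untouched, which
    costs analysis time but never hides an event.
    """
    insignificant = rules.get(toolchain, set())
    return [event for event in log if event not in insignificant]


if __name__ == "__main__":
    rule_db = derive_rules(BASELINE_LOGS)
    kept = filter_log(SUSPECT_LOG, rule_db, "delphi7")
    print("rules for delphi7:", sorted(rule_db["delphi7"]))
    print("events left for analysis:", kept)
```

Two design points matter in practice. The rules are keyed by toolchain because the page's own example, the GetVersion() call, is characteristic of programs built with Delphi 7, so applying a Delphi-derived rule set to a program built with a different compiler would be a guess. And min_fraction is a trade-off: lowering it filters more aggressively and shrinks the log further, but a call that merely happens to be common among the chosen benign samples then starts disappearing from suspect logs as well, which is why the protected set is applied last.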
“When developing an effective analytical module, it is important to maintain a balance so that effective protection does not restrict computing performance. First and foremost, we cannot overload this module with insignificant information – it already has enough work to do,” commented Oleg Zaitsev, Lead Technical Specialist at Kaspersky Lab and the author of the patented technology.
This technology is already integrated into Kaspersky Endpoint Security 8.0 for Windows, Kaspersky Endpoint Data Protection Edition (Endpoint 10), Kaspersky Internet Security, Kaspersky Internet Security for Virtualization and Kaspersky PURE.
Kaspersky Lab continues to obtain more and more patents for its cutting-edge information security technologies. As of July 2014, Kaspersky Lab’s portfolio includes 219 patents issued in Russia, the US, the EU and China. An additional 276 patent applications are currently under consideration by the patent authorities in these countries.
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares" (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.
For the latest in-depth information on security threat issues and trends, please visit:
Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter
Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter