Kaspersky to make security scans more efficient

Kaspersky Lab patents system to prevent insignificant software events from being analyzed, making security scans more efficient

The United States Patent and Trademark Office has granted patent 8,762,948 to Kaspersky Lab for a technology that establishes a system and method for filtering insignificant events during software analysis.

Emulation is one of the most effective methods of analyzing malicious software, but it requires a huge amount of data to be analyzed. It works as follows: the program code is divided into separate commands, each of which is run on a virtual machine. This approach makes it possible to monitor the behavior of the commands without compromising the operating system of the computer. The process generates an event log, which is then analyzed to identify potentially harmful elements.
However, this log usually contains many insignificant events that do nothing to help identify whether a program is malicious, and they can make the analysis less effective. First, analyzing these insignificant events complicates the identification of genuinely malicious events, which can get lost in the mass of data. Second, it creates excessive strain on computing resources. Rather than overburdening the log with insignificant events, a pre-filtering mechanism removes them before the analysis starts: a dedicated filtration module strips all insignificant events from the log using an updated database of filtering rules.
The patent describes the method that generates these rules. The method is essentially the same program emulation, carried out on a remote system at the antivirus company. First, a number of test programs based on the most popular development tools are created. They are run on an isolated virtual machine where the event log is recorded. This log is analyzed and repetitive insignificant events are detected. Since these events do nothing to determine the level of malware danger, information about them is added to a database of filtering rules. Therefore, whenever a similar event appears in the log during the use of the emulator, the filtering module automatically removes it before beginning the analysis.
An example of a log event that would be deemed insignificant by this method is the function call 'GetVersion()', which is a request for the operating system version. This request is always made by any application written in Delphi 7, and is not an indication of malware.
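The two stages the article describes, deriving filtering rules from the logs of known-clean test programs and then stripping matching events from a new emulation log, can be illustrated with a small simulation. The following is an added example written for this page; it is not Kaspersky's code and does not reproduce the patented implementation. The log format (a list of API-name/argument tuples), the sample logs, and the rule "an event is insignificant if it appears in at least a given share of the test programs" are all assumptions made for the illustration.

```python
"""
Simplified model of emulator-log pre-filtering (added example, not the
patent's implementation). Events are (api_name, args) tuples; a filtering
rule is simply an event that every benign test program produced.
"""
from collections import Counter

Event = tuple  # (api_name: str, args: tuple)

# Constructed sample logs from three benign Delphi-style test programs.
# Every one of them calls GetVersion() and resolves kernel32 on startup,
# so those events say nothing about whether a program is malicious.
TEST_PROGRAM_LOGS = {
    "delphi7_hello": [
        ("GetVersion", ()),
        ("GetModuleHandleA", ("kernel32.dll",)),
        ("MessageBoxA", ("Hello",)),
    ],
    "delphi7_writer": [
        ("GetVersion", ()),
        ("GetModuleHandleA", ("kernel32.dll",)),
        ("CreateFileA", ("out.txt",)),
    ],
    "delphi7_empty": [
        ("GetVersion", ()),
        ("GetModuleHandleA", ("kernel32.dll",)),
    ],
}

# Constructed log of a new program submitted for emulation.
SAMPLE_LOG = [
    ("GetVersion", ()),
    ("GetModuleHandleA", ("kernel32.dll",)),
    ("CreateFileA", ("report.dat",)),
    ("WriteFile", ("report.dat",)),
    ("CreateProcessA", ("helper.exe",)),
]


def derive_filter_rules(logs: dict, min_share: float = 1.0) -> frozenset:
    """Return the set of events present in at least `min_share` of the
    test-program logs. Each event is counted once per program, so a
    program that calls GetVersion() ten times still contributes one vote.
    With the default min_share=1.0 an event must appear in every program,
    which is the conservative choice: a rule that is too broad would
    silently hide behaviour the analysis needs to see."""
    if not logs:
        return frozenset()
    votes = Counter()
    for events in logs.values():
        for event in set(events):
            votes[event] += 1
    needed = min_share * len(logs)
    return frozenset(event for event, n in votes.items() if n >= needed)


def filter_log(log: list, rules: frozenset) -> tuple:
    """Apply the rule database before analysis. Returns the events that
    survive filtering and the number of events removed, so the caller can
    see how much of the log was noise."""
    kept = [event for event in log if event not in rules]
    return kept, len(log) - len(kept)


if __name__ == "__main__":
    rules = derive_filter_rules(TEST_PROGRAM_LOGS)
    kept, removed = filter_log(SAMPLE_LOG, rules)
    print(f"rules: {sorted(rules)}")
    print(f"removed {removed} insignificant events, {len(kept)} left for analysis")
    for event in kept:
        print("  ", event)
```

Run as a script, the example derives two rules (GetVersion() and the kernel32 module lookup) and leaves three program-specific events for analysis. Lowering `min_share` makes the rule set broader and the filtered log smaller, which is exactly the trade-off a rule database like this has to manage: every additional rule saves analysis effort but also removes one more place where a genuinely suspicious event could have been observed.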