System and method for reducing load on an operating system when executing antivirus operations

Abstract

An initial trust status is assigned to a first object, the trust status representing one of either a relatively higher trust level or a relatively lower trust level. Based on the trust status, the first object is associated with an event type to be monitored, where the event type is selected from among: essential events, occurrence of which is informative as to trust status evaluating for an object, and critical events, including the essential events, and additional events, occurrence of which is informative as to execution of suspicious code. Occurrences of events relating to the first object are monitored. In response to the first object being assigned the relatively higher trust level, only the essential events are monitored. In response to the first object being assigned the relatively lower trust level, the critical events are monitored. A need for performing malware analysis is determined based on the trust status of the first object and the event type. In response to determination of the need for performing the malware analysis, the malware analysis for the first object is either performed, or not.

Description

PRIOR APPLICATION[0001]This Application claims the benefit of Russian Federation Patent Application No. 2013153767, filed Dec. 5, 2013, the content of which is incorporated by reference herein.FIELD OF THE INVENTION[0002]The invention relates generally to information processing systems and security and, more particularly, to systems and methods for improving efficiency of anti-malware operations.BACKGROUND OF THE INVENTION[0003]Malicious software, commonly referred to as malware, describes any software designed for infiltration into a computer system in order to gain control over such a system and to perform unauthorized actions, such as theft of confidential information, for example. A wide variety of malware exists today, including network worms, trojan programs, rootkits, exploits and computer viruses. Therefore, many owners of computer devices (for example, personal computers) use various antivirus applications for protection, which allow to detect and remove malicious programs....

AI Technical Summary

Benefits of technology

The invention relates to selectively performing malware analysis of objects in a computer system. It assigns a trust level to each object and monitors events that are informative of its trust status. Based on the trust level, the system determines if malware analysis is needed and performs it accordingly. The technical effect of this invention is improved efficiency and accuracy in identifying malicious software in an automated manner, while reducing the likelihood of false positives.

Problems solved by technology

The above-described technologies, used jointly to detect malicious programs, have one substantial deficiency.

This deficiency is related to the fact that a malicious code (for example, due to a vulnerability of the program or of the operating system) can infiltrate the address space of a trusted process and continue to be executed with the rights of the trusted process.

In known approaches for detecting malicious programs, monitoring, analysis, and evaluation of the behavior of all the processes, are very resource-consuming tasks, the performance of which can cause the so-called “freezing” of the applications run by the user or of the whole operating system.