Traditional signature analysis cannot always detect a malicious file, particularly a polymorphic virus or a modified version of a known malicious file. Therefore, modern antivirus applications additionally employ a scan using a virtual machine. The file being scanned is executed on the virtual machine. The events that occur while the process launched from the file executes are recorded in a log by intercepting the various routines executed by both the process and the operating system (OS). The antivirus application then analyzes the resulting log. The log usually records the calls of API (application programming interface) functions made by that process during its execution, and also the returns from the API functions that were called (transfer of control to the return address). The execution of a file on a virtual machine usually occurs within a limited interval of time (up to several dozen seconds), because executing a file on a virtual machine and intercepting its API function calls significantly slow down the file's execution.

At the same time, in order to prevent detection of a malicious file by an antivirus application, hackers have begun to add code to the malicious file that performs no malicious activity itself but contains loops (cycles) with a large number of API function calls that take a long time to intercept. Thus, the time allotted to executing the file on the virtual machine elapses before the malicious portion of the file's code even begins to execute.
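The stalling behaviour described above leaves a trace in the sandbox log itself: a short sequence of API calls repeated until the time budget runs out. The following Python is an added example, not part of the original text, that flags such a log; the record layout (`Event`), the placeholder API names, the 30-second budget and the thresholds are all assumptions.

```python
from typing import NamedTuple, Optional

class Event(NamedTuple):
    t: float    # seconds since the sandboxed process started
    kind: str   # "call" or "ret", the two record types the log holds
    api: str    # API function name

class Stall(NamedTuple):
    pattern: tuple  # shortest repeating sequence of API names
    repeats: int    # consecutive repetitions of that sequence
    share: float    # fraction of the time budget spent in the loop

def find_stall(log, budget_s, max_period=4, min_repeats=50,
               min_share=0.8) -> Optional[Stall]:
    """Return the periodic run of API calls that consumed most of the budget."""
    calls = [e for e in log if e.kind == "call"]
    best = None
    for p in range(1, max_period + 1):
        start = 0  # first index of the current run with period p
        for i in range(p, len(calls) + 1):
            if i < len(calls) and calls[i].api == calls[i - p].api:
                continue  # still inside the periodic run
            repeats = (i - start) // p
            if repeats >= min_repeats:
                share = (calls[i - 1].t - calls[start].t) / budget_s
                if best is None or share > best.share:
                    names = tuple(c.api for c in calls[start:start + p])
                    best = Stall(names, repeats, share)
            start = i - p + 1  # earliest index a new run can begin at
    return best if best and best.share >= min_share else None

def constructed_log(budget_s=30.0, n=3000):
    """Constructed sample: one setup call, then a two-call loop until timeout."""
    log = [Event(0.01, "call", "ApiInit"), Event(0.02, "ret", "ApiInit")]
    step = (budget_s - 1.0) / n
    for k in range(n):
        t, api = 0.5 + k * step, ("ApiX", "ApiY")[k % 2]
        log += [Event(t, "call", api), Event(t + step / 2, "ret", api)]
    return log

if __name__ == "__main__":
    print(find_stall(constructed_log(), budget_s=30.0))
```

A hit means the verdict drawn from that log covers only the stalling code, so the sample should not be treated as clean on the strength of that run alone.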