The rapid growth of computer technology and computer networks has been accompanied by an increase in the problems of providing protection against malicious objects which enter users' computers in the form of malicious programs, viruses, worms, undesirable applications and other types of malware. Many antivirus technologies are used at the present time, including signature and heuristic analysis, emulation and proactive protection.
The commonly owned U.S. Pat. No. 7,530,106, which is incorporated by reference herein, discloses an antivirus technology that uses security rating rules for evaluating the behavior of executable files in order to detect malicious behaviors therein. These security rating rules are formulated based on the study of the behavior of known malicious programs. Each rule has a specified structure, as follows: rule identifier, name of the API function called (an API, or Application Programming Interface, is a set of prepared classes, functions, structures and constants provided by the operating system for use by external programs), the API function's arguments, and a security rating. The rule serves to classify a tested file as malicious: it is activated when a thread of execution of a process started from that file calls one or more API functions with the arguments specified by the rule, and on activation the security rating of the file is increased by the value specified in the rule.
However, the patented system has a number of shortcomings due to the frequently changing behaviors of malicious programs. Security rating rules of this kind may fail to trace a chain of events such as "downloading a file", "storing a file on disk" and "setting autostart", since each event of this type, taken alone, may not have a sufficiently high security rating or may have no security rating at all. This, in turn, means that an unknown malicious program which has performed these actions will not be blocked at the appropriate time. Moreover, the patented system does not keep a count of the number of activations of the specified rules, the order in which a series of rules is activated, and the like. A system of this kind also has shortcomings associated with the occurrence of errors of the first kind (false positives) and of the second kind (false negatives). Accordingly, there is a need for a malware detection mechanism that overcomes these shortcomings of the prior antivirus technologies.
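The following is an added illustration, not code from the patent or its assignee, of the rule structure described above (identifier, API function, arguments, security rating) and of the shortcoming just discussed. The rule identifiers, API names, argument values, ratings, the classification threshold, and the chain and count rules in the second half are all assumptions made for the example. It scores a constructed "download, store on disk, set autostart" call trace first the way the patented system does (each activation only adds its rating) and then with order and count of activations taken into account, to show why the per-call scheme misses the chain.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example: a toy version of the security rating rule structure the text
# describes (rule identifier, API function name, arguments, security rating).
# Rule identifiers, API names, argument values, ratings and the threshold are
# assumptions made for illustration, not values taken from the patent.

@dataclass(frozen=True)
class Rule:
    rule_id: int
    api: str
    args: Dict[str, str]   # argument name -> required value; every entry must match
    rating: int

RULES = [
    Rule(1, "URLDownloadToFileA", {}, 10),
    Rule(2, "CreateFileA", {"dwDesiredAccess": "GENERIC_WRITE"}, 5),
    Rule(3, "RegSetValueExA",
         {"lpSubKey": r"Software\Microsoft\Windows\CurrentVersion\Run"}, 20),
]
THRESHOLD = 50   # assumed: a file whose rating reaches this is classified malicious

Event = Tuple[str, Dict[str, str]]   # (API function called, its arguments)

def rule_matches(rule: Rule, api: str, args: Dict[str, str]) -> bool:
    """A rule activates when the called API and all its specified arguments match."""
    return rule.api == api and all(args.get(k) == v for k, v in rule.args.items())

def activations(trace: List[Event]) -> List[int]:
    """Rule identifiers activated by the trace, in the order the calls occurred."""
    return [r.rule_id for api, args in trace for r in RULES if rule_matches(r, api, args)]

def prior_art_score(trace: List[Event]) -> int:
    """Scoring as the text describes for the patented system: each activation adds
    the rule's rating; neither order nor number of activations is considered."""
    ratings = {r.rule_id: r.rating for r in RULES}
    return sum(ratings[rid] for rid in activations(trace))

# Illustrative extension (an assumption, not part of the prior patent): rules over
# the ordered series of activations and over activation counts.
CHAIN_RULES = {"download-store-autostart": ([1, 2, 3], 60)}   # ordered ids -> bonus
COUNT_RULES = {2: (3, 30)}   # rule id -> (minimum activation count, bonus)

def is_subsequence(needle: List[int], haystack: List[int]) -> bool:
    """True if needle occurs in haystack in order (not necessarily adjacent)."""
    pos = 0
    for item in haystack:
        if pos < len(needle) and item == needle[pos]:
            pos += 1
    return pos == len(needle)

def chain_aware_score(trace: List[Event]) -> int:
    """Prior-art score plus bonuses for ordered chains and repeated activations."""
    acts = activations(trace)
    total = prior_art_score(trace)
    for sequence, bonus in CHAIN_RULES.values():
        if is_subsequence(sequence, acts):
            total += bonus
    for rule_id, (min_count, bonus) in COUNT_RULES.items():
        if acts.count(rule_id) >= min_count:
            total += bonus
    return total

# Constructed trace of the chain named in the text: download, store on disk, autostart.
DROPPER_TRACE: List[Event] = [
    ("URLDownloadToFileA", {"szURL": "http://example.com/payload.exe"}),
    ("CreateFileA", {"lpFileName": r"C:\Users\u\AppData\Local\payload.exe",
                     "dwDesiredAccess": "GENERIC_WRITE"}),
    ("RegSetValueExA", {"lpSubKey": r"Software\Microsoft\Windows\CurrentVersion\Run",
                        "lpValueName": "payload"}),
]

if __name__ == "__main__":
    p, c = prior_art_score(DROPPER_TRACE), chain_aware_score(DROPPER_TRACE)
    print("prior art:", p, "malicious:", p >= THRESHOLD)
    print("chain-aware:", c, "malicious:", c >= THRESHOLD)
```

With the assumed ratings the three calls score 35 under per-call matching, below the threshold, so the dropper is not blocked; the chain-aware scorer recognizes the ordered series of activations and scores 95. Reversing the trace (autostart set before the download) leaves the chain unmatched, which is the order-sensitivity the prior system lacks, and three repeated file writes trigger the count rule rather than the chain rule.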