At present, the amount of malicious software (such as computer viruses, Trojan horses, Internet worms) is on the rise, aimed at causing harm both to the data of the user and to the user of an electronic device infected with malicious software. The harm may be caused by damage to or removal of user files, the unauthorized use of the resources of the user's computing device for “mining” cryptocurrencies, theft of electronic and confidential data of the user (e.g., correspondence, images, logins, passwords, bank card information) and other actions. Moreover, malicious software is constantly changing, as its creators resort to ever newer mechanisms of attack and of defence against security applications. Various mechanisms are used, such as obfuscation of malicious code (in other words, transforming the original source text or executable program code into a form which preserves its functionality, yet resists analysis, understanding of its working algorithms and modification, for example during decompilation) or the use of emulation-counteracting mechanisms (for example, malicious software endowed with functions for recognizing when it is being executed in an emulator, in which case it does not manifest its malicious activity).
Furthermore, malicious software often does not manifest its malicious activity at once, but instead performs a multitude of calls of API functions (in the order of millions of calls), a huge number of cycles (in the order of billions of iterations), or stops working for a certain amount of time immediately after being launched (for example, for 1 hour by the use of the “Sleep ( )” function). The computing devices of a user today have high performance and multicore processors (there are also multiprocessor systems), so that a user might not notice or attach importance to the load status of one of the cores. Moreover, a user ordinarily makes use of the device for more than one hour after it has been turned on. Hence, there is no need for malicious software to manifest its activity at once after it has been launched.
In order to deal with the above approaches, the makers of security applications (such as antivirus applications) employ techniques making use of virtual machines in the form of an isolated environment for the safe execution of files. Often such virtual machines are known as sandboxes. The hypervisors under whose control such virtual machines run contain mechanisms for intercepting functions being called up by the applications being executed therein.
It should be noted that security applications employ various methods for detecting malicious software, for example, technologies such as signature and/or heuristic analysis. If the harmfulness of a file has not been determined in the analysis process (for example, if it does not have the digital signature of a trusted software manufacturer), it may be handed over by the security application for analysis of its behavior in the aforementioned virtual machine. The transferred file is then executed in the virtual machine; its actions, and the events generated by its calls to various functions, are intercepted during the course of its execution, and the intercepted events and actions are kept in a log and subsequently analyzed by the security application or by an expert in computer security.
Thus, the known systems for intercepting and aggregating of events and actions work in two steps. In the first step, information is gathered, and in the second step it is analyzed.
One deficiency of the known systems and methods is that they do not influence the execution process while the file is being executed. For example, a process launched from a file being analyzed (or from an application which has opened the file being analyzed) might halt its execution for an hour, or might attack some email client or messenger (a program for exchanging messages) by accessing a file with saved passwords. But if the attacked program is absent from the virtual machine, the harmful behavior of the file will not be identified. This is because, not having found the required file with passwords, the malicious file concludes its execution by itself and never displays its malicious activity.
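The second analysis step described above (reading a log of intercepted calls after the sandbox run) can be sketched as a small analyzer that flags the two evasion patterns this text names: a long delay via “Sleep ( )” and a process that quits right after failing to find a credential store. This is an added example, not code from the patent or any security product; the log format (pid;api;argument;result), the API names, the ten-minute delay threshold and the credential-store name hints are assumptions made for illustration.

```python
# Added example: second-step analyzer over a constructed sandbox event log.
# Log format (pid;api;argument;result) and API names are assumptions for
# illustration; a real hypervisor interceptor emits its own format.
from collections import defaultdict

SLEEP_THRESHOLD_MS = 10 * 60 * 1000                 # assumed: 10+ minute delays are suspicious
CREDENTIAL_HINTS = ("password", "login", "wallet")  # assumed substrings of credential stores

# Constructed sample log: one line per intercepted call, in execution order.
SAMPLE_LOG = """\
4120;Sleep;3600000;OK
4120;CreateFile;C:\\Users\\u\\AppData\\Roaming\\Mailer\\passwords.db;NOT_FOUND
4120;ExitProcess;0;OK
5300;CreateFile;C:\\Users\\u\\report.docx;OK
5300;Sleep;500;OK
"""

def parse_log(text):
    """Turn the intercepted-call log into (pid, api, argument, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, arg, result = line.split(";", 3)
        events.append((int(pid), api, arg, result))
    return events

def analyze(events):
    """Return {pid: [verdict, ...]} for the evasion patterns described in the text."""
    per_pid = defaultdict(list)
    for pid, api, arg, result in events:
        per_pid[pid].append((api, arg, result))
    verdicts = defaultdict(list)
    for pid, calls in per_pid.items():
        for i, (api, arg, result) in enumerate(calls):
            if api == "Sleep" and int(arg) >= SLEEP_THRESHOLD_MS:
                verdicts[pid].append(f"long delay via Sleep({arg})")
            # Missing credential store followed by an immediate exit: the sample had
            # no chance to show its behaviour, so the run would need that resource supplied.
            if (api == "CreateFile" and result == "NOT_FOUND"
                    and any(h in arg.lower() for h in CREDENTIAL_HINTS)
                    and i + 1 < len(calls) and calls[i + 1][0] == "ExitProcess"):
                verdicts[pid].append(f"exited after missing credential store {arg}")
    return dict(verdicts)

if __name__ == "__main__":
    for pid, notes in analyze(parse_log(SAMPLE_LOG)).items():
        print(pid, notes)
```

Because this analysis runs only after the sandbox run has finished, it can report the evasion but cannot change the outcome of that run, which is exactly the deficiency the paragraph above describes.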