RU2696236C1 - Method of generating information request about file during antivirus checking in order to exclude false operation - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: invention relates to computer security means. Method of generating a request for information on a file to verify the absence of a false decision when determining a file as safe during antivirus checking comprises synchronously selecting a portion of the file and counting the first hash sum of the file from the selected portion of the file on the user's computer, synchronously searching for the first hash sum of the file in the verdict cache, making a decision that the first hash sum of the file is not in the data cache, accessing the file and asynchronously counting the second hash sum of the file to exclude the false decision, where second hash sum of file is counted based on whole file, request to remote server and waiting for response, where the request contains the second hash sum of the file, depending on the received response from the remote server, determining the presence of a false decision and taking a final decision on the file severity.

EFFECT: shorter time for delaying file launch when performing check for false operations during antivirus scanning of a file.

9 cl, 5 dwg

Description

Technical field

The invention relates to computer security, and more particularly to a means of reducing the number of false solutions to antivirus systems.

State of the art

Computer viruses, worms, trojans, rootkits, and spyware are examples of malware that affects computer systems around the world. Despite the technical differences between each type of malware, in most cases they are called “viruses”. The entire set of viruses is aimed at both harming the computer itself and the personal data of users.

One of the most effective ways to counter malware is to use antivirus software (antivirus). Antivirus is a software package designed to detect and remove malware from a computer, as well as to eliminate the consequences of the presence of malware. To detect malicious applications, the antivirus program performs a full or selective scan of files present on local and network storage devices, such as hard drives.

A typical antivirus includes a file scanning engine and a database. The database contains at least anti-virus entries to identify known malware. Each anti-virus entry can be represented in the specified database in the form of a signature (checksum of the code section), heuristic rule, etc. To check the file for malicious code, the scanning engine opens the file and compares its contents with anti-virus entries from the database. Also, at present, not a direct comparison of anti-virus entries can be used, but a hash of the scanned files. File hash is the result of a file conversion by applying a hash algorithm using a specific hash function, for example, MD5 or SHA1.

One of the points of an anti-virus scan is a scan when you try to access a file (OAS, On-Access Scan), for example, when it starts or opens. At this point, the launch of the file is intercepted, followed by anti-virus scanning. During the anti-virus scan of the file, the hash of the file can be calculated and compared with the database, while the database can be placed both with the anti-virus application (in the same computer system) and remotely - on the remote (network) server . Although calculating the hash sum and comparing it is an effective solution, nevertheless, it still takes time to calculate the hash sum and subsequent comparison, during which there is no access to the file. Moreover, the larger the file, the longer the time it takes to calculate the hash of the file and the longer the anti-virus scan will take.

One of the solutions to this problem during the anti-virus scan can be the use of synchronous and asynchronous file scanning technology. In synchronous mode, when you try to access a file, all actions by other programs on the file that is being scanned are blocked by the antivirus program until the scan is complete. Blocking files also allows you to prevent the execution of malicious code from the file and isolate the malicious file in time. Asynchronous file checking is advisable in cases where, when accessing a file, the risk of malicious code execution is minimal, and file blocking is not necessary. In asynchronous mode, when accessing the file, blocking does not occur, and the file itself is checked in parallel with other ongoing actions on the file (for example, its execution). However, modern anti-virus scanning technologies using file scanning technologies in various ways mainly describe the ability to scan files in one way or another, but the question of deciding whether to select the necessary (optimal) type of corresponding scan is not taken into account.

Another drawback of anti-virus systems is that during anti-virus scanning there is a possibility of errors during operation. Errors are divided into the so-called errors of the first kind (English false positives) and errors of the second kind (English false negatives). Errors of the first kind appear when the anti-virus system detects a malicious object, although in fact the object does not pose any threat. Errors of the second kind with respect to antivirus systems are associated with the situation when the antivirus system does not detect it in the presence of a virus or other malicious object. In other words, a false positive occurs. To improve the quality of the antivirus system, there is a need to reduce the likelihood of errors of the first and second kind.

The technical solution proposed further has an advantage over modern systems. It allows you to reduce the time it takes to check the decision of the anti-virus system for false positives when determining the file as safe.

Disclosure of invention

In order to solve these drawbacks of the prior art, the present invention provides a solution to reduce the delay time for launching a file on a computer due to anti-virus scanning, namely, a method for generating a request for information about a file during anti-virus scanning and a system for implementing the method. In addition, this solution also allows you to reduce the delay time for launching a file in case of a false positive check during the specified anti-virus scan, where a false positive consists in deciding that the file is safe, but in fact it is malicious.

Another technical result of the present invention is to reduce the delay time of the launch of the file when checking for false positives during the anti-virus scan of the file. The indicated technical result is achieved by calculating a short hash function and selecting the optimal type of generating information request for false positives to the anti-virus server based on the search result of a short hash sum, where the selection is made in such a way as to ensure computer security.

As one embodiment of the present invention, there is provided a method of generating a request for information about a file to verify that there is no false solution when determining the file as safe during anti-virus scanning, the method comprising the steps of: synchronously selecting a part of the file and calculating the first hash of the file from the selected part of the file on the user's computer; synchronously search for the first hash of the file in the verdict cache, while the verdict cache contains information about known malicious files; make a decision that the first hash of the file is not in the data cache; provide access to the file and perform an asynchronous calculation of the second hash of the file to eliminate a false decision, where the second hash of the file is calculated based on the whole file; transmit the request asynchronously to the remote server and wait for a response, where the request contains the second hash of the file; depending on the response received from the remote server, they determine the presence of a false decision and make the final decision about the harmfulness of the file.

In another embodiment of the method, the verdict cache is located either on the same client computer or on a remote server.

In yet another embodiment of the method, a remote server containing a cache of verdicts is located either on the local or global network.

In another embodiment of the method, an additionally generated request is sent to another remote server, if there is no solution on the previously mentioned remote server.

In yet another embodiment of the method, the calculation of the first hash function of the file is based on the type of file, where each type of file has its own portion of the file to create a hash sum.

In another embodiment of the method for calculating the first hash of the file, part of the file is selected in such a way as to select the most unique part of files of a certain size.

In yet another embodiment of the method, the most unique part of a file is selected based on the file metadata.

In another embodiment of the method for calculating the first hash of the file, part of the file is selected based on a specific algorithm.

As another embodiment, a system is proposed that includes a permanent computer-readable medium storing computer-readable instructions, upon completion of which the system generates a request for information about the file to verify that there is no false solution when determining the file as safe, according to the above methods.

Brief Description of the Drawings

Additional objectives, features and advantages of the present invention will be apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

In FIG. 1 schematically illustrates a system configured to implement various embodiments of the present invention.

FIG. 2 schematically illustrates an example composition of an antiviral agent in accordance with an embodiment of the present invention.

In FIG. 3 is a flowchart schematically illustrating a method for generating a request for file information during an anti-virus scan of a file.

In FIG. 4 is a flowchart schematically illustrating a method of generating a request for file information to check for a false decision.

FIG. 5 illustrates an example of a general purpose computer system on which the claimed invention can be implemented.

Although the invention may have various modifications and alternative forms, the characteristic features shown by way of example in the drawings will be described in detail. It should be understood, however, that the purpose of the description is not to limit the invention to its specific embodiment. On the contrary, the purpose of the description is to cover all changes, modifications that are included in the scope of this invention, as defined by the attached formula.

Description of Embodiments

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The above description is intended to help a person skilled in the art for a comprehensive understanding of the invention, which is defined only in the scope of the attached claims.

In FIG. 1 shows a system 100 configured to implement various embodiments of the present invention. In one embodiment, system 100 allows you to control the generation of file information requests during an anti-virus scan of a file in the most appropriate way. The requested information at least means information about the harmfulness or security of the scanned file. In one example implementation, the specified information is a label that indicates certain information. Also, information, for example, may contain information about the type of malicious file, methods of treatment, hash of the file, etc. Thus, the system 100 allows you to optimize the operation of antivirus applications by reducing the file delay time during antivirus scanning before executing it on a computer.

System 100 includes at least one computer 110a. In a general case, the computer implementation is the computer system described in FIG. 5. When implementing a computer can be understood as personal computers, such as desktop computers, laptops and netbooks, and electronic devices with wireless communications, for example, mobile phones, smartphones and tablets. In FIG. 1 computers 110a, 110b and 110v are implemented as personal computers. It is worth noting that with the further mention of one of the computers, similar work can be done on other computers. Except in cases where it is specifically indicated that we are talking about a specific implementation option.

Computer 110a includes various software, such as hardware, software, and / or system software. In one embodiment, computer 110a comprises at least an antivirus application (not shown). In general, the goal of an anti-virus application is to detect malicious files and to prevent attacks on user data stored on computer 110a through, for example, malicious files. The anti-virus application and its components are implemented in the form of software, while this implementation is not specifically limited. An example of an anti-virus application is the Kaspersky Total Security application of the company Kaspersky Lab JSC. In one implementation variant, the anti-virus application can be implemented as an anti-virus agent, a distinctive feature of the anti-virus application of which is the restriction in the composition of protection components, while, as a rule, the anti-virus agent interacts with remote security systems that have a more complete set of protection components and analysis. Thus, due to the antivirus agent, the load on various computer elements, such as the storage medium, processor, memory, etc., is optimized.

In one embodiment, with reference to FIG. 2, the anti-virus agent 210 includes at least such components as the monitoring tool 230 and the cache of verdicts 250. The monitoring tool 230 allows you to track the launch and execution of files on the computer 110a, intercept and stop the launch of the file until the anti-virus scan of the files is completed, and and the antivirus scan itself (depending on the implementation of Agent 210). In general, a file refers to an executable file. The cache of verdicts 250 of the antivirus agent 210 is designed to store information necessary for the fulfillment of the mission by the antivirus agent. An example of stored information is information about malicious and safe objects, in particular files. The information stored in the cache of verdicts can be updated both over time with a certain frequency, and on request. Information in the verdict cache is stored and provided (for example, to monitoring tool 230) in the preferred form for fulfilling the mission of the anti-virus agent components, for example, in the form of hash sums (hashes) of files. At the same time, the verdict cache 250 does not contain information about short hashes of safe files, only about full hashes. At the same time, anti-virus agent 210 may contain other components of the anti-virus application. The presence of this or that component depends on the specific implementation of the antivirus agent. Moreover, the components and their tasks can be different. Examples of tasks for components of an anti-virus agent are: anti-virus scanning of files stored on a client’s computer on demand (on demand scanning); antivirus scan on access (on access scanning); protection against network attacks; behavioral detection; monitoring system events; search for system abnormalities; analytical components; expert assessment, etc.

Anti-virus agent 210 has the ability to interact with other computers 110b and 110b and external servers, for example, security server 130 and information server 160, i.e. with other various electronic devices. The interaction of the computer 110a is through various networks. Depending on the embodiment of the present invention, the network can be either a global network 150, for example, an information and communication network "Internet", or a local network, for example, a network 140. Also, the network can be characterized as corporate, private, etc. In addition, communication through these networks will be carried out depending on the capabilities of the electronic devices themselves. So, for example, if the client’s computer is a wireless communication device (for example, a smartphone), then communication is made through a wireless network. Examples of wireless networks are 3G networks, 4G networks, Wireless Fidelity (WiFi®) networks, Bluetooth®, and the like. In cases where the computer is a portable computer, communications can be carried out both over wireless networks and wired (Ethernet-based connection).

In some embodiments, the anti-virus agent 210 will communicate with a security server 130 located on the local network 140 and / or with an information server 160 through the wide area network 150. Both servers can be implemented in one of the computer systems shown in FIG. 5. In some embodiments, the security server 130 is a server that uses the Kaspersky Security Center application containing the database 120, and the information server 160 is a database used within the framework of the Kaspersky Security Network infrastructure. Kaspersky Security Network (KSN) is a service that provides access to the knowledge base of Kaspersky Lab JSC on the reputation of files, Internet resources and software and other information. Also, one or both servers may be any suitable hardware and / or application software and / or system software or a combination thereof. In the present embodiment, servers 130 and 160 are represented as single servers. In other embodiments of the present invention, the functionality of the servers 130 and 160 may be split and executed using multiple servers.

In some embodiments, the functionality of the anti-virus agent 210 for performing anti-virus scanning of a file on a computer 110a allows at least one of the following to be performed: i) intercept the opening of the file, for example, when it is launched, on the computer and thus suspend the execution of the executable file; ii) synchronously calculate the first hash of the file on the client computer; iii) perform a synchronous search for the first hash sum in the verdict cache, which contains the hash sums and decisions on at least the known malicious files; iv) depending on the search result, select the synchronous or asynchronous type of forming a request for information about the file and then search for information according to the request, where with the synchronous type the file execution remains paused, and with the asynchronous type the file is restarted, while the mentioned formation consists in counting second hash of the file; v) search for a solution (verdict) for the file according to the generated request to complete the anti-virus scan; vi) decide on the file being scanned for malware or security. Anti-virus agent 210 may also be able to check for errors of the first and second kind when deciding on the harmfulness or security of the scanned file, in particular on the absence of a false decision when determining the file as safe.

The operation of the anti-virus agent 210 for anti-virus scanning of a file on the client computer 110a with the possibility of reducing the file delay time will be described in detail below.

For the purposes of the present description, it is assumed that, on the computer 110a, a process is started from an executable file. In this case, the anti-virus agent 210, for anti-virus scanning of the specified file, intercepts the file and thus suspends the execution of the file. Depending on the implementation of the invention, the indicated task can be carried out both using the antivirus agent 210 itself and using the components built into it, for example, as mentioned above, using the monitoring tool 230.

Next, the anti-virus agent 210 performs an anti-virus scan of the file, an attempt to access which has been intercepted. Depending on the implementation, for the anti-virus scan, the anti-virus agent 210 either independently analyzes the file for malicious program code, either uses a remote server, for example, a remote security server 130, or uses both analysis options, while separating the file analysis steps. Also, the anti-virus agent 210, during the anti-virus scan, selects the optimal type of scan during file analysis from the point of view of its blocking, namely, at different stages of the analysis, the anti-virus agent 210 analyzes and selects between synchronous and asynchronous scan modes (generating file information requests ) The synchronous scan mode indicates that the file is held during the anti-virus scan, i.e. the file is not executing. Asynchronous scan mode indicates the launch of the file for further execution, and the antivirus scan itself continues in parallel with the file execution. The selection of the appropriate type of verification is based on the calculation of hash sums and their search in the cache of verdicts 250 with further decision making.

It is worth noting that, regardless of the implementation of the invention, the antivirus agent 210 contains a cache of verdicts 250. In one embodiment, the cache of verdicts 250 is a database that contains information about files in the form of hash sums, while hash sums have at least two types: a short hash of the file and a full hash of the file. The verdict cache can also be part of another database, and also optionally contain at least decisions about the harmfulness or security of the files, which correspond to the full hashes of the files. In another embodiment, the verdict cache is a memory area containing a list of hash sums of files and decisions (verdicts) for the corresponding files. In addition, the verdict cache can be implemented both locally and remotely (for example, located on security server 130 in database 120). In the case of a remote location, it is preferable, but not necessary, that the interaction be carried out via a wired communication line and the server is on the same network as the user's computer on which the antivirus agent 210 is installed.

The short hash of the file or the first hash of the file is calculated only from any part or parts of the file. The advantage of such a hash sum is the reduction of its calculation time compared to the hash sum of the whole file, and the larger the file size, the more significant this advantage. The full hash of the file or the second hash is calculated from the entire file. The advantage of such a hash sum is the minimum probability of collision (i.e., the coincidence of the hash sums of two different files), which makes it possible to accurately determine whether there is any decision about the file in the database or the verdict cache. In turn, a short hash sum of a file can correspond to several files at the same time, which requires further refinement in order to eliminate a possible collision. In one embodiment, the methodology for selecting (determining) a part of a file for calculating a short hash sum of a file is formed empirically. Depending on the implementation of the invention, the selection of a part of the file for hashing can also be made based on a predetermined algorithm. For example, the selection of a part of a file may be based on the type of file, and for each type of file its own section of the file is defined to create the first hash sum. In particular, for different types of files various unique parts of files of a certain size will be selected. Or, for example, the method of selecting a part of the file for hashing takes into account various data about the file (file metadata), which allows you to select the most unique part of the file for hashing (counting the first hash sum). Examples of file metadata for selection are data such as size, type, name, creation and editing date, information about the creator / owner, header field values (if provided by the file format), and others.

In the general case, the anti-virus agent 210, after intercepting the start of the file process, synchronously calculates the first hash of the file on the computer and synchronously searches for the verdict cache. In a preferred embodiment, the verdict cache is shared with the antivirus agent on the same computer. Depending on the result of the search, the antivirus agent 210 selects further analysis / evaluation of the file, namely, it selects a synchronous or asynchronous operation mode. In the event that the first hash function was found in the verdict cache, file analysis continues in synchronous mode, during which a second request for the file to the verdict cache 250 is generated. The second request includes synchronous calculation of the second hash sum and its transfer to verdict cache 250. Next, a synchronous search in the verdict cache is performed. Otherwise, if the first hash is not found in the verdict cache, then the asynchronous type of further verification is selected, during which the execution / start of the process of the checked file is resumed and the second hash of the file is calculated, and the verdicts are transferred to the cache. After receiving a response from the cache of verdicts, the anti-virus agent 210 makes decisions about the harmfulness of the file based on the received response.

In addition, in one embodiment, if, based on a request to the verdict cache 250 from the first file hash, it was determined that the file belongs to safe files, then further calculation of the second hash amount and a request to the verdict cache 250 and / or the remote database 120 is based on the asynchronous type of operation of the antivirus agent 210 in order to exclude the possibility of making a false decision, i.e. false antivirus agent 210 triggering a verdict on a file as safe.

It is worth noting that when the first hash is detected in the verdict cache, the second hash is transferred to the same verdict cache. If the first hash is not found, then the second hash of the corresponding file is sent to the remote server (security server or information server) to exclude the indicated false positive if the verdict cache contains only information about malicious files.

In another embodiment, the verdict cache is located in the database 120 of the security server 130 on the local network 140. In this case, the antivirus agent interacts similarly to the option described earlier, namely, the first hash of the file is calculated and transferred to the verdict cache in synchronous form, and the formation of a request for information about the file, during which the second hash amount is calculated, with subsequent transfer to the verdict cache, is based on the response received from the verdict cache for the first hash sum. So, if the first hash is not found in the verdict cache or is found, but relates to a safe type of files or a collection of safe files, then the second hash is calculated asynchronously and further asynchronous work is performed, namely, transferring, searching for and making a decision on the verifiable file. Otherwise, if the first hash is found, anti-virus agent 210 performs synchronous operation. It is worth noting that a set of safe files refers to at least two files with the first hash sum identical.

In another embodiment of the invention, the anti-virus agent 210, after intercepting the file, performs a local anti-virus scan of the file, for example, using the local database 250. If the file is determined to be safe, then a false positive is checked. To do this, the anti-virus agent 210 synchronously counts and searches for the first hash of the file in the local cache of verdicts, while the local cache of verdicts contains the first hash of the files of only malicious files. If the first hash is detected in the local verdict cache, then the anti-virus agent 250 synchronously generates the second hash of the file and searches for it in the local verdict cache. If the second hash of the file is not detected in the local cache of verdicts, then the anti-virus agent 250 resumes the file and performs additional checks in asynchronous mode, sending a request for file information containing the second hash of the file to a remote server, for example, security server 130 After receiving a response from a remote server, anti-virus agent 250 makes a second decision. If the received answer confirms the first solution, then the operation of the anti-virus agent 250 ends with the file. If the answer contains information that refutes the decision, namely that the file is malicious, then the file is stopped and actions related to disinfecting or deleting the file are performed.

In another implementation, anti-virus agent 210 checks for false positives after deciding on a file, it does not matter if hash calculation has been used before or not. In the event that the file was determined to be malicious, then the further calculation of the full hash of the file and the request to the remote server 130 are performed synchronously. Otherwise, when the file is defined as safe, the calculation of the full hash sum and the formation of the request to the remote server 130 is performed asynchronously. After receiving the response, the anti-virus agent 210 either finishes working with the scanned file or adjusts the decision made, depending on the response received.

In FIG. 3 is a flowchart schematically illustrating a method for generating a request for file information during an anti-virus scan of a file in accordance with an embodiment of the present invention. The presented method is implemented using the system described in FIG. one.

At step 305, during the execution of the executable file on the user's computer (for example, such as computer 110a in Fig. 1), it is intercepted to conduct an anti-virus scan. At this moment, the start of the created process from the file is blocked and further execution of the file will be performed upon completion of the anti-virus scan or after receiving the corresponding instruction to start the file from the anti-virus system. At step 310, the first hash of the file is synchronously counted, with the first hash being calculated from only part of the file. It is worth noting that the mechanism for calculating the first hash sum can be implemented based on the current level of technology in the most preferred embodiment. For example, in one of the counting options, a counting mechanism will be generated that contains criteria for selecting the most preferable part of the file for generating the first hash sum. Examples of selection criteria are data such as file type, file size, and other metadata. Thus, to calculate the first hash, the choice of the file part is based on the analysis of the file metadata using criteria to determine the most preferable (unique) part of the file.

After the first hash is generated, at step 315, it is searched in the verdict cache. In one embodiment of the method, the verdict cache is part of a local database that contains, in addition to the verdict cache, decisions about both malicious files and trusted files. The verdict cache contains at least information about the short hash (first hash) and the whole hash (second hash) of the files.

At 320, it is determined whether the first hash is found in the verdict cache. In the event that the first hash is detected, at step 330, it is determined whether the file (first hash) is a malicious file. If relevant, then proceeds to step 335, which synchronously calculates the second hash of the file. It is worth noting that the second hash of the file is calculated from the whole file. After the second hash is generated, it is searched synchronously in the verdict cache of 340 and, if necessary, in the database 120 of the remote security server 130. According to the results of the search for the second hash, at step 380, the anti-virus agent 210 makes the final decision about the harmfulness of the file .

Otherwise, if the first hash is not related to malicious files, then the next step is performed at step 350. Also, if at step 320 the first hash of the file is not found in the verdict cache, go to step 350. At step 350 the anti-virus agent allows the launch of the file process on the computer providing access to the file. Next, at step 360, an asynchronous generation of a file information request is performed, during which a second hash is calculated. At step 370, an asynchronous search for file information in the database 250 of the security server 130 is performed according to the second hash of the file. At 380, search results are applied to make a final decision on the harmfulness or security of the file.

In the particular case of the invention, step 330 may be omitted. In this case, the verdict cache will contain either only information about malicious files, or the first hash amounts only for malicious files. Therefore, identifying the first hash sum in the verdict cache indicates that the file may be malicious files and, therefore, proceed from step 320 to step 335.

In FIG. 4 is a flowchart schematically illustrating a method for generating a request for file information for anti-virus scanning a file with the exception of making a false decision in accordance with an embodiment of the present invention. The presented method is implemented using the system described in FIG. one.

At step 405, the executable executable is intercepted on the client computer 110a using an anti-virus agent. Next, the anti-virus agent checks the file for malicious code. To do this, at step 410, the first hash is generated from the part of the file, and the synchronous type of verification is used. The options for generating the first hash were presented in the description of FIG. 1. At step 415, the anti-virus agent accesses the verdict cache, which, suppose in this embodiment, contains information only about files containing malicious code, i.e. about malicious files. At 420, a search is made for the generated first hash of the file in the verdict cache. In the event that the first hash is found, the anti-virus agent 210 proceeds to step 430. Otherwise, if the first hash is not found, it proceeds to step 450.

At step 430, a synchronous scan type remains, during which the anti-virus agent generates a second hash of the file from the entire file and transfers / accesses the verdict cache. At block 440, a second hash is searched in the verdict cache. Then, at step 480, based on the search result of the second hash, the anti-virus agent makes a final decision on the harmfulness of the file. So, if the second hash is detected in the verdict cache, then the file is determined to be malicious. After that, the file can be deleted, or its treatment, or a request to the user about further actions with the file. Otherwise, if the second hash is not found, then the file is defined as safe. Next, access to the file is provided.

At 450, file access is granted for execution on a computer. After that, the anti-virus agent at step 460 asynchronously generates a request for file information for transmission to a remote server for further analysis. During the formation of the request, the second hash is calculated from the entire file.

Additionally, at step 465, the antivirus agent, before sending the request to the server, can scan the file with a local database (if the antivirus agent has one), which contains information about malicious and safe files. Such verification will also be performed using the second hash in step 467. If there is no solution in the local database, the request will be sent to the remote server in step 470. Otherwise, if a solution is found, the anti-virus agent will accept one of the following of solutions:

- if the local database allows you to determine the hash amount as the hash amount of the malicious file, then at step 469 the anti-virus agent will stop the file and send a request to the remote server to exclude false positives when making the specified decision, and then the synchronous scan type will be used next ;

- if the local database allows you to determine the hash amount as the hash amount of a safe file, then the anti-virus agent finishes working with the file.

Next, at step 470, the transfer to the remote server is asynchronously performed and they await a response from the remote server for the search / analysis results for the second file hash. After receiving a response to the request, at step 480, the search results are applied to make a final decision on the harmfulness of the file.

It is worth noting that in addition, after determining the file safe at step 480, asynchronously a check can be made for a false positive when such a decision is made. It is most important to carry out such a check when the first hash of the file was found in the indicated verdict cache and the second hash of the file is no longer there. The check for false positives consists in the fact that the anti-virus agent makes a request to a remote server, while the request contains a second hash sum. After receiving a response, the anti-virus agent makes the final decision on the file based on the information contained in the response: it either leaves the previous decision in force or changes it with the ensuing consequences (for example, it blocks the file). In addition, a false positive check can also be performed when the file is detected as malicious. In this case, the verification continues with the synchronous type, i.e. the file will be locked at least until the end of such a check.

Depending on the implementation, the decision will be either to identify the file as malicious or safe, or to exclude a previously made false decision.

FIG. 5 is an example of a general purpose computer system 20 that can be used as a client computer (e.g., a personal computer) or server, as shown in FIG. 1. The computer system 20 comprises a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented as any bus structure known in the art, containing in turn, a bus memory or a bus memory controller, a peripheral bus, and a local bus that is capable of interfacing with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26, contains the basic procedures that ensure the transfer of information between elements of the computer system 20, for example, at the time of loading the operating ROM systems 24.

The computer system 20, in turn, contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a computer system 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, keypad “ the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer can be equipped with other peripheral output devices (not displayed), for example, speakers, a printer, etc. .

The computer system 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature the computer system 20 of FIG. 1. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes, may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, a computer system (personal computer) 20 is connected to a local area network 50 via a network adapter or network interface 51. When using networks, the personal computer 20 can use a modem 54 or other means of providing communication with a global computer network, such as the Internet . The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims. One skilled in the art will recognize that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

Claims (15)

1. A method of generating a request for information about a file to verify the absence of a false solution when determining a file as safe during anti-virus scanning, the method comprising the steps of: a) synchronously select a part of the file and calculate the first hash of the file from the selected part of the file on the user's computer; b) synchronously search for the first hash of the file in the verdict cache, while the verdict cache contains information about known malicious files; c) decide that the first hash of the file is not in the data cache; d) provide access to the file and perform asynchronous calculation of the second hash of the file to eliminate a false decision, where the second hash of the file is calculated based on the whole file; d) transmit the request asynchronously to the remote server and wait for a response, where the request contains the second hash of the file; e) depending on the response received from the remote server, they determine the presence of a false decision and make the final decision about the harmfulness of the file. 2. The method of claim 1, wherein the verdict cache is located either on the same client computer or on a remote server. 3. The method of claim 2, wherein the remote server containing the verdict cache is located on either a local or global network. 4. The method according to p. 2, in which the additionally generated request is sent to another remote server, if there is no solution on the previously indicated remote server. 5. The method according to claim 1, wherein the calculation of the first hash function of the file is based on the type of file, where each type of file has its own portion of the file to create a hash sum. 6. The method according to p. 1, in which to calculate the first hash of the file, part of the file is selected in such a way as to select the most unique part of files of a certain size. 7. The method according to claim 6, in which the selection of the most unique part of the file is based on the metadata of the file. 8. The method according to p. 1, in which to calculate the first hash of the file, part of the file can be selected both randomly and based on a specific algorithm. 9. A system comprising a permanent computer-readable medium storing computer-readable instructions, upon completion of which the system generates a request for information about the file to check for the absence of a false solution when determining the file as safe, according to the method according to any one of paragraphs. 1-8.

Images