Independent claim |
1. A method for detecting a harmful file executed on a virtual stack machine, the method comprising:
identifying, by a hardware processor, data from a file executed on the virtual stack machine, the data including at least one of parameters of a file section of the file and parameters of a function of the file; based on the identified data, searching in a database for at least one cluster of safe files that contains a value of one of the parameters of the file section exceeding a number of local variables being used by the function; based at least partially on the identified at least one cluster of safe files, creating, by the hardware processor, at least one cluster of data of the file executed by the virtual stack machine, wherein the at least one cluster of data includes a cluster containing section header types and sizes of these sections, a cluster containing numbers of local variables used by the function of the file, and a cluster containing names of the function that is executable by the virtual stack machine; calculating, by the hardware processor, a fuzzy checksum of the created cluster of data comprising one or more of a checksum of the cluster containing section header types and sizes of these sections, a checksum of the cluster containing numbers of local variables used by the function of the file, and a checksum of the cluster containing names of the function that is executable by the virtual stack machine; and determining, by the hardware processor, that the file executed on the virtual stack machine is a harmful file if the computed fuzzy checksum matches a checksum in a database of checksums of harmful files. |
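The clustering and fuzzy-checksum steps of the claim, as an added example that is not part of the patent or any implementation it describes. The sample file metadata, the harmful-file database and the matching rule (a file is flagged when at least two of the three per-cluster checksums coincide with a database entry) are assumptions made for this illustration; the safe-file cluster lookup of the claim is omitted.

```python
import hashlib
from typing import Dict, List

# Constructed sample metadata for a file run on a virtual stack machine
# (the kind of data a bytecode loader exposes); the values are invented
# for this example and describe no real file.
SAMPLE_FILE = {
    "sections": [("metadata", 4096), ("code", 20480), ("resources", 1024)],
    "functions": [("Main", 3), ("Decrypt", 12), ("Connect", 7)],
}


def build_clusters(info: Dict) -> Dict[str, List]:
    """Group the extracted data into the three clusters named in the claim."""
    return {
        "sections": sorted((t, s) for t, s in info["sections"]),
        "locals": sorted(n for _, n in info["functions"]),
        "names": sorted(name for name, _ in info["functions"]),
    }


def cluster_checksum(items: List) -> str:
    """Canonicalise a cluster and hash it; 16 hex chars keep the example short."""
    canonical = "\n".join(repr(i) for i in items).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def fuzzy_checksum(info: Dict) -> Dict[str, str]:
    """One checksum per cluster; together they form the fuzzy checksum."""
    return {k: cluster_checksum(v) for k, v in build_clusters(info).items()}


def is_harmful(info: Dict, database: List[Dict[str, str]], min_matching: int = 2) -> bool:
    """Assumed matching rule: harmful if at least `min_matching` cluster
    checksums coincide with a harmful-file entry, so a sample that merely
    renamed its functions still matches on sections and local counts."""
    fc = fuzzy_checksum(info)
    for entry in database:
        hits = sum(1 for k in fc if fc[k] == entry.get(k))
        if hits >= min_matching:
            return True
    return False


# Constructed harmful-file database, derived from SAMPLE_FILE so the example
# is self-contained.
HARMFUL_DB = [fuzzy_checksum(SAMPLE_FILE)]

# Variant with renamed functions but identical layout and local counts.
RENAMED = {"sections": SAMPLE_FILE["sections"],
           "functions": [("a", 3), ("b", 12), ("c", 7)]}
```

Because each cluster is hashed separately, `is_harmful(RENAMED, HARMFUL_DB)` still returns True even though the function-name checksum changed.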