Title: System and method for assessing danger of software using prioritized rules
Abstract: Disclosed are a system, method and computer program product for assessing the security danger of software. The system collects information about a suspicious, high-danger software object, including one or more malicious characteristics of the software object, the security rating of the software object, and information about one or more security rating rules used in assessing the security rating of the software object. The system then determines whether the suspicious object is clean (i.e., harmless). When the suspicious object is determined to be clean, the system identifies one or more unique, non-malicious characteristics of the software object and generates a new security rating rule that identifies the software object as clean based on the one or more selected non-malicious characteristics. The system then assigns a high priority ranking to the new security rating rule to ensure that the rule precedes all other rules.
Publication number: US9021584(B2) Publication date: 2015.04.28
Application number: US201213705282 Filing date: 2012.12.05
Applicant: Kaspersky Lab ZAO Inventor: Zaitsev Oleg V.
Classification: G06F21/56;G06F21/57;G06F21/50 Main classification: G06F21/56
Agent: Arent Fox LLP Attorneys: Arent Fox LLP; Fainberg Michael
Main claim: 1. A computer-implemented method for assessing danger of software objects, the method comprising: receiving, by a hardware processor, information about: a software object detected on a computer, one or more malicious characteristics of an Application Program Interface (API) function called by the software object, a security rating of the software object, and one or more security rating rules activated by the one or more malicious characteristics of the API to assess the security rating of the software object, determining a priority ranking of each security rating rule; applying the one or more security rating rules in a decreasing priority order until one of the one or more security rating rules indicates whether the software object is malicious or clean based on the one or more malicious characteristics of the API; upon determining that the software object is a clean object, identifying parameters of the API function call that are characteristic of a clean software object; generating a new security rating rule that identifies the software object as clean based on the parameters of the API function call; and assigning to the new security rule a higher priority ranking than the priority ranking of each of the security rating rules activated in assessing the security rating of the software object.
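The claim describes a priority-ordered rule engine plus a learning step. The following Python sketch is an added example, not code from the patent or from Kaspersky Lab: it applies rules in decreasing priority until one yields a verdict, and, once an object has been confirmed clean, generates a "clean" rule keyed on selected parameters of the API call and ranks it one step above every rule that fired. The rule names, the `RegSetValueEx` heuristics, the rating threshold, the `signer` parameter and the sample updater are all constructed assumptions for illustration.

```python
"""Prioritized security-rating rules with learned 'clean' exceptions.

Added example for the method in the claim above; not code from the patent
or from Kaspersky. Rules, API-call records, the threshold and the sample
software object below are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

MALICIOUS_THRESHOLD = 100  # constructed: rating at or above this is malicious


@dataclass(frozen=True)
class ApiCall:
    """One API function call observed from a software object, with parameters."""
    function: str
    params: Tuple[Tuple[str, str], ...]  # (name, value) pairs

    def param(self, name: str) -> Optional[str]:
        return dict(self.params).get(name)


@dataclass
class Rule:
    name: str
    priority: int                          # higher value is applied first
    matches: Callable[[ApiCall], bool]     # which API calls activate the rule
    rating_delta: int = 0                  # contribution to the security rating
    verdict: Optional[str] = None          # "clean"/"malicious" ends evaluation


@dataclass
class Assessment:
    verdict: str
    rating: int
    activated: List[Rule]                  # rules that fired, in application order
    deciding_call: Optional[ApiCall]       # call matched by the deciding rule


class RatingEngine:
    def __init__(self, rules: Sequence[Rule]):
        self.rules = list(rules)

    def assess(self, calls: Sequence[ApiCall]) -> Assessment:
        """Apply rules in decreasing priority until one yields a verdict."""
        rating, activated = 0, []
        for rule in sorted(self.rules, key=lambda r: r.priority, reverse=True):
            hit = next((c for c in calls if rule.matches(c)), None)
            if hit is None:
                continue
            activated.append(rule)
            rating += rule.rating_delta
            if rule.verdict is not None:
                return Assessment(rule.verdict, rating, activated, hit)
        # No decisive rule fired: fall back to the accumulated rating.
        verdict = "malicious" if rating >= MALICIOUS_THRESHOLD else "clean"
        return Assessment(verdict, rating, activated, None)

    def add_clean_rule(self, call: ApiCall, activated: Sequence[Rule],
                       param_names: Sequence[str]) -> Rule:
        """After the object is confirmed clean, generate a rule that recognises
        this API call (by the selected parameters) as clean and rank it above
        every rule that fired during the assessment."""
        signature = tuple((n, call.param(n)) for n in param_names)

        def matches(c: ApiCall, fn=call.function, sig=signature) -> bool:
            return c.function == fn and all(c.param(n) == v for n, v in sig)

        priority = max(r.priority for r in activated) + 1
        rule = Rule(f"clean:{call.function}:{dict(signature)}", priority,
                    matches, rating_delta=0, verdict="clean")
        self.rules.append(rule)
        return rule


def is_run_key_write(c: ApiCall) -> bool:
    """Constructed heuristic: the call registers an autorun entry."""
    return c.function == "RegSetValueEx" and "\\Run" in (c.param("key") or "")


def demo() -> Dict[str, object]:
    """Assess a constructed updater before and after a clean rule is learned."""
    engine = RatingEngine([
        Rule("autorun-persistence", priority=50, matches=is_run_key_write,
             rating_delta=60),
        Rule("autorun-from-user-profile", priority=70,
             matches=lambda c: is_run_key_write(c)
             and (c.param("data") or "").lower().startswith("c:\\users\\"),
             rating_delta=100, verdict="malicious"),
    ])
    run_key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    # Constructed sample: a signed vendor updater that installs an autorun entry.
    updater_call = ApiCall("RegSetValueEx", (
        ("key", run_key), ("value", "ExampleUpdater"),
        ("data", "C:\\Users\\alice\\AppData\\Local\\ExampleUpdater\\upd.exe"),
        ("signer", "Example Software Inc."),
    ))
    before = engine.assess([updater_call])
    # Analyst review (outside this code) confirms the updater is clean.
    learned = engine.add_clean_rule(updater_call, before.activated,
                                    param_names=("key", "value", "signer"))
    after = engine.assess([updater_call])
    # A constructed imposter reusing the key/value but lacking the signer stays flagged.
    imposter = engine.assess([ApiCall("RegSetValueEx", (
        ("key", run_key), ("value", "ExampleUpdater"),
        ("data", "C:\\Users\\alice\\AppData\\Roaming\\x.exe"),
    ))])
    return {"before": before.verdict, "rating_before": before.rating,
            "activated_before": [r.name for r in before.activated],
            "learned_priority": learned.priority,
            "after": after.verdict, "imposter": imposter.verdict}


if __name__ == "__main__":
    print(demo())
```

The choice of `param_names` is the security-relevant decision in the learning step: the learned rule outranks every rule that fired, so it must be keyed on parameters tied to the clean object's identity (here the constructed `signer`), not only on a registry path or file name that another program could reuse. The imposter case in `demo()` shows the rule staying narrow when the signer differs.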
Address: Moscow RU