The standard implementation of the file system structure or system registry in emulation mode involves creating a hierarchical database. This database consists of numerous objects whose information is stored in data fields of different types (string, boolean, number, reference etc.). Every object in the database is characterised by its type and a unique set of index fields through which the object is accessed. This structure provides high scalability and versatility without affecting performance.
The main features of the presented architecture are the hierarchical structures and the cross references that allow access to the different fields of the various objects. Traversing a tree of 500,000 objects takes approximately one second.
The patent also describes the algorithm of the application emulator’s interaction with the operating memory and a method for ‘transparent’ reading and writing to a hard disk. Actual reading and writing operations are not performed in this instance; however, real-world working conditions are created for the programme being analysed. These methods allow in-depth analysis of suspicious programme activity in relation to the operating memory and information stored on the hard drive, without damaging the operating system or user information.
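As an added illustration of the design described above (not Kaspersky Lab's patented code), the toy store below indexes typed objects by (type, path), resolves parent objects through the hierarchy, and records the analysed program's writes and deletions in a copy-on-write overlay so the host snapshot is never modified. The host snapshot, object kinds and field names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Constructed read-only snapshot standing in for the real disk and registry.
HOST_SNAPSHOT: Dict[Tuple[str, str], dict] = {
    ("dir", "/etc"): {},
    ("file", "/etc/hosts"): {"data": b"127.0.0.1 localhost\n"},
    ("regkey", r"HKLM\Software\Run"): {"updater": r"C:\upd.exe"},
}

@dataclass
class EmuObject:
    kind: str        # object type: "file", "dir", "regkey"
    path: str        # unique index field within that type
    fields: dict = field(default_factory=dict)  # typed data fields

class EmulatedStore:
    """Overlay store: the analysed program's writes land here, never on the host."""
    def __init__(self, host: Dict[Tuple[str, str], dict]):
        self._host = host
        self._overlay: Dict[Tuple[str, str], Optional[EmuObject]] = {}  # None = deleted
        self.log: List[Tuple[str, str, str]] = []  # (operation, kind, path) for the analyst

    def read(self, kind: str, path: str) -> Optional[EmuObject]:
        key = (kind, path)
        if key in self._overlay:          # the program's own writes and deletes win
            return self._overlay[key]
        if key in self._host:             # transparent fall-through to the host view
            return EmuObject(kind, path, dict(self._host[key]))
        return None

    def write(self, kind: str, path: str, **fields) -> EmuObject:
        current = self.read(kind, path)
        merged = dict(current.fields) if current else {}
        merged.update(fields)             # partial update keeps untouched fields
        obj = EmuObject(kind, path, merged)
        self._overlay[(kind, path)] = obj
        self.log.append(("create" if current is None else "modify", kind, path))
        return obj

    def delete(self, kind: str, path: str) -> bool:
        if self.read(kind, path) is None:
            return False
        self._overlay[(kind, path)] = None  # tombstone hides the host object
        self.log.append(("delete", kind, path))
        return True

    def parent(self, kind: str, path: str) -> Optional[EmuObject]:  # cross reference up the tree
        sep = "\\" if "\\" in path else "/"
        head = path.rsplit(sep, 1)[0] if sep in path else ""
        return self.read("regkey" if kind == "regkey" else "dir", head) if head else None
```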
Kaspersky Lab technologies are currently protected by 40 patents in Russia and 29 patents in the USA. Furthermore, the patent offices in the USA, Russia, China and Europe are currently examining more than 100 Kaspersky Lab patent applications relating to a range of unique IT security technologies.