Abstract: A system and method for malware detection uses static and dynamic analysis to augment a machine learning model. At the training step, static and dynamic features are extracted from training datasets and used to train a malware classification model. The malware classification model is used to classify unknown files based on verdicts from both static and dynamic models.

Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.

Abstract: Disclosed herein are systems and method for performing failover during a cyberattack. In one exemplary aspect, a method comprises monitoring a computing device for the cyberattack and detecting that the cyberattack is in progress. While the cyberattack is in progress, the method comprises identifying a failover device that corresponds to the computing device, hardening the failover device to prevent the cyberattack from affecting the failover device, and performing failover by switching from the computing device to the failover device.

Abstract: Disclosed herein are systems and method for isolating private information in streamed data. In an exemplary aspect, a method may comprise receiving a stream of data, for storage in a first storage device, and an indication of how the stream will be utilized by an end user. The method may comprise comparing the indication against a plurality of rules, wherein each rule indicates a type of private information that should be isolated from a given input stream based on a respective indication of usage for the given input stream. The method may comprise identifying and extracting a first type of private information that should be isolated from the stream, modifying the stream by removing the first type of private information from the stream, storing the modified stream in the first storage device, and storing the extracted first type of private information in a different location from the modified stream.

Abstract: An anomaly detection system uses an AI engine to analyze configurations and backups to identify and assess anomalies. Backup data and configurations are used to characterize events as either secure or insecure.

Abstract: A system and method of anti-malware analysis including iterative techniques that combine static and dynamic analysis of untrusted programs or files. These techniques are used to identify malicious files by iteratively collecting new data for static analysis through dynamic run-time analysis.

Abstract: A method of continuous development of an internal threat scan engine based on an iterative quality assessment includes iteratively performing a dynamic assessment of a quality of a threat detection with a frequency defined for each of objects in an object collection, wherein a result of the dynamic assessment includes internal and external scan results of the objects and a consistency verdict of the internal and external scan results of the objects, changing a frequency of scanning iteration of the objects based on the consistency verdict of the external and internal scan results of the objects, classifying the objects based on the result of the dynamic assessment, and creating a development task including the internal and external scan results of the objects, meta-data of the objects, and automated test results to provide details for developing a software to fix inconsistency of the internal and external scan results.

Abstract: Disclosed herein are systems and method for adjusting data protection levels based on system metadata. A method may include monitoring a computing device for a cyberattack, wherein a kernel driver of the computing device is configured to allow access to kernel control paths and hash tables in accordance with a first protection level, and detecting that the cyberattack is in progress. While the cyberattack is in progress, the method may include identifying kernel control paths and hashes of software objects that will be affected by the cyberattack, and configuring the kernel driver to disable access to the identified kernel control paths and hashes of the software objects in accordance with a second protection level, wherein the second protection level includes greater access restrictions to the computing device than the first protection level.

Abstract: A system and method are disclosed for performing non-invasive scan of a target device. The system is configured for: i) loading an endpoint protection agent to a target device; ii) providing a remote direct memory access of the target device to the remote security server for reading a memory of the target device; iii) scanning, by a second memory scan engine of the remote security server, the memory of the target device upon the violation of the security policy; iv) identifying, by the second memory scan engine of the remote security server, a threat on the target device; and v) sending, by the remote security server, a security response action to the endpoint protection agent on the target device in accordance with the security policy.

Abstract: Disclosed herein are systems and methods for indexing and searching an encrypted archive. In one exemplary aspect, a method comprises generating, by a hardware processor, an encrypted data archive based on a user backup performed using a backup plan with an encryption flag enabled and a user key; generating, by the hardware processor, an index key for the encrypted data archive; encrypting, by the hardware processor, the index key using the user key; storing, by the hardware processor, the index key in a secure data storage; creating and mounting, by the hardware processor, an encrypted file system folder for the encrypted data archive using the index key; decrypting, by the hardware processor, data in the encrypted data archive using the user key; and indexing, by the hardware processor, the decrypted data.

Abstract: Disclosed herein are systems and methods for preventing malicious injections. In one aspect, a method includes monitoring active processes that are running in suspended mode. For each active process being monitored, the method includes injecting a dynamic link library (DLL) into the active process to hook an application programming interface (API) of an application corresponding to the active process, wherein the DLL is injected for tracking commands for suspension and resumption of the active process. The method includes monitoring file inputs and outputs of the application for anomalies while the active process is in the suspended mode, and when a command for resuming the active process is detected using the DLL, determining, based on the monitoring, whether a malicious process is inserted into the active process. The method includes allowing the suspended process to resume execution in response to determining that no malicious process is inserted in the active process.

Abstract: Disclosed herein are systems and method for determining a backup schedule on a computer system. In one exemplary aspect, a method may comprise collecting user behavior data on the computer system. The method may comprise analyzing the user behavior data to determine an optimal time of a backup session to create backup copies of modified data stored on a volume of the computer system and determining an optimal duration of the backup session based on the analyzed user behavior. The method may comprise determining a portion of the modified data that can be saved during the backup session within the optimal duration at the optimal time of backup, and performing the backup session comprising the portion.

Abstract: Disclosed herein are systems and method for providing nested frontend applications in a user interface of a management application. An exemplary method may include: generating a graphical user interface (GUI) for the management application, wherein the GUI includes a first extension point that includes a plurality of extensions, wherein each extension of the plurality of extensions is a standalone frontend application; injecting, during runtime of the management application, a first extension into the first extension point based on a personal configuration file, wherein the first extension is included in the plurality of extensions after injection; in response to receiving, via the GUI, a selection of the first extension, generating, on the GUI, a second extension point corresponding to the first extension, wherein the second extension point includes an additional plurality of extensions; and injecting, during the runtime, a second extension into the second extension point.

Abstract: A system and method of anti-malware analysis including iterative techniques. These techniques are used to create a file attribute tree used by a machine learning analyzer to identify malicious files.

Abstract: Disclosed herein are systems and method for anti-malware scanning, including identifying a plurality of objects in a backup archive that is connected to a first network comprising a plurality of computing devices; scanning the plurality of objects in the backup archive to generate a whitelist indicating a subset of the plurality of objects that do not need to be scanned at a subsequent time; performing, using the whitelist, a first malware scan in a computing device of the plurality of computing devices; detecting that the computing device has left the first network to join a second network; and performing a second malware scan on the computing device, wherein the second malware scan uses a different whitelist of the second network, and wherein the second malware scan comprises scanning a first object that is not in the different whitelist and was not scanned in the first malware scan.

Abstract: The IOC Infrastructure management system (100) and method is disclosed for building an IOC infrastructure and its management thereof. The system mainly includes a IOC processing unit and an endpoint engine. The IOC processing unit is configured to i) source raw IOCs from a plurality of external sources, ii) convert format of the raw IOCs into a predetermined format of an IOC database using a parser unit, where each parser of the parser unit corresponds to at least one IOC format, iii) build and apply syntax tree to the parsed IOCs, where the syntax tree supports complex expression-based toolsets, such as YARA, and sort the IOCs lexicographically to avoid duplication of IOC entry and render the malware detection scanning process faster and efficient.

Abstract: A data storage system uses erasure coding in combination with hashgraph to organize stored data and recover that data in a computing environment.

Abstract: Disclosed herein are systems and method for selectively restoring a computer system to an operational state. In an exemplary aspect, the method may include creating a backup image of the computer system comprising a set of data blocks, detecting that the computer system has begun an initial startup, identifying a subset of the data blocks read from a disk of the computer system during the initial startup. In response to determining that the computer system should be restored, the method may include restoring the subset of the data blocks such that the computer system is operational during startup, and restoring a remaining set of the data blocks from the backup image after the startup of the computer system.

Abstract: Disclosed herein are systems and method for protecting files indirectly related to user activity. In one exemplary aspect, a method may comprise identifying, on a computing device, a file that is directly accessed by a user of the computing device. The method may comprise determining an application that provides access to the file. The method may comprise identifying a plurality of program files that the application utilizes during execution. For each respective program file of the plurality of program files, the method may comprise determining whether the respective program file is required by the application to provide access to the file and in response to determining that the respective program file is required, determining a type of threat that can target the respective program file. The method may further comprise performing a data protection action on the respective program file based on the type of threat.

Abstract: Disclosed herein are systems and method for inspecting archived slices for malware. In one exemplary aspect, the method comprises identifying a first slice in a plurality of slices in a backup archive, wherein the first slice is an image of user data at a first time. The method comprises scanning the first slice of the plurality of slices in the backup archive and detecting at least one infected file in the first slice. The method comprises identifying a block of the first slice that corresponds to the at least one infected file. The method comprises mounting, to a disk, a second slice of the plurality of slices. The method comprises tracking the block and determining that the at least one infected file exists on the second slice and removing the infected file from the second slice by generating a respective cured slice of the second slice.