Abstract: A method, including collecting, by a security server, reports from multiple computing devices of events belonging to a set of specified event types occurring in execution of software processes on the devices, and collating the reports in the server to extract context information with respect to each of the events. Upon detecting an event occurring in execution of a process on a given device and matching one of the types, a software agent executing on the given device extracts, one or more features from the detected event, and conveys a query with respect to the detected event from the agent to the server. Upon receiving, from the server in response to the query, the context information with respect to the detected event, the agent decides to initiate a protective action on the given device based on the received context information and the one or more features extracted by the agent.

Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by detecting an executing process that performed a specific type of modification to a number of files stored on the storage device. A processor compares the detected number to a specified threshold and initiates, on the executing process, a preventive action in response to determining that the detected number exceeds the specified threshold.

Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by storing, to the storage device, a set of protected files and one or more decoy files, wherein any modification to the decoy file indicates a cyber-attack on the computer system. Upon receiving a request from a process executing on the computing device to enumerate files stored on the storage device, the process is analyzed so as to classify the process as benign or suspicious. The protected files are enumerated to the process whether the process was classified as benign or suspicious. However, the one or more decoy files are enumerated to the process only upon process being classified as suspicious.

Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by storing, to the storage device, a set of protected files and one or more decoy files, wherein any modification to the decoy file indicates a cyber-attack on the computer system. Upon receiving a request from a process executing on the computing device to enumerate files stored on the storage device, the process is analyzed so as to classify the process as benign or suspicious. The protected files are enumerated to the process whether the process was classified as benign or suspicious. However, the one or more decoy files are enumerated to the process only upon process being classified as suspicious.