Abstract: A system and method for firewall policy control in a system comprising endpoints, including functionality for isolating network elements on endpoints under management. An endpoint management agent cooperates with a remote management service to carry out policy management and synchronization, implement isolation mode when required, and perform related supporting tasks.

Abstract: Disclosed herein are systems and method for authenticating user identity based on supplemental environment data. When a structured approach to acquiring user identifiers (e.g., facial images, voice clips, biometric data, etc.) of authorized user is inconclusive (e.g., a matching face is similar, but not a direct match) the systems and methods describe retrieving supplemental environment data that indirectly verifies a presence of the user in an environment. The systems and methods further comprise determining whether the supplemental environment data indicates that a respective identifier belongs to the user, and in response to determining that the supplemental environment data indicates that the respective identifier belongs to the user, authenticating the respective identifier as belonging to the user and storing the respective identifier in a database of identifiers.

Abstract: A system and method are disclosed for identifying malicious activity on a target device based on behavior analysis of the target device. The system includes a behavioral analyzer run on a virtual machine connected to the target device. The virtual machine collects system events and parameters from the target device and run a script, independent of the target device, to detect a threat. The script is a set of instructions executed to analyze behavior of an object by processing and correlating the events. The script includes a rule structure which stores signatures and expressions of the known malwares. By correlating the selected event parameters with known malware parameters, it is determined whether the event imposes a threat or not. A finite state machine is used for the state transition table.

Abstract: A system and method is provided for detecting a suspicious process in an operating system environment. In an exemplary aspect, a method comprises generating, by a hardware processor, a file honeypot in a directory in a file system and receiving a directory enumeration request from a process executing in the operating system environment. The method comprises determining whether the process is identified in a list of trusted processes and in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request. The method further comprises intercepting, by a file system filter driver, a file modification request for the file honeypot from the process, and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.

Abstract: Disclosed herein are systems and method for scanning objects of a computing device, by an anti-malware, using a white list created for an organization based on data of the organization. In one aspect, an exemplary method comprises obtaining one or more objects of the organization from the computing device, and for each obtained object of the one or more objects, computing a hash value of the obtained object, determining whether the obtained object is whitelisted, and scanning the obtained object based on whether the obtained object is whitelisted, wherein the whitelist is created based on scanning of objects stored in archives of the organization, and the obtained object is determined as being whitelisted when the computed hash value of the obtained object matches a hash value of an object in a whitelist created for the organization.

Abstract: Disclosed herein are systems and methods for protecting user data. In one aspect, an exemplary method comprises, by a hardware processor, detecting one or more user files modified by a user on a user device; identifying user actions executed by the user to modify the one or more user files; training a machine learning algorithm to identify whether an arbitrary user action is performed by the user, wherein the user actions used by the user to modify the one or more user files are comprised in a training dataset of the machine learning algorithm; detecting a user action to modify a user file; determining, using the machine learning algorithm, whether the user action classifies as being performed by the user; and in response to determining that the machine learning algorithm classifies the user action as being performed by the user, modifying the user action to mask an identity of the user.

Abstract: Disclosed herein are systems and method for malicious behavior detection in processing chains comprising identifying and monitoring events generated by a first process executing on a computing device; storing snapshots of data modified by any of the events; determining a level of suspicion for the first process, wherein the level of suspicion is a likelihood of the first process being attributed to malware based on the data modified by any of the events; in response to determining that the first process is not trusted based on the determined level of suspicion, identifying at least one sub-process of the first process; and restoring, from the snapshots, objects affected by the first process and the at least one sub-process.

Abstract: Disclosed herein are systems and method for generating and storing forensics-specific metadata. In one aspect, a digital forensics module is configured to generate a backup of user data stored on a computing device in accordance with a backup schedule. The digital forensics module identifies, from a plurality of system metadata of the computing device, forensics-specific metadata of the computing device based on predetermined rules, wherein the forensics-specific metadata is utilized for detecting suspicious digital activity. The digital forensics module generates a backup of the forensics-specific metadata in accordance with the backup schedule and analyzes the forensics-specific metadata for an indication of the suspicious digital activity on the computing device. In response to detecting the suspicious digital activity based on the analysis, generates a security event indicating that the suspicious digital activity has occurred.

Abstract: Disclosed herein are systems and method for customizing a user workspace environment using user action sequence analysis. In one exemplary aspect, a method may comprise detecting user actions in a user workspace environment that provides access to a plurality of workspace elements further comprising a plurality of files and a plurality of applications and identifying a plurality of user action sequences based on each timestamp of a respective user action. The method may comprise generating action sequence groups, each comprising a unique subset of the user action sequences and sequence trigger. In response to detecting a particular sequence trigger, the method may comprise executing a corresponding customization action that alters the user workspace environment such that an amount of steps and/or processing time to perform in the user workspace environment to access workspace elements associated with the associated action sequence group is reduced.

Abstract: Disclosed are systems and methods for detecting malicious applications. An exemplary method may comprise detecting that a first process has been launched on a computing device. The method may comprise receiving, from the first process, an execution stack associated with one or more control points of the first process. The method may comprise applying a machine learning classifier on the execution stack, wherein the machine learning classifier is configured to classify whether a process is malicious based on activity on control points captured on a given execution stack, and wherein a feature of a malicious process is detection of a system call to create a remote thread that runs in a virtual address space of a shared-service process configured to import third-party processes to be embedded as separate threads. The method may comprise generating an indication that the execution of the first process is malicious/non-malicious.

Abstract: Methods for file archiving using machine learning are disclosed herein. An exemplary method comprises archiving a first file of a plurality of files from a storage server to a tiered storage system, training a machine learning module based on file access operations for the plurality of files, determining one or more rules for predicting access to the archived files using the machine learning module, determining a prediction of access of the archived file based on the one or more rules and retrieving the archived file from the tiered storage system into a file cache in the storage server based on the prediction of access.

Abstract: Disclosed herein are systems and method for preventing malware reoccurrence when restoring a computing device using a backup image. In one exemplary aspect, a method may identify, from a plurality of backup images for a computing device, a backup image that was created most recently before the computing device was compromised. The method may mount the backup image as a disk and scanning the disk for malicious software. The method may disable all ports and services on the computing device to prevent unauthorized network connections and service launches. The method may restore data to the computing device from the mounted disk. The method may update software on the computing device and applying latest patches, and reopen the ports and restart the services on the computing device subsequent to updating the software and applying the latest patches.

Abstract: The present disclosure includes methods and systems for protecting network resources. A method may start, by a processor, copy-on-write snapshotting for modifications to a plurality of files stored on electronic storage. A method may monitor, by the processor, access to objects within a file system associated with the electronic storage for a set of operations. A method may intercept, by the processor, one or more operation of the set of operations for modifying a region of a file in the file system. A method may capture, by the processor, one or more of original contents, modified contents and written contents of the region. A method may end, by the processor, copy-on-write snapshotting. A method may perform malware and/or ransomware analysis on a process performing the modification to the region of the file in the file system.

Abstract: A system and method for implementing management of a system context database is disclosed herein. The system context from a target computing system is collected. The system context is set in accordance with the configuration status of a context consumer. The context consumer includes one or more data security components. A system context database is initialized in response to the configuration status. The collected system context is restored in a cache. The attributes from the cache are provided to the context consumer where the attributes are compared with predefined attributes of the known malware threats. Each data security component of the context consumer is configured to access the cache in a synchronized manner to avoid duplication of the scanning process. The comparison result indicates the presence of a malware threat.

Abstract: Disclosed herein are systems and method for inspecting archived slices for malware using empty spare files. In one exemplary aspect, the method comprises generating a backup slice and a virtual volume comprising a list of files in the backup slice and associated file information. The method comprises mounting the virtual volume to a disk. The method comprises creating, in the virtual volume, empty sparse files that are placeholders of the files reference in the list of files. The method comprises detecting a change between a respective empty sparse file and a corresponding file in a previous backup slice and accordingly storing the actual content of the file in the virtual volume in place of the respective empty sparse file. The method comprises scanning the virtual volume for malicious software and generating a cured slice that replaces the backup slice in the backup archive upon detection.

Abstract: Disclosed herein are methods and systems for providing data recovery recommendations. In an exemplary aspect, a method may comprise identifying a plurality of storage devices. For each respective device of the plurality of storage devices, the method may comprise extracting a respective input parameter indicative of a technical attribute of the respective device, inputting the respective input parameter into a machine learning algorithm configured to output both a first likelihood of the respective device needing a data recovery and a second likelihood that the data recovery will fail, and determining a respective priority level of the respective device based on the first likelihood and the second likelihood. The method may comprise normalizing each respective priority level, and recommending a device of the plurality of storage devices for a test data recovery procedure based on each normalized priority level.

Abstract: Aspects of the disclosure describe methods and systems for performing an antivirus scan using file level deduplication. In an exemplary aspect, prior to performing an antivirus scan on files stored on at least two storage devices, a deduplication module calculates a respective hash for each respective file stored on the storage devices. The deduplication module identifies a first file stored the storage devices and determines whether at least one other copy of the first file exists on the storage devices. In response to determining that another copy exists, the deduplication module stores the first file in a shared database, replaces all copies of the first file on the storage devices with a link to the first file in the shared database, and performs the antivirus scan on (1) the first file in the shared database and (2) the files stored on the storage devices.

Abstract: A system and method that provides customized graphical user interfaces on mobile devices based on user inputs. An exemplary method includes detecting a computing device remotely connected to a remote server over a network and having an active session of a software application running on the remote server. Moreover, the method further includes identifying and selecting one or more hotkey buttons based on the detected software application, transmitting the one or more hotkey buttons to the computing device to be displayed in a customized interface while the software application is active, detecting an activation of the one or more hotkey buttons displayed on the computing device, and executing, by the remote server, an operation for the active software application in response to the activation of the one or more hotkey button by the user.

Abstract: Disclosed herein are systems and methods for synchronizing anonymized linked data across multiple queues for SMPC. The systems and methods guarantee that data is kept private from a plurality of nodes, yet can still be synced within a local queue, across the plurality of local queues. In conventional SMPC frameworks, specialised data known as offline data is required to perform key operations, such as multiplication or comparisons. The generation of this offline data is computationally intensive, and thus adds significant overhead to any secure function. The disclosed system and methods aid in the operation of generating and storing offline data before it is required. Furthermore, the disclosed system and methods can help start functions across multi-parties, preventing concurrency issues, and align secure input data to prevent corruption.

Abstract: Disclosed herein are systems and method for performing secure computing while maintaining data confidentiality. In one exemplary aspect, a method receives, via an application, both data and a request to perform a secure operation on the data, wherein the secure operation is to be performed using a secure compute engine on a cloud platform such that the data is not viewable to a provider of the cloud platform. The method applies transformations to the data so that the data is not viewable to the provider. The method transmits the transformed data to the secure compute engine on the cloud platform to perform the secure operation on the transformed data, receives a result of the secure operation from the secure compute engine, and transmits the result to the application.