Abstract: A computer-implemented method can be used for restoring a computer system following an infection event. The computer system can have a plurality of machines, in which a plurality of back-up copies are associated with each one of the plurality of machines, and in which each of the plurality of back-up copies associated with a particular machine is a different version back-up. The method can include searching the plurality of back-up copies to identify one or more clean-back-up copies that do not comprise a signature of the infection event and restoring one or more of the plurality of machines using a respective clean-back-up copy.

Abstract: The disclosure relates to a method for detecting a suspected infection event, the method comprising: receiving data associated with back-up copies of a plurality of machines including at least a first machine and a second machine, in which the data is indicative of a size of the associated back-up copy; and determining whether to classify data associated with at least one back-up copy associated with at least a second machine as anomalous based on an anomalous pattern identified in data associated with a back-up copy associated with a first machine.