Patents by Inventor Alexey Kostyushko

Alexey Kostyushko has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11630742
    Abstract: Disclosed herein are systems and method for performing recovery using a backup image. In one exemplary aspect, a method comprises scanning a plurality of files on one or more storage devices of a computing device. The method may determine a first set of files from the plurality of files that will be used during recovery of the one or more storage devices, and tag a second set of files that will not be used during recovery. The method may copy the second set of files that have been tagged to an external storage device, and may store the first set of files in a backup image for the computing device (excluding the tagged second set of files from the backup image). The method may add, to the backup image, a respective link to each of the tagged second set of files in the external storage device.
    Type: Grant
    Filed: March 13, 2020
    Date of Patent: April 18, 2023
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Alexey Kostyushko, Alexey Dod, Anton Enakiev, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11611586
    Abstract: A system and method is provided for detecting a suspicious process in an operating system environment. In an exemplary aspect, a method comprises generating, by a hardware processor, a file honeypot in a directory in a file system and receiving a directory enumeration request from a process executing in the operating system environment. The method comprises determining whether the process is identified in a list of trusted processes and in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request. The method further comprises intercepting, by a file system filter driver, a file modification request for the file honeypot from the process, and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.
    Type: Grant
    Filed: February 2, 2021
    Date of Patent: March 21, 2023
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Alexey Dod, Alexey Kostyushko, Valeriy Chernyakovsky, Serguei Beloussov, Sergey Ulasen, Stanislav Protasov
  • Patent number: 11438349
    Abstract: Disclosed herein are systems and method for protecting an endpoint device from malware. In one aspect, an exemplary method comprises performing, by a light analysis tool of the endpoint, a light static analysis of a sample, terminating the process and notifying the user when the process is malware, performing light dynamic analysis when the process is not malware based on the light static analysis, when the process is clean based on the light dynamic analysis, enabling the process to execute, when the process is malware, terminating the process and notifying the user, and when the process is suspicious pattern, suspending the process, setting a level of trust, sending the sample to a sandbox, terminating the process and notifying the user when the process is a malware based on received final verdict, enabling the process to resume executing when the process is determined as being clean based on the final verdict.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: September 6, 2022
    Assignee: Acronis International GmbH
    Inventors: Alexey Kostyushko, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov, Anastasia Pereberina, Nikolay Grebennikov
  • Patent number: 11403086
    Abstract: Disclosed are methods and systems for upgrading a container to another version of an operating system while preserving user applications and data of the container. In a general aspect, the method comprises: copying, from a first container host to an auxiliary host, an operating system kernel of the first container host, and system files and user applications and data of the container; upgrading on the auxiliary host the operating system, including the kernel of the operating system and system files of the container, from one version of the operating system to another version of the operating system, while preserving user applications and data; and copying, from the auxiliary host to a second container host, the system files of the upgraded operating system, and the preserved user applications and data.
    Type: Grant
    Filed: October 28, 2016
    Date of Patent: August 2, 2022
    Assignee: Virtuozzo International GmbH
    Inventors: Mikhail Philippov, Alexey Kostyushko, Alexey Kobets
  • Publication number: 20220207134
    Abstract: Disclosed herein are systems and methods for securing cloud meetings using containers. In one aspect, an exemplary system comprises, a device comprising a processor, an OS operable in a user mode and a kernel mode, and a kernel driver for performing operations while in kernel mode, the kernel driver having a kernel driver interceptor configured to: register for a process notification callback for user applications used for web-based meetings, monitor to determine when a process notification callback is received, receive a process notification callback and a command line in the callback, and analyze and transmit the command line to a service that secures the meeting, wherein the securing is performed by: configuring a container for executing the user application in an isolated virtual environment, transferring, to the container, all resources needed to run the user application, and executing the user application in the container.
    Type: Application
    Filed: December 28, 2021
    Publication date: June 30, 2022
    Inventors: Stanislav Protasov, Anton Enakiev, Alexey Kostyushko, Vladimir Strogov, Serguei Beloussov
  • Patent number: 11126718
    Abstract: A technique is described for protecting file data from malicious programs, in particularly, by decrypting data that has been maliciously encrypted by software such as ransomware. The described technique generates a copy of a first block of a plurality of files stored on a computing device, and also intercepts request(s) from a process executing on the computing device to obtain certain types of random data and system entropy, which are recorded. When the system detects that the plurality of files have been encrypted by a malicious program, the described system determines a cryptographic key determined based on the generated copies of the first blocks of the plurality of files and on the recorded random data, and uses that key to decrypt the plurality of files.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: September 21, 2021
    Assignee: Acronis International GmbH
    Inventors: Alexey Kostyushko, Stanislav Protasov, Serguei Beloussov
  • Patent number: 11106792
    Abstract: Disclosed herein are systems and method for deep dynamic analysis for protecting endpoint devices from malware. In one aspect, an exemplary method comprises launching a deep analysis process, by a deep analysis tool, the launching including: injecting a dynamically loaded component into an address space of an application code and initializing, by the dynamically loaded component, to allow an execution activity, by the injected dynamically loaded component, parsing dependencies of run-time linkages, hooking system functions, creating an application memory map with separate application and system code areas, transferring control back to the application code, and performing on-sample-execution activity, obtaining control of exception handler and monitoring attempts to use the exception handler, changing an available area, logging accesses, inspecting exception reasons and applying policies, determining whether or not the application of the sample is a malware, and sending a final verdict.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: August 31, 2021
    Assignee: Acronis International GmbH
    Inventors: Alexey Kostyushko, Anastasia Pereberina, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11074114
    Abstract: The described system provides one or more processors and memory, coupled to the one or more processors, storing thereon a first OS kernel that receives a system call to access a second OS kernel function from a subsystem of the second OS retransmits the system call to one or more drivers of the first OS, support the subsystem. The system further comprises a subsystem of the second OS, comprising one or more user space components executing natively in a non-privileged mode of the one or more processors, a set of drivers associated with the second OS, the set of support components, and the one or more drivers of the first OS. The one or more drivers of the first OS receive the system call originating from the subsystem, wherein the system call is retransmitted by the first OS kernel and process the system call.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: July 27, 2021
    Assignee: Virtuozzo International GmbH
    Inventors: Alexey Kostyushko, Alexey Kobets
  • Patent number: 11070570
    Abstract: Disclosed herein are systems and method for correlating malware detections by endpoint devices and servers. In one aspect, an exemplary method comprises receiving, by a correlator, from one or more servers, one or more events collected without invasive techniques, one or more events collected using one or more invasive techniques, and one or more final verdicts, correlating the one or more events collected without invasive techniques with one or more events collected using the one or more invasive techniques, creating a suspicious pattern when an event of the one or more events collected without invasive techniques is correlated with an event of the one or more events collected using the one or more invasive techniques, and the event of the one or more events collected using one or more invasive techniques is used to detect a malware, and updating databases of one or more endpoint devices with created suspicious patterns.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: July 20, 2021
    Assignee: Acronis International GmbH
    Inventors: Alexey Kostyushko, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov, Anastasia Pereberina, Nikolay Grebennikov
  • Publication number: 20210160284
    Abstract: A system and method is provided for detecting a suspicious process in an operating system environment. In an exemplary aspect, a method comprises generating, by a hardware processor, a file honeypot in a directory in a file system and receiving a directory enumeration request from a process executing in the operating system environment. The method comprises determining whether the process is identified in a list of trusted processes and in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request. The method further comprises intercepting, by a file system filter driver, a file modification request for the file honeypot from the process, and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.
    Type: Application
    Filed: February 2, 2021
    Publication date: May 27, 2021
    Inventors: Vladimir Strogov, Alexey Dod, Alexey Kostyushko, Valeriy Chernyakovsky, Serguei Beloussov, Sergey Ulasen, Stanislav Protasov
  • Patent number: 11012449
    Abstract: Disclosed herein are systems and method for detecting malwares by a server of a sandbox. In one aspect, an exemplary method comprises receiving, by a deep dynamic analysis tool of the server, a sample of a process from an endpoint device with a request for a final verdict indicative of whether the process is a malware or clean based on a deep dynamic analysis, collecting events for the sample, the collected events including events collected using at least one invasive technique, analyzing the collected events using one or more detection models of the deep dynamic analysis tool to detect malwares and issue the final verdict, and sending final verdict to the endpoint device from which the sample is received.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: May 18, 2021
    Assignee: Acronis International GmbH
    Inventors: Alexey Kostyushko, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov, Anastasia Pereberina, Nikolay Grebennikov
  • Patent number: 10938854
    Abstract: A system and method is provided for detecting ransomware and malicious programs.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: March 2, 2021
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Alexey Dod, Alexey Kostyushko, Valeriy Chernyakovsky, Serguei Beloussov, Sergey Ulasen, Stanislav Protasov
  • Patent number: 10917435
    Abstract: Methods and systems are disclosed herein for detecting malicious software executing on a plurality of computing devices. In an exemplary aspect, a method comprises collecting, from a plurality of agents executing on a respective computing device, analysis data corresponding to executables on the respective computing device, determining a suspicious activity pattern based on the received analysis data, determining that at least one executable on a computing device is malware based on the determined suspicious activity pattern, generating a plurality of remedial actions for protecting respective computing devices of the plurality of agents based on the suspicious activity pattern, and distributing, to the plurality of agents, the plurality of remedial actions to protect the respective computing device from the malware.
    Type: Grant
    Filed: August 17, 2018
    Date of Patent: February 9, 2021
    Assignee: Acronis International GmbH
    Inventors: Anatoly Stupak, Vladimir Strogov, Alexey Dod, Serguei Beloussov, Valeriy Chernyakovskiy, Alexey Kostyushko, Stanislav Protasov
  • Publication number: 20210014251
    Abstract: Disclosed herein are systems and method for protecting an endpoint device from malware. In one aspect, an exemplary method comprises performing, by a light analysis tool of the endpoint, a light static analysis of a sample, terminating the process and notifying the user when the process is malware, performing light dynamic analysis when the process is not malware based on the light static analysis, when the process is clean based on the light dynamic analysis, enabling the process to execute, when the process is malware, terminating the process and notifying the user, and when the process is suspicious pattern, suspending the process, setting a level of trust, sending the sample to a sandbox, terminating the process and notifying the user when the process is a malware based on received final verdict, enabling the process to resume executing when the process is determined as being clean based on the final verdict.
    Type: Application
    Filed: September 24, 2020
    Publication date: January 14, 2021
    Inventors: Alexey Kostyushko, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov, Anastasia Pereberina, Nikolay Grebennikov
  • Patent number: 10826919
    Abstract: Disclosed herein are systems and method for protecting an endpoint device from malware. In one aspect, an exemplary method comprises performing, by a light analysis tool of the endpoint, a light static analysis of a sample, terminating the process and notifying the user when the process is malware, performing light dynamic analysis when the process is not malware based on the light static analysis, when the process is clean based on the light dynamic analysis, enabling the process to execute, when the process is malware, terminating the process and notifying the user, and when the process is suspicious pattern, suspending the process, setting a level of trust, sending the sample to a sandbox, terminating the process and notifying the user when the process is a malware based on received final verdict, enabling the process to resume executing when the process is determined as being clean based on the final verdict.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: November 3, 2020
    Assignee: Acronis International GmbH
    Inventors: Alexey Kostyushko, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov, Anastasia Pereberina, Nikolay Grebennikov
  • Publication number: 20200310923
    Abstract: Disclosed herein are systems and method for performing recovery using a backup image. In one exemplary aspect, a method comprises scanning a plurality of files on one or more storage devices of a computing device. The method may determine a first set of files from the plurality of files that will be used during recovery of the one or more storage devices, and tag a second set of files that will not be used during recovery. The method may copy the second set of files that have been tagged to an external storage device, and may store the first set of files in a backup image for the computing device (excluding the tagged second set of files from the backup image). The method may add, to the backup image, a respective link to each of the tagged second set of files in the external storage device.
    Type: Application
    Filed: March 13, 2020
    Publication date: October 1, 2020
    Inventors: Vladimir Strogov, Alexey Kostyushko, Alexey Dod, Anton Enakiev, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20200311268
    Abstract: Disclosed herein are systems and method for deep dynamic analysis for protecting endpoint devices from malware. In one aspect, an exemplary method comprises launching a deep analysis process, by a deep analysis tool, the launching including: injecting a dynamically loaded component into an address space of an application code and initializing, by the dynamically loaded component, to allow an execution activity, by the injected dynamically loaded component, parsing dependencies of run-time linkages, hooking system functions, creating an application memory map with separate application and system code areas, transferring control back to the application code, and performing on-sample-execution activity, obtaining control of exception handler and monitoring attempts to use the exception handler, changing an available area, logging accesses, inspecting exception reasons and applying policies, determining whether or not the application of the sample is a malware, and sending a final verdict.
    Type: Application
    Filed: March 29, 2019
    Publication date: October 1, 2020
    Inventors: Alexey Kostyushko, Anastasia Pereberina, Serguei Beloussov, Stanislav Protasov
  • Patent number: 10713181
    Abstract: On a computer system having a processor, a single OS and a first instance of a system driver installed and performing system services, method for sharing driver pages among Containers, including instantiating a plurality of Containers that virtualize the OS, wherein the first instance is loaded from an image, and instantiating a second instance of the system driver upon request from Container for system services by: allocating virtual memory pages for the second instance and loading, from the image, the second instance into a physical memory; acquiring virtual addresses of identical pages of the first instance compared to the second instance; mapping the virtual addresses of the identical pages of the second instance to physical pages to which virtual addresses of the corresponding pages of the first instance are mapped, and protecting the physical pages from modification; and releasing physical memory occupied by the identical pages of the second instance.
    Type: Grant
    Filed: February 21, 2019
    Date of Patent: July 14, 2020
    Assignee: Virtuozzo International GmbH
    Inventors: Pavel Makhov, Marina Kudinova, Alexey Kostyushko, Mikhail Philippov
  • Publication number: 20200204589
    Abstract: A system and method is provided for detecting ransomware and malicious programs.
    Type: Application
    Filed: September 17, 2018
    Publication date: June 25, 2020
    Inventors: Vladimir Strogov, Alexey Dod, Alexey Kostyushko, Valeriy Chernyakovsky, Serguei Beloussov, Sergey Ulasen, Stanislav Protasov
  • Publication number: 20200137087
    Abstract: Disclosed herein are systems and method for detecting malwares by a server of a sandbox. In one aspect, an exemplary method comprises receiving, by a deep dynamic analysis tool of the server, a sample of a process from an endpoint device with a request for a final verdict indicative of whether the process is a malware or clean based on a deep dynamic analysis, collecting events for the sample, the collected events including events collected using at least one invasive technique, analyzing the collected events using one or more detection models of the deep dynamic analysis tool to detect malwares and issue the final verdict, and sending final verdict to the endpoint device from which the sample is received.
    Type: Application
    Filed: March 1, 2019
    Publication date: April 30, 2020
    Inventors: Alexey Kostyushko, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov, Anastasia Pereberina, Nikolay Grebennikov