Patents by Inventor Aliaksei Dodz

Aliaksei Dodz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12645787
    Abstract: Systems and methods for detecting a malware injection in trusted processes. The method includes identifying one or more trusted processes, monitoring at least one thread associated with the trusted processes using at least one control point, detecting activity at the at least one thread based on the at least one control point and determining a timestamp of the detected activity, receiving from the trusted processes at least one execution stack corresponding to the timestamp and indicating the at least one control point used to monitor the at least one thread, applying a first malware detector to the at least one execution stack to generate a first verdict, collecting the first verdict and auxiliary information corresponding to the trusted processes at the given timestamp, and applying a second malware detector to the first verdict and the auxiliary information to generate a second verdict.
    Type: Grant
    Filed: June 30, 2023
    Date of Patent: June 2, 2026
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Sergey Ulasen, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Patent number: 12634337
    Abstract: The present disclosure includes methods and systems for processing a file input/output (I/O). A method may include beginning, by a processor, copy-on-write snapshotting for a file stored in electronic storage; establishing, by the processor, a scope of authorization within a first layer using a first authorization callback function; determining, by the processor, if a read file that is being tracked is being opened for modification; and if the read file that is being tracked is not being opened for modification, ending the copy-on-write snapshotting, or if the read file that is being tracked is being opened for modification, marking the file as a subject of the copy-on-write snapshotting and then ending the copy-on-write snapshotting.
    Type: Grant
    Filed: April 29, 2024
    Date of Patent: May 19, 2026
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Aliaksei Dodz, Valery Chernyakovskiy, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20260093835
    Abstract: Systems and methods of persistent file protection including determining an incident, intercepting a file operation in a kernel mode based on the incident, determining file information associated with a file to be modified by the file operation, storing the file information in a persistent file cache (PFC), tracking a file change between system shutdown and system restart, receiving a remediation action based on the incident, and performing remediation of the file using the file information stored in PFC.
    Type: Application
    Filed: October 1, 2024
    Publication date: April 2, 2026
    Inventors: Vladimir Strogov, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Patent number: 12585829
    Abstract: Systems and methods for management of registry data within a computing environment, for example using a dual cache mechanism. The method comprises use of a fast registry cache and a persistent registry cache to manage different aspects of the registry call information. The method further comprises integration of the registry call information with endpoint detection and response support.
    Type: Grant
    Filed: June 21, 2024
    Date of Patent: March 24, 2026
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Alexey Kostyushko, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Patent number: 12530449
    Abstract: A method and system for threat detection and analysis is disclosed herein. The method includes monitoring at least one thread associated with at least one process on a computing system. The method further includes detecting specific system calls associated with at least one process at kernel level. The specific system calls are analyzed by applying a filter to the system calls sequence feature set associated with the specific system calls for detecting one or more events of interest. A full stack trace capture of at least one process is requested if the system calls sequence feature set is filtered and the one or more events of interest are detected. A first level monitoring is provided to the computing system, which includes processing and analyzing the captured full stack trace by a machine learning (ML) stack trace analyzer to generate a first verdict for threat detection and analysis.
    Type: Grant
    Filed: December 30, 2022
    Date of Patent: January 20, 2026
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Sergey Ulasen, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Publication number: 20260003608
    Abstract: Systems and methods for dynamic software updating without update points. Software objects are updated at any moment during execution. Updating of object state (“upgrade”) is asynchronous with the update process. Delayed synchronization of state allows for control over timing and extent of state transitions.
    Type: Application
    Filed: June 28, 2024
    Publication date: January 1, 2026
    Inventors: Vladimir Strogov, Alexey Kostyushko, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Publication number: 20260003953
    Abstract: Systems and methods for ransomware protection in advanced injection-based attacks. Events from a driver are analyzed to identify a potentially malicious actor. A confidence level is calculated for the potentially malicious actor identification to weigh the probability that the actor is malware or a source of malware. Behavior associated with the potentially malicious actor can be collected, if it is likely that the potentially malicious actor is associated with malware, such as if the confidence level is over a predetermined threshold. Subsequently, one or more virtual honeypots are generated for the suspicious processes and the response to the virtual honeypots is included in anti-ransomware heuristic analysis.
    Type: Application
    Filed: August 28, 2025
    Publication date: January 1, 2026
    Inventors: Vladimir Strogov, Aliaksei Dodz, Oleg Ishanov, Serg Bell, Stanislav Protasov
  • Publication number: 20250390608
    Abstract: Systems and methods for management of registry data within a computing environment, for example using a dual cache mechanism. The method comprises use of a fast registry cache and a persistent registry cache to manage different aspects of the registry call information. The method further comprises integration of the registry call information with endpoint detection and response support.
    Type: Application
    Filed: June 21, 2024
    Publication date: December 25, 2025
    Inventors: Vladimir Strogov, Alexey Kostyushko, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Patent number: 12462020
    Abstract: Systems and methods for firmware protection of industrial control systems. A kernel-level agent operating at a kernel mode intercepts a request to the resource, collects data associated with the intercepted request, and sends the collected data to a security service. A security service receives the collected data, analyzes the collected data to determine a verdict, and sends the verdict to the kernel-level agent. The kernel-level agent then executes a security action for the resource based on the verdict.
    Type: Grant
    Filed: June 30, 2023
    Date of Patent: November 4, 2025
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Sergey Ulasen, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Patent number: 12464020
    Abstract: Systems and methods for protecting computing systems against ransomware attacks using AI-generated virtual file honeypots. Generative AI comprising a large language model generates virtual file honeypots automatically in response to attack vectors associated with suspect actors and ransomware families.
    Type: Grant
    Filed: March 28, 2024
    Date of Patent: November 4, 2025
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Alexey Kostyushko, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Publication number: 20250310376
    Abstract: Systems and methods for protecting computing systems against ransomware attacks using AI-generated virtual file honeypots. Generative AI comprising a large language model generates virtual file honeypots automatically in response to attack vectors associated with suspect actors and ransomware families.
    Type: Application
    Filed: March 28, 2024
    Publication date: October 2, 2025
    Inventors: Vladimir Strogov, Alexey Kostyushko, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Patent number: 12430435
    Abstract: Systems and methods for embedding into a storage stack of a UNIX based computing device. A method includes building a file storage map for a file stored in computing device data storage, intercepting a system call associated with the file, intercepting a storage stack operation, and analyzing the system call and the storage stack operation using the file storage map to determine a change to a data block of the file. The method further includes building a shadow copy of the file on backup storage. The method further includes detecting a malicious operation based on the change to the data block.
    Type: Grant
    Filed: March 30, 2023
    Date of Patent: September 30, 2025
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Serg Bell, Aliaksei Dodz, Denis Kopyrin, Stanislav Protasov
  • Publication number: 20250298893
    Abstract: Systems and methods for securing and managing API calls. A security dynamic link library (DLL) is a user mode component that intercepts API calls from an API client to an API server. A security kernel driver is a kernel mode component that hooks API calls from the security DLL to the API server. A protection service receives, analyzes, and processes API calls from the security DLL and the security kernel driver.
    Type: Application
    Filed: March 22, 2024
    Publication date: September 25, 2025
    Inventors: Vladimir Strogov, Alexey Kostyushko, Aliaksei Dodz, Anastasia Pereberina, Serg Bell, Stanislav Protasov
  • Patent number: 12423411
    Abstract: Systems and methods for ransomware protection in advanced injection-based attacks. Events from a driver are analyzed to identify a potentially malicious actor. A confidence level is calculated for the potentially malicious actor identification to weigh the probability that the actor is malware or a source of malware. Behavior associated with the potentially malicious actor can be collected, if it is likely that the potentially malicious actor is associated with malware, such as if the confidence level is over a predetermined threshold. Subsequently, one or more virtual honeypots are generated for the suspicious processes and the response to the virtual honeypots is included in anti-ransomware heuristic analysis.
    Type: Grant
    Filed: November 27, 2023
    Date of Patent: September 23, 2025
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Aliaksei Dodz, Oleg Ishanov, Serg Bell, Stanislav Protasov
  • Patent number: 12418567
    Abstract: Systems and methods for ransomware protection in advanced injection-based attacks. The call stack(s) of injected threads are analyzed and a preliminary verdict of benign or malicious can be determined. Additional sensors collect data to associate injected threads with other activities or actors to further estimate the injected thread being benign or malicious. If the threat level is high enough, such as over a given threshold, the preliminary verdict can be determined to be malicious. Subsequently, one or more virtual honeypots are generated for the suspicious threads and the injected thread's response to the virtual honeypots is included in anti-ransomware heuristic analysis.
    Type: Grant
    Filed: November 27, 2023
    Date of Patent: September 16, 2025
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Publication number: 20250217475
    Abstract: Systems and methods for threat detection and analysis. A method includes monitoring at least one thread associated with at least one user process on a computing device. The method further includes detecting specific-system calls associated with at least one user process at user level. The specific-system calls are analyzed by applying a filter to system calls sequence feature sets associated with the specific-system calls for detecting one or more events of interest. A capture of a full stack trace of at least one user process is requested if the system calls sequence feature set is filtered and at least one event of interest is detected. A first level monitoring is provided to the computing device, which includes processing and analyzing the captured full stack trace by a machine learning (ML) stack trace analyzer to generate a first verdict for threat detection and analysis.
    Type: Application
    Filed: March 18, 2025
    Publication date: July 3, 2025
    Inventors: Vladimir Strogov, Sergey Ulasen, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Publication number: 20250175498
    Abstract: Systems and methods for ransomware protection in advanced injection-based attacks. The call stack(s) of injected threads are analyzed and a preliminary verdict of benign or malicious can be determined. Additional sensors collect data to associate injected threads with other activities or actors to further estimate the injected thread being benign or malicious. If the threat level is high enough, such as over a given threshold, the preliminary verdict can be determined to be malicious. Subsequently, one or more virtual honeypots are generated for the suspicious threads and the injected thread's response to the virtual honeypots is included in anti-ransomware heuristic analysis.
    Type: Application
    Filed: November 27, 2023
    Publication date: May 29, 2025
    Inventors: Vladimir Strogov, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Publication number: 20250173423
    Abstract: Systems and methods for ransomware protection in advanced injection-based attacks. Events from a driver are analyzed to identify a potentially malicious actor. A confidence level is calculated for the potentially malicious actor identification to weigh the probability that the actor is malware or a source of malware. Behavior associated with the potentially malicious actor can be collected, if it is likely that the potentially malicious actor is associated with malware, such as if the confidence level is over a predetermined threshold. Subsequently, one or more virtual honeypots are generated for the suspicious processes and the response to the virtual honeypots is included in anti-ransomware heuristic analysis.
    Type: Application
    Filed: November 27, 2023
    Publication date: May 29, 2025
    Inventors: Vladimir Strogov, Aliaksei Dodz, Oleg Ishanov, Serg Bell, Stanislav Protasov
  • Patent number: 12299120
    Abstract: System and method for detecting and curing a hollowing attack is disclosed herein. The method comprises monitoring real-time process memory parameters of a target process; retrieving real-time process memory parameters of the target process; comparing the real-time process memory parameters of the target process with reference process parameters of the target process stored in a system storage of the computing system and parameters of the process creation call-back notification; detecting a hollowing attack based on the comparison in previous step; in response to detecting the hollowing attack, determining a threat source file of malicious code; determining address space of the hollowed process on the computing system based on system log data; and curing the computing system by blocking execution of the threat source file and deleting threat resources associated therewith from the computing system.
    Type: Grant
    Filed: September 29, 2022
    Date of Patent: May 13, 2025
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Patent number: 12287866
    Abstract: Systems and methods for threat detection and analysis. A method includes monitoring at least one thread associated with at least one user process on a computing device. The method further includes detecting specific-system calls associated with at least one user process at user level. The specific-system calls are analyzed by applying a filter to system calls sequence feature sets associated with the specific-system calls for detecting one or more events of interest. A capture of a full stack trace of at least one user process is requested if the system calls sequence feature set is filtered and at least one event of interest is detected. A first level monitoring is provided to the computing device, which includes processing and analyzing the captured full stack trace by a machine learning (ML) stack trace analyzer to generate a first verdict for threat detection and analysis.
    Type: Grant
    Filed: March 30, 2023
    Date of Patent: April 29, 2025
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Sergey Ulasen, Aliaksei Dodz, Serg Bell, Stanislav Protasov