Abstract: Disclosed herein are systems and method for anti-malware scanning, including identifying a plurality of objects in a backup archive that is connected to a first network comprising a plurality of computing devices; scanning the plurality of objects in the backup archive to generate a whitelist indicating a subset of the plurality of objects that do not need to be scanned at a subsequent time; performing, using the whitelist, a first malware scan in a computing device of the plurality of computing devices; detecting that the computing device has left the first network to join a second network; and performing a second malware scan on the computing device, wherein the second malware scan uses a different whitelist of the second network, and wherein the second malware scan comprises scanning a first object that is not in the different whitelist and was not scanned in the first malware scan.

Abstract: Disclosed herein are systems and method for anti-malware scanning, including identifying a plurality of objects in a backup archive that is connected to a first network comprising a plurality of computing devices; scanning the plurality of objects in the backup archive to generate a whitelist indicating a subset of the plurality of objects that do not need to be scanned at a subsequent time; performing, using the whitelist, a first malware scan in a computing device of the plurality of computing devices; detecting that the computing device has left the first network to join a second network; and performing a second malware scan on the computing device, wherein the second malware scan uses a different whitelist of the second network, and wherein the second malware scan comprises scanning a first object that is not in the different whitelist and was not scanned in the first malware scan.

Abstract: Disclosed herein are systems and method for scanning objects of a computing device, by an anti-malware, using a white list created for an organization based on data of the organization. In one aspect, an exemplary method comprises obtaining one or more objects of the organization from the computing device, and for each obtained object of the one or more objects, computing a hash value of the obtained object, determining whether the obtained object is whitelisted, and scanning the obtained object based on whether the obtained object is whitelisted, wherein the whitelist is created based on scanning of objects stored in archives of the organization, and the obtained object is determined as being whitelisted when the computed hash value of the obtained object matches a hash value of an object in a whitelist created for the organization.

Abstract: Disclosed herein are systems and method for preventing malware reoccurrence when restoring a computing device using a backup image. In one exemplary aspect, a method may identify, from a plurality of backup images for a computing device, a backup image that was created most recently before the computing device was compromised. The method may mount the backup image as a disk and scanning the disk for malicious software. The method may disable all ports and services on the computing device to prevent unauthorized network connections and service launches. The method may restore data to the computing device from the mounted disk. The method may update software on the computing device and applying latest patches, and reopen the ports and restart the services on the computing device subsequent to updating the software and applying the latest patches.

Abstract: Disclosed herein are systems and method for anti-virus scanning of backup data at a centralized storage. In an exemplary aspect, a method may receive, at the centralized storage, a backup slice from each respective computing device in a plurality of computing devices, wherein the centralized storage comprises, for each respective computing device, a respective backup archive including a plurality of backup slices. The method may mount the received backup slice as a virtual disk. The method may detect, for the respective computing device, a change between the mounted virtual disk and any number of previous backup slices and may evaluate the change against behavioral rules to identify malicious behavior. In response to determining that the change exhibits malicious behavior, the method may execute a remediation action to prevent an attack on the plurality of computing devices or the centralized storage.

Abstract: Disclosed herein are systems and methods for data remediation without data loss. In one exemplary aspect, the method comprises performing, at a first time, a first backup of a plurality of files on a file system of a computer system; tracking changes to any of the plurality of files on the file system after the first time; performing, at a second time, a second backup of the plurality of files on the file system; detecting, based on a scan of the second backup, an infection of the computer system caused by a malicious application; identifying, by the processor, a most recent backup of the file system that does not comprise the infection; in response to determining that the first backup is the most recent backup: restoring the first backup to the file system, and restoring a subset of files on the file system for which authorized changes.

Abstract: Disclosed herein are systems and method for anti-virus scanning of backup data at a centralized storage. In an exemplary aspect, a method may receive, at the centralized storage, a backup slice from each respective computing device in a plurality of computing devices, wherein the centralized storage comprises, for each respective computing device, a respective backup archive including a plurality of backup slices. The method may mount the received backup slice as a virtual disk. The method may detect, for the respective computing device, a change between the mounted virtual disk and any number of previous backup slices and may evaluate the change against behavioral rules to identify malicious behavior. In response to determining that the change exhibits malicious behavior, the method may execute a remediation action to prevent an attack on the plurality of computing devices or the centralized storage.

Abstract: Disclosed herein are systems and method for preventing malware reoccurrence when restoring a computing device using a backup image. In one exemplary aspect, a method may identify, from a plurality of backup images for a computing device, a backup image that was created most recently before the computing device was compromised. The method may mount the backup image as a disk and scanning the disk for malicious software. The method may disable all ports and services on the computing device to prevent unauthorized network connections and service launches. The method may restore data to the computing device from the mounted disk. The method may update software on the computing device and applying latest patches, and reopen the ports and restart the services on the computing device subsequent to updating the software and applying the latest patches.

Abstract: Disclosed herein are systems and method for scanning objects of a computing device, by an anti-malware, using a white list created for an organization based on data of the organization. In one aspect, an exemplary method comprises obtaining one or more objects of the organization from the computing device, and for each obtained object of the one or more objects, computing a hash value of the obtained object, determining whether the obtained object is whitelisted, and scanning the obtained object based on whether the obtained object is whitelisted, wherein the whitelist is created based on scanning of objects stored in archives of the organization, and the obtained object is determined as being whitelisted when the computed hash value of the obtained object matches a hash value of an object in a whitelist created for the organization.

Abstract: Disclosed herein are systems and methods for data remediation without data loss. In one exemplary aspect, the method comprises performing, at a first time, a first backup of a plurality of files on a file system of a computer system; tracking changes to any of the plurality of files on the file system after the first time; performing, at a second time, a second backup of the plurality of files on the file system; detecting, based on a scan of the second backup, an infection of the computer system caused by a malicious application; identifying, by the processor, a most recent backup of the file system that does not comprise the infection; in response to determining that the first backup is the most recent backup: restoring the first backup to the file system, and restoring a subset of files on the file system for which authorized changes.