Abstract: Techniques are provided for an isolated test environment for ransomware analysis. One or more enterprise applications are assigned to one or more server systems to be provisioned in an isolated test environment. An enterprise replica is generated in the isolated test environment by provisioning the one or more server systems and deploying the one or more enterprise applications on the one or more server systems. A kernel monitoring component is deployed on the one or more server systems in the isolated test environment. The kernel monitoring component is configured to generate kernel telemetry data for a plurality of system calls initiated by processes executing on the one or more server systems. A selected ransomware variant is deployed in the isolated test environment. An effect of the selected ransomware variant on the enterprise replica is determined based on analyzing the kernel telemetry data.

Abstract: Techniques are provided for ransomware defense and analysis based on kernel telemetry data. System calls initiated by processes executing on a computer system are monitored. Kernel telemetry data is generated for a plurality of system calls, the kernel telemetry data associating, for each system call of the plurality of system calls, a process invoking the system call, an operation type of the system call, and a target of the system call. The kernel telemetry data is analyzed. Based on analyzing the kernel telemetry data, it is determined that a particular process executed under control of a ransomware agent. In response to determining that the particular process executed under the control of the ransomware agent, one or more response measures are initiated.

Abstract: Systems, methods and non-transitory, tangible computer readable storage mediums encoded with processor readable instructions to scan files for malware are disclosed. An exemplary method includes writing, via a communication pathway, a first file to a storage medium that is utilized by the computer, requesting access to the first file so as to enable the first file to be scanned for malware, and delaying, when the first file resides on the storage medium, access to the first file while there is at least one I/O operation relative to the storage medium that has a higher priority level than a priority level of the request to access the first file. In addition, except to enable the first file to be scanned for malware, access to the first file is prevented until the first file has been scanned for malware.

Abstract: A system and method for analyzing executable files on a computer is described. The method in one embodiment includes initiating, with an operating system of the computer, execution of a loader-process; loading, using the loader-process, code of a first executable file into an executable-memory of the computer; and executing the code of the first executable file, wherein the code of the first executable file unpacks other packed-code to generate unpacked code. In addition, the loader-process executes the unpacked code and stops execution of the unpacked code in response to the unpacked code attempting to make a potentially dangerous system call. The unpacked code is analyzed, in response to the unpacked code attempting to make the potentially dangerous system call, to assess whether the first executable file is a pestware file.

Abstract: Systems and methods for scanning files for pestware on a protected computer are described. In one variation, when a file on a storage device is inaccessible via an operating system of the protected computer, a listing of a plurality of pointers for the file is located on the storage device. Each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations. One or more of the plurality of portions for the data are accessed and analyzed, while the operating system continues to limit access to the file via the operating system, so as to determine whether the file is a pestware file.

Abstract: A system and method for defining and detecting pestware is described. In one embodiment, a pestware file is received and at least a portion of the pestware file is placed into a processor-readable memory. A plurality of execution paths within code of the pestware file are followed and for each of a plurality of selected function calls within the execution paths of the pestware file, at least one parameter from each of the function calls is retrieved so as to obtain a plurality of parameters. A representation of each of the parameters is then stored in a processor-readable pestware-definition file, which is sent to a plurality of client devices.

Abstract: A system and method for defining and detecting pestware is described. One embodiment includes receiving a file and placing at least a portion of the file into a processor-readable memory of a computer. A plurality of execution paths within code of the pestware file are followed and particular instructions within the execution paths are identified. A representation of the relative locations of each of the particular instructions within the code of the file are compared against a pestware-definition file so as to determine whether the file is a potential pestware file.

Abstract: Systems, methods and non-transitory, tangible computer readable storage mediums encoded with processor readable instructions to scan files for malware are disclosed. An exemplary method includes writing, via a communication pathway, a first file to a storage medium that is utilized by the computer, requesting access to the first file so as to enable the first file to be scanned for malware, and delaying, when the first file resides on the storage medium, access to the first file while there is at least one I/O operation relative to the storage medium that has a higher priority level than a priority level of the request to access the first file. In addition, except to enable the first file to be scanned for malware, access to the first file is prevented until the first file has been scanned for malware.

Abstract: A method and system for scanning a computer storage device for malware is described. One embodiment keeps track of which portion or portions of each of a plurality of files on a computer storage device are requested for analysis by an anti-malware engine during a first scan of the computer storage device for malware; prefetches, during a second scan of the computer storage device for malware, the portion or portions of each of at least a subset of the plurality of files that were requested by the anti-malware engine during the first scan, the prefetched data being supplied to the anti-malware engine for analysis as requested; and takes corrective action responsive to the results of at least one of the first and second scans.

Abstract: Systems and methods for scanning files for pestware on a protected computer are described. In one variation, locations of each of a plurality of files in a file storage device of the protected computer are identified while substantially circumventing an operating system of the protected computer. Information from each of the plurality of files is retrieved and analyzed so as to determine whether any of the plurality of files are potential pestware files. In variations, the operating system is circumvented while the information from each of the plurality of files is retrieved. In other variations, before information is retrieved from each of the plurality of files, a listing of the plurality of files is sorted according to the locations of the files on the storage device so as to reduce, even further, the time required to access the plurality of files.

Abstract: A method and system for efficiently scanning a computer storage volume for pestware is described. One embodiment determines whether a file on the storage device has been modified since it was last scanned for pestware; includes the file in a set of files to be scanned for pestware when it is determined that the file has been modified since it was last scanned for pestware; omits the file from the set of files to be scanned for pestware when it is determined that the file has not been modified since it was last scanned for pestware; scans the files in the set of files for pestware; and reports results of the pestware scan to a user.

Abstract: Systems and methods for managing access to a file storage device are described. One embodiment is configured to initially allow an anti-pestware process to access the file storage device, and then in response to identifying a process, other than the anti-pestware process, attempting to access the file storage device while the anti-pestware process is accessing the storage device, ceasing to allow the anti-pestware process to access the storage device during an interrupt period. In this embodiment, the interrupt period is limited so as to allow the anti-pestware process to access the storage device of the computer even if the at least one process continues to attempt to access the storage device. In variations, the interrupt period is extended one or more times in response to one or more processes other than the anti-pestware process attempting to access the file storage device.

Abstract: Systems and methods for managing multiple related pestware processes on a protected computer are described. One embodiment is configured to identify a location of each of a plurality of files in at least one file storage device of the protected computer and store a list of the location of each of the plurality of files. The list of the plurality of files is then sorted so as to generate a sorted list. Each of the plurality of files is then sequentially accessed as listed in the sorted list so as to retrieve information from each of the plurality of files. Information from the plurality of files is then analyzed to determine whether any of the plurality of files are potential pestware files. In variations, the files in the file storage device are enumerated, and information from the files is accessed, by circumventing the operating system of the protected computer.

Abstract: A system and method for defining and detecting pestware is described. One embodiment includes receiving a file and placing at least a portion of the file into a processor-readable memory of a computer. A plurality of execution paths within code of the pestware file are followed and particular instructions within the execution paths are identified. A representation of the relative locations of each of the particular instructions within the code of the file are compared against a pestware-definition file so as to determine whether the file is a potential pestware file.

Abstract: A system and method for defining and detecting pestware is described. In one embodiment, a pestware file is received and at least a portion of the pestware file is placed into a processor-readable memory. A plurality of execution paths within code of the pestware file are followed and for each of a plurality of selected function calls within the execution paths of the pestware file, at least one parameter from each of the function calls is retrieved so as to obtain a plurality of parameters. A representation of each of the parameters is then stored in a processor-readable pestware-definition file, which is sent to a plurality of client devices.

Abstract: A system and method for analyzing executable files on a computer is described. The method in one embodiment includes initiating, with an operating system of the computer, execution of a loader-process; loading, using the loader-process, code of a first executable file into an executable-memory of the computer; and executing the code of the first executable file, wherein the code of the first executable file unpacks other packed-code to generate unpacked code. In addition, the loader-process executes the unpacked code and stops execution of the unpacked code in response to the unpacked code attempting to make a potentially dangerous system call. The unpacked code is analyzed, in response to the unpacked code attempting to make the potentially dangerous system call, to assess whether the first executable file is a pestware file.

Abstract: A system and method for scanning files on a computer-readable storage medium is described. In one embodiment the method includes retrieving a first piece of information from a first file located at a first portion of the computer-readable storage medium and caching the first piece of information from the first file before retrieving information from a second stored file located at a second portion of the computer-readable storage medium. In addition, a second piece of information from the first file located at a third portion of the computer readable medium is retrieved and analyzed to determine whether the first file is a potential pestware file.

Abstract: A system and method for analyzing files on a computer is described. In one embodiment the system includes a loader module configured to sequentially receive code from a plurality of files stored on a computer-readable medium and initiate execution of the code in a process space of the loader module. In addition, the loader module is configured to stop execution of the code in response to the code attempting to carry out particular instructions while executing. The system also includes a detection module configured to analyze the code from each of the plurality of files after the code is loaded by the loader module.

Abstract: A system and method for gathering information about files stored is described. In one embodiment the method includes identifying a starting location of a file table of the data storage device. The file table includes an entry for the file table and entries for other files stored on the data storage device. The method also includes accessing a data attribute within the entry for the file table, which includes pointers to other locations where portions of the file table are stored on the data storage device. The pointers to the other locations are utilized to locate an entry in the file table for each of the other files, and attribute information for at least one attribute of each of the other files is retrieved from the entries for the other files.

Abstract: Systems and methods for scanning files for pestware on a protected computer are described. In one variation, locations of each of a plurality of files in a file storage device of the protected computer are identified while substantially circumventing an operating system of the protected computer. Information from each of the plurality of files is retrieved and analyzed so as to determine whether any of the plurality of files are potential pestware files. In variations, the operating system is circumvented while the information from each of the plurality of files is retrieved. In other variations, before information is retrieved from each of the plurality of files, a listing of the plurality of files is sorted according to the locations of the files on the storage device so as to reduce, even further, the time required to access the plurality of files.