Abstract: Disclosed are systems and methods for detecting multiple malicious processes. The described techniques identify a first process and a second process launched on a computing device. The techniques receive from the first process a first execution stack indicating at least one first control point used to monitor at least one thread associated with the first process, and receive from the second process a second execution stack indicating at least one second control point used to monitor at least one thread associated with the second process. The techniques determine that both the first process and the second process are malicious using a machine learning classifier on the at least one first control point and the at least one second control point. In response, the techniques generate an indication that an execution of the first process and the second process is malicious.

Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.

Abstract: Disclosed herein are systems and methods for data remediation without data loss. In one exemplary aspect, the method comprises performing, at a first time, a first backup of a plurality of files on a file system of a computer system; tracking changes to any of the plurality of files on the file system after the first time; performing, at a second time, a second backup of the plurality of files on the file system; detecting, based on a scan of the second backup, an infection of the computer system caused by a malicious application; identifying, by the processor, a most recent backup of the file system that does not comprise the infection; in response to determining that the first backup is the most recent backup: restoring the first backup to the file system, and restoring a subset of files on the file system for which authorized changes.

Abstract: Disclosed herein are systems and method for protecting an endpoint device from malware. In one aspect, an exemplary method comprises performing, by a light analysis tool of the endpoint, a light static analysis of a sample, terminating the process and notifying the user when the process is malware, performing light dynamic analysis when the process is not malware based on the light static analysis, when the process is clean based on the light dynamic analysis, enabling the process to execute, when the process is malware, terminating the process and notifying the user, and when the process is suspicious pattern, suspending the process, setting a level of trust, sending the sample to a sandbox, terminating the process and notifying the user when the process is a malware based on received final verdict, enabling the process to resume executing when the process is determined as being clean based on the final verdict.

Abstract: Disclosed herein are systems and method for detecting malwares by a server of a sandbox. In one aspect, an exemplary method comprises receiving, by a deep dynamic analysis tool of the server, a sample of a process from an endpoint device with a request for a final verdict indicative of whether the process is a malware or clean based on a deep dynamic analysis, collecting events for the sample, the collected events including events collected using at least one invasive technique, analyzing the collected events using one or more detection models of the deep dynamic analysis tool to detect malwares and issue the final verdict, and sending final verdict to the endpoint device from which the sample is received.

Abstract: Disclosed herein are systems and method for correlating malware detections by endpoint devices and servers. In one aspect, an exemplary method comprises receiving, by a correlator, from one or more servers, one or more events collected without invasive techniques, one or more events collected using one or more invasive techniques, and one or more final verdicts, correlating the one or more events collected without invasive techniques with one or more events collected using the one or more invasive techniques, creating a suspicious pattern when an event of the one or more events collected without invasive techniques is correlated with an event of the one or more events collected using the one or more invasive techniques, and the event of the one or more events collected using one or more invasive techniques is used to detect a malware, and updating databases of one or more endpoint devices with created suspicious patterns.

Abstract: Disclosed are systems and methods for detecting malicious applications. The described techniques detect a first process has been launched on a computing device, and monitor at least one thread associated with the first process using one or more control points of the first process. An execution stack associated with the one or more control points of the first process is received from the first process. In response to detecting activity on the one or more control points of the first process, an indication that the execution of the first process is malicious is generated by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.

Abstract: Methods of preserving and protecting user data from modification or loss due to malware are disclosed, as well as systems and computer program products related to the same.

Abstract: Disclosed are methods, systems and computer program products for backing up user data from a social network account. An exemplary general method includes the steps of obtaining access to a user account on a social network, by a social network application; determining, by the social network application, one or more restrictions on external requests for data imposed by the social network; generating, by a backup agent in communication with the social network application, an algorithm for requesting data from the user account based upon the one or more restrictions on external requests for data; requesting user data from the user account, by the social network application, using the algorithm; receiving the user data from the user account, by the social network application; transmitting the received user data from the social network application to the backup agent; and archiving the received user data, by the backup agent.

Abstract: Methods of preserving and protecting user data from modification or loss due to malware are disclosed, as well as systems and computer program products related to the same.

Abstract: Analysis of authenticity digital certificates includes. Initial information pertaining to digital certificates is collected from diverse information sources. For each of the digital certificates the initial information includes intrinsic parameter data from among contents of the digital certificate and extrinsic parameter data pertaining to the digital certificate and comprising static data not contained in the contents of the digital certificate. Selected parameter data is stored and analyzed to determine a measure of suspiciousness for each of the digital certificates. If necessary, circumstantial data based on actual usage of one or more of the digital certificates are collected. The initial data and supplemental data are compared against a set of decision criteria that define fraudulent activity, and a determination of authenticity of each of the digital certificates is made.

Abstract: Analysis of authenticity digital certificates includes. Initial information pertaining to digital certificates is collected from diverse information sources. For each of the digital certificates the initial information includes intrinsic parameter data from among contents of the digital certificate and extrinsic parameter data pertaining to the digital certificate and comprising static data not contained in the contents of the digital certificate. Selected parameter data is stored and analyzed to determine a measure of suspiciousness for each of the digital certificates. If necessary, circumstantial data based on actual usage of one or more of the digital certificates are collected. The initial data and supplemental data are compared against a set of decision criteria that define fraudulent activity, and a determination of authenticity of each of the digital certificates is made.

Abstract: A system, method, and computer program product for secure rating of processes in an executable file for malware presence comprising: (a) detecting an attempt to execute a file on a computer; (b) performing an initial risk assessment of the file; (c) starting a process from code in the file; (d) analyzing an initial risk pertaining to the process and assigning an initial security rating to the process; (e) monitoring the process for the suspicious activities; (f) updating the security rating of the process when the process attempts to perform the suspicious activity; (g) if the updated security rating exceeds a first threshold, notifying a user and continuing execution of the process; and (h) if the updated security rating exceeds a second threshold, blocking the action and terminating the process.