Abstract: An information management system can detect instances in which data is being stored in a non-standard file path and can alert the user of the client computing device, modify the storage policy to include the non-standard file path, and/or initiate a secondary copy operation to prevent data loss of the data stored in the non-standard file path. For example, a client computing device may execute a filter driver that monitors interactions with files in the file system. The filter driver can identify any non-standard file paths not subject to a storage policy that include files in which interactions occurred. For a non-standard file path, the filter driver can determine whether the frequency of interaction with files in the non-standard file path satisfies a threshold frequency. If the threshold is satisfied, then the filter driver may determine that the files should be subject to the storage policy and take appropriate action.

Abstract: An information management system can detect instances in which data is being stored in a non-standard file path and can alert the user of the client computing device, modify the storage policy to include the non-standard file path, and/or initiate a secondary copy operation to prevent data loss of the data stored in the non-standard file path. For example, a client computing device may execute a filter driver that monitors interactions with files in the file system. The filter driver can identify any non-standard file paths not subject to a storage policy that include files in which interactions occurred. For a non-standard file path, the filter driver can determine whether the frequency of interaction with files in the non-standard file path satisfies a threshold frequency. If the threshold is satisfied, then the filter driver may determine that the files should be subject to the storage policy and take appropriate action.

Abstract: A client computing device includes an entropy driver and a volume driver for protecting the client computing device against potential ransomware. The entropy driver is configured to determine one or more entropy values for a file in response to a determination that the file has been modified or changed. The determined entropy value may then be compared with a known entropy value for a filetype of the changed or modified file. Where the known entropy value and the determined entropy value differ, the volume driver may engage one or more protection operations to secure the client computing device from further corruption and/or modifications by potential ransomware and/or malware. The protection operations may include revoking and/or restricting one or more permissions on one or more storage volumes of the client computing device and backing up one or more files of the client computing device to secondary storage.

Abstract: An information management system includes one or more client computing devices in communication with a storage manager and a secondary storage computing device. The storage manager manages the primary data of the one or more client computing devices and the secondary storage computing device manages secondary copies of the primary data of the one or more client computing devices. Each client computing device may be configured with a ransomware protection monitoring application that monitors for changes in their primary data. The ransomware protection monitoring application may input the changes detected in the primary data into a machine-learning classifier, where the classifier generates an output indicative of whether a client computing device has been affected by malware and/or ransomware. Using a virtual machine host, a virtual machine copy of an affected client computing device may be instantiated using a secondary copy of primary data of the affected client computing device.

Abstract: An information management system includes one or more client computing devices in communication with a storage manager and a secondary storage computing device. The storage manager manages the primary data of the one or more client computing devices and the secondary storage computing device manages secondary copies of the primary data of the one or more client computing devices. Each client computing device may be configured with a ransomware protection monitoring application that monitors for changes in their primary data. The ransomware protection monitoring application may input the changes detected in the primary data into a machine-learning classifier, where the classifier generates an output indicative of whether a client computing device has been affected by malware and/or ransomware. Using a virtual machine host, a virtual machine copy of an affected client computing device may be instantiated using a secondary copy of primary data of the affected client computing device.

Abstract: An information management system can detect instances in which data is being stored in a non-standard file path and can alert the user of the client computing device, modify the storage policy to include the non-standard file path, and/or initiate a secondary copy operation to prevent data loss of the data stored in the non-standard file path. For example, a client computing device may execute a filter driver that monitors interactions with files in the file system. The filter driver can identify any non-standard file paths not subject to a storage policy that include files in which interactions occurred. For a non-standard file path, the filter driver can determine whether the frequency of interaction with files in the non-standard file path satisfies a threshold frequency. If the threshold is satisfied, then the filter driver may determine that the files should be subject to the storage policy and take appropriate action.

Abstract: This application relates to ransomware detection and data pruning management. Ransomware typically involves an I/O heavy process of encrypting data files and/or deleting or renaming the original files. Thus, ransomware attacks may be detected by analyzing the I/O activity in a given file system. In some embodiments, a software module running on a client machine manages copying, archiving, migrating, and/or replicating of primary data and restoring and/or pruning secondary data (e.g., backup copies of the primary data). When a potential ransomware attack is detected, the software module is immediately stopped so that the software module does not prune any data that may need to be restored. Upon receiving user input that indicates that the client machine is not under a ransomware attack, the software module is allowed to resume its operations, including pruning of the secondary data.

Abstract: This application relates to ransomware detection and intelligent restore. Ransomware typically involves an I/O heavy process of encrypting data files and/or deleting or renaming the original files. Thus, ransomware attacks may be detected by analyzing the I/O activity in a given file system. When a potential ransomware attack is detected, a timestamp is recorded. If the client machine is indeed taken over by the ransomware attack, an intelligent restore operation can be performed such that the file system is automatically restored to a point in time prior to the infection by the ransomware attack using the recorded timestamp.

Abstract: This application relates to ransomware detection. Ransomware typically involves an I/O heavy process of encrypting data files and/or deleting or renaming the original files. Thus, ransomware attacks may be detected by analyzing the I/O activity in a given file system. In some embodiments, a software module running on a client machine monitors the I/O activity in a file system. The software module records the number of times the files in the file system are modified, created, deleted, and renamed. The recorded number is compared against a threshold. If the number exceeds the threshold, the software module provides an alert to the user of the client machine that the client machine may be under a ransomware attack. In some embodiments, index data gathered as part of backup operations is utilized, either alone or in combination with the continuously monitored I/O activity data, to detect ransomware attacks.

Abstract: This application relates to ransomware detection and data pruning management. Ransomware typically involves an I/O heavy process of encrypting data files and/or deleting or renaming the original files. Thus, ransomware attacks may be detected by analyzing the I/O activity in a given file system. In some embodiments, a software module running on a client machine manages copying, archiving, migrating, and/or replicating of primary data and restoring and/or pruning secondary data (e.g., backup copies of the primary data). When a potential ransomware attack is detected, the software module is immediately stopped so that the software module does not prune any data that may need to be restored. Upon receiving user input that indicates that the client machine is not under a ransomware attack, the software module is allowed to resume its operations, including pruning of the secondary data.