Abstract: Information characterizing a security event is received from an agent executing on an endpoint computing device. The received information identifies a plurality of files encrypted as part of a ransomware attack and key material used when encrypting each of the files. Based on the received information, a surveyor package is generated which includes decryptor logic to decrypt at least a portion of the files. The surveyor package is deployed to the agent so that it can be unpacked and executed to decrypt at least a portion of the files. Once these files are decrypted, then can be transported to a safe computing environment Related apparatus, systems, techniques and articles are also described.

Abstract: A notification message is received indicating an upload of a file to a cloud service. An analysis engine (which can execute one or more machine learning models or other analysis operations) can generate information that characterizes the file which can be indicative of a level of trustworthiness for the file. In response to the generated information, each of a plurality of judges are notified to commence or revisit a judging process. In response to the notifications, the judges (which can execute one or more machine learning models or other analysis operations) retrieve the generated information and determine a respective trustworthiness score for the file. These scores can be stored in a corresponding judge database and/or data can be provided which characterizes the determined trustworthiness scores to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: A program identity of an unknown binary is inferred in response to a trigger (e.g., a request to access or execute the unknown binary, etc.). One or more authentication factors are then executed to authenticate the inferred program identity of the unknown binary as being one of a plurality of different programs. The program can be selectively provided with access to system resources and/or sensitive operations can be limited based on a program nature of the authenticated program identity. In some variations, the authentication factors cause a modified authentication workflow in which a human user provides input as to whether or not to authenticate the inferred program identity.

Abstract: Applications and processes executing on an endpoint are monitored to identify behavior indicative of malicious activity such as a ransomware attack. Messages generated from this monitoring as well as messages derived from external sources are stored in a queue for routing. A router selects some messages from the queue based on a routing policy and sends them to a cloud-based platform that can initiate various actions based on received messages. The router also sends some messages from the queue to a module that analyzes the messages and reduces their size by aggregating, correlating, and detecting relevant information. The module puts the modified messages back into the queue for further routing by the router according to the policy. Related apparatus, systems, techniques and articles are also described.

Abstract: A program identity of an unknown binary is inferred in response to a trigger (e.g., a request to access or execute the unknown binary, etc.). One or more authentication factors are then executed to authenticate the inferred program identity of the unknown binary as being one of a plurality of different programs. The program can be selectively provided with access to system resources and/or sensitive operations can be limited based on a program nature of the authenticated program identity. In some variations, the authentication factors cause a modified authentication workflow in which a human user provides input as to whether or not to authenticate the inferred program identity.

Abstract: Under one aspect, a computer-implemented method includes receiving a query at a query interface about whether a computer file comprises malicious code. It is determined, using at least one machine learning sub model corresponding to a type of the computer file, whether the computer file comprises malicious code. Data characterizing the determination are provided to the query interface. Generating the sub model includes receiving computer files at a collection interface. Multiple sub populations of the computer files are generated based on respective types of the computer files, and random training and testing sets are generated from each of the sub populations. At least one sub model for each random training set is generated.

Abstract: Under one aspect, a computer-implemented method includes receiving a query at a query interface about whether a computer file comprises malicious code. It is determined, using at least one machine learning sub model corresponding to a type of the computer file, whether the computer file comprises malicious code. Data characterizing the determination are provided to the query interface. Generating the sub model includes receiving computer files at a collection interface. Multiple sub populations of the computer files are generated based on respective types of the computer files, and random training and testing sets are generated from each of the sub populations. At least one sub model for each random training set is generated.

Abstract: A sample of data is placed within a directed graph that comprises a plurality of hierarchical nodes that form a queue of work items for a particular worker class that are used to process the sample of data. Subsequently, work items are scheduled within the queue for each of a plurality of workers by traversing the nodes of the directed graph. The work items are then served to the workers according to the queue. Results can later be received from the workers for the work items (the nodes of the directed graph are traversed based on the received results). In addition, in some variations, the results can be classified so that one or models can be generated. Related systems, methods, and computer program products are also described.