Abstract: A system and method of anti-malware analysis including iterative techniques that combine static and dynamic analysis of untrusted programs or files. These techniques are used to identify malicious files by iteratively collecting new data for static analysis through dynamic run-time analysis.

Abstract: A method of continuous development of an internal threat scan engine based on an iterative quality assessment includes iteratively performing a dynamic assessment of a quality of a threat detection with a frequency defined for each of objects in an object collection, wherein a result of the dynamic assessment includes internal and external scan results of the objects and a consistency verdict of the internal and external scan results of the objects, changing a frequency of scanning iteration of the objects based on the consistency verdict of the external and internal scan results of the objects, classifying the objects based on the result of the dynamic assessment, and creating a development task including the internal and external scan results of the objects, meta-data of the objects, and automated test results to provide details for developing a software to fix inconsistency of the internal and external scan results.

Abstract: A system and method are disclosed for performing non-invasive scan of a target device. The system is configured for: i) loading an endpoint protection agent to a target device; ii) providing a remote direct memory access of the target device to the remote security server for reading a memory of the target device; iii) scanning, by a second memory scan engine of the remote security server, the memory of the target device upon the violation of the security policy; iv) identifying, by the second memory scan engine of the remote security server, a threat on the target device; and v) sending, by the remote security server, a security response action to the endpoint protection agent on the target device in accordance with the security policy.

Abstract: Disclosed herein are systems and method for adjusting data protection levels based on system metadata. A method may include monitoring a computing device for a cyberattack, wherein a kernel driver of the computing device is configured to allow access to kernel control paths and hash tables in accordance with a first protection level, and detecting that the cyberattack is in progress. While the cyberattack is in progress, the method may include identifying kernel control paths and hashes of software objects that will be affected by the cyberattack, and configuring the kernel driver to disable access to the identified kernel control paths and hashes of the software objects in accordance with a second protection level, wherein the second protection level includes greater access restrictions to the computing device than the first protection level.

Abstract: Disclosed herein are systems and methods for indexing and searching an encrypted archive. In one exemplary aspect, a method comprises generating, by a hardware processor, an encrypted data archive based on a user backup performed using a backup plan with an encryption flag enabled and a user key; generating, by the hardware processor, an index key for the encrypted data archive; encrypting, by the hardware processor, the index key using the user key; storing, by the hardware processor, the index key in a secure data storage; creating and mounting, by the hardware processor, an encrypted file system folder for the encrypted data archive using the index key; decrypting, by the hardware processor, data in the encrypted data archive using the user key; and indexing, by the hardware processor, the decrypted data.

Abstract: Disclosed are systems and methods for managing computing resources for a remote session that has been established between a client and a remote server via a communication channel. Such a remote session is configured to automatically adapt image quality of the remote session based on a network status of the communication channel. The described technique includes detecting an inactive state of the remote session, and in turn, modifying at least one network setting of the client using a network shaping rule specified to artificially reduce a network quality of the communication channel used by the client for traffic of the remote session, so as to cause the client to reduce image quality of the remote session and reduce an amount of data exchanged between the remote server and the client.

Abstract: Disclosed herein are systems and method for determining a backup schedule on a computer system. In one exemplary aspect, a method may comprise collecting user behavior data on the computer system. The method may comprise analyzing the user behavior data to determine an optimal time of a backup session to create backup copies of modified data stored on a volume of the computer system and determining an optimal duration of the backup session based on the analyzed user behavior. The method may comprise determining a portion of the modified data that can be saved during the backup session within the optimal duration at the optimal time of backup, and performing the backup session comprising the portion.

Abstract: Disclosed herein are systems and methods for preventing malicious injections. In one aspect, a method includes monitoring active processes that are running in suspended mode. For each active process being monitored, the method includes injecting a dynamic link library (DLL) into the active process to hook an application programming interface (API) of an application corresponding to the active process, wherein the DLL is injected for tracking commands for suspension and resumption of the active process. The method includes monitoring file inputs and outputs of the application for anomalies while the active process is in the suspended mode, and when a command for resuming the active process is detected using the DLL, determining, based on the monitoring, whether a malicious process is inserted into the active process. The method includes allowing the suspended process to resume execution in response to determining that no malicious process is inserted in the active process.

Abstract: A processing device in a host computer system receives an instruction to write data to a storage device coupled to the host computer system and store a copy of the data in a cache of the host computer system. The processing device initiates a write operation to write the data from the cache to the storage device and detects that the storage device is disconnected from the host computer system during execution of the write operation. In response to detecting that the storage device is disconnected, the processing device may suspend execution of at least one of a virtual machine or a process that issued the first instruction. After determining that the storage device is reconnected to the host computer system, the processing device can resume the write operation to continue writing the data from the cache to the storage device.

Abstract: A system and method of anti-malware analysis including iterative techniques. These techniques are used to create a file attribute tree used by a machine learning analyzer to identify malicious files.

Abstract: Disclosed herein are systems and method for anti-malware scanning, including identifying a plurality of objects in a backup archive that is connected to a first network comprising a plurality of computing devices; scanning the plurality of objects in the backup archive to generate a whitelist indicating a subset of the plurality of objects that do not need to be scanned at a subsequent time; performing, using the whitelist, a first malware scan in a computing device of the plurality of computing devices; detecting that the computing device has left the first network to join a second network; and performing a second malware scan on the computing device, wherein the second malware scan uses a different whitelist of the second network, and wherein the second malware scan comprises scanning a first object that is not in the different whitelist and was not scanned in the first malware scan.

Abstract: Disclosed herein are systems and method for selectively restoring a computer system to an operational state. In an exemplary aspect, the method may include creating a backup image of the computer system comprising a set of data blocks, detecting that the computer system has begun an initial startup, identifying a subset of the data blocks read from a disk of the computer system during the initial startup. In response to determining that the computer system should be restored, the method may include restoring the subset of the data blocks such that the computer system is operational during startup, and restoring a remaining set of the data blocks from the backup image after the startup of the computer system.

Abstract: A data storage system uses erasure coding in combination with hashgraph to organize stored data and recover that data in a computing environment.

Abstract: The IOC Infrastructure management system (100) and method is disclosed for building an IOC infrastructure and its management thereof. The system mainly includes a IOC processing unit and an endpoint engine. The IOC processing unit is configured to i) source raw IOCs from a plurality of external sources, ii) convert format of the raw IOCs into a predetermined format of an IOC database using a parser unit, where each parser of the parser unit corresponds to at least one IOC format, iii) build and apply syntax tree to the parsed IOCs, where the syntax tree supports complex expression-based toolsets, such as YARA, and sort the IOCs lexicographically to avoid duplication of IOC entry and render the malware detection scanning process faster and efficient.

Abstract: The present disclosure relates to a system and method for rootkit detection based on a system dump sequence analysis. The system includes a security system in communication with one or more applications of a computing system. The security system includes a system event monitor to monitor events occurring at the applications, a system dump capture driver to capture differential system dumps corresponding to each event, and a rootkit detection engine to determine if a system state is infected. The rootkit detection engine is based on a machine learning model, where the machine learning model is trained on collection of clean system dumps and infectious system dumps. Based on analysis carried out by the machine learning model, the rootkit detection engine can classify the system state as suspicious, infectious, or clean state.

Abstract: The invention relates to data recovery technology. Each created backup is checked for the integrity of the placed files, while calculating the checksums of each block of data that can be restored from the backup. The computer system is restored from a backup copy by connecting it using the archive copy connection driver, which creates a virtual disk that is readable by standard means of the operating system of the computer system being restored. The booting of the operating system is performed from the virtual disk and, after restoring the functioning of the computer system, the system volume that has been damaged is restored from the backup copy to the local storage medium.

Abstract: The present disclosure relates to a system and method for creating a backup and restoring the exact clean system state prior to malware detection. The system includes a security system, in communication with one or more applications of a computing system, and a backup unit. The security system detects malware during execution of the applications or events based on a memory dump analysis. The backup unit creates a backup copy of the system state corresponding to each event, labels each copy and creates an index. When the security system detects presence of the malware at a particular event, the backup system parses the index, and with use of the labels, retrieves the exact backup copy that belongs to the event preceding the other event that caused the malware attack.

Abstract: A method for creating a collection with optimized family-specific signatures for protecting from malware includes collecting statistics of potential signatures for chosen sample attribute vectors, the statistics of potential signatures being collected for clean files and malware files, estimating a probability to find a potential signature in the clean files, grouping malware files with the same signature in clusters (families), choosing the most optimal signature for the malware family files based on a predefined target function, and exporting a collection with optimized family-specific signatures configured to be implemented by scan engines.

Abstract: Disclosed are systems and methods restoring a computing system. The described method includes emulating a virtual disk using a backup of the computing device and generating an ancillary virtual machine (VM). The method includes determining and writing, to a delta disk linked to the virtual disk, configuration modifications to the ancillary VM that enable booting of the ancillary VM using the virtual disk on a different device with dissimilar hardware as the computing device. Responsive to receiving a request to perform recovery of the computing device, the method comprises restoring the backup by creating on the different device a recovery virtual machine (VM) having a base virtual disk emulated from the backup, and modifying the recovery VM by attaching the delta disk having the configuration modifications.

Abstract: Disclosed herein are systems and method for inspecting archived slices for malware. In one exemplary aspect, the method comprises identifying a first slice in a plurality of slices in a backup archive, wherein the first slice is an image of user data at a first time. The method comprises scanning the first slice of the plurality of slices in the backup archive and detecting at least one infected file in the first slice. The method comprises identifying a block of the first slice that corresponds to the at least one infected file. The method comprises mounting, to a disk, a second slice of the plurality of slices. The method comprises tracking the block and determining that the at least one infected file exists on the second slice and removing the infected file from the second slice by generating a respective cured slice of the second slice.