Abstract: Disclosed herein are systems and method for scanning objects of a computing device, by an anti-malware, using a white list created for an organization based on data of the organization. In one aspect, an exemplary method comprises obtaining one or more objects of the organization from the computing device, and for each obtained object of the one or more objects, computing a hash value of the obtained object, determining whether the obtained object is whitelisted, and scanning the obtained object based on whether the obtained object is whitelisted, wherein the whitelist is created based on scanning of objects stored in archives of the organization, and the obtained object is determined as being whitelisted when the computed hash value of the obtained object matches a hash value of an object in a whitelist created for the organization.

Abstract: Disclosed herein are systems and methods for preserving data using a replication and blockchain notarization. In one aspect, an exemplary method comprises, by a hardware processor, receiving, from a user, a request for a legal hold of data and criteria for controlling access to the data, creating a legal hold object and establishing an access control criteria, creating, in the cloud storage, a cloud storage space that corresponds to the created legal hold object, and defining the access control for reading from the created cloud storage space, searching, in a backup data storage of a client data system, to identify all relevant data corresponding to the created legal hold object, and storing the identified relevant data and the search queries used for the identification of the relevant data, replicating the identified relevant data in the created cloud storage space, and notarizing the replicated relevant data using a blockchain notarization service.

Abstract: Disclosed herein are systems and method for performing recovery using a backup image. In one exemplary aspect, a method comprises scanning a plurality of files on one or more storage devices of a computing device. The method may determine a first set of files from the plurality of files that will be used during recovery of the one or more storage devices, and tag a second set of files that will not be used during recovery. The method may copy the second set of files that have been tagged to an external storage device, and may store the first set of files in a backup image for the computing device (excluding the tagged second set of files from the backup image). The method may add, to the backup image, a respective link to each of the tagged second set of files in the external storage device.

Abstract: Disclosed herein are systems and method for deep dynamic analysis for protecting endpoint devices from malware. In one aspect, an exemplary method comprises launching a deep analysis process, by a deep analysis tool, the launching including: injecting a dynamically loaded component into an address space of an application code and initializing, by the dynamically loaded component, to allow an execution activity, by the injected dynamically loaded component, parsing dependencies of run-time linkages, hooking system functions, creating an application memory map with separate application and system code areas, transferring control back to the application code, and performing on-sample-execution activity, obtaining control of exception handler and monitoring attempts to use the exception handler, changing an available area, logging accesses, inspecting exception reasons and applying policies, determining whether or not the application of the sample is a malware, and sending a final verdict.

Abstract: Aspects of the disclosure describe methods and systems for performing an antivirus scan using file level deduplication. In an exemplary aspect, prior to performing an antivirus scan on files stored on at least two storage devices, a deduplication module calculates a respective hash for each respective file stored on the storage devices. The deduplication module identifies a first file stored the storage devices and determines whether at least one other copy of the first file exists on the storage devices. In response to determining that another copy exists, the deduplication module stores the first file in a shared database, replaces all copies of the first file on the storage devices with a link to the first file in the shared database, and performs the antivirus scan on (1) the first file in the shared database and (2) the files stored on the storage devices.

Abstract: A method and system for dynamic redundancy in storage systems is described. The method may include receiving a data fragment from a data stream of user data to be archived. The method may further include splitting the data fragment into a first number of data chunks. The method may also include, in response to determining that the data fragment is not a last data fragment in the data stream, generating a second number of additional data chunks based upon, at least in part, the first number of data chunks. The method may additionally include, in response to determining that the data fragment is the last data fragment in the data stream, generating a third number of additional data chunks based upon, at least in part, the first number of data chunks.

Abstract: Various examples are directed to systems and methods for backing up data. A tracking utility may receive a start request and then enter a holding mode until a first modifiable or writable snapshot is created. The tracking utility can track such a first snapshot and determine if any modifications such as writes have been made to the first snapshot. If the first snapshot has not been modified it can be backed up using a read only snapshot scheme. If the first snapshot has been modified, a record of the modifications thereto are used to update the frozen changes and the current changes. The resulting or finalized snapshot is generated and includes all of the modifications, modifications 1 to N made to the first snapshot. This process can be repeated for one or more or all of the modifiable or writable snapshots.

Abstract: Systems and methods for remediating vulnerabilities on a plurality of computing devices is disclosed herein. In one exemplary aspect, a method comprises classifying monitored data into a plurality of categories using a machine learning algorithm. For each respective data file of the monitored data, the method comprises retrieving one or more policies associated with a classified category of the respective data file and determining whether respective data file complies with the one or more policies. The method further comprises generating a compliance map based on compliance with policies for each respective data file of the monitored data, wherein the compliance map indicates vulnerabilities in the plurality of computing devices, determining whether the vulnerabilities are actionable, and in response to determining the vulnerabilities are actionable, requesting actions to be performed on the plurality of devices to remediate the vulnerabilities and non-compliance.

Abstract: A system and method is disclosed for using data blocks to optimize file storage in electronic data storage. An example method includes storing data objects in a storage service that correspond to a main block and multiple secondary blocks. The main block is stored in a first bucket and the secondary blocks are stored in one or more second buckets, with the main block including metadata indicating a unique identifier of the second bucket. The method further includes receiving a request to delete the data file to free storage; marking the main block of the data file for deletion that prevents a reading operation or a writing operation of additional data to the data file; deleting the secondary blocks of the data file; and after the secondary blocks are deleted, deleting the marked main block of the data file.

Abstract: A system and method is disclosed for scheduling and allocating data storage. An example method comprises generating a scheduling problem based at least on states of each of the plurality of storage nodes, a received plurality of storage tasks and received constraints, wherein the scheduling problem is a constraint satisfaction problem, selecting one or more approaches to solving the scheduling problem based on metadata associated with the storage tasks and constraints, solving the scheduling problem to generate a scheduling solution based on the one or more approaches, determining whether the given constraints are satisfied by the scheduling solution, executing, by the processor, the scheduling solution by assigning storage of data to each of the plurality of storage nodes when the constraints are satisfied by the scheduling solution and determining another scheduling solution based on the one or more approaches when the constraints are not satisfied by the scheduling solution.

Abstract: Disclosed are systems and methods for protecting a computer system from ransomware and malware by copying and backing up files using a volume filter. A storage stack of the computer system includes a file protector driver and a volume filter driver. The file protector driver monitors for potentially dangerous actions to the system's files. The volume filter driver tracks any requested changes to files on a block level, and makes backup copies of the modified blocks when the blocks change on a block level of the storage device.

Abstract: Disclosed are methods, systems and computer program products for backing up user data from a social network account. An exemplary general method includes the steps of obtaining access to a user account on a social network, by a social network application; determining, by the social network application, one or more restrictions on external requests for data imposed by the social network; generating, by a backup agent in communication with the social network application, an algorithm for requesting data from the user account based upon the one or more restrictions on external requests for data; requesting user data from the user account, by the social network application, using the algorithm; receiving the user data from the user account, by the social network application; transmitting the received user data from the social network application to the backup agent; and archiving the received user data, by the backup agent.

Abstract: Disclosed are systems and methods for detecting multiple malicious processes. The described techniques identify a first process and a second process launched on a computing device. The techniques receive from the first process a first execution stack indicating at least one first control point used to monitor at least one thread associated with the first process, and receive from the second process a second execution stack indicating at least one second control point used to monitor at least one thread associated with the second process. The techniques determine that both the first process and the second process are malicious using a machine learning classifier on the at least one first control point and the at least one second control point. In response, the techniques generate an indication that an execution of the first process and the second process is malicious.

Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.

Abstract: A system and method is provided for detecting ransomware and malicious programs.

Abstract: Disclosed herein are systems and methods for indexing and searching an encrypted archive. In one exemplary aspect, a method comprises generating, by a hardware processor, an encrypted data archive based on a user backup performed using a backup plan with an encryption flag enabled and a user key; generating, by the hardware processor, an index key for the encrypted data archive; encrypting, by the hardware processor, the index key using the user key; storing, by the hardware processor, the index key in a secure data storage; creating and mounting, by the hardware processor, an encrypted file system folder for the encrypted data archive using the index key; decrypting, by the hardware processor, data in the encrypted data archive using the user key; and indexing, by the hardware processor, the decrypted data.

Abstract: Disclosed herein are systems and methods for data remediation without data loss. In one exemplary aspect, the method comprises performing, at a first time, a first backup of a plurality of files on a file system of a computer system; tracking changes to any of the plurality of files on the file system after the first time; performing, at a second time, a second backup of the plurality of files on the file system; detecting, based on a scan of the second backup, an infection of the computer system caused by a malicious application; identifying, by the processor, a most recent backup of the file system that does not comprise the infection; in response to determining that the first backup is the most recent backup: restoring the first backup to the file system, and restoring a subset of files on the file system for which authorized changes.

Abstract: The present disclosure includes methods and systems for protecting network resources. An exemplary method comprises starting, by a processor, copy-on-write snapshotting for modifications to a plurality of files in storage, the modification initiated by a suspicious application, detecting, by the processor, a modification of a file of the plurality of files, determining, by the processor, whether the file is stored on a shared network resource or a local resource, in response to determining that the file is stored on a shared network resource, determining, by the processor, that a current region being modified is not already saved in a snapshot, and if the current region is not saved, saving the current region to a snapshot, marking, by the processor, the current region as being saved and analyzing all saved regions that were modified for malicious activity to determine that the suspicious application modifying the saved regions is malicious.

Abstract: Disclosed herein are system and method for driving organization and subsequent analysis of an autonomous vehicle. In an exemplary aspect, the system and method comprise dividing a path of a vehicle into a plurality of segments based on predetermined conditions; monitoring both behavior of the vehicle and driving conditions during each of the plurality of segments; storing the behavior and the driving conditions in a plurality of records of an immutable storage; determining whether an accident has occurred involving the vehicle; in response to determining that the accident has occurred, retrieving for the plurality of segments the behavior and the driving conditions from the immutable storage; reconstructing the path using the retrieved behavior and the driving conditions and the plurality of segments; and analyzing the reconstructed path to determine a cause of the accident.

Abstract: Disclosed are methods and systems for performing data backup which implement data binning using log-structured merge (LSM) trees during deduplication. An exemplary method includes: calculating a reduced hash value (RHV) associated with each of a plurality of data blocks; partitioning the plurality of reduced hash values into groups; selecting a representative hash value for each group; determining whether the representative hash value occurs in a first LSM tree, the first LSM tree stored in a volatile memory; and when the representative hash value occurs in the first LSM tree: loading the RHVs in the representative hash value's group into volatile memory; comparing each of the RHVs to one or more hash values in a second LSM tree to identify a matching hash value; and writing a segment identifier (ID) corresponding to the matching hash value in an archive, which references a data block in a segment store.