Abstract: Disclosed herein are systems and method for adjusting data protection levels based on system metadata. A method may include monitoring a computing device for a cyberattack, wherein a kernel driver of the computing device is configured to allow access to kernel control paths and hash tables in accordance with a first protection level, and detecting that the cyberattack is in progress. While the cyberattack is in progress, the method may include identifying kernel control paths and hashes of software objects that will be affected by the cyberattack, and configuring the kernel driver to disable access to the identified kernel control paths and hashes of the software objects in accordance with a second protection level, wherein the second protection level includes greater access restrictions to the computing device than the first protection level.

Abstract: A system and method are disclosed for performing non-invasive scan of a target device. The system is configured for: i) loading an endpoint protection agent to a target device; ii) providing a remote direct memory access of the target device to the remote security server for reading a memory of the target device; iii) scanning, by a second memory scan engine of the remote security server, the memory of the target device upon the violation of the security policy; iv) identifying, by the second memory scan engine of the remote security server, a threat on the target device; and v) sending, by the remote security server, a security response action to the endpoint protection agent on the target device in accordance with the security policy.

Abstract: Disclosed herein are systems and method for managing software item access. A method may include: monitoring usage of a plurality of software items distributed over a network of computing devices; identifying a first software item that is being actively used on a first computing device; identifying a contract for the network governing the usage of the plurality of software items, wherein the contract includes at least one usage condition that the first computing device has to comply with to access the first software item of the plurality of software items; determining whether a discrepancy between the at least one usage condition in the contract and the active usage of the first software item exists; and in response to determining that the discrepancy exists, adjusting parameters of the active usage of the first software item on the first computing device to comply with the at least one usage condition.

Abstract: A method for verifying a set of computer-executable instructions using at least one failing test generated by a test-case generator is disclosed herein. The method comprises verifying the set of computer-executable instructions by a verification module using a plurality of predefined verification conditions; determining if the verification is successful; in response to successful verification, label the set of computer-executable instructions as successful; and in response to unsuccessful verification, generate at least one counterexample, with respect to a proof failure and corresponding to at least one failed verification condition of the plurality of the predefined verification conditions, and generate a failing test, by a test-case generator, based on at least one counterexample. A program verification tool for testing the set of computer-executable instructions is also disclosed.

Abstract: Disclosed herein are systems and methods for indexing and searching an encrypted archive. In one exemplary aspect, a method comprises generating, by a hardware processor, an encrypted data archive based on a user backup performed using a backup plan with an encryption flag enabled and a user key; generating, by the hardware processor, an index key for the encrypted data archive; encrypting, by the hardware processor, the index key using the user key; storing, by the hardware processor, the index key in a secure data storage; creating and mounting, by the hardware processor, an encrypted file system folder for the encrypted data archive using the index key; decrypting, by the hardware processor, data in the encrypted data archive using the user key; and indexing, by the hardware processor, the decrypted data.

Abstract: Disclosed herein are systems and methods for preventing malicious injections. In one aspect, a method includes monitoring active processes that are running in suspended mode. For each active process being monitored, the method includes injecting a dynamic link library (DLL) into the active process to hook an application programming interface (API) of an application corresponding to the active process, wherein the DLL is injected for tracking commands for suspension and resumption of the active process. The method includes monitoring file inputs and outputs of the application for anomalies while the active process is in the suspended mode, and when a command for resuming the active process is detected using the DLL, determining, based on the monitoring, whether a malicious process is inserted into the active process. The method includes allowing the suspended process to resume execution in response to determining that no malicious process is inserted in the active process.

Abstract: Disclosed herein are systems and method for determining a backup schedule on a computer system. In one exemplary aspect, a method may comprise collecting user behavior data on the computer system. The method may comprise analyzing the user behavior data to determine an optimal time of a backup session to create backup copies of modified data stored on a volume of the computer system and determining an optimal duration of the backup session based on the analyzed user behavior. The method may comprise determining a portion of the modified data that can be saved during the backup session within the optimal duration at the optimal time of backup, and performing the backup session comprising the portion.

Abstract: Disclosed herein are systems and method for providing nested frontend applications in a user interface of a management application. An exemplary method may include: generating a graphical user interface (GUI) for the management application, wherein the GUI includes a first extension point that includes a plurality of extensions, wherein each extension of the plurality of extensions is a standalone frontend application; injecting, during runtime of the management application, a first extension into the first extension point based on a personal configuration file, wherein the first extension is included in the plurality of extensions after injection; in response to receiving, via the GUI, a selection of the first extension, generating, on the GUI, a second extension point corresponding to the first extension, wherein the second extension point includes an additional plurality of extensions; and injecting, during the runtime, a second extension into the second extension point.

Abstract: Disclosed herein are systems and method for providing nested frontend applications in a user interface of a management application. An exemplary method may include: generating a graphical user interface (GUI) for the management application, wherein the GUI includes a first extension point that includes a plurality of extensions, wherein each extension of the plurality of extensions is a standalone frontend application; injecting, during runtime of the management application, a first extension into the first extension point based on a personal configuration file, wherein the first extension is included in the plurality of extensions after injection; in response to receiving, via the GUI, a selection of the first extension, generating, on the GUI, a second extension point corresponding to the first extension, wherein the second extension point includes an additional plurality of extensions; and injecting, during the runtime, a second extension into the second extension point.

Abstract: A system and method of anti-malware analysis including iterative techniques. These techniques are used to create a file attribute tree used by a machine learning analyzer to identify malicious files.

Abstract: A system for detection of binary files containing a known malware code fragment includes a processor coupled to a memory storing instructions, the processor being configured to implement the instructions to process an unknown binary file (UBF) and a known malicious source code file (KMSCF) to decompile the UBF into a text-based unknown source code (USC) and identify whether the KMSCF is contained within the USC.

Abstract: A system for automatic recognition of security incidents includes a processor coupled to a memory storing instructions, the processor being configured to implement the instructions for an automatic incident generator (AIG) with at least one type of events related to the system, and access to a repository of information about previously recorded incidents with the events related to these previously recorded incidents, to monitor a plurality of events, identify sequences of events including suspected signatures that are capable of constituting an incident, calculate a degree of variance (DoV) of the suspected signatures and at least one signature related to a previously recorded incident, compare the DoV to at least one threshold and, if the DoV is less (or less or equal) to the threshold, identify the incident and optionally initiate the workflow related to the identified incident.

Abstract: An automatic incident dispatcher calculates an incident signature of a new incident, calculates a degree of variance (DoV) of the new incident from an incident signature of the previously classified incident, compares the calculated DoV to a predetermined threshold, and determines that the new incident belongs to a same class as a class of the previously classified the new incident if the calculated DoV is less than or equal to the threshold.

Abstract: A system to create an initial list of DLP policies and adjust a DLP policies list overtime includes a processor coupled to a memory storing instructions, the processor implementing the instructions to process a plurality of agents running at an endpoint to intercept a data transfer in a network traffic, intercept the data transfer in a device access, extract textual data from intercepted objects, analyze content for detection of sensitive data in an intercepted data, record justification of the data transfer, prevent the data transfer in case the data transfer is not allowed by rules, and create new data flow/DLP policy rule, and through cloud server side, storing a database of the DLP policy and logs, processing data received from endpoints, storing data classifier database and functions to update data classifier database, and managing and applying DLP policy rules and make system setup.

Abstract: A system to optimize required resources at an endpoint needed to monitor a user behavior for abnormalities with the endpoint includes a processor processing a plurality of agents running at the endpoint to intercept network traffic metrics, intercept device access metrics, intercept app-specific user-mode metrics, parse intercepted data, and submit the intercepted data to a backend component at a server to collect the intercepted data from the endpoint, predict deviation from a normal profile, in which the backend component assesses available characteristics of a particular endpoint, calculates an endpoint user profile, calculates a degree of variance (DoV) between the user profile and the normal profile, compares the calculated DoV to a predetermined Variance Threshold (VT), and predicts, based on machine learning algorithms, a movement of a trend of the DoV within the VT, creates an adjusted metrics list, and distributes adjusted metrics to a related endpoint.

Abstract: A system for identifying of presence of protected data in an unknown file includes a processor coupled to a memory storing instructions, the processor being configured to implement the instructions to apply a sliding window process to generate one or more fragments of length, for each generated fragment, check whether information about the generated fragment exists in a library of known fragments of protected data, and if the information about the generated fragment from the unknown file exists in the library of known fragments of protected data, perform steps to reflect an existence of the information about the generated fragment.

Abstract: A system of automatically managing assignments of users to user groups comprises a processor to implement instructions for an automatic user group manage (AUGM) to access to two or more users and the assignments of the users to the user groups, observe activity of the users, calculate user behavior signatures for one of at least two users of the users, at least one user of the users and one group of the user groups, or at least two groups of the user groups, calculate a numeric degree of variance between at least two of the user behavior signatures, compare the calculated degree of variance to at least one threshold, and determine if a behavior of one of the at least two users, the at least one user and the one group, or the at least two groups are similar or different.

Abstract: A system of monitoring a user behavior for abnormalities compared to a group behavior includes a processor configured to implement instructions for a user to group behavior signature monitor (UGBSM) with at least one user, as a monitored user, and a group of one or more users, as baseline users, to access to certain characteristics of the monitored user and certain characteristics of the baseline users, calculate a user behavioral signature of the monitored user, calculate a group behavioral signature of the baseline users, calculate a degree of variance (DoV) between the user behavioral signature of the monitored user and the group behavioral signature of baseline users, and compare the calculated DoV to a variance threshold to determine whether the user behavioral signature of the monitored user is similar or is different from the group behavioral signature of the baseline users.

Abstract: Disclosed herein are systems and method for anti-malware scanning, including identifying a plurality of objects in a backup archive that is connected to a first network comprising a plurality of computing devices; scanning the plurality of objects in the backup archive to generate a whitelist indicating a subset of the plurality of objects that do not need to be scanned at a subsequent time; performing, using the whitelist, a first malware scan in a computing device of the plurality of computing devices; detecting that the computing device has left the first network to join a second network; and performing a second malware scan on the computing device, wherein the second malware scan uses a different whitelist of the second network, and wherein the second malware scan comprises scanning a first object that is not in the different whitelist and was not scanned in the first malware scan.

Abstract: Disclosed herein are systems and method for selectively restoring a computer system to an operational state. In an exemplary aspect, the method may include creating a backup image of the computer system comprising a set of data blocks, detecting that the computer system has begun an initial startup, identifying a subset of the data blocks read from a disk of the computer system during the initial startup. In response to determining that the computer system should be restored, the method may include restoring the subset of the data blocks such that the computer system is operational during startup, and restoring a remaining set of the data blocks from the backup image after the startup of the computer system.