Abstract: In a system and method for processing computer system events asynchronously for software security operations, a computer memory is configured for a read operation by a computer process. The computer process loads, based on a first event occurring during the read operation, at least one file in the computer memory. At least one thread of the computer process is generated. An execution of the at least one thread of the computer process is delayed based on a second event occurring after the first event. A security operation is performed on the process contemporaneously with the loading of the file in the computer memory and the blocking of the execution of the at least one thread of the computer process. The process is either un-delayed on completion of the previous security operation or other security operations performed on that process.

Abstract: Malware attacks seek to exploit target computing systems and avoid detection by terminating security, antivirus, or other application process threads in the operating system. Methods and systems for detecting kernel-based thread termination activity enable the detection of thread termination events occurring at the kernel level, in order to identify and mitigate known or suspected malware activity.

Abstract: In a system and method for processing computer system events asynchronously for software security operations, a computer memory is configured for a read operation by a computer process. The computer process loads, based on a first event occurring during the read operation, at least one file in the computer memory. At least one thread of the computer process is generated. An execution of the at least one thread of the computer process is delayed based on a second event occurring after the first event. A security operation is performed on the process contemporaneously with the loading of the file in the computer memory and the blocking of the execution of the at least one thread of the computer process. The process is either un-delayed on completion of the previous security operation or other security operations performed on that process.

Abstract: A method for detecting malicious activity of a computing device comprises detecting, by a software driver executing within a kernel mode of an operating system being executed by the computing device, an operation performed at the computing device; intercepting the operation; receiving, by a security application executing within a user mode of the operating system, a request from the software driver for an instruction for the software driver for an action to block or allow the operation according to a first timeout value; generating a second timeout value based on an amount of time determined by the security application; transmitting a reply to the request that includes the second timeout value to the software driver; transmitting the instruction to the software driver in compliance with the second timeout value; and executing, by the software driver, the action in response to the instruction.