Abstract: Disclosed are systems and methods for detecting malicious applications. An exemplary method may comprise detecting that a first process has been launched on a computing device. The method may comprise receiving, from the first process, an execution stack associated with one or more control points of the first process. The method may comprise applying a machine learning classifier on the execution stack, wherein the machine learning classifier is configured to classify whether a process is malicious based on activity on control points captured on a given execution stack, and wherein a feature of a malicious process is detection of a system call to create a remote thread that runs in a virtual address space of a shared-service process configured to import third-party processes to be embedded as separate threads. The method may comprise generating an indication that the execution of the first process is malicious/non-malicious.

Abstract: Disclosed are systems and methods for detecting malicious applications. An exemplary method may comprise detecting that a first process has been launched on a computing device. The method may comprise receiving, from the first process, an execution stack associated with one or more control points of the first process. The method may comprise applying a machine learning classifier on the execution stack, wherein the machine learning classifier is configured to classify whether a process is malicious based on activity on control points captured on a given execution stack, and wherein a feature of a malicious process is detection of a system call to create a remote thread that runs in a virtual address space of a shared-service process configured to import third-party processes to be embedded in the shared-service process as separate threads. The method may comprise generating an indication that the execution of the first process is malicious/non-malicious.

Abstract: Disclosed are systems and methods for detecting malicious applications. The described techniques detect a first process has been launched on a computing device, and monitor at least one thread associated with the first process using one or more control points of the first process. An execution stack associated with the one or more control points of the first process is received from the first process. In response to detecting activity on the one or more control points of the first process, an indication that the execution of the first process is malicious is generated by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.

Abstract: A method is provided for protecting a file server from a ransomware attack. An exemplary method comprises assigning a session identifier to a remote session initiated with the file server, monitoring operations associated with the session identifier, determining whether the operations are suspicious according to a policy, creating a volume-level snapshot of files on the file server, determining that encryption of the data is occurring when entropy of the monitored data is growing faster than the predetermined threshold rate, classifying the remote session as having a calculated degree of danger when the operations match operations contained in previously observed suspicious behavior patterns, interrupting the remote session when a combination of the degree of danger and the entropy is greater than a predetermined threshold value and restoring the data on the file server using the volume-level snapshot to a state prior to the encryption and dangerous activity.

Abstract: Disclosed are systems and methods for detecting multiple malicious processes. The described techniques identify a first process and a second process launched on a computing device. The techniques receive from the first process a first execution stack indicating at least one first control point used to monitor at least one thread associated with the first process, and receive from the second process a second execution stack indicating at least one second control point used to monitor at least one thread associated with the second process. The techniques determine that both the first process and the second process are malicious using a machine learning classifier on the at least one first control point and the at least one second control point. In response, the techniques generate an indication that an execution of the first process and the second process is malicious.

Abstract: A method is provided for protecting a file server from a ransomware attack. An exemplary method comprises assigning a session identifier to a remote session initiated with the file server, monitoring operations associated with the session identifier, determining whether the operations are suspicious according to a policy, creating a volume-level snapshot of files on the file server, determining that encryption of the data is occurring when entropy of the monitored data is growing faster than the predetermined threshold rate, classifying the remote session as having a calculated degree of danger when the operations match operations contained in previously observed suspicious behavior patterns, interrupting the remote session when a combination of the degree of danger and the entropy is greater than a predetermined threshold value and restoring the data on the file server using the volume-level snapshot to a state prior to the encryption and dangerous activity.

Abstract: Disclosed are systems and methods for detecting malicious applications. The described techniques detect a first process has been launched on a computing device, and monitor at least one thread associated with the first process using one or more control points of the first process. An execution stack associated with the one or more control points of the first process is received from the first process. In response to detecting activity on the one or more control points of the first process, an indication that the execution of the first process is malicious is generated by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.