Patents by Inventor Vladimir Strogov

Vladimir Strogov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11971986
    Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.
    Type: Grant
    Filed: March 1, 2023
    Date of Patent: April 30, 2024
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Aliaksei Dodz, Nikolay Grebennikov, Stanislav Protasov, Serg Bell
  • Publication number: 20240111860
    Abstract: System and method for detecting and curing a hollowing attack is disclosed herein. The method comprises monitoring real-time process memory parameters of a target process; retrieving real-time process memory parameters of the target process; comparing the real-time process memory parameters of the target process with reference process parameters of the target process stored in a system storage of the computing system and parameters of the process creation call-back notification; detecting a hollowing attack based on the comparison in previous step; in response to detecting the hollowing attack, determining a threat source file of malicious code; determining address space of the hollowed process on the computing system based on system log data; and curing the computing system by blocking execution of the threat source file and deleting threat resources associated therewith from the computing system.
    Type: Application
    Filed: September 29, 2022
    Publication date: April 4, 2024
    Inventors: Vladimir Strogov, Aliaksei Dodz, Serg Bell, Stanislav Protasov
  • Publication number: 20240095384
    Abstract: Disclosed herein are systems and method for generating file systems of data sources incompatible with anti-virus scanners. In one exemplary aspect, the method includes: receiving, from an AV scanner, a request to scan a data source for malicious activity, wherein the data source includes a plurality of files, and wherein the AV scanner has a plurality of compatible file types that the AV scanner is capable of scanning; determining that the plurality of files are inaccessible to the AV scanner; generating a file system corresponding to the data source by parsing contents of the data source; generating a virtual volume including a plurality of sparse files corresponding to the plurality of files in the data source; populating at least one sparse file in the virtual volume with respective parsed content of a corresponding file in the data source; and instructing the AV scanner to scan the virtual volume.
    Type: Application
    Filed: September 21, 2022
    Publication date: March 21, 2024
    Inventors: Vladimir Strogov, Serg Bell, Stanislav Protasov
  • Patent number: 11921850
    Abstract: A system and method of anti-malware analysis including iterative techniques that combine static and dynamic analysis of untrusted programs or files. These techniques are used to identify malicious files by iteratively collecting new data for static analysis through dynamic run-time analysis.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: March 5, 2024
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Alexey Malanov, Sergey Ulasen, Vyacheslav Levchenko, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11874920
    Abstract: Disclosed herein are systems and methods for preventing malicious injections. In one aspect, a method includes monitoring active processes that are running in suspended mode. For each active process being monitored, the method includes injecting a dynamic link library (DLL) into the active process to hook an application programming interface (API) of an application corresponding to the active process, wherein the DLL is injected for tracking commands for suspension and resumption of the active process. The method includes monitoring file inputs and outputs of the application for anomalies while the active process is in the suspended mode, and when a command for resuming the active process is detected using the DLL, determining, based on the monitoring, whether a malicious process is inserted into the active process. The method includes allowing the suspended process to resume execution in response to determining that no malicious process is inserted in the active process.
    Type: Grant
    Filed: December 6, 2021
    Date of Patent: January 16, 2024
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11836252
    Abstract: A system and method of anti-malware analysis including iterative techniques. These techniques are used to create a file attribute tree used by a machine learning analyzer to identify malicious files.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: December 5, 2023
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Alexey Malanov, Sergey Ulasen, Vyacheslav Levchenko, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11822659
    Abstract: Disclosed herein are systems and method for anti-malware scanning, including identifying a plurality of objects in a backup archive that is connected to a first network comprising a plurality of computing devices; scanning the plurality of objects in the backup archive to generate a whitelist indicating a subset of the plurality of objects that do not need to be scanned at a subsequent time; performing, using the whitelist, a first malware scan in a computing device of the plurality of computing devices; detecting that the computing device has left the first network to join a second network; and performing a second malware scan on the computing device, wherein the second malware scan uses a different whitelist of the second network, and wherein the second malware scan comprises scanning a first object that is not in the different whitelist and was not scanned in the first malware scan.
    Type: Grant
    Filed: January 5, 2023
    Date of Patent: November 21, 2023
    Assignee: Acronis International GmbH
    Inventors: Dmitry Gryaznov, Oleg Ishanov, Vladimir Strogov, Andrey Kulaga, Igor Kornachev, Stanislav Protasov, Serguei Beloussov
  • Patent number: 11789766
    Abstract: Disclosed herein are systems and method for selectively restoring a computer system to an operational state. In an exemplary aspect, the method may include creating a backup image of the computer system comprising a set of data blocks, detecting that the computer system has begun an initial startup, identifying a subset of the data blocks read from a disk of the computer system during the initial startup. In response to determining that the computer system should be restored, the method may include restoring the subset of the data blocks such that the computer system is operational during startup, and restoring a remaining set of the data blocks from the backup image after the startup of the computer system.
    Type: Grant
    Filed: December 8, 2021
    Date of Patent: October 17, 2023
    Assignee: Acronis International GmbH
    Inventors: Alexey Sergeev, Anton Enakiev, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20230315850
    Abstract: The present disclosure relates to a system and method for rootkit detection based on a system dump sequence analysis. The system includes a security system in communication with one or more applications of a computing system. The security system includes a system event monitor to monitor events occurring at the applications, a system dump capture driver to capture differential system dumps corresponding to each event, and a rootkit detection engine to determine if a system state is infected. The rootkit detection engine is based on a machine learning model, where the machine learning model is trained on collection of clean system dumps and infectious system dumps. Based on analysis carried out by the machine learning model, the rootkit detection engine can classify the system state as suspicious, infectious, or clean state.
    Type: Application
    Filed: March 29, 2022
    Publication date: October 5, 2023
    Inventors: Vladimir Strogov, Sergey Ulasen, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20230315848
    Abstract: Forensic analysis on consistent system footprints relates to a system and method for rootkit detection based on forensic analysis performed on consistent system footprints, such as application events, application network communications and application files. The system includes a security system periodically monitoring one or more applications of a computing system. The security system includes a threat detection unit for collecting and storing system memory dumps, a machine learning module trained on clean and infectious memory dump, a similarity scanner to identify similarity between suspicious memory block and consistent system footprints, and a forensic analyzer to perform forensic analysis and detect infection, if any, based on the similarity found. The suspicious memory block is identified by the threat detection unit based on the analysis performed by the machine learning model. Upon rootkit detection an alert and forensic analysis report are generated.
    Type: Application
    Filed: March 29, 2022
    Publication date: October 5, 2023
    Inventors: Vladimir Strogov, Sergey Ulasen, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20230315855
    Abstract: The present disclosure relates to a system and method for creating a backup and restoring the exact clean system state prior to malware detection. The system includes a security system, in communication with one or more applications of a computing system, and a backup unit. The security system detects malware during execution of the applications or events based on a memory dump analysis. The backup unit creates a backup copy of the system state corresponding to each event, labels each copy and creates an index. When the security system detects presence of the malware at a particular event, the backup system parses the index, and with use of the labels, retrieves the exact backup copy that belongs to the event preceding the other event that caused the malware attack.
    Type: Application
    Filed: March 29, 2022
    Publication date: October 5, 2023
    Inventors: Vladimir Strogov, Sergey Ulasen, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20230315881
    Abstract: The invention relates to data recovery technology. Each created backup is checked for the integrity of the placed files, while calculating the checksums of each block of data that can be restored from the backup. The computer system is restored from a backup copy by connecting it using the archive copy connection driver, which creates a virtual disk that is readable by standard means of the operating system of the computer system being restored. The booting of the operating system is performed from the virtual disk and, after restoring the functioning of the computer system, the system volume that has been damaged is restored from the backup copy to the local storage medium.
    Type: Application
    Filed: March 29, 2022
    Publication date: October 5, 2023
    Inventors: Vladimir Strogov, Alexey Sergeev, Alexey Kostushko, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11762994
    Abstract: Disclosed herein are systems and method for inspecting archived slices for malware. In one exemplary aspect, the method comprises identifying a first slice in a plurality of slices in a backup archive, wherein the first slice is an image of user data at a first time. The method comprises scanning the first slice of the plurality of slices in the backup archive and detecting at least one infected file in the first slice. The method comprises identifying a block of the first slice that corresponds to the at least one infected file. The method comprises mounting, to a disk, a second slice of the plurality of slices. The method comprises tracking the block and determining that the at least one infected file exists on the second slice and removing the infected file from the second slice by generating a respective cured slice of the second slice.
    Type: Grant
    Filed: April 11, 2022
    Date of Patent: September 19, 2023
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Anatoly Stupak, Andrey Kulaga, Alexey Sergeev, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11698808
    Abstract: Disclosed herein are systems and method for selectively restoring a computer system to an operational state. In an exemplary aspect, the method may create a backup image of the computer system comprising a set of data blocks, and create and start a virtual machine based on the backup image. The method may identify a subset of the data blocks accessed from the backup image during startup of the virtual machine. In response to determining that the computer system should be restored, the method may restore the subset of the data blocks such that the computer system is operational during startup, and restore a remaining set of the data blocks from the backup image after the startup of the computer system.
    Type: Grant
    Filed: December 8, 2021
    Date of Patent: July 11, 2023
    Assignee: Acronis International GmbH
    Inventors: Alexey Sergeev, Anton Enakiev, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20230214486
    Abstract: The invention relates to data recovery technology. An archive connection driver creates a virtual storage medium that is readable by an operating system, with the operating system running antivirus scanning algorithms on the connected virtual storage medium. Corrupted data and malware are deleted and the relevant data blocks repaired in a connected backup. Corrupted data and infected files are restored in marked invalid data in the backup.
    Type: Application
    Filed: December 30, 2021
    Publication date: July 6, 2023
    Inventors: Vladimir Strogov, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20230214489
    Abstract: A rootkit detection system and method analyzes memory dumps to determine connections between intercepted system driver operations requested by unknown files and changes in system memory before and after those operations. Memory dump differences and I/O buffers are analyzed with machine learning models to identify clustered features associated with rootkits.
    Type: Application
    Filed: December 30, 2021
    Publication date: July 6, 2023
    Inventors: Vladimir Strogov, Sergey Ulasen, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20230205876
    Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.
    Type: Application
    Filed: March 1, 2023
    Publication date: June 29, 2023
    Inventors: Vladimir Strogov, Aliaksei Dodz, Nikolay Grebennikov, Stanislav Protasov, Serg Bell
  • Publication number: 20230205877
    Abstract: A system and method for malware classification using machine learning models trained using synthesized feature sets based on features extracted from samples of known malicious objects and known safe objects. The synthesized feature sets act as virtual samples for training a machine learning classifier to recognize new objects in the wild that are likely to be malicious.
    Type: Application
    Filed: December 27, 2021
    Publication date: June 29, 2023
    Inventors: Sergey Ulasen, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20230205880
    Abstract: A system and method for malware detection uses static and dynamic analysis to augment a machine learning model. At the training step, static and dynamic features are extracted from training datasets and used to train a malware classification model. The malware classification model is used to classify unknown files based on verdicts from both static and dynamic models.
    Type: Application
    Filed: December 27, 2021
    Publication date: June 29, 2023
    Inventors: Sergey Ulasen, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov
  • Publication number: 20230205883
    Abstract: A system and method for malware detection uses static and dynamic analysis to train a machine learning model. At the training step, static and dynamic features are extracted from training datasets and used to train a malware classification model. The malware classification model is used to classify unknown files based on verdicts from both static and dynamic models.
    Type: Application
    Filed: December 27, 2021
    Publication date: June 29, 2023
    Inventors: Sergey Ulasen, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov