Abstract: A system and method of anti-malware analysis including iterative techniques that combine static and dynamic analysis of untrusted programs or files. These techniques are used to identify malicious files by iteratively collecting new data for static analysis through dynamic run-time analysis.

Abstract: A system and method of anti-malware analysis including iterative techniques. These techniques are used to create a file attribute tree used by a machine learning analyzer to identify malicious files.

Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.

Abstract: Disclosed herein are systems and method for malicious behavior detection in processing chains comprising identifying and monitoring events generated by a first process executing on a computing device; storing snapshots of data modified by any of the events; determining a level of suspicion for the first process, wherein the level of suspicion is a likelihood of the first process being attributed to malware based on the data modified by any of the events; in response to determining that the first process is not trusted based on the determined level of suspicion, identifying at least one sub-process of the first process; and restoring, from the snapshots, objects affected by the first process and the at least one sub-process.

Abstract: Disclosed are systems and methods for detecting malicious applications. An exemplary method may comprise detecting that a first process has been launched on a computing device. The method may comprise receiving, from the first process, an execution stack associated with one or more control points of the first process. The method may comprise applying a machine learning classifier on the execution stack, wherein the machine learning classifier is configured to classify whether a process is malicious based on activity on control points captured on a given execution stack, and wherein a feature of a malicious process is detection of a system call to create a remote thread that runs in a virtual address space of a shared-service process configured to import third-party processes to be embedded as separate threads. The method may comprise generating an indication that the execution of the first process is malicious/non-malicious.

Abstract: Methods for file archiving using machine learning are disclosed herein. An exemplary method comprises archiving a first file of a plurality of files from a storage server to a tiered storage system, training a machine learning module based on file access operations for the plurality of files, determining one or more rules for predicting access to the archived files using the machine learning module, determining a prediction of access of the archived file based on the one or more rules and retrieving the archived file from the tiered storage system into a file cache in the storage server based on the prediction of access.

Abstract: A system and method of anti-malware analysis including iterative techniques that combine static and dynamic analysis of untrusted programs or files. These techniques are used to identify malicious files by iteratively collecting new data for static analysis through dynamic run-time analysis.

Abstract: A system and method of anti-malware analysis including iterative techniques. These techniques are used to create a file attribute tree used by a machine learning analyzer to identify malicious files.

Abstract: Disclosed are systems and methods for detecting multiple malicious processes. The described techniques identify a first process and a second process launched on a computing device. The techniques receive from the first process a first execution stack indicating at least one first control point used to monitor at least one thread associated with the first process, and receive from the second process a second execution stack indicating at least one second control point used to monitor at least one thread associated with the second process. The techniques determine that both the first process and the second process are malicious using a machine learning classifier on the at least one first control point and the at least one second control point. In response, the techniques generate an indication that an execution of the first process and the second process is malicious.

Abstract: Disclosed are systems and methods for detecting malicious applications. An exemplary method may comprise detecting that a first process has been launched on a computing device. The method may comprise receiving, from the first process, an execution stack associated with one or more control points of the first process. The method may comprise applying a machine learning classifier on the execution stack, wherein the machine learning classifier is configured to classify whether a process is malicious based on activity on control points captured on a given execution stack, and wherein a feature of a malicious process is detection of a system call to create a remote thread that runs in a virtual address space of a shared-service process configured to import third-party processes to be embedded in the shared-service process as separate threads. The method may comprise generating an indication that the execution of the first process is malicious/non-malicious.

Abstract: Disclosed are systems and methods for detecting malicious applications. The described techniques detect a first process has been launched on a computing device, and monitor at least one thread associated with the first process using one or more control points of the first process. An execution stack associated with the one or more control points of the first process is received from the first process. In response to detecting activity on the one or more control points of the first process, an indication that the execution of the first process is malicious is generated by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.

Abstract: Disclosed herein are systems and method for malicious behavior detection in processing chains comprising identifying and monitoring events generated by a first process executing on a computing device; storing snapshots of data modified by any of the events; determining a level of suspicion for the first process, wherein the level of suspicion is a likelihood of the first process being attributed to malware based on the data modified by any of the events; in response to determining that the first process is not trusted based on the determined level of suspicion, identifying at least one sub-process of the first process; and restoring, from the snapshots, objects affected by the first process and the at least one sub-process.

Abstract: Disclosed herein are systems and method for malicious behavior detection in processing chains comprising identifying a chain of related processes executing on a computing device; for each respective process in the chain of related processes: monitoring events generated by the respective process; storing snapshots of data modified by any of the events; determining a level of suspicion for the respective process by applying an artificial intelligence (AI) model to the snapshots of data; determining whether the chain of related processes is trusted based on the determined levels of suspicion; and in response to determining that the chain of related processes is not trusted, restoring objects affected by the chain from the snapshots.

Abstract: A method is provided for protecting a file server from a ransomware attack. An exemplary method comprises assigning a session identifier to a remote session initiated with the file server, monitoring operations associated with the session identifier, determining whether the operations are suspicious according to a policy, creating a volume-level snapshot of files on the file server, determining that encryption of the data is occurring when entropy of the monitored data is growing faster than the predetermined threshold rate, classifying the remote session as having a calculated degree of danger when the operations match operations contained in previously observed suspicious behavior patterns, interrupting the remote session when a combination of the degree of danger and the entropy is greater than a predetermined threshold value and restoring the data on the file server using the volume-level snapshot to a state prior to the encryption and dangerous activity.

Abstract: Disclosed are systems and methods for protecting a computer system from ransomware and malware by copying and backing up files using a volume filter. A storage stack of the computer system includes a file protector driver and a volume filter driver. The file protector driver monitors for potentially dangerous actions to the system's files. The volume filter driver tracks any requested changes to files on a block level, and makes backup copies of the modified blocks when the blocks change on a block level of the storage device.

Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.

Abstract: Disclosed are systems and methods for detecting multiple malicious processes. The described techniques identify a first process and a second process launched on a computing device. The techniques receive from the first process a first execution stack indicating at least one first control point used to monitor at least one thread associated with the first process, and receive from the second process a second execution stack indicating at least one second control point used to monitor at least one thread associated with the second process. The techniques determine that both the first process and the second process are malicious using a machine learning classifier on the at least one first control point and the at least one second control point. In response, the techniques generate an indication that an execution of the first process and the second process is malicious.

Abstract: Disclosed herein are systems and method for malicious behavior detection in processing chains comprising identifying a chain of related processes executing on a computing device; for each respective process in the chain of related processes: monitoring events generated by the respective process; storing snapshots of data modified by any of the events; determining a level of suspicion for the respective process by applying an artificial intelligence (AI) model to the snapshots of data; determining whether the chain of related processes is trusted based on the determined levels of suspicion; and in response to determining that the chain of related processes is not trusted, restoring objects affected by the chain from the snapshots.

Abstract: A method is provided for protecting a file server from a ransomware attack. An exemplary method comprises assigning a session identifier to a remote session initiated with the file server, monitoring operations associated with the session identifier, determining whether the operations are suspicious according to a policy, creating a volume-level snapshot of files on the file server, determining that encryption of the data is occurring when entropy of the monitored data is growing faster than the predetermined threshold rate, classifying the remote session as having a calculated degree of danger when the operations match operations contained in previously observed suspicious behavior patterns, interrupting the remote session when a combination of the degree of danger and the entropy is greater than a predetermined threshold value and restoring the data on the file server using the volume-level snapshot to a state prior to the encryption and dangerous activity.

Abstract: Disclosed are systems and methods for detecting malicious applications. The described techniques detect a first process has been launched on a computing device, and monitor at least one thread associated with the first process using one or more control points of the first process. An execution stack associated with the one or more control points of the first process is received from the first process. In response to detecting activity on the one or more control points of the first process, an indication that the execution of the first process is malicious is generated by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.