Provided herein are systems and methods for determining a likelihood that an executable comprises malware. A learning engine may determine a plurality of attributes of an executable identified in a computing environment, and a corresponding weight to assign to each of the plurality of attributes. Each of the plurality of attributes may be indicative of a level of risk for the computing environment. The learning engine may generate, according to the determined plurality of attributes and the corresponding weights, one or more scores indicative of a likelihood that the executable comprises malware. A rule engine may perform an action to manage operation of the executable, according to the generated one or more scores.

A method performed by a Cloud Access Security Broker (CASB) service includes scanning data stored in one of a cloud provider and a Software-as-a-Service (SaaS) application, wherein the data is for a user associated with a company of a plurality of companies; detecting an incident in a file or email in the data during the scanning; maintaining details of the incident in an in-memory data store, including a current snapshot of the file or email; and providing a notification to the tenant of the incident. The method can further include, subsequent to the incident and while the file or email is being updated, updating the details of the incident in the in-memory data store.

An Information Handling System (IHS) includes multiple hardware devices, and a baseboard Management Controller (BMC) in communication with the plurality of hardware devices. The BMC includes executable instructions for monitoring the operating characteristics a hardware device that is operating in a fixed pass-through configuration with a workspace in which the workspace has been instantiated by a workspace orchestration service executed on the IHS. The executable instructions may determine that the operating characteristics are indicative of a security breach of the fixed pass-through configuration, and as such, may perform an operation to quarantine the one hardware device when the fixed pass-through configuration is determined to possess the security breach.

A method of preventing exploitation of a vulnerability of a computing system includes generating a deprivation token to cause disabling of a selected one or more features of a component of the computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and publishing the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system for distribution to affected computing systems.

Aspects of the disclosure describe methods and systems for performing an antivirus scan using file level deduplication. In an exemplary aspect, prior to performing an antivirus scan on files stored on at least two storage devices, a deduplication module calculates a respective hash for each respective file stored on the storage devices. The deduplication module identifies a first file stored the storage devices and determines whether at least one other copy of the first file exists on the storage devices. In response to determining that another copy exists, the deduplication module stores the first file in a shared database, replaces all copies of the first file on the storage devices with a link to the first file in the shared database, and performs the antivirus scan on (1) the first file in the shared database and (2) the files stored on the storage devices.

The invention relates to data recovery technology. An archive connection driver creates a virtual storage medium that is readable by an operating system, with the operating system running antivirus scanning algorithms on the connected virtual storage medium. Corrupted data and malware are deleted and the relevant data blocks repaired in a connected backup. Corrupted data and infected files are restored in marked invalid data in the backup.

Data is received that comprises or characterizes an executable and dynamic linked library (DLL). Features are then extracted from the executable and DLL. The extracted features are input into at least one machine learning model to generate a suspiciousness score. The machine learning model can be trained to determine whether the executable file comprises ransomware. An execution chain of trust score for the executable and DLL can later be determined based on the extracted features and the suspiciousness score. This execution chain of trust score for the executable and DLL characterizes one or more associated parent processes. This suspiciousness score and the execution chain of trust score can be used to determine whether or not to initiate one or more ransomware countermeasures. Related apparatus, systems, techniques and articles are also described.

Disclosed are systems and methods for countering a cyber-attack on computing devices by means of which users are interacting with services, which store personal data on the users. Data is collected about the services with which the users are interacting by means of the devices, as well as data about the devices themselves. The collected data is analyzed to detect when a cyber-attack on the devices is occurring as a result of a data breach of personal data on users from the online service. A cluster of the computing devices of different users of the online service experiencing the same cyber attack is identified. Attack vectors are identified based on the characteristics of the cyber attack experienced by the computing devices in the cluster. Actions are selected for countering the cyber-attack based on the identified attack vector and are sent to the devices of all users of the corresponding cluster.

File events are correlated with intrusion detection alerts for corrective action. A monitoring component receives file events from a thin agent. An analysis component analyzes the file events and metadata obtained from the intrusion detection alerts, such as attack type or file name, to correlate a set of file events to at least one detected action (intrusion) described in the alert. A recommendation component identifies one or more options, including one or more corrective actions, which are applicable for remediating the alert. The set of options includes a recommended action from two or more possible corrective actions. The set of options are output or displayed to the user. The user selects which option/action to perform in response to the alert. In some examples, an automatic response is performed without user selection with respect to selected types of alerts, detected action(s), selected file(s) or other user-generated criteria.

A method of application integrity verification and remediation includes scanning an appliance to identify installed program files associated with an application under analysis deployed at the appliance. The method includes computing a hash value of a first installed file of the installed program files. The method includes determining whether the first installed file exists in vendor program files of the application that are maintained separate from the installed program files. The method includes fetching a hash value of a first vendor file of the vendor program files. The first vendor file corresponds to the first installed file. Responsive to the fetched hash value differing from the computed hash value, the method includes classifying the first installed program file as a compromised file and remediating the compromised file at the network appliance.