Patent classifications
G06F21/568
METHOD AND APPARATUS FOR PREVENTING ROLLBACK OF FIRMWARE OF DATA PROCESSING DEVICE, AND DATA PROCESSING DEVICE
Implementations of the present application propose a method and apparatus for preventing rollback of firmware of a data processing device, and a data processing device. The method includes: enabling a boot loader (BootLoader) to read a current value of a predetermined bit in a one-time programmable memory (eFuse); determining whether the current value and a legal value written into the one-time programmable memory after the latest updating of the firmware of the data processing device satisfy a preset relationship; in response to determining that the current value and the legal value satisfy the preset relationship, enabling the boot loader to call an operating system kernel of the data processing device, and in response to determining that the current value and the legal value do not satisfy the preset relationship, enabling the boot loader not to call the operating system kernel of the data processing device. According to the implementations of the present application, rollback of the firmware can be prevented based on a variety of ways in a link-by-link mode.
Automation and optimization of data recovery after a ransomware attack
In the face of ransomware attacks, which can be increasingly difficult to effectively prevent, a solution can be considered to be the minimization of the cost and time taken to recover data and, hence, business activities. Embodiments perform a restore operation that includes automatically identifying the most recent healthy backup, from which data should be restored, and prioritizing the order in which data should be restored.
ELECTRONIC DEVICE AND CONTROL METHOD THEREOF
A method of controlling an electronic device is provided. The method includes: identifying a first instruction for an encryption operation on a file using an encryption key; based on the first instruction being identified, obtaining the encryption key and metadata for the encryption operation and storing the obtained encryption key and the metadata in a non-volatile memory; and based on a user command for an access operation to the file being obtained, identifying the encryption key used for the encryption operation based on the metadata.
Ransomware detection and mitigation
There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a system profile store; and a ransomware detection engine including instructions encoded within the memory to instruct the processor to: detect an operation, by a process, that results in an operation on a file, wherein the operation includes newly creating the file including a file type identifier, or where the file is an existing file, changing a file type identifier for the file; query the system profile store with a combination of the file type identifier and metadata about the file; based at least in part on the querying, determine that the process is a suspected ransomware attack; and take a remedial action.
DATA MANAGEMENT
In some examples, a method for data management comprises booting a trusted diskless operating system image via a device firmware component; accessing a non-volatile storage of the device using the trusted diskless operating system image; and retrieving user data from the non-volatile storage of the device, and/or writing user data received from a remote location to the non-volatile storage of the device.
Determining a Malware Defense Profile Using Machine Learning
According to certain embodiments, a network security device comprises a memory operable to store testing options for testing malware behavior and a processor operably coupled to the memory. The processor is configured to intercept probes sent by a malware application and to test a set of test responses, where each test response corresponds to a respective one of the testing options that comprises information that the probe seeks to obtain. For each test response, the test determines a test result indicating whether the test response resulted in stopping detonation of the malware application. Information indicating the test result and the test response that yielded the test result is input into a machine learning model configured to determine a malware defense profile based on the test information and to output the malware defense profile.
Ransomware protection for cloud storage systems
Exemplary security applications and systems are described herein. Such embodiments may be configured to provide backup functionality and ransomware protection for cloud storage systems. The described embodiments may monitor cloud storage systems to detect and classify various events. And the embodiments may perform any number of actions based on classified events, such as transmitting notifications to users, preventing a user or application from accessing the cloud storage system, and/or restoring infected files.
PERSISTENT SECURITY CONFIGURATION MONITORING
A computer-implemented method for persistent security configuration monitoring of a persistent configuration record defining a configurable software and/or hardware system over a plurality of lifecycle stages of the system. The method includes, during a first lifecycle phase of the system, automatically performing a first security task using a first automation engine according to a first configuration of the automation engine, wherein the first configuration defines a target action to be performed by the first automation engine, and an event detectable by the first automation engine that triggers the target action, detecting, using the first automation engine, the event, updating, using the first automation engine, a portion of the persistent configuration record relating to the first lifecycle phase, and triggering, via the first automation engine, at least one security task in response to the detection of the event.
JUST IN TIME REMOVAL OF CORRUPTED INFO AND FILES FROM BACKUPS ON RESTORE
One example method includes receiving a request to restore a backed up dataset, checking a tracking catalogue to identify any content of the dataset that is prohibited from being restored, preventing restoration of the content, and restoring all of the dataset, except the content, to a restore target. The prohibited content may be one or more files, or portions of files, and may include malware, confidential information, and personal information.
DETECTING SPREAD OF MALWARE THROUGH SHARED DATA STORAGES
According to examples, an apparatus may include machine-readable instructions that may cause the processor to determine that a first malware was detected on a first computing device and to determine whether a second malware was detected on a second computing device within a predefined period of time of when the first malware was detected on the first computing device, in which the first computing device and the second computing device are associated with a shared data storage that is remote from the first and second computing devices. The instructions may also cause the processor to, based on a determination that the second malware was detected within the predefined period of time, output a notification that the first malware was likely spread to the first computing device and/or that the second malware was likely spread to the second computing device through the shared data storage.