This invention provides systems and methods for data processing by means of an ongoing background process on an end-user's computer. As a user receives and generates data, files are analyzed. A container file is opened into the volatile memory and its contents (including data and metadata) are extracted, without requiring an index to be created. The extracted components are analyzed based on predefined characteristics.

Examples relate generally to systems and methods for orchestrating a recovery in the event of a ransomware attack on a compute infrastructure. More specifically, some examples include techniques for application migration in cloud data management, ransomware recovery, and mitigation of lost data.

A non-transitory computer readable medium stores a program causing a computer to execute a process, the process executing an application program corresponding to a sequence of a first phase updating a definition file of a virus, a second phase diagnosing with the definition file used and controlling the virus, a third phase assessing vulnerability, and a fourth phase applying a correction program.

A system, method and computer program product for computer based open innovation, includes an asset valuation device receiving asset information regarding one or more tangible or non-tangible assets, and generating a valuation signal, based on the asset information; a self-executing code device receiving the valuation signal, and generating a self-executing code signal, based on the valuation signal; an air router device having both a low band radio channel, and an internet router channel for redundant internet communications, and a malicious code removal device for scrubbing malicious code from data received, receiving the valuation signal, and generating a node voting request signal, based on the valuation signal; and a mesh network having a plurality of node devices receiving the node voting request signal, and generating vote confirmation signals, based on the node voting request signal.

There is provided a method for generating a representation for behavior similarity comparison by generating a program-level stateful model of one or more entities in a computer operating system operating on a computer system, the program-level stateful model having a data structure representing a state of a program; generating an updated representation of the program based on the program-level stateful model; searching for at least one other representation of another program-level stateful model similar to the updated representation of the program; and comparing the updated representation of the program to the at least one other representation of another program-level stateful model.

There is disclosed in one example a computing apparatus, including: a hardware platform, including a processor, a memory, and a network interface; a bucketized reputation modifier table; and instructions encoded within the memory to instruct the processor to: perform a feature-based malware analysis of an object; assign the object a malware reputation according to the feature-based malware analysis; query and receive via the network interface a complementary score for a complementary property of the object; query the bucketized reputation modifier table according to the complementary score to receive a reputation modifier for the object; adjust the object's reputation according to the reputation modifier; and take a security action according to the adjusted reputation.

Embodiments provide automated security scanning of incoming images for use in creating containers such as a Virtual Machines. Based upon attribute(s) of metadata of the incoming image, a security engine chooses from amongst stored scripts for mounting and execution by installation logic. Such scripts can relate to the scanning itself, and/or pre-scanning considerations (such as scan frequency). In one example, the meta data attribute identifies a relevant Operating System (OS) of the incoming image. Other meta data attributes such •as scan frequency, •most recent passed scan, •log information, and •contact information (for issuance of a possible alert), may also be considered as part of the processing of an incoming image. Embodiments may enhance security by avoiding introduction of vulnerabilities through image instantiation. Embodiments may also impart flexibility to conserve resources by selectively scanning according to a frequency and/or date of last successful passage of the image.

Disclosed herein are systems and method for detecting malware signatures in databases. In one exemplary aspect, a method may comprise identifying a plurality of entries of the database, wherein each entry represents a record stored on a computing device and selecting at least one suspicious entry in the plurality of entries. The method may comprise retrieving a record associated with the suspicious entry and applying a transformation to original contents of the record. The method may comprise scanning the transformed contents of the record for a malware signature. In response to detecting a portion of the transformed contents that matches the malware signature, the method may comprise executing a remediation action that removes a corresponding portion from the original contents of the record and updating the database by replacing the at least one suspicious entry with an entry of the record on which the remediation action was executed.

Examples associated with ransomware attack monitoring are described herein. One example includes a monitor module to monitor files stored on the system for sequences of file accesses that match a predefined pattern of file accesses. An investigation module is activated based on a sequence of file accesses that match the predefined pattern. The investigation module logs actions taken by processes to modify files. A reaction module pauses a set of processes operating on the system based on the logging performed by the investigation module, and resumes legitimate processes.

Disclosed are systems and methods for detecting malicious applications. An exemplary method may comprise detecting that a first process has been launched on a computing device. The method may comprise receiving, from the first process, an execution stack associated with one or more control points of the first process. The method may comprise applying a machine learning classifier on the execution stack, wherein the machine learning classifier is configured to classify whether a process is malicious based on activity on control points captured on a given execution stack, and wherein a feature of a malicious process is detection of a system call to create a remote thread that runs in a virtual address space of a shared-service process configured to import third-party processes to be embedded as separate threads. The method may comprise generating an indication that the execution of the first process is malicious/non-malicious.