G06F21/565

METHODS AND SYSTEMS FOR PROTECTING SHADOW COPIES

Described are methods and systems that prevent malicious software from deleting shadow copies of computer files that might be required to restore user data in the event of a ransomware attack. A user layer includes a volume snapshot service that makes shadow copies and includes a hook to intercept delete requests. A kernel layer includes a filter to disallow shadow-copy deletion requests directed from the user layer to the operating system.

Machine learning-based malicious attachment detector
11556644 · 2023-01-17

In an embodiment, a computer-implemented method includes receiving, from a pre-processor, an output file; where the output file is created by the pre-processor in response to input of an electronic file to the pre-processor; where the electronic file is an attachment to a message that is in-transit to a recipient computer on a network; where the output file contains features that are created by the pre-processor analyzing one or more sub-features of the electronic file; receiving, from a machine learning-based classifier, malware classification data that indicates whether the electronic file does or does not contain malware; where the malware classification data is output by the machine learning-based classifier in response to the machine learning-based classifier determining that the features are or are not indicators of obfuscation; where data used to create the machine learning-based classifier includes output files previously created by the pre-processor; in response to the malware classification data matching a criterion, causing the network to modify, delay, or block transmission of the electronic file to the recipient computer.

CUSTOMIZED ANOMALY DETECTION IN SANDBOX SOFTWARE SECURITY SYSTEMS USING GRAPH CONVOLUTIONAL NETWORKS
20230222208 · 2023-07-13

ML (machine learning) training logs are parsed to generate a set of heterogeneous graphs having embedded nodes connected with edges determined by link prediction and denoting a hierarchical relationship between nodes. Each graph represents benign behavior from executing one of the files of a training database in the sandbox, wherein the nodes are embedded in the graph using a GCN (graph convolutional network) to calculate a real-valued vector of fixed dimension. A runtime module receives an untagged file in real time for analysis from a network component and generates a graph of the suspicious file's runtime behavior in the sandbox for comparison against the training graphs.

Systems and methods for code injection detection
11698966 · 2023-07-11

A computer-implemented method for detecting a code injection threat may include: performing a search process on a memory of a computer system to identify property list files; in response to an identification of a property list file, retrieving the property list file; performing an analysis process on the property list file to identify a target identifier; in response to an identification of the target identifier in the property list file, determining whether the target identifier corresponds to an electronic application stored in the memory of the computer system; in response to determining that the target identifier corresponds to the electronic application, determining that the property list file is indicative of a code injection threat to the electronic application; and in response to the determination that the property list file is indicative of a code injection threat to the electronic application, performing a security action based on the property list.

Detection of encrypting malware attacks

A computer-implemented method includes monitoring file access activity and generating an audit log based on the file access activity. The method also includes collecting samples of file usage activity, running a pattern recognition algorithm on the samples of the file usage activity for detecting malware activity, and, in response to detecting malware activity, restoring at least one file based on the audit log. A computer program product includes one or more computer readable storage media and program instructions collectively stored on the one or more computer readable storage media. The program instructions include program instructions to perform the foregoing method. A system includes a processor and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor. The logic is configured to perform the foregoing method.

System and method for performing an antivirus scan using file level deduplication

Aspects of the disclosure describe methods and systems for performing an antivirus scan using file level deduplication. In an exemplary aspect, prior to performing an antivirus scan on files stored on at least two storage devices, a deduplication module calculates a respective hash for each respective file stored on the storage devices. The deduplication module identifies a first file stored on the storage devices and determines whether at least one other copy of the first file exists on the storage devices. In response to determining that another copy exists, the deduplication module stores the first file in a shared database, replaces all copies of the first file on the storage devices with a link to the first file in the shared database, and performs the antivirus scan on (1) the first file in the shared database and (2) the files stored on the storage devices.

Virtual machine vulnerabilities and sensitive data analysis and detection
11693685 · 2023-07-04

A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting on detected potential cyber threats based on a determined priority.

Automatic ransomware detection with an on-demand file system lock down and automatic repair function

A method and system for detecting ransomware and repairing data following an attack. The method includes collecting file statistics for files in a file system, identifying an affected file based on the collected file statistics, locking down access to the file system in response to identifying the affected file, undoing reconcile processing, repairing the affected files, and unlocking access to the file system. The system includes a computer node, a file system, a plurality of disc storage components, a backup client, a backup client, and a hierarchical storage client. The hierarchical storage client is configured to collect file statistics for files in the file system, identify affected files based on the collected file statistics for the file, lock down access to the file system in response to an identified affected file, undo reconcile processing, repair the affected file, and unlock access to the file system.

Malware detection using federated learning

A malware detection method that uses federated learning includes receiving a first malware detection model and a database of known malicious files, and labeling each file of a training data set as either malicious or clean by comparing each file of the training data set to the database, where a match causes the file to be labeled as malicious. If a match cannot be found, the file is evaluated using the first malware detection model to predict maliciousness, and the file is labeled based on the prediction. The method further includes training the first malware detection model using the labeled training data set; transmitting parameters of the trained first malware detection model to a remote device; and receiving a second malware detection model that is trained by federated learning using the parameters of the trained first malware detection model and additional parameters provided by one or more additional remote devices.

COMPUTER-READABLE RECORDING MEDIUM STORING PROGRAM, METHOD OF DETECTING VULNERABILITY, AND INFORMATION PROCESSING APPARATUS

A process includes obtaining update history information that includes respective update histories of a plurality of versions of software, the plurality of versions including a first version immediately previous to a second version; identifying, from the update history information, a second version whose update history includes a predetermined keyword; identifying, based on development history information that includes a change location in the source code of the software between the first version and the second version, a code block deleted from the source code when the first version is upgraded to the second version as the code block that possibly includes a vulnerability; and detecting, out of the plurality of versions, a third version that includes the identified code block in its source code.