Patent classifications
G06F21/565
Malware attributes database and clustering
A system and method for detecting malware using hierarchical clustering analysis. Unknown files are classified by clustering them together with known malicious and known safe files. Machine learning models and detection rules are used to enhance classification accuracy.
SYSTEMS AND METHODS FOR IDENTIFYING MALICIOUS EVENTS USING DEVIATIONS IN USER ACTIVITY FOR ENHANCED NETWORK AND DATA SECURITY
Systems, methods, and computer program products are provided for identifying a potential malicious event. The method includes receiving one or more user actions over a user session associated with a user. The method also includes comparing the one or more user actions with one or more previous user actions over at least one previous user session associated with the user. The method further includes determining an occurrence of a potential malicious event based on the comparison of the one or more user actions with one or more previous user actions over at least one previous user session associated with the user. The method still further includes determining a remedial action based on the determination of the occurrence of the potential malicious event.
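The comparison the abstract describes, as an added worked example rather than the patent's own implementation: a baseline of per-action frequencies is built from the user's previous sessions, the current session is scored on actions never seen before and on actions repeated far above their baseline rate, and a remedial action is chosen from the score. The session data, the spike factor of 3 and the escalation ladder are constructed assumptions for illustration.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample sessions for one user (not real telemetry). Each session is
# the ordered list of actions the user took.
PREVIOUS_SESSIONS: List[List[str]] = [
    ["login", "view_dashboard", "view_report", "download_report", "logout"],
    ["login", "view_dashboard", "view_report", "logout"],
    ["login", "view_report", "download_report", "view_dashboard", "logout"],
]
CURRENT_SESSION: List[str] = [
    "login", "view_dashboard", "export_all_users", "change_password",
    "download_report", "download_report", "download_report",
    "download_report", "download_report", "download_report",
]


def build_baseline(sessions: List[List[str]]) -> Dict[str, float]:
    """Average number of times each action occurred per previous session."""
    totals: Counter = Counter()
    for session in sessions:
        totals.update(session)
    return {action: count / len(sessions) for action, count in totals.items()}


def score_session(session: List[str], baseline: Dict[str, float],
                  spike_factor: float = 3.0) -> Tuple[int, List[str]]:
    """Compare one session against the baseline. Two kinds of deviation are
    counted: an action this user has never performed before, and an action
    performed more than spike_factor times its baseline average per session.
    spike_factor is an assumed tuning knob, not a value from the patent."""
    findings: List[str] = []
    for action, count in Counter(session).items():
        avg = baseline.get(action)
        if avg is None:
            findings.append(f"never seen before: {action}")
        elif count > spike_factor * avg:
            findings.append(f"spike: {action} x{count} (baseline avg {avg:.2f}/session)")
    return len(findings), findings


def remedial_action(score: int) -> str:
    """Assumed escalation ladder keyed on the number of deviations found."""
    if score == 0:
        return "none"
    if score == 1:
        return "log"
    if score == 2:
        return "step_up_auth"
    return "terminate_session"


def evaluate(session: List[str], previous: List[List[str]]) -> Dict[str, object]:
    """Full pipeline: baseline, comparison, decision."""
    score, findings = score_session(session, build_baseline(previous))
    return {"score": score, "findings": findings, "action": remedial_action(score)}


if __name__ == "__main__":
    print(evaluate(CURRENT_SESSION, PREVIOUS_SESSIONS))
```

Two unseen actions (a bulk user export and a password change) plus a six-fold spike in report downloads give the constructed session a score of 3 and terminate it; one of the user's own previous sessions scores 0. A production baseline needs more than three sessions and should age out old behaviour, otherwise a user whose job legitimately changes is flagged forever.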
SOFTWARE DISTRIBUTION COMPROMISE DETECTION
A first computing device on a first network establishes a secure communications channel with a second computing device on a second network. The first computing device receives, via the secure communications channel from the second computing device, a first software product and a first software product identifier that identifies a previously manufactured first software product. The first computing device obtains first validation information that uniquely identifies the previously manufactured first software product. The first computing device analyzes the first validation information and the first software product to determine whether the first software product is different from the previously manufactured first software product. The first computing device, in response to determining that the first software product is different from the previously manufactured first software product, sends a first message to the second computing device indicating that the first software product is not validated.
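The receiving side's check, as an added example that is not the patent's code: the validation information is a record (SHA-256 digest and size) captured when the product was manufactured, the delivered bytes are compared against it, and the reply message states whether the product is validated and why. The product bytes, the identifier naming scheme and the record format are constructed assumptions; the tampered copy keeps the original length so the digest, not the size, catches it.

```python
import hashlib
import hmac
from typing import Dict


def make_validation_record(product: bytes) -> Dict[str, object]:
    """Validation information captured when the product was originally manufactured."""
    return {"sha256": hashlib.sha256(product).hexdigest(), "size": len(product)}


# Constructed sample: the build as it left the manufacturer, keyed by product identifier.
ORIGINAL_BUILD = b"ACME agent 2.3.1\nmain: connect(api.example.internal)\n"
VALIDATION_DB: Dict[str, Dict[str, object]] = {
    "acme-agent-2.3.1": make_validation_record(ORIGINAL_BUILD),
}

# Constructed tampered copy: same length, one byte changed in the endpoint name.
TAMPERED_BUILD = ORIGINAL_BUILD.replace(b"api.example.internal", b"api.example.internet")


def validate_product(identifier: str, product: bytes,
                     db: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Receiving side: decide whether the delivered bytes are the previously
    manufactured product named by identifier, and build the reply message."""
    record = db.get(identifier)
    if record is None:
        # No validation information means we cannot vouch for it; do not validate by default.
        return {"identifier": identifier, "validated": False,
                "reason": "no validation information for identifier"}
    if len(product) != record["size"]:
        return {"identifier": identifier, "validated": False, "reason": "size mismatch"}
    digest = hashlib.sha256(product).hexdigest()
    # Constant-time comparison so the reply timing does not leak how many hex digits matched.
    if not hmac.compare_digest(digest, str(record["sha256"])):
        return {"identifier": identifier, "validated": False, "reason": "digest mismatch"}
    return {"identifier": identifier, "validated": True,
            "reason": "matches previously manufactured product"}


if __name__ == "__main__":
    for name, blob in (("intact", ORIGINAL_BUILD), ("tampered", TAMPERED_BUILD)):
        print(name, validate_product("acme-agent-2.3.1", blob, VALIDATION_DB))
```

The validation database has to reach the first computing device over a path the second network cannot influence; if the digest travels with the product over the same channel, an attacker who can swap the product can swap the digest too.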
TECHNIQUES FOR SECURING VIRTUAL MACHINES BY APPLICATION EXISTENCE ANALYSIS
A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.
Distributed Secure Content Inspection In Enterprise Networks
Arrangements for dynamic evaluation of remotely located content are provided. In some aspects, a connection may be established between an external storage receiving device and a computing platform. The connection may include an IP secure tunnel to ensure secure transmission of data. The external storage receiving device may receive an external storage device, such as a USB drive. The computing platform may generate one or more commands configured to cause data from the USB drive to be replicated, encrypted and transmitted to the computing platform. The commands may be transmitted by the computing platform to the external storage receiving device and executed. The data may be received by the computing platform and scanned to generate a status decision. Based on the generated status decision, each file may be transferred to an output folder and transmitted to other systems or devices for further evaluation, use in business, or the like.
Methods and apparatus for using machine learning on multiple file fragments to identify malware
In some embodiments, a method includes processing at least a portion of a received file into a first set of fragments and analyzing each fragment from the first set of fragments using a machine learning model to identify within each fragment first information potentially relevant to whether the file is malicious. The method includes forming a second set of fragments by combining adjacent fragments from the first set of fragments and analyzing each fragment from the second set of fragments using the machine learning model to identify second information potentially relevant to whether the file is malicious. The method includes identifying the file as malicious based on the first information within at least one fragment from the first set of fragments and the second information within at least one fragment from the second set of fragments. The method includes performing a remedial action based on identifying the file as malicious.
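The two-pass fragment analysis, as an added example and not the patent's implementation. The point it shows that the abstract does not: an indicator split across a fragment boundary is invisible in the first pass and only appears once adjacent fragments are combined. The "model" here is a constructed stand-in (a list of API-name markers plus the fraction of non-printable bytes); the 16-byte fragment size, the 0.6 threshold and the sample files are assumptions, and the sample is not real malware.

```python
from typing import Dict, List, Tuple

FRAGMENT_SIZE = 16   # assumption: small so the example stays readable
THRESHOLD = 0.6      # assumption: a fragment scoring at or above this is suspicious
# Assumption: stand-in indicators for the machine learning model; not from the patent.
MARKERS = [b"VirtualAllocEx", b"WriteProcessMemory"]
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def score_fragment(fragment: bytes) -> Tuple[float, str]:
    """Stand-in for the model: (score in [0, 1], reason) for one fragment."""
    for marker in MARKERS:
        if marker in fragment:
            return 1.0, f"marker {marker.decode()}"
    nonprint = sum(1 for b in fragment if b not in PRINTABLE) / len(fragment)
    return nonprint, f"non-printable ratio {nonprint:.2f}"


def first_fragments(data: bytes, size: int = FRAGMENT_SIZE) -> List[bytes]:
    """First set: consecutive, non-overlapping slices of the file."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def second_fragments(first: List[bytes]) -> List[bytes]:
    """Second set: each adjacent pair joined, so a pattern cut by a boundary
    in the first set becomes contiguous in exactly one second-set fragment."""
    return [first[i] + first[i + 1] for i in range(len(first) - 1)]


def flagged(fragments: List[bytes]) -> List[Tuple[int, float, str]]:
    """(index, score, reason) for every fragment at or above THRESHOLD."""
    out = []
    for i, frag in enumerate(fragments):
        score, reason = score_fragment(frag)
        if score >= THRESHOLD:
            out.append((i, score, reason))
    return out


def analyze(data: bytes) -> Dict[str, object]:
    """Malicious only when both passes produced evidence, following the
    abstract's wording (first information AND second information)."""
    first = first_fragments(data)
    f1 = flagged(first)
    f2 = flagged(second_fragments(first))
    return {"malicious": bool(f1) and bool(f2), "first_pass": f1, "second_pass": f2}


def remediate(result: Dict[str, object]) -> str:
    return "quarantine" if result["malicious"] else "allow"


# Constructed sample inputs (not real malware). Each b"..." piece is exactly 16 bytes.
SUSPICIOUS_FILE = (
    b"name=agent;ver=1" + b";log=/var/log/a;"
    + b"target=VirtualAl" + b"locEx;mode=inj;;"   # marker split across a boundary
    + bytes(range(0x80, 0x90))                    # opaque binary blob
    + b"end of file.    "
)
BENIGN_FILE = b"name=agent;ver=1;log=/var/log/a;end of file.    "

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_FILE), ("benign", BENIGN_FILE)):
        r = analyze(blob)
        print(label, remediate(r), r)
```

On the suspicious sample the first pass flags only the binary blob (fragment 4) and never sees `VirtualAllocEx`, because the name is cut at byte 16 of fragment 2; the second pass flags the joined pair at index 2 with the marker. Requiring evidence from both sets, as the abstract states, also means a file whose only indicator straddles a boundary is not flagged on its own; a deployment that wants that file caught should combine the two passes' scores instead of requiring both.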
Systems and methods for anti-malware scanning using automatically-created white lists
Disclosed herein are systems and methods for scanning objects of a computing device, by an anti-malware, using a white list created for an organization based on data of the organization. In one aspect, an exemplary method comprises obtaining one or more objects of the organization from the computing device, and for each obtained object of the one or more objects, computing a hash value of the obtained object, determining whether the obtained object is whitelisted, and scanning the obtained object based on whether the obtained object is whitelisted, wherein the whitelist is created based on scanning of objects stored in archives of the organization, and the obtained object is determined as being whitelisted when the computed hash value of the obtained object matches a hash value of an object in a whitelist created for the organization.
METHODS AND SYSTEMS FOR FAST-PACED DYNAMIC MALWARE ANALYSIS
In one embodiment, a malware analysis method includes receiving a file on a virtual machine (VM). The VM includes a web debugging proxy, a system resource monitor, and a file analysis tool. The method also includes performing, with the file analysis tool, a static analysis on the file. The static analysis includes determining a set of file properties of the file, and storing the determined file properties in a repository. The method further includes performing, with the web debugging proxy and the system resource monitor, a dynamic analysis on the file. The dynamic analysis includes running the file on the VM, determining, with the web debugging proxy, web traffic of the virtual machine, determining, with the system resource monitor, executed commands and modifications to system resources of the VM originating from the file, and storing the determined traffic and executed commands in the repository.
Advanced ransomware detection
Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computer system coupled to a storage device by detecting an executing process that performed a specific type of modification to a number of files stored on the storage device. A processor compares the detected number to a specified threshold and initiates, on the executing process, a preventive action in response to determining that the detected number exceeds the specified threshold.
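The threshold check run over a constructed event stream, as an added example rather than the patent's implementation. The "specific type of modification" is taken here to be a rename that keeps the original file name and appends a further extension (report.docx to report.docx.locked), which is the pattern most file-encrypting ransomware leaves behind; that choice, the log format, the threshold of 5 and the process names are all assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed file-system events (not real telemetry), one per line.
EVENTS = r"""
pid=4321 proc=svc_host.exe op=write path=C:\Users\a\q1.xlsx
pid=4321 proc=svc_host.exe op=rename path=C:\Users\a\q1.xlsx new=C:\Users\a\q1.xlsx.locked
pid=4321 proc=svc_host.exe op=rename path=C:\Users\a\q2.xlsx new=C:\Users\a\q2.xlsx.locked
pid=777 proc=explorer.exe op=rename path=C:\Users\a\draft.txt new=C:\Users\a\final.txt
pid=4321 proc=svc_host.exe op=rename path=C:\Users\a\notes.docx new=C:\Users\a\notes.docx.locked
pid=4321 proc=svc_host.exe op=rename path=C:\Users\a\budget.pptx new=C:\Users\a\budget.pptx.locked
pid=777 proc=explorer.exe op=rename path=C:\Users\a\old.cfg new=C:\Users\a\old.cfg.bak
pid=4321 proc=svc_host.exe op=rename path=C:\Users\a\photo.jpg new=C:\Users\a\photo.jpg.locked
pid=900 proc=backup.exe op=write path=D:\backup\2024-01.img
pid=4321 proc=svc_host.exe op=rename path=C:\Users\a\thesis.pdf new=C:\Users\a\thesis.pdf.locked
"""

EVENT_RE = re.compile(r"pid=(\d+) proc=(\S+) op=(\w+) path=(\S+)(?: new=(\S+))?")


def is_extension_append(path: str, new: Optional[str]) -> bool:
    """The specific modification tracked here (an assumption): a rename that
    keeps the original name and appends another extension. Ordinary renames
    such as draft.txt -> final.txt do not count."""
    return new is not None and new.startswith(path + ".")


def tally(log: str) -> Dict[int, dict]:
    """Per process: name and the set of distinct files it modified this way.
    A set is used so repeated events on one file are counted once."""
    per_pid: Dict[int, dict] = {}
    for line in log.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue   # malformed line; skipped rather than crashing the detector
        pid_s, proc, op, path, new = m.groups()
        entry = per_pid.setdefault(int(pid_s), {"proc": proc, "files": set()})
        if op == "rename" and is_extension_append(path, new):
            entry["files"].add(path)
    return per_pid


def evaluate(log: str, threshold: int = 5) -> List[dict]:
    """Compare each process's count with the threshold; strictly exceeding it
    selects the preventive action (here: suspend the process)."""
    results = []
    for pid, entry in sorted(tally(log).items()):
        count = len(entry["files"])
        results.append({"pid": pid, "proc": entry["proc"], "count": count,
                        "action": "suspend_process" if count > threshold else "none"})
    return results


if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(row)
```

svc_host.exe touches six distinct files and is suspended; explorer.exe's single .bak rename and backup.exe's image write stay below the threshold. A count alone does not distinguish ransomware from a legitimate bulk tool (an archiver renaming everything to .bak), so a deployment pairs the threshold with a time window and a process allowlist, and suspends rather than kills so an analyst can still inspect the process.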
Systems and methods for generating an inventory of software applications for optimized analysis
A device may receive data identifying applications, wherein each application includes files and each file includes functions and lines of code. The device may generate file hashes for the files, line hashes for the lines of code, and function hashes for the functions. The device may store, in a data structure, data identifying one or more of the applications, the files, the lines of code, the functions, the file hashes, the line hashes, and the function hashes. When scanning a new application, the device may generate a hash associated with one of the files of the new application, and may determine that the hash associated with the file of the new application matches one of the file hashes. The device may refrain from performing a scan of the file of the new application based on determining that the hash of the file matches one of the file hashes.
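One example serving both the whitelist scanning method above (hash the object, skip the scan when the hash is already in a whitelist built from the organization's archives) and this inventory method (file hashes plus finer-grained line hashes). It is an added illustration, not either patent's code: the archive contents, file names and the decision to report unknown lines are constructed assumptions.

```python
import hashlib
from typing import Dict, List, Set


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_inventory(known_files: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Whole-file and per-line hashes from the organization's archive of
    already-reviewed files. This is the automatically created whitelist."""
    files: Set[str] = set()
    lines: Set[str] = set()
    for content in known_files.values():
        files.add(sha256(content))
        for line in content.splitlines():
            stripped = line.strip()
            if stripped:                         # blank lines carry no code
                lines.add(sha256(stripped))      # strip so re-indentation does not defeat the match
    return {"files": files, "lines": lines}


def plan_scan(new_files: Dict[str, bytes], inventory: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Decide per file whether the scan can be skipped. A whole-file hash match
    skips the file outright; otherwise the file is scanned and the lines absent
    from the inventory are listed so the scan can focus on what actually changed."""
    plan: Dict[str, dict] = {}
    for name, content in new_files.items():
        if sha256(content) in inventory["files"]:
            plan[name] = {"scan": False, "reason": "whitelisted by file hash", "new_lines": []}
            continue
        unknown: List[str] = []
        for line in content.splitlines():
            stripped = line.strip()
            if stripped and sha256(stripped) not in inventory["lines"]:
                unknown.append(stripped.decode("utf-8", "replace"))
        plan[name] = {"scan": True, "reason": "file hash not in inventory", "new_lines": unknown}
    return plan


# Constructed sample archive (already reviewed) and a new release to scan.
KNOWN_ARCHIVE: Dict[str, bytes] = {
    "lib/util.py": b"import os\n\ndef join(a, b):\n    return os.path.join(a, b)\n",
    "app/main.py": b"import os\nfrom lib.util import join\n\nprint(join('a', 'b'))\n",
}
NEW_RELEASE: Dict[str, bytes] = {
    "lib/util.py": KNOWN_ARCHIVE["lib/util.py"],                       # unchanged
    "app/main.py": b"import os\nfrom lib.util import join\n\n"
                   b"os.system(user_input)\nprint(join('a', 'b'))\n",   # one line added
    "app/new.py": b"import os\nprint('hi')\n",                          # brand new file
}

if __name__ == "__main__":
    for name, decision in plan_scan(NEW_RELEASE, build_inventory(KNOWN_ARCHIVE)).items():
        print(name, decision)
```

The unchanged library is skipped, and for the modified main module only the inserted `os.system(user_input)` line is new, which is exactly the line a scanner should spend its time on. Two caveats a practitioner should keep in mind: a line-hash match only says the line existed somewhere in reviewed code, not that it is safe in its new context, so line matches should narrow a scan rather than skip it; and the whitelist is only as trustworthy as the archive it was built from, so a compromised archive whitelists the compromise.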