EP-4430497-B1 - SNAPSHOT-BASED MALWARE MANAGEMENT
Inventors
- GEE, ADAM
- DRAPER, Andrew, William
- HE, Haijin
- ZHAO, XIAOYANG
- AGRAWAL, Shivanshu
- XU, Jonathan
- CHANDRA, SURENDAR
- JOHNSTON, Gregory, Robert
- SANG, Ishaan
- MUNSHANI, Kunal, Sean
- MEADOWCROFT, Benjamin, Travis
- VALE FERREIRA MENEZES, GUILHERME
- RAVICHANDRAN, Karthick Raja
- DAVIS, WILLIAM, MICHAEL
Dates
- Publication Date: 20260506
- Application Date: 20221107
Claims (11)
- A method, comprising: identifying, in respective snapshot chains for respective computing objects of a plurality of computing objects, respective most recent, non-infected snapshots, wherein the identifying comprises mounting snapshots in the respective snapshot chains and determining whether the mounted snapshots are infected by malware, and wherein a first computing object of the plurality of computing objects is a first virtual machine, a first file system, a first database, or a first network attached storage system, and a second computing object of the plurality of computing objects is a second virtual machine, a second file system, a second database, or a second network attached storage system; displaying a graphical user interface showing: at least a portion of the respective snapshot chains, wherein the respective snapshot chains are represented as one or more individual snapshots, and wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, and across the respective snapshot chains, a cut line delineating infected snapshots from non-infected snapshots, wherein snapshots above the cut line are restricted from being recovered; receiving, at the graphical user interface, a command to recover, for the respective computing objects, non-infected data; and recovering, in response to the command, for the respective computing objects, a non-infected snapshot from the respective snapshot chains in accordance with the cut line.
- The method of claim 1, wherein the identifying comprises: mounting the snapshots in the respective snapshot chains in reverse chronological order.
- The method of any one of claims 1 to 2, wherein the mounting and the determining are repeated until a non-infected snapshot in the respective snapshot chains is identified.
- The method of any one of claims 1 to 2, wherein the mounting and the determining are repeated past the point at which a non-infected snapshot in the respective snapshot chains is identified.
- The method of any one of claims 1 to 4, further comprising: repeating the identifying for all computing objects in a system.
- The method of any one of claims 1 to 5, wherein the determining comprises: applying YARA rules and hash matching to a mounted snapshot.
- The method of any one of claims 1 to 6, wherein mounting the snapshots comprises mounting the snapshots in a sandboxed virtual machine.
- The method of any one of claims 1 to 7, further comprising: hydrating data in a mounted snapshot before the determining.
- An apparatus, comprising means for performing a method according to one of claims 1 to 8.
- One or more computer readable media having one or more programs stored thereon, wherein execution of the one or more programs causes a computer or a plurality of computers to perform a method according to one of claims 1 to 8.
- One or more programs suitable to be executed on one or more computers, wherein the execution of the one or more programs causes a computer or a plurality of computers to perform a method according to one of claims 1 to 9.
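The claims above describe a procedure rather than show it: walk each computing object's snapshot chain newest-first, mount and scan each snapshot (hash matching is one of the named checks), stop at the first clean one (or keep going, per the dependent claims), and draw a cut line above which snapshots may not be recovered. The following Python is an added illustration written for this page; it is not the patentee's code. Mounting is modelled as reading an in-memory dict of path to bytes, the "known-bad" hash set and the three sample chains are constructed for the example, and the object names, timestamps and function names are assumptions.

```python
"""Illustrative reverse-chronological snapshot scan with a per-object cut line.

Constructed sample data; not the patent's implementation. A "mounted"
snapshot is just a dict of path -> bytes here.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Snapshot:
    snapshot_id: str
    taken_at: int   # constructed ordinal timestamp; higher is newer
    files: dict     # path -> bytes, standing in for the mounted file system


# Constructed indicator: the SHA-256 of a marker payload planted in the sample
# data below. A deployment would load hashes from its threat intelligence feed.
PAYLOAD = b"SAMPLE-MALICIOUS-PAYLOAD"
KNOWN_BAD_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}


def is_infected(snapshot):
    """'Determining' step: hash-match every file in the mounted snapshot."""
    for data in snapshot.files.values():
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES:
            return True
    return False


def scan_chain(chain, stop_at_first_clean=True):
    """Mount snapshots newest-first and record a verdict for each one scanned.

    stop_at_first_clean=True halts at the first clean snapshot (claim 3);
    False keeps scanning older snapshots after it (claim 4).
    Returns (verdicts by snapshot_id, most recent clean Snapshot or None).
    """
    verdicts = {}
    latest_clean = None
    for snap in sorted(chain, key=lambda s: s.taken_at, reverse=True):
        infected = is_infected(snap)
        verdicts[snap.snapshot_id] = infected
        if not infected and latest_clean is None:
            latest_clean = snap
            if stop_at_first_clean:
                break
    return verdicts, latest_clean


def build_recovery_plan(chains, stop_at_first_clean=True):
    """Per object: the snapshot to recover and the ones above the cut line.

    The cut line sits at the most recent clean snapshot; anything newer is
    restricted. With no clean snapshot at all, everything is restricted.
    """
    plan = {}
    for obj, chain in chains.items():
        verdicts, clean = scan_chain(chain, stop_at_first_clean)
        cut_at = clean.taken_at if clean else None
        newest_first = sorted(chain, key=lambda s: s.taken_at, reverse=True)
        restricted = [s.snapshot_id for s in newest_first
                      if cut_at is None or s.taken_at > cut_at]
        plan[obj] = {"recover": clean.snapshot_id if clean else None,
                     "restricted": restricted, "verdicts": verdicts}
    return plan


def recover(plan):
    """Act on the recover command: objects with no clean snapshot are skipped."""
    return {obj: e["recover"] for obj, e in plan.items() if e["recover"] is not None}


def _snap(obj, n, t, infected):
    # Constructed snapshot contents; the dropper file is only present when infected.
    files = {"/etc/config": b"clean config v%d" % n}
    if infected:
        files["/tmp/dropper.bin"] = PAYLOAD
    return Snapshot("%s@s%d" % (obj, n), t, files)


# Constructed chains: a VM infected from s3 on, a NAS whose infection was
# cleaned up by s3, and a database with no clean snapshot at all.
SAMPLE_CHAINS = {
    "vm-1": [_snap("vm-1", 1, 1, False), _snap("vm-1", 2, 2, False),
             _snap("vm-1", 3, 3, True), _snap("vm-1", 4, 4, True)],
    "nas-1": [_snap("nas-1", 1, 1, False), _snap("nas-1", 2, 2, True),
              _snap("nas-1", 3, 3, False)],
    "db-1": [_snap("db-1", 1, 1, True), _snap("db-1", 2, 2, True)],
}

if __name__ == "__main__":
    for obj, entry in build_recovery_plan(SAMPLE_CHAINS).items():
        print(obj, "recover:", entry["recover"], "restricted:", entry["restricted"])
```

Running it shows `vm-1` rolled back to `vm-1@s2` with `s3` and `s4` above the cut line, `nas-1` recovering its newest snapshot with nothing restricted, and `db-1` left with no recoverable snapshot, which is the case a recovery UI must surface rather than silently skip. Passing `stop_at_first_clean=False` scans the full chain so older snapshots also receive a verdict, at the cost of mounting and scanning every one.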
Description
CROSS REFERENCE
The present application for patent claims priority to the following applications, each of which is assigned to the assignee hereof:
- U.S. Patent Application No. 17/980,930 by Munshani et al., entitled "BULK SNAPSHOT RECOVERY" and filed November 4, 2022;
- U.S. Patent Application No. 17/980,752 by Gee et al., entitled "RECOVERING QUARANTINED INFORMATION FROM BACKUP LOCATIONS" and filed November 4, 2022;
- U.S. Patent Application No. 17/980,676 by Gee et al., entitled "QUARANTINING INFORMATION IN BACKUP LOCATIONS" and filed November 4, 2022;
- U.S. Patent Application No. 17/980,652 by Gee et al., entitled "RECOVERING INFECTED SNAPSHOTS IN A SNAPSHOT CHAIN" and filed November 4, 2022;
- U.S. Patent Application No. 17/980,645 by Gee et al., entitled "INDICATING INFECTED SNAPSHOTS IN A SNAPSHOT CHAIN" and filed November 4, 2022;
- U.S. Provisional Application No. 63/421,536 by Chandra et al., entitled "BULK SNAPSHOT RECOVERY" and filed November 1, 2022;
- U.S. Provisional Application No. 63/319,953 by Chandra et al., entitled "QUARANTINING INFORMATION IN BACKUP LOCATIONS" and filed March 15, 2022; and
- U.S. Provisional Application No. 63/276,822 by Gee et al., entitled "MALWARE DETECTION IN SNAPSHOTS" and filed November 8, 2021.

US2020/319979A1 in an abstract states that "Disclosed herein are systems and method for restoring a clean backup after a malware attack. In one aspect, a method forms a list of files that are of a plurality of designated file types that can be infected by malicious software. The method performs one or more snapshots of the files according to a predetermined schedule over a predetermined period of time and performs one or more backups. The method determines that a malware attack is being carried out on the computing device and generates a list of dangerous objects that spread the malware attack. The method compares the list of dangerous objects with the one or more snapshots to determine when the malware attack occurred. The method identifies a clean backup that was created most recently before the malware attack as compared to other backups and recovers data for the computing device from the clean backup."

US2019/235973A1 in an abstract states that "A method for automated ransomware identification includes receiving a first series of data items for backup from a host system, identifying, using a heuristic, a first characteristic of the first series of data items, receiving a second series of data items for backup from the host system, identifying, using the heuristic, a second characteristic of the second series of data items, detecting that the second characteristic differs from the first characteristic in a manner consistent with a ransomware infection, and invoking a recovery procedure responsive to the detecting."

US2021/240828A1 in an abstract states that "An amount of data change associated with a version of a content file with respect to one or more previous versions of the content file is determined. The amount of change associated with the version of the content file is determined using a tree data structure associated with the content file that is stored on a storage cluster. One or more statistics associated with backup snapshot are provided to a server. The server is configured to determine that the amount of data change associated with the version of the content file is anomalous based in part on the one or more statistics associated with the backup snapshot. A notification that data associated with the backup snapshot is potentially infected by malicious software is received from the server. The version of the content file is indicated as being potentially infected by malicious software."

TECHNICAL FIELD
The present disclosure relates generally to data management, including techniques for snapshot-based malware management.

SUMMARY OF THE INVENTION
The present invention is set out in the independent claims, with some optional features set out in the claims dependent thereto.

BACKGROUND
The volume and complexity of data that is collected, analyzed and stored is increasing rapidly over time. The computer infrastructure used to handle this data is also becoming more complex, with more processing power and more portability. As a result, data management and storage is becoming increasingly important. Significant issues of these processes include access to reliable data backup and storage, and fast data recovery in cases of failure. Other aspects include data portability across locations and platforms.

BRIEF DESCRIPTION OF THE DRAWINGS
- FIG. 1 depicts one embodiment of a networked computing environment in which the disclosed technology may be practiced, according to an example embodiment.
- FIG. 2 depicts one embodiment of the server of FIG. 1, according to an example embodiment.
- FIG. 3 depicts one embodiment of the storage appliance of FIG. 1, according to an example embodiment.
- FIG. 4 shows an example cluster of a distributed decentralized database, according to some example embodiments.
- FIG. 5 depicts a block