EP-4742043-A2 - SNAPSHOT-BASED MALWARE MANAGEMENT

Abstract

Subject matter related to snapshot-based malware management is discussed. The most recent snapshot in a snapshot chain that is not infected by malware may be identified by mounting snapshots in the snapshot chain and determining whether each mounted snapshot is infected. A graphical user interface showing the individual snapshots in the snapshot chain, and indicating whether each snapshot is infected with malware, may be displayed. The graphical user interface may provide a recover function for non-infected snapshots and may not enable the recover function for infected snapshots. A command to recover a non-infected snapshot in the snapshot chain may be received. Based on receiving the command, one or more non-infected snapshots may be recovered or suggested for recovery.

Inventors

  • GEE, ADAM
  • DRAPER, ANDREW WILLIAM
  • HE, Haijin
  • ZHAO, XIAOYANG
  • AGRAWAL, Shivanshu
  • XU, Jonathan
  • CHANDRA, SURENDAR
  • JOHNSTON, Gregory, Robert
  • SANG, Ishaan
  • MUNSHANI, Kunal Sean
  • Meadowcroft, Benjamin Travis
  • VALE FERREIRA MENEZES, GUILHERME
  • RAVICHANDRAN, Karthick, Raja
  • DAVIS, WILLIAM MICHAEL

Assignees

  • Rubrik, Inc.

Dates

Publication Date
2026-05-13
Application Date
2022-11-07

Claims (13)

  1. A method, comprising: displaying a graphical user interface showing: at least a portion of respective snapshot chains for respective computing objects of a plurality of computing objects in a computing system, wherein the respective snapshot chains are represented as one or more individual snapshots, wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, and wherein the plurality of computing objects comprises at least two computing objects from among the following computing objects: a physical machine, a virtual machine, a file system, a database, or a network attached storage system, and a cut line extending across the respective snapshot chains, wherein respective snapshots in the respective snapshot chains that are positioned on a first side of the cut line are indicated for recovery by the cut line; receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain and is positioned on a second side of the cut line; and recovering, based at least in part on receiving the selection, for the respective computing objects, respective non-infected snapshots from the respective snapshot chains in accordance with the cut line and non-infected content in the infected snapshot.
  2. The method of claim 1, wherein the cut line delineates infected snapshots from non-infected snapshots, and wherein snapshots that are positioned on the second side of the cut line are restricted from being recovered.
  3. The method of any one of claims 1 to 2, further comprising: mounting, in response to the selection, the infected snapshot; and determining, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected.
  4. The method of any one of claims 1 to 3, further comprising: receiving, based at least in part on the selection, a command to recover non-infected content for the respective computing objects.
  5. The method of any one of claims 1 to 4, further comprising: identifying respective most recent snapshots in the respective snapshot chains that are not infected by malware, wherein the cut line is based at least in part on the respective most recent snapshots in each of the respective snapshot chains.
  6. The method of claim 5, wherein identifying the respective most recent snapshots comprises: mounting snapshots in the respective snapshot chains in reverse chronological order; and determining, for each of the mounted snapshots, whether the mounted snapshot is infected by malware.
  7. The method of claim 6, further comprising: refraining from mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain.
  8. The method of claim 6, further comprising: mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain.
  9. The method of any one of claims 6 to 8, wherein determining whether the mounted snapshots are infected comprises: applying YARA rules and hash matching to the mounted snapshots.
  10. The method of any one of claims 6 to 9, further comprising: hydrating data in a mounted snapshot before determining whether the mounted snapshots are infected.
  11. An apparatus, comprising means for performing a method according to one of claims 1 to 10.
  12. One or more computer readable media having one or more programs stored thereon wherein execution of the one or more programs causes a computer or a plurality of computers to perform a method according to one of claims 1 to 10.
  13. One or more programs suitable to be executed on one or more computers, wherein the execution of the one or more programs causes a computer or a plurality of computers to perform a method according to one of claims 1 to 10.
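The scan-and-cut-line procedure of claims 1 to 10, worked through as an added Python example. This is not code from the patent or from Rubrik: the snapshot chains, the known-bad hash, the two YARA-style byte rules and all file contents are constructed here, and a regular-expression matcher stands in for a real YARA engine (the matching shape is the same; a deployment would compile rules with yara-python). Each chain is walked newest-first, stopping at the first clean snapshot (claim 7) or continuing (claim 8); the cut line is the most recent clean snapshot per object, everything newer is restricted, and a selected infected snapshot contributes only its non-infected files (claims 3 and 4).

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed indicators standing in for a hash feed and a compiled YARA ruleset.
DROPPER = b"MZ\x90\x00 constructed dropper payload"
KNOWN_BAD_SHA256 = {hashlib.sha256(DROPPER).hexdigest()}
YARA_LIKE_RULES = {
    "ransom_note": re.compile(rb"YOUR FILES HAVE BEEN ENCRYPTED"),
    "php_webshell": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
}


@dataclass
class Snapshot:
    snapshot_id: str
    taken_at: int   # ordering key; larger means more recent
    files: dict     # path -> bytes: the content visible once the snapshot is mounted


def scan_file(data: bytes) -> list:
    """Hash matching plus rule matching on one file's bytes (claim 9)."""
    hits = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        hits.append("hash:known_bad")
    hits += [f"yara:{name}" for name, rule in YARA_LIKE_RULES.items() if rule.search(data)]
    return hits


def scan_snapshot(snap: Snapshot) -> dict:
    """'Mount' a snapshot (here: walk its in-memory files); returns infected path -> reasons."""
    return {path: hits for path, data in snap.files.items() if (hits := scan_file(data))}


def latest_clean(chain: list, stop_at_first_clean: bool = True):
    """Walk one chain newest-first, scanning each snapshot (claims 5 and 6).

    stop_at_first_clean=True refrains from mounting older snapshots once a clean one
    is found (claim 7); False keeps mounting (claim 8), which costs more mounts but
    shows how far back the infection reaches.
    Returns (most recent clean Snapshot or None, {snapshot_id: infected paths}).
    """
    results, latest = {}, None
    for snap in sorted(chain, key=lambda s: s.taken_at, reverse=True):
        results[snap.snapshot_id] = scan_snapshot(snap)
        if not results[snap.snapshot_id]:
            if latest is None:
                latest = snap
            if stop_at_first_clean:
                break
    return latest, results


def cut_line(chains: dict) -> dict:
    """Per object: the snapshot the cut line selects for recovery (claims 1 and 5)
    and the newer snapshots on the restricted side of the line (claim 2)."""
    plan = {}
    for obj, chain in chains.items():
        clean, _ = latest_clean(chain)
        restricted = [s.snapshot_id for s in sorted(chain, key=lambda s: s.taken_at, reverse=True)
                      if clean is None or s.taken_at > clean.taken_at]
        plan[obj] = {"recover": clean.snapshot_id if clean else None, "restricted": restricted}
    return plan


def non_infected_content(snap: Snapshot) -> dict:
    """Mount a selected infected snapshot and keep only its clean files (claims 3 and 4)."""
    infected = scan_snapshot(snap)
    return {path: data for path, data in snap.files.items() if path not in infected}


def render(obj: str, chain: list, plan: dict) -> str:
    """Text stand-in for the interface of claim 1: oldest to newest, '|' marks the cut line.
    Snapshots older than the cut were never mounted under claim 7, so they are unscanned."""
    cells = []
    for s in sorted(chain, key=lambda s: s.taken_at):
        if s.snapshot_id == plan["recover"]:
            cells.append(f"[{s.snapshot_id} ok] |")
        else:
            cells.append(f"[{s.snapshot_id} {'INFECTED' if s.snapshot_id in plan['restricted'] else 'not scanned'}]")
    return f"{obj}: " + " ".join(cells)


# Constructed sample chains for two computing objects: a virtual machine and a NAS share.
CHAINS = {
    "vm-1": [
        Snapshot("vm1-s1", 1, {"C:/app/config.ini": b"[app]\nmode=prod\n"}),
        Snapshot("vm1-s2", 2, {"C:/app/config.ini": b"[app]\nmode=prod\n", "C:/users/readme.txt": b"hello"}),
        Snapshot("vm1-s3", 3, {"C:/app/config.ini": b"[app]\nmode=prod\n",
                               "C:/users/README_DECRYPT.txt": b"YOUR FILES HAVE BEEN ENCRYPTED",
                               "C:/temp/svc.exe": DROPPER}),
    ],
    "nas-1": [
        Snapshot("nas-a", 1, {"www/index.php": b"<?php echo 'hi';"}),
        Snapshot("nas-b", 2, {"www/index.php": b"<?php echo 'hi';",
                              "www/up.php": b"<?php eval(base64_decode($_POST['x']));"}),
    ],
}

if __name__ == "__main__":
    plan = cut_line(CHAINS)
    for obj, chain in CHAINS.items():
        print(render(obj, chain, plan))
    # Operator selects the infected vm1-s3: the cut-line snapshots are recovered
    # plus the clean files carried by the selected infected snapshot (claim 1).
    print(sorted(non_infected_content(CHAINS["vm-1"][2])))
```

The claim 7 short-circuit is the default because each mount is expensive and the operator usually only needs the latest clean point; switching to the claim 8 full walk is the right choice during incident scoping, when the first infected snapshot (not the last clean one) is what tells you the dwell time.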

Description

CROSS REFERENCE

The present application for patent claims priority to U.S. Patent Application No. 17/980,930 by Munshani et al., entitled "BULK SNAPSHOT RECOVERY" and filed November 4, 2022; U.S. Patent Application No. 17/980,752 by Gee et al., entitled "RECOVERING QUARANTINED INFORMATION FROM BACKUP LOCATIONS" and filed November 4, 2022; U.S. Patent Application No. 17/980,676 by Gee et al., entitled "QUARANTINING INFORMATION IN BACKUP LOCATIONS" and filed November 4, 2022; U.S. Patent Application No. 17/980,652 by Gee et al., entitled "RECOVERING INFECTED SNAPSHOTS IN A SNAPSHOT CHAIN" and filed November 4, 2022; U.S. Patent Application No. 17/980,645 by Gee et al., entitled "INDICATING INFECTED SNAPSHOTS IN A SNAPSHOT CHAIN" and filed November 4, 2022; U.S. Provisional Application No. 63/421,536 by Chandra et al., entitled "BULK SNAPSHOT RECOVERY" and filed November 1, 2022; U.S. Provisional Application No. 63/319,953 by Chandra et al., entitled "QUARANTINING INFORMATION IN BACKUP LOCATIONS" and filed March 15, 2022; and U.S. Provisional Application No. 63/276,822 by Gee et al., entitled "MALWARE DETECTION IN SNAPSHOTS" and filed November 8, 2021.

TECHNICAL FIELD

The present disclosure relates generally to data management, including techniques for snapshot-based malware management.

BACKGROUND

The volume and complexity of data that is collected, analyzed and stored is increasing rapidly over time. The computer infrastructure used to handle this data is also becoming more complex, with more processing power and more portability. As a result, data management and storage is becoming increasingly important. Significant issues of these processes include access to reliable data backup and storage, and fast data recovery in cases of failure. Other aspects include data portability across locations and platforms.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts one embodiment of a networked computing environment in which the disclosed technology may be practiced, according to an example embodiment.
FIG. 2 depicts one embodiment of the server of FIG. 1, according to an example embodiment.
FIG. 3 depicts one embodiment of the storage appliance of FIG. 1, according to an example embodiment.
FIG. 4 shows an example cluster of a distributed decentralized database, according to some example embodiments.
FIG. 5 depicts a block diagram of a malware engine according to an example embodiment.
FIG. 6 depicts a flowchart illustrating a method of scanning a snapshot for malware according to an example embodiment.
FIG. 7 depicts an example interface according to an example embodiment.
FIG. 8 depicts a flowchart illustrating a method of recovering a non-infected file in an infected snapshot according to an example embodiment.
FIG. 9 depicts a flowchart illustrating a method of recovering an infected snapshot according to an example embodiment.
FIG. 10 depicts a flowchart illustrating a method of recovering non-infected content within an infected snapshot according to an example embodiment.
FIG. 11 depicts a flowchart illustrating a method of quarantining information in a snapshot according to an example embodiment.
FIGs. 12 and 13 depict example ledgers that support recording quarantining and release operations according to an example embodiment.
FIG. 14 depicts a flowchart illustrating a method of restoring a requested snapshot in accordance with quarantine information according to an example embodiment.
FIG. 15 depicts an example ledger that supports recording quarantining and release operations according to an example embodiment.
FIG. 16 depicts an example recovery timeline that supports recording quarantining and release operations according to an example embodiment.
FIG. 17 depicts a flowchart illustrating a method for bulk snapshot recovery according to an example embodiment.
FIG. 18 depicts a schema that supports bulk snapshot recovery according to an example embodiment.
FIG. 19 depicts a block diagram that supports bulk snapshot recovery according to an example embodiment.

DETAILED DESCRIPTION

The description that follows includes systems, methods, techniques, instruction sequences, and computing machine program products that embody illustrative embodiments of the present disclosure. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of example embodiments. It will be evident, however, to one skilled in the art that the present inventive subject matter may be practiced without these specific details.

A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the dra