RU2622630C2 - System and method of modified data recovery - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: modified data recovery system contains an activity tracking tool to intercept requests from process to modify data, determine parameters of process whose interrogation was intercepted, determine the parameters of intercepted requests; an analysis tool for generating and transmitting backup request to backup database to be modified by the intercepted request from the process, based on results of intercepted requests parameters analysis; a detection tool for analysing process parameters received from activity tracking tool to determine level of threat to the integrity process of data it modifies; a backup tool for backing up data to backup database upon analysis tool request, restoring earlier copied data from backup database upon request of detection tool; a backup database for storage of data copied by backup tool.

EFFECT: increasing the security of data storage.

2 cl, 3 dwg

Description

Technical field

The invention relates to antivirus technologies, and more particularly to systems and methods for recovering data modified by malware.

State of the art

The rapid development of computer technology in recent years, as well as the widespread dissemination of various computing devices (personal computers, laptops, tablets, smartphones, etc.) have become a powerful incentive for using these devices in various fields of activity and for a huge number of tasks (from processing and storage of personal photos before bank transfers and electronic document management). In parallel with the increase in the number of computing devices and software (software) running on these devices, the number of malicious programs has grown rapidly.

Currently, there are a huge number of varieties of malicious applications, and the vast majority of them are intended to bring profit to their creators. Some of them steal personal and confidential data from users' devices (for example, logins and passwords, bank details, electronic documents, etc.). Others form so-called botnets from user devices for attacks (such as DDOS or brute-force) against other computers or computer networks. Still others offer paid content to users through intrusive ads, paid subscriptions, sending CMC to paid numbers, etc.

Another type of malware is ransomware. After penetrating users' devices, they disrupt their performance (for example, by blocking input devices, damaging data, restricting access to interface elements, etc.), after which they require payment for the ability to eliminate the negative consequences of their work. The most dangerous ransomware programs are cryptors. Their malicious activity is to damage data of value to users (for example, databases, Microsoft Office documents, photos, videos, etc.). Data corruption occurs by encrypting, renaming, or hiding files.

Since not only data confidentiality, but also their integrity are often of great value, data protection is an important task. As ways to combat the threat described above, it is possible to identify the timely detection of a malicious application on the user's device with its subsequent deactivation, which allows you to protect data from unauthorized modifications, as well as regular creation of data backups, which allows even in case of unauthorized data modification to be restored.

For example, US20050267916 A1 describes backing up and restoring data when predetermined operating system states or data stored in it are reached. Those. describes the technology for monitoring the state of the operating system, making decisions on the need for backup or data recovery, and methods for recovering previously backed up data. The disadvantage of this technology is that all data is backed up, without sorting them into modifiable and not, as well as without any threat assessment for the modified data, which in turn leads to a large expenditure of computer system resources, such as free space on hard drives, the computer time required to back up the entire data set, or load the processor during backup and recovery operations, which may lead to some problems nnye can not be saved on time and will be modified and be lost (for example, in the case where there is no room for his excessive spending for backup).

Another publication, US 7716743 B2, describes how an anti-virus application works with malicious files, namely, tracking, blocking and moving malicious files to quarantine, in the event that it is impossible to decide on their correct removal from the system. In this case, it is processing of malicious files, and not files that have been modified by malicious files, thus protecting the computer system, but not the data that is in this computer system and could be modified by a blocked malicious application.

Although the methods described above do a good job of tracking file activity, backing up user data, and blocking malware, they do not help protect legitimate user data from being modified by malware because they are not able to (effectively, on time, before data modification has begun) make a decision on their backup, or, in the case of a successful backup of the modified data, they are not able to assess the level of threat to this data from the data otsessa, which in turn leads to a significant load on the computer resources, such as free space on the hard disk, CPU, etc.

The present invention allows to solve the problem of recovering data modified by malware.

Disclosure of invention

The invention is intended to protect data from unauthorized modifications.

The technical result of the present invention is to increase the security of data storage due to the backup of the modified data and the subsequent restoration of previously modified data.

This result is achieved by using the modified data recovery system, which contains an activity tracking tool designed to intercept requests from a process for modifying data, determine the parameters of the process whose request was intercepted, determine the parameters of intercepted requests, transfer certain parameters of the process to the detection tool and parameters of intercepted queries to the analysis tool; analysis tool designed to generate and transmit to the backup tool a request for backup to the backup database of process-modified data based on the results of the analysis of parameters of intercepted requests using rules; detection tool designed to analyze the process parameters received from the activity tracking means to determine the threat level of the integrity of the data it modifies, generate and transmit to the backup tool a request to restore the process-modified data from the backup database based on the results of the analysis, blocking the process based on the results analysis performed; backup means for backing up data to a backup database at the request of an analysis tool, restoring previously copied data from a backup database at the request of an analysis tool; a backup database for storing data backed up by the backup tool.

In another particular case of the system implementation, at least files, memory areas act as modifiable data.

In another particular case of system implementation, at least the API function of the operating system acts as a request for data modification.

In another particular case of system implementation, the process parameters are at least the path to the application that launched the process, the process descriptor, and a log of operations performed by the process.

In another particular case of the system implementation, at least a unique data identifier, a method of working with data, type of data operations, data modification parameters act as parameters of intercepted requests.

In another particular case of the system implementation, the threat level of the integrity process of the data modified by it is calculated at least by analyzing the possibility of an irretrievable loss of data modified by the process.

In another particular case of the implementation of the system, the process is blocked at least by deleting the process from memory and stopping the process.

A method for recovering modified data, in which at least one data modification request is intercepted from a process; determine the parameters of the intercepted request; perform data backup to the backup database based on certain parameters of intercepted requests; determine the parameters of the process whose request has been intercepted; analyze process parameters in order to determine the threat level of the process for the integrity of the data it modifies; block the process on the basis of the results of the analysis of the process parameters, which determines the threat level of the process for the integrity of the data it modifies, perform the above steps at least until the process is blocked; perform restoration from the backup database of previously copied data.

In another particular case of the implementation of the method, at least files, memory areas act as modifiable data.

In another particular case of implementing the method, at least an API function of the operating system acts as a request for data modification.

In another particular case of implementing the method, at least the path to the application that launched the process, the process descriptor, and the log of operations performed by the process act as process parameters.

In another particular case of the method implementation, at least a unique data identifier, a method of working with data, type of data operations, data modification parameters act as parameters of intercepted requests.

In another particular case of the method, the threat level of the integrity process of the data modified by it is calculated at least through an analysis of the possibility of irretrievable loss of the data modified by the process.

In another particular case of the method, the process is blocked at least by deleting the process from memory, and stopping the process.

Brief Description of the Drawings

FIG. 1 is a block diagram of a modified data recovery system.

FIG. 2 is a structural diagram of a method for recovering modified data.

FIG. 3 represents an example of a general purpose computer system, a personal computer, or a server.

Although the invention may have various modifications and alternative forms, the characteristic features shown by way of example in the drawings will be described in detail. It should be understood, however, that the purpose of the description is not to limit the invention to its specific embodiment. On the contrary, the purpose of the description is to cover all changes, modifications that are within the scope of this invention, as defined in the attached formula.

Description of Embodiments

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The essence described in the description is nothing more than the specific details necessary to assist the specialist in the field of technology in a comprehensive understanding of the invention, and the present invention is defined in the scope of the attached claims.

FIG. 1 is a block diagram of a modified data recovery system.

The modified data recovery system consists of data storage means 110, activity tracking means 120, analysis means 130, backup means 140, backup database 150 and detection means 160.

The data storage means 110 is designed to receive data from the process, store them and then provide them at the request of the process.

As the storage medium 110 may be:

- file manager for working with the file system;

- memory manager for working with RAM.

The data provided by the data storage medium 110 may include:

- files;

- areas of memory.

The activity tracking tool 120 is designed to intercept requests from the process for storing data 110 of requests responsible for modifying the data stored there, determining process parameters and transmitting them to the detection means 160, as well as determining parameters of intercepted requests and transmitting them to the analysis tool 130.

The interception of requests from the process to the data storage device 110 can be carried out through the interception of API functions (by substituting the address of a real function, directly changing functions (for example, by splicing, interception in kernel mode with modifying the body of a function), directly replacing the entire component of the application / system).

As the process requests to the storage medium 110 may be:

- API functions of the operating system (for example, WinAPI functions for Microsoft Windows);

- kernel functions of the operating system.

The parameters of intercepted requests can be:

- a unique data identifier (for example, a file descriptor or a file path, address of the modified memory, etc.);

- a way of working with data (for example, reading, overwriting, deleting data, etc.);

- type of operations with data (for example, writing a buffer to the memory area occupied by data, reading a file header, etc.);

- data modification parameters (for example, sizes and contents of the buffer written to the memory area, new access rights to the file being modified, etc.).

The process parameters may include:

- path to the application that launched the process;

- process descriptor;

- a log of operations performed by the process.

The analysis tool 130 is designed to generate and transmit to the backup tool 140 a backup request to the backup database 150 of process-modified data based on the analysis of parameters intercepted by the activity tracking tool 120 of the request data using rules.

The rules used to analyze the parameters of intercepted requests can be:

- a rule that determines the need for further backup of the data by the type of data the request was sent to (for example, if data integrity is important for the operating system to work, as in the case of executable files * .exe, * .dll, etc. ) or for the user (as in the case of databases, Microsoft Office documents, mail files, images, etc.);

- a rule that determines whether the work can lead to data modification by the method of working with data (for example, opening a file with write permissions);

- a rule that determines whether operations can lead to data modification by the type of data operations (for example, writing a data buffer to a file);

- a rule that determines whether the data will be modified or the data will not be affected by the recorded data (for example, add to the video stream file).

The backup tool 140 is designed to back up data from the storage medium 110 to the backup database 150 at the request of the analysis tool 130 and restore data from the backup database 150 to the storage tool 110 at the request of the detection tool 160.

The backup database 150 is intended to store data transmitted by the backup means 140 and provide them to the backup means 140.

The detection tool 160 is designed to analyze the process parameters received from the activity monitoring tool 120 to determine the level of threat to the integrity of the process of data modified by it using the rules, generate and transmit to the backup tool 140 a request for restoration from the backup database 150 to the data storage device 110 of the process-modified data on based on the results of the analysis, blocking the process based on the results of the analysis.

As the rules for determining the level of threat to the integrity of the process with the modified data, the possibility of the irretrievable loss of the data modified by the process can be used, namely:

- data encryption without the possibility of decryption (for example, due to the inability to obtain the necessary decryption key);

- overwriting data, i.e. write new data to old without the possibility of restoring the latter;

- data deletion.

Blocking the process can be done through:

- deleting a process from memory;

- stopping the process;

- adding the file that started the process to quarantine.

Consider the operation of the modified data recovery system using the example of recovering Microsoft Office documents ("* .docx", "* .xlsx", etc.) after they have been encrypted with an encryption program. The encryption program is malware that encrypts user files, such as databases, Microsoft Office documents, photos, videos, and others, and offers the user the ability to decrypt them using a special paid decryptor program.

The encryption program searches Microsoft Office files on the hard drives of the infected computer, after which it encrypts and renames them (for example, changes the * .docx extensions to * .docx_crypted so that only files previously encrypted before can be found and decrypted). When the encryption program accesses the storage medium 110, which is the file manager of the operating system, with a request to access the Microsoft Office document file for the purpose of making changes, the WinAPI functions “:: CreateFile”, “:: WriteFile” are called "And" :: MoveFile ". Activity Tracker 120 intercepts these requests and determines their parameters, i.e. unique identifier of the file being accessed, what operations are going to be performed on the file, etc. The activity tracking tool 120 transmits the obtained information to the analysis tool 130. The activity tracking tool 120 also intercepts process parameters of the encryption program, such as a process identifier, a log of operations performed by a process, etc. and passes 160 to the detection means.

The analysis tool 130 based on the received from the activity tracking means 120 parameters of intercepted process requests to the data storage means 110 calculates the following criteria:

- the file type “* .docx” (one of the files of the Microsoft Office document) for which the request was sent;

- a way to work with a file (request to open an existing file by passing the flag "OPEN_EXISTING");

- type of operations with the file (request for the ability to write to the file by passing the GENERIC_WRITE flag);

- file modification parameters (overwriting the entire file with new data);

- new file name (different from the old one).

Further, the analysis tool 130 analyzes the calculated criteria based on the rules determining the need to perform data backup:

- by the type of file with which the request was sent, the need for further processing is determined whether the integrity of the file is important for the operation of the operating system (for example, executable files “* .exe”, “* .dll”, etc.) or for the user (databases, Microsoft Office documents, mail files, photos, etc.);

- the method of working with the file determines whether working with it can lead to its modification (for example, opening an existing file, but creating a new one);

- by the type of operations on the file, it is determined whether working with the file will lead to its modification (for example, opening a file for writing, but opening a file for reading only);

- according to the recorded data, it is determined whether this will lead to a modification or whether the data will not be affected (for example, when re-recording to a streaming video file).

If at least one of the rules worked on the calculated criteria (for example, by file type and type of operation on this file, i.e. in the current example, this means that the encryption program will write to the Microsoft Office document), then analysis tool 130 generates and sends a request to backup tool 140 to back up a Microsoft Office document to backup database 150.

The backup tool 140, upon receipt of a request from the analysis tool 130, backs up a Microsoft Office document modified by the encryption program from the storage medium 110 to the backup database 150.

Tracking the file activity of the encryption program process does not stop there. As he turns to a new Microsoft Office document to make changes to them, the activity tracker 120 transfers the new query parameters of the encryption program to the analysis tool 130, and the analysis tool 130 generates and transfers requests to the backup tool 140 for backing up modified Microsoft Office documents . Tracking the file activity of the cryptographic program process can continue until the cryptographic program process is blocked by the detection tool 160.

The detection tool 160, based on the parameters of the process of the encryption program received from the activity tracking tool 120 (such as the path to the application that launched the process, the process descriptor, the log of operations performed by the process, etc.) modifying the Microsoft Office document, determines the threat level of the process the integrity of the document being modified. The threat level is calculated through analysis of the possibility of irretrievable loss of the contents of the modified Microsoft Office document. For example, files can be permanently deleted or renamed, attributes and rights can change for files, the contents of files can be encrypted without the possibility of decryption on the user's computer due to the lack of a corresponding key, etc. Since the process, not being trusted from the point of view of detection tool 160 (for example, a system file signed by a trusted digital signature, etc.), performs operations of writing to a file and renaming a file, such actions are recognized by detection tool 160, which is a threat to document data Microsoft Office In addition, the results of the analysis of the received log of operations performed by the process (numerous requests to write and rename Microsoft Office documents in different folders, including temporary ones), indicate that the encryption program that launched the analyzed process is malicious and carries potential damage to the user's files .

After the detection tool 160 rendered a verdict on the possibility of the irretrievable loss of the contents of the Microsoft Office document modified by the process being analyzed, the detection tool 160 blocks the process (for example, deletes the process from memory, stops the process, quarantines the process, etc.) , generates and sends a request to the backup tool 140 for restoration from the backup database 150 to the storage medium 110 of Microsoft Office documents modified by the locked process.

The backup tool 140, having received a request from the detection tool 150, restores the modified Microsoft Office document by the encryption program from the backup database 150 to the storage medium 110.

Therefore, all Microsoft Office documents modified by the encryption program were not affected.

Another example of a modified data recovery system is recovering an Internet Explorer process after it has been modified by an injector. An injector program is malware that injects its data (for example, code for execution or resources, such as images, to replace the original resources) in the memory area of processes running in the system.

The injector program searches for the Internet Explorer process, and then embeds its data, which is an image of advertising banners, into the memory of the found process, replacing them with the original images displayed in Internet Explorer (for example, graphical interface elements such as icons or images contained in in displayed pages). When the injector program accesses the storage medium 110, which is the operating system memory manager, with a request to gain access to the Internet Explorer memory area for the purpose of making changes, the WinAPI functions “:: VirtualAllocEx” and “:: WriteProcessMemory” are called ". Activity Tracker 120 intercepts these requests and determines their parameters, i.e. what memory area is being accessed, what operations are going to be performed on the memory, etc. The activity tracking tool 120 passes certain parameters to the analysis tool 130. Also, the activity tracking tool 120 intercepts the process parameters of the injector program, such as a process identifier, a log of operations performed by a process, etc. and passes them to the detection tool 160.

The analysis tool 130 based on the received from the activity tracking means 120 parameters of intercepted process requests to the data storage means 110 calculates the following criteria:

- who owns the requested memory area (in the current Internet Explorer example), to which the request was sent;

- a method of working with memory (a request for the ability to write to memory by passing the flags "MEM_COMMIT", "MEM_RESERVE", "PAGE_EXECUTE_READWRITE");

- memory modification parameters (memory address where the recording will be made, memory address where the recording will be made from, size of the data to be recorded, etc.).

Further, the analysis tool 130 analyzes the calculated criteria based on the rules determining the need to perform data backup:

- by the type of process for which memory the request was sent, the need for further processing is determined whether the integrity of the file is important for the operation of the operating system (for example, the application of the operating system, etc.);

- the method of working with memory determines whether the work can lead to data modification;

- the type of operations with memory determines whether the work with memory will lead to its modification;

- according to the recorded data, it is determined whether this will lead to a modification of the data in the process memory, or whether the data will not be affected.

If at least one of the rules worked on the calculated criteria (for example, by the type of process and the type of operation on this process, i.e. in the current example, this means that the injector program will write to the Internet Explorer process memory), that analysis tool 130 generates and sends a request to the backup tool 140 to back up the selected memory portion of the Internet Explorer process to the backup database 150.

The backup tool 140, upon receipt of a request from the analysis tool 130, backs up the Internet Explorer process memory area modified by the injector program from the storage tool 110 to the backup database 150.

The detection tool 160, based on the parameters of the injector program process received from the activity tracking tool 120 (such as the path to the application that started the process, the process descriptor, the log of operations performed by the process, etc.) modifying the Internet Explorer memory area, determines the threat level the process of integrity of data located in the modified memory area. The threat level is calculated through analysis of the possibility of irretrievable loss of the contents of the modified memory area of the Internet Explorer process. Because the process is writing to the memory area of another process, such actions are recognized by 160 as a threat to Internet Explorer process data. In addition, the results of the analysis of the received log of operations performed by the process (numerous requests to write to other processes) indicate that the injector program that launched the analyzed process is malicious and carries potential damage to user data.

After the detection tool 160 has issued a verdict about the possibility of irretrievable loss of data located in the area modified by the process being analyzed, the detection tool 160 blocks the operation of this process (for example, deletes a process from memory, stops the process, quarantines the process, etc. ), generates and sends a request to the backup tool 140 for restoration from the backup database 150 to the data storage tool 110 of the Internet Explorer process data modified by the blocked process.

The backup means 140, having received a request from the detection means 150, restores the data modified by the injector program from the backup database 150 to the data storage means 110.

Thus, the Internet Explorer process modified by the injector document was not affected.

Figure 2 is an example of a structural diagram of a method for recovering modified data.

A method for recovering modified data comprises the steps of: intercepting data modification requests 210, determining parameters of intercepted requests 220, performing data backup 230, determining process parameters 240, analyzing process parameters 250, blocking process 260, and performing data recovery 270.

At step 210, at least one data modification request is intercepted from the process.

The data for the modification of which the request was intercepted can be:

- files;

- areas of memory.

The process requests for data modification may include:

- API functions of the operating system, in particular, WinAPI functions for Microsoft Windows;

- kernel functions of the operating system.

At step 220, the parameters of the intercepted requests are determined.

The parameters of intercepted requests can be:

- unique data identifier;

- a way to work with data;

- type of operation with data;

- data modification parameters.

At step 230, data is backed up to the backup database 150 as a result of the analysis of certain parameters of the intercepted requests.

Analysis of the parameters of intercepted requests is carried out in determining the possibility of data modification (for example, opening a file with write permissions, calling functions that delete the file, etc.), etc.

At step 240, the process parameters that send the request for data modification are determined.

The process parameters may include:

- path to the application that launched the process;

- process descriptor;

- a log of operations performed by the process.

At 250, process parameters are analyzed using rules to determine the threat level of a process for the integrity of the data it modifies. Steps 210-250 continue to be performed at least until the operation of the process is blocked at step 260.

As the rules for determining the level of threat to the integrity of the process with the modified data, the possibility of the irretrievable loss of the data modified by the process can be used, namely:

- data encryption without the possibility of decryption (for example, due to the inability to obtain the necessary decryption key);

- overwriting data, i.e. write new data to old without the possibility of restoring the latter;

- data deletion.

At step 260, the process is blocked based on the results of the analysis performed at step 250.

Blocking the process can be done through:

- deleting a process from memory;

- stopping the process;

- adding the file that started the process to quarantine.

At step 270, recovery from the backup database 150 of the process-modified data is performed.

Let us consider the operation of the method for recovering modified data using the example of recovering image files (“* .jpeg”, “* .tiff”, etc.) after the file names have been renamed and the file permissions have been changed by the ransomware. The ransomware program is a malware that restricts access to files, such as images, videos, etc. by renaming them, changing the location in the file system, changing access rights, etc., and offering the user the option to recover modified files using a special paid programs.

The ransomware program searches for image files on the hard drives of the infected computer, after which it changes their location in the file system, and also changes access rights, making the files inaccessible to users who do not have administrator rights. When the ransomware sends a request to modify the processed image file, consisting of calls to the WinAPI functions “:: MoveFile” and “:: SetNamedSecurityInfo”, the request is intercepted at step 210. After the request was intercepted at step 220, the parameters are determined request. In this case, the query parameters are the old and new file paths, file type (structure "SE_OBJECT_TYPE"), security information (structure "SECURITY_INFORMATION"), etc. Since the requests are aimed at changing the file parameters, at step 230 a decision is made to back up the modified parameters to the backup database 150. At step 240, the process parameters launched by the ransomware are determined, such as the process identifier, the log of operations performed by the process, etc. .d. At step 250, an analysis is made of the parameters of the process launched by the ransomware program. Since the process is not trusted from the point of view of the detection tool 160 performing step 250 (for example, a system file signed with a trusted digital signature, etc.), the results of the analysis of the obtained log of operations performed by the process, such as numerous requests for changing image files in different folders, including temporary ones, indicate that the ransomware that launched the analyzed process is malicious and carries potential damage to the user's files (the actions described above are typical for malicious software and is not peculiar to trusted applications). After the ransomware has been recognized as malicious, at block 260, its process is blocked. To this end, the process is stopped and deleted from memory, after which the files of the ransomware are added to quarantine in order to avoid subsequent repeated calls to the malicious program. Then, at step 270, the file attributes and access rights changed by the ransomware are restored.

Thus, all image files modified by the ransomware were not affected.

FIG. 3 represents an example of a general purpose computer system, a personal computer or server 20 comprising a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented as any prior art bus structure comprising, in turn, a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating system using ROM 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, keypad “ the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not displayed), such as speakers, a printer, and the like.

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature the personal computer 20 of FIG. 3. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims.

Claims (27)

1. The modified data recovery system, which contains: a) activity tracking tool for: - interception of requests from the process for data modification; - determining the parameters of the process whose request has been intercepted; - definitions of parameters of intercepted requests; - transferring certain process parameters to the detection means and parameters of intercepted requests to the analysis means; b) analysis tool intended for: - generation and transfer to the backup tool of the backup request to the backup database of data that will be modified by the intercepted request from the process, based on the results of the analysis of the parameters of intercepted requests; - determining the need for backing up data that will be modified by a request from the process intercepted by the activity tracking tool; c) a means of detection intended for: - analysis of the process parameters received from the means of tracking activity to determine the level of threat to the integrity of the data modified by it; - the formation and transmission to the backup tool of a request for recovery from the backup database of process-modified data based on the results of the analysis; - blocking the process based on the results of the analysis; g) a backup tool intended for: - backing up data to the backup database at the request of an analysis tool; - recovery from the backup database of previously copied data at the request of the detection tool; e) a backup database for storing data backed up by the backup tool. 2. A method of recovering modified data, in which: a) intercept from the process at least one request for data modification; b) determine the parameters of the intercepted request; c) determine the need for backing up data that will be modified by a request from the process intercepted in step a); d) if necessary, determined at stage c), back up the data that will be modified by a request from the process intercepted at stage a) to a backup database based on certain parameters of intercepted requests; e) determine the parameters of the process whose request has been intercepted; f) analyze the process parameters in order to determine the threat level of the process for the integrity of the data it modifies; g) block the operation of the process mentioned in step a) on the basis of the results of the analysis of process parameters that determine the level of process threat for the integrity of the data it modifies; h) in the case when the operation of the process mentioned in step a) has not been blocked, perform steps a) to e); i) perform restoration from the backup database of previously copied data.

Images