Client managed data backup process within an enterprise information management system
US-2019340081-A1 · Nov 7, 2019 · US
US11477232B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11477232-B2 |
| Application number | US-202016908073-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 22, 2020 |
| Priority date | Jul 8, 2019 |
| Publication date | Oct 18, 2022 |
| Grant date | Oct 18, 2022 |
Official abstract text for this publication.
Disclosed herein are systems and methods for anti-virus scanning of backup data at a centralized storage. In an exemplary aspect, a method may receive, at the centralized storage, a backup slice from each respective computing device in a plurality of computing devices, wherein the centralized storage comprises, for each respective computing device, a respective backup archive including a plurality of backup slices. The method may mount the received backup slice as a virtual disk. The method may detect, for the respective computing device, a change between the mounted virtual disk and any number of previous backup slices and may evaluate the change against behavioral rules to identify malicious behavior. In response to determining that the change exhibits malicious behavior, the method may execute a remediation action to prevent an attack on the plurality of computing devices or the centralized storage.
Opening claim text (preview).
The invention claimed is:
1. A method for anti-virus scanning of backup data at a centralized storage, the method comprising: receiving, at the centralized storage, a backup slice from each respective computing device in a plurality of computing devices, wherein the centralized storage comprises, for each respective computing device, a respective backup archive including a plurality of backup slices; determining when the received backup slice is created for backing up the respective computing device, wherein backup slices are received in accordance with an execution cycle that is periodic; in response to determining that the received backup slice is created during a current execution cycle, mounting the received backup slice as a virtual disk; detecting, for the respective computing device, a change between the mounted virtual disk and any number of previous backup slices, in the respective backup archive, created during previous execution cycles; determining whether the change has occurred in at least a threshold amount of remaining computing devices in the plurality of computing devices backing up to the centralized storage; in response to determining that the change has not occurred in at least the threshold amount of the remaining computing devices, evaluating the change against behavioral rules to identify malicious behavior; and in response to determining that the change exhibits malicious behavior, executing a remediation action to prevent an attack on the plurality of computing devices or the centralized storage.
2. The method of claim 1, wherein the plurality of computing devices are all connected to a network of an organization.
3. The method of claim 2, further comprising: in response to determining that the change has occurred in at least the threshold amount of the remaining computing devices, determining whether the change has been authorized by the organization; and in response to determining that the change has been authorized by the organization, adding to the behavior rules a rule that whitelists the change.
4. The method of claim 3, further comprising, in response to determining that the change has not been authorized by the organization, determining that the change exhibits malicious behavior.
5. The method of claim 2, further comprising: determining, for each respective computing device, a respective likelihood of the respective computing device to be targeted by a malicious attack; and identifying, as part of a subset of computing devices, each respective computing device with a respective likelihood greater than a threshold likelihood.
6. The method of claim 5, further comprising: determining whether the change is detected in more than a threshold amount of the subset of computing devices; and in response to determining that the change is detected in more than the threshold amount of the subset, determining that the change exhibits malicious behavior.
7. The method of claim 2, wherein the centralized storage comprises an additional plurality of backup archives of an additional plurality of computing devices that are connected to a different network of a different organization.
8. The method of claim 7, further comprising, subsequent to determining that the change exhibits malicious behavior, executing the remediation action to prevent the attack on the additional plurality of computing devices.
9. The method of claim 1, wherein evaluating the change against the behavioral rules to identify malicious behavior comprises: identifying an object in the received backup slice that was changed; determining whether the change is in a whitelist of approved changes to the object; and in response to determining that the change is not in the whitelist, determining that the change exhibits malicious behavior.
10. The method of claim 1, wherein evaluating the change against the behavioral rules to identify malicious behavior comprises: identifying an object in the received backup slice that was changed; determining whether the change is in a blacklist of changes prohibited for the object; and in response to determining that the change is in the blacklist, determining that the change exhibits malicious behavior.
11. The method of claim 1, wherein the behavioral rules are based on a heuristic model that is applied by: establishing respective weights on a decision-making scale based on types and quantities of changes; establishing thresholds for taking remediation actions; and taking at least one remediation action when a threshold is reached or exceeded.
12. The method of claim 1, wherein detecting the change comprises detecting at least one of: a new file in a directory, a new directory, a change in size of an existing file, a change in location of the existing file, deletion of the existing file, and a change in metadata of the existing file.
13. A system for anti-virus scanning of backup data at a centralized storage, the system comprising: a hardware processor configured to: receive, at the centralized storage, a backup slice from each respective computing device in a plurality of computing devices, wherein the centralized storage comprises, for each respective computing device, a respective backup archive including a plurality of backup slices; determine when the received backup slice is created for backing up the respective computing device, wherein backup slices are received in accordance with an execution cycle that is periodic; in response to determining that the received backup slice is created during a current execution cycle, mount the received backup slice as a virtual disk; detect, for the respective computing device, a change between the mounted virtual disk and any number of previous backup slices, in the respective backup archive, created during previous execution cycles; determine whether the change has occurred in at least a threshold amount of remaining computing devices in the plurality of computing devices backing up to the centralized storage; in response to determining that the change has not occurred in at least the threshold amount of the remaining computing devices, evaluate the change against behavioral rules to identify malicious behavior; and in response to determining that the change exhibits malicious behavior, execute a remediation action to prevent an attack on the plurality of computing devices or the centralized storage.
14. The system of claim 13, wherein the plurality of computing devices are all connected to a network of an organization.
15. The system of claim 14, wherein the hardware processor is further configured to: in response to determining that the change has occurred in at least the threshold amount of the remaining computing devices, determine whether the change has been authorized by the organization; and in response to determining that the change has been authorized by the organization, add to the behavior rules a rule that whitelists the change.
16. The system of claim 15, wherein the hardware processor is further configured to, in response to determining that the change has not been authorized by the organization, determine that the change exhibits malicious behavior.
17. The system of claim 14, wherein the hardware processor is further configured to: determine, for each respective computing device, a respective likelihood of the respective computing device to be targeted by a malicious attack; and identify, as part of a subset of computing devices, each respective computing device with a respective likelihood greater than a threshold likelihood.
18. T
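The claims above describe a decision flow rather than an implementation: diff the newly mounted slice against the previous one (claim 12), separate changes that are common across the fleet from changes local to one device (claims 1, 3, 4), and push only the local ones through whitelist, blacklist and weighted-score rules (claims 9 to 11). The following is an added example, not code from the patent or from any vendor's product, that models that flow over constructed backup slices; every path, hash, weight, threshold and device name in it is an assumption made for illustration, and a slice is simplified to a mapping of path to (content hash, size, mode).

```python
"""Added example, not code from the patent or any product: a compact model
of the decision flow in claim 1 and dependent claims 3, 4 and 9-12.
Every path, hash, weight and threshold below is constructed for illustration."""
import math
from collections import Counter
from dataclasses import dataclass

# A backup slice is modelled as {path: (content_hash, size_bytes, mode_bits)};
# directory entries end in "/" and carry a dummy hash and size.


@dataclass(frozen=True)
class Change:
    kind: str   # new_file, new_dir, size_change, content_change, moved, deleted, metadata_change
    path: str


def diff_slices(prev: dict, cur: dict) -> set:
    """Claim 12: changes between the previous slice and the newly mounted one."""
    changes = set()
    prev_hashes = {h: p for p, (h, _, _) in prev.items() if not p.endswith("/")}
    moved_from = set()
    for path, (h, size, mode) in cur.items():
        if path in prev:
            ph, psize, pmode = prev[path]
            if size != psize:
                changes.add(Change("size_change", path))
            elif h != ph:
                changes.add(Change("content_change", path))
            elif mode != pmode:
                changes.add(Change("metadata_change", path))
        elif path.endswith("/"):
            changes.add(Change("new_dir", path))
        elif h in prev_hashes and prev_hashes[h] not in cur:
            changes.add(Change("moved", path))      # same content at a new location
            moved_from.add(prev_hashes[h])
        else:
            changes.add(Change("new_file", path))
    for path in prev:
        if path not in cur and path not in moved_from:
            changes.add(Change("deleted", path))
    return changes


# Claim 11: constructed weights per change type and thresholds for action.
WEIGHTS = {"content_change": 3, "deleted": 2, "moved": 2, "size_change": 1,
           "new_file": 1, "new_dir": 1, "metadata_change": 1}
ALERT_AT, REMEDIATE_AT = 10, 25


def evaluate(changes, whitelist, blacklist, weights=WEIGHTS):
    """Claims 9-11: whitelisted changes are ignored, a blacklisted change
    convicts outright, anything else accumulates a weighted score."""
    score = 0
    for c in changes:
        if c in whitelist:
            continue
        if c in blacklist:
            return "remediate", f"blacklisted change to {c.path}"
        score += weights.get(c.kind, 1)
    if score >= REMEDIATE_AT:
        return "remediate", f"score {score} >= {REMEDIATE_AT}"
    if score >= ALERT_AT:
        return "alert", f"score {score} >= {ALERT_AT}"
    return "none", f"score {score}"


def scan_fleet(archives, fleet_threshold=0.5, authorized=frozenset(),
               whitelist=frozenset(), blacklist=frozenset()):
    """Claim 1: diff each device's latest slice against its previous one; a
    change present on at least fleet_threshold of the *other* devices is
    fleet-wide (claims 3/4) and never reaches the behavioral rules."""
    diffs = {dev: diff_slices(s[-2], s[-1]) for dev, s in archives.items()}
    prevalence = Counter(c for changes in diffs.values() for c in changes)
    needed = max(1, math.ceil(fleet_threshold * (len(archives) - 1)))
    whitelist = set(whitelist)
    verdicts = {}
    for dev, changes in diffs.items():
        local = set()
        for c in changes:
            if prevalence[c] - 1 < needed:      # -1: do not count this device itself
                local.add(c)
            elif c in authorized:
                whitelist.add(c)                # claim 3: learn a whitelist rule
            else:                               # claim 4: unauthorized fleet-wide change
                verdicts[dev] = ("remediate", f"unauthorized fleet-wide change {c.path}")
        if dev not in verdicts:
            verdicts[dev] = evaluate(local, whitelist, blacklist)
    return verdicts


def demo_archives():
    """Constructed fleet: three workstations, each with two backup slices."""
    base = {f"/home/u/doc{i}.docx": (f"h{i}", 4096, 0o644) for i in range(40)}
    base["/var/log/app.log"] = ("hlog", 500, 0o644)
    patch = {"/opt/app/patch-2.3.bin": ("hpatch", 9000, 0o755)}   # rolled out everywhere
    rewritten = {p: (f"x{i}", 4096, 0o644) for i, p in enumerate(base) if p.endswith(".docx")}
    ws01 = {**base, **patch, **rewritten}                          # every document rewritten
    ws02 = {**base, **patch, "/var/log/app.log": ("hlog2", 900, 0o644)}  # log grew
    ws03 = {**base, **patch}
    return {"ws-01": [base, ws01], "ws-02": [base, ws02], "ws-03": [base, ws03]}


if __name__ == "__main__":
    verdicts = scan_fleet(demo_archives(),
                          authorized={Change("new_file", "/opt/app/patch-2.3.bin")},
                          whitelist={Change("size_change", "/var/log/app.log")},
                          blacklist={Change("deleted", "/etc/shadow")})
    for dev, (action, why) in sorted(verdicts.items()):
        print(f"{dev}: {action:9s} {why}")
```

The fleet check is what keeps a legitimate rollout (the constructed patch file appearing on every device) from tripping the score rules, and the authorization step decides whether that rollout is learned as a whitelist rule or treated as a fleet-wide compromise; only ws-01, whose forty rewritten documents are unique to it, reaches the weighted score and crosses the remediation threshold.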
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
for networked environments · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Real-time · CPC title
Event detection, e.g. attack signature detection · CPC title