Abstract: The current document is directed to automated methods and systems that monitor system-call execution by operating systems in order to detect operating-system corruption. A disclosed implementation of the currently disclosed automated system-call-integrity monitor generate operational system-call fingerprints for randomly selected system calls executed by guest operating systems of randomly selected virtual machines and compares the operational system-call fingerprints to reference system-call fingerprints in order to detect operational anomalies of guest operating systems that are likely to represent guest-operating-system corruption. In disclosed implementations, a system-call fingerprint includes a system-call execution time, the number of instructions executed during execution of the system call, and a snapshot of the call stack taken during execution of the system call.

Abstract: Computer-implemented methods, media, and systems for inter-cluster automated failover and migration of containerized workloads across edges devices are disclosed. One example method includes monitoring telemetry data received from a first software defined wide area network (SD-WAN) edge device that has a workload scheduled, where the telemetry data includes at least one of a health status of the workload or multiple runtime context elements at the first SD-WAN edge device. It is determined that a failure associated with either the first SD-WAN edge device or the workload occurs. A mode of the failure is determined. A remediation process based on the determined mode of the failure and a current state of the workload is performed.

Abstract: Disclosed are various examples of intelligent provisioning management. In some examples, device configuration signatures are received for a group of client devices. A user interface shows at least one of a recommended configuration with a recommended set of hardware components, a recommended hardware specification, a recommended set of applications, and a recommended set of firmware based on a superset of firmware identified from the device configuration signatures. A request to configure a client device according to the recommendation is transmitted.

Abstract: Resource watermarking and management actions on electronic resources are described. In one example, a process for resource watermarking and management actions includes receiving, from a client device, a request to perform an action on an electronic resource and a device profile for the client device. The device profile can include at least one attribute of the client device. The process also includes identifying a watermark template for the electronic resource, determining descriptive data of the watermark template based on the request to perform the action and whether the device profile complies with a compliance rule, overlaying the watermark template and the descriptive data onto the electronic resource, and determining that the client device is authorized to perform the action on the electronic resource in response to the electronic resource being united with the watermark template.

Abstract: The efficiency of segment cleaning for a log-structured file system (LFS) is enhanced at least by storing additional information in a segment usage table (SUT). Live blocks (representing portions of stored objects) in an LFS are determined based at least on the SUT. Chunk identifiers associated with the live blocks are read. The live blocks are coalesced at least by writing at least a portion of the live blocks into at least one new segment. A blind update of at least a portion of the chunk identifiers in a chunk map is performed to indicate the new segment. The blind update includes writing to the chunk map without reading from the chunk map. In some examples, the objects comprise virtual machine disks (VMDKs) and the SUT changes between a list format and a bitmap format, to minimize size.

Abstract: Systems and methods are provided for optimizing and securing an enterprise voice service accessed by an external voice assistant device. An enterprise voice assistant installed on a client device acts as an enterprise voice service for an external voice assistant device. The enterprise voice assistant receives a voice query from the external voice assistant device. The voice query is processed using a machine learning model to extract an intent and at least one slot. The extracted intent and at least one slot are used to determine whether a response to the voice query can be generated using local enterprise data that was previously received and stored by the client device from a management server. The response is generated based on the determination by using the local enterprise data or by sending the extracted intent and at least one slot to and receiving the response from the management server.

Abstract: User profiles of remote desktops are managed in a crash-consistent manner. When a user logs into a remote desktop, metadata of the user profile is loaded from persistent storage while registry settings and files of the user profile are loaded asynchronously with respect to the login. During the remote desktop session, snapshots of the remote desktop image in persistent storage are generated periodically, and a change log that indicates changes to the user profile is created therefrom. The user profile stored in persistent storage is updated lazily using the change log at opportunistic times after snapshot generation. When the user logs out of the remote desktop, the user profile stored in the persistent storage is updated with any additional changes to the user profile by extracting the changes from the copy-on-write cache associated with the most recent snapshot.

Abstract: The capability to print to a portable document format (PDF) file is provided in a virtualized computing environment that supports a virtual desktop infrastructure (VDI). Printing-related properties, of local printers coupled to a client device, are provided to a host, so that virtual printers at the host can be configured with the printing-related properties. A simulator may be provided at the host to receive the printing-related properties from the client device and to receive a query from a virtualized computing instance for the printing-related properties, instead of the query being directly sent to the client device.

Abstract: In an embodiment, a computer-implemented method for enabling multitenancy for service machines is disclosed. In an embodiment, the method comprises detecting a packet by a service insertion module implemented in a hypervisor. Based on metadata received along with the packet, the service insertion module determines a tenant identifier of a tenant that sent the packet. The service insertion module also determines a plurality of attributes of the packet. Based on the tenant identifier and the plurality of attributes of the packet, an action for the packet is retrieved from a rule table. Based on the action, the service insertion module determines whether at least one service is to be applied to the packet. In response to determining that at least one service is to be applied to the packet, an encapsulated packet is generated by encapsulating the packet with the tenant identifier, and the encapsulated packet is redirected to a service machine that is configured to provide the at least one service to the packet.

Abstract: Systems and methods are described for removing unused encryption key files from a computing device. In an example, a key removal tool can identify three sets of keys to preserve. For the first set, the key removal tool can append a device identifier to known key names and add the resulting key file names to a whitelist. For the second set, the key removal tool can identify keys associated with certificates on the computing device and add their corresponding file names to the whitelist. The third set can correspond to keys created after a cutoff timestamp. The key removal tool can delete all key files with key file names not on the whitelist that were created before the cutoff timestamp.

Abstract: Disclosed herein are systems and methods for dynamically switching between synchronous and asynchronous communication channels. A communication request can be received from an application, and a request identifier can be generated for the communication request. The communication request can be transmitted to an edge server application via a first communication channel. The first communication channel can be selected from a plurality of communication channels based at least in part on a policy. In an instance in which a condition specified by the policy is detected in the transmission of the communication request, a second communication channel can be selected from the plurality of communication channels. The communication request can be transmitted to the edge server application using the second communication channel.

Abstract: Examples can include (1) identifying, on a network, a source node and a destination node, the source node including at least one source node virtual machine (“VM”) to be replicated as a destination node VM on the destination node, (2) performing a full synchronization by copying disks used by the source node VM in a current operational state to the destination node VM, (3) scheduling start times for multiple update synchronizations of changed data between the source node VM and the destination node VM, the start times being scheduled at different time intervals, wherein a first time interval is greater than a second time interval, and (4) performing, at a switch-over time, a shutdown of the source node VM and transmitting data changes that are pending on the disk to the destination node. Various corresponding systems, methods, and non-transitory computer-readable media are also disclosed.

Abstract: System and method for creating and managing trusted execution environments (TEEs) using different underlying hardware TEE mechanisms use a virtual secure enclave device which runs in a virtualized environment in a computer system. The device enables an enclave command transmitted to the virtual secure enclave device to be retrieved and parsed to extract an enclave operation to be executed. A TEE backend module is used to interact with a particular hardware TEE mechanism among those available in the computer system. The module ensures the enclave operation for the software process is executed by the particular hardware TEE mechanism, or the TEE scheme based on a particular hardware TEE mechanism.

Abstract: Disclosed are various embodiments for resolving conflicts between workflows in a workflow processing system. A plurality of workflows stored in a workflow queue are evaluated to identify a common dependency of the plurality of workflows. Then, a version hierarchy is created for the common dependency of the plurality of workflows, the version hierarchy identifying multiple versions of the common dependency. In response to execution of a first one of the plurality of workflows stored in the workflow queue, the version hierarchy can be evaluated to identify the most recent version of the common dependency. Then, installation of the most recent version of the common dependency can be initiated.

Abstract: Techniques are provided to prevent or allow the execution of a file from a copy device, such as a shadow copy device, depending on whether the file includes malicious code or trusted code. Redirection techniques may be used to cause a file (stored in the copy device) to be analyzed for malicious code at an original volume, rather than being analyzed at or executed from the copy device.

Abstract: The current document is directed to event-message collection, processing, and storage systems and, in particular, to event-message collection, processing, and storage computing systems that are configurable to facilitate scaling, load balancing, and selection of a centralizing/decentralizing level which, in turn, provide a variety of operational efficiencies and advantages. Decentralization combined with event-record filtering, in a described implementation, provides for a significant reduction in data-transmission, processing, and data-storage overheads. Dynamic reconfiguration of the components of the event-message collection, processing, and storage systems allows for increased precision in scaling and load balancing to adapt the event-message collection, processing, and storage systems to dynamically reconfigured distributed computer systems in which the event-message collection, processing, and storage systems run.

Abstract: Methods and systems are described for intelligently managing hero cards generated for a user profile. In an example, a server can collect user interaction data that measures how a user interacts with system components. The system components can include emails, hero cards, and software applications. The server can analyze the user interaction data to determine whether a new hero card type should be enabled for a user profile, whether an active hero card type should be disabled for the user profile, and whether parameters for action options on hero cards should be changed for the user profile. The server can make changes to hero cards for the user profile so that the user can receive customized hero cards based on the user's behavior.

Abstract: In an embodiment, a computer-implemented method for enabling enhanced firewall rules via ARP-based annotations is described. In an embodiment, a method comprises detecting, by a hypervisor implemented in a first host, that a first process is executing on the first host. The hypervisor determines first context information for the first process, generates a first request, encapsulates the first request and the first context information in a first packet, and transmits the first packet to a central controller to cause the central controller to update the controller's table to indicate that the first process is executing on the first host. In response to receiving a second packet from the central controller and determining that the second packet comprises a first response, the hypervisor extracts second context information from the second packet and, based on the second context information, determines that a second process is executing on a second host.

Abstract: Disclosed are various approaches for providing touchless visitor management. A visitor can complete a visitor registration process using a client device of the visitor and obtain a virtual badge credential to a visitor's device. A physical access control system credential as well as a visitor badge can also be obtained to the visitor's device.

Abstract: A device is connected via a coherence interconnect to a CPU with a cache. The device monitors cache coherence events via the coherence interconnect, where the cache coherence events relate to the cache of the CPU. The device also includes a buffer that can contain representations, such as addresses, of cache lines. If a coherence event occurs on the coherence interconnect indicating that a cache line in the CPU's cache is dirty, then the device is configured to add an entry to the buffer to record the dirty cache line.