Abstract: In some embodiments, a method stores domain name system (DNS) resolution mappings from a domain name to an address in a first table. The DNS resolution mappings are intercepted from DNS responses being sent by a DNS server. The first table is sent to a manager for validation of the DNS resolution mappings. Then, a second table is received from the manager that contains validated DNS resolution mappings. The method intercepts a DNS response that includes a domain name to address resolution mapping from the DNS server and validates the domain name to address resolution mapping using a validated DNS resolution mapping in the second table.

Abstract: Network-efficient isolation environment redistribution is described. In one example, network communications are surveyed among isolation environments, such as virtual machines (VMs) and containers, hosted on a cluster. An affinity for network communications between the isolation environments can be identified based on the survey. Pairs or groups of the isolation environments can be examined to identify ones which have an affinity for network communications between them but are also hosted on different host machines in the cluster. The identification of the affinity for network communications provides network-level context for migration decisions by a distributed resource scheduler. Certain VMs and/or containers can then be migrated by the distributed resource scheduler to reduce the network communications in the cluster based on the network-level context information.

Abstract: Various systems and methods are provided for using various in-core and on-disk data structures to improve the file creation process through the use of previously-occupied inodes. For example, one method involves updating an in-core data structure in response to receiving a command to delete a first file, such that a first node is assigned to the first file, the in-core data structure is stored in a non-persistent computer-readable storage medium, the in-core data structure comprises a plurality of entries, each of the entries comprises information identifying a respective inode of a plurality of inodes as being available, and the updating the in-core data structure comprises storing information regarding the first inode in a first entry of the plurality of entries; and creating a second file, where the creating comprises assigning the first inode to the second file using the information regarding the first inode stored in the first entry.

Abstract: Example methods and systems for attribute-based firewall rule enforcement are described. One example method may comprise a computer system obtaining, from a management entity, one or more first firewall rules configured based on first attribute information. The computer system may detect a login event associated with a user operating a user device to log onto a virtualized computing instance. In response to determination that the user is associated with the first attribute information, the one or more first firewall rules may be applied. Otherwise, in response to determination that the user is associated with second attribute information that is different from the first attribute information, the computer system may obtain and apply one or more second firewall rules configured based on the second attribute information.

Abstract: In an example, a behavioural characteristic of a workload running on a first host computing device in a data center may be monitored. Further, a security requirement of the workload may be determined based on the behavioural characteristic of the workload. Furthermore, a second host computing device that supports the security requirement of the workload may be determined. Further, a recommendation may be generated to migrate the workload running on the first host computing device to the second host computing device in the data center.

Abstract: Network-efficient isolation environment redistribution is described. In one example, network communications are surveyed among isolation environments, such as virtual machines (VMs) and containers, hosted on a cluster. An affinity for network communications between the isolation environments can be identified based on the survey. Pairs or groups of the isolation environments can be examined to identify ones which have an affinity for network communications between them but are also hosted on different host machines in the cluster. The identification of the affinity for network communications provides network-level context for migration decisions by a distributed resource scheduler. Certain VMs and containers can then be migrated by the distributed resource scheduler to reduce the network communications in the cluster based on the network-level context information.

Abstract: Embodiments of the present disclosure relate to a method for preventing a service executing on a host machine from overrunning. The method receives, by the service running on the host machine, one or more packets via a data path. The method determines that the service is in or approaching an overrun state. Upon the determining, the method identifies a set of one or more virtual computing instances (VCIs) running on the host machine, and sends, via a first path different than the data path, a set of one or more signals to the set of VCIs, the one or more signals indicating to the set of VCIs to slow down transmitting network traffic via the data path.

Abstract: A system and method for automatically adjusting a learning mode duration on a virtual computing instance for an application security system extends a minimum duration of time for the learning mode duration for a guest agent running in the virtual computing instance based on a condition with respect to suspicious activities and deviations from normal behaviors detected during a fixed time interval. The guest agent is switched to a protected mode when the condition with respect to the suspicious activities and the deviations from the normal behaviors is satisfied for any fixed time interval after the minimum duration of time.

Abstract: In some embodiments, a method receives a first address resolution mapping from a workload and verifies the first address resolution mapping. When the first address resolution mapping is verified, the method adds the first address resolution mapping to a list of address resolution mappings. The list of address resolution mappings includes verified address resolution mappings. The list of address resolution mappings is sent to the workload to allow the workload to verify a second address resolution mapping using the list of verified address resolution mappings.

Abstract: A process monitoring methodology is disclosed. In a computer-implemented method, a selection of a process to be monitored is received. The process is to be at least partially performed using a component of a computing environment. An expected operating parameter of the process is determined. The process is also monitored to determine an actual operating parameter of the process. The actual operating parameter of the process is compared with the expected operating parameter of the process to generate a comparison result. An operation is then automatically performed based upon the comparison result.

Abstract: Techniques for implementing a secure enclave-based guest firewall are provided. In one set of embodiments, a host system can load a policy enforcer for a firewall into a secure enclave of a virtual machine (VM) running on the host system, where the secure enclave corresponds to a region of memory in the VM's guest memory address space that is inaccessible by processes running in other regions of the guest memory address space (including privileged processes that are part of the VM's guest operating system (OS) kernel). The policy enforcer can then, while running within the secure enclave: (1) obtain one or more security policies from a policy manager for the firewall, (2) determine that an event has occurred pertaining to a new or existing network connection between the VM and another machine, and (3) apply the one or more security policies to the network connection.

Abstract: Example methods and systems for a computer system to perform security threat detection during service query handling are described. In one example, a process running on a virtualized computing instance supported by the computer system may generate and send a first service query specifying a query input according to a service protocol. The first service query may be detected by a security agent configured to operate in a secure enclave that is isolated from the process. Next, the security agent may generate and send a second service query specifying the query input in the first service query. It is then determined whether there is a potential security threat based on a comparison between (a) a first reply received responsive to the first service query and (b) a second reply received responsive to the second service query.

Abstract: A next generation antivirus (NGAV) security solution in a virtualized computing environment includes a security sensor at a virtual machine that runs on a host and a security engine remote from the host. The integrity of the NGAV security solution is increased, by providing a verification as to whether a verdict issued by the security engine has been successfully enforced by the security sensor to prevent execution of malicious code at the virtual machine.

Abstract: In some embodiments, a method stores domain name system (DNS) resolution mappings from a domain name to an address in a first table. The DNS resolution mappings are intercepted from DNS responses being sent by a DNS server. The first table is sent to a manager for validation of the DNS resolution mappings. Then, a second table is received from the manager that contains validated DNS resolution mappings. The method intercepts a DNS response that includes a domain name to address resolution mapping from the DNS server and validates the domain name to address resolution mapping using a validated DNS resolution mapping in the second table.

Abstract: Example methods are provided for adaptive file access authorization using process access patterns. In a learning mode, attributes and other information, which are associated with applications or with processes that are related to the applications and that attempt to access a file system, are collected and used to generate a policy. In a protected mode, file access requests are examined against the policy, and are granted access to the file system or are denied access to the file system based on the contents of the policy. The policy may be updated so as to adapt to changes in the access patterns and to changes in the application or processes.

Abstract: An in-guest agent in a virtual machine (VM) operates in conjunction with a replication module. The replication module performs continuous data protection (CDP) by saving images of the VM as checkpoints at a disaster recovery site over time. Concurrently, the in-guest agent monitors for behavior in the VM that may be indicative of the presence of malicious code. If the in-guest agent identifies behavior (at a particular point in time) at the VM that may be indicative of the presence of malicious code, the replication module can tag a checkpoint that corresponds to the same particular point in time as a security risk. One or more checkpoints generated prior to the particular time may be determined to be secure checkpoints that are usable for restoration of the VM.

Abstract: The present disclosure describes secured interprocess communication (IPC). The operating system traps application-level IPC calls to an IPC agent, which handles the IPC call. The IPC agent executes in a trusted execution environment so that communications between the applications involved in the IPC are secure. Since processing of IPC by the IPC agent bypasses the operating system, IPC remains secure despite any attacks against the operating system code.

Abstract: A process monitoring methodology is disclosed. In a computer-implemented method, a selection of a process to be monitored is received. The process is to be at least partially performed using a component of a computing environment. An expected operating parameter of the process is determined. The process is also monitored to determine an actual operating parameter of the process. The actual operating parameter of the process is compared with the expected operating parameter of the process to generate a comparison result. An operation is then automatically performed based upon the comparison result.

Abstract: In some embodiments, a method receives a first address resolution mapping from a workload and verifies the first address resolution mapping. When the first address resolution mapping is verified, the method adds the first address resolution mapping to a list of address resolution mappings. The list of address resolution mappings includes verified address resolution mappings. The list of address resolution mappings is sent to the workload to allow the workload to verify a second address resolution mapping using the list of verified address resolution mappings.

Abstract: A system and method for automatically adjusting a learning mode duration on a virtual computing instance for an application security system extends a minimum duration of time for the learning mode duration for a guest agent running in the virtual computing instance based on a condition with respect to suspicious activities and deviations from normal behaviors detected during a fixed time interval. The guest agent is switched to a protected mode when the condition with respect to the suspicious activities and the deviations from the normal behaviors is satisfied for any fixed time interval after the minimum duration of time.