Patents Assigned to Symantec Corporation
-
Patent number: 8776227
Abstract: Malware with fake or misleading anti-malware user interfaces (UIs) are detected. Processes running on a computer system are monitored and their window creation events are detected. The structures of the created windows are retrieved to detect presence of UI features that are commonly presented in known fake or misleading anti-malware UIs (“fakeAVUIs”). If a window includes a UI feature commonly presented in known fakeAVUIs, that window is determined suspicious and additional tests are applied to determine the validity of information in the window. If the information in the window is determined invalid, then the process that created the window is determined to be malware and a remediating action is applied to the process.
Type: Grant
Filed: December 14, 2010
Date of Patent: July 8, 2014
Assignee: Symantec Corporation
Inventors: Adam L. Glick, Spencer Smith, Nicholas R. Graf
-
Patent number: 8776168
Abstract: Security policy changes can be implemented for a user or a user group based on behaviorally-derived risk information. A behavior-receiving module receives information about user behaviors for the user across various clients with which the user interacts. An attribute-receiving module receives one or more user attributes identified for a user. A profile-generating module generates a user risk profile for the user based on the received information about the user behaviors and the received user attributes. A user scoring module assigns the user a user risk score based on an evaluation of the user risk profile for the user. Similarly, groups of users can be given group risk scores, or users can have combined group/user scores. Finally, a remediation module automatically establishes a security policy requiring remediative actions for the user (or user group) based on the user risk score or combined score (or group score).
Type: Grant
Filed: October 29, 2009
Date of Patent: July 8, 2014
Assignee: Symantec Corporation
Inventors: Douglas Gibson, Keith Newstadt
-
Patent number: 8775716
Abstract: A computer-implemented method for defragmenting virtual machine prefetch data. The method may include obtaining prefetch information associated with prefetch data of a virtual machine. The method may also include defragmenting, based on the prefetch information, the prefetch data on physical storage. The prefetch information may include a starting location and length of the prefetch data on a virtual disk. The prefetch information may include a geometry specification of the virtual disk. Defragmenting on physical storage may include placing the prefetch data contiguously on physical storage, placing the prefetch data in a fast-access segment of physical storage, and/or ordering the prefetch data according to the order in which it is accessed at system or application startup.
Type: Grant
Filed: November 8, 2012
Date of Patent: July 8, 2014
Assignee: Symantec Corporation
Inventors: Randall R. Cook, Brian Hernacki, Sourabh Satish, William E. Sobel
-
Patent number: 8775333
Abstract: A computer-implemented method for generating a threat classifier is described. A parameter collection module is distributed to a plurality of client processing systems. The module comprises a set of rules to detect a behavior in the client processing systems. If one or more of the set of rules are satisfied, input data indicative of a plurality of client processing parameters is received. The input data is scaled to provide a plurality of parameter vectors. Each of the parameter vectors are classified as a threat or a non-threat. A machine learning process is performed on at least one of the classified parameter vectors. The threat classifier is generated from the machine learning process. The threat classifier is transferred to at least one client processing system. The threat classifier is configured to automatically determine if a process to be performed in a client processing system is malicious.
Type: Grant
Filed: August 18, 2009
Date of Patent: July 8, 2014
Assignee: Symantec Corporation
Inventor: Derek Zahn
-
Publication number: 20140189873
Abstract: Embodiments of the present invention are directed to a method and system for automated risk analysis. The method includes accessing host configuration information of a host and querying a vulnerability database based on the host configuration information. The method further includes receiving a list of vulnerabilities and accessing a plurality of vulnerability scores. The list of vulnerabilities corresponds to vulnerabilities of the host. Vulnerabilities can be removed from the list based on checking for installed fixes corresponding to vulnerability. A composite risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores. An aggregate risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores.
Type: Application
Filed: May 21, 2010
Publication date: July 3, 2014
Applicant: SYMANTEC CORPORATION
Inventors: Matthew Cruz Elder, Darrell Martin Kienzle, Pratyusa K. Manadhata, Ryan Kumar Persaud
-
Publication number: 20140189784
Abstract: A computer-implemented method for enforcing data-loss-prevention policies using mobile sensors may include (1) detecting an attempt by a user to access sensitive data on a mobile computing device, (2) collecting, via at least one sensor of the mobile computing device, sensor data that indicates an environment in which the user is attempting to access the sensitive data, (3) determining, based at least in part on the sensor data, a privacy level of the environment, and (4) restricting, based at least in part on the privacy level of the environment, the attempt by the user to access the sensitive data according to a DLP policy. Various other methods, systems, and computer-readable media are also disclosed.
Type: Application
Filed: January 2, 2013
Publication date: July 3, 2014
Applicant: Symantec Corporation
Inventor: Symantec Corporation
-
Patent number: 8769676
Abstract: Techniques for identifying suspicious applications are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for identifying suspicious applications comprising determining one or more clusters of applications in an identified category of applications based on requested permissions of each of two or more applications in each of the one or more clusters of applications, determining a center application of each of the one or more clusters, and determining, using at least one computer processor, a similarity score for an application being evaluated based at least in part on a distance between the application being evaluated and the center application of a closest cluster of the one or more clusters.
Type: Grant
Filed: December 22, 2011
Date of Patent: July 1, 2014
Assignee: Symantec Corporation
Inventor: Anand Kashyap
-
Patent number: 8769226
Abstract: A system and method for identifying properties of virtual resources to efficiently perform backups and restores of cluster data. A cluster of nodes is coupled to a data storage medium. A node receives a request for a backup or a restore of cluster data. In response to this request, the node queries a cluster subsystem and a virtual subsystem of all other cluster nodes for identification of VMs, a subset of corresponding stored data, and an identification of VMs which are highly available (HA). In response to receiving query responses, the node aggregates the results and sends them to a backup server. These aggregated results may then be used to schedule subsequent backup and restore operations. In addition, the node may use the results to complete the current backup or restore operation.
Type: Grant
Filed: July 9, 2012
Date of Patent: July 1, 2014
Assignee: Symantec Corporation
Inventor: Tomasz F. Wilk
-
Patent number: 8769674
Abstract: A method, system, computer program product, and/or a computer readable medium of instructions for detecting a malicious message for an instant messaging service. In one form, the method comprises: receiving a message in a first processing system; analyzing the message to determine if the message is malicious; and in response to detecting that the message is malicious, restricting the message from threatening: the first processing system; and a second processing system in data communication with the first processing system. In another form, the method comprises receiving, in a first processing system, input data indicative of an instruction to transfer a message to a second processing system; analyzing the message to be transferred to determine if the message is malicious; and in response to detecting that the message is malicious, restricting the message from being transferred to the second processing system.
Type: Grant
Filed: September 5, 2007
Date of Patent: July 1, 2014
Assignee: Symantec Corporation
Inventors: Rolf Repasi, Simon Clausen
-
Patent number: 8769627
Abstract: A computer-implemented method for validating ownership of deduplicated data may include (1) identifying a request from a remote client to store a data object in a data store that already includes an instance of the data object, (2) in response to the request, verifying that the remote client possesses the data object by (i) issuing a randomized challenge to the remote client, the randomized challenge including a random value which, when combined with at least a portion of the data object, produces an authentication token demonstrating possession of the data object and, in response to the randomized challenge, (ii) receiving the authentication token from the remote client; and, in response to receiving the authentication token from the remote client, (3) storing the data object in the data store on behalf of the remote client. Various other methods and systems are also disclosed.
Type: Grant
Filed: December 8, 2011
Date of Patent: July 1, 2014
Assignee: Symantec Corporation
Inventors: Fanglu Guo, Petros Efstathopoulos
-
Patent number: 8769220
Abstract: A method and apparatus for mitigating the performance impact of background or idle time processing during interactive computing sessions. One embodiment of the present invention is a method for mitigating performance impact of background or idle time processing on interactive applications comprising identifying executable and data pages in physical memory that are associated with an interactive application that is temporarily unused and preventing any of the identified executable and data pages from paging out.
Type: Grant
Filed: July 17, 2012
Date of Patent: July 1, 2014
Assignee: Symantec Corporation
Inventors: Bruce E. McCorkendale, Mark W. Spiegel, Paul Agbabian, Shaun Cooley
-
Patent number: 8769182
Abstract: A virtual tape library management system provides multiple, simultaneous accesses to the content stored on a single virtual tape. The virtual tape library management system receives a first request to access the content of a virtual tape. Responsive to the first request, the virtual tape library management system provides access to the virtual tape. While the virtual tape is being accessed, the virtual tape library management system receives a second request to read the same virtual tape. In response, the virtual tape library management system creates a shadow virtual tape corresponding to the virtual tape, maps the shadow virtual tape to the content of the virtual tape, and provides access to the shadow virtual tape.
Type: Grant
Filed: April 1, 2010
Date of Patent: July 1, 2014
Assignee: Symantec Corporation
Inventors: Sean Tu, Wendy A. Shavor, James H. Harris, Jr.
-
Patent number: 8769223
Abstract: Various embodiments of a system and method for performing a backup operation are disclosed. Backup operation information may be stored, where the backup operation information specifies a backup operation to be performed using at least a first device. Subsequent to storing the backup operation information, state information for the first device may be stored, where the state information indicates whether the first device is eligible for use in backup operations. Before the backup operation is performed, the state information for the first device may be accessed. If the state information for the first device indicates that the first device is eligible for use in backup operations then the backup operation may be performed using the first device (as well as possibly other devices). If the state information for the first device indicates that the first device is ineligible for use in backup operations then the backup operation may be prevented from using the first device.
Type: Grant
Filed: March 31, 2008
Date of Patent: July 1, 2014
Assignee: Symantec Corporation
Inventors: Michael W. Boldt, Samuel J. Pierson, Erica B. Antony, Aaron C. Christensen
-
Patent number: 8769334
Abstract: Techniques for providing instant disaster recovery are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for providing instant disaster recovery comprising, maintaining, in a data store, data associated with a first host system, wherein the data comprises a first data portion and a second data portion, storing, in the first data portion, a disaster recovery agent, and exposing, to a second host system, the first data portion and the second data portion, wherein the disaster recovery agent is configured to initiate, on the second host system, a disaster recovery process, boot the second host system using the first data portion, and copy, from the data store, the second data portion in accordance with a first copy procedure and a second copy procedure.
Type: Grant
Filed: February 25, 2013
Date of Patent: July 1, 2014
Assignee: Symantec Corporation
Inventors: Geeta Gharpure, Taher M. Vohra
-
Patent number: 8769685
Abstract: A computer-implemented method for using file paths to identify potentially malicious computer files may include: 1) identifying a file, 2) identifying a file path associated with the file, 3) determining, by applying a heuristic to the file, that at least a portion of the file path is likely to have been randomly generated, 4) determining, based at least in part on the determination that at least a portion of the file path has likely been randomly generated, that the file is potentially malicious, and 5) performing a security operation on the file. Corresponding systems and computer-readable instructions embodied on computer-readable media are also disclosed.
Type: Grant
Filed: February 3, 2010
Date of Patent: July 1, 2014
Assignee: Symantec Corporation
Inventors: Robert Conrad, David Kane
-
Patent number: 8769672
Abstract: A method, computer program product and system for preventing code injection in an operating system. The method 300 includes a checking module 340 hooking a kernel mode OS system call 330 and a request 315 sent to the kernel mode OS system call 330 being directed to the checking module 340. The checking module 340 queries 345 a process database 350 and the checking module 340 then allows or denies the request 315 based on a response from the process database 350.
Type: Grant
Filed: August 4, 2006
Date of Patent: July 1, 2014
Assignee: Symantec Corporation
Inventor: Seung Bae Park
-
Patent number: 8762980
Abstract: Multiple versions of a sequential dataset are maintained without storing the full file set for each version. A full file set for the current version is stored, as well as a chain of forward and/or reverse patches between adjacent versions. New content for the dataset is received, and a new current version is built that includes this new content. Patches between the new and immediately previous versions are built and stored. When a request is received from a client for an update to the current version, multiple patches of the chain are merged, from the client version of the dataset to the current version. This merging of patches creates a single direct delta, which comprises all operations for updating the client version to the current version. The direct delta is then transmitted to the client.
Type: Grant
Filed: September 9, 2010
Date of Patent: June 24, 2014
Assignee: Symantec Corporation
Inventors: William E. Sobel, James Brennan
-
Patent number: 8762987
Abstract: A computer-implemented method for determining whether an application impacts the health of a system may comprise detecting an application, performing a first system-health evaluation, allowing the application to install on the system, performing a second system-health evaluation after the application is installed on the system, and comparing the second system-health evaluation with the first system-health evaluation to determine whether the application impacted the health of the system. Exemplary methods for determining the potential impact of an application on the health of a system and for calculating a system-health-impact score for an application based on information gathered from a plurality of systems are also disclosed. Corresponding systems and computer-readable media are also disclosed.
Type: Grant
Filed: July 26, 2012
Date of Patent: June 24, 2014
Assignee: Symantec Corporation
Inventor: Sourabh Satish
-
Patent number: 8763072
Abstract: A method and apparatus for detecting violations of data loss prevention (DLP) policies based on reputation scores. Using a DLP agent, monitors outbound data transfers performed by the computing system, and determines a reputation score for at least one of the data transfers to a destination entity specified to receive the at least one data transfer based on a data type of the data being transferred to the destination entity.
Type: Grant
Filed: May 9, 2011
Date of Patent: June 24, 2014
Assignee: Symantec Corporation
Inventor: Mukund Agrawal
-
Patent number: 8762512
Abstract: A computing system identifies shared cloud accounts of a cloud that are created for an entity. The computing system resides outside of the cloud. The number of shared cloud accounts is less than a number of entity users that use the cloud. The computing system determines that one of the users is authorized to use any of the shared cloud accounts in response to a determination that identity information of the user is valid. The computing system receives a request from the user to access the cloud and determines whether one of the shared cloud accounts is available to be assigned to the user. The computing system adds the request to a queue based on a determination that none of the shared cloud accounts is available and assigns one of the cloud accounts to the user based on a determination that one of the shared cloud accounts is available.
Type: Grant
Filed: May 3, 2012
Date of Patent: June 24, 2014
Assignee: Symantec Corporation
Inventors: Sharada Sundaram, Sanjay Sawhney, Robert Koeten