Abstract: Various embodiments of a computer system and methods are disclosed. In one embodiment, a computer system includes a backup application coupled to interconnected storage resources. The backup application creates a database of storage resources, wherein each database entry corresponds to one or more storage resources and is associated with one or more user-defined attributes describing the suitability of the associated resources for a backup operation. The backup application creates and stores a configuration of storage resources for a backup operation. Each storage resource is selected based on a value of an associated attribute. The storage resources may include logical unit numbers (LUNs), mount points providing access to LUNs, and hosts having physical access or network access through other hosts to mount points. An attribute specifies that the associated storage resources are either required or preferred for a backup operation. The database and configuration are created at backup application run time.

Abstract: A computer-implemented method may include (1) identifying a plurality of specific categories of sensitive information to be protected by a DLP system, (2) obtaining a training data set for each specific category of sensitive information that includes a plurality of positive and a plurality of negative examples of the specific category of sensitive information, (3) using machine learning to train, based on an analysis of the training data sets, at least one machine learning-based classifier that is capable of detecting items of data that contain one or more of the plurality of specific categories of sensitive information, and then (4) deploying the machine learning-based classifier within the DLP system to enable the DLP system to detect and protect items of data that contain one or more of the plurality of specific categories of sensitive information in accordance with at least one DLP policy of the DLP system.

Abstract: A candidate signature for a known malware entity is selected for analysis. A set of malware entities that contain the candidate signature is identified. A diversity measurement for the candidate signature is determined. The diversity measurement describes the diversity of the set of malware entities that contain the candidate signature. A determination is made whether to use the candidate signature to identify the known malware entity based at least in part on the diversity measurement. Responsive to the determination, the candidate malware signature is stored as a signature for the known malware entity.

Abstract: A distress signal sender and a distress signal receiver receive beacon-name generation parameters and generate a beacon name based at least in part on the received parameters, the beacon name representing a network location. Responsive to detecting an unexpected lack of access to network communications, the distress signal sender sends a beacon message to the generated beacon name, the beacon message describing a security state of the client. The distress signal receiver detects the beacon message sent by the distress signal sender, and responsive to receiving the beacon message, performs a remedial action.

Abstract: A computer-implemented method for detecting data-stealing malware may include: 1) detecting an attempt by an untrusted application to access a storage location that is known to be used by a legitimate application when storing potentially sensitive information, 2) determining that the legitimate application is not installed on the computing device, 3) determining that the untrusted application represents a potential security risk, and then 4) performing a security operation on the untrusted application. Corresponding systems and computer-readable instructions embodied on computer-readable media are also disclosed.

Abstract: A DNS security system collects and uses aggregated DNS information originating from a plurality of client computers to detect anomalous DNS name resolutions. A server DNS security component receives multiple transmissions of DNS information from a plurality of client computers, each transmission of DNS information concerning a specific instance of a resolution of a specific DNS name. The server component aggregates the DNS information from the multiple client computers. The server component compares DNS information received from a specific client computer concerning a specific DNS name to aggregated DNS information received from multiple client computers concerning the same DNS name to identify anomalous DNS name resolutions. Where an anomaly concerning received DNS information is identified, a warning can be transmitted to the specific client computer from which the anomalous DNS information was received.

Abstract: A method of computing a similarity between a first transaction having a set of properties and a second transaction having the set of properties includes computing an initial weight for each of the properties of the set of properties and computing a similarity between each of the properties of the first transaction and the properties of the second transaction. The method also includes adjusting the initial weight for each of the properties based on a measure of the commonness of each of the properties of the set of properties, normalizing the adjusted weights, and computing the similarity by summing the products of the normalized adjusted weights and the computed similarities.

Abstract: Various techniques for software license inventory and asset management are disclosed. A fingerprint may be generated and associated with various copies of software applications installed on a software licensee's computer systems. Upon generation, each fingerprint may be stored in a license information database system along with relevant license information for that copy of the software application. A software inventory tool may then be used to collect fingerprints on installed copies of software applications and provide these fingerprints to the license information database system to obtain the corresponding license information. The output of the software inventory tool may be used by a licensee to comply with software license agreements and/or efficiently allocate information technology resources. Methods and systems that provide and process secured, dynamic and persistent tagging of software deployments and usage are also disclosed.

Abstract: A malware analysis component receives information concerning malware infections on a large plurality of client computers, as detected by an anti-malware product or submitted directly by users. The malware analysis component analyzes this wide array of information, and identifies suspicious malware detection and submission activity associated with specific sources. Where identified suspicious patterns of malware detection and submission activity associated with a specific source meet a given threshold over time, the malware analysis component determines that the source is an originator of malware.

Abstract: A computer-implemented method for data loss prevention may include intercepting a packet sent by an application of an endpoint. The computer-implemented method may also include extracting file-identification information from the packet. The computer-implemented method may further include identifying a list of opened files and matching the file-identification information to a file in the list of opened files. The computer-implemented method may additionally include identifying a data-loss-prevention policy that applies to the file. The computer-implemented method may moreover include filtering the packet based on the data-loss-prevention policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Websites used for phishing are detected by analyzing end user confidential data submission statistics. A central process receives data indicating confidential information submitted to websites from a plurality of user computers. The received data is aggregated and analyzed, for example through statistical profiling. Through the analysis of the aggregated data, anomalous behavior concerning submission of confidential information to websites is detected, such is an unexpected, rapid increase in the amount of confidential information submitted to a given website. Responsive to detecting the anomalous behavior, further action is taken to protect users from submitting confidential information to that website. For example, an alert can be sent, a protective measure against the site can be published, the site can be added to a blacklist or a procedure to have the site shut down can be initiated.

Abstract: Systems and methods described herein may separate one or more enhancement layers of a multimedia file from a base layer of the multimedia file and treat the base layer and the enhancement layer differently when backing up and/or archiving the multimedia file (e.g., by giving the enhancement layer a lower priority than the base layer). By separating enhancement layers from multimedia files and treating the enhancement layers with a lower priority, these systems and methods may reduce the strain that large multimedia files put on data repositories and associated computing resources (e.g., storage space, network bandwidth, etc.) while still preserving and protecting enough of the multimedia file to keep important information that the multimedia file may contain intact.

Abstract: An application registration module executes on a client, extracting metadata from a local application designed for an operating system of the client, formulating installation instructions, and providing the application, metadata, and installation instructions to a distribution server. The distribution server can then be used to facilitate installation of the application on other clients having the same operating system as the source client.

Abstract: The disclosure is directed to dynamic insertion and removal of virtual software sub-layers. In one example, a virtual layer associated with a software application is virtually installed and activated in a computing device. A virtual sub-layer associated with a component of the software application is dynamically inserted in the virtual layer. The virtual layer remains active during the dynamic insertion of the virtual sub-layer. In certain embodiments, a process is executed from the virtual layer, a determination is made as to whether the process launched before or after the insertion of the virtual sub-layer, and the inserted virtual sub-layer is selectively made visible or invisible to the process based on the determination.

Abstract: A method and apparatus for performing granular restoration from machine images stored on sequential backup media is disclosed. In one embodiment, the method for performing granular restoration from machine images stored on sequential backup media includes processing at least one machine image file to identify at least one database file and at least one data object that is arranged within the at least one database file and generating mapping information regarding the at least one data object within the at least one machine image file, wherein the at least one machine image is to be stored on the sequential backup media.

Abstract: Systems, methods, apparatus and software can implement clusterizing processes on existing standalone server application installations. A server computer system on which a server application resides is renamed from its original name. Cluster software is installed on the server computer system. A virtual server is created to represent the server application to client applications and users. The virtual server is given the original server computer system name and can also be given the server computer system's network address. Cluster functionality can further be extended to allow a virtual server to failover to any other node available in a cluster.

Abstract: A method and apparatus for optimizing a de-duplication rate for backup streams is described. In one embodiment, the method for optimizing data de-duplication using an extent mapping of a backup stream includes processing a backup stream to access an extent mapping associated with a plurality of data files, wherein the plurality of the data files are arranged within the backup stream and examining the extent mapping to identify at least one extent group within the backup stream, wherein the plurality of the data files are de-duplicated using at least one location of the at least one extent group.

Abstract: A method, apparatus, and computer program product for implementing affinity based allocation for storage implementations employing deduplicated data stores is disclosed. According to an embodiment of the present invention, a backup manager determines if information associating a data source with a first data target of a plurality of data targets has been established. The first data target is a deduplication data store and the information associating the data source with the first data target indicates an increased likelihood of at least some information stored on the data source is already being stored on the first data target prior to performing a backup. If information associating the data source with the first data target has been established, the backup manager stores a set of data on the data target.

Abstract: Techniques for storage lifecycle policy management. In one particular exemplary embodiment, the techniques may be realized as a method for storage lifecycle policy management comprising creating a version of a storage lifecycle policy, associating a unique version ID with the created version of the storage lifecycle policy, associating the unique version ID with one or more portions of backup data created during a storage management job instantiated under the created version of the storage lifecycle policy, and ensuring that one or more storage management actions performed on the one or more portions of backup data comply with the created version of the storage lifecycle policy associated with unique version ID.

Abstract: A computer-implemented method for identifying spam mailing lists may include identifying a plurality of clients that receive e-mail messages. The computer-implemented method may also include, for each client in the plurality of clients, receiving, from the client, information identifying at least one e-mail message received by the client. The computer-implemented method may further include, for each client in the plurality of clients, recording the identifying information in a database. The computer-implemented method may additionally include identifying at least one mailing list by identifying at least one group of clients within the plurality of clients with similar patterns of identifying information. Various other methods, systems, and computer-readable media are also disclosed.