Patents Assigned to Symantec
  • Patent number: 8104086
    Abstract: Methods, apparati, and computer-readable media for detecting the presence of malicious computer code in a computer. In a method embodiment, persistence points in an operating system of the computer are examined (31). When a pointer to a temporary directory is found (32) at a persistence point, a declaration is made (34) of a suspicion of malicious code being present in the computer. Second and third method embodiments are used when the computer has a native operating system (14) controlling hardware (11) functions and a user-interface operating system (12) built on top of the native operating system (14). A fourth method embodiment is used when the computer has an operating system comprising a kernel (20) and a user interface (21).
    Type: Grant
    Filed: March 3, 2005
    Date of Patent: January 24, 2012
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
  • Publication number: 20120016840
    Abstract: A method for replicating a virtual file system of a virtual machine. The method includes accessing a host file system usage map of a host machine that indicates active blocks out of a plurality of blocks of the host file system, and accessing a virtual file system usage map of a virtual machine that indicates active blocks out of a plurality of blocks of the virtual file system. A merged usage map is generated from information of the host file system usage map and the virtual file system usage map that identifies active blocks of the host file system associated with the virtual file system. The virtual file system is then replicated at a replication destination in accordance with the merged usage map.
    Type: Application
    Filed: July 15, 2010
    Publication date: January 19, 2012
    Applicant: SYMANTEC CORPORATION
    Inventors: Chris Chih-Chen Lin, Viswesvaran Janakiraman
  • Patent number: 8099391
    Abstract: Various embodiments of a system and method for backing up files used by a virtual machine are described herein. The files may be stored within a virtual disk image file. A full backup of the virtual disk image file may first be created. After creating the full backup, one or more incremental or differential backups of the virtual disk image file may be created. In some embodiments, fingerprints of the sectors of the virtual disk image file may be stored and used to identify which sectors should be included in the incremental or differential backups.
    Type: Grant
    Filed: March 17, 2009
    Date of Patent: January 17, 2012
    Assignee: Symantec Corporation
    Inventor: Russell David Monckton
  • Patent number: 8099784
    Abstract: To evade heuristic detection, malware is often designed to trick users into installing the malware by being packaged in a standard installer known to the user's computer for typically installing legitimate software. To prevent removal of the malware, the malware modifies or removes its uninstaller. A security module manages this type of evasion technique by monitoring and detecting installations performed on a computer. The module detects attempts to remove or modify the uninstaller for the application to render the uninstaller incapable of uninstalling the application. The module can intercept and block such attempts, and then analyze the application for malicious code. Where the application is determined to be malware, the module prevents malicious activity. The module can also use the malware's own uninstaller to uninstall the malware from the computer.
    Type: Grant
    Filed: February 13, 2009
    Date of Patent: January 17, 2012
    Assignee: Symantec Corporation
    Inventors: Joseph Chen, Jamie Jooyoung Park
  • Patent number: 8099627
    Abstract: A method, system, computer system, and computer-readable medium that enable quick recovery from failure of one or more nodes, applications, and/or communication links in a distributed computing environment, such as a cluster. Recovery is facilitated by regularly saving persistent images of the in-memory checkpoint data and/or of distributed shared memory segments. The persistent checkpoint images are written asynchronously so that applications can continue to write data even during creation and/or updating the persistent image and with minimal effect on application performance. Furthermore, multiple updater nodes can simultaneously update the persistent checkpoint image using normal synchronization operations. When one or more nodes fail, the persistent checkpoint image can be read and used to restart the application in the most recently-saved state prior to the failure.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: January 17, 2012
    Assignee: Symantec Operating Corporation
    Inventors: Veeral P. Shah, Milind Vithal Borate
  • Publication number: 20120011161
    Abstract: Systems and methods for permission maintenance are presented. In one embodiment, a permission maintenance method includes: gathering permission indication information including permission indications associated with various stored information; analyzing the permission indication information including analyzing potential permission indication origination; and creating interface presentation information based upon results of the analyzing the permission indications, wherein the interface presentation information includes information related to potential origination of a permission indication. The gathering can include scanning a file system and collecting active directory information. The analyzing can include determining the type of access a principal is given to a file. The analyzing can also include determining if a principal is associated with a group and the type of permissions given to the group.
    Type: Application
    Filed: July 9, 2010
    Publication date: January 12, 2012
    Applicant: SYMANTEC CORPORATION
    Inventor: Nikhil MARATHE
  • Publication number: 20120011499
    Abstract: Techniques for inter-virtual machine communication are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for interaction with a guest virtual machine comprising monitoring image loads into electronic memory of a guest virtual machine using a secure virtual machine, identifying a memory structure having a specified format, and performing, using the secure virtual machine, at least one of reading one or more portions of the identified memory structure and setting a value in the identified memory structure.
    Type: Application
    Filed: July 8, 2010
    Publication date: January 12, 2012
    Applicant: Symantec Corporation
    Inventors: Matthew Conover, Bruce McCorkendale, William E. Sobel
  • Patent number: 8095828
    Abstract: Techniques are disclosed relating to storing a log of write operations made to a first storage device by one of a plurality of host computers running an instance of a distributed application. The log of write operations is stored at a second storage device. The plurality of host computers communicate status information to the second storage device over respective communication paths. Upon a failure to communicate status information between one of the host computers and the second storage device, the second storage device reads from a predetermined location in the first storage device to determine whether the host computer is still performing write operations. If the second storage device reads an expected signature value written by the host computer, the host computer is deemed to have written data, which indicates that the host computer is operational but that the write operations have not been recorded by the second storage device.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: January 10, 2012
    Assignee: Symantec Corporation
    Inventors: Guido Westenberg, Joshua Kruck
  • Patent number: 8095684
    Abstract: Systems, methods, and computer-readable storage media are disclosed for a computer system determining a transport path for a data duplication job. A data duplication job request, being a request that data stored on a source device be duplicated, may be received. A plurality of possible transport path components may be enumerated. The plurality of possible transport path components may include one or more possible destination devices, one or more possible means of transport, and one or more possible media servers. A ranking may be determined for at least a subset of the possible transport path components. An availability may be determined for at least a subset of the possible transport path components. A transport path may be selected based on the determined rankings and the determined availabilities. The data duplication job may be performed using the selected transport path.
    Type: Grant
    Filed: September 15, 2009
    Date of Patent: January 10, 2012
    Assignee: Symantec Corporation
    Inventors: Donald J. Stryker, Claudia L. Rudolph, Rakesh Didwania, Shanthi Paladugu
  • Patent number: 8095672
    Abstract: Identities of owners of electronic communication aliases are collected from a plurality of client computers across a parental control system. Each collected identity corresponds to an electronic communication alias used by at least one child associated with the originating client computer. The collected identities and the corresponding electronic communication aliases are stored. Responsive to receiving a collected identity, previously stored identities corresponding to the same electronic communication alias are retrieved, and compared to the received identity. The more previously stored identities match the received identity, the more likely the received identity is to be accurate. Therefore, based upon the comparison results, it can be determined whether the received identity is accurate or not. If it is determined that the received identity is false, the relevant parents are automatically notified.
    Type: Grant
    Filed: November 26, 2008
    Date of Patent: January 10, 2012
    Assignee: Symantec Corporation
    Inventors: Keith Newstadt, Matt Boucher
  • Patent number: 8095572
    Abstract: Systems, methods, and computer-readable storage media are disclosed for a computer system determining database containers that include references to one or more specified data items. The computer system may determine, from a plurality of containers in a database, a candidate set of containers, where the database includes a plurality of data items that includes the one or more data items. The computer system, for each of the containers in the candidate set, queries the database to determine whether the container includes a reference to any of the specified one or more data items. The computer system uses results of the querying to determine any containers in the candidate set of containers that include such references. These results may be used, for example, to set storage retention policies.
    Type: Grant
    Filed: July 14, 2009
    Date of Patent: January 10, 2012
    Assignee: Symantec Corporation
    Inventor: David Coghlan
  • Patent number: 8095964
    Abstract: A threat detection event indicating a detection of a malware entity is identified at a client. Threat information associated with the malware entity is identified responsive to the threat detection event, the threat information for detecting the malware entity, wherein at least some of the threat information is unaffected by variance associated with the malware entity. The threat information is reported to a peer client of the client. Peer threat information describing a peer malware entity detected at the peer client is received at the client from the peer client via a network and used to examine the client for the peer malware entity.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: January 10, 2012
    Assignee: Symantec Corporation
    Inventors: Gary Zhong, Shaun P. Cooley
  • Patent number: 8095488
    Abstract: A method and apparatus for managing configurations of computer resources in a datacenter is described. In one embodiment, a method comprises analyzing multiple configurations using rule information to produce an analysis result where each configuration in the multiple configurations defines a configuration of a resource that is managed by the data center, training a Bayesian classifier using the analysis result, and classifying a second configuration using the trained Bayesian classifier.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: January 10, 2012
    Assignee: Symantec Corporation
    Inventors: Venkeepuram Satish, Navin Kabra, Subhojit Roy, Himanshu Ashwani
  • Patent number: 8095679
    Abstract: The performance and hence the user experience of just-in-time application streaming is significantly enhanced by predicting which sections of an application are likely to execute next, and transmitting those sections from the server to the endpoint. A control flow graph of the application is created and analyzed against the execution state of the application such that it can be predicted which code pages the application is likely to utilize next. This analysis can be performed on the server, endpoint or any combination of the two. The predicted code pages are proactively pushed and/or pulled such that the application can continue executing without delay. This significantly enhances the performance of application streaming and network file system technologies, and is especially beneficial for very performance-sensitive applications.
    Type: Grant
    Filed: March 19, 2008
    Date of Patent: January 10, 2012
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Brian Hernacki, Zulfikar Ramzan
  • Patent number: 8095826
    Abstract: A method and apparatus for performing in-memory checkpoint services as a callable resource within a distributed transaction. As such, in-memory checkpoint processes can be utilized by an application as the application would use any resource available to the computer network via a distributed transaction.
    Type: Grant
    Filed: June 29, 2004
    Date of Patent: January 10, 2012
    Assignee: Symantec Operating Corporation
    Inventor: Pavan Vijaykumar Deolasee
  • Publication number: 20120005751
    Abstract: A computer-implemented method for creating customized confidence bands for use in malware detection may include 1) identifying a portal for receiving executable content, 2) identifying metadata relating to the portal, 3) analyzing the metadata to determine what risk executable content received via the portal poses, and then 4) creating, based on the analysis, a confidence band to apply during at least one disposition of executable content received via the portal. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: July 2, 2010
    Publication date: January 5, 2012
    Applicant: Symantec Corporation
    Inventors: Joseph Chen, Jamie Jooyoung Park
  • Publication number: 20120005164
    Abstract: Systems and methods for cluster maintenance are presented. In one embodiment a cluster configuration method includes: maintaining configuration information associated with a first node and a second node, including cluster configuration version information; evaluating the first node as a potential configuration update node for the second node, including evaluating an indication of potential partial snapshot update availability based upon the configuration information associated with the first node and configuration information associated with the second node; performing an update type selection, including continued analysis of partial snapshot update availability; and performing an update for the second node in accordance with results of the update type selection.
    Type: Application
    Filed: June 30, 2010
    Publication date: January 5, 2012
    Applicant: SYMANTEC CORPORATION
    Inventors: Swapnil Dilip Patankar, Prabhat Alok Tyagi, Hetal Dhiren Rach, Rodney Peter Martis
  • Publication number: 20120005750
    Abstract: A computer-implemented method for alternating malware classifiers in an attempt to frustrate brute-force malware testing may include (1) providing a group of heuristic-based classifiers for detecting malware, wherein each classifier within the group differs from all other classifiers within the group but has an accuracy rate that is substantially similar to all other classifiers within the group, (2) including the group of classifiers within a security-software product, and (3) alternating the security-software product's use of the classifiers within the group in an attempt to frustrate brute-force malware testing by (a) randomly selecting and activating an initial classifier from within the group and then, upon completion of a select interval, (b) replacing the initial classifier with an additional classifier randomly selected from within the group. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: July 2, 2010
    Publication date: January 5, 2012
    Applicant: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 8090705
    Abstract: Method and apparatus for processing electronically stored information (ESI) for electronic discovery are described. In some examples, an electronic analysis of documents in the ESI indicated as being responsive to a search query of the ESI is performed. Results of the electronic analysis are stored in a database to provide a repository of case knowledge. Search parameters for at least one additional search query are generated automatically based on the case knowledge. The search parameters are provided as output.
    Type: Grant
    Filed: September 15, 2008
    Date of Patent: January 3, 2012
    Assignee: Symantec Corporation
    Inventor: Sunil Sharad Panse
  • Patent number: 8090836
    Abstract: A method is provided for migrating a connection between two computing nodes of a computing center. The method includes establishing the connection between a remote application and a local application on a first computing node, pausing the local application, restoring the local application to a second computing node, and reestablishing the connection between the remote application and the local application on the second computing node. A connection filter on the first computing node can maintain connections while the local application is paused. An application scheduler routine can cause the application to be restored on the second computing node where a second connection filter obtains connection information and reestablishes the connection to the remote application.
    Type: Grant
    Filed: June 10, 2003
    Date of Patent: January 3, 2012
    Assignee: Symantec Operating Corporation
    Inventors: Thomas Alan Bean, Emily Hipp