Abstract: To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.
Abstract: An individualized time-to-live (TTL) is determined for a reputation score of a computer file. The TTL is determined based on the reputation score and the confidence in the reputation score. The confidence can be determined based on attributes such as the reputation score, an age of the file, and a prevalence of the file. The reputation score is used to determine whether the file is malicious during a validity period defined by the TTL, and discarded thereafter.
Type: Application
Filed: September 15, 2009
Publication date: March 17, 2011
Applicant: SYMANTEC CORPORATION
Inventors: Vijay Seshadri, Zulfikar Ramzan, James Hoagland, Adam L. Glick, Adam Wright
Abstract: Detecting a variant of a known threat is disclosed. A portion of network traffic is matched with at least a portion of a signature associated with the known threat. If the portion of network traffic being matched with the signature does not exactly match the signature, the extent of match between the portion of network traffic and the signature is determined. If the extent of match satisfies a threshold, a security response is triggered based upon the extent of match.
Abstract: The performance of a remotely originated application is improved by determining the most popular application features, and proactively making the corresponding application content available to local computers on which the application runs. An application streaming or network file system transmits an application to a plurality of endpoints for execution. The server determines the relative popularity of the application features, and maps the features to corresponding application content. The server proactively pushes the application content corresponding to the most popular features to the endpoints. The popularity of application features is dynamically updated on a regular, ongoing basis. The proactive pushing of code pages is kept current with the updated popularity determinations.
Type: Grant
Filed: March 25, 2008
Date of Patent: March 15, 2011
Assignee: Symantec Corporation
Inventors: Sourabh Satish, William E. Sobel, Brian Hernacki
Abstract: A method, computer program product, and apparatus providing a means to split files and to merge files without the need for duplicating all of the data of the original files is disclosed.
Type: Grant
Filed: September 17, 2004
Date of Patent: March 15, 2011
Assignee: Symantec Operating Corporation
Inventors: Sree Hari Nagaralu, Sunder Phani Kumar, Anand Apte
Abstract: An access control system (200) enables a computer network (1) to prevent execution of computer code that may contain computer viruses. An access control console (201) generates an access control message (260) including control parameters such as a time limit (255). Said time limit (255) is disseminated to computers (2, 3) on the network (1). Said computers (2, 3) use the time limit (255) to determine the executability of computer code. Access control system (200) also enables blocking data communications with suspicious or susceptible programs in network (1) during virus outbreaks.
Abstract: Identification of spam honeypot domains is performed automatically by a system. The system searches sources of Internet domains based on user input to identify Internet domains which are candidates for acting as a honeypot domain. The list of domains is refined by a determination unit to exclude domains which are unlikely to be useful. A domain indexer ranks the domains on the basis of a plurality of criteria which are indicative of the likelihood of a domain receiving spam communications.
Abstract: Configuring a device operating in a network environment comprises receiving a network policy from a policy authority, classifying the network policy based on the identity of the policy authority, determining a local policy according to the classification, and determining a device configuration change to comply with the network policy in accordance with the local policy. Configuring a device joining a network environment includes detecting that a device has joined the network environment, sending a network policy from a policy authority to the device, the network policy including authentication information for the policy authority, and notifying the presence of the device to a policy monitor.
Abstract: Binary files of one or more applications are scanned to identify database command templates contained therein, wherein each DB command template comprises a sequence of elements including one or more input markers. Once the DB command templates are identified, they are copied to a memory. While in the memory, the command templates can be used to identify abnormal DB commands. In one embodiment of a method, a first template is generated in response to receiving a first DB command from a computer system, wherein the first DB command comprises a sequence of elements including one or more user input values. The first template can be generated by replacing all user input values in the received first DB command with input markers. Thereafter the first template is compared to one or more of the DB command templates copied to the memory.
Abstract: A storage management device records write requests that are directed to a data store. In one embodiment, the storage management device records a plurality of write request entries, each one of which includes information relating to a write request, in at least one first database table, and maintains, for each first database table, at least one record in a second database table. The one or more records in the second database table include data representing the effects of the write requests on a state of at least one portion of the data store. In one such embodiment, each time that one write request entry is recorded in one first database table, the storage management device updates at least one record in the second database table.
Type: Grant
Filed: August 24, 2004
Date of Patent: March 8, 2011
Assignee: Symantec Corporation
Inventors: Robert Perry, Ron Passerini, Michael Rowan
Abstract: Disclosed is a method implementable by a computer system for maintaining consistency between mirrors of a mirrored data volume. In one embodiment, the method includes the computer system generating first and second write transactions in response to the generation of transaction to write data to a mirrored data volume. The first and second write transactions comprise first and second tags, respectively. The first and second tags relate the first write transaction to the second write transaction. In one embodiment, the first and second tags are identical. After the first and second write transactions are generated, the computer system transmits the first and second write transactions to first and second storage subsystems, respectively. In one embodiment, the first and second storage subsystems store or are configured to store respective mirrors of the data volume.
Type: Grant
Filed: February 27, 2004
Date of Patent: March 8, 2011
Assignee: Symantec Operating Corporation
Inventors: Ronald S. Karr, Ramana Jonnala, Narasimha R. Valiveti, Dhanesh Joshi
Abstract: An exemplary method for using multiple in-line heuristics to reduce false positives may include: 1) training a first heuristic using a set of training data, 2) deploying the first heuristic, 3) identifying false positives produced by the first heuristic during deployment, 4) modifying the training data to include the false positives produced by the first heuristic, 5) creating a second heuristic using the modified training data, 6) deploying both the first heuristic and the second heuristic, and then 7) applying both the first heuristic and the second heuristic, in sequence, to a set of field data.
Abstract: A method and system for filtering email spam using email noise reduction are described. In one embodiment, the method includes detecting, in an email message, data indicative of noise added to the email message to avoid spam filtering. The method further includes modifying the content of the email message to reduce the noise, and comparing the modified content of the email message with the content of a spam message.
Type: Application
Filed: November 8, 2010
Publication date: March 3, 2011
Applicant: SYMANTEC CORPORATION
Inventors: Matt Gleeson, David Hoogstrate, Sandy Jensen, Eli Mantel, Art Medlar, Ken Schneider
Abstract: A method, system, computer system, and computer program product that use application requirements, business priorities, and compatibility and dependency among applications to allocate resources among those applications in a clustering environment. A workload policy engine is aware of the resources available within each cluster, as well as the capacities of those resources. Multiple instances of the workload policy engine can be run in different clusters. The workload policy engine can be used in conjunction with disaster recovery products as well as with provisioning software so that new machines can be provisioned in and out of a cluster dynamically, such as in a blade environment. Furthermore, the workload policy engine can be used in conjunction with dynamic repartitioning capabilities provided by different hardware platforms for large computer systems, as well as with performance monitoring software.
Type: Grant
Filed: March 31, 2004
Date of Patent: March 1, 2011
Assignee: Symantec Operating Corporation
Inventors: Darshan B. Joshi, James A. Senicka, Kaushal R. Dalal, Roger H. Davis, Jr.
Abstract: A system and method for handling un-partitioning of a computer network are disclosed. Routing information may be stored on a first node in the network when the network is partitioned into a first group of nodes and a second group of nodes, where the first node is in the first group of nodes. Storing the routing information on the first node may include storing information usable to route messages to nodes in the first group of nodes. A technique for determining when the second group of nodes has become un-partitioned from the first group of nodes (i.e., for determining when the partition has been repaired) may be employed. In response to determining that the second group of nodes has become un-partitioned from the first group of nodes, the routing information on the first node may be modified. Modifying the routing information on the first node may include storing information usable to route messages to nodes in the second group of nodes.
Abstract: A technique for providing computer security is provided. Providing computer security comprises providing an executable associated with a static state, determining whether the executable meets a predetermined criterion, and associating a risk level with the criterion if it is determined that the executable meets the predetermined criterion. Determining whether the executable meets a predetermined criterion does not compare the executable with a virus signature.
Abstract: A technique allows for the automatic configuration of anti-malware programs so as to prevent such programs from scanning particular domains. Upon automatic detection of a predetermined type of program, a configuration of that program is determined. Based on the configuration of the predetermined type of program, a domain of the predetermined type of program is excluded from a domain of the anti-malware program. Accordingly, the domain of the anti-malware program is ensured not to overlap with that of the predetermined type of program.
Abstract: A scanning optimization manager efficiently scans files for malicious code. The scanning optimization manager maintains a non-tamperable record of modifications to files on a volume. The scanning optimization manager receives at least one malicious code signature. Responsive to the receipt of the at least one malicious code signature, the scanning optimization manager scans at least some files on the volume for the at least one malicious code signature at a priority corresponding to an associated modification status.
Abstract: Instant messages are sent to and from a device. For example, one embodiment of a method involves detecting an instant message on a port associated with a device and performing an action corresponding to an administrative command, where the instant message includes information indicative of the administrative command. Another embodiment of a method involves detecting a trigger condition during operation of a device and sending an instant message to an administrator, where the instant message includes information indicative of the trigger condition.
Abstract: A system allowing a target machine to be booted up from a disk image stored in memory. Instead of reading the boot-up information from a disk drive or other physical device, the data is read from memory. No modification is necessary to the native operating system, input/output subsystem, bootstrap code, etc., since the invention modifies characteristics, such as vectors used by the operating system, to make the disk image in memory appear to be the same as a standard external device.