Abstract: A malicious e-mail manager provides protection from malicious e-mail attacks. A malicious e-mail manager examines an e-mail stream, and identifies suspicious e-mail messages therein. The malicious e-mail manager inverts responses to addresses from which identified suspicious e-mail originated. Where the target address of a suspicious e-mail message points to an existing recipient, the malicious e-mail manager returns an error code to the originating address indicating that the recipient does not exist. On the other hand, where the target address of a suspicious e-mail message points to a non-existent recipient, the malicious email manager returns a success code to the originating address, indicating that the e-mail message was delivered. Thus, senders of malicious e-mail believe that existing users are non-existent and vice versa. E-mail from legitimate senders is handled normally.

Abstract: Virus detection modules (120) execute virus detection techniques on clients (110) to check for the presence of computer viruses in data and also communicate with a software server (116). A constraints module (320) specifies constraints on the application of certain virus detection techniques. An administrator uses the software server (116) to release (514) a virus detection technique and an associated constraint to the clients (110). The clients (110) execute the technique subject to the constraint, and report the results to the software server (116). The administrator uses the constraint and reported results to determine (518) whether the technique is causing false positive virus detections. If necessary, the administrator modifies (520) the technique to reduce the false positives and/or modifies (524) the constraint to cause the technique to execute more frequently. The constraints allow the administrator to detect false positives without inconveniencing most clients (110).

Abstract: A system for automated concurrency configuration of multi-threaded programs comprises one or more processors and memory coupled to the processors. The memory stores program instructions executable by the processors to implement a resource management tool. The resource management tool is configured to determine respective target values for one or more concurrency configuration parameters to be set in a deployment of an application using an analytic model and a set of performance metrics obtained from the application (e.g., values of throughput, response times, and corresponding resource utilization measurements), and to deploy the application with the concurrency configuration parameters set to the target values.

Abstract: An anti-spyware manager uses domain name service resolution queries to combat spyware. The anti-spyware manager maintains a list of domain names associated with spyware, monitors domain name service queries, and detects queries on domain names on the list. Responsive to detecting a domain name service query on a domain name associated with spyware, the anti-spyware manager forces the domain name service query to resolve to an address not associated with the domain name. Because attempts by spyware to communicate with its home server are now routed to the forced address, the spyware is unable to communicate with its homer server, and thus can neither steal information nor download updates of itself. Additionally, the anti-spyware manager can identify computers that are infected with spyware and clean or quarantine them.

Abstract: Information identifying the inode of the parent directory of a file may be stored in that file's inode. A reverse pathname lookup from the file's inode identifier may be performed by reading a parent directory inode identifier of the file's parent directory from the file's inode and using the parent directory inode identifier to generate a pathname for the file. Generating the pathname may involve identifying the filename of the file by searching the parent directory identified by the parent inode identifier for the file's filename. A file's inode may include more than one parent directory inode identifier.

Abstract: A method and apparatus for accessing a virtualized storage volume are described. At least one volume map is copied to a virtualization switch prior to an application requesting access to a storage volume via the virtualization switch, where the volume map facilitates mapping the storage volume access request to an appropriate physical storage device and is copied from a source external to the virtualization switch.

Abstract: A legacy application program contains unmanaged code. Application definitions for common unmanaged applications are established. An application definition includes a manifest that describes the unmanaged code and an execution wrapper that projects the unmanaged code as a managed assembly to the execution environment. An application definition can also specify other modifications to the unmanaged code, such as modifications to cause the unmanaged code to call managed application programming interfaces (APIs). The application definition is utilized to transform the unmanaged code into a managed assembly. The manifest and wrapper are added to the managed assembly and the unmanaged code is maintained as a resource. The managed execution environment uses the manifest to compute a permissions set for the unmanaged code, and the wrapper invokes the unmanaged code. The unmanaged code uses the managed APIs, and the managed execution environment can therefore manage execution of the code.

Abstract: A method and system of providing access to a virtual storage device is disclosed. According to one embodiment, access is provided to a virtual storage device comprising a file system storage object to store data to be written to the virtual storage device and a storage device. According to another embodiment, the virtual storage device further comprises a file system storage object to represent the virtual storage device.

Abstract: A method for detecting malicious code on an information handling system includes executing malicious code detection code (MCDC) on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the MCDC. The detection routines associate weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code as a function of the weights associated by the detection routines. Computer-readable media and an information handling system are also disclosed.

Abstract: A method for detecting malware is disclosed. The method may include examining a plurality of metadata fields of a plurality of known-clean-executable files. The method may also include examining a plurality of metadata fields of a plurality of known-malicious-executable files. The method may further include deducing, based on information obtained from examining the plurality of metadata fields of the plurality of known-clean- and known-malicious-executable files, metadata-field attributes indicative of malware. Corresponding systems and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting man-in-the-browser attacks may include identifying a transaction fingerprint associated with a web site. The method may also include tracking a user's input to the web site. The user's input may be received through a web browser. The method may further include intercepting an outgoing submission to the web site. The method may additionally include determining whether, in light of the transaction fingerprint, the user's input generated the outgoing submission. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In a process to restore a data volume in a first memory, a virtual point-in-time (PIT) copy of the data volume is created. Creating the virtual PIT copy includes creating first, second and third maps in memory. Each of the first, second, and third maps includes a plurality of multi-bit entries. Each of the entries of the first and second maps corresponds to a respective memory region of the first memory, while each of the entries of the third map corresponds to a respective memory region of a second memory for storing data of the virtual PIT copy.

Abstract: A system and method for mail server backup. In one embodiment, the method may comprise storing one or more messages on a mail server, where each message is associated with an index time. The method may then perform a full backup by storing each message and a backup time associated with the full backup on a backup medium, and perform a partial backup by storing selected messages on the backup medium dependent upon a difference between the index time associated with each message and the backup time. In one embodiment the partial backup may be performed by backing up each message that includes an index time that is dated after the backup time. In a further embodiment, each message on the mail server is contained in a mail folder object, and storing the backup time may comprise modifying a data member of the mail folder object.

Abstract: A data center control system includes a storage configured to maintain an emission usage value indicative of an estimated amount of greenhouse gas emission caused by consumption of power by resources within one or more data centers. The control system also includes a controller that may provide a signal to control an operation of at least one of the resources depending upon the indication of the estimated amount of greenhouse gas emission.

Abstract: Mechanisms for generating an incremental backup of a set of data blocks while excluding certain files that are less desired to be backed up. Examples of such files include temporary Internet files and the recycle bin. This allows the size of the incremental backup to be reduced significantly since such undesired files are often changed between backups. The incremental backup is constructed by first calculating which data blocks should be included in the incremental backup. The calculation is a function of at least the identity of which if any of the data blocks in a prior snapshot have been or would have been altered as a result of potential file alterations in the prior snapshot, and/or which if any of the data blocks in the subsequent snapshot have been or would have been altered as a result of potential file alterations in the subsequent snapshot.

Abstract: A computer accessible medium may be encoded with instructions which, when executed: replicate a checkpoint segment from a first local storage of a first node to at least one other node; and load a copy of the checkpoint segment from the other node to a second local storage of a second node. The checkpoint segment is stored into the first local storage by an application, and comprises a state of the application. The copy of the checkpoint segment is loaded into a second local storage responsive to a request from the second node to load the copy. The second node is to execute the application. In some embodiments, the copy of the checkpoint segment may also be loaded into a global storage.

Abstract: A computer-implemented method for determining, in response to an event of interest, whether to perform a real-time file scan by examining the full context of the event of interest may comprise: 1) detecting an event of interest, 2) identifying at least one file associated with the event of interest, 3) accessing contextual metadata associated with the event of interest, 4) accessing at least one rule that comprises criteria for determining, based on the event of interest and the contextual metadata, whether to perform a security scan on the file, and then 5) determining, by applying the rule, whether to perform the security scan on the file. Corresponding systems and computer-readable media are also disclosed.

Abstract: A computer-implemented method for enabling community-tested security features for legacy applications may include: 1) identifying a plurality of client systems, 2) identifying a legacy application on a client system within the plurality of client systems, 3) identifying a security-feature-enablement rule for the legacy application, 4) enabling at least one security feature for the legacy application by executing the security-feature-enablement rule, 5) determining the impact of the security-feature-enablement rule on the health of the legacy application, and then 6) relaying the impact of the security-feature-enablement rule on the health of the legacy application to a server. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A spam manager (101) receives (201) at least one e-mail (106) addressed to a domain (103). The spam manager (101) performs (203) a signature based analysis of received e-mail (106) to determine whether received e-mail (106) includes at least one signature indicative of spam. Responsive to the spam manager (101) identifying e-mail (106) that does not include at least one signature indicative of spam and to a timeout period not having transpired from a time of receipt of the e-mail (106) by the spam manager (101), the spam manager (101) performs (205) at least one secondary analysis of the identified e-mail (106).

Abstract: Computer-implemented methods, apparati, and computer-readable media for thwarting computer attacks. A method embodiment of the present invention comprises the steps of examining (52) a digital certificate (20) presented by a server computer (2); compiling (53) a set of suspicion indications (31) gleaned from said examining step (52); feeding (54) said suspicion indications (31) to a trustworthiness calculation engine (30); and outputting from said engine (30) a trustworthiness factor (32) that determines whether SSL stripping is to be used (57) on communications with said server computer (2).