Abstract: A method and a system for controlling terminal access, and a terminal for controlling access are provided. The method includes: receiving a policy configuration sent by a server on a network side; modifying local setting according to the policy configuration; and controlling an access authority of the terminal according to the modified local setting. Thus, when terminal access control is needed for a terminal connected to the network, the policy configuration can be delivered to the agent of the terminal, so that the agent controls an access authority of the terminal according to the policy configuration. Thereby, the convenient and flexible separation of the pre-authentication domain and the post-authentication domain is realized for different terminals, so as to meet the requirements for access control of multiple terminals.

Abstract: An exemplary computerized method is disclosed, comprising booting a destination computer in a pre-boot mode after a disk image comprising a first operating system is downloaded to the destination computer, initiating an identification module in the pre-boot mode to identify a device of the destination computer, receiving a device identifier of the device of the destination computer, identifying, using the device identifier, a driver compatible with the device, and downloading the driver to the destination computer before the destination computer is booted into the first operating system of the disk image for the first time. The method may also comprise receiving a hardware-abstraction-layer identifier of a hardware-abstraction layer of the destination computer, identifying a hardware-abstraction-layer file compatible with the hardware-abstraction layer of the destination computer, and downloading the hardware-abstraction-layer file to the destination computer.

Abstract: A method, a device, and a system for network interception are provided. The method for network interception includes the following steps. A matching rule obtained by parsing an interception policy. Received data are selected by adopting a deep packet inspection (DPI) according to the matching rule so as to obtain an interception result, in which the received data are obtained by adopting data preprocessing to filter packet data according to a service customizing rule obtained by parsing the interception policy. The system for network interception includes a service probe server (SPS) and a service analyze server (SAS). Thus, various packet data services transmitted over an Internet protocol (IP) network can be intercepted.

Abstract: A reputation server is coupled to multiple clients via a network. A security module in each client monitors client encounters with entities such as files, programs, and websites, and then computes a hygiene score based on the monitoring. The hygiene scores are then provided to the reputation server, which computes reputation scores for the entities based on the clients' hygiene scores and the interactions between the clients and the entity. When a particular client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The reputation score may comprises a statistical measure based on a number of other trustworthy or “good hygiene” clients that have a hygiene score above a threshold. The client communicates this reputation score to a user with a message indicating that the reputation score is based on other clients deemed trustworthy.

Abstract: Embodiments of the present invention provide a method and a system for detecting a malicious code. The method includes obtaining first system information and second system information, and detecting the malicious code by identifying difference between the first system information and the second system information, which thus can detect an unknown malicious code, improve the system security, and can be easily implemented.

Abstract: A method and apparatus for prioritizing provisioning data within a provisioning server. The prioritized provisioning data may be used to provision a target server in accordance with the prioritization.

Abstract: A risk assessment module identifies information regarding a source. The risk assessment module submits the identified information regarding the source to a server. A compilation module of the server accesses one or more services to determine one or more characteristics of the source. The compilation module provides the determined one or more characteristics of the source to the client. A presentation module of the client presents the one or more characteristics of the source to a user.

Abstract: An application uses a set of resources, where the set of resources may include a variety of software and hardware resources, such as database management software, file systems, logical volumes, and physical disks. Configuration information, including various attributes of individual resources and dependencies among resources, is used to manage the set of resources. For example, tuning parameters for a database management system and information describing the dependency of the database management software on a set of logical volumes may be maintained as part of the configuration information. A subset of this configuration information is dynamically maintained in volatile storage. Recovery software is configured to retain a previous state of the dynamically maintained configuration information by storing the previous state in persistent storage.

Abstract: A method, system and apparatus for acquiring an interface are provided. The method includes: acquiring, by an interface requester, an interface identification and an interface generation parameter in response to a request from a client, transmitting the interface identification and the interface generation parameter to an interface arranger, the interface identification being used to identify an interface generator that may generate an interface; generating, by an interface arranger, an interface instance at the interface generator based on the received interface identification and interface generation parameter; and delivering, by the interface arranger, the interface instance to the client through a communication mechanism between the interface requester and the interface arranger. According to the disclosure, the software extensibility may be improved, the software development cycle may be shortened, and the software maintainability may be enhanced.

Abstract: A method, a system for managing port status of a network device, and a relay device are provided in the field of network management. The method includes the following steps. A relay device detects working status of ports in a logic group, and the ports are mounted on the relay device and connected to an upstream/downstream device. When it is detected that the working status of a port in the logic group is Down, the relay device sets the working status of the other ports in the logic group as Down, so that the upstream/downstream device of the relay device switches a terminal service to a standby link according to the ports' Down status in the logic group being detected. The relay device includes a detecting module and a setting module. The system includes a relay device and an upstream/downstream device of the relay device. The technical solution provided in the embodiments of the present disclosure guarantees that the terminal service is transmitted uninterruptedly.

Abstract: A snapshot manager switches the roles of a production storage device and a corresponding snapshot device by modifying read and write requests to the devices. Thus, translation mapping information concerning the acting snapshot device does not change, so a remote computing device can perform a backup from the acting snapshot without having to restart every time content is written to the production device. After the backup operation, the snapshot manager can update the underlying data source from the acting production device to capture writes to production that occurred during the backup. The snapshot manager then reverts the roles of the storage device and the snapshot to normal.

Abstract: A system and method for efficient file content searching within a file system. In one embodiment, the system may include a storage device configured to store data and a file system configured to manage access to the storage device. The file system may be configured to detect a search operation to determine the presence of a given data pattern within a first file stored on the storage device, and to store an indication of the given data pattern and an indication of result data of the search operation in a first record associated with the first file.

Abstract: A system for asynchronous reads of old data blocks updated through a write-back cache includes a storage device, a write-back cache, a storage consumer, a storage processing node, and device management software. The device management software may be configured to store a new version of a data block in the write-back cache in response to an update request from the first storage consumer and to then send an update completion notification to the first storage consumer. Some time after the update completion notification has been sent, the device management software may be configured to send a previous version of the updated data block to the storage processing node, where it may be required to perform an operation such as a copy-on write operation or a snapshot update.

Abstract: A method, system, computer system, and computer program product to allocate storage resources among multiple logical volumes. In response to a request to perform a set of operations on multiple logical volumes, a set of allocations of available storage space for performing the set of operations is made. At the time of identifying the storage regions to use for each allocation, the remaining operations and the storage regions that would be available for performing the remaining operations are examined. The rules for implementing each of the logical volumes can be evaluated as part of this examination. If it is apparent that one of the remaining operations will fail based upon a particular set of allocations, space allocated for a previous operation can be de-allocated and alternative allocations can be examined to find a set of allocations that enable the request to be performed successfully.

Abstract: A method and apparatus for creating and using a policy-based file access/change log. Using the policy-based techniques, specific objects within the file system are selected for logging within an access/change log. These selected objects are then processed to identify attributes of the selected objects that are to be logged such that a policy is created regarding the objects to be logged and the attributes of those objects. Lastly, the policy is applied to the object either by having a separate object (file) created that is related to the object to be logged that identifies the policy for logging, or by attaching certain attributes directly to the object such that access to the object identifies the logging policy for that object. When an object that uses policy-based logging is changed, the object access/change log policy is utilized to log only the information that is identified in the policy.

Abstract: A system for coordination for quality of service in multi-layer storage virtualization environments includes a first, second and third storage entity at a respective first, second and third layer of virtualized storage. The first storage entity sends a request for an I/O task to the second storage entity. In response to the request, the second storage entity may be configured to cooperate with the third storage entity to perform one or more I/O operations to satisfy one or more quality of service requirements associated with the I/O task.

Abstract: Parameters of DNS transactions associated with DNS MX record queries, which may be performed by mass-mailing worms from a host computer system, are detected at a DNS proxy and collected. An outbound SMTP transaction, such as an e-mail message, received at an SMTP proxy is stalled at the SMTP proxy and a determination is made whether malicious code activity is detected on the host computer system by correlating the parameters associated with the DNS MX record queries and the e-mail message. In one embodiment, above a specified threshold rate of DNS MX record queries to resolve SMTP server IP addresses, followed by the use of a resolved SMTP server IP address to send the e-mail message, an assumption is made that the e-mail message is generated by a worm, such as a mass-mailing worm, and protective action is taken thus preventing propagation of the worm, or other malicious code, via the outbound e-mail message.

Abstract: A method involves generating a block-level write operation, which causes a value to be written to a primary volume, and generating information indicative of whether any of the block-level write operation should be transferred to a secondary site during replication of data in the primary volume. The information can indicate that all, part, or none of the block-level write operation should be transferred to the secondary site. If the information indicates that less than all of the block-level write operation should be transferred to a secondary site, the information can also indicate that logical information associated with the block-level write operation should be transferred to the secondary site instead of transferring the value being written by the block-level write operation.

Abstract: Various methods and systems for presenting a logical view of a database backup are disclosed. One method involves querying a database recovery manager for logical identifiers that correspond to physical backup pieces generated during a backup. The method uses the logical identifiers to display a backup view to a user. The backup view identifies logical database components that are available to be restored.

Abstract: A filter driver for implementing disk space quotas is described. Quota limits on disk space taken up by files in the file system are established for users and directories, and an internal database is established to track quotas against actual disk space utilization. A driver in accordance with the invention uses kernel resources of the operating system to prevent execution of file system I/O operations which would violate any established quota. In doing so, the driver executes a logic in kernel mode which serializes file allocation operations and also serializes access to the internal database. The first step in this logic is to intercept file system I/O requests before they reach the file system driver. Then the driver determines prospectively—before the I/O request is completed—whether any quota would be exceeded by completion of the I/O request. If a quota would be exceeded, completion of the I/O request is blocked and an error status is issued.