Abstract: Methods are provided for detecting the processing status of data blocks. A hash value is used at times in place of a block's data content, thereby reducing processing of the block. Superblocks and superblock hash values are used to manage collisions between hash values of individual blocks, in order to reduce or eliminate the risk that blocks having different content will be treated as though they have the same content merely because they have the same hash value. Systems and configured storage media are also provided.

Abstract: A copy of the raw data on physical disk of an inaccessible source file is automatically generated in an accessible target file. When accessed, the copy of the raw data of the inaccessible source file in the accessible target file can be read allowing a user or application to evaluate the data of the accessible target file, and thus indirectly the raw data of the inaccessible source file. In some embodiments, the copy of the raw data is evaluated for malicious code, allowing a user or application to take protective actions, such as deleting the inaccessible source file. Where the raw data of the inaccessible source file is encrypted, the copy of the raw data is automatically decrypted by the operating system when read yielding unencrypted data. Where the raw data of the inaccessible source file is compressed, the copy of the raw data is automatically decompressed by the operating system when read yielding uncompressed data.

Abstract: An enterprise network can have sanctioned and unsanctioned servers on it. Sanctioned servers are approved by an administrator and perform tasks such as web page serving and mail routing. Unsanctioned servers are not approved by the administrator and represent possible security risks. A service monitor accesses one or more metadata sources having information describing the enterprise network, such as domain name system (DNS) records on the Internet. The service monitor analyzes the metadata and creates a security profile for the enterprise network. The security profile identifies the sanctioned servers. The service monitor monitors network traffic for compliance with the security profile, and detects unsanctioned servers on the network. The service monitor reports violations of the profile and informs the administrator of the unsanctioned servers.

Abstract: The system and method for correlating, predicting and diagnosing system component performance data includes capturing knowledge about system behavior, deploying the captured knowledge as baseline system behavior files, evaluating system performance data against the baseline system behavior files, performing predictive and diagnostic analysis when received system performance data exceeds thresholds in the baseline system behavior files, and notifying a user when an analysis result is generated. The method of capturing knowledge about system behavior includes defining problems to be solved, creating datasets that correspond to defined problems, constructing problem scenarios, associating data patterns modules with the problem scenarios, and generating XML definition files that characterize system behavior in terms of the scenarios, modules, and datasets. The system has the capability to activate corrective scripts in the target system and to reconfigure the target system.

Abstract: Computer-implemented methods, apparati, and computer-readable media for thwarting computer attacks. A method embodiment of the present invention comprises the steps of examining (52) a digital certificate (20) presented by a server computer (2); compiling (53) a set of suspicion indications (31) gleaned from said examining step (52); and feeding (54) said suspicion indications (31) to a consequence engine (30).

Abstract: A computer implemented method includes intercepting transfer of an IM attachment, providing a comforting message that the IM attachment is being delayed, and evaluating the IM attachment for malicious code. Upon a determination that the IM attachment is non-malicious, the IM attachment is transferred to the recipient IM user. By explaining the delay in receipt of the IM attachment, the recipient IM user is prevented from becoming disconcerted about the delay.

Abstract: A technique for improving scalability and portability of a storage management system is disclosed. In one particular exemplary embodiment, the technique may be realized as a storage management system operatively coupled to a storage system. The storage management system may comprise a plurality of processor modules, wherein each processor module is capable of intercepting write commands directed to the storage system, backing up data associated with the write commands, and generating metadata having timestamps for the backup data. The storage management system may also comprise one or more indexing modules that create one or more indexing tables for the backup data based on the metadata, wherein the one or more indexing modules are in communication with the processor modules and the storage system.

Abstract: A method for controlling distribution of network communications (messages). An incoming message either carries priority information, or is assigned priority information based on a shared characteristic with other messages. The priority information is used to determine how and/or when to deliver the message, e.g. by delaying the message for a fixed time. Preferences for receipt of messages by priority level may be communication to upstream hosts along a network path. Accordingly, an intermediary host may reject and/or delay messages that the intended recipient does not wish to receive. This pushes the burden of low-priority messages back to the sender, thereby reducing or eliminating burdens on network/system resources of the recipient and/or intermediaries between the recipient and the sender. Accordingly, it can “squelch” spam messages at or close to their source. Trusted senders complying with prescribed practices may include priority information allowing for delivery of their messages with higher priority.

Abstract: Various methods and systems for performing extent-level backups that support single file restores are disclosed. For example, one a method involves accessing a list, which identifies several extents of a first storage device in a non-contiguous order. The non-contiguous order is non-contiguous with respect to an order in which the extents are arranged on the first storage device. The method then involves reading information from the extents of the first storage device, in the non-contiguous order identified by the list, and the writing the information to backup media. The information is written to the backup media in the non-contiguous order identified by the list. As a result, a first portion of the information, which is included in a first data object, may be less fragmented on the backup media than on the first storage device.

Abstract: Systems, methods, apparatus and software can provide visualization of the topology of a data protection system. Various devices making up the data protection system are displayed using graphical user interface elements such as icons. The display of the devices making up the data protection system illustrates the topology of the data protection system, connections among various system devices, device status information, device activity information, and/or device configuration information.

Abstract: A computer network, system and computer-readable medium for completing a backup job that was interrupted during a backup process is described. The computer-readable medium causes a processor to perform the steps of retrieving an object from one or more volumes stored in a client computer, determining whether the object is listed in a catalog, where the catalog comprises a partially backed up volume from a list of one or more volumes that still need to be backed up, determining whether the object is partially backed up if the object is listed in the catalog and writing the data contained in the object to one or more storage devices if the object is partially backed up or is not listed in the catalog.

Abstract: A computing system configured to detect and/or remove a rootkit. For detection, a snapshot component takes a snapshot of a storage unit. A rootkit detection component accesses an enumeration of individual files stored on the storage unit using an alternative file system I/O to detect the presence of a rootkit. For removal, the location of a rootkit is identified and a computing system shutdown is initiated. A snapshot component pauses the shutdown operation prior to the completion of the shut down and takes a snapshot of a file storage unit. A rootkit repair component accesses the identified location of the portion of the file storage unit containing the rootkit and modifies the portion of the snapshot of the file storage unit so as remove the rootkit.

Abstract: Systems, methods, apparatus and software can make use of coordinator resources and SCSI-3 persistent reservation commands to determine which nodes of a cluster should be ejected from the cluster, thereby preventing them from corrupting data on a shared data resource. Fencing software operating on the cluster nodes monitors the cluster for a cluster partition (split-brain) event. When such an event occurs, software on at least two of the nodes attempts to unregister other nodes from a majority of coordinator resources. The node that succeeds in gaining control of the majority of coordinator resources survives. Nodes failing to gain control of a majority of coordinator resources remove themselves from the cluster. The winning node can also proceed to unregister ejected nodes from shared data resources. These operations can be performed in parallel to decrease failover time. The software can continue to execute on all nodes to prevent additional problems should a node erroneously attempt to reenter the cluster.

Abstract: The present invention provides an exemplary system and method for event driven recovery management. One or more data blocks that are generated from a computing device are continually copied. At least one event marker is associated with the copies of the one or more data blocks. Access to the copies of the one or more data blocks according to the at least one event marker is allowed in order to provide event driven recovery.

Abstract: A method and system of generating a proxy for a database is disclosed. According to one embodiment, a method is provided wherein an image creation technique used to create a point-in-time image of a database is identified, a logical copy of the point-in-time image of the database is created using the image creation technique, and the logical copy of the point-in-time image of the database is presented as a proxy for the database. In another embodiment, one or more updates applied to the database following the creation of the point-in-time image are applied to the logical copy of the point-in-time image of the database.

Abstract: An apparatus and method for faster recovery of validated continuous data protection time images. In one embodiment of the method, an image validation process is initiated. In response, a first write transaction is generated for writing first new data to a first image of a data object that existed at prior time T1. The first new data is written to a first storage. Thereafter data contents of the first storage are copied to a first memory object. Finally, the first memory object is linked with the first image.

Abstract: A file system may employ an enhanced or performance-adjusted allocation scheme when storing data to multiple storage devices. A file system may monitor one or more performance characteristics of storage devices. The file system may, in response to storage requests, select one or more of the storage devices for storing data associated storage requests based on differences among the respective monitored performance characteristics for the storage devices. Additionally, the file system may determine an allocation pattern for storing data to the storage devices and may modify the determined allocation pattern based on a detected change in the monitored performance characteristics of the storage devices. Further, the file system may store data based on both the allocation pattern and on data characteristics associated with a data storage request. The file system may also incorporate input specifying either new performance characteristics or a new allocation pattern.

Abstract: A system and method for determining a storage configuration for an application, where the storage configuration specifies a storage layout for data objects associated with the application. A Storage Configurator program may display a graphical user interface (GUI) for guiding the user through creation of the storage configuration. User input to specify properties of the storage configuration and/or properties of the application may be received to the graphical user interface. The Storage Configurator program may determine a storage configuration for the application, based on the user input received to the graphical user interface.

Abstract: A storage management device can receive a write operation that includes a data payload, store a first instance of the data payload at a first storage buffer in the storage management device, and evaluate a first cost equation to identify a second storage buffer in the storage management device, different from the first storage buffer, at which to optimally store a second instance of the data payload.

Abstract: Computer-implemented methods, apparati, and computer-readable media for blocking the replication of computer worms in a computer. A method of the present invention comprises the steps of: for an e-mail program installed on the computer, finding the location of a temporary holding area used by the e-mail program for storing and opening e-mail attachments; monitoring the temporary holding area for openings of target programs stored within the temporary holding area; and upon the opening of a target program for execution, implementing a worm mitigation procedure.