Abstract: An electronic message manager (100) examines (210) incoming electronic messages and determines (220) whether an incoming electronic message comprises at least one suspect link associated with a remote system. In response to the determination (220) that the incoming message comprises at least one suspect link, the electronic message manager (100) replaces (230) each suspect link with a redirection link. In response to a user attempting (240) to connect to the remote system by clicking on the redirection link, the electronic message manager directs the user to a remote analysis site for deciding (260) whether that incoming message comprises a phishing message.

Abstract: Techniques for file system recovery are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for file system recovery comprising starting a recovery process for a failed node, utilizing the recovery process to read one or more committed but un-applied transactions from storage associated with the failed node, and recreating the one or more committed but un-applied transactions in memory associated with the recovery process.

Abstract: Techniques for virtual archiving are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for performing virtual archiving comprising applying archiving rules to a backup catalog, generating a virtual archive catalog based at least in part on a result of applying archiving rules to the backup catalog, determining a backup image associated with the virtual archive catalog becoming expired and converting the backup image into an archive image.

Abstract: The inventions relate generally to protection of computing systems by isolating intrusive attacks into layers, those layers containing at least file objects and being accessible to applications, those layers further maintaining potentially intrusive file objects separately from regular file system objects such that the regular objects are protected and undisturbed. Also disclosed herein are computing systems which use layers and/or isolation layers, and various systems and methods for using those systems. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims.

Abstract: An embodiment of the invention includes a secure server. A user at a terminal, communicatively coupled to the secure server by a secure link, can obtain web pages from web sites in a network, in encrypted form, via the secure link. Addresses associated with the web pages are altered to make it appear as if the web pages come from the secure server rather than from the web sites. Spoofing units may be used as alternative access points to the secure server, with the secure server sending the requested web pages directly to the terminal. In general, address rewriting and other manipulation can be performed on the requested web pages, such that the true sources of the web pages are disguised and such that subsequent communications from the terminal are directed to the secure server and/or spoofing unit, rather than to the true source of the web pages. Components of the user's privacy may be sold, or advertisements may be provided, in exchange for protection of the user's identity.

Abstract: A worm detection manager detects computer worms when they arrive at target computers via open network shares. The worm detection manager monitors incoming file system traffic, and determines the source of incoming files. The worm detection manager determines that an incoming file is infected with a worm, responsive to circumstances such as substantially the same file being written to the target computer by a requisite plurality of computers; substantially the same file being written to the target computer a requisite number of times by the same computer; substantially the same file being written to the target computer a requisite number of times within a requisite time period; and substantially the same file being written to the target computer through a requisite number of open shares.

Abstract: A system and method for an election and data majority mechanism that solves problems such as bit flipping, mistracking, miscaching, and I/O status errors during real-time operations. Multiple copies of data are stored on various storage media of a data processing system. Errors that occur on the storage media or on other components of the data processing system are resolved by selecting the data with the highest frequency as the data majority. The data majority is propagated throughout the storage media to correct errors.

Abstract: A method, system, computer system, and computer-readable medium to trigger protection of a set of data based upon the type or class of the data in the set and/or an amount of data that has changed since some prior point in time. Types of protection that can be triggered include full backup, incremental backup, switching to a different type of continuous replication, intermittent replication, and virus detection. Using the type of the data as a basis for triggering protection enables the operational significance of different sets of data to be taken into account when allocating protection resources. Data sets may be pre-classified, or an automated determination of the type of a data set may be determined by variables measured at run-time. The amount of the changed data in a set that triggers protection may vary in accordance with the type of the set of data.

Abstract: From a first information handling system (“IHS”) to a second IHS, in response to a request for initiating an online transaction, a program is downloaded for detecting malicious code on the second IHS.

Abstract: System and method for providing a common data model for SAN discovery and/or SAN monitoring information collected from heterogeneous SAN components. In one embodiment, a SAN management server may execute on a host computer and may translate data in one or more vendor-specific languages obtained from a heterogeneous vendor population into canonical data in a uniform language. In one embodiment, the SAN management server may execute a set of rules to convert heterogeneous SAN data obtained from heterogeneous interfaces into canonical data conforming to the common data model. In one embodiment, the canonical data may be stored in a persistent store, which may be queried for information that may be provided to the requester in the canonical form of the common data model.

Abstract: A method, apparatus, and computer program product for setting and implementing a policy to compress the history of data on a temporal volume is described.

Abstract: A system for managing boot-up of target machines. In a preferred embodiment, a server computer acts as a managing computer. A target machine notifies the server that the target machine has been powered-up. The server allocates an IP address and sends a response to the target machine. The target machine download boot-up software from the server computer. The target machine then downloads discovery software from the server computer for purposes of determining information about the configuration and resources of the target machine. Standard protocols and mechanisms such as DHCP, BOOTP, TFTP and others can be used. The system works with different types of manufacturers' processors and platforms.

Abstract: File allocations on a disk are defragmented. Determinations are made concerning pages to be swapped among various allocations made by an operating system (OS). Determined pages are swapped by performing a step from a group of steps consisting of: a) manipulating data structures so as to indicate swapping of pages without actually swapping data between physical locations on a medium; and b) moving data on a medium where OS visible data is read and written. An OS file system mapping is updated to reflect the swapped pages; and program code for logging indications of the swapped pages so that an image of the OS visible data prior to the swapping can be reconstructed, without requiring that each read operation and each write operation be written to a history log.

Abstract: Various embodiments of a method for detecting a trend in a computer network comprising a plurality of nodes are described. According to one embodiment of the method, network admission control is performed for each node in the network. One or more configuration fingerprints may be created for each node in response to the network admission control for the node, e.g., where the configuration fingerprints for a given node identify selected aspects of the configuration of the node. The method further comprises detecting a trend based on at least a subset of the configuration fingerprints for the nodes. For example, the configuration fingerprints may be analyzed in order to detect trends that indicate security threats.

Abstract: A technique is disclosed for identifying network traffic. The traffic data is converted into a wave vector. The wave vector is compared with a wave template. It is then determined whether the wave vector is substantially similar to the wave template.

Abstract: A plurality of data objects may be replicated across a plurality of computing nodes coupled to a network. The network may include a first node operable to initiate an update operation to update a plurality of replicas of a first object. If one or more of the replicas are not reachable then the update operation may update a subset (e.g., a quorum) but not all of the replicas. For each node on which one of the replicas was updated in the update operation, the node may add the object to a list of incoherent objects. The list of incoherent objects may subsequently be used to bring the lagging replicas in sync with the replicas that were updated. In another embodiment, a plurality of replicas of an object may be stored on a plurality of nodes, similarly as described above. A first node that stores a replica of the object may store a first timestamp associated with the replica on the first node.

Abstract: Embodiments of a system and method for making an archival copy of business data by performing a third party copy of backup data across a SAN are described. A SAN may include a SAN fabric, multiple host/servers and multiple storage devices including archival storage devices. The SAN fabric may include the switches, hubs, bridges, routers, etc. necessary to allow any host/server to access any storage device. The host/servers may allow applications access to primary data stored in the SAN. At least one of the host/servers may run a backup server that is responsible for making backup and archival copies of the primary data stored on the storage devices by the applications. The backup server may initiate a server-free copy of the backup data through the SAN fabric to the archival storage devices.

Abstract: A message manager monitors incoming e-mail messages. The message manager determines whether the from field of each incoming e-mail message indicates that the e-mail message originates from a recognized domain. Responsive to determining that the from field indicates that the e-mail originates from a recognized domain, the message manager compares at least one domain associated with at least one link found embedded in the text of the e-mail message to a list of authorized domains. Based on the results of the comparison, the message manager determines whether the e-mail message originates from a recognized domain.

Abstract: A security server distributes security polices to the client computers. Each security policy includes an identifier identifying the process to which the policy pertains, and security rules for use with that process. The identifier includes a version hash and a code hash. The version hash of a process is likely to remain unchanged if the process is modified by a legitimate agent, such as by a software update. The code hash of a process is likely to change if the process is modified by a malicious agent. When a process executing on the client computer requests access to a resource, the client computer generates a version hash of the process and uses it to identify the security policy pertaining to the process. If the version hash matches a version hash in a security policy, but the code hash does not match, the client computer declares the process potentially malicious.

Abstract: A system and a method of providing a dynamic computing environment to a user, in which the dynamic computing environment is configured to communicate and to operate under the control of the user. The dynamic computing environment has one or more virtual resources including at least one virtual computing device and one or more computer programs associated with the at least one virtual computing device. According to the present invention, the user has access, for example, to interact with, to modify, and to use the dynamic computing environment including the at least one virtual resource and the at least one physical resource.