Abstract: A cloning manager preserves in-place file system objects during a clone operation. The cloning manager determines boundaries on a target storage medium to contain a resultant file system to be created by the clone operation, and identifies at least one protected area within the boundaries to be overwritten by the clone operation. The cloning manager also identifies at least one in-place file system object at least partially within the boundaries not to be overwritten during the clone operation. The cloning manager ensures that each in-place file system object is not located in a protected area, shifting the objects as necessary. The cloning manager performs the clone operation, creating the resultant file system only in locations within the boundaries in which no in-place file system object is located.

Abstract: One or more mobility token managers (101) track movement of files (105) within a network. A mobility token manager (101) on a source computer (113) detects an attempt to write a file (105) to a target computer (117). Responsive to the detection, the mobility token manager (101) writes a mobility token (103) containing data concerning at least the file (105) and the write operation to the target computer (117). A mobility token manager (101) on the target computer (117) detects that the mobility token (103) is being written to the target computer (117). The mobility token manager (101) on the target computer (117) reads the mobility token (103), and determines relevant information concerning the file (105) associated with the mobility token (103).

Abstract: A scan-on-read manager efficiently scans received data. The scan-on-read manager detects attempts by applications to read received data. The scan-on-read manager scans received data only responsive to an application attempting to read it. The scan-on-read manager only allows the application to read received data that has been scanned.

Abstract: Disclosed is a method and apparatus for refreshing a copy of a data volume. In one embodiment of the method first and second data portions of a data volume are copied to first and second memory blocks, respectively, of a memory coupled to a computer system. First and second bits of a first map stored in memory are then set, wherein the first and second bits correspond to the first and second memory blocks, respectively. The first data portion of the data volume is modified after the first data portion is copied to the first memory block. A first bit in a second map stored in memory is set after data of the first data portion is modified. An instruction is generated to refresh the data contents of the first and second memory blocks. The first bit of the first map is cleared in response to generation of the refresh instruction.

Abstract: System, methods, and computer readable media for determining whether a computer file (340) has been infected by an attacking agent. A scanning engine (205) generates a new hash of a critical viral target region of the file (340) and compares it to a stored hash of the critical viral target region. The scanning engine (205) determines whether the file (340) has been scanned by the most recent version of a detection module (425) associated with the attacking agent. If the hashes are identical and the file (340) has been scanned by the most recent version of the detection module (425), the scanning engine (205) determines that the file (340) is free of infection by the attacking agent.

Abstract: A source process duplicates handles owned by a target process, without the source process having debug privileges. A handle duplication manager running in kernel space receives requests from source processes for duplicates of handles owned by remote target processes. In response to a request, the handle duplication manager accesses address space of a target process, and calls a system object duplication function with a request to duplicate the requested handle(s) of the target process. The handle duplication manager running in kernel space calls the system function so as to simulate the origin of the call as being the target process running in user space. The duplication manager receives the requested duplicate handle(s) from the system function, and returns them to the requesting source process.

Abstract: A method includes establishing a SMTP proxy, defining an application that forms a connection with the SMTP proxy as a SMTP client application, emulating the SMTP client application including generating at least one SMTP client application dirty page, intercepting an executable application sent from the SMTP client application with the SMTP proxy, emulating the executable application including generating at least one executable application dirty page. If a determination is made that the at least one SMTP client application dirty page is a match of the at least one executable application dirty page, a determination is made that the SMTP client application is polymorphic malicious code that is attempting to send itself and protective action is taken.

Abstract: A method and mechanism for modifying computing resources in response to application behavior. A computing system includes a replication component configured to replicate data storage from a first data volume to a second data volume. In addition, the replication component is configured to monitor application I/O characteristics and store related statistics. I/O characteristics may include size, concurrency, locality, and frequency. I/O characteristics which are stored, and guidelines for modifying system resources based on those characteristics, may be displayed for use by an administrator in tuning system resources. Periodically, or in response to detecting an event, the replication component may automatically access the statistics and modify the system resources used by the replication system to better accommodate the application's behavior.

Abstract: In some embodiments, a computer accessible medium comprises a plurality of instructions which, when executed: cause a modification of an image of files created from a computer system having first hardware; and cause the image to be copied to a computer system having second hardware different from the first hardware. A difference between the first hardware and the second hardware necessitates that the modification of the image be performed. For example, the difference may indicate that a different device driver is to be included in the image, or that HAL or kernel code is to be changed. A similar method of modifying the image and copying the image is also contemplated.

Abstract: The risk of inadvertent introduction of software bugs to a large number of users during a software update is minimized by controlling updates using a uniform mechanism of sending updates to seed users. A value-generating module generates a value for a computer, the value falling within a population range of values. A sampling range-generating module generates a sampling range of values as a proper subset of the population range, the probability of the random value falling within the sampling range being predetermined. An eligibility determination module determines whether the computer is eligible to receive a software update, the computer being determined eligible when the random value for the computer falls within the sampling range, and an update module provides the software update to the computer based on the eligibility determination. In some embodiments, a problem review module determines whether the update has caused a problem for computers receiving the update.

Abstract: A register signature specifies an initial state of a virtual machine (422) and changes to the initial state made by a block of viral code. A virus detection system (VDS) The VDS (400) selects (810) a file that might contain a computer virus, identifies (812) potential entry points in the file, and identifies (814) possible viral code at or near the entry point. The VDS (400) uses a virtual machine (422) having the initial state specified by the register signature to emulate (820) the possible viral code. While emulating, the VDS (400) builds (822) a register table that tracks the state of the virtual registers (428). Once the VDS (400) reaches an emulation breakpoint, it analyzes the register table in view of the register signature to determine if the new state of the virtual machine is evidence that the emulated instructions are part of a virus.

Abstract: A method for implementing an online transaction security product includes downloading an online transaction security product program from a web site to an information handling system. The security product program includes an anti-malicious code program configured to detect malicious code on the information handling system. Lastly, the security product program is executed, wherein the anti-malicious code program of the security product program operates to detect malicious code on the information handling system.

Abstract: A system for injecting drivers and setup information into pre-created images for image-based provisioning includes a disk image, a software driver configured to allow access to a specific hardware device (such as a disk or a network interface card), and a provisioning tool. The provisioning tool may be configured to insert the software driver and customized system setup information (e.g., a host name and network information) into the disk image after the creation of the disk image and prior to a boot from the disk image of an uninstalled host including the specific hardware device.

Abstract: A method and mechanism for inter-node communication. A first node is coupled to a second node via a communication link. The first node is configured to convey a heartbeat or similar data packet to the second node on a periodic or other scheduled basis. A message manager within the first node is configured to detect an inter-node message is available for transmission to the second node. If the detected message exceeds a predetermined size, the message is partitioned into blocks which are less than or equal in size to the predetermined size. The blocks are then encoded pursuant to a forward error correcting algorithm, such as an erasure code algorithm, and stored as payload in the periodically conveyed data packets. Pseudo-header information may also be included with each block to indicate a message type, message identifier, message length, or block sequence number.

Abstract: Various systems and methods for performing coordinated distributed write logging are provided. A method may involve one of several hosts, each of which has an associated log, requesting permission to perform a write to data in a storage volume from a coordinator. The coordinator coordinates access to the storage volume between the hosts. Prior to receipt of a response from the coordinator granting permission to perform the write to the storage volume, the host may initiate logging the write data for the write to a respective log. The host may signal completion of the write to an application that initiated the write in response to both logging the write data to the respective log and receiving the response from the coordinator. The host may perform one or more underlying block operations to update the storage volume according to the write subsequent to signaling completion of the write to the application that initiated the write.

Abstract: A system and method for detecting and storing file identity change information within a file system. In one embodiment, the system may include a storage device configured to store a plurality of files and a file system configured to manage access to the storage device. The file system may be configured to detect an operation to modify an identity of a first file stored on the storage device and, subsequent to detecting the operation, store a record of the operation associated with the first file, where the record includes a signature corresponding to the first file.

Abstract: A file system event including a file name having at least a last file name extension is intercepted and stalled. The file name is parsed to obtain at least the last file name extension and a next to last file name extension, when present. A determination is made whether the last file name extension is the only file name extension of the file name. Upon a determination that the last file name extension is not the only file name extension of the file name, e.g., there are multiple file name extensions, a determination is made whether the last file name extension is a dangerous file name extension based upon the next to last file name extension. Upon a determination that the last file name extension is a dangerous file name extension, a notification is generated. Optionally, protective actions are implemented, such as terminating the file system event.

Abstract: A mapping tool for hierarchical storage mapping may include a storage hierarchy representation interface, a command interface and remapping software. The storage hierarchy representation interface may be configured to provide a user with representations of a source storage hierarchy and target storage devices, where the source storage hierarchy may include a source storage device with one or more contained storage devices. The command interface may allow the user to request a hierarchical mapping of the source storage device to one or more target storage devices. The remapping software may be configured to create a mapping of the source storage device and the contained storage devices to storage within the target storage devices.

Abstract: Various embodiments of a system and method related to a computer network capable of detecting and breaking cycles are disclosed. First routing information usable to send messages to a first address may be created. The first address may be associated with multiple nodes in the network. When sending a message from a first node to the first address according to the first routing information, a cycle may be detected. The first routing information may be changed to break the cycle.

Abstract: A method includes stalling a call to a heap allocation function originating from a request by an application for a block of heap buffer, predicting a block of the heap buffer to fulfill the request, and determining if a forward link (F-link) and a backward link (B-link) of the predicted block are addresses within a heap segment associated with the predicted block. If a determination is made that the F-link or the B-link point outside the associated heap segment, e.g., have been overwritten by a heap buffer overflow attack, corrective action is taken to correct the stray F-link or B-link. After the corrective action is taken, the heap allocation function call is released and the block of heap buffer is allocated. In this manner, a heap buffer overflow attack is defeated.