Abstract: Reputation-based automatic remediation is applied for enforcing good network hygiene of a client. A scanning module scans the client to detect files on the client in response to an attempt by the client to connect to a secure network. A reputation score module retrieves onto the client a reputation score for each of the files detected. The reputation scores can be retrieved from a reputation database of a reputation server storing reputation data for files. A hygiene score module calculates on the client a hygiene score for the client based on the reputation scores for the files on the client. The hygiene score indicates a likelihood of the client to engage in risky behavior. The threshold determination module determines whether the hygiene score exceeds a threshold for bad client hygiene. The policy module applies a policy to the client that restricts network access in response to the hygiene score for the client exceeding the threshold.

Abstract: Method and apparatus for identifying a web server is described. In some examples, an initial request by a client to an intended web server is identified. A fingerprint for the intended web server is determined responsive to the initial request. A subsequent request by the client to the intended web server is detected. A response to the subsequent request is received from a responding web server. Verification of the responding web server as the intended web server is performed using the fingerprint.

Abstract: A method and system for ensuring compliance in public clouds using fine-grained encryption based on data ownership that includes a process for ensuring compliance in public clouds using fine-grained encryption based on data ownership that is implemented, at least in part, at a gateway computing system through which data passes from the enterprise, and/or one or more end users, prior to being sent to the public cloud. In one embodiment, the data is classified, the ownership of the data is determined, the associated encryption keys are obtained, and the data is encrypted, automatically at the gateway computing system before the data is transferred to the public cloud, and in a manner that is transparent to end-users.

Abstract: Storage locations in a first tier of a multi-tier storage system are allocated to a first set of data structures (e.g., inodes) in a first file set. A file that is stored in the first tier is associated with a first data structure of the first set. In response to determining that data in the file should be moved to a second tier of the multi-tier storage system, the file is associated with a second data structure in a second file set. The second data structure is allocated a storage location in the second tier. Consequently, two data structures are associated with the file. The data is copied from the first tier to the storage location in the second tier, and can be subsequently accessed using the second data structure.

Abstract: A method and apparatus for encrypted universal resource identifier (URI) based messaging is described. In one embodiment of the method, a computing system receives an encrypted message from a first client computing system over a network, stores the received message in a message data store, generates a shortened uniform resource locator (URL) for subsequent retrieval of the stored message, and sends the shortened URL to the first client computing system. Subsequently, the computing system receives a request, including the shortened URL, from a second client computing system to retrieve the stored message. The computing system encrypts the stored message in a URI and sends the URI to the second client computing system.

Abstract: A method, system and computer-readable medium for providing rapid failback of a computer system is described. The method, which operates during failback of a secondary computer to a primary computer, accesses a map to determine a location of a latest version of data corresponding to a read request, where the location may be within either a primary data storage or a secondary data storage. The system comprises a primary computer coupled to a primary data storage and a secondary computer coupled to a secondary data storage. The primary computer maintains a write log and the secondary computer maintains a map. The computer-readable medium contains instructions, which, when executed by a processor, performs the steps embodied by the method.

Abstract: A plurality of computing devices used to access backend computing resources of an enterprise by a specific user are identified, and geo-locations of the devices at specific times are tracked. A trusted authentication is received from a specific one of the devices. Responsive to the trusted authentication, the specific device is classified as the primary node of a trusted cluster, and the current geo-location of the user is defined as the geo-location of the specific device, as of the time of the trusted authentication. Devices are assigned to a logical trusted device cluster or to a logical non-trusted device cluster, based on distances between the device geo-locations and the current geo-location of the user, and based on differences between establishment times of the device geo-locations and the establishment time of the user's geo-location.

Abstract: A computer-implemented method for analyzing malware may include: 1) identifying a set of malware samples, 2) identifying, for each malware sample in the set of malware samples, a set of static strings present in the malware sample, and then 3) clustering the set of malware samples based on the set of static strings present in each malware sample. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Various systems and methods for performing tiering-aware data defragmentation. One method can involve receiving tiering information from a storage device that comprises multiple tiers. The information specifies a tiering attribute and tiering attribute value for the tiers. The method involves establishing zones that have zone attribute values corresponding to the received tiering attribute values. The method then involves storing a given block in a particular zone in response to detecting that a block attribute value of the block corresponds to a zone attribute value for the zone.

Abstract: A computer-implemented method for providing users with customized renewal policies may include 1) determining that a license for a software product installed on a user's computing system has expired or will expire within a predetermined amount of time, 2) in response to determining that the license for the software product has expired or will expire, monitoring, via a local module installed on the computing system, computing activities of the user, 3) evaluating the user's computing activities to determine that the user is investigating a competitor's software product that is capable of performing one or more functions performed by the installed software product, 4) creating, based on the user's investigation of the competitor's software product, a customized renewal policy for renewing the license to the installed software product, 5) inviting the user to renew the license under the customized renewal policy.

Abstract: Methods and systems for aiding in the detection of false positives generated by security systems are disclosed. One exemplary server-side method may comprise: 1) building a database containing a copy of, and metadata for, each file within an enterprise that is capable of posing a security risk, 2) identifying a determination by a security system that at least one of the files within the enterprise poses a security risk, and then 3) assisting a user to evaluate whether the security system has generated any false positives by presenting to the user both a list of each file within the enterprise that the security system determined poses a security risk and metadata for each file on the list. Corresponding client-side methods and systems are also disclosed.

Abstract: A method, system and apparatus for assembling and publishing frequent malware signature definition updates through the use of additive or “streaming” definition packages is provided. Embodiments of the present invention provide such functionality by publishing not only full malware signature definition updates on a long periodicity but also streaming malware signature definition updates containing newly certified signature definitions on a short periodicity. As newly-certified malware signature definitions are received, those newly-certified signature definitions are incorporated not only in the full signature definition file but also in a streaming signature definition update that contains only newly-certified signature definitions received during a streaming update period. At the end of the streaming update period, a streaming signature definition file is made available by publication to anti-malware clients.

Abstract: Techniques for providing multiple levels of security for backups are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for providing multiple levels of security for a backup medium comprising protecting a data portion of the backup medium with a first security mechanism, and protecting a metadata portion of the backup medium with a second security mechanism.

Abstract: Malware is identified based on its use of a folder shortcut. Files are analyzed, in order to indentify files used to implement folder shortcuts. This can take the form of monitoring the creation of new files, or searching for existing files used to implement folder shortcuts. In response to detecting such a file, it can be determined that a folder shortcut exists. The contents of the file can also be analyzed, and the determination can be made in response to finding specific content indicative of a folder shortcut. The file analysis can also involve monitoring edits made to existing files indicative of folder shortcuts. In response to detecting such edits, the content being written can be analyzed, and in response to specific content being written, it can be determined that a folder shortcut exists.

Abstract: A page list comprising a list of transitions between network resources is established. Subsequently, a transition is detected between a first network resource and a second network resource. An expected security level associated with the transition is identified based on the page list. Responsive to the detected security level being determined to be lower than the expected security level, a remedial action is performed.

Abstract: A method and system for LPAR migration including creating a profile for a logical partition on a host system comprising one or more LPARs, wherein the profile is associated with a first name. Also, within the profile, a port of a client virtual small computer system interface (SCSI) adapter of the LPAR is mapped to a port of a server virtual SCSI adapter of a virtual input/output server (VIOS) of the host system. The server port of the VIOS is set to accept any port of virtual client SCSI adapters of the one or more LPARS of the host system. Within the VIOS, the server port of the VIOS is mapped to a device name (i.e., LPAR) and to a target device (i.e., a disk of shared storage), for purposes of proper failover implementation of the LPAR, wherein the target device comprises an operating system for the LPAR.

Abstract: A method and apparatus for enabling and managing application input/output activity in memory to restore a data store using one or more processors is disclosed. In one embodiments, the method includes processing a restoration request for a data store, wherein the data store is mirrored by another data store, controlling communication of application input/output activity associated with at least one host computer and directed to at least one of the data store or the other data store, restoring various portions of the data store, in accordance with the restoration request, using at least one of at least one prior point in time image or the other data store and servicing the application input/output activity using the data store.

Abstract: A method for migrating a selected set of virtual machines from a first volume to a second volume. The method includes receiving a list of virtual machines which are not migrating from a first volume to a second volume, accessing a host file system usage map of a host machine that indicates active blocks of the host file system, and accessing virtual file system usage maps of a plurality of virtual machines that indicate active blocks. A filter usage map that identifies the active blocks of the virtual machines which are not migrating is generated. The plurality of virtual machines are migrated from the first volume to the second volume, wherein the active blocks of the virtual file systems which are not migrating are skipped in accordance with the filter usage map. Subsequently, the metadata at the second volume is processed to reflect the virtual machines which were not migrated.

Abstract: Two factor LDAP authentication systems and methods are presented. In one embodiment, implementation of a method for authenticating a user through a two factor process includes: at an LDAP proxy server, receiving a BIND request from a client, wherein the BIND request is for authenticating a user associated with a username to an LDAP server, and wherein the BIND request comprises a password comprising a first factor security code and a second factor security code; stripping the second factor security code from the password; reconfiguring the BIND request with the password that is stripped of the second factor security code; forwarding the reconfigured BIND request to the LDAP server for authentication of the username using the first factor security code; performing authentication of the second factor security code; and positively authenticating the username to the LDAP server when the first factor security code and the second factor security code are authenticated in connection with the username.

Abstract: A method and apparatus for monitoring communications from a communications device comprising monitoring communications from a communications device by storing a data acquisition address in a contact list of the communications device that identifies a location of a monitoring device. Further, when malicious software uses the contact list to send messages, a message is sent using the malicious software to the monitoring device using the data acquisition address.