Abstract: Aspects of the disclosure accelerate recovery using a combination of local and remote backups. A backup selector identifies a latest unencrypted remote backup (e.g., created prior to an encrypted backup), a latest unencrypted local backup created prior to the latest unencrypted remote backup, and a penultimate unencrypted remote backup created prior to the latest unencrypted local backup. A restoration manager restores a local computing asset to the state of the latest unencrypted local backup. In a disaster recovery (DR) environment, two differences are generated: one between the latest unencrypted remote backup and the penultimate unencrypted remote backup and another between a newly-generated failback backup and the latest unencrypted remote backup. The two differences are sent to the restoration manager to roll the state of the local computing asset forward in two stages. This approach is faster and reduces egress charges in cloud-based DR environments.

Abstract: Aspects of the disclosure provide continual backup verification for ransomware detection and recovery of fileless malicious logic. On an ongoing basis, even prior to detecting an attack within a production environment, each of a plurality of backup virtual machines (VMs) is executed in an isolation environment and subject to behavior monitoring to detect malicious logic (e.g., ransomware). If malicious logic is detected in a backup VM, an alert is generated and/or that backup VM is marked as unavailable for use as a restoration backup, in order to avoid re-infecting the production environment. In some examples, a backup VM with malicious logic is cleaned and returned to the pool of available backups that are suitable for use. Because the production environment is not burdened, in some examples, the probability of detection for finding malicious logic in the isolation environment is set higher than what is used in the production environment.

Abstract: The disclosure herein describes scanning a snapshot of a virtualized computing instance (VCI) for malware. A VCI snapshot associated with a version of a malware infected VCI is scanned for malware. The malware scanning includes selecting a first file of the VCI snapshot and determining that a file, in a previously scanned VCI snapshot associated with another version of the malware infected VCI, which corresponds to the selected first file has a clean reputation indicator. Further, it is determined that the metadata of the selected first file matches metadata of the corresponding file. Based on these determinations, the malware scanning proceeds to scan the next file for malware without scanning the selected first file for malware.

Abstract: A method for virtual computing instance remediation is provided. Some embodiments include retrieving a first backup of a virtual machine from storage, the first backup comprising configuration information and data of the virtual machine, the configuration information comprising network connectivity information in a first software defined data center (SDDC) running on a first set of host machines. Some embodiments include configuring a second SDDC running on a second set of host machines based on the configuration information, where the second SDDC is network isolated from the first SDDC and powering on the virtual machine from the first backup in the second SDDC. Some embodiments include sending, from the virtual machine to a security platform, behavior information of the virtual machine running in the second SDDC and determining, based on the behavior information, whether the virtual machine running in the second SDDC is infected with malware.

Abstract: In one set of embodiments, an enhanced next generation anti-virus (NGAV) system is provided. In certain embodiments, this system includes a hypervisor-level agent that backs up VM data only when an instance of a guest application running in the VM has been flagged by the NGAV system as being potentially malicious (rather than on a constant, proactive basis). Further, the hypervisor-level agent performs this backup only with respect to data modified by that specific guest application instance (rather than backing up all data modified by the VM) and writes the backed-up data to a secure storage location which is inaccessible to the guest. The combination of these features addresses many of the problems and inefficiencies of existing NGAV systems.

Abstract: System and method for providing fault tolerance in virtualized computer systems use a first guest and a second guest running on virtualization software to produce outputs, which are produced when a workload is executed on the first and second guests. An output of the second guest is compared with an output of the first guest to determine if there is an output match. If there is no output match, the first guest is paused and a resynchronization of the second guest is executed to restore a checkpointed state of the first guest on the second guest. After the resynchronization of the second guest, the paused first guest is caused to resume operation.

Abstract: Techniques for replicating virtual machine data is provided. A plurality of compute nodes running on a primary cluster determine the amount of virtual machine data cached within each compute node. Based on the amount of virtual machine data for a particular virtual machine, a particular compute node is assigned to replicate the data to a secondary cluster. The amount of particular virtual machine data copied to the secondary cluster is based on updated virtual machine data that belongs to a particular state of the virtual machine. The destination of the particular virtual machine data is based on available cache space and prior replication statistics for target compute nodes on the secondary cluster.

Abstract: Techniques for scheduling replication events may be based upon establishing a plurality of policy groups. Each policy group has a replication schedule that defines when to initiate replication events and a membership selection pattern used to determine which virtual machines belong to which policy group. The policy groups may contain a first policy group and a second policy group, where each policy group has a unique replication schedule and a unique selection pattern. The system may assign a first set of virtual machines to the first policy group based upon the first selection pattern. A second set of virtual machines may be assigned to a second policy group based upon the second selection pattern. Each of the virtual machines in the first policy group may be assigned a first replication schedule and each of the virtual machines in the second policy group may be assigned a second replication schedule.

Abstract: A data storage system includes a plurality of hosts, each of which includes at least one processor and communicates over a network with a plurality of storage nodes, at least one of which has at least one storage device, at least one storage controller, and at least one non-volatile memory. At least one process within a host issues data storage read/write requests. At least one of the hosts has a cache for caching data stored in at least one of the plurality of storage nodes. The host writes data corresponding to a write request to at least one remote non-volatile memory and carries out at least one storage processing function; data in the written-to node may then be made available for subsequent reading by a different one of the hosts. Examples of the storage processing function include compression, ECC computation, deduplicating, garbage collection, write logging, reconstruction, rebalancing, and scrubbing.

Abstract: A request is received to access at least one data unit of a larger data object by an entity within a local host, which is then queried to determine if the requested data unit is present. If the requested data unit is present in the local cache, it is fetched from the local cache. If the requested data unit is not present in the local cache, however, a respective cache within at least one target host, which is different from the local host, is queried to determine if the requested data unit is present remotely and, if so, the data unit is fetched from there instead. If the requested data unit is not present in the local cache or the cache of the target host, the data unit is fetched from a common data storage pool.

Abstract: System and method for providing fault tolerance in virtualized computer systems use a first guest and a second guest running on virtualization software to produce outputs, which are produced when a workload is executed on the first and second guests. An output of the second guest is compared with an output of the first guest to determine if there is an output match. If there is no output match, the first guest is paused and a resynchronization of the second guest is executed to restore a checkpointed state of the first guest on the second guest. After the resynchronization of the second guest, the paused first guest is caused to resume operation.

Abstract: In a computer system running at least a first virtual machine (VM) and a second VM on virtualization software, a computer implemented method for the second VM to provide quasi-lockstep fault tolerance for the first VM includes executing a workload on the first VM and the second VM that involves producing at least one externally visible output and comparing an externally visible output of the second VM with an externally visible output of the first VM to determine if there is an output match. In response to a determination that the externally visible output of the second VM does not match the externally visible output of the first VM, a resynchronization of the second VM is executed. The externally visible output of the first VM is kept from being output externally until completion of the resynchronization.

Abstract: Techniques for scheduling replication events may be based upon establishing a plurality of policy groups. Each policy group has a replication schedule that defines when to initiate replication events and a membership selection pattern used to determine which virtual machines belong to which policy group. The policy groups may contain a first policy group and a second policy group, where each policy group has a unique replication schedule and a unique selection pattern. The system may assign a first set of virtual machines to the first policy group based upon the first selection pattern. A second set of virtual machines may be assigned to a second policy group based upon the second selection pattern. Each of the virtual machines in the first policy group may be assigned a first replication schedule and each of the virtual machines in the second policy group may be assigned a second replication schedule.

Abstract: Techniques for replicating virtual machine data is provided. A plurality of compute nodes running on a primary cluster determine the amount of virtual machine data cached within each compute node. Based on the amount of virtual machine data for a particular virtual machine, a particular compute node is assigned to replicate the data to a secondary cluster. The amount of particular virtual machine data copied to the secondary cluster is based on updated virtual machine data that belongs to a particular state of the virtual machine. The destination of the particular virtual machine data is based on available cache space and prior replication statistics for target compute nodes on the secondary cluster.

Abstract: The output of a non-deterministic instruction is handled during record and replay in a virtual machine. An output of a non-deterministic instruction is stored to a buffer during record mode and retrieved from a buffer during replay mode without exiting to the hypervisor. At least part of the contents of the buffer can be stored to a log when the buffer is full during record mode, and the buffer can be replenished from a log when the buffer is empty during replay mode.

Abstract: A data storage system includes a plurality of hosts, each of which includes at least one processor and communicates over a network with a plurality of storage nodes, at least one of which has at least one storage device, at least one storage controller, and at least one non-volatile memory. At least one process within a host issues data storage read/write requests. At least one of the hosts has a cache for caching data stored in at least one of the plurality of storage nodes. The host writes data corresponding to a write request to at least one remote non-volatile memory and carries out at least one storage processing function; data in the written-to node may then be made available for subsequent reading by a different one of the hosts. Examples of the storage processing function include compression, ECC computation, deduplicating, garbage collection, write logging, reconstruction, rebalancing, and scrubbing.

Abstract: A data storage system includes a plurality of hosts, each of which includes at least one processor and communicates over a network with a plurality of storage nodes, at least one of which has at least one storage device, at least one storage controller, and at least one non-volatile memory. At least one process within a host issues data storage read/write requests. At least one of the hosts has a cache for caching data stored in at least one of the storage nodes. The host writes data corresponding to a write request to at least one remote non-volatile memory and carries out at least one storage processing function; data in the written-to node may then be made available for subsequent reading by a different one of the hosts. Examples of the storage processing function include compression, ECC computation, deduplicating, garbage collection, write logging, reconstruction, rebalancing, and scrubbing.

Abstract: Embodiments of a distributed virtual array data storage system and method are disclosed. Storage nodes made up of relatively unsophisticated disks with associated processors are scalable to store very large amounts of data. The storage nodes communicate with servers directly over a network through, for example, an Ethernet connection. Control of the storage nodes and access to the storage nodes is handled entirely on the server side of the system by distributed virtual array (DVA) software running on the server side and employing a particular protocol over the standard network connection. In an embodiment, server-side virtual machine (VM) hosts host application VMs that are associated with vDisks. The DVA software distributes data for the vDisk over the storage nodes. In the case of failure of one or more of the storage nodes, the DVA software reconstructs the data, for example by reading redundant data from surviving storage nodes.

Abstract: In a processing system in which at least one entity issues data read and write requests to at least one storage system that stores data as data units, pluralities of data units are grouped. Each group is written as a respective cache line in a cache, which is deduplicated. Before evicting a selected one of the cache lines, a caching component determines whether at least one of the data units in the selected cache line is still active; if so, then the still active data unit(s) in the selected cache line is read and written to a different cache line.

Abstract: The translation lookaside buffer (TLB) of a processor is kept in synchronization with a guest page table by use of an indicator referred to as a “T” bit. The T bit of the NPT/EPT entries mapping the guest page table are set when a page walk is performed on the NPT/EPT. When modifications are made to pages mapped by NPT/EPT entries with their T bit set, changes to the TLB are made so that the TLB remains in synchronization with the guest page table. Accordingly, record/replay of virtual machines of virtualized computer systems may be performed reliably with no non-determinism introduced by stale TLBs that fall out of synchronization with the guest page table.