Abstract: A method includes accessing a group that comprises a group of PITs, replaying the PITs according to respective times at which the snapshots were taken, analyzing the PITs as they are being replayed, and based on the analyzing, identifying an event that has occurred within a time frame spanned collectively by the PITs. Replaying the PITs includes presenting the PITs, in order from oldest to newest, as a continuous stream of events.

Abstract: Redistributing disks based on disk wear patterns is disclosed. The wear patterns of disk drives in a storage system are learned or determined. When a restore operation is performed, the volumes to disk drive mappings are changed to balance the overall wear pattern of the storage system. This insures that, after the restore operation, disks that had comparatively lower wear levels are used more heavily while disks that had comparatively higher wear levels are used less heavily.

Abstract: Disk drive reallocation or replacement is disclosed. When performing a data protection operation, a health score is determined for each of the disk drives associated with the data protection operation. Replacement is recommended for each of the disk drives with an unfavorable health score. The recommendation may also identify a drive class based in part on the write or wear pattern. This allows unhealthy drives to be replaced prior to performing the data protection operation.

Abstract: Opportunistically transmitting backups through a time-limited air gap. A data protection system may predict rates of changes for one or more applications. The predicted rate of change allows a size of corresponding backups to be estimated. If there is time during which an air gap is available (closed), at least of the backups is selected and opportunistically transmitted to a vault through the air gap.

Abstract: One example method includes receiving, at a remote site from a production site, copies of production site assets, storing, at the remote site, the copies of the production site assets, using, at the remote site, the copies of the production site assets to restore a temporary production site, running the temporary production site at the remote site, and restoring, from the remote site to the production site, the copies of the production site assets.

Abstract: A forensic kit with a granular infected backup. A forensic engine may evaluate a production system that is infected with malware or other corruption and generate a forensic kit. The forensic kit may include copies of components of the production system that are infected or that are sufficiently related to infected components. The forensic kit may be provided to investigators.

Abstract: A method includes searching a group of PITs, identifying one of the PITs as having an indicator of an occurrence of an event involving data associated with the identified PIT, restoring the data, running a production system copy using the data, and while the production system copy is running, taking increasingly granular backups of the data until the event is located. The event may be a corruption of the data, or other problem.

Abstract: One method includes receiving a request to restore data to a particular point in time, scanning a snapshot that corresponds to the point in time, based on the scanning, identifying any invalid data segments pointed to by the snapshot, for each of the invalid data segments, identifying a most recent, valid, version of that segment, and based on the request, restoring a set of valid data segments. In this method, no invalid segments are restored.

Abstract: A system receives a request from a user to execute a command on an air-gapped computer system. If a role-based access control system permits the user to execute the command, the system prompts a number of approvers to determine whether to approve of the user executing the command. If a required number of approvers have approved of the user executing the command, the system encodes the command and incorporates the encoded command in an encoded message. The system uses a simplex communication output device to communicate the encoded message to a simplex communication input device for the air-gapped computer system. The system enables execution of the command by requesting the air-gapped computer system to execute the command, or by providing the user with an access token, received from the air-gapped computer system, which enables the user to physically access the air-gapped computer system and execute the command.

Abstract: A system can comprise a communications antenna comprising a material that is configured to change shape in response to being stimulated with an external stimulus. The system can comprise an antenna performance detector that is configured to detect a measure of performance of the communications antenna. The system can comprise a distortion correction component that is configured to receive an indication of the measure of performance, determine an amount of distortion of the shape of the communications antenna based on the indication of the measure of performance, based on the amount of distortion, determine an amount of the external stimulus with which to stimulate the communications antenna, and selectively apply the amount of the external stimulus to the communications antenna to change the shape of the communications antenna.

Abstract: One example method includes optimizing client-side deduplication. When backing up a client, a cadence and a change log resolution are determined. These values are evaluated alone or in combination with respect to various thresholds. Client-side deduplication is enabled or disabled based on whether any one or more of the thresholds are satisfied.

Abstract: One method includes listening, by a storage vault, to a port that is specific to a particular data structure in the storage vault, determining that an air gap between the storage vault and an entity external to the storage vault, is closed, such that communication between the storage vault and the external entity, by way of the port, is enabled, signaling, by the storage vault to the external entity, that the air gap is closed, and receiving, at the storage vault by way of the port, data from the external entity.

Abstract: Data protection including malware response operations are disclosed. When a production system is attacked, the malware is allowed to run in a forensic environment in order to learn its operational characteristics. Once learned, a return malware can be placed in the data. The return malware is transmitted to a malware host system by the malware itself and executed.

Abstract: Automated research experimentation on malware is disclosed. When malware is detected, an infected backup is generated. The infected backup is deployed to multiple working environments as recovered production systems, starting from the same state. Different scenarios are performed on the recovered production systems to learn the operational characteristics of the malware operating in the recovered production systems. The insights may be used to protect against the malware and/or other malware.

Abstract: One example method includes assigning, at a production site, a priority to a portion of a dataset to be backed up, checking to determine if the priority meets or exceeds a threshold priority; and, when the priority meets or exceeds the threshold priority, and when an air gap between the production site and a storage vault is closed, backing up, by way of the closed air gap, the portion of the dataset to the storage vault.

Abstract: Data protection including malware response operations are disclosed. When a production system is attacked, the malware is allowed to run in a forensic environment in order to learn its operational characteristics. The forensic environment includes a working scenario that may be prepared in advance with false data that allows the malware to communicate with a malware host system. Once the operational characteristics are learned, a return malware can be placed in the data. The return malware is transmitted to a malware host system by the malware itself and executed.

Abstract: A system can determine complexity data representative of a complexity of changes to computer code that is executable to operate at least one microservice that is part of a group of microservices, wherein a portion of the changes corresponds to a library on which the computer code depends. The system can generate a progressive deployment plan for the at least one microservice based on the complexity of changes. The system can progressively direct traffic to the at least one microservice based on the progressive deployment plan.

Abstract: A system can determine complexity data representative of a complexity of changes to computer code that is executable to operate at least one updated microservice that is part of a group of microservices, wherein at least one current microservice is deployed, and wherein the at least one updated microservice corresponds to an update of the at least one current microservice. The system can determine a rate at which invocations of the at least one current microservice are made. The system can determine a threshold number of calls to be processed to proceed from a first stage of a progressive deployment plan to a second stage of the progressive deployment plan based on the complexity data and the rate. The system can progressively direct traffic to the at least one updated microservice based on the progressive deployment plan.

Abstract: A system can identify that computer code that is executable to operate at least one microservice that is part of a group of microservices has been modified. The system can determine complexity data representative of a complexity of changes to the computer code. The system can determine conditions under which the changes to the computer code are invoked based on at least one of performing a static analysis of the computer code or instrumenting the computer code. The system can generate a progressive deployment plan for the at least one microservice based on the complexity of changes. The system can progressively direct traffic to the at least one microservice based on the progressive deployment plan, and the conditions under which the changes to the computer code are invoked.

Abstract: Data protection operations including replication operations are disclosed. Virtual machines, applications, and/or application data are replicated according to at least one strategy. The replication strategy can improve performance of the recovery operation.