Abstract: Example methods and systems for implementing an process-aware identity firewall are described. In one example, a computer system may detect a request for a virtualized computing instance to access a resource. The computer system may obtain (a) identity information identifying a user or a user device associated with the virtualized computing instance and (b) process information associated with a process that initiates the request to access the resource. The computer system may map the identity information, the network event information and the process information to an identity firewall rule that includes at least (a) a first parameter that is mappable to the identity information, (b) a second parameter that is mappable to the network event information and (c) a third parameter that is mappable to the process information. The identity firewall rule may be applied to allow or block the request to access the resource.

Abstract: Securely persisting transient data between virtual machine restarts or VM migrations involves terminating, by a first virtual machine (VM) during a shutdown process for the first VM, execution of user-space processes on the first VM, writing, by a first agent executing on the first VM, protected data from transient memory of the first VM to a virtual disk accessible by the first VM and shutting down the first VM. The process also involves initiating a startup process of a second VM, the second VM mounting the virtual disk; and executing, at the second VM and prior to execution of user-space processes, a second agent, the second agent being configured to: read the protected data from the virtual disk into transient memory of the second VM; and delete the protected data from the virtual disk.

Abstract: The disclosure herein describes the processing of malware scan requests from VCIs by an anti-malware scanner (AMS) on a host device. A malware scan request is received by the AMS from a VCI, the malware scan request including script data of a script from a memory buffer of the VCI. The AMS scans the script data of the malware scan request, outside of the VCI, and determines that the script includes malware. The AMS notifies the VCI that the script includes malware, whereby the VCI is configured to prevent execution of the script or take other mitigating action. The AMS provides scanning for fileless malware to VCIs on a host device without consuming or otherwise affecting resources of the VCIs.

Abstract: The disclosure herein describes executing unknown processes while preventing sandbox-evading malware therein from performing malicious behavior. A process execution event associated with an executable is detected, wherein the executable is to be executed in a production environment. The executable is determined to be an unknown executable (e.g., an executable that has not been analyzed for malware) using signature data in the process execution event. A function call hook interface of a sandbox simulator is activated, and a process of the executable is executed in the production environment. Any function calls from the executing process are intercepted by the activated function call hook interface, and sandbox-style responses to the intercepted function call are generated using sandbox response data of the sandbox simulator. The generated sandbox responses are provided to the executing process, whereby malware included in the executable behaves as if the executing process is executing in a sandbox environment.

Abstract: The disclosure herein describes the processing of malware scan requests from VCIs by an anti-malware scanner (AMS) on a host device. A malware scan request is received by the AMS from a VCI, the malware scan request including script data of a script from a memory buffer of the VCI. The AMS scans the script data of the malware scan request, outside of the VCI, and determines that the script includes malware. The AMS notifies the VCI that the script includes malware, whereby the VCI is configured to prevent execution of the script or take other mitigating action. The AMS provides scanning for fileless malware to VCIs on a host device without consuming or otherwise affecting resources of the VCIs.

Abstract: A method for opening unknown files in a malware detection system, is provided. The method generally includes receiving a request to open a file classified as an unknown file, opening the file in a container, collecting at least one of a log of events carried out by the file or observed behavior traces of the file while open in the container, transmitting, to a file analyzer, at least one of the file, the log of events, or the behavior traces for static analysis, determining, a final verdict for the file, based on at least one of the file, the log of events, or the behavior traces, wherein the final verdict for the file is based on the static analysis or dynamic analysis of the file, and taking one or more actions based on a policy configured for the first endpoint and the final verdict.

Abstract: A method for assigning permissions to files in a malware detection system, is provided. The method generally includes assigning a first subset of permissions to a first file classified as an unknown file, opening the first file in accordance with the first subset of permissions, determining a first verdict for the first file, the first verdict indicating the first file is benign, assigning a second subset of permissions to the first file based on determining the first verdict indicating the first file is benign, and executing the first file in accordance with the second subset of permissions.

Abstract: Described herein are systems, methods, and software to manage packet reconstruction and error correction. In one implementation, a method for operating an error correction service includes receiving a packet and identifying one or more errors in the header or payload of the packet. The method further includes determining one or more corrections for the one or more errors based on predictive modeling for the packet and forwarding the packet with the one or more corrections.