Abstract: A method of protecting an endpoint against a security threat detected at the endpoint, wherein the endpoint includes, in memory pages of the endpoint, an operating system (OS), a separate software entity, and remediation code, includes the steps of: transferring control of virtual CPUs (vCPUs) of the endpoint from the OS to the separate software entity; and while the separate software entity controls the vCPUs, storing, in an interrupt dispatch table, an instruction address corresponding to an interrupt, wherein the remediation code is stored at the instruction address, and replacing a next instruction to be executed by the OS, with an interrupt instruction, wherein the interrupt is raised when the OS executes the interrupt instruction, and the remediation code is executed as a result of handling of the interrupt that is raised.

Abstract: Systems and methods are provided for efficiently registering cloned VMs while preventing unnecessary subsequent registrations. Two independent threads can execute on a cloned VM and control different variables indicating whether registration is needed or has already been performed. A first thread can set a first variable based on an internal identifier of the cloned VM relative to the parent VM. It can also check a second variable, set by a second thread, based on an external identifier of the cloned VM not being updated at a backend cloud service. It can then set a third variable indicating whether registration has been triggered or not, based on the other variables. To avoid duplication, the second thread sets the second variable based on both the external identifier as well as a status of the first variable. The variables can be atomic variables to avoid multi-thread interference and undesirable thread locks.

Abstract: System and method for executing scan operations on computing systems use a sparse file that represents a storage device of a computing system to scan a file stored in the storage device. The sparse file is created and mounted to a scanner appliance such that the sparse file appears to a scan engine of the scanner appliance as a local storage device. When a read request for the file stored in the storage device is issued from the scan engine that results in an implicit read request to the sparse file, the implicit read request is trapped. While the implicit read request is trapped, data of the file is retrieved from the storage device of the computing system to the scanner appliance using a communication transport. The retrieved data of the file is then scanned using the scan engine at the scanner appliance.

Abstract: Virtual computing instance (VCI) agent authentication in a public cloud can include running a periodic task by an agent on a VCI created from a VCI base image on a public cloud backend, where the VCI base image includes the agent. The periodic task can include querying a basic input/output system (BIOS) identifier of the VCI and calculating a hash of a string of media access control (MAC) addresses associated with the VCI. In response to the BIOS identifier and/or the hash not being stored in association with the agent, the periodic task can include authenticating the agent with the public cloud backend.

Abstract: A method of protecting an endpoint against a security threat, wherein the endpoint includes an OS and a separate software entity included in memory pages of the endpoint, includes the steps of: preventing the OS from scheduling any tasks on vCPUs of the endpoint by transferring control of the vCPUs from the OS to the separate software entity; while the OS is prevented from scheduling any tasks on the vCPUs, scanning, by the separate software entity, at least one of a list of processes of the endpoint and a subset of the memory pages of the endpoint, and upon receiving an identification of a malicious process, terminating, by the separate software entity, the malicious process; and after the separate software entity terminates the malicious process, allowing the OS to schedule tasks on the vCPUs by transferring control of the vCPUs from the separate software entity to the OS.

Abstract: The disclosure provides an approach for network security. Embodiments include receiving, by a kernel of a first machine, via a hook in a protocol stack of the first machine, one or more packets of a connection between the first machine and a second machine Embodiments include generating a metadata object for the connection based on at least a subset of the one or more packets. Embodiments include adding the one or more packets to a queue accessible by a security component of the first machine. Embodiments include determining, based on the metadata object, whether to continue capturing additional packets of the connection. Embodiments include receiving, from the security component, a security determination regarding the connection based on the one or more packets. Embodiments include performing an action with respect to the connection based on the security determination.

Abstract: System and method for executing scan operations on computing systems use a sparse file that represents a storage device of a computing system to scan a file stored in the storage device. The sparse file is created and mounted to a scanner appliance such that the sparse file appears to a scan engine of the scanner appliance as a local storage device. When a read request for the file stored in the storage device is issued from the scan engine that results in an implicit read request to the sparse file, the implicit read request is trapped. While the implicit read request is trapped, data of the file is retrieved from the storage device of the computing system to the scanner appliance using a communication transport. The retrieved data of the file is then scanned using the scan engine at the scanner appliance.

Abstract: The disclosure provides an approach for network security. Embodiments include receiving, by a kernel of a first machine, via a hook in a protocol stack of the first machine, one or more packets of a connection between the first machine and a second machine Embodiments include generating a metadata object for the connection based on at least a subset of the one or more packets. Embodiments include adding the one or more packets to a queue accessible by a security component of the first machine. Embodiments include determining, based on the metadata object, whether to continue capturing additional packets of the connection. Embodiments include receiving, from the security component, a security determination regarding the connection based on the one or more packets. Embodiments include performing an action with respect to the connection based on the security determination.

Abstract: Examples provided herein describe a system and method for satisfying recovery service level agreements (SLAs). For example, a first entity may determine that a first recovery operation is to be performed at a first storage device. The first entity may then determine that the first storage device is available. Responsive to determining that the first storage device is available, the first entity may establish a data connection with a first storage device and may perform a first recovery operation at the first storage device. The first entity may receive a second storage device availability message from a second entity that requests a second recovery operation at the first storage device and may facilitate communication with the second entity. The first entity may then perform the second recovery operation at the first storage device and communicate the recovered data to the second entity.

Abstract: Techniques for selecting a resource to be used in a data backup or restore operation are described in various implementations. An example method that implements the techniques may include determining, using a computing system, diagnostic information associated with a plurality of candidate resources that are available for use in a data backup or restore operation. The method may also include selecting, using the computing system, a recommended resource from among the plurality of candidate resources, the recommended resource being selected based at least in part on the diagnostic information. The method may also include causing the data backup or restore operation to be performed using the recommended resource.

Abstract: Virtual machine (VM) data protection includes receiving a data stream comprising data and metadata corresponding to VM data to be backed-up and storing the data at a first location in a storage medium as a thinly distributed file. The thinly distributed file comprises a thin distribution entry between each of a plurality of data blocks to move a pointer from an end of a data block to an offset byte of a next data block. The metadata may be stored at a second location in the storage medium and may be linked to the thinly distributed file.

Abstract: A computer-implemented system or method for selecting a backup process for backing up a file system. The selection of a backup process can be based on multiple criteria, including an estimated completion time for each of multiple available backup processes.

Abstract: A technique includes creating a proxy file that is associated with a recovery request, which is associated with the recovery of data associated with a virtual machine file from a secondary storage. The technique includes using metadata that is extracted from the proxy file to access the data. Using the metadata includes, in response to an input/output (I/O) request associated with the recovery request, storing an association of an identifier of the proxy file with metadata representing a parameter associated with the secondary storage. The metadata is stored outside the proxy file. The metadata is used to identify an I/O processing unit; and the technique includes communicating with the I/O processing unit to notify the I/O processing unit to process the I/O request.

Abstract: Examples disclosed herein relate to container-based backups. Some of the examples may enable analyzing a source host to be backed up, wherein the source host is not a container instance, and determining a portion of the source host for which a container representation is to be created. The container representation may comprise a source host image that is captured at the time of backup. Some of the examples may enable creating the container representation.

Abstract: A technique includes creating a proxy file that is associated with a recovery request, which is associated with the recovery of data associated with a virtual machine file from a secondary storage. The technique includes using metadata that is extracted from the proxy file to access the data. Using the metadata includes, in response to an input/output (I/O) request associated with the recovery request, storing an association of an identifier of the proxy file with metadata representing a parameter associated with the secondary storage. The metadata is stored outside the proxy file. The metadata is used to identify an I/O processing unit; and the technique includes communicating with the I/O processing unit to notify the I/O processing unit to process the I/O request.

Abstract: Examples provided herein describe a system and method for satisfying recovery service level agreements (SLAs). For example, a first entity may determine that a first recovery operation is to be performed at a first storage device. The first entity may then determine that the first storage device is available. Responsive to determining that the first storage device is available, the first entity may establish a data connection with a first storage device and may perform a first recovery operation at the first storage device. The first entity may receive a second storage device availability message from a second entity that requests a second recovery operation at the first storage device and may facilitate communication with the second entity. The first entity may then perform the second recovery operation at the first storage device and communicate the recovered data to the second entity.

Abstract: Virtual machine (VM) data protection includes receiving a data stream comprising data and metadata corresponding to VM data to be backed-up and storing the data at a first location in a storage medium as a thinly distributed file. The thinly distributed file comprises a thin distribution entry between each of a plurality of data blocks to move a pointer from an end of a data block to an offset byte of a next data block. The metadata may be stored at a second location in the storage medium and may be linked to the thinly distributed file.

Abstract: Methods for creating backup of data of a virtual environment to allow non-staged recovery are described. The described method may include receiving data of a virtual environment through one or more data streams for backup. The method also includes generating metadata corresponding to the received data and storing the received data at a first location of a backup storage unit. Further, the method includes storing the generated metadata at a second location of the backup storage unit, where the second location is different from the first location of the backup storage unit. The method further includes mapping the at least one predefined file to the stored data to create a mapping table to allow direct access to the stored data for non-staged recovery.

Abstract: A computer-implemented system or method for selecting a backup process for backing up a file system. The selection of a backup process can be based on multiple criteria, including an estimated completion time for each of multiple available backup processes.

Abstract: Techniques associated with excluding file system objects from raw image backups are described in various implementations. In one example, a method may include generating a virtual volume that comprises a replica of a source volume to be backed up, and providing file system access to the virtual volume. The method may also include receiving file system commands to remove specified file system objects from the virtual volume, and storing modified blocks that result from the file system commands to remove the specified file system objects. The method may also include performing a raw image backup to back up the source volume using unmodified blocks from the source volume and the stored modified blocks, such that the raw image backup excludes the specified file system objects.