Patents by Inventor RAYANAGOUDA BHEEMANAGOUDA PATIL

RAYANAGOUDA BHEEMANAGOUDA PATIL has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240031334
    Abstract: Example methods and systems for identity firewall with context information tracking are described. In one example, a first computer system may detect establishment of a connection with a virtualized computing instance, and track context information associated with the connection. The context information may include (a) first identity information that is associated with a prior connection between the client device and a second computer system, and (b) second identity information that is associated with the connection with the virtualized computing instance. Further, the first computer system may obtain a first identity firewall policy associated with the first identity information. In response to detecting a packet associated with a flow originating from, or destined for, the virtualized computing instance, the first computer system may allow or block forwarding of the packet based on the first identity firewall policy.
    Type: Application
    Filed: October 13, 2022
    Publication date: January 25, 2024
    Inventors: RAYANAGOUDA BHEEMANAGOUDA PATIL, MANISHA SAMEER GAMBHIR PAREKH, KULDEEP NAMADEORAO NIKAM, SOUMEE PHATAK
  • Patent number: 11847485
    Abstract: Network-efficient isolation environment redistribution is described. In one example, network communications are surveyed among isolation environments, such as virtual machines (VMs) and containers, hosted on a cluster. An affinity for network communications between the isolation environments can be identified based on the survey. Pairs or groups of the isolation environments can be examined to identify ones which have an affinity for network communications between them but are also hosted on different host machines in the cluster. The identification of the affinity for network communications provides network-level context for migration decisions by a distributed resource scheduler. Certain VMs and/or containers can then be migrated by the distributed resource scheduler to reduce the network communications in the cluster based on the network-level context information.
    Type: Grant
    Filed: April 19, 2022
    Date of Patent: December 19, 2023
    Assignee: VMware, Inc.
    Inventors: Shirish Vijayvargiya, Priyal Rathi, Shailendra Singh Rana, Rayanagouda Bheemanagouda Patil
  • Publication number: 20230385413
    Abstract: The disclosure herein describes executing unknown processes while preventing sandbox-evading malware therein from performing malicious behavior. A process execution event associated with an executable is detected, wherein the executable is to be executed in a production environment. The executable is determined to be an unknown executable (e.g., an executable that has not been analyzed for malware) using signature data in the process execution event. A function call hook interface of a sandbox simulator is activated, and a process of the executable is executed in the production environment. Any function calls from the executing process are intercepted by the activated function call hook interface, and sandbox-style responses to the intercepted function call are generated using sandbox response data of the sandbox simulator. The generated sandbox responses are provided to the executing process, whereby malware included in the executable behaves as if the executing process is executing in a sandbox environment.
    Type: Application
    Filed: May 26, 2022
    Publication date: November 30, 2023
    Inventors: Rayanagouda Bheemanagouda PATIL, Kedar Bhalchandra CHAUDHARI, Clemens KOLBITSCH, Laxmikant Vithal GUNDA, Vaibhav KULKARNI
  • Publication number: 20230328099
    Abstract: A method for opening unknown files in a malware detection system is provided. The method generally includes receiving a request to open a file classified as an unknown file, opening the file in a container, collecting at least one of a log of events carried out by the file or observed behavior traces of the file while open in the container, transmitting, to a file analyzer, at least one of the file, the log of events, or the behavior traces for static analysis, determining a final verdict for the file, based on at least one of the file, the log of events, or the behavior traces, wherein the final verdict for the file is based on the static analysis or dynamic analysis of the file, and taking one or more actions based on a policy configured for the first endpoint and the final verdict.
    Type: Application
    Filed: April 8, 2022
    Publication date: October 12, 2023
    Inventors: Rayanagouda Bheemanagouda PATIL, Kedar Bhalchandra CHAUDHARI, Shivali SHARMA, Laxmikant Vithal GUNDA, Sriram GOPALAKRISHNAN
  • Publication number: 20230297685
    Abstract: A method for locating malware in a malware detection system is provided. The method generally includes storing, at a first endpoint, a mapping of a first file hash and a first file path for a first file classified as an unknown file, opening, at the first endpoint, the first file prior to determining whether the first file is benign or malicious, determining, at the first endpoint, a first verdict for the first file, the first verdict indicating the first file is benign or malicious, locating the first file using the mapping of the first file hash and the first file path, and taking one or more actions based on a policy configured for the first endpoint and the first verdict indicating the first file is benign or malicious.
    Type: Application
    Filed: March 15, 2022
    Publication date: September 21, 2023
    Inventors: Rayanagouda Bheemanagouda PATIL, Sriram GOPALAKRISHNAN, Pranav GOKHALE
  • Patent number: 11645390
    Abstract: A next generation antivirus (NGAV) security solution in a virtualized computing environment includes a security sensor at a virtual machine that runs on a host and a security engine remote from the host. The integrity of the NGAV security solution is increased by providing a verification as to whether a verdict issued by the security engine has been successfully enforced by the security sensor to prevent execution of malicious code at the virtual machine.
    Type: Grant
    Filed: May 11, 2020
    Date of Patent: May 9, 2023
    Assignee: VMWARE, INC.
    Inventors: Shirish Vijayvargiya, Vasantha Kumar Dhanasekar, Sachin Shinde, Rayanagouda Bheemanagouda Patil
  • Publication number: 20220244982
    Abstract: Network-efficient isolation environment redistribution is described. In one example, network communications are surveyed among isolation environments, such as virtual machines (VMs) and containers, hosted on a cluster. An affinity for network communications between the isolation environments can be identified based on the survey. Pairs or groups of the isolation environments can be examined to identify ones which have an affinity for network communications between them but are also hosted on different host machines in the cluster. The identification of the affinity for network communications provides network-level context for migration decisions by a distributed resource scheduler. Certain VMs and/or containers can then be migrated by the distributed resource scheduler to reduce the network communications in the cluster based on the network-level context information.
    Type: Application
    Filed: April 19, 2022
    Publication date: August 4, 2022
    Inventors: Shirish Vijayvargiya, Priyal Rathi, Shailendra Singh Rana, Rayanagouda Bheemanagouda Patil
  • Publication number: 20220210127
    Abstract: Example methods and systems for attribute-based firewall rule enforcement are described. One example method may comprise a computer system obtaining, from a management entity, one or more first firewall rules configured based on first attribute information. The computer system may detect a login event associated with a user operating a user device to log onto a virtualized computing instance. In response to determination that the user is associated with the first attribute information, the one or more first firewall rules may be applied. Otherwise, in response to determination that the user is associated with second attribute information that is different from the first attribute information, the computer system may obtain and apply one or more second firewall rules configured based on the second attribute information.
    Type: Application
    Filed: February 17, 2021
    Publication date: June 30, 2022
    Inventors: VASANTHA KUMAR DHANASEKAR, Shirish VIJAYVARGIYA, Rayanagouda Bheemanagouda PATIL
  • Patent number: 11327780
    Abstract: Network-efficient isolation environment redistribution is described. In one example, network communications are surveyed among isolation environments, such as virtual machines (VMs) and containers, hosted on a cluster. An affinity for network communications between the isolation environments can be identified based on the survey. Pairs or groups of the isolation environments can be examined to identify ones which have an affinity for network communications between them but are also hosted on different host machines in the cluster. The identification of the affinity for network communications provides network-level context for migration decisions by a distributed resource scheduler. Certain VMs and containers can then be migrated by the distributed resource scheduler to reduce the network communications in the cluster based on the network-level context information.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: May 10, 2022
    Assignee: VMWARE, INC.
    Inventors: Shirish Vijayvargiya, Priyal Rathi, Shailendra Singh Rana, Rayanagouda Bheemanagouda Patil
  • Patent number: 11240204
    Abstract: Example methods and systems for score-based dynamic firewall rule enforcement in a software-defined networking (SDN) environment. One example method may comprise in response to detecting a first request to access a first resource, identifying a first score associated with the user, and a firewall rule that is applicable to the user based on information associated with the user. The firewall rule may be applied to allow access to the first resource. The method may further comprise adjusting the first score to a second score that represents a more restrictive access level compared to the first score. In response to detecting a second request to access the first resource, applying the firewall rule to block the second request based on the second score.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: February 1, 2022
    Assignee: VMWARE, INC.
    Inventors: Rayanagouda Bheemanagouda Patil, Vasantha Kumar, Sriram Gopalakrishnan, Mandar Barve
  • Publication number: 20210286877
    Abstract: A next generation antivirus (NGAV) security solution in a virtualized computing environment includes a security sensor at a virtual machine that runs on a host and a security engine remote from the host. The integrity of the NGAV security solution is increased by providing a verification as to whether a verdict issued by the security engine has been successfully enforced by the security sensor to prevent execution of malicious code at the virtual machine.
    Type: Application
    Filed: May 11, 2020
    Publication date: September 16, 2021
    Inventors: SHIRISH VIJAYVARGIYA, Vasantha Kumar DHANASEKAR, Sachin SHINDE, Rayanagouda Bheemanagouda PATIL
  • Publication number: 20210216348
    Abstract: Described herein are systems, methods, and software to manage resources for networking operations on a host computing system. In one implementation, a hypervisor on a host computing system may monitor computing resources used by a networking process provided by the hypervisor. The hypervisor further determines that the one or more computing resources used by the networking process satisfy at least one criterion and, in response to determining that the computing resources satisfy at least one criterion, notifies one or more virtual machines supported by the hypervisor to modify one or more execution parameters associated with at least one application in each of the one or more virtual machines.
    Type: Application
    Filed: March 17, 2020
    Publication date: July 15, 2021
    Inventors: SHIVALI SHARMA, Vasantha Kumar Dhanasekar, Rahul Kumar, Rayanagouda Bheemanagouda Patil
  • Patent number: 11057385
    Abstract: Certain embodiments described herein are generally directed to systems and methods for preventing access to files on a virtual machine. One example method involves receiving network information associated with a network connection opened at the virtual machine and determining a process that opened the network connection. The method further involves receiving information indicative of a file access event attempted at the virtual machine and determining the process that opened the network connection initiated the file access event. The method further involves transmitting information indicative of the file access event and the network connection to a security virtual machine and receiving an enforcement decision for the file access event from the security virtual machine based on the information indicative of the file access event and the network connection. The method further involves applying the enforcement decision to either allow or prevent the file access event by the process.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: July 6, 2021
    Assignee: Nicira, Inc.
    Inventors: Nilesh Awate, Rayanagouda Bheemanagouda Patil, Vasantha Kumar, Amit Vasant Patil
  • Publication number: 20200401492
    Abstract: Embodiments of the present disclosure relate to container-level monitoring. Embodiments include detecting, by an agent of a virtual machine, an event. Embodiments include determining, by the agent of the virtual machine, an address related to the event. Embodiments include accessing, by the agent of the virtual machine, container mapping information. Embodiments include locating, by the agent of the virtual machine, the address in the container mapping information. Embodiments include determining, by the agent of the virtual machine, based on the locating, that the event is associated with a container. Embodiments include determining, by the agent of the virtual machine, one or more attributes of the container. Embodiments include determining, by the agent of the virtual machine, based on information related to the event and the one or more attributes of the container, whether to block or allow an action related to the event.
    Type: Application
    Filed: August 8, 2019
    Publication date: December 24, 2020
    Inventors: Shirish Vijayvargiya, Alok Nemchand Kataria, Rayanagouda Bheemanagouda Patil
  • Patent number: 10831520
    Abstract: A system and method of communicating between a hypervisor and virtual machines using object agents within the hypervisor and the virtual machines. Further, the hypervisor and virtual machines include similar datastore mappings that allow the hypervisor and virtual machines to communicate with each other. The object agent of a virtual machine communicates information corresponding to a first object to the object agent of the hypervisor, and the object agent of the hypervisor updates a datastore mapping of the hypervisor. The hypervisor then communicates the information corresponding to the first object to an object agent of another virtual machine.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: November 10, 2020
    Assignee: Nicira, Inc.
    Inventors: Nidhi Sharma, Rayanagouda Bheemanagouda Patil, Goresh Musalay
  • Publication number: 20200236086
    Abstract: Example methods and systems for score-based dynamic firewall rule enforcement in a software-defined networking (SDN) environment. One example method may comprise in response to detecting a first request to access a first resource, identifying a first score associated with the user, and a firewall rule that is applicable to the user based on information associated with the user. The firewall rule may be applied to allow access to the first resource. The method may further comprise adjusting the first score to a second score that represents a more restrictive access level compared to the first score. In response to detecting a second request to access the first resource, applying the firewall rule to block the second request based on the second score.
    Type: Application
    Filed: April 15, 2019
    Publication date: July 23, 2020
    Inventors: RAYANAGOUDA BHEEMANAGOUDA PATIL, VASANTHA KUMAR, SRIRAM GOPALAKRISHNAN, MANDAR BARVE
  • Publication number: 20200089516
    Abstract: Network-efficient isolation environment redistribution is described. In one example, network communications are surveyed among isolation environments, such as virtual machines (VMs) and containers, hosted on a cluster. An affinity for network communications between the isolation environments can be identified based on the survey. Pairs or groups of the isolation environments can be examined to identify ones which have an affinity for network communications between them but are also hosted on different host machines in the cluster. The identification of the affinity for network communications provides network-level context for migration decisions by a distributed resource scheduler. Certain VMs and containers can then be migrated by the distributed resource scheduler to reduce the network communications in the cluster based on the network-level context information.
    Type: Application
    Filed: September 18, 2018
    Publication date: March 19, 2020
    Inventors: Shirish Vijayvargiya, Priyal Rathi, Shailendra Singh Rana, Rayanagouda Bheemanagouda Patil
  • Patent number: 10581705
    Abstract: Techniques for smart service catalogs based deployment of applications in a cloud computing environment are disclosed. In one embodiment, resource information required to deploy an instance of an application is retrieved from a blueprint associated with a client. Further, available resource information may be obtained from a resource reservation associated with the client. A maximum number of instances of the application that can be deployed corresponding to the client is determined based on the resource information required to deploy the instance of the application and the available resource information. A service catalog including the maximum number of instances of the application that can be deployed based on the blueprint is generated. The service catalog is used to enable deployment of at least one instance of the application corresponding to the client.
    Type: Grant
    Filed: October 24, 2017
    Date of Patent: March 3, 2020
    Assignee: VMware, Inc.
    Inventors: Rayanagouda Bheemanagouda Patil, Rahul Kumar
  • Publication number: 20190364047
    Abstract: Certain embodiments described herein are generally directed to systems and methods for preventing access to files on a virtual machine. One example method involves receiving network information associated with a network connection opened at the virtual machine and determining a process that opened the network connection. The method further involves receiving information indicative of a file access event attempted at the virtual machine and determining the process that opened the network connection initiated the file access event. The method further involves transmitting information indicative of the file access event and the network connection to a security virtual machine and receiving an enforcement decision for the file access event from the security virtual machine based on the information indicative of the file access event and the network connection. The method further involves applying the enforcement decision to either allow or prevent the file access event by the process.
    Type: Application
    Filed: July 12, 2018
    Publication date: November 28, 2019
    Inventors: NILESH AWATE, Rayanagouda Bheemanagouda Patil, Vasantha Kumar, Amit Vasant Patil
  • Publication number: 20190213026
    Abstract: A system and method of communicating between a hypervisor and virtual machines using object agents within the hypervisor and the virtual machines. Further, the hypervisor and virtual machines include similar datastore mappings that allow the hypervisor and virtual machines to communicate with each other. The object agent of a virtual machine communicates information corresponding to a first object to the object agent of the hypervisor, and the object agent of the hypervisor updates a datastore mapping of the hypervisor. The hypervisor then communicates the information corresponding to the first object to an object agent of another virtual machine.
    Type: Application
    Filed: February 26, 2018
    Publication date: July 11, 2019
    Inventors: Nidhi Sharma, Rayanagouda Bheemanagouda Patil, Goresh Musalay