Abstract: Containers that store data objects that were written to those containers during a particular backup are accessed. Then, a subset of the containers is identified; the containers in the subset have less than a threshold number of data objects associated with the particular backup. Data objects that are in containers in that subset and that are associated with the backup are copied to one or more other containers. Those other containers are subsequently used to restore data objects associated with the backup.

Abstract: A computer-implemented method for data loss prevention on mobile computing systems may include (1) identifying a mobile computing system configured to execute only one application at a time as a foreground application, (2) determining that the mobile computing system has begun executing a sensitive application as the foreground application, (3) identifying a first enumeration of screenshots stored on the mobile computing system when the mobile computing system began executing the sensitive application as the foreground application, (4) identifying a second enumeration of screenshots stored on the mobile computing system, (5) determining that at least one new screenshot was taken on the mobile computing system while the sensitive application was the foreground application by detecting a difference between the first enumeration and the second enumeration, and (6) performing a security action upon detecting the difference. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A system and method for efficient security protocols in a virtualized datacenter environment are contemplated. In one embodiment, a system is provided comprising a hypervisor coupled to one or more protected virtual machines (VMs) and a security VM. Within a private communication channel, a split kernel loader provides an end-to-end communication between a paravirtualized security device driver, or symbiont, and the security VM. The symbiont monitors kernel-level activities of a corresponding guest OS, and conveys kernel-level metadata to the security VM via the private communication channel. Therefore, the well-known semantic gap problem is solved. The security VM is able to read all of the memory of a protected VM, detect locations of memory compromised by a malicious rootkit, and remediate any detected problems.

Abstract: A computer-implemented method for using cloud-based storage to optimize data-storage operations may include: 1) receiving a request from a client device for instructions or directions for storing a data object, 2) accessing a data-placement policy that contains criteria for identifying storage systems suitable for storing the data object, 3) identifying, based at least in part on the data-placement policy, a plurality of storage systems for storing the data object, at least one of the storage systems including a third-party Internet-based storage system, and then 4) directing the client device to store the data object on the identified storage systems.

Abstract: A system and method for storing a data object in a single-instance storage system are described. The data object may be deconstructed into a template and one or more values. If the template is not already stored in the single-instance storage system then it may be stored. Otherwise an existing copy of the template may be referenced. Similarly, existing copies of the values may be referenced if they are already present, or otherwise the values may be stored. Reconstruction information useable to reconstruct the data object may also be stored. The reconstruction information may reference the template and the one or more values stored in the single-instance storage system.

Abstract: A computer-implemented method for monitoring a mobile-computing device using geo-location information is disclosed. The method may include a learning phase. During the learning phase, a user may be located within a first range of physical locations during a recurring time period. The method may include generating a location profile for a mobile-computing device of the user and receiving a device-monitoring policy for the mobile-computing device from an administrator. The location profile may correlate the first range of physical locations with the recurring time period. The method may further include detecting, after the learning phase, that the mobile-computing device is outside the first range of physical locations during a first instance of the recurring time period. The method may also include implementing the device-monitoring policy after detecting that the mobile-computing device is outside the first range of physical locations during the first instance of the recurring time period.

Abstract: A computer-implemented method for providing network access control in virtual environments. The method may include: 1) injecting a transient security agent into a virtual machine that is running on a host machine; 2) receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies; and 3) controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies. Various other methods, systems, and computer-readable media are also disclosed herein.

Abstract: A method processing one or more files using a security application. The method includes a method processing one or more files using a security application. The method includes connecting the client to a proxy server, which is coupled to one or more NAS servers. The method includes requesting for a file from a client to the proxy server and authenticating a requesting user of the client. The method also includes authorizing the requesting user for the file requested; requesting for the file from the one or more NAS servers after authenticating and authorizing; and requesting for the file from the one or more storage elements. The file is transferred from the one or more storage elements through the NAS server to the proxy server. The method determines header information on the file at the proxy server and identifies a policy based upon the header information at the proxy server. The method also includes processing (e.g.

Abstract: An apparatus for security applications, e.g., encryption. The apparatus has an interface (e.g., MAC) coupled to a fiber channel. The interface is adapted to receive a frame from the fiber channel. The apparatus also has a classifier coupled to the interface, which is adapted to determine an information type associated with the frame. The type is selected from at least an initiator, data, or terminator. The classifier is adapted to determine header information associated with the frame. A content addressable memory is coupled to the classifier.

Abstract: A system (and methods) for performing a service operation on a Fibre Channel or other like channels. The system has an interface coupled to a Fibre Channel. A classifier is coupled to the interface. The classifier is adapted to receive an initiator frame from the interface. The classifier is adapted to determine header information from the initiator frame and is also adapted to determine source information, destination information, and exchange information from the header information. A flow content addressable memory is coupled to the classifier. The flow content addressable memory is configured to store one or more header information. Each of the one or more header information is associated with a state. The system has a rule content addressable memory coupled to the classifier. The rule content addressable memory is configured to store one of a plurality of policies. A processing module is coupled to the classifier.

Abstract: A method processing one or more files using a security application. The method includes a method processing one or more files using a security application. The method includes connecting the client to a proxy server, which is coupled to one or more NAS servers. The method includes requesting for a file from a client to the proxy server and authenticating a requesting user of the client. The method also includes authorizing the requesting user for the file requested; requesting for the file from the one or more NAS servers after authenticating and authorizing; and requesting for the file from the one or more storage elements. The file is transferred from the one or more storage elements through the NAS server to the proxy server. The method determines header information on the file at the proxy server and identifies a policy based upon the header information at the proxy server. The method also includes processing (e.g.

Abstract: A novel system for a network of computers to improve quality of services using a combination of a bandwidth mangement tool in a firewall. The present system includes, among other elements, a plurality of computers, which are each coupled to each other to form an internal network of computers (e.g., local area network or LAN). The system also includes a server, which has a memory sufficient to store a firewall program. The server is coupled to at least one of the plurality of computers, where the server is also coupled to an outgoing line to a wide area network of computers, which can be, for example, the Intenet. A bandwidth management tool is coupled to or stored in the server, where the bandwidth management tool is capable of monitoring incoming and outgoing information to and from the server.

Abstract: A method for reconfiguring network security devices coupled to a network directory services server, the network directory services server providing network directory services to the network security devices, includes the steps of storing configuration data for a first network security device at a pre-determined directory location, copying the configuration data from the predetermined directory location to a directory used by the first network security device using the network directory services in response to a first reconfigure request, and updating configuration of the first network security device according to the configuration data in the directory used by the first network security device.

Abstract: A method for configuring a plurality of network security devices, includes the steps of providing a network directory services server providing network directory services to a plurality of network servers, each of the plurality of network servers coupled to one of the plurality of network security devices, implementing a security policy for the plurality of network security devices on the network directory services server, and using the network directory services to provide configuration information for the plurality of network security devices, in response to the security policy.

Abstract: A method for managing quality of service in a firewall server (110), the firewall server (11) coupling a data source to a data receiver, includes the steps of estimating a bit rate over a round-trip-time between the data source and the data receiver, receiving a receive acknowlegment signal from the data receiver, thereafter delaying transmission of a receive acknowlegment signal when the bit rate is greater than a bit rate limit, and transmitting the receive acknowlegment signal to the data source when the bit rate is not greater than the bit

Abstract: A novel method for a network of computers to improve quality of services using a combination of a bandwidth management tool in a firewall. The method includes the steps of providing a network directory services server providing network directory services to a plurality of network servers, each of the plurality of network servers coupled to one of the plurality of network quality of service devices, implementing a quality of service policy for the plurality of network quality of service devices on the network directory services server, and using the network directory services to provide configuration information for the plurality of network quality of service devices, in response to the quality of service policy.