Patents by Inventor Shirish Vijayvargiya

Shirish Vijayvargiya has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240134961
    Abstract: The current document is directed to automated methods and systems that monitor system-call execution by operating systems in order to detect operating-system corruption. A disclosed implementation of the currently disclosed automated system-call-integrity monitor generates operational system-call fingerprints for randomly selected system calls executed by guest operating systems of randomly selected virtual machines and compares the operational system-call fingerprints to reference system-call fingerprints in order to detect operational anomalies of guest operating systems that are likely to represent guest-operating-system corruption. In disclosed implementations, a system-call fingerprint includes a system-call execution time, the number of instructions executed during execution of the system call, and a snapshot of the call stack taken during execution of the system call.
    Type: Application
    Filed: October 19, 2022
    Publication date: April 25, 2024
    Applicant: VMware, Inc
    Inventors: Sachin Shinde, Shirish Vijayvargiya, Amardeep Nagarkar, Sunil Hasbe
  • Patent number: 11949651
    Abstract: In some embodiments, a method stores domain name system (DNS) resolution mappings from a domain name to an address in a first table. The DNS resolution mappings are intercepted from DNS responses being sent by a DNS server. The first table is sent to a manager for validation of the DNS resolution mappings. Then, a second table is received from the manager that contains validated DNS resolution mappings. The method intercepts a DNS response that includes a domain name to address resolution mapping from the DNS server and validates the domain name to address resolution mapping using a validated DNS resolution mapping in the second table.
    Type: Grant
    Filed: February 6, 2023
    Date of Patent: April 2, 2024
    Assignee: VMware LLC
    Inventors: Shirish Vijayvargiya, Sunil Hasbe, Nakul Ogale, Sachin Shinde
  • Publication number: 20240095351
    Abstract: In one set of embodiments, an enhanced next generation anti-virus (NGAV) system is provided. In certain embodiments, this system includes a hypervisor-level agent that backs up VM data only when an instance of a guest application running in the VM has been flagged by the NGAV system as being potentially malicious (rather than on a constant, proactive basis). Further, the hypervisor-level agent performs this backup only with respect to data modified by that specific guest application instance (rather than backing up all data modified by the VM) and writes the backed-up data to a secure storage location which is inaccessible to the guest. The combination of these features addresses many of the problems and inefficiencies of existing NGAV systems.
    Type: Application
    Filed: September 19, 2022
    Publication date: March 21, 2024
    Inventors: Shirish VIJAYVARGIYA, Vasantha Kumar DHANASEKAR, Bidesh CHITNIS, Nakul Ranjan OGALE, Bharath Kumar CHANDRASEKHAR, Boris WEISSMAN, Robert James SPEAKER
  • Patent number: 11922199
    Abstract: An in-guest agent in a virtual machine (VM) operates in conjunction with a replication module. The replication module performs continuous data protection (CDP) by saving images of the VM as checkpoints at a disaster recovery site over time. Concurrently, the in-guest agent monitors for behavior in the VM that may be indicative of the presence of malicious code. If the in-guest agent identifies behavior (at a particular point in time) at the VM that may be indicative of the presence of malicious code, the replication module can tag a checkpoint that corresponds to the same particular point in time as a security risk. One or more checkpoints generated prior to the particular time may be determined to be secure checkpoints that are usable for restoration of the VM.
    Type: Grant
    Filed: March 2, 2020
    Date of Patent: March 5, 2024
    Assignee: VMware, Inc.
    Inventors: Sunil Hasbe, Shirish Vijayvargiya
  • Publication number: 20240020146
    Abstract: Computer-implemented methods, media, and systems for providing container visibility and observability are disclosed. In one computer-implemented method, a host device connected to a cloud server detects a plurality of events comprising a first event, wherein the host device hosts a plurality of containers that generate the plurality of events. The host device identifies a first container identifier of the first event and checks a container tracking database to determine if the container tracking database includes the first container identifier. In response to determining that the container tracking database does not include the first container identifier, the host device creates a container start event indicating a start of a first container identified by the first container identifier, and sends the container start event to the cloud server for providing a container inventory that reflects statuses of the plurality of events and the plurality of containers in the host device.
    Type: Application
    Filed: September 22, 2022
    Publication date: January 18, 2024
    Inventors: SHIRISH VIJAYVARGIYA, SUNIL HASBE
  • Publication number: 20240022588
    Abstract: Computer-implemented methods, media, and systems for providing container security manageability are disclosed. In one computer-implemented method, a host device connected to a cloud server detects an event of a plurality of events generated by a plurality of containers hosted in the host device. The host device identifies container context data of the event, associates the container context data with the event, and sends the container context data to the cloud server for security analysis. The host device receives, from the cloud server, security rules based on the security analysis and implements the security rules.
    Type: Application
    Filed: September 22, 2022
    Publication date: January 18, 2024
    Inventors: Shirish Vijayvargiya, Sunil Hasbe
  • Publication number: 20240012943
    Abstract: An example method of securing communication between a client and a security agent executing in a host includes: receiving, at the security agent, a connection request from the client; obtaining, by the security agent from an operating system executing in the host, a process identifier for the client; identifying, by the security agent, a file path for a process binary from which the client executed; verifying at least a portion of the file path against an expected value known by the security agent; validating a signature of the process binary; and accepting, at the security agent, the connection request from the client in response to successful verification of the file path and successful validation of the signature.
    Type: Application
    Filed: September 7, 2022
    Publication date: January 11, 2024
    Inventors: SHIRISH VIJAYVARGIYA, PANKAJ MAHESHKUMAR MANSUKHANI, SUNIL HASBE, SARJERAO PATIL, SATYAJEET KUMAR
  • Publication number: 20240015184
    Abstract: A method of applying a security policy to a virtual computing instance, according to an embodiment, includes: determining that a universally unique identifier (UUID) of the virtual computing instance does not match an identifier stored in a configuration file of the virtual computing instance; transmitting a request to register the virtual computing instance with a cloud platform for managing security policies of a virtual infrastructure that includes the virtual computing instance, the request including the UUID of the virtual computing instance and the identifier stored in the configuration file of the virtual computing instance; in response to the request, receiving an identifier of a security policy to be applied; and retrieving the security policy and applying the security policy to the virtual computing instance.
    Type: Application
    Filed: September 5, 2022
    Publication date: January 11, 2024
    Inventors: SHIRISH VIJAYVARGIYA, NAKUL OGALE, SUNIL HASBE, ROSHAN KOLHE
  • Patent number: 11847485
    Abstract: Network-efficient isolation environment redistribution is described. In one example, network communications are surveyed among isolation environments, such as virtual machines (VMs) and containers, hosted on a cluster. An affinity for network communications between the isolation environments can be identified based on the survey. Pairs or groups of the isolation environments can be examined to identify ones which have an affinity for network communications between them but are also hosted on different host machines in the cluster. The identification of the affinity for network communications provides network-level context for migration decisions by a distributed resource scheduler. Certain VMs and/or containers can then be migrated by the distributed resource scheduler to reduce the network communications in the cluster based on the network-level context information.
    Type: Grant
    Filed: April 19, 2022
    Date of Patent: December 19, 2023
    Assignee: VMware, Inc.
    Inventors: Shirish Vijayvargiya, Priyal Rathi, Shailendra Singh Rana, Rayanagouda Bheemanagouda Patil
  • Patent number: 11841797
    Abstract: The disclosure provides an approach for content based read cache (CBRC) digest file creation. Embodiments include determining a mapping between entries in a CBRC and physical block addresses (PBAs) associated with a source virtual machine (VM). Embodiments include creating a clone VM based on the source VM. Embodiments include, for each data block associated with the clone VM: determining a PBA associated with a logical block address (LBA) of the data block, determining, based on the mapping, whether data associated with the PBA is cached in the CBRC, and, if the data associated with the PBA is cached in the CBRC, copying a hash of the data from a first digest file of the source VM to a second digest file of the clone VM and associating the hash with the LBA in the second digest file.
    Type: Grant
    Filed: March 2, 2022
    Date of Patent: December 12, 2023
    Assignee: VMWARE, INC.
    Inventor: Shirish Vijayvargiya
  • Publication number: 20230251967
    Abstract: The disclosure provides an approach for content based read cache (CBRC) digest file creation. Embodiments include determining a mapping between entries in a CBRC and physical block addresses (PBAs) associated with a source virtual machine (VM). Embodiments include creating a clone VM based on the source VM. Embodiments include, for each data block associated with the clone VM: determining a PBA associated with a logical block address (LBA) of the data block, determining, based on the mapping, whether data associated with the PBA is cached in the CBRC, and, if the data associated with the PBA is cached in the CBRC, copying a hash of the data from a first digest file of the source VM to a second digest file of the clone VM and associating the hash with the LBA in the second digest file.
    Type: Application
    Filed: March 2, 2022
    Publication date: August 10, 2023
    Inventor: SHIRISH VIJAYVARGIYA
  • Publication number: 20230229468
    Abstract: In an example, a management node includes a processor and a memory communicatively coupled to the processor. The memory may include an advisory module to receive data related to a login pattern of a user over a period of time and predict a time to launch a virtual desktop session for the user based on the received data. Further, the advisory module may fetch, via a network, a security policy from a cloud-based endpoint protection platform prior to the predicted time. Furthermore, the advisory module may populate a virtual machine with the security policy before the user logs into the virtual desktop session. Then, the advisory module may create the virtual desktop session using the virtual machine populated with the security policy in response to a determination that the user logged into the virtual desktop session prior to an expiration of a timer.
    Type: Application
    Filed: March 17, 2022
    Publication date: July 20, 2023
    Inventors: SHIRISH VIJAYVARGIYA, BIDESH CHITNIS
  • Publication number: 20230229756
    Abstract: Rapid launch of secure executables in a virtualized environment includes using a persisted security cache in a virtualized component (VC), such as a virtual machine. The VC generates a cache integrity value (IV), such as a hash value, for the security cache and sends it to a remote validator, which returns an indication of security cache validity or invalidity. Upon receiving a request to execute applications, the VC analyzes whether the applications have been determined to be safe to execute and have not been altered. The VC retrieves application IVs from the security cache, rather than hashing each of the applications, thereby saving compute time, and sends the application IVs to a remote validator, which returns an indication of application validity or invalidity.
    Type: Application
    Filed: March 23, 2022
    Publication date: July 20, 2023
    Inventors: VASANTHA KUMAR DHANASEKAR, Shirish Vijayvargiya, Bharath Kumar Chandrasekhar, Leena Shuklendu Soman
  • Publication number: 20230222361
    Abstract: Some embodiments of the invention provide a method for deploying machines for users in a software-defined datacenter (SDDC). The method in some embodiments is performed by a host computer that executes one or more machines. The method formulates a prediction regarding a particular user that is likely to log into a particular machine (e.g., virtual machine (VM), Pod, container, etc.) executing on a host computer of the SDDC in a future time period. Before the user logs into the particular machine, the method pre-fetches from a server a set of rules for a set of network elements that will process data messages associated with the machine after the particular user starts using the particular machine. The method uses the pre-fetched set of rules to configure the set of network elements to process data messages from the particular machine when the particular user logs into the machine during the time period.
    Type: Application
    Filed: October 15, 2022
    Publication date: July 13, 2023
    Inventors: Shirish Vijayvargiya, Vasantha Kumar Dhanasekar, Sunil Hasbe
  • Publication number: 20230222210
    Abstract: A method for automatically reregistering a clone virtual machine with a cloud security monitoring service is provided. The method generally includes detecting a connection between a cloud agent running in a virtual machine on a host and a hypervisor module on the host. In response to detecting the connection, the cloud agent queries the hypervisor module for one or more first identifiers of the virtual machine. The method generally includes checking a database, by the cloud agent, for one or more second identifiers stored in the database matching the one or more first identifiers received from the hypervisor module and, based on finding no second identifiers stored in the database matching the one or more first identifiers, sending a request to the cloud security monitoring service to register the virtual machine with the cloud security monitoring service.
    Type: Application
    Filed: March 23, 2022
    Publication date: July 13, 2023
    Inventors: Leena Shuklendu Soman, Bharath Kumar Chandrasekhar, Shirish Vijayvargiya, Vasantha Kumar Dhanasekar, Vaibhav Mohan Rekhate
  • Publication number: 20230208810
    Abstract: Example methods and systems for a computer system to perform context-aware service query filtering are described. One example may involve a computer system intercepting a service query from a virtualized computing instance to pause forwarding of the service query towards a destination; and obtaining context information associated with an application running on the virtualized computing instance. In response to determination that the service query is a potential security threat based on the context information, service query filtering may be performed to inspect the service query for malicious activity. Otherwise, in response to determination that the service query is not a potential security threat based on the context information, the service query filtering may be skipped and the service query forwarded towards the destination.
    Type: Application
    Filed: February 17, 2022
    Publication date: June 29, 2023
    Inventors: VASANTHA KUMAR DHANASEKAR, SHIRISH VIJAYVARGIYA, LEENA SHUKLENDU SOMAN
  • Publication number: 20230188497
    Abstract: In some embodiments, a method stores domain name system (DNS) resolution mappings from a domain name to an address in a first table. The DNS resolution mappings are intercepted from DNS responses being sent by a DNS server. The first table is sent to a manager for validation of the DNS resolution mappings. Then, a second table is received from the manager that contains validated DNS resolution mappings. The method intercepts a DNS response that includes a domain name to address resolution mapping from the DNS server and validates the domain name to address resolution mapping using a validated DNS resolution mapping in the second table.
    Type: Application
    Filed: February 6, 2023
    Publication date: June 15, 2023
    Inventors: Shirish Vijayvargiya, Sunil Hasbe, Nakul Ogale, Sachin Shinde
  • Patent number: 11645390
    Abstract: A next generation antivirus (NGAV) security solution in a virtualized computing environment includes a security sensor at a virtual machine that runs on a host and a security engine remote from the host. The integrity of the NGAV security solution is increased, by providing a verification as to whether a verdict issued by the security engine has been successfully enforced by the security sensor to prevent execution of malicious code at the virtual machine.
    Type: Grant
    Filed: May 11, 2020
    Date of Patent: May 9, 2023
    Assignee: VMWARE, INC.
    Inventors: Shirish Vijayvargiya, Vasantha Kumar Dhanasekar, Sachin Shinde, Rayanagouda Bheemanagouda Patil
  • Patent number: 11645400
    Abstract: The present disclosure describes secured interprocess communication (IPC). The operating system traps application-level IPC calls to an IPC agent, which handles the IPC call. The IPC agent executes in a trusted execution environment so that communications between the applications involved in the IPC are secure. Since processing of IPC by the IPC agent bypasses the operating system, IPC remains secure despite any attacks against the operating system code.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: May 9, 2023
    Assignee: VMware, Inc.
    Inventors: Sachin Shinde, Shirish Vijayvargiya
  • Publication number: 20230041397
    Abstract: System and method for checking reputations of executable files in an endpoint device use an integrity verification on an executable file being scanned to determine whether the executable file has been unaltered since being installed in the endpoint device. When the executable file has been determined to be unaltered since being installed in the endpoint device, a file origin analysis is executed on the executable file based on a vendor identifier for the executable file to determine whether the executable file is from an approved source. When the executable file is determined to be from an approved source, an output is produced that indicates that the executable file has an approved reputation.
    Type: Application
    Filed: October 22, 2021
    Publication date: February 9, 2023
    Inventors: SHIRISH VIJAYVARGIYA, PANKAJ SURYAWANSHI, ROSHAN KOLHE