Abstract: The disclosure provides an approach for implementing a distributed firewall within a data center. The firewall is implemented as a kernel space filter driver within the operating system of virtual machines. Each virtual machine hosts several user sessions. The firewall may be dynamically updated with new security policies, either by an administrator or a component of the data center.

Abstract: Systems and methods are described for efficient ways to manage storage of data in virtual desktops on writable volumes contained in attachable virtual disks. Multiple writeable volumes can be attached to a user's virtual desktop and data writes on the virtual desktop can be allocated among the writeable volumes based on preset policies or criteria, allowing the storage of different types of data in different writable volumes located on different storage devices.

Abstract: A method of migrating a user profile to a virtual desktop infrastructure (VDI) system includes enumerating applications installed at an endpoint of a user, retrieving a list of application settings files, determining file and registry locations of user profile data relating to the applications installed at the endpoint from the application settings files, and retrieving the user profile data from the determined file and registry locations and storing the user profile data in a shared storage. When a user logs in to a virtual desktop of the VDI system, the user profile data is retrieved from the shared storage and imported into file and registry locations specified by the application settings files of applications that are installed in the virtual desktop.

Abstract: The disclosure provides for repositioning applications from physical devices to a cloud location without removing the applications from the physical devices. This provides advantages of cloud-based availability for the applications while preserving device configurations. Thus, a user may continue to use the local version during transition to cloud usage so that if a problem arises during transition, adverse effects on user productivity are mitigated. Examples include generating, on a device, a first virtualization layer, and uninstalling an application from the first virtualization layer while capturing uninstallation traffic within the first virtualization layer. Examples further include generating, on the device, a second virtualization layer, installing the application in the second virtualization layer, and generating, from the second virtualization layer with the installed application, an application package. Examples are able to position the application package on a remote node for execution.

Abstract: The disclosure provides an approach for authenticating a user of a computer system, wherein the computer system implements a virtual desktop infrastructure (VDI), the method comprising connecting to a computing device through a network, receiving from the computing device authentication credentials, and determining whether the authentication credentials match an authorized user of the computer system. The approach further comprises extracting from the computing device features of the computing device, retrieving a machine learning (ML) model associated with the authorized user, wherein the ML model is at least one of (a) a supervised ML model or (b) an unsupervised ML model, and executing the ML model to authenticate the features of the computing device.

Abstract: A method of downloading or opening a file in response to a user input made through an application running in the computer system, includes the steps of detecting by the application that the user input is to download or open a file, issuing a request by the application to a file sanitation server to sanitize the file to remove embedded codes in the file and return the sanitized file, and upon receiving the sanitized file by the application, saving the sanitized file in a folder where the sanitized file can be opened.

Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway sever, a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data. The gateway can permit user device access a virtual session hosted on a virtual machine (“VM”) server. The VM server can use the compliance profile and security data from the user device to determine a risk profile of the user device. The virtual session can be configured at the VM server based on the risk profile so as to allow access to a subset of available applications and functions within the applications for the virtual session.

Abstract: Data that includes user data and application data that is generated during a remote desktop session to a cloud computing system is stored in cloud storage according to a risk level of the remote desktop session. The storage device has provisioned therein a plurality of storage containers, including first and second storage containers, where the first storage container stores less percentage of the user data than the second storage container. The first storage container is selected for storing the user data if the determined risk level of the remote desktop session is at a first level and the second storage container is selected for storing the user data if the determined risk level of the remote desktop session is at a second level that is lower than the first level.

Abstract: A system and method of de-elevating a process created in a computing device of a computer system are disclosed. In certain aspects, a method includes detecting a user login within a login session of a computing device in the computer system, the login session having a default security context. The method also includes creating a de-elevated security context for the login session, wherein the de-elevated security context has fewer privileges than the default security context. The method also includes detecting a process being created within the login session. The method further includes determining that the process is potentially malicious by comparing an intended state and a digital profile of the computing device. The method also includes launching the process using the de-elevated security context.

Abstract: A method of downloading or opening a file in response to a user input made through an application running in the computer system, includes the steps of detecting by the application that the user input is to download or open a file, issuing a request by the application to a file sanitation server to sanitize the file to remove embedded codes in the file and return the sanitized file, and upon receiving the sanitized file by the application, saving the sanitized file in a folder where the sanitized file can be opened.

Abstract: Examples herein describe systems and methods for concealing internal applications that are accessed over the internet. A user device can select a remote internal application to access using a client. The user device can send an access request to an open listening port of an access server. The access server can be a gateway and proxy to the internal application, which can reside elsewhere. The access server can open a different randomized access port for establishing the connection by proxy to the internal application. The port number for the access port can be identified in the access request at the listening port. The access server can open the access port for a short time interval. The connection can be made through the access port during that time interval. A firewall can then close the access port but maintain an established connection between the user device and the internal application.

Abstract: A method of migrating a user profile to a virtual desktop infrastructure (VDI) system includes enumerating applications installed at an endpoint of a user, retrieving a list of application settings files, determining file and registry locations of user profile data relating to the applications installed at the endpoint from the application settings files, and retrieving the user profile data from the determined file and registry locations and storing the user profile data in a shared storage. When a user logs in to a virtual desktop of the VDI system, the user profile data is retrieved from the shared storage and imported into file and registry locations specified by the application settings files of applications that are installed in the virtual desktop.

Abstract: Data that includes user data and application data that is generated during a remote desktop session to a cloud computing system is stored in cloud storage according to a risk level of the remote desktop session. The storage device has provisioned therein a plurality of storage containers, including first and second storage containers, where the first storage container stores less percentage of the user data than the second storage container. The first storage container is selected for storing the user data if the determined risk level of the remote desktop session is at a first level and the second storage container is selected for storing the user data if the determined risk level of the remote desktop session is at a second level that is lower than the first level.

Abstract: User profiles of applications installed in a user environment, which may be compromised by malware, are managed to protect against such malware gaining access to sensitive data that may be contained in the user profiles. The method includes the steps of detecting, by a management agent of a user environment, a launch of an application within the user environment, verifying, by a filter driver, an identity of the application against a stored profile of the application, and responsive to determining that the identity of the application matches the stored profile of the application, importing, by the management agent, an encrypted user profile from a remote storage to local storage, decrypting, by the filter driver, the encrypted user profile, and providing the decrypted user profile to the application.

Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway sever, a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data. The gateway can permit user device access a virtual session hosted on a virtual machine (“VM”) server. The VM server can use the compliance profile and security data from the user device to determine a risk profile of the user device. The virtual session can be configured at the VM server based on the risk profile so as to allow access to a subset of available applications and functions within the applications for the virtual session.

Abstract: Systems and methods are described for providing ways to protect client devices in communication with virtual desktops and virtual applications from keylogging attacks. A keyboard filter driver obfuscates scancodes from key presses produced on the keyboard of the client device so that malicious keylogging or keyboard hooking software is not able to observe user inputs. The obfuscated scancodes are conveyed and de-obfuscated before being applied in the virtual desktop or virtual application.

Abstract: The disclosure provides for repositioning applications from physical devices to a cloud location without removing the applications from the physical devices. This provides advantages of cloud-based availability for the applications while preserving device configurations. Thus, a user may continue to use the local version during transition to cloud usage so that if a problem arises during transition, adverse effects on user productivity are mitigated. Examples include generating, on a device, a first virtualization layer, and uninstalling an application from the first virtualization layer while capturing uninstallation traffic within the first virtualization layer. Examples further include generating, on the device, a second virtualization layer, installing the application in the second virtualization layer, and generating, from the second virtualization layer with the installed application, an application package. Examples are able to position the application package on a remote node for execution.

Abstract: The disclosure provides for repositioning applications from physical devices to a cloud location without removing the applications from the physical devices. This provides advantages of cloud-based availability for the applications while preserving device configurations. Thus, a user may continue to use the local version during transition to cloud usage so that if a problem arises during transition, adverse effects on user productivity are mitigated. Examples include generating, on a device, a first virtualization layer, and uninstalling an application from the first virtualization layer while capturing uninstallation traffic within the first virtualization layer. Examples further include generating, on the device, a second virtualization layer, installing the application in the second virtualization layer, and generating, from the second virtualization layer with the installed application, an application package. Examples are able to position the application package on a remote node for execution.

Abstract: The disclosure provides an approach for implementing a distributed firewall within a data center. The firewall is implemented as a kernel space filter driver within the operating system of virtual machines. Each virtual machine hosts several user sessions. The firewall may be dynamically updated with new security policies, either by an administrator or a component of the data center.

Abstract: An example method of dynamic privilege management in a computer system includes: receiving a task name at a service configured to launch a process corresponding to the task name. The method also includes determining the process is associated with an elevated security context based on a policy that associates the task name with the elevated security context. The method also includes launching, by the service, the process using the elevated security context such that the process runs with elevated privileges.