Patents by Inventor Sisimon Soman

Sisimon Soman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210117208
    Abstract: A method of migrating a user profile to a virtual desktop infrastructure (VDI) system includes enumerating applications installed at an endpoint of a user, retrieving a list of application settings files, determining file and registry locations of user profile data relating to the applications installed at the endpoint from the application settings files, and retrieving the user profile data from the determined file and registry locations and storing the user profile data in a shared storage. When a user logs into a virtual desktop of the VDI system, the user profile data is retrieved from the shared storage and imported into file and registry locations specified by the application settings files of applications that are installed in the virtual desktop.
    Type: Application
    Filed: October 18, 2019
    Publication date: April 22, 2021
    Inventors: Charansing DEORE, Sisimon SOMAN
  • Patent number: 10936352
    Abstract: A system is described for high-performance delivery of applications via attachable application storage volumes (ASV), particularly in cloud-based VDI environments, by precaching application data that is determined by learning the application behavior. Data blocks for files that are likely to be used by the application are prefetched and cached by virtual machines before the application requests those blocks so that the relevant data is instantly available in memory when required without needing to wait for the data to be transmitted from the ASV. In order to efficiently prefetch content, the read pattern for application files and their corresponding blocks is inspected. This information is used during application delivery after a user logs onto the virtual machine to selectively prefetch those blocks from the ASVs. As a result, when the user launches those applications, the system avoids the performance penalty of reading those blocks from the ASV.
    Type: Grant
    Filed: June 22, 2019
    Date of Patent: March 2, 2021
    Assignee: VMware, Inc.
    Inventors: Sisimon Soman, Arun Passi, Parag Chakraborty
  • Publication number: 20210026654
    Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway server a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data for the user device and compare it to a minimum access policy (“MAP”). The MAP can include threshold or binary values for states of a group of user device operational aspects. Where the compliance profile satisfies the MAP, the gateway can permit the user device to access a virtual session hosted on a virtual machine (“VM”) server. The virtual session can be configured at the VM server based on the compliance profile so as to allow access to a portion of a full virtual session capability scheme.
    Type: Application
    Filed: July 26, 2019
    Publication date: January 28, 2021
    Inventors: Sisimon Soman, Vignesh Raja Jayaraman
  • Publication number: 20200401387
    Abstract: Certain embodiments described herein are generally directed to executing applications on a computing device. In some embodiments, a method includes receiving, by an app store interface, a first distribution package from an app store, the first distribution package comprising a first virtual disk file comprising an application. The method further includes opening, by an application agent, the first virtual disk file based on a file type association (FTA) between the first virtual disk file and the application agent. The method further includes storing, by the application agent, the application in a second virtual disk file. The method also includes mounting the second virtual disk file at the computing device. The method also includes executing the application stored on the mounted second virtual disk file.
    Type: Application
    Filed: June 18, 2019
    Publication date: December 24, 2020
    Inventors: Sisimon SOMAN, Jairam CHOUDHARY, Vignesh Raja JAYARAMAN
  • Publication number: 20200401428
    Abstract: A system is described for high-performance delivery of applications via attachable application storage volumes (ASV), particularly in cloud-based VDI environments, by precaching application data that is determined by learning the application behavior. Data blocks for files that are likely to be used by the application are prefetched and cached by virtual machines before the application requests those blocks so that the relevant data is instantly available in memory when required without needing to wait for the data to be transmitted from the ASV. In order to efficiently prefetch content, the read pattern for application files and their corresponding blocks is inspected. This information is used during application delivery after a user logs onto the virtual machine to selectively prefetch those blocks from the ASVs. As a result, when the user launches those applications, the system avoids the performance penalty of reading those blocks from the ASV.
    Type: Application
    Filed: June 22, 2019
    Publication date: December 24, 2020
    Inventors: Sisimon Soman, Arun Passi, Parag Chakraborty
  • Publication number: 20200241905
    Abstract: A system is described for fault-tolerant delivery of virtualized applications. A client on a client device requests access to a virtualized application. The application is launched in a server-based virtual machine and computer vision is used to determine whether the application launched successfully based on the UI produced by the application. If it is determined that the application failed to launch successfully, an alternative mechanism is used to deliver access to the application using an application storage volume (ASV), which is a mountable container containing the application. In one approach, the ASV is mounted directly to the client device. In another approach, a second virtual machine is launched and the ASV is mounted on the second virtual machine.
    Type: Application
    Filed: January 25, 2019
    Publication date: July 30, 2020
    Inventors: Sisimon Soman, Jairam Choudhary
  • Publication number: 20200225964
    Abstract: The disclosure provides an approach for authenticating a user of a computer system, wherein the computer system implements a virtual desktop infrastructure (VDI), the method comprising connecting to a computing device through a network, receiving from the computing device authentication credentials, and determining whether the authentication credentials match an authorized user of the computer system. The approach further comprises extracting from the computing device features of the computing device, retrieving a machine learning (ML) model associated with the authorized user, wherein the ML model is at least one of (a) a supervised ML model or (b) an unsupervised ML model, and executing the ML model to authenticate the features of the computing device.
    Type: Application
    Filed: January 16, 2019
    Publication date: July 16, 2020
    Inventors: Sisimon SOMAN, Matthew CONOVER, Arindam NAG
  • Publication number: 20200184074
    Abstract: A system and method of de-elevating a process created in a computing device of a computer system are disclosed. In certain aspects, a method includes detecting a user login within a login session of a computing device in the computer system, the login session having a default security context. The method also includes creating a de-elevated security context for the login session, wherein the de-elevated security context has fewer privileges than the default security context. The method also includes detecting a process being created within the login session. The method further includes determining that the process is potentially malicious by comparing an intended state and a digital profile of the computing device. The method also includes launching the process using the de-elevated security context.
    Type: Application
    Filed: December 5, 2018
    Publication date: June 11, 2020
    Inventor: Sisimon SOMAN
  • Patent number: 10635466
    Abstract: Described herein are systems, methods, and software to provide enhanced security when opening applications. In one implementation, an application service receives, over a network, an application request from an end user device to support a file open request on the end user device, wherein the application request occurs based on a security status of a file associated with the file open request. The application service further allocates a virtual node with an application to the end user device to support the application request, provides a remote connection for the application to the end user device, and opens the file in the application of the virtual node to support the file open request.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: April 28, 2020
    Assignee: VMWARE, INC.
    Inventors: Sisimon Soman, Matthew Conover
  • Publication number: 20190230064
    Abstract: The disclosure provides an approach for implementing a distributed firewall within a data center. The firewall is implemented as a kernel space filter driver within the operating system of virtual machines. Each virtual machine hosts several user sessions. The firewall may be dynamically updated with new security policies, either by an administrator or a component of the data center.
    Type: Application
    Filed: January 24, 2018
    Publication date: July 25, 2019
    Inventor: Sisimon SOMAN
  • Patent number: 10333975
    Abstract: Described herein are systems, methods, and software to provide secure browsers to end user devices. In one implementation, a secure browsing service receives, over a network, a request for an internet browser from an end user device. The secure browsing service further, in response to the request, allocates a virtual machine with an instance of the internet browser executing thereon to the end user device, and provides a remote connection to the internet browser on the virtual machine to the end user device.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: June 25, 2019
    Assignee: VMware, Inc.
    Inventors: Sisimon Soman, Anurag Katiyar
  • Patent number: 10325116
    Abstract: An example method of dynamic privilege management in a computer system includes: detecting launch of an application by a user in a login session of a desktop executing on the computer system; determining identification information for the application; evaluating at least one policy that specifies requirements for privilege elevation using the identification information as parametric input; generating a privilege elevation result for the application, the privilege evaluation result including a positive or negative indication of whether the at least one policy permits privilege elevation of a process created for the application within the login session; and elevating privilege of the process in response to the positive indication in the privilege elevation.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: June 18, 2019
    Assignee: VMware, Inc.
    Inventors: Sisimon Soman, Arnout Grootveld, Arindam Nag, Matt Conover
  • Patent number: 10210326
    Abstract: Disclosed is a computer and method in a computer that detects attachment of an external device. A determination may be made whether the external device is trusted or untrusted. When the external device is deemed to be trusted, a first device stack may be instantiated in a first OS executing on the computer to conduct interactions with the external device. When the external device is deemed to be untrusted, a second device stack may be instantiated in a second OS executing on the computer to conduct interactions with the external device.
    Type: Grant
    Filed: June 20, 2016
    Date of Patent: February 19, 2019
    Assignee: VMWARE, INC.
    Inventors: Sisimon Soman, Matt Conover
  • Publication number: 20190005267
    Abstract: An example method of dynamic privilege management in a computer system includes: detecting launch of an application by a user in a login session of a desktop executing on the computer system; determining identification information for the application; evaluating at least one policy that specifies requirements for privilege elevation using the identification information as parametric input; generating a privilege elevation result for the application, the privilege evaluation result including a positive or negative indication of whether the at least one policy permits privilege elevation of a process created for the application within the login session; and elevating privilege of the process in response to the positive indication in the privilege elevation.
    Type: Application
    Filed: June 30, 2017
    Publication date: January 3, 2019
    Inventors: Sisimon SOMAN, Arnout GROOTVELD, Arindam NAG, Matt CONOVER
  • Publication number: 20180336079
    Abstract: Described herein are systems, methods, and software to enhance the management of inter-process communications (IPCs) for containers according to an implementation. In one implementation, a container management service executing on a host with a plurality of containers may identify an IPC object generation with a first identifier from one of the containers. Responsive to the request, the service may translate the first identifier into a second identifier, and store the IPC object in a memory system using the second identifier. Once stored, requests may be made from applications in approved containers for the object using the first identifier, and the service may retrieve the IPC object using the second identifier.
    Type: Application
    Filed: May 19, 2017
    Publication date: November 22, 2018
    Inventors: Sisimon Soman, Matthew Conover
  • Patent number: 10122752
    Abstract: Embodiments perform detection and prevention of unauthorized access to files in a target folder. A filter driver, interfacing with a target folder, intercepts a first request from a process to access a file in the target folder. The filter driver returns a virtual file, along with the existing files, to the process. Upon receiving a second request from the process to write to the virtual file, the filter driver designates the process as a hostile process and prevents further access attempts.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: November 6, 2018
    Assignee: VMware, Inc.
    Inventors: Sisimon Soman, Matthew Conover
  • Publication number: 20180165447
    Abstract: Described herein are systems, methods, and software to provide enhanced security when opening applications. In one implementation, an application service receives, over a network, an application request from an end user device to support a file open request on the end user device, wherein the application request occurs based on a security status of a file associated with the file open request. The application service further allocates a virtual node with an application to the end user device to support the application request, provides a remote connection for the application to the end user device, and opens the file in the application of the virtual node to support the file open request.
    Type: Application
    Filed: December 9, 2016
    Publication date: June 14, 2018
    Inventors: Sisimon Soman, Matthew Conover
  • Publication number: 20180159896
    Abstract: Described herein are systems, methods, and software to provide secure browsers to end user devices. In one implementation, a secure browsing service receives, over a network, a request for an internet browser from an end user device. The secure browsing service further, in response to the request, allocates a virtual machine with an instance of the internet browser executing thereon to the end user device, and provides a remote connection to the internet browser on the virtual machine to the end user device.
    Type: Application
    Filed: December 6, 2016
    Publication date: June 7, 2018
    Inventors: Sisimon Soman, Anurag Katiyar
  • Publication number: 20170373853
    Abstract: User profiles of applications installed in a user environment, which may be compromised by malware, are managed to protect against such malware gaining access to sensitive data that may be contained in the user profiles. The method includes the steps of detecting, by a management agent of a user environment, a launch of an application within the user environment, verifying, by a filter driver, an identity of the application against a stored profile of the application, and responsive to determining that the identity of the application matches the stored profile of the application, importing, by the management agent, an encrypted user profile from a remote storage to local storage, decrypting, by the filter driver, the encrypted user profile, and providing the decrypted user profile to the application.
    Type: Application
    Filed: June 27, 2016
    Publication date: December 28, 2017
    Inventor: Sisimon SOMAN
  • Publication number: 20170364677
    Abstract: Disclosed is a computer and method in a computer that detects attachment of an external device. A determination may be made whether the external device is trusted or untrusted. When the external device is deemed to be trusted, a first device stack may be instantiated in a first OS executing on the computer to conduct interactions with the external device. When the external device is deemed to be untrusted, a second device stack may be instantiated in a second OS executing on the computer to conduct interactions with the external device.
    Type: Application
    Filed: June 20, 2016
    Publication date: December 21, 2017
    Inventors: Sisimon Soman, Matt Conover