A method and system for detecting ransomware and repairing data following an attack. The method includes, collecting file statistics for files in a file system, identifying an affected file based on collected file statistics, locking down of access to the file system in response to identifying the affected file, undoing of reconcile processing, repairing the affected files, and unlocking access to the file system. The system includes a computer node, a file system, a plurality of disc storage components, a backup client, a backup client, and a hierarchical storage client. The hierarchical storage client is configured to collect file statistics for files in file system, identify affected files based on collected file statistics for the file, lock down of access to the file system in response to an identified affected file, undo reconcile processing, repair the affected file; and unlock access to the file system.

Systems and method that restore application data stored by a virtual machine database for an application (e.g., SQL, SharePoint, Exchange, and so on) running on the virtual machine are described. The systems and methods create an integrated snapshot of the application data stored in the virtual machine database, by creating a secondary copy of the application data stored in the virtual machine database, performing, via a virtual server agent (VSA), a software snapshot of the virtual machine, and performing, via the virtual server agent, a hardware snapshot of the software snapshot of the virtual machine.

A backup entity and a method for backing up a disk volume of a production device are provided. The backup entity is configured to: create a first backup image of the disk volume, in a backup repository. Further, the backup entity is configured to obtain a first indication from the production device, wherein the first indication is indicative of a first operation to be performed by the production device on the disk volume. The backup entity is further configured to perform the first operation on the first backup image, to obtain a second backup image in the backup repository. According to the application, a solution to mimic an operation that changes data of a production storage, in a backup system, is provided, which can reduce the amount of data sent from the production storage to the backup system and thus reduce a backup window.

In an approach for optimizing resources in a disaster recovery cleanup process, processors are configured for receiving transaction entries represented by transaction identifiers at a source database in communication with target databases via Synchronous-to-Asynchronous Traffic Converters (SATCs). Further, the processors are configured for transmitting a transaction payload from the SATCs to the target databases; identifying completed tracking entries corresponding to tracking entries having a complete status for the SATCs; deleting remaining transaction entries ranging from a transaction entry associated with a highest processed transaction identifier to a transaction entry associated with a lowest processed transaction identifier; providing a list of the remaining transaction entries that were deleted to predecessors of the SATCs; removing the remaining transaction entries from the SATCs if the transaction entries were delivered to all target databases; and detecting a topology change corresponding to one or more additional SATCs integrated with the one or more SATCs.

A data deduplication method includes receiving an overwrite request sent by an external device, where the overwrite request carries a data block and a first address into which the data block is to be stored, determining whether an overwrite quantity of the first address exceeds a first threshold within a time period [t1, t2], where both t1 and t2 are time points, and t2 is later than t1, and when the overwrite quantity of the first address exceeds the first threshold within the time period [t1, t2], skipping performing a deduplication operation on the data block or when the overwrite quantity of the first address does not exceed the first threshold within the time period [t1, t2], performing a deduplication operation on the data block.

Creating a replica of a storage system, including: receiving, by a first storage system from a computing device, data to be stored on the first storage system; reducing, by the first storage system, the data using one or more data reduction techniques; sending, from the first storage system to the second storage system, the reduced data, wherein the reduced data is encrypted; and sending, from the second storage system to a third storage system, the reduced data, wherein the reduced data is encrypted.

A system for providing backup services for limited-access user data includes persistent storage for storing a user data visualization enhanced user data backup and a manager. The manager identifies a backup generation event for limited-access user data based on a protection policy; in response to identifying the backup generation event, obtains fragmented user data from an application that gates access to the limited-access user data; obtains organizational metadata associated with the fragmented user data from the application; makes a determination that the fragmented user data is associated with a user data visualization; in response to making the determination, obtains user data visualization metadata associated with the fragmented user data from the application; and generates the user data enhanced user data backup using the organizational metadata, the user data visualization metadata, and the fragmented user data.

A memory tier is established in a cluster system having a deduplicated file system. The memory tier includes memory pages configured as huge pages, where writes to the huge pages are exported in a device file that is outside of a user process namespace within which processes of the deduplicated file system run. At least a portion of metadata generated by the deduplicated file system is written to the memory tier. The portion of metadata includes an index of fingerprints corresponding to data segments stored by the deduplicated file system to a storage pool. A determination is made that an instance of the deduplicated file system has failed. A new instance of the deduplicated file system is started to recover file system services by loading the index of fingerprints from the device file.

One example method includes receiving, by a backup appliance, a request concerning a dataset, performing, by the backup appliance, an inquiry to determine if end-to-end encryption is enabled for a volume of a target storage array, receiving, by the backup appliance, confirmation from the storage array that end-to-end encryption is enabled for the volume, and based on the confirmation that end-to-end encryption is enabled for the volume, storing the dataset in the volume without performing encryption, compression, or deduplication, of the dataset prior to storage of the dataset in the volume.

Some examples relate generally to computer architecture software for data classification and information security and, in some more particular aspects, to verifying audit events in a file system.