Cleaning malware from backup data
Abstract
Embodiments described herein perform cleanup of backup images of a storage system by applying a record of I/O operations recorded while performing anti-malware operations on the storage system. The recording of the I/O operations can be replayed to resolve malware infections in the backup images, snapshots, or replicas of the storage system without requiring a restore-cleanup cycle for each backup image.
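A minimal sketch of the record-and-replay idea in the abstract, added here as an illustration and not taken from the patent or any product. All names (`WriteOp`, `RecordingVolume`, `replay`, `scrub`) are hypothetical, and the pre-image hash check that skips writes when a backup has diverged from the live volume is an assumption of this example, not something the claims recite.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class WriteOp:
    offset: int
    before_sha256: str  # digest of the replaced bytes (the "first sequence")
    data: bytes         # replacement bytes (the "second sequence")

class RecordingVolume:
    """Toy block device that journals writes while a recording session is open."""
    def __init__(self, image):
        self.image, self.journal = bytearray(image), None
    def begin_session(self):
        self.journal = []
    def end_session(self):
        journal, self.journal = self.journal, None
        return journal
    def write(self, offset, data):
        old = bytes(self.image[offset:offset + len(data)])
        if self.journal is not None:  # only journal inside a session
            self.journal.append(WriteOp(offset, hashlib.sha256(old).hexdigest(), data))
        self.image[offset:offset + len(data)] = data

def replay(journal, backup):
    """Apply recorded writes to a backup image; skip ops whose pre-image differs."""
    out, skipped = bytearray(backup), []
    for op in journal:
        cur = bytes(out[op.offset:op.offset + len(op.data)])
        if hashlib.sha256(cur).hexdigest() != op.before_sha256:
            skipped.append(op.offset)  # backup diverges here: needs its own scan
            continue
        out[op.offset:op.offset + len(op.data)] = op.data
    return bytes(out), skipped

MARK = b"EVIL"  # constructed, harmless stand-in for an infected byte sequence

def scrub(volume):
    """Hypothetical stand-in for the anti-malware logic: zero out each marker."""
    pos = bytes(volume.image).find(MARK)
    while pos != -1:
        volume.write(pos, b"\x00" * len(MARK))
        pos = bytes(volume.image).find(MARK)

def demo():
    live = RecordingVolume(b"hdr-EVIL-data-EVIL-end")  # constructed live volume
    live.begin_session()
    scrub(live)
    journal = live.end_session()
    # One backup identical to the live volume, one older image with a different layout.
    return (journal, replay(journal, b"hdr-EVIL-data-EVIL-end"),
            replay(journal, b"hdr-EVIL-OLDDATA-xx-end"))
```

Offsets returned in the skipped list mark regions where the backup no longer matches what the cleanup overwrote, so that image still needs a direct scan.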
12 Claims
1. A computer-implemented method for cleaning backup images, the method comprising:
receiving a request from a backup server connected via a network;
in response to the request, beginning, by a backup cleaning logic executed by a processor, an input/output (I/O) recording session for I/O operations performed to a data storage system;
sending, by the backup cleaning logic, a request to anti-malware logic to scan the data storage system to locate a data object containing malicious instructions or data associated with a malware infection;
recording the I/O operations performed by the anti-malware logic to resolve the malware infection, including logging write IO requests to write data to a storage device of the data storage system, wherein the I/O operations replace at least a first sequence in the data object with a second sequence;
ending the I/O recording session after recording the I/O operations performed by the anti-malware logic; and
applying the I/O operations of the I/O recording session to resolve a malware infection in a backup image, wherein applying the IO operations comprises
  transmitting the I/O operations of the I/O recording session over the network to a remote storage server and applying the I/O operations of the I/O recording session to the backup image via the remote storage server,
  storing the I/O operations of the I/O recording session to a journal of a continuous data protection system wherein the journal of the continuous data protection system duplicates write operations to the remote storage server to a remote copy of the data storage system,
  transmitting the journal over the network to the remote storage server, and
  applying the recorder I/O operations to the backup image to resolve the malware infection in the backup image.
4. The computer-implemented method of further comprising creating a remote journal including the I/O operations of the I/O recording session and applying the recorded I/O operations from the remote journal to the backup image to resolve the malware infection in the backup image.
5. A non-transitory machine-readable medium storing instructions which, when executed by one or more processors, cause the one or more processors to perform operations comprising:
receiving a request from a backup server connected via a network;
in response to the request, beginning an input/output (I/O) recording session for I/O operations performed to a data storage system;
sending a request to anti-malware logic to scan the data storage system to locate a data object containing malicious instructions or data associated with a malware infection;
recording the I/O operations performed by the anti-malware logic to resolve the malware infection, including logging write IO requests to write data to a storage device of the data storage system, wherein the I/O operations replace at least a first sequence in the data object with a second sequence;
ending the I/O recording session after recording the I/O operations performed by the anti-malware logic; and
applying the I/O operations of the I/O recording session to resolve a malware infection in a backup image, wherein applying the IO operations comprises
  transmitting the I/O operations of the I/O recording session over the network to a remote storage server and applying the I/O operations of the I/O recording session to the backup image via the remote storage server,
  storing the I/O operations of the I/O recording session to a journal of a continuous data protection system wherein the journal of the continuous data protection system duplicates write operations to the remote storage server to a remote copy of the data storage system,
  transmitting the journal over the network to the remote storage server, and
  applying the recorder I/O operations to the backup image to resolve the malware infection in the backup image.
9. A system comprising:
one or more server devices coupled to a data storage system, the one or more server devices configured to;
receive a request from a backup server connected via a network;
in response to the request, begin an input/output (I/O) recording session for I/O operations performed to the data storage system;
send a request to anti-malware logic executing on the one or more server devices to scan the data storage system to locate a data object containing malicious instructions or data associated with a malware infection;
record the I/O operations performed by the anti-malware logic to resolve the malware infection, including logging write IO requests to write data to a storage device of the data storage system, wherein the I/O operations replace at least a first sequence in the data object with a second sequence;
end the I/O recording session after recording the I/O operations performed by the anti-malware logic; and
apply the I/O operations of the I/O recording session to resolve a malware infection in a backup image, including
  transmit the I/O operations of the I/O recording session over the network to a remote storage server and apply the I/O operations of the I/O recording session to the backup image via the remote storage server,
  store the I/O operations of the I/O recording session to a journal of a continuous data protection system wherein the journal of the continuous data protection system duplicates write operations to the remote storage server to a remote copy of the data storage system,
  transmit the journal over the network to the remote storage server, and
  apply the recorded I/O operations to the backup image to resolve the malware infection in the backup image.
Specification