System and method for virtual partition monitoring
First Claim
1. At least one non-transitory machine readable medium including code for execution that, when executed by one or more processors, is to:
- use an access code to gain access to a monitored process in a virtual partition of a virtualized platform;
- create a memory region within the monitored process;
- insert an embedded component into the memory region;
- send, to an external handler configured to operate externally to the virtual partition, an event notification indicating an event associated with the monitored process;
- perform a first task communicated by the embedded component in the monitored process to suspend a first thread of the monitored process;
- execute, by a second thread in the virtual partition, a second task to identify context information associated with the event;
- send, from the virtual partition, the identified context information to be evaluated; and
- take an action based, at least in part, on an evaluation of the identified context information.
Abstract
A method is provided in one example embodiment that includes receiving in an external handler an event notification associated with an event in a virtual partition. A thread in the process in the virtual partition that caused the event can be parked. Other threads and processes may be allowed to resume while a security handler evaluates the event for potential threats. A helper agent within the virtual partition may be instructed to execute a task, such as collecting and assembling event context within the virtual partition, and results based on the task can be returned to the external handler. A policy action can be taken based on the results returned by the helper agent, which may include, for example, instructing the helper agent to terminate the process that caused the event.
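The flow in the abstract (event notification leaves the partition, the originating thread is parked while other threads and processes keep running, a helper agent assembles context, an external handler evaluates it and chooses an action) is easier to follow as a small simulation. The following Python program is an added illustration written for this page, not code from the patent or its assignee: the hook name `hooked_open`, the `FORBIDDEN_PREFIX` policy, the process ids and file paths are all constructed, and the helper agent's context-collection task is run from the handler's thread for simplicity rather than by a separate in-guest thread.

```python
import queue
import threading
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy for the simulation: an open() on anything under this
# prefix from a monitored process is treated as a threat (hypothetical rule).
FORBIDDEN_PREFIX = "/etc/"


@dataclass
class EventNotification:
    """Message the embedded component sends out of the partition to the handler."""
    pid: int
    tid: int
    hook: str
    arg: str
    parked: threading.Event = field(default_factory=threading.Event)
    verdict: Optional[str] = None


class MonitoredProcess:
    """Guest-side process into which a (hypothetical) hook has been inserted."""

    def __init__(self, pid: int, notify_queue: "queue.Queue[EventNotification]"):
        self.pid = pid
        self.notify_queue = notify_queue
        self.terminated = threading.Event()
        self.lock = threading.Lock()
        self.thread_context = {}   # per-thread state the helper agent can read
        self.trace = []            # paths whose open() was allowed to complete

    def hooked_open(self, path: str) -> bool:
        """Hook on a file-open call. Returns False once the process is terminated."""
        if self.terminated.is_set():
            return False
        tid = threading.get_ident()
        with self.lock:
            # Context a helper agent could assemble inside the guest (constructed).
            self.thread_context[tid] = {"last_call": "open", "arg": path}
        note = EventNotification(self.pid, tid, "open", path)
        self.notify_queue.put(note)   # event notification crosses the partition boundary
        note.parked.wait()            # first task: only this thread is suspended
        if note.verdict != "allow":
            return False
        with self.lock:
            self.trace.append(path)
        return True


class HelperAgent:
    """In-partition agent that executes tasks on behalf of the external handler."""

    def collect_context(self, proc: MonitoredProcess, note: EventNotification) -> dict:
        # Second task: gather event context while the first thread stays parked.
        with proc.lock:
            ctx = dict(proc.thread_context.get(note.tid, {}))
        ctx["pid"] = proc.pid
        return ctx

    def apply(self, proc: MonitoredProcess, note: EventNotification, verdict: str) -> None:
        note.verdict = verdict
        if verdict == "terminate":
            proc.terminated.set()     # policy action: kill the offending process
        note.parked.set()             # release the parked thread with its verdict


class ExternalHandler:
    """Security handler outside the partition: evaluates context, picks an action."""

    def __init__(self, helper: HelperAgent, processes: dict):
        self.helper = helper
        self.processes = processes
        self.decisions = []           # (arg, verdict) in the order they were made

    def evaluate(self, ctx: dict) -> str:
        return "terminate" if ctx.get("arg", "").startswith(FORBIDDEN_PREFIX) else "allow"

    def handle(self, note: EventNotification) -> str:
        proc = self.processes[note.pid]
        ctx = self.helper.collect_context(proc, note)
        verdict = self.evaluate(ctx)
        self.decisions.append((note.arg, verdict))
        self.helper.apply(proc, note, verdict)
        return verdict


def run_scenario() -> dict:
    """Two monitored processes share one external handler; one touches a forbidden path."""
    notify_queue: "queue.Queue[Optional[EventNotification]]" = queue.Queue()
    benign = MonitoredProcess(pid=1001, notify_queue=notify_queue)
    suspect = MonitoredProcess(pid=1002, notify_queue=notify_queue)
    handler = ExternalHandler(HelperAgent(), {benign.pid: benign, suspect.pid: suspect})

    def handler_loop():
        while (note := notify_queue.get()) is not None:
            handler.handle(note)

    def worker(proc, paths):
        for p in paths:
            if not proc.hooked_open(p):
                break                 # thread stops once its process is terminated

    h = threading.Thread(target=handler_loop)
    h.start()
    workers = [
        threading.Thread(target=worker, args=(benign, ["/tmp/a.txt"])),
        threading.Thread(target=worker, args=(benign, ["/tmp/b.txt"])),
        threading.Thread(target=worker, args=(suspect, ["/etc/shadow", "/tmp/never.txt"])),
    ]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    notify_queue.put(None)            # stop the handler loop
    h.join()
    return {
        "benign": {"terminated": benign.terminated.is_set(), "completed_opens": sorted(benign.trace)},
        "suspect": {"terminated": suspect.terminated.is_set(), "completed_opens": sorted(suspect.trace)},
        "decisions": sorted(handler.decisions),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Each worker thread blocks only on its own `EventNotification`, so the two benign threads and the suspect thread are parked and released independently, which is the property the abstract relies on: parking the thread that raised the event does not stall the rest of the partition while the handler decides. Swapping `evaluate` for a richer policy (checking the assembled call stack, handles, or parent process) changes the verdict without touching the in-guest hook.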
24 Claims
1. (Independent claim 1, reproduced in full under First Claim above.) Dependent claims: 2-13.
14. An apparatus, comprising:
- one or more hardware processors;
- one or more virtual processors configured to execute in a virtual partition of a virtualized platform and to run on the one or more hardware processors;
- a helper agent to run on the one or more virtual processors to:
  - use an access code to gain access to a monitored process in the virtual partition;
  - create a memory region within the monitored process;
  - insert an embedded component into the memory region;
- a security handler to operate externally to the virtual partition to receive an event notification indicating an event associated with the monitored process;
- a module to run on the one or more virtual processors to perform a first task communicated by the embedded component in the monitored process to suspend a first thread of the monitored process,
- wherein the helper agent is to run on the one or more virtual processors to further:
  - cause execution of a second task by a second thread in the virtual partition, the second task to identify context information associated with the event;
  - send, from the virtual partition, the identified context information to be evaluated; and
  - take an action based, at least in part, on an evaluation of the identified context information.

Dependent claims: 15-20.
21. A method, comprising:
- creating a memory region within a monitored process in a virtual partition of a virtualized platform, wherein the memory region is created by a helper agent in the virtual partition using an access code to gain access to the monitored process;
- inserting an embedded component into the memory region;
- sending, to an external handler configured to operate externally to the virtual partition, an event notification indicating an event associated with the monitored process;
- performing a first task communicated by the embedded component in the monitored process to suspend a first thread of the monitored process;
- executing, by a second thread in the virtual partition, a second task to identify context information associated with the event;
- sending, from the virtual partition, the identified context information to be evaluated; and
- taking an action based, at least in part, on an evaluation of the identified context information.

Dependent claims: 22-24.