Virtual system and method with threat protection
Abstract
A computing device is described that comprises one or more hardware processors and a memory communicatively coupled to the one or more hardware processors. The memory comprises software that supports a software virtualization architecture, including (i) a virtual machine operating in a guest environment and including a process that is configured to monitor behaviors of data under analysis within the virtual machine and (ii) a threat protection component operating in a host environment. The threat protection component is configured to classify the data under analysis as malicious or non-malicious based on the monitored behaviors.
34 Claims
1. A computing device comprising:
- one or more hardware processors; and
- a memory coupled to the one or more processors, the memory comprises one or more software components that, when executed by the one or more hardware processors, provide a virtualization software architecture including (i) a virtual machine, (ii) a plurality of hyper-processes and (iii) a hypervisor, wherein
  - the virtual machine to operate in a guest environment and includes a process that is configured to monitor behaviors of data under analysis within the virtual machine,
  - the plurality of hyper-processes to operate in a host environment and isolated from each other within an address space of the memory, the plurality of hyper-processes include a threat protection process to classify the data under analysis as malicious or non-malicious based on the monitored behaviors and a guest monitor process configured to manage execution of the virtual machine and operate with the process to obtain and forward metadata associated with the monitored behaviors to the threat protection process, and
  - the hypervisor is configured to enforce temporal separation of the plurality of hyper-processes and enable inter-process communications between the plurality of hyper-processes.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17
18. A computerized method comprising:
- configuring a virtualization software architecture with a guest environment and a host environment;
- processing an object by a virtual machine operating in the guest environment, the virtual machine includes a process that monitors behaviors of the object during the processing of the object by the virtual machine;
- classifying, by a plurality of hyper-processes operating in a host environment different from the guest environment, the object that undergoes processing by the virtual machine as malicious or non-malicious based at least on one or more of the monitored behaviors provided to a threat protection process being one of the plurality of hyper-processes; and
- supporting inter-process communications between the plurality of hyper-processes by a hypervisor communicatively coupled to the plurality of hyper-processes,
- wherein the plurality of hyper-processes include the threat protection process to classify the object as malicious or non-malicious based on the monitored behaviors and a guest monitor process configured to manage execution of the virtual machine and operate with the process to obtain and forward metadata associated with the monitored behaviors to the threat protection process that is isolated from the guest monitor process.

Dependent claims: 19, 20, 21, 22, 23, 24, 25, 33
26. A non-transitory storage medium including software that, when executed by a processor, configures a virtualization software architecture with a guest environment and a host environment including a hypervisor, the medium comprising:
- a virtual machine operating in the guest environment, the virtual machine to process an object and monitor behaviors of the object during processing of the object;
- a plurality of hyper-processes operating in a host environment different from the guest environment, the plurality of hyper-processes including a threat protection process to classify the object as malicious or non-malicious based at least on one or more of the monitored behaviors provided to the threat protection process; and
- supporting inter-process communications between the plurality of hyper-processes by the hypervisor communicatively coupled to the plurality of hyper-processes,
- wherein the plurality of hyper-processes include the threat protection process to classify the object as malicious or non-malicious based on the monitored behaviors and a guest monitor process configured to manage execution of the virtual machine and operate with the process to obtain and forward metadata associated with the monitored behaviors to the threat protection process that is isolated from the guest monitor process.

Dependent claims: 27, 28, 29, 30, 31, 32, 34
Specification