Selective virtualization for security threat detection
First Claim
1. A computerized method comprising:
- configuring a virtual machine running within a platform with a first virtualization logic;
- monitoring, by the first virtualization logic, for a first plurality of requests that are initiated during processing of an object within the virtual machine, each of the first plurality of requests is associated with an activity to be performed in connection with one or more resources; and
- selectively virtualizing, by the first virtualization logic, resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, wherein the second plurality of requests being lesser in number than the first plurality of requests and the selectively virtualizing of the resources comprises intercepting a first request of the second plurality of requests, redirecting the first request of the second plurality of requests, the redirecting of the first request comprises generating a modified first request by changing a resource associated with the first request and subsequently passing the modified first request to system code for processing, and receiving virtualized data in response to passing the modified first request to the system code.
7 Assignments
0 Petitions
Abstract
Selective virtualization of resources is provided, where the resources may be intercepted and serviced or the resources may be intercepted and redirected. Virtualization logic monitors for a first plurality of requests that are initiated during processing of an object within the virtual machine. Each of the first plurality of requests, such as system calls for example, is associated with an activity to be performed in connection with one or more resources. The virtualization logic selectively virtualizes resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, where the second plurality of requests is lesser in number than the first plurality of requests.
48 Claims
1. A computerized method comprising:
- configuring a virtual machine running within a platform with a first virtualization logic;
- monitoring, by the first virtualization logic, for a first plurality of requests that are initiated during processing of an object within the virtual machine, each of the first plurality of requests is associated with an activity to be performed in connection with one or more resources; and
- selectively virtualizing, by the first virtualization logic, resources associated with a second plurality of requests that are initiated during the processing of the object within the virtual machine, wherein the second plurality of requests being lesser in number than the first plurality of requests and the selectively virtualizing of the resources comprises intercepting a first request of the second plurality of requests, redirecting the first request of the second plurality of requests, the redirecting of the first request comprises generating a modified first request by changing a resource associated with the first request and subsequently passing the modified first request to system code for processing, and receiving virtualized data in response to passing the modified first request to the system code.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 39, 40, 41
19. A computerized method for configuring a virtual machine to selectively conduct virtualization of one or more resources during analysis of an object for malware, the computerized method comprising:
- configuring the virtual machine running within a platform with a first virtualization logic that is configured with access to a first configuration data, the first configuration data comprises (i) information that is used by the first virtualization logic to identify and subsequently intercept at least a first request that, when processed, performs an activity on a first resource, and (ii) one or more usage patterns including information to determine whether to perform virtualization of the first resource associated with the first request and information associated with one or more activities that are to be performed in connection with the first resource during the virtualization operation;
- responsive to detecting an update to the first configuration data, modifying the first configuration data to alter at least one of (i) the information that is used by the first virtualization logic to identify and subsequently intercept at least the first request, (ii) one or more usage patterns including the information to determine whether to perform the virtualization of the first resource, and the information associated with the one or more activities that are to be performed in connection with the first resource associated with the first request during the virtualization operation, or (iii) obfuscation data used by the first virtualization logic to obfuscate the presence of the first resource or an entire set of resources;
- providing a second virtualization logic configured with access to a second configuration data, the second configuration data comprises (i) information that is used by the second virtualization logic to identify and subsequently intercept at least a second request that, when processed, performs an activity on a second resource, and (ii) the one or more usage patterns including information to determine whether to perform virtualization of the second resource associated with the second request and information associated with one or more activities that are to be performed in connection with the second resource during the virtualization operation; and
- responsive to detecting an update to the second configuration data, modifying the second configuration data to alter at least one of (i) the information that is used by the second virtualization logic to identify and subsequently intercept at least the second request, (ii) one or more usage patterns including the information to determine whether to perform the virtualization operation, and the information associated with one or more activities that are to be performed in connection with the second resource, or (iii) obfuscation data used by the second virtualization logic to obfuscate the presence of the second resource or an entire set of resources.
Dependent claims: 20, 21, 22, 23
24. A non-transitory computer readable medium that stores virtualization logic operating within a virtual machine that, when executed by one or more processors, performs operations comprising:
- receiving, by the virtualization logic, a request from a process running on the virtual machine, the request is associated with a first resource;
- analyzing, by the virtualization logic, contents of the request to determine whether the first resource identified in the request is to be virtualized; and
- in response to determining by the virtualization logic that the first resource is to be virtualized, selecting one of a plurality of virtualization schemes conducted to the first resource, the plurality of virtualization schemes comprises (1) servicing the request by returning virtualized data to a portion of the process that initiated the request where the request is one of a first subset of a plurality of requests and (2) redirecting the request to a second resource that is different from the first resource, wherein the redirecting of the request is (i) for a first type of request being one of a second subset of the plurality of requests that is associated with a particular activity that is independent of kernel involvement and (ii) directed to system code.
Dependent claims: 25, 26, 27, 28, 29, 30, 34, 42, 43, 44
31. A platform comprising:
- one or more hardware processors; and
- a memory coupled to the one or more processors, the memory comprises one or more virtual machines that are configured to process an object under analysis, a first virtual machine of the one or more virtual machines comprises a first virtualization logic operating in a user mode, the first virtualization logic being configured to intercept a first request associated with a first subset of a plurality of activities that are handled by the first virtual machine, perform virtualization of a resource associated with the first request that produces virtualized data and return at least a portion of the virtualized data to a source that initiated the first request, and a second virtualization logic operating in a kernel mode, the second virtualization logic being configured to intercept a second request associated with a second subset of the plurality of activities that are handled by the first virtual machine and different from the first subset of the plurality of activities, perform virtualization of a resource associated with the second request that produces virtualized data, and return at least a portion of the virtualized data associated with the second request to a source that initiated the second request.
Dependent claims: 32, 33, 35, 36, 37, 38, 45, 46, 47, 48
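The independent claims above describe one mechanism from several angles: every request a guest process makes is monitored, only a configured subset is virtualized, and a virtualized request is either serviced directly with fabricated data (claim 24, scheme 1) or rewritten to point at a different resource and then passed to the real system code (claim 1 and claim 24, scheme 2), with separate user-mode and kernel-mode logics covering disjoint activity subsets (claim 31) and configuration data split into intercept rules, usage patterns and obfuscation data (claim 19). The Python model below is an added example written for this page; it is not code from the patent or from its assignee. All of its names (`Request`, `Config`, `VirtualizationLogic`, `Platform`, `SYSTEM_STORE`, `system_code`) and all sample paths and registry keys are constructed for illustration, and the "system code" is a flat dictionary standing in for the guest operating system. It shows why the second plurality is "lesser in number" than the first: the counters on each logic record every request seen versus the few actually virtualized.

```python
"""Toy model of the selective-virtualization scheme described in the claims.

Added example, not code from the patent or its assignee. Every name here
(Request, Config, VirtualizationLogic, Platform, SYSTEM_STORE, system_code)
and every sample path or registry key is constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed stand-in for "system code": what the guest OS would answer for
# a resource when the request reaches it unmodified. None means "not found".
SYSTEM_STORE = {
    r"C:\Windows\System32\ntdll.dll": b"real ntdll",
    r"C:\Windows\System32\drivers\vmmouse.sys": b"real vm driver",
    r"C:\Users\analyst\Documents\report.docx": b"real document",
    r"C:\sandbox\decoys\Documents\report.docx": b"decoy document",
    r"C:\Program Files\app\app.exe": b"app binary",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": b"installed",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion": b"10.0",
}


def system_code(req):
    """Unmodified handling of a request by the (simulated) operating system."""
    return SYSTEM_STORE.get(req.resource)


@dataclass
class Request:
    kind: str       # activity, e.g. "file_open" or "reg_query"
    resource: str   # the resource the activity acts on


@dataclass
class Config:
    """Configuration data in the three parts the claims enumerate (assumed layout)."""
    intercept: dict                                 # (i)   kind -> [glob] to intercept
    redirect: list = field(default_factory=list)    # (ii)  [(src_prefix, dst_prefix)]
    obfuscate: list = field(default_factory=list)   # (iii) [glob] resources to hide


def _matches(resource, globs):
    return any(fnmatchcase(resource, g) for g in globs)


class VirtualizationLogic:
    """One logic (e.g. user-mode or kernel-mode) covering a subset of activities."""

    def __init__(self, name, config):
        self.name, self.config = name, config
        self.monitored = 0     # first plurality: every request this logic sees
        self.virtualized = 0   # second plurality: requests actually virtualized
        self.log = []          # (logic, action, resource) entries for the analyst

    def handles(self, req):
        return req.kind in self.config.intercept

    def handle(self, req):
        self.monitored += 1
        if _matches(req.resource, self.config.intercept[req.kind]):
            # Scheme 1: service the request ourselves with virtualized data.
            # For a resource being hidden, the virtualized answer is "not found".
            if _matches(req.resource, self.config.obfuscate):
                self.virtualized += 1
                self.log.append((self.name, "serviced", req.resource))
                return None
            # Scheme 2: change the resource, pass the modified request on to
            # system code, and hand back what it returns as the virtualized data.
            for src, dst in self.config.redirect:
                if req.resource.startswith(src):
                    self.virtualized += 1
                    modified = Request(req.kind, dst + req.resource[len(src):])
                    self.log.append((self.name, "redirected", modified.resource))
                    return system_code(modified)
        # Not selected for virtualization: the request goes through untouched.
        self.log.append((self.name, "passthrough", req.resource))
        return system_code(req)


class Platform:
    """Routes each request to the logic configured for its activity kind."""

    def __init__(self, logics):
        self.logics = logics

    def run(self, requests):
        out = []
        for req in requests:
            logic = next((lg for lg in self.logics if lg.handles(req)), None)
            out.append(logic.handle(req) if logic else system_code(req))
        return out


def demo():
    """Constructed workload against two logics with disjoint activity subsets."""
    user_mode = VirtualizationLogic("user", Config(
        intercept={"file_open": [r"C:\Windows\System32\drivers\*", r"C:\Users\*"]},
        redirect=[(r"C:\Users\analyst", r"C:\sandbox\decoys")],
        obfuscate=[r"*\vmmouse.sys"],
    ))
    kernel_mode = VirtualizationLogic("kernel", Config(
        intercept={"reg_query": [r"HKLM\SOFTWARE\VMware*"]},
        obfuscate=[r"HKLM\SOFTWARE\VMware*"],
    ))
    platform = Platform([user_mode, kernel_mode])
    workload = [
        Request("file_open", r"C:\Windows\System32\ntdll.dll"),
        Request("file_open", r"C:\Windows\System32\drivers\vmmouse.sys"),
        Request("file_open", r"C:\Users\analyst\Documents\report.docx"),
        Request("reg_query", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
        Request("reg_query", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
        Request("file_open", r"C:\Program Files\app\app.exe"),
    ]
    return platform, platform.run(workload)


if __name__ == "__main__":
    platform, results = demo()
    for logic in platform.logics:
        print(logic.name, "monitored", logic.monitored, "virtualized", logic.virtualized)
        for entry in logic.log:
            print("  ", *entry)
```

Running `demo()` sends six requests through the platform; the two logics together monitor all six but virtualize only three (two serviced with a "not found" answer, one redirected to the decoy document), which is the relationship between the first and second pluralities the claims rely on. Redirecting a request rather than answering it directly is what lets the guest keep interacting with real system code while the sample never touches the analyst's actual files.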
Specification