Malware Detector
First Claim
1. A computer readable medium, the computer readable medium including a series of computer readable instructions that when executed by one or more processors performs a method for detecting malware on a virtual machine, the virtual machine residing on a host operating system, the instructions executed from outside the virtual machine, the method comprising:
a. retrieving for inspection virtual machine internal system states from virtual resources, based on non-intrusive virtual machine introspection without perturbing their execution, the virtual resources including;
i. virtual machine memory; and
ii. at least one virtual disk; and
the virtual machine internal system states comprising;
i. virtual memory states; and
ii. virtual disk states;
b. extrapolating guest functions by interpreting the virtual memory states and the virtual disk states; and
c. transparently encapsulating and presenting the interpreted virtual memory states and the interpreted virtual disk states to anti-malware software; and
wherein the anti-malware software is configured to use the interpreted virtual memory states and the interpreted virtual disk states to detect system compromises.
Abstract
The malware detection system enables out-of-the-box, tamper-resistant malware detection without losing the semantic view. The system comprises at least one guest operating system and at least one virtual machine, where the guest operating system runs on the virtual machine. The virtual machine, which has virtual resources, resides on a host operating system. The virtual resources include virtual memory and at least one virtual disk. A virtual machine examiner is used to examine the virtual machine. The virtual machine examiner, which comprises a virtual machine inspector, a guest function extrapolator, and a transparent presenter, resides outside the virtual machine. The virtual machine inspector is configured to retrieve virtual machine internal system states and/or events. The guest function extrapolator is configured to interpret such states and/or events. The transparent presenter is configured to present the interpreted states and/or events to anti-malware software. The anti-malware software is configured to use the interpreted states and/or events to detect any system compromise.
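As an added illustrative example (not code from the patent or from any product), the following Python model shows the three components of the abstract working together on a constructed guest-memory snapshot: an inspector that reads raw bytes from outside the guest, a guest function extrapolator that rebuilds the guest's process list from those bytes, and an anti-malware consumer of the presented view. The 24-byte task record layout, the signature-carving second pass, and the cross-view detection rule (a task found by carving but absent from the linked-list walk is flagged) are assumptions made for this example.

```python
import struct

# Constructed toy guest layout (assumption, not the patent's own format): guest memory is
# a flat byte array of fixed 24-byte task records; a record is magic b"TASK", pid (u32),
# offset of the next record (u32), and a 12-byte NUL-padded name. Offset 0 is the list
# head. A record that the walk from the head never reaches is an unlinked (hidden) task.
MAGIC = b"TASK"
REC = struct.Struct("<4sII12s")
HEAD_OFF = 0
END = 0xFFFFFFFF

def build_memory(records):
    """Constructed sample: records = [(pid, next_off, name)], laid out contiguously."""
    return b"".join(REC.pack(MAGIC, pid, nxt, name.encode().ljust(12, b"\0"))
                    for pid, nxt, name in records)

# Inspector: read raw guest state from the virtual resource (here: a bytes object)
# without executing anything inside the guest.
def inspect_memory(vm_memory, offset, size):
    return vm_memory[offset:offset + size]

# Guest-function extrapolator: reconstruct the guest's own "process list" semantics
# from raw bytes by walking the linked list from the head record.
def walk_task_list(vm_memory):
    seen, off = {}, HEAD_OFF
    while off != END and off not in seen:
        magic, pid, nxt, name = REC.unpack(inspect_memory(vm_memory, off, REC.size))
        if magic != MAGIC:
            break
        seen[off] = (pid, name.rstrip(b"\0").decode())
        off = nxt
    return list(seen.values())

# Second extrapolation path: carve every record by signature, independent of pointers.
def carve_tasks(vm_memory):
    out = []
    for off in range(0, len(vm_memory) - REC.size + 1, REC.size):
        magic, pid, _, name = REC.unpack(inspect_memory(vm_memory, off, REC.size))
        if magic == MAGIC:
            out.append((pid, name.rstrip(b"\0").decode()))
    return out

# Transparent presenter plus anti-malware consumer: both interpreted views are handed
# over as plain data; the detector (assumed rule) flags tasks that carving finds but
# the list walk does not.
def detect_hidden_tasks(vm_memory):
    listed = set(walk_task_list(vm_memory))
    return sorted(t for t in carve_tasks(vm_memory) if t not in listed)

# Constructed sample: pid 7 at offset 48 is not linked into the 0 -> 24 -> 72 chain.
SAMPLE = build_memory([(1, 24, "init"), (2, 72, "sshd"), (7, END, "proc7"), (3, END, "cron")])
```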
20 Claims
10. A malware detection system, comprising:
a. a guest operating system running on a virtual machine, the virtual machine residing on a host operating system, the virtual machine having virtual resources, the virtual resources including;
i. virtual machine memory; and
ii. at least one virtual disk; and
b. a virtual machine examiner residing outside the virtual machine, the virtual machine examiner including;
i. a virtual machine inspector, the virtual machine inspector configured to retrieve for inspection virtual machine internal system states from the virtual resources, based on non-intrusive virtual machine introspection without perturbing their execution, the virtual machine internal system states comprising;
1. virtual memory states; and
2. virtual disk states;
ii. a guest function extrapolator, the guest function extrapolator configured to extrapolate guest functions by;
1. interpreting the virtual memory states; and
2. interpreting the virtual disk states; and
iii. a transparent presenter, the transparent presenter configured to encapsulate and present the interpreted virtual memory states and the interpreted virtual disk states to anti-malware software, the anti-malware software configured to use the interpreted virtual memory states and the interpreted disk states to detect system compromises.
Specification