Suspending a Running Operating System to Enable Security Scanning

US 20090007100A1
Filed: 06/28/2007
Published: 01/01/2009
Est. Priority Date: 06/28/2007
Status: Abandoned Application

First Claim

Patent Images

1. One or more computer-readable media storing computer-executable instructions that, when executed on one or more processors, performs acts comprising:

virtualizing a processor into at least one virtual machine running a corresponding operating system; and

suspending the operating system effective to suspend progress of threads running on the operating system and effective to enable a determination of whether contents associated with the virtual machine have been improperly altered or contain malicious code.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques described herein enable virtualizing a processor into one or more virtual machines and suspending an operating system of one of the virtual machines from outside of the operating system environment. Once suspended, these techniques capture a snapshot of the virtual machine to determine a presence of malware. This snapshot may also be used to determine whether an unauthorized change has occurred within contents of the virtual machine. Remedial action may occur responsive to determining a presence of malware or an unauthorized change.

Citations

20 Claims

1. One or more computer-readable media storing computer-executable instructions that, when executed on one or more processors, performs acts comprising:
- virtualizing a processor into at least one virtual machine running a corresponding operating system; and
  
  suspending the operating system effective to suspend progress of threads running on the operating system and effective to enable a determination of whether contents associated with the virtual machine have been improperly altered or contain malicious code.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. One or more computer-readable media as recited in claim 1, further comprising:
    - determining a first state of the virtual machine at a time of the suspending of the operating system; and
      
      comparing the first state of the virtual machine with a second state of the virtual machine, the second state corresponding to a time prior to the suspending of the operating system.
  - 3. One or more computer-readable media as recited in claim 1, further comprising inspecting state of the suspended operating system to determine if the operating system includes malicious code.
  - 4. One or more computer-readable media as recited in claim 1, further comprising inspecting a virtual processor state of the virtual machine to determine if the operating system includes malicious code, the virtual processor state including contents of one or more processor registers for the virtual machine.
  - 5. One or more computer-readable media as recited in claim 1, further comprising inspecting a virtual device state of the virtual machine to determine if the operating system includes malicious code, the virtual device state including contents of hardware peripherals for the virtual machine.
  - 6. One or more computer-readable media as recited in claim 1, further comprising:
    - determining a state of the virtual machine at a time of the suspending of the operating system; and
      
      comparing the state of the virtual machine with contents of physical memory assigned to the virtual machine.

7. One or more computer-readable media storing computer-executable instructions that, when executed on one or more processors, performs acts comprising:
- receiving, at a virtual machine monitor, a request to suspend an operating system associated with a virtual machine; and
  
  suspending, by the virtual machine monitor, the operating system associated with the virtual machine, the suspending effective to enable a determination of whether contents associated with the virtual machine have been improperly altered or contain malicious code.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. One or more computer-readable media as recited in claim 7, wherein the suspending includes suspending threads scheduled to run on the operating system.
  - 9. One or more computer-readable media as recited in claim 7, wherein the suspending includes ceasing service of interrupts within the virtual machine.
  - 10. One or more computer-readable media as recited in claim 7, wherein the request to suspend the operating system is received according to a periodic schedule.
  - 11. One or more computer-readable media as recited in claim 7, further comprising:
    - determining if the contents associated with the virtual machine have been improperly altered or contain malicious code; and
      
      shutting down or rebooting the operating system responsive to determining that the contents have been improperly altered or contain malicious code.
  - 12. One or more computer-readable media as recited in claim 7, wherein the virtual machine is a first virtual machine, and further comprising:
    - determining if the contents associated with the first virtual machine have been improperly altered or contain malicious code; and
      
      responsive to determining that the contents have been improperly altered or contain malicious code, suspending an operating system associated with a second virtual machine to determine if contents associated with the second virtual machine have been improperly altered or contain malicious code.
  - 13. One or more computer-readable media as recited in claim 7, further comprising:
    - determining a state of the virtual machine at a time of the suspending of the operating system; and
      
      transmitting the state of the virtual machine to an antivirus application to determine if the first state includes malicious code.
  - 14. One or more computer-readable media as recited in claim 7, further comprising:
    - determining a state of the virtual machine at a time of the suspending of the operating system; and
      
      logging data associated with the state of the virtual machine.
  - 15. One or more computer-readable media as recited in claim 7, further comprising resuming, by the virtual machine monitor, the operating system associated with the virtual machine.
  - 16. One or more computer-readable media as recited in claim 7, further comprising:
    - determining that the contents associated with the virtual machine have been improperly altered from a first state to a second state;
      
      altering the contents that have improperly altered from the second state back to the first state; and
      
      resuming the operating system associated with the virtual machine.

17. One or more computer-readable media capable of suspending an operating system associated with a virtual machine and capturing a snapshot of the virtual machine at a time corresponding to the suspending, wherein the one or more computer-readable media operate outside of the operating system associated with the virtual machine.
- View Dependent Claims (18, 19, 20)
- - 18. One or more computer-readable media as recited in claim 17, wherein the snapshot includes one or more of:
    - a virtual processor state of the virtual machine, a virtual device state of the virtual machine, and contents of memory assigned to the virtual machine.
  - 19. One or more computer-readable media as recited in claim 17, wherein the virtual machine is a first virtual machine and wherein the one or more computer-readable media operate within a virtual machine monitor configured to virtualize a processor into one or more virtual machines including the first virtual machine.
  - 20. One or more computer-readable media as recited in claim 17, wherein the one or more computer-readable media are further capable of transmitting the snapshot to an entity configured to determine, with use of the snapshot, if contents associated with the virtual machine contain malicious code or have been improperly altered.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Field, Scott A., Baker, Brandon

Application Number

US11/769,916
Publication Number

US 20090007100A1
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 2009/45575   Starting, stopping, suspend...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45558   Hypervisor-specific managem...

Suspending a Running Operating System to Enable Security Scanning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Suspending a Running Operating System to Enable Security Scanning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links