On-Access Anti-Virus Mechanism for Virtual Machine Architecture

US 20090158432A1
Filed: 12/12/2007
Published: 06/18/2009
Est. Priority Date: 12/12/2007
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a plurality of guest virtual machines (VMs) from malicious code, the plurality of guest VMs executing via a virtualization layer on a common host platform, method comprising:

scanning data using a scan engine of an anti-virus system, the scan engine being configured to execute within the virtualization layer outside a context of a target VM, the target VM being one of the guest VMs, the scanning comprising;

receiving a scan request from a driver portion of the anti-virus system, the scan request identifying the data to be scanned;

reading the data and comparing the data with a virus signature database;

determining a result of the scanning, the result indicating whether malicious code is present in the data; and

reporting the result of the scanning back to the driver portion that requested the scan; and

protecting the target VM using a driver portion of the anti-virus system, the driver portion being configured for installation in an operating system of the target VM, the protecting comprising;

intercepting an access request to a file, wherein the access request originates within the target VM;

communicating the scan request to the scan engine, the scan request including the identification of the data to be scanned by providing information identifying a location of the data to be scanned, the data to be scanned being or corresponding to contents of the file;

receiving the result from the scan engine, andtaking remedial action when the result indicates the file contains malicious code, the remedial action including one or more of notifying a user, deleting the file, or quarantining the file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A tangible medium embodying instructions usable by a computer system to protect a plurality of guest virtual machines (VMs), which execute via virtualization software on a common host platform, from malicious code is described. A scan engine is configured to scan data for malicious code and determine a result of the scanning, wherein the result indicates whether malicious code is present in the data. A driver portion is configured for installation in an operating system of a target VM, which is one of the guest VMs. The driver portion intercepts an access request to a file, that originates within the target VM. The driver portion communicates information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine. The scan engine executes within the virtualization layer outside a context of the target VM.

240 Citations

33 Claims

1. A method for protecting a plurality of guest virtual machines (VMs) from malicious code, the plurality of guest VMs executing via a virtualization layer on a common host platform, method comprising:
- scanning data using a scan engine of an anti-virus system, the scan engine being configured to execute within the virtualization layer outside a context of a target VM, the target VM being one of the guest VMs, the scanning comprising;
  
  receiving a scan request from a driver portion of the anti-virus system, the scan request identifying the data to be scanned;
  
  reading the data and comparing the data with a virus signature database;
  
  determining a result of the scanning, the result indicating whether malicious code is present in the data; and
  
  reporting the result of the scanning back to the driver portion that requested the scan; and
  
  protecting the target VM using a driver portion of the anti-virus system, the driver portion being configured for installation in an operating system of the target VM, the protecting comprising;
  
  intercepting an access request to a file, wherein the access request originates within the target VM;
  
  communicating the scan request to the scan engine, the scan request including the identification of the data to be scanned by providing information identifying a location of the data to be scanned, the data to be scanned being or corresponding to contents of the file;
  
  receiving the result from the scan engine, andtaking remedial action when the result indicates the file contains malicious code, the remedial action including one or more of notifying a user, deleting the file, or quarantining the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the data to be scanned comprises a decrypted copy of the contents of the file.
  - 3. The method of claim 1, wherein the data to be scanned comprises the contents of the file as they exist on a mass storage device.
  - 4. The method of claim 1, wherein the information identifying the location of the data to be scanned comprises identification of at least one guest virtual disk block, the guest virtual disk blocks containing the file on a virtual disk that is accessible by the target VM, wherein the scanning further comprises:
    - obtaining identifications of physical disk blocks that are mapped to the guest virtual disk blocks, the physical disk blocks being disk blocks of a physical disk accessible to the host platform; and
      
      the reading of the data comprises accessing and reading the physical disk blocks.
  - 5. The method of claim 4, wherein the identifications of the physical disk blocks comprise offsets into a file containing an image of the virtual disk that is accessible by the target VM.
  - 6. The method of claim 1, wherein the information identifying the location of the data to be scanned comprises a network path to the file as it resides on a mass storage device, the network path specifically identifying the file across a network, and the scanning comprises accessing the file using the network path, the reading of the data comprising accessing and reading the file from the mass data storage device.
  - 7. The method of claim 1, wherein:
    - the protecting further comprises copying the data to be scanned to guest virtual memory at locations identified by one or more guest page numbers (GPNs);
      
      the information identifying the location of the data to be scanned comprises the guest physical page numbers; and
      
      the scanning further comprises obtaining physical page numbers (PPNs) of physical pages of system memory corresponding to the GPNs obtained for the driver portion.
  - 8. The method of claim 7, wherein the GPNs are guest physical page numbers.

9. A tangible medium embodying instructions usable by a computer system to protect a plurality of guest virtual machines (VMs) from malicious code, the plurality of guest VMs executing via a virtualization layer on a common host platform, the instructions comprising:
- instructions forming a scan engine of an anti-virus system, the scan engine being configured to scan data for malicious code and determining a result of the scanning, the result indicating whether malicious code is present in the data;
  
  instructions forming a driver portion of the anti-virus system, the driver portion being configured for installation in an operating system of a target VM, the target VM being one of the guest VMs, the driver portion intercepting an access request to a file, wherein the access request originates within the target VM, the driver portion further communicating information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine, the data to be scanned being or corresponding to contents of the file, the driver portion furthermore receiving the result of the scan communicated by the scan engine; and
  
  instructions forming a communication portion of the anti-virus system, the communications portion being configured to facilitate communication between the scan engine and the driver portion; and
  
  wherein the scan engine is configured to execute within the virtualization layer outside a context of the target VM and the communication portion facilitates the communicating of the information and the result between the driver portion within the context of the target VM and the scan engine outside the context of the target VM.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 10. The tangible medium of claim 9, wherein the scan engine is configured to execute in the virtualization layer attached to a virtualization kernel.
  - 11. The tangible medium of claim 9, wherein the scan engine is configured to execute in the virtualization layer on top of a host operating system.
  - 12. The tangible medium of claim 11, wherein the driver is configured to communicate the information identifying the data indirectly via an agent program that executes within the context of the target VM.
  - 13. The tangible medium of claim 11, wherein the virtualization layer includes a host operating system executing directly on the physical host platform, the scan engine being configured as a user-level application executing in conjunction with the host operating system.
  - 14. The tangible medium of claim 11, wherein, when the scan engine identifies malicious code in the file, the scan engine notifies a component of the virtualization layer to carry out VM-level action, the VM-level action comprising one or more of creating a snapshot of the guest VM, starting a recording that traces execution of the guest VM, disconnecting the guest VM from the network, and suspending the guest VM.
  - 15. The tangible medium of claim 11, wherein the scan engine compares the data being scanned with a virus signature database to determine whether the data being scanned contains the malicious code.
  - 16. The tangible medium of claim 11, wherein the identification of the location of the file comprises identification of at least one guest virtual disk block, the guest virtual disk blocks containing the file on a virtual disk that is accessible by the target VM, wherein the scan engine obtains identifications of physical disk blocks that are mapped to the guest virtual disk blocks, the physical disk blocks being disk blocks of a physical disk accessible to the host platform.
  - 17. The method of claim 16, wherein the identifications of the physical disk blocks comprise offsets into a file containing an image of the virtual disk that is accessible by the target VM.
  - 18. The tangible medium of claim 17, wherein the scan engine, upon receiving from the driver portion the information identifying a location of the data to be scanned, consults a scan history of the physical disk blocks that contain the file, the scan engine performing the scan only when the scan history indicates that the file has been modified since the last scan or that the file has not been previously scanned.
  - 19. The tangible medium of claim 18, wherein the scan engine returns a negative result that indicates that no malicious code is present without performing a new scan when the scan history indicate the file has been previously scanned, found to be free of malicious code, and has not been modified since the last scan.
  - 20. The tangible medium of claim 18, wherein each physical disk block includes a flag to indicate the scan history of that block, wherein the flag has one value indicating the physical disk block has not been previously scanned or has been modified since the last scan and a different value indicating that the physical disk block has been scanned, found to contain no malicious code, and has not been modified since the last scan.
  - 21. The tangible medium of claim 18, wherein the guest OS maintains the scan history by setting and clearing the flag.
  - 22. The tangible medium of claim 18, wherein the file is accessible to each of the plurality of guest VMs, and each of the plurality of guest VMs includes a corresponding driver portion for intercepting file accesses within a corresponding one of the VMs, wherein the scan engine returns the negative result without performing a new scan when the scan history indicates the file has been previously scanned, the previous scan found the file to be free of malicious code, and has not been modified since the previous scan regardless as to which driver portion previously requested the last scan.
  - 23. The tangible medium of claim 11, wherein the identification of the location of the file comprises a network path to the file, the network path specifically identifying the file across a network.
  - 24. The tangible medium of claim 23, wherein the scan engine maintains a scan history of the file content, the scan history identifying files that have been successfully scanned and remain unmodified since a most recent successful scan.
  - 25. The tangible medium of claim 24, wherein the scan history includes a signature corresponding to each successfully scanned file, the signature being a value that is a function of the content of the file, wherein the scan engine, upon receiving from the driver portion the information identifying the location of the data to be scanned, consults the scan history, the scan engine performing the scan only when the scan history indicates that the file has been modified since the last scan or that the file has not been previously scanned.
  - 26. The tangible medium of claim 25, wherein the signature is a hash of the content of the file.
  - 27. The tangible medium of claim 26, wherein the file is accessible to each of the plurality of guest VMs, and each of the plurality of guest VMs includes a corresponding driver portion for intercepting file accesses within a corresponding one of the VMs, wherein the scan engine returns the negative result without performing a new scan when the scan history indicates the file has been previously scanned, the previous scan found the file to be free of malicious code, and the file has not been modified since the previous scan regardless as to which driver portion previously requested the previous scan.
  - 28. The tangible medium of claim 11, wherein the identification of the location of the file comprises guest physical page numbers identifying locations in guest physical memory where content of the file is stored by the driver portion.
  - 29. The tangible medium of claim 28, wherein the driver portion stores the content of the file in the guest physical memory indirectly via an agent program that executes within the context of the target VM on behalf of the driver portion.
  - 30. The tangible medium of claim 28, wherein the scan engine obtains physical page numbers of physical pages of system memory corresponding to the guest physical page numbers obtained for the driver portion.
  - 31. The tangible medium of claim 30, wherein:
    - the scan engine maintains a scan history that identifies previously scanned data that has been identified as being free of malicious code; and
      
      the scan engine, upon receiving from the driver portion the information identifying a location of the data to be scanned, consults the scan history to determine whether the data to be scanned corresponds with data that has previously been successfully scanned, the scan engine performing the scan only when the scan history indicates that one or more of the physical pages has been modified since the last scan or that the file has not been previously scanned.
  - 32. The tangible medium of claim 31, wherein the scan history includes a signature for each file that the scan engine determines to be free of malicious codewherein the scan engine, upon receiving from the driver portion the information identifying the location of the data to be scanned, compares a new signature generated from the data to be scanned and compares the new signature with signatures in the scan history, the scan engine performing the scan only when the signatures in the scan history does not include a matching signature.
  - 33. The tangible medium of claim 32, wherein the file is accessible to each of the plurality of guest VMs, and each of the plurality of guest VMs includes a corresponding driver portion for intercepting file accesses within a corresponding one of the guest VMs, and the scan history includes signatures for files scanned for each of the plurality of guest VMs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Chen, Xiaoxin, Zheng, Yufeng, Le, Bich Cau, Krishnan, Jagannath Gopal, Uluski, Derek

Granted Patent

US 7,797,748 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

On-Access Anti-Virus Mechanism for Virtual Machine Architecture

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

240 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

On-Access Anti-Virus Mechanism for Virtual Machine Architecture

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

240 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links