ON-ACCESS ANTI-VIRUS MECHANISM FOR VIRTUAL MACHINE ARCHITECTURE
Abstract
A tangible medium embodying instructions usable by a computer system to protect a plurality of guest virtual machines (VMs), which execute via virtualization software on a common host platform, from malicious code is described. A scan engine is configured to scan data for malicious code and determine a result of the scanning, wherein the result indicates whether malicious code is present in the data. A driver portion is configured for installation in an operating system of a target VM, which is one of the guest VMs. The driver portion intercepts an access request to a file that originates within the target VM. The driver portion communicates information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine. The scan engine executes within the virtualization layer outside a context of the target VM.
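The division of work described in the abstract, modeled as an added Python example (not code from the patent): the driver sends only a location, the scan engine reads the data itself, and the driver acts on the verdict. The names, the (vm_id, path) form of the location, the in-process call standing in for the communication portion, and "deny access" as the remedial action are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: storage the virtualization layer can read for each guest.
BACKING_STORE = {
    ("vm-a", "/home/u/report.txt"): b"quarterly numbers",
    ("vm-a", "/tmp/dropper.bin"): b"\x00\x01CONSTRUCTED-TEST-MARKER\x02",
}
SIGNATURES = {"Test.Marker.A": b"CONSTRUCTED-TEST-MARKER"}  # constructed signature DB

@dataclass(frozen=True)
class ScanRequest:  # identifies where the data is; carries no file contents
    vm_id: str
    path: str

@dataclass(frozen=True)
class ScanResult:
    request: ScanRequest
    malicious: bool
    signature: str = ""

def scan_engine(req):
    # Runs outside the target VM: resolves the location and reads the data itself.
    data = BACKING_STORE[(req.vm_id, req.path)]
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return ScanResult(req, True, name)
    return ScanResult(req, False)

class GuestDriver:  # installed in the target VM's OS; intercepts file access
    def __init__(self, vm_id, channel):
        self.vm_id, self.channel = vm_id, channel
        self.sent, self.blocked = [], []

    def open_file(self, path):
        req = ScanRequest(self.vm_id, path)
        self.sent.append(req)            # everything that crosses the VM boundary
        result = self.channel(req)       # hypothetical communication portion
        if result.malicious:             # remedial action (assumed): deny the access
            self.blocked.append((path, result.signature))
            raise PermissionError(f"{path} blocked: {result.signature}")
        return BACKING_STORE[(self.vm_id, path)]

def demo():
    driver = GuestDriver("vm-a", scan_engine)
    clean = driver.open_file("/home/u/report.txt")
    try:
        driver.open_file("/tmp/dropper.bin")
    except PermissionError:
        return clean, True, driver
    return clean, False, driver
```
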
112 Citations
43 Claims
1. A method for protecting a plurality of guest virtual machines (VMs) from malicious code using an anti-virus system comprising a scan engine and a driver portion, the plurality of guest VMs executing via virtualization layer on a common host platform, method comprising:
- scanning data using the scan engine of the anti-virus system, the scan engine being configured to execute within a scanning VM executing on the host platform and logically isolated from a target VM, the target VM being one of the guest VMs, the scanning comprising;
  receiving a scan request from the driver portion of the anti-virus system, the scan request identifying the data to be scanned;
  reading the data and comparing the data with a virus signature database;
  determining a result of the scanning, the result indicating whether malicious code is present in the data; and
  reporting the result of the scanning back to the driver portion that generated the scan request; and
- protecting the target VM using the driver portion of the anti-virus system, the driver portion being configured for installation in an operating system of the target VM, the protecting comprising;
  intercepting an access request to a file, wherein the access request originates within the target VM;
  communicating the scan request to the scan engine, the scan request including the identification of the data to be scanned by providing information identifying a location of the data to be scanned, the data to be scanned being or corresponding to contents of the file;
  receiving the result from the scan engine, and
  taking remedial action when the result indicates the file contains malicious code.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A machine readable storage medium non-transiently storing instructions usable by a computer system to protect a plurality of guest virtual machines (VMs) from malicious code using an anti-virus system, the plurality of guest VMs executing via a virtualization layer on a common host platform, the instructions causing the computer system to implement:
- a scan engine configured to scan data for malicious code and determine a result of the scanning, the result indicating whether malicious code is present in the data;
- a driver portion configured for installation in an operating system of a target VM, the target VM being one of the guest VMs, the driver portion intercepting an access request to a file, wherein the access request originates within the target VM, the driver portion further communicating information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine, the data to be scanned being or corresponding to contents of the file, the driver portion furthermore receiving the result of the scan communicated by the scan engine; and
- a communication portion configured to facilitate communication between the scan engine and the driver portion;
- wherein the scan engine is configured to execute on the host platform logically isolated from the target VM, the communication portion facilitates the communicating of the information and the result between the driver portion and the scan engine, and at least one of the driver portion or the scan engine causes a remedial action to be carried out when the result indicates that malicious code is present in the data.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37
38. A system for protecting a plurality of guest virtual machines (VMs) from malicious code, the plurality of guest VMs executing via a virtualization layer on a common host platform, the system implemented by a computer, the system comprising:
- a scan engine configured to scan data for malicious code and determine a result of the scanning, the result indicating whether malicious code is present in the data;
- a driver portion configured for installation in an operating system of a target VM, the target VM being one of the guest VMs, the driver portion intercepting an access request to a file, wherein the access request originates within the target VM, the driver portion further communicating information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine, the data to be scanned being or corresponding to contents of the file, the driver portion furthermore receiving the result of the scan communicated by the scan engine; and
- a communication portion configured to facilitate communication between the scan engine and the driver portion;
- wherein the scan engine is configured to execute on the host platform logically isolated from the target VM, the communication portion facilitates the communicating of the information and the result between the driver portion and the scan engine, and at least one of the driver portion or the scan engine causes a remedial action to be carried out when the result indicates that malicious code is present in the data.
Dependent claims: 39, 40, 41, 42, 43
Specification