Hypervisor-Based Enterprise Endpoint Protection
Abstract
Described systems and methods allow the detection and prevention of malware and/or malicious activity within a network comprising multiple client computer systems, such as an enterprise network with multiple endpoints. Each endpoint operates a hardware virtualization platform, including a hypervisor exposing a client virtual machine (VM) and a security VM. The security VM is configured to have exclusive use of the network adapter(s) of the respective endpoint, and to detect whether data traffic to/from the client VM comprises malware or is indicative of malicious behavior. Upon detecting malware/malicious behavior, the security VM may block access of the client VM to the network, thus preventing the spread of malware to other endpoints. The client system may further comprise a memory introspection engine configured to perform malware scanning of the client VM from the level of the hypervisor.
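As an added illustration (not the patent's own code), the following Python model walks through the data path the abstract describes: the security VM receives each data unit from the adapter, classifies it by payload content, hands clean units to the hypervisor for the client VM, and on detection reports to the remote security manager and restricts the client VM's adapter access according to the received policy; an alert from the hypervisor's memory introspection engine takes the same path. The policy field names, the `MALICIOUS-MARKER` payload check and the sample traffic (clean, malicious, clean again, then manager traffic) are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class DataUnit:
    header: dict        # e.g. {"src": "10.0.0.5"}; constructed sample values below
    payload: bytes

@dataclass
class SecurityPolicy:
    isolate_on_detection: bool = True   # pushed by the security manager (field names assumed)
    allowed_when_isolated: frozenset = frozenset({"security-manager"})

@dataclass
class SecurityVM:
    policy: SecurityPolicy
    is_malicious: Callable[[bytes], bool]   # payload content check, supplied by the caller
    delivered: list = field(default_factory=list)   # handed to the hypervisor for the client VM
    reports: list = field(default_factory=list)     # security reports sent to the remote server
    restricted: bool = False

    def on_data_unit(self, unit: DataUnit) -> str:
        src = unit.header.get("src")
        if self.restricted and src not in self.policy.allowed_when_isolated:
            return "dropped"        # client VM's adapter access is restricted per policy
        if self.is_malicious(unit.payload):
            self.reports.append({"kind": "network", "src": src, "len": len(unit.payload)})
            if self.policy.isolate_on_detection:
                self.restricted = True
            return "blocked"
        self.delivered.append(unit)  # hypervisor forwards the clean unit to the client VM
        return "forwarded"

    def on_introspection_alert(self, detail: str) -> None:
        # Alert from the hypervisor's memory introspection engine; same policy applies.
        self.reports.append({"kind": "memory", "detail": detail})
        if self.policy.isolate_on_detection:
            self.restricted = True

def simulate() -> tuple:
    sec = SecurityVM(SecurityPolicy(), lambda p: b"MALICIOUS-MARKER" in p)
    stream = [
        DataUnit({"src": "10.0.0.5"}, b"GET /index.html"),
        DataUnit({"src": "10.0.0.9"}, b"MALICIOUS-MARKER payload"),
        DataUnit({"src": "10.0.0.5"}, b"GET /status"),
        DataUnit({"src": "security-manager"}, b"policy-update"),
    ]
    outcomes = [sec.on_data_unit(u) for u in stream]
    sec.on_introspection_alert("constructed introspection finding")
    return outcomes, len(sec.reports), sec.restricted, len(sec.delivered)
```

Note that once the policy has isolated the client VM, later benign traffic from ordinary hosts is dropped while traffic from the security manager still passes, which is what lets the server re-configure the endpoint after an incident.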
296 Citations
18 Claims
1. A client system comprising at least one processor configured to operate a hypervisor, the hypervisor configured to execute:

a client virtual machine (VM); and a security VM distinct from the client VM, the security VM configurable by a centralized security manager executing on a remote server connected to the client system by a network, wherein the remote server is programmed to configure a plurality of client systems including the client system, wherein the security VM is configured to control a network adapter of the client system according to a security policy received from the remote server, and wherein the security VM is further configured to: receive a data unit from the network adapter, the data unit comprising a header and a payload, the data unit destined for the client VM, in response to receiving the data unit, determine whether the data unit is malicious according to a content of the payload, in response, when the data unit is not malicious, transmit the data unit to the hypervisor for transmission to the client VM, and in response, when the data unit is malicious, send a security report to the remote server, the security report indicative of the maliciousness of the data unit, and restrict access of the client VM to the network adapter according to the security policy, wherein the hypervisor is further configured, in response to receiving the data unit from the security VM, to transmit the data unit to the client VM, and wherein the hypervisor comprises a memory introspection engine configured to: determine whether the client VM comprises malware according to a content of a section of memory of the client VM, and in response, when the client VM comprises malware, send a security alert to the security VM.

Dependent claims: 2, 3, 4, 5, 6.
7. A server system comprising at least one processor programmed to remotely configure a plurality of client systems, wherein configuring a client system of the plurality of the client systems comprises sending a security policy to the client system, and wherein the client system comprises at least one processor configured to operate a hypervisor, the hypervisor configured to execute:

a client virtual machine (VM); and a security VM distinct from the client VM, the security VM configured to control a network adapter of the client system, and further configured to: receive a data unit from the network adapter, the data unit comprising a header and a payload, the data unit destined for the client VM, in response to receiving the data unit, determine whether the data unit is malicious according to a content of the payload, in response, when the data unit is not malicious, transmit the data unit to the hypervisor for transmission to the client VM, and in response, when the data unit is malicious, send a security report to the server system, the security report indicative of the maliciousness of the data unit, and in response to receiving the security policy, restrict access of the client VM to the network adapter according to the security policy, wherein the hypervisor is further configured, in response to receiving the data unit from the security VM, to transmit the data unit to the client VM, and wherein the hypervisor comprises a memory introspection engine configured to: determine whether the client VM comprises malware according to a content of a section of memory of the client VM, and in response, when the client VM comprises malware, send a security alert to the security VM.

Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A method comprising employing at least one processor of a client system to form a hypervisor configured to expose:

a client virtual machine (VM); and a security VM distinct from the client VM, the security VM configured to control a network adapter of the client system, the security VM configurable by a centralized security manager executing on a remote server connected to the client system by a network, wherein the remote server is programmed to configure a plurality of client systems including the client system, and wherein configuring the client system comprises the remote server sending a security policy to the client system; wherein the method further comprises: employing the security VM to receive a data unit from the network adapter, the data unit comprising a header and a payload, the data unit destined for the client VM, employing the security VM, in response to receiving the data unit, to determine whether the data unit is malicious according to a content of the payload, and in response, when the data unit is not malicious, to transmit the data unit to the hypervisor for transmission to the client VM, and when the data unit is malicious, to send a security report to the remote server, the security report indicative of the maliciousness of the data unit, and to restrict access of the client VM to the network adapter according to the security policy, and wherein the method further comprises employing the hypervisor, in response to receiving the data unit from the security VM, to transmit the data unit to the client VM, wherein the hypervisor further comprises a memory introspection engine configured to: determine whether the client VM comprises malware according to a content of a section of memory of the client VM, and in response, when the client VM comprises malware, send a security alert to the security VM.
18. A method comprising:

employing at least one processor of a server system to remotely configure a plurality of client systems connected to the server system by a network, wherein configuring a client system of the plurality of client systems comprises sending a security policy to the client system; and in response to configuring the plurality of client systems, employing at least one processor of the server system to receive a security report from the client system, wherein the client system comprises a hypervisor configured to execute: a client virtual machine (VM); and a security VM distinct from the client VM, the security VM configured to control a network adapter of the client system and further configured to: receive a data unit from the network adapter, the data unit comprising a header and a payload, the data unit destined for the client VM, in response to receiving the data unit, determine whether the data unit is malicious according to a content of the payload, in response, when the data unit is not malicious, transmit the data unit to the hypervisor for transmission to the client VM, and in response, when the data unit is malicious, send the security report to the server system, the security report indicative of the maliciousness of the data unit, and restrict access of the client VM to the network adapter according to the security policy, wherein the hypervisor is further configured, in response to receiving the data unit from the security VM, to transmit the data unit to the client VM, and wherein the hypervisor comprises a memory introspection engine configured to: determine whether the client VM comprises malware according to a content of a section of memory of the client VM, and in response, when the client VM comprises malware, send a security alert to the security VM.