On-access anti-virus mechanism for virtual machine architecture

US 8,010,667 B2
Filed: 08/12/2010
Issued: 08/30/2011
Est. Priority Date: 12/12/2007
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a plurality of guest virtual machines (VMs) from malicious code using an anti-virus system comprising a scan engine and a driver portion, the plurality of guest VMs executing via virtualization layer on a common host platform, method comprising:

scanning data using the scan engine of the anti-virus system, the scan engine being configured to execute within a scanning VM executing on the host platform and logically isolated from a target VM, the target VM being one of the guest VMs, the scanning comprising;

receiving a scan request from the driver portion of the anti-virus system, the scan request identifying the data to be scanned;

reading the data and comparing the data with a virus signature database;

determining a result of the scanning, the result indicating whether malicious code is present in the data; and

reporting the result of the scanning back to the driver portion that generated the scan request; and

protecting the target VM using the driver portion of the anti-virus system, the driver portion being configured for installation in an operating system of the target VM, the protecting comprising;

intercepting an access request to a file, wherein the access request originates within the target VM;

communicating the scan request to the scan engine, the scan request including the identification of the data to be scanned by providing information identifying a location of the data to be scanned, the data to be scanned being or corresponding to contents of the file;

receiving the result from the scan engine, andtaking remedial action when the result indicates the file contains malicious code.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A tangible medium embodying instructions usable by a computer system to protect a plurality of guest virtual machines (VMs), which execute via virtualization software on a common host platform, from malicious code is described. A scan engine is configured to scan data for malicious code and determine a result of the scanning, wherein the result indicates whether malicious code is present in the data. A driver portion is configured for installation in an operating system of a target VM, which is one of the guest VMs. The driver portion intercepts an access request to a file, that originates within the target VM. The driver portion communicates information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine. The scan engine executes within the virtualization layer outside a context of the target VM.

353 Citations

43 Claims

1. A method for protecting a plurality of guest virtual machines (VMs) from malicious code using an anti-virus system comprising a scan engine and a driver portion, the plurality of guest VMs executing via virtualization layer on a common host platform, method comprising:
- scanning data using the scan engine of the anti-virus system, the scan engine being configured to execute within a scanning VM executing on the host platform and logically isolated from a target VM, the target VM being one of the guest VMs, the scanning comprising;
  
  receiving a scan request from the driver portion of the anti-virus system, the scan request identifying the data to be scanned;
  
  reading the data and comparing the data with a virus signature database;
  
  determining a result of the scanning, the result indicating whether malicious code is present in the data; and
  
  reporting the result of the scanning back to the driver portion that generated the scan request; and
  
  protecting the target VM using the driver portion of the anti-virus system, the driver portion being configured for installation in an operating system of the target VM, the protecting comprising;
  
  intercepting an access request to a file, wherein the access request originates within the target VM;
  
  communicating the scan request to the scan engine, the scan request including the identification of the data to be scanned by providing information identifying a location of the data to be scanned, the data to be scanned being or corresponding to contents of the file;
  
  receiving the result from the scan engine, andtaking remedial action when the result indicates the file contains malicious code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the data to be scanned comprises a decrypted copy of the contents of the file.
  - 3. The method of claim 1, wherein the data to be scanned comprises the contents of the file as they exist on a mass storage device.
  - 4. The method of claim 1, wherein the information identifying the location of the data to be scanned comprises identification of at least one guest virtual disk block, the guest virtual disk blocks containing the file on a virtual disk that is accessible by the target VM, wherein the scanning further comprises:
    - obtaining identifications of physical disk blocks that are mapped to the guest virtual disk blocks, the physical disk blocks being disk blocks of a physical disk accessible to the host platform; and
      
      the reading of the data comprises accessing and reading the physical disk blocks.
  - 5. The method of claim 4, wherein the identifications of the physical disk blocks comprise offsets into a file containing an image of the virtual disk that is accessible by the target VM.
  - 6. The method of claim 1, wherein the information identifying the location of the data to be scanned comprises a network path to the file as it resides on a mass storage device, the network path specifically identifying the file across a network, and the scanning comprises accessing the file using the network path, the reading of the data comprising accessing and reading the file from the mass data storage device.
  - 7. The method of claim 1, wherein:
    - the protecting further comprises copying the data to be scanned to guest virtual memory at locations identified by one or more guest page numbers (GPNs);
      
      the information identifying the location of the data to be scanned comprises the GPNs; and
      
      the scanning further comprises obtaining physical page numbers (PPNs) of physical pages of system memory corresponding to the GPNs obtained from the driver portion.
  - 8. The method of claim 1, wherein the scan engine is configured to execute within a scanning VM, the scanning VM executing on the common host platform via the virtualization layer, the scan request being received by the scanning VM by way of the virtualization layer or a host operating system.
  - 9. The method of claim 8, wherein the scanning VM is a dedicated VM that has a single substantial function of providing anti-virus scanning function.
  - 10. The method of claim 1, wherein the scan engine resides in the virtualization layer.
  - 11. The method of claim 1, wherein the remedial action comprises one or more of notifying a user, deleting a file, or quarantining the file.

12. A machine readable storage medium non-transiently storing instructions usable by a computer system to protect a plurality of guest virtual machines (VMs) from malicious code using an anti-virus system, the plurality of guest VMs executing via a virtualization layer on a common host platform, the instructions causing the computer system to implement:
- a scan engine configured to scan data for malicious code and determine a result of the scanning, the result indicating whether malicious code is present in the data;
  
  a driver portion configured for installation in an operating system of a target VM, the target VM being one of the guest VMs, the driver portion intercepting an access request to a file, wherein the access request originates within the target VM, the driver portion further communicating information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine, the data to be scanned being or corresponding to contents of the file, the driver portion furthermore receiving the result of the scan communicated by the scan engine; and
  
  a communication portion configured to facilitate communication between the scan engine and the driver portion;
  
  wherein the scan engine is configured to execute on the host platform logically isolated from the target VM, the communication portion facilitates the communicating of the information and the result between the driver portion and the scan engine, and at least one of the driver portion or the scan engine causes a remedial action to be carried out when the result indicates that malicious code is present in the data.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 13. The machine readable storage medium of claim 12, wherein the scan engine is configured to execute in the virtualization layer.
  - 14. The machine readable storage medium of claim 12, wherein the scan engine is configured to execute within a scanning VM, the scanning VM executing on the host platform via the virtualization layer, the scan request being received by the scanning VM via the virtualization layer.
  - 15. The machine readable storage medium of claim 12, wherein the virtualization layer includes a host operating system executing directly on the physical host platform, the scan engine being configured as a user-level application executing in conjunction with the host operating system.
  - 16. The machine readable storage medium of claim 12, wherein the driver is configured to communicate the information identifying the data indirectly via an agent program that executes within the context of the target VM.
  - 17. The machine readable storage medium of claim 12, wherein the remedial action comprises notifying a component of the virtualization layer to carry out VM-level action, the VM-level action comprising one or more of creating a snapshot of the guest VM, starting a recording that traces execution of the guest VM, disconnecting the guest VM from the network, and suspending the guest VM.
  - 18. The machine readable storage medium of claim 12, wherein the remedial action comprises wherein the remedial action comprises one or more of notifying a user, deleting a file, or quarantining the file.
  - 19. The machine readable storage medium of claim 12, wherein the scan engine compares the data being scanned with a virus signature database to determine whether the data being scanned contains the malicious code.
  - 20. The machine readable storage medium of claim 12, wherein the identification of the location of the file comprises identification of at least one guest virtual disk block, the guest virtual disk blocks containing the file on a virtual disk that is accessible by the target VM, wherein the scan engine obtains identifications of physical disk blocks that are mapped to the guest virtual disk blocks, the physical disk blocks being disk blocks of a physical disk accessible to the host platform.
  - 21. The machine readable storage medium of claim 20, wherein the identifications of the physical disk blocks comprise offsets into a file containing an image of the virtual disk that is accessible by the target VM.
  - 22. The machine readable storage medium of claim 21, wherein the scan engine, upon receiving from the driver portion the information identifying a location of the data to be scanned, consults a scan history of the physical disk blocks that contain the file, the scan engine performing the scan only when the scan history indicates that the file has been modified since the last scan or that the file has not been previously scanned.
  - 23. The machine readable storage medium of claim 22, wherein the scan engine returns a negative result that indicates that no malicious code is present without performing a new scan when the scan history indicate the file has been previously scanned, found to be free of malicious code, and has not been modified since the last scan.
  - 24. The machine readable storage medium of claim 22, wherein each physical disk block includes a flag to indicate the scan history of that block, wherein the flag has one value indicating the physical disk block has not been previously scanned or has been modified since the last scan and a different value indicating that the physical disk block has been scanned, found to contain no malicious code, and has not been modified since the last scan.
  - 25. The machine readable storage medium of claim 22, wherein the guest OS maintains the scan history by setting and clearing the flag.
  - 26. The machine readable storage medium of claim 22, wherein the file is accessible to each of the plurality of guest VMs, and each of the plurality of guest VMs includes a corresponding driver portion for intercepting file accesses within a corresponding one of the VMs, wherein the scan engine returns the negative result without performing a new scan when the scan history indicates the file has been previously scanned, the previous scan found the file to be free of malicious code, and has not been modified since the previous scan regardless as to which driver portion previously requested the last scan.
  - 27. The machine readable storage medium of claim 12, wherein the identification of the location of the file comprises a network path to the file, the network path specifically identifying the file across a network.
  - 28. The machine readable storage medium of claim 27, wherein the scan engine maintains a scan history of the file content, the scan history identifying files that have been successfully scanned and remain unmodified since a most recent successful scan.
  - 29. The machine readable storage medium of claim 28, wherein the scan history includes a signature corresponding to each successfully scanned file, the signature being a value that is a function of the content of the file, wherein the scan engine, upon receiving from the driver portion the information identifying the location of the data to be scanned, consults the scan history, the scan engine performing the scan only when the scan history indicates that the file has been modified since the last scan or that the file has not been previously scanned.
  - 30. The machine readable storage medium of claim 29, wherein the signature is a hash of the content of the file.
  - 31. The machine readable storage medium of claim 30, wherein the file is accessible to each of the plurality of guest VMs, and each of the plurality of guest VMs includes a corresponding driver portion for intercepting file accesses within a corresponding one of the VMs, wherein the scan engine returns the negative result without performing a new scan when the scan history indicates the file has been previously scanned, the previous scan found the file to be free of malicious code, and the file has not been modified since the previous scan regardless as to which driver portion previously requested the previous scan.
  - 32. The machine readable storage medium of claim 12, wherein the identification of the location of the file comprises guest physical page numbers identifying locations in guest physical memory where content of the file is stored by the driver portion.
  - 33. The machine readable storage medium of claim 32, wherein the driver portion stores the content of the file in the guest physical memory indirectly via an agent program that executes within the context of the target VM on behalf of the driver portion.
  - 34. The machine readable storage medium of claim 32, wherein the scan engine obtains physical page numbers of physical pages of system memory corresponding to the guest physical page numbers obtained for the driver portion.
  - 35. The machine readable storage medium of claim 34, wherein:
    - the scan engine maintains a scan history that identifies previously scanned data that has been identified as being free of malicious code; and
      
      the scan engine, upon receiving from the driver portion the information identifying a location of the data to be scanned, consults the scan history to determine whether the data to be scanned corresponds with data that has previously been successfully scanned, the scan engine performing the scan only when the scan history indicates that one or more of the physical pages has been modified since the last scan or that the file has not been previously scanned.
  - 36. The machine readable storage medium of claim 35, wherein the scan history includes a signature for each file that the scan engine determines to be free of malicious codewherein the scan engine, upon receiving from the driver portion the information identifying the location of the data to be scanned, compares a new signature generated from the data to be scanned and compares the new signature with signatures in the scan history, the scan engine performing the scan only when the signatures in the scan history does not include a matching signature.
  - 37. The machine readable storage medium of claim 36, wherein the file is accessible to each of the plurality of guest VMs, and each of the plurality of guest VMs includes a corresponding driver portion for intercepting file accesses within a corresponding one of the guest VMs, and the scan history includes signatures for files scanned for each of the plurality of guest VMs.

38. A system for protecting a plurality of guest virtual machines (VMs) from malicious code, the plurality of guest VMs executing via a virtualization layer on a common host platform, the system implemented by a computer, the system comprising:
- a scan engine configured to scan data for malicious code and determine a result of the scanning, the result indicating whether malicious code is present in the data;
  
  a driver portion configured for installation in an operating system of a target VM, the target VM being one of the guest VMs, the driver portion intercepting an access request to a file, wherein the access request originates within the target VM, the driver portion further communicating information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine, the data to be scanned being or corresponding to contents of the file, the driver portion furthermore receiving the result of the scan communicated by the scan engine; and
  
  a communication portion configured to facilitate communication between the scan engine and the driver portion;
  
  wherein the scan engine is configured to execute on the host platform logically isolated from the target VM, the communication portion facilitates the communicating of the information and the result between the driver portion and the scan engine, and at least one of the driver portion or the scan engine causes a remedial action to be carried out when the result indicates that malicious code is present in the data.
- View Dependent Claims (39, 40, 41, 42, 43)
- - 39. The system of claim 38, wherein the scan engine is configured to execute in the virtualization layer.
  - 40. The system of claim 38, wherein the scan engine is configured to execute within a scanning VM, the scanning VM executing on the host platform via the virtualization layer, the scan request being received by the scanning VM via the virtualization layer.
  - 41. The system of claim 38, wherein the remedial action comprises notifying a component of the virtualization layer to carry out VM-level action, the VM-level action comprising one or more of creating a snapshot of the guest VM, starting a recording that traces execution of the guest VM, disconnecting the guest VM from the network, and suspending the guest VM.
  - 42. The system of claim 38, wherein the remedial action comprises wherein the remedial action comprises one or more of notifying a user, deleting a file, or quarantining the file.
  - 43. The system of claim 38, wherein the scan engine, upon receiving from the driver portion the information identifying a location of the data to be scanned, consults a history of previous scan locations, the scan engine performing the scan only when the scan history indicates that the data has been modified since the last scan or that the data has not been previously scanned.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VMware, Inc. (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Zhang, Yufeng, Krishnan, Jagannath Gopal, Uluski, Derek, Chen, Xiaoxin, Le, Bich Cau
Primary Examiner(s)
Meky; Moustafa M

Application Number

US12/855,498
Publication Number

US 20100306849A1
Time in Patent Office

383 Days
Field of Search

709200-203, 709217-227, 726/24
US Class Current

709/224
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

On-access anti-virus mechanism for virtual machine architecture

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

353 Citations

43 Claims

Specification

Use Cases

Quick Links

Others

On-access anti-virus mechanism for virtual machine architecture

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

353 Citations

43 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others