System and method for virtual partition monitoring

US 9,298,910 B2
Filed: 06/08/2011
Issued: 03/29/2016
Est. Priority Date: 06/08/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, in an external handler associated with a virtualized platform, an event notification associated with an event in a virtual partition of the virtualized platform, wherein the external handler operates externally to the virtual partition, and wherein a helper agent operating within the virtual partition creates one or more threads for receiving communications from the external handler;

causing, by the external handler, a module within the virtual partition to suspend a thread of a process in the virtual partition that caused the event;

instructing, by a task request from the external handler, the helper agent to execute a task to identify context information associated with the event and to return results based on the task to the external handler, wherein the task is executed in at least one of the threads created by the helper agent in the virtual partition while the thread of the process that caused the event is suspended;

determining, externally to the virtual partition, whether the event violates a security policy, wherein the determining is based, at least in part, on the results returned by the helper agent; and

if the event violates the security policy, providing instructions indicating a policy action to be taken within the virtual partition.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes receiving in an external handler an event notification associated with an event in a virtual partition. A thread in the process in the virtual partition that caused the event can be parked. Other threads and processes may be allowed to resume while a security handler evaluates the event for potential threats. A helper agent within the virtual partition may be instructed to execute a task, such as collecting and assembling event context within the virtual partition, and results based on the task can be returned to the external handler. A policy action can be taken based on the results returned by the helper agent, which may include, for example, instructing the helper agent to terminate the process that caused the event.

68 Citations

View as Search Results

27 Claims

1. A method, comprising:
- receiving, in an external handler associated with a virtualized platform, an event notification associated with an event in a virtual partition of the virtualized platform, wherein the external handler operates externally to the virtual partition, and wherein a helper agent operating within the virtual partition creates one or more threads for receiving communications from the external handler;
  
  causing, by the external handler, a module within the virtual partition to suspend a thread of a process in the virtual partition that caused the event;
  
  instructing, by a task request from the external handler, the helper agent to execute a task to identify context information associated with the event and to return results based on the task to the external handler, wherein the task is executed in at least one of the threads created by the helper agent in the virtual partition while the thread of the process that caused the event is suspended;
  
  determining, externally to the virtual partition, whether the event violates a security policy, wherein the determining is based, at least in part, on the results returned by the helper agent; and
  
  if the event violates the security policy, providing instructions indicating a policy action to be taken within the virtual partition.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the external handler operates in one of a virtualization host or a second virtual partition.
  - 3. The method of claim 1, wherein:
    - the external handler operates in a first virtualization guest in the virtualized platform; and
      
      the virtual partition is a second virtualization guest in the virtualized platform.
  - 4. The method of claim 1, wherein the event notification is received from a hypervisor extension in the virtualized platform.
  - 5. The method of claim 1, further comprising:
    - resuming other processes in the virtual partition in response to the thread that caused the event being suspended.
  - 6. The method of claim 1, wherein the event notification includes event data associated with the event, and wherein the results returned to the external handler from the helper agent comprise the identified context information associated with the event.
  - 7. The method of claim 1, wherein the policy action comprises terminating the process that caused the event.

8. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- receiving, in an external handler associated with a virtualized platform, an event notification associated with an event in a virtual partition of the virtualized platform, wherein the external handler is configured to operate externally to the virtual partition, and wherein a helper agent is configured to operate within the virtual partition and to create one or more threads for receiving communications from the external handler;
  
  causing, by the external handler, a module within the virtual partition to suspend a thread of a process in the virtual partition that caused the event;
  
  instructing, by a task request from the external handler, the helper agent to execute a task to identify context information associated with the event and to return results based on the task to the external handler, wherein the task is to be executed in at least one of the threads created by the helper agent in the virtual partition while the thread of the process that caused the event is suspended;
  
  determining, externally to the virtual partition, whether the event violates a security policy, wherein the determining is based, at least in part, on the results returned by the helper agent; and
  
  if the event violates the security policy, providing instructions indicating a policy action to be taken within the virtual partition.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 9. The encoded logic of claim 8, wherein the external handler is configured to operate in one of a virtualization host or a second virtual partition.
  - 10. The encoded logic of claim 8, wherein:
    - the external handler is configured to operate in a first virtualization guest in the virtualized platform; and
      
      the virtual partition is a second virtualization guest in the virtualized platform.
  - 11. The encoded logic of claim 8, wherein the external handler is configured to receive the event notification from a hypervisor extension in the virtualized platform.
  - 12. The encoded logic of claim 8, wherein the operations further comprise resuming other processes in the virtual partition in response to the thread that caused the event being suspended.
  - 13. The encoded logic of claim 8, wherein the event notification includes event data associated with the event, and wherein the results returned from the helper agent comprise the identified context information associated with the event.
  - 14. The encoded logic of claim 8, wherein the policy action comprises terminating the process that caused the event.
  - 15. The encoded logic of claim 8, wherein the policy action comprises instructing the helper agent to terminate the process that caused the event.
  - 16. The encoded logic of claim 8, wherein the causing the module to suspend the thread of the process that caused the event includes instructing a virtual processor to execute the module.
  - 17. The encoded logic of claim 8, wherein the executing the task includes enumerating dynamic link libraries (DLLs) loaded within the process.
  - 18. The encoded logic of claim 8, wherein the instructions, indicating a policy action to be taken, are provided to one of the helper agent or the module.
  - 19. The encoded logic of claim 8, wherein the operations further comprise:
    - creating an embedded component within the process, wherein suspending the thread of the process includes performing, by the module, a task communicated to the module by the embedded component.
  - 20. The encoded logic of claim 8, wherein the instructing the helper agent to execute the task includes communicating the task request to one of the threads created by the helper agent.

21. An apparatus, comprising:
- one or more hardware processors coupled to a memory element;
  
  one or more virtual processors configured to operate in a virtual partition of a virtualized platform and to run on the one or more hardware processors;
  
  a helper agent configured to run on at least one of the virtual processors to create one or more threads for receiving communications in the virtual partition; and
  
  a security handler configured to operate externally to the virtual partition to;
  
  receive, in the security handler, an event notification associated with an event in the virtual partition;
  
  cause a module within the virtual partition to suspend a thread in a process in the virtual partition that caused the event;
  
  communicate a task request to at least one of the threads created by the helper agent to instruct the helper agent to execute a task to identify context information associated with the event and to return results based on the task to the security handler, wherein the task is associated with the event;
  
  determine whether the event violates a security policy, wherein the determining is based, at least in part, on the results returned by the helper agent; and
  
  if the event violates the security policy, provide instructions indicating a policy action to be taken within the virtual partition.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The apparatus of claim 21, wherein:
    - the security handler is configured to operate in a first virtualization guest in the virtualized platform; and
      
      the virtual partition is a second virtualization guest in the virtualized platform.
  - 23. The apparatus of claim 21, wherein the security handler is configured to receive the event notification from a hypervisor extension in the virtualized platform.
  - 24. The apparatus of claim 21, wherein other processes in the virtual partition resume in response to the thread that caused the event being suspended.
  - 25. The apparatus of claim 21, wherein the event notification includes event data associated with the event, and wherein the results returned to the security handler from the helper agent comprise the identified context information data associated with the event.
  - 26. The apparatus of claim 21, wherein the policy action comprises terminating the process that caused the event.
  - 27. The apparatus of claim 21, wherein the causing the module to suspend the thread includes instructing a virtual processor to execute the module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Dalcher, Gregory W., Edwards, Jonathan L.
Primary Examiner(s)
Abyaneh, Ali
Assistant Examiner(s)
DE JESUS LASSALA, CARLOS MANUEL

Application Number

US13/155,572
Publication Number

US 20120317570A1
Time in Patent Office

1,756 Days
Field of Search

726 22- 24, 718104-105
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 9/45558   Hypervisor-specific managem...

System and method for virtual partition monitoring

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for virtual partition monitoring

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links