System and method for virtual partition monitoring
First Claim
1. A method, comprising:
receiving, in an external handler associated with a virtualized platform, an event notification associated with an event in a virtual partition of the virtualized platform, wherein the external handler operates externally to the virtual partition, and wherein a helper agent operating within the virtual partition creates one or more threads for receiving communications from the external handler;
causing, by the external handler, a module within the virtual partition to suspend a thread of a process in the virtual partition that caused the event;
instructing, by a task request from the external handler, the helper agent to execute a task to identify context information associated with the event and to return results based on the task to the external handler, wherein the task is executed in at least one of the threads created by the helper agent in the virtual partition while the thread of the process that caused the event is suspended;
determining, externally to the virtual partition, whether the event violates a security policy, wherein the determining is based, at least in part, on the results returned by the helper agent; and
if the event violates the security policy, providing instructions indicating a policy action to be taken within the virtual partition.
10 Assignments
0 Petitions
Abstract
A method is provided in one example embodiment that includes receiving in an external handler an event notification associated with an event in a virtual partition. A thread in the process in the virtual partition that caused the event can be parked. Other threads and processes may be allowed to resume while a security handler evaluates the event for potential threats. A helper agent within the virtual partition may be instructed to execute a task, such as collecting and assembling event context within the virtual partition, and results based on the task can be returned to the external handler. A policy action can be taken based on the results returned by the helper agent, which may include, for example, instructing the helper agent to terminate the process that caused the event.
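The flow described in the abstract, as an added example that is not code from the patent or its assignee. It models the virtual partition as a group of threads in one Python process, the external handler as a separate thread that reaches into the partition only through event notifications, task requests and returned results, and the helper agent as one in-partition thread that services task requests. The class and function names, the process table, the "file_open" event kind and the policy rule are all assumptions made for the illustration; a real hypervisor-based implementation intercepts the event and parks the vCPU or guest thread itself rather than relying on the guest thread to call trap().

```python
import queue
import threading
import time
from dataclasses import dataclass, field


@dataclass
class Event:
    """Event notification sent out of the partition: which thread of which process did what."""
    pid: int
    tid: int
    kind: str
    detail: str
    gate: threading.Event = field(default_factory=threading.Event)
    disposition: str = "continue"  # set by the in-partition module when the thread is released

    def __post_init__(self):
        self.gate.set()  # gate set = thread may run; cleared = thread is parked


class Partition:
    """Assumed model of the virtual partition: process table, the in-partition module that
    parks/releases threads, and a helper agent thread that services task requests."""

    def __init__(self, on_event):
        self.on_event = on_event    # the external handler's notification entry point
        self.processes = {}         # pid -> {"name", "cmdline", "alive"}
        self.tasks = queue.Queue()  # task requests from the external handler
        threading.Thread(target=self._helper_agent, daemon=True).start()

    def trap(self, ev):
        """Guest side: a monitored operation notifies the handler, then waits at its gate."""
        self.on_event(ev)  # synchronous, so the handler can park this thread before it continues
        ev.gate.wait()
        return ev.disposition

    # The 'module within the virtual partition' that the external handler drives.
    def suspend(self, ev):
        ev.gate.clear()

    def release(self, ev, disposition):
        ev.disposition = disposition
        ev.gate.set()

    def _helper_agent(self):
        """Helper agent: executes tasks in its own thread, never in the parked one."""
        while True:
            task, reply = self.tasks.get()
            proc = self.processes[task["pid"]]
            if task["op"] == "collect_context":
                time.sleep(0.05)  # stands in for walking guest state to assemble event context
                reply.put({"pid": task["pid"], "name": proc["name"], "cmdline": proc["cmdline"],
                           "collected_on": threading.get_ident()})
            elif task["op"] == "terminate":
                proc["alive"] = False
                reply.put({"pid": task["pid"], "terminated": True})

    def request_task(self, task):
        reply = queue.Queue()
        self.tasks.put((task, reply))
        return reply.get(timeout=5)


class ExternalHandler:
    """Runs outside the partition: fast path parks the offending thread, slow path (own thread)
    gathers context through the helper agent and applies the policy."""

    def __init__(self, policy):
        self.policy, self.pending, self.decisions, self.partition = policy, queue.Queue(), {}, None
        threading.Thread(target=self._evaluate, daemon=True).start()

    def on_event(self, ev):  # runs in the guest thread that caused the event
        self.partition.suspend(ev)
        self.pending.put(ev)

    def _evaluate(self):
        while True:
            ev = self.pending.get()
            ctx = self.partition.request_task({"op": "collect_context", "pid": ev.pid})
            violates = self.policy(ev, ctx)
            self.decisions[ev.pid] = (violates, ctx)
            if violates:  # policy action is carried out inside the partition by the helper agent
                self.partition.request_task({"op": "terminate", "pid": ev.pid})
            self.partition.release(ev, "terminated" if violates else "continue")


def shell_must_not_open_shadow(ev, ctx):
    """Constructed policy: a shell process must not open /etc/shadow."""
    return ev.kind == "file_open" and ev.detail == "/etc/shadow" and ctx["name"] == "sh"


def run_scenario():
    """Constructed scenario: pid 100 (sh) thread 1 trips the policy while its sibling thread 2
    keeps running; pid 200 (backup) raises a benign event and is allowed to continue."""
    handler = ExternalHandler(shell_must_not_open_shadow)
    part = Partition(handler.on_event)
    handler.partition = part
    part.processes[100] = {"name": "sh", "cmdline": "sh -c 'cat /etc/shadow'", "alive": True}
    part.processes[200] = {"name": "backup", "cmdline": "backup --nightly", "alive": True}
    shell_ev = Event(pid=100, tid=1, kind="file_open", detail="/etc/shadow")
    backup_ev = Event(pid=200, tid=1, kind="file_open", detail="/var/backups/db.tar")
    out, stop = {"sibling_ticks_while_parked": 0}, threading.Event()

    def shell_thread_1():
        out["shell_tid"] = threading.get_ident()
        out["shell"] = part.trap(shell_ev)

    def shell_thread_2():  # sibling thread of pid 100, counts ticks while thread 1 is parked
        while not stop.is_set():
            if not shell_ev.gate.is_set():
                out["sibling_ticks_while_parked"] += 1
            time.sleep(0.001)

    def backup_thread():
        out["backup"] = part.trap(backup_ev)

    threads = [threading.Thread(target=f) for f in (shell_thread_1, shell_thread_2, backup_thread)]
    for t in threads:
        t.start()
    threads[0].join(5)
    threads[2].join(5)
    stop.set()
    threads[1].join(5)
    out["shell_alive"] = part.processes[100]["alive"]
    out["backup_alive"] = part.processes[200]["alive"]
    out["context_on_helper_thread"] = all(ctx["collected_on"] != out["shell_tid"]
                                          for _, ctx in handler.decisions.values())
    out["violations"] = {pid: v for pid, (v, _) in handler.decisions.items()}
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Running the file prints the scenario result: the shell's thread 1 comes back from trap() with "terminated" and its process is marked dead, the backup process continues untouched, the sibling thread of the shell accumulated ticks while thread 1 was parked, and every context record was collected on the helper agent's thread rather than the parked one. The two design points worth noticing are that only the thread that caused the event is parked (the gate is per event, not per process) and that the handler never reads partition state directly; it asks the helper agent for it, which is what keeps the policy decision outside the partition.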
68 Citations
27 Claims
1. Independent method claim; text as given above under First Claim.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
receiving, in an external handler associated with a virtualized platform, an event notification associated with an event in a virtual partition of the virtualized platform, wherein the external handler is configured to operate externally to the virtual partition, and wherein a helper agent is configured to operate within the virtual partition and to create one or more threads for receiving communications from the external handler;
causing, by the external handler, a module within the virtual partition to suspend a thread of a process in the virtual partition that caused the event;
instructing, by a task request from the external handler, the helper agent to execute a task to identify context information associated with the event and to return results based on the task to the external handler, wherein the task is to be executed in at least one of the threads created by the helper agent in the virtual partition while the thread of the process that caused the event is suspended;
determining, externally to the virtual partition, whether the event violates a security policy, wherein the determining is based, at least in part, on the results returned by the helper agent; and
if the event violates the security policy, providing instructions indicating a policy action to be taken within the virtual partition.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. An apparatus, comprising:
one or more hardware processors coupled to a memory element;
one or more virtual processors configured to operate in a virtual partition of a virtualized platform and to run on the one or more hardware processors;
a helper agent configured to run on at least one of the virtual processors to create one or more threads for receiving communications in the virtual partition; and
a security handler configured to operate externally to the virtual partition to:
receive, in the security handler, an event notification associated with an event in the virtual partition;
cause a module within the virtual partition to suspend a thread in a process in the virtual partition that caused the event;
communicate a task request to at least one of the threads created by the helper agent to instruct the helper agent to execute a task to identify context information associated with the event and to return results based on the task to the security handler, wherein the task is associated with the event;
determine whether the event violates a security policy, wherein the determining is based, at least in part, on the results returned by the helper agent; and
if the event violates the security policy, provide instructions indicating a policy action to be taken within the virtual partition.
Dependent claims: 22, 23, 24, 25, 26, 27.
Specification