SECURING ANTI-VIRUS SOFTWARE WITH VIRTUALIZATION

US 20090089879A1
Filed: 09/28/2007
Published: 04/02/2009
Est. Priority Date: 09/28/2007
Status: Active Grant

First Claim

Patent Images

1. A secured anti-virus system, comprising:

a first virtual machine that supports an anti-virus scanning component; and

a second virtual machine that supports a user environment, the second virtual machine interdepending upon the first virtual machine such that the anti-virus component securely protects the integrity of the user environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The subject disclosure relates to systems and methods that secure anti-virus software through virtualization. Anti-virus systems can be maintained separate from user applications and operating system through virtualization. The user applications and operating system run in a guest virtual machine while anti-virus systems are isolated in a secure virtual machine. The virtual machines are partially interdependent such that the anti-virus systems can monitor user applications and operating systems while the anti-virus systems remain free from possible malicious attack originating from a user environment. Further, the anti-virus system is secured against zero-day attacks so that detection and recovery may occur post zero-day.

458 Citations

20 Claims

1. A secured anti-virus system, comprising:
- a first virtual machine that supports an anti-virus scanning component; and
  
  a second virtual machine that supports a user environment, the second virtual machine interdepending upon the first virtual machine such that the anti-virus component securely protects the integrity of the user environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the anti-virus component of the first virtual machine observes file system activity in the user environment in the second virtual machine.
  - 3. The system of claim 1, wherein the first virtual machine is isolated from the second virtual machine such that the anti-virus component is free from interference by components in the user environment.
  - 4. The system of claim 1, further comprising a virtual machine monitor that supports and controls the first and second virtual machines.
  - 5. The system of claim 4, wherein the virtual machine monitor permits the first virtual machine to access the second virtual machine and passes messages therebetween.
  - 6. The system of claim 1, wherein the first virtual machine includes a log file that retains entries related to file system operations performed by the second virtual machine.
  - 7. The system of claim 6, further comprising a replay component that employs the log file to generate files created by the operations logged.
  - 8. The system of claim 6, further comprising a checker component that periodically obtains snapshots of a disk of the second virtual machine, wherein the checker component replays operations entered in the log file on a previous snapshot and compares the resultant disk to a most recent snapshot to verify consistency of the disk of the second virtual machine with the log file.
  - 9. The system of claim 6, wherein the log file is append-only to prevent edits or deletions by a compromised user environment of the second virtual machine.
  - 10. The system of claim 2, wherein the second virtual machine includes a filter driver component that intercepts file system operations and provides operational information to the first virtual machine.
  - 11. The system of claim 10, wherein the anti-virus component monitors the operational information in real time to detect malicious activity.
  - 12. The system of claim 1, wherein the first virtual machine includes a file system employed by the user environment in the second virtual machine and the second virtual machine includes a stub interface to this file system.
  - 13. The system of claim 12, wherein the stub interface defines a set of commands the file system recognizes.
  - 14. The system of claim 12, wherein file system commands invoked via the stub interface are forwarded to the first virtual machine to perform on the file system.
  - 15. The system of claim 14, wherein the first virtual machine logs the performed operations.

16. A method for detecting malware, comprising:
- forking a virtual machine that supports a user environment;
  
  sending a shutdown command to a forked copy of the virtual machine; and
  
  monitoring write operations to disk to detect malware components.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, further comprising redirecting user input to an original copy of the virtual machine.
  - 18. The method of claim 17, wherein forking the virtual machine comprises generating a copy of the virtual machine is response to a trigger from a pseudo-random timer expiration.

19. A computer readable medium having stored thereon computer readable instruction to carry out the steps of method 16.

20. A system for safeguarding anti-virus software integrity, comprising:
- means for isolating user applications in a first virtualized environment;
  
  means for supporting an anti-virus scanning component in a second virtualized environment; and
  
  means for enabling the anti-virus scanning component to verify soundness of the user applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Parno, Bryan Jeffrey, Wang, Jiahe Helen, Lorch, Jacob R.

Granted Patent

US 8,307,443 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/53 by executing in a restricte...

SECURING ANTI-VIRUS SOFTWARE WITH VIRTUALIZATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

458 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURING ANTI-VIRUS SOFTWARE WITH VIRTUALIZATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

458 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links