Title
Strongly isolated malware scanning using secure virtual containers
Abstract
Described systems and methods allow protecting a host system, such as a computer or smartphone, from malware. In some embodiments, an anti-malware application installs a hypervisor, which displaces an operating system executing on the host system to a guest virtual machine (VM). The hypervisor further creates a set of virtual containers (VC), by setting up a memory domain for each VC, isolated from the memory domain of the guest VM. The hypervisor then maps a memory image of a malware scanner to each VC. When a target object is selected for scanning, the anti-malware application launches the malware scanner. Upon intercepting the launch, the hypervisor switches the memory context of the malware scanner to the memory domain of a selected VC, for the duration of the scan. Thus, malware scanning is performed within an isolated environment.
Publication number
US9117081 (B2)
Publication date
2015.08.25
Application number
US201314135902
Filing date
2013.12.20
Applicant
Bitdefender IPR Management Ltd.
Inventors
Lukacs Sandor; Sirb Cristian B.; Lutas Dan H.; Colesa Adrian V.
Classification (IPC)
G06F9/45; G06F21/56; G06F9/46
Main classification
G06F9/45
Agency
Law Office of Andrei D Popovici, PC
Agent
Law Office of Andrei D Popovici, PC
Independent claim
1. A host system comprising:
at least one hardware processor configured to execute a hypervisor, the hypervisor configured to expose a guest virtual machine (VM), a first virtual container (VC), and a second VC, wherein exposing the first and second VCs includes setting up a first memory domain for the first VC and a second memory domain for the second VC, the first and second memory domains isolated from each other and from a memory domain of the guest VM, wherein:
the guest VM is configured to execute a malware scanner on a virtualized processor of the guest VM; and
the hypervisor is further configured to:
in response to setting up the first memory domain, map a memory page containing a part of the malware scanner to a first memory page within the first memory domain,
in response to setting up the second memory domain, map the memory page containing the part of the malware scanner to a second memory page within the second memory domain,
in response to the guest VM launching a first instance of the malware scanner to determine whether a first target object comprises malware, switch a memory context of the first instance of the malware scanner from the memory domain of the guest VM to the first memory domain, and
in response to the guest VM launching a second instance of the malware scanner to determine whether a second target object comprises malware, switch a memory context of the second instance of the malware scanner from the memory domain of the guest VM to the second memory domain.
Address
Nicosia, CY