Title of invention: Process Evaluation for Malware Detection in Virtual Machines
Abstract: The described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. An anti-malware component executes within a virtual machine (VM) exposed by a hypervisor executing on the computer system. A memory introspection engine executes outside the virtual machine, at the processor privilege level of the hypervisor, and protects a process executing within the virtual machine by write-protecting a memory page of the respective process. By combining anti-malware components executing inside and outside the respective VM, some embodiments of the present invention may use the abundance of behavioral data that inside-VM components have access to, while protecting the integrity of such components from outside the respective VM.
Publication number: US2015013008(A1); Publication date: 2015.01.08
Application number: US201313936058; Filing date: 2013.07.05
Applicant: Bitdefender IPR Management Ltd.; Inventors: LUKACS Sandor; TOSA Raul V.; BOCA Paul; HAJMASAN Gheorghe; LUTAS Andrei V.
Classification: G06F21/56; Main classification: G06F21/56
Agency: (none listed); Agent: (none listed)
Main claim: 1. A host system comprising at least one processor configured to execute:
  a hypervisor configured to expose a virtual machine;
  a process evaluator executing within the virtual machine;
  a memory introspection engine executing outside the virtual machine; and
  a process-scoring module,
wherein:
  the process evaluator is configured to: determine whether an evaluated process executing within the virtual machine performs an action, and in response, when the evaluated process performs the action, transmit a first process evaluation indicator to the process-scoring module, the first process evaluation indicator determined for the evaluated process;
  the memory introspection engine is configured to: intercept a call to an operating system function, to detect a launch of a protected process executing within the virtual machine, wherein the operating system function is configured to add the protected process to a list of processes executing within the virtual machine, and in response to detecting the launch, determine whether the evaluated process attempts to modify a memory page of the protected process, and in response, when the evaluated process attempts to modify the memory page, transmit a second process evaluation indicator to the process-scoring module, the second process evaluation indicator determined for the evaluated process; and
  the process-scoring module is configured to: receive the first and second process evaluation indicators, and in response, determine whether the evaluated process is malicious according to the first and second process evaluation indicators.
Address: Nicosia CY