Memory Resident Malware Protection on Virtual Machines

06 May

The I/O and CPU requirements of most malware protection solutions are a serious impediment to the optimal performance of virtual machines and older physical hosts. In a virtual environment consisting of many virtual machines, each executing its own copy of a single malware protection package, the underlying hypervisor spends many I/O and CPU cycles on behalf of guests that are constantly scanning files and memory pages. The memory, I/O and CPU cycles used to process calls generated by each virtual machine's malware protection software can be greatly reduced by eliminating the practice of installing that software within the guest operating system.

A hypervisor-resident program (HRP) can be used to scan VM memory pages, some of which are shared via transparent page sharing (TPS), a technique that allows many virtual machines to share identical memory pages and thus reduces the memory requirements of the host machine.

All writes to and modifications of guest memory pages should be examined by the HRP, which should be developed to use signatures stored on shared solid-state storage. The signatures required by the HRP will be transferred from central storage to memory as required; if possible, all signatures should be memory resident. The HRP should also support heuristic detection of malware as a means of reducing the number of signatures needed, and thus the storage required for them.

Pages that have already been scanned can be cached by storing a checksum of each scanned memory page in a protected portion of memory; a cached page should only be re-scanned if it has been modified. I/O requirements are reduced by eliminating on-access scanning of files being written to and read from disk; it is assumed that all malware must be stored in main memory in order to execute.
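The scan cache described above can be sketched as follows. This is an added example, not code from the original post: the class and function names, the use of SHA-256 as the page checksum (chosen so that a modified page cannot easily be made to match a cached clean checksum), the plain dictionaries standing in for the protected memory region, and the placeholder signature are all assumptions. It also goes one step beyond the text by reusing a verdict when identical content appears in another VM, as it would for TPS-shared pages.

```python
import hashlib

PAGE_SIZE = 4096
# Constructed placeholder signature, not a real malware pattern.
SIGNATURES = {"demo-sig": b"EXAMPLE-SIGNATURE-BYTES"}


class PageScanCache:
    """Remembers a digest per scanned page so unchanged pages are not re-scanned."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.page_digest = {}  # (vm_id, page_no) -> digest of last scanned content
        self.verdicts = {}     # digest -> names of signatures found in that content
        self.scans = 0         # number of full signature scans actually performed

    def _scan(self, data):
        self.scans += 1
        return [name for name, pat in self.signatures.items() if pat in data]

    def check(self, vm_id, page_no, data):
        """Return (matches, rescanned) for the current content of one guest page."""
        digest = hashlib.sha256(data).digest()
        key = (vm_id, page_no)
        if self.page_digest.get(key) == digest:
            return self.verdicts[digest], False  # unchanged since last scan
        self.page_digest[key] = digest
        if digest in self.verdicts:
            # Same content already scanned elsewhere (e.g. a TPS-shared page).
            return self.verdicts[digest], False
        self.verdicts[digest] = self._scan(data)
        return self.verdicts[digest], True


def demo():
    cache = PageScanCache(SIGNATURES)
    sig = SIGNATURES["demo-sig"]
    clean = bytes(PAGE_SIZE)
    dirty = clean[:100] + sig + clean[100 + len(sig):]  # page after a guest write
    results = [
        cache.check("vm1", 7, clean),  # first sight: scanned
        cache.check("vm1", 7, clean),  # unchanged: cache hit
        cache.check("vm2", 3, clean),  # same content in another VM: verdict reused
        cache.check("vm1", 7, dirty),  # modified: re-scanned, signature found
    ]
    return results, cache.scans


if __name__ == "__main__":
    print(demo())
```

Four page checks result in only two signature scans; the modified page is the only one scanned a second time.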



Posted by on May 6, 2012 in Uncategorized

