CN105117649B - A kind of anti-virus method and system for virtual machine - Google Patents
- Publication number: CN105117649B
- Application number: CN201510458356.4A
- Authority: CN (China)
- Prior art keywords: virus, virtual machine, memory pages, virtual, memory
- Legal status: Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Abstract
The present invention provides an anti-virus method for a virtual machine, comprising: Step 1, intercepting the first access, occurring on a memory page on the host that is allocated to the virtual machine, to the updated content of that memory page; Step 2, scanning the page content of the memory page; Step 3, according to the result of the scan, clearing the page content of the memory page, or restoring access to the memory page. The present invention also provides an anti-virus system for a virtual machine. With the technical solution of the present invention, the anti-virus system can be implemented independently of the guest operating system; a virus is identified and blocked before the virus program executes; and the amount of data subject to virus scanning is reduced, which improves scan efficiency.
Description
Technical field
The present invention relates to the field of computer virtualization technology, and in particular to an anti-virus method and system for a virtual machine.
Background art
There are two main existing anti-virus technologies for virtual machine environments. The first, with the structure shown in Fig. 1, is the same as anti-virus protection in a physical machine environment: complete anti-virus software is installed in the guest operating system of the virtual machine, runs on the guest operating system, and performs virus scanning and handling on files and other information. The second is the light-agent anti-virus architecture shown in Fig. 2, for example the vShield Endpoint architecture. This scheme comprises: a security-hardened secure virtual appliance; a thin agent (Epsec Thin Agent) running in the protected virtual machine; and a hypervisor module (VMware Endpoint ESX) that supports communication between the secure virtual appliance and the thin agent. The thin agent installed inside the virtual machine monitors operating system activity inside the virtual machine and triggers the anti-virus engine in the secure virtual appliance to perform virus scanning; the anti-virus engine returns the scan result to the protected virtual machine via the thin agent. The scheme supports real-time scanning of files on file access, as well as scheduled file scans initiated by the anti-virus engine in the secure virtual appliance. Through the thin agent running inside the virtual machine and the hypervisor module, the virus scanning task is offloaded from the virtual machine to the secure virtual appliance. This avoids one of the main problems of the first technology: the "antivirus storm" (AV storm) in a virtualized environment, in which the demand for computing resources rises sharply within a short time when multiple virtual machines on one host are scanned simultaneously, degrading service. However, this architecture has a problem of its own: a file to be scanned in the protected virtual machine must first be transferred to the secure virtual appliance through the communication channel provided by the hypervisor module before it can be scanned, and transferring the file data consumes resources on the host physical server.
In addition, a common feature of the above existing anti-virus technologies is that they depend on the running guest operating system, so the system is unprotected in the period between the start of the guest operating system and the point at which the anti-virus software (or agent) is working normally, which gives viruses an opportunity to intrude. For example, "boot viruses" slip into memory during operating system startup to compromise the computer system. Moreover, because the existing anti-virus systems themselves depend on the guest operating system to run, their own effectiveness is hard to guarantee; for example, an intruder may forcibly shut down the anti-virus system in order to bypass anti-virus protection and intrude into the system.
In addition, existing anti-virus systems often look for viruses by scanning all files on the system, which is not only time-consuming but also consumes a large amount of computer resources. During a scan, the processing of normal tasks is therefore often affected, and the processing speed of the computer drops substantially.
Summary of the invention
The object of the present invention is to provide a solution that overcomes the above technical problems.
The present invention provides an anti-virus method for a virtual machine, comprising: Step 1, intercepting the first access, occurring on a memory page on the host that is allocated to the virtual machine, to the updated content of that memory page; Step 2, scanning the page content of the memory page; Step 3, according to the result of the scan, clearing the page content of the memory page, or restoring access to the memory page.
Preferably, Step 1 further comprises: intercepting that first access by dynamically adjusting the access permissions of the memory pages on the host that are allocated to the virtual machine; wherein, of the "writable" and "executable" permissions among the access permissions, when one is enabled the other is disabled.
Preferably, Step 3 further comprises: when the scan result is that a virus is present, clearing the page content of the memory page, and locating and handling the virus in the virtual machine.
Preferably, Step 3 further comprises: when the scan result is that a virus is present, handling the virus according to a preset virus-removal policy, and/or notifying the user of the virtual machine of information about the virus.
Preferably, Step 2 further comprises: scanning the page content of the memory page using a virus signature that lies in the same memory page as the entry point of the virus program.
The present invention also provides an anti-virus system for a virtual machine, based on the virtual machine monitor residing on the host. The system comprises: a virtual anti-virus engine, for scanning memory data based on virus memory signatures and feeding the scan result back to a virtual anti-virus extension module; a virus memory signature database, for storing the virus memory signatures; and the virtual anti-virus extension module, which resides in the virtual machine monitor and is used to intercept the first access, occurring on a memory page on the host that is allocated to the virtual machine, to the updated content of that memory page, and to notify the virtual anti-virus engine to scan the memory page.
Preferably, the virtual anti-virus extension module intercepts that first access by dynamically adjusting the access permissions of the memory pages on the host that are allocated to the virtual machine; wherein, of the "writable" and "executable" permissions among the access permissions, when one is enabled the other is disabled.
Preferably, the virtual anti-virus engine has a multi-threaded, reentrant architecture; the virus memory signature database is stored on the host and shared among multiple concurrent virtual anti-virus engines; and/or the virus memory signature is a virus signature that lies in the same memory page as the entry point of the virus program.
Preferably, the system further comprises: a virtual anti-virus agent, located inside the virtual machine, for receiving information from the virtual anti-virus extension module and handling the discovered virus according to that information; the virtual anti-virus extension module is further used to locate the source of the virus found in the scan result and to send information about the virus to the virtual anti-virus agent.
Preferably, the anti-virus agent handles the virus according to the information from the virtual anti-virus extension module and a preset virus-removal policy, and/or communicates with the user of the virtual machine.
Compared with the prior art, the technical solution proposed by the present invention has the following advantages:
With the technical solution of the present invention, the anti-virus system can be implemented independently of the guest operating system; a virus is accurately identified and blocked before the virus program executes; and the amount of data subject to virus scanning is reduced, which improves scan efficiency and thereby preserves the runtime performance of the virtual machine to the greatest extent.
Brief description of the drawings
To illustrate the technical solution of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are not to be construed as limiting the scope of the invention.
Fig. 1 is a system schematic of the first anti-virus technology according to the prior art;
Fig. 2 is a system schematic of the second anti-virus technology according to the prior art;
Fig. 3 is a schematic diagram of the anti-virus system according to an embodiment of the present invention;
Fig. 4 is a flow diagram of the anti-virus method according to an embodiment of the present invention.
Specific embodiment
The present invention is further described below with reference to the drawings and specific embodiments.
Fig. 3 shows a schematic diagram of the anti-virus system according to an embodiment of the present invention. As shown in Fig. 3, according to an embodiment of the present invention, the anti-virus system for a virtual machine is implemented on the basis of the virtual machine monitor (Virtual Machine Monitor, VMM) residing on the host, and comprises a virtual anti-virus engine (VirtAV-engine), a virus memory signature database, a virtual anti-virus extension module (VirtAV-stub), and a virtual anti-virus agent (VirtAV-agent).
VirtAV-engine is a scanning engine based on virus memory signatures. It is implemented with a multi-threaded, reentrant design, runs in the virtual central processor (virtual CPU, VCPU) context of the virtual machine, works in user mode on the host, and synchronously scans the executable code in memory to look for viruses. The scanning engine can be implemented with commonly used string-matching algorithms, such as the AC multi-pattern matching algorithm, the BM single-pattern matching algorithm, and so on. Specifically, VirtAV-engine scans the memory data to be scanned in a user-mode buffer and feeds the scan result back to VirtAV-stub.
The virus memory signature is a virus signature chosen according to the following principles: it uniquely identifies the virus, that is, it accurately distinguishes the virus from other viruses and from non-virus files; and it may consist of one or more character strings. Preferably, the virus memory signature also lies in the same memory page as the entry point of the virus program. A virus program is loaded into memory through the operating system's "demand paging": only when the VCPU is about to execute virus code is that code read from the virus source file into memory, in units of pages (typically 4096 bytes), and then executed from memory by instruction fetch. Therefore, a virus scan based on a signature that lies in the same memory page as the entry point of the virus program can find the virus accurately before the first instruction of the virus program is executed.
The virus memory signature may be selected purely manually, or with the help of existing program-assisted tools.
The virus memory signature database, which contains the virus memory signatures, is stored on the host as shown in Fig. 3 and is shared among multiple concurrent VirtAV-engine instances. With this structure only one copy of the memory signature database needs to be stored on the host, so a database update only has to be applied to the one shared database, which avoids the virus-database update storm problem.
Further, according to one embodiment of the present invention, exploiting the parallelism of multiple VCPUs in existing virtual machines, each concurrent VirtAV-engine corresponds to one VCPU process, so that the anti-virus system runs an independent anti-virus procedure, including virus scanning and removal, for the instruction stream of each VCPU of the virtual machine. During that procedure, the virtual machine VCPU that triggered it is suspended and resumes running after the procedure completes, while the other VCPUs of the virtual machine continue to run without interruption. The anti-virus system can therefore make full use of the parallelism of the virtual machine's multiple VCPUs and affects the runtime performance of the virtual machine as little as possible.
VirtAV-stub is an extension of the VMM's memory virtualization module. It inserts a virus scan of memory data by intercepting the "first execution after update" event that occurs on host memory pages allocated to the virtual machine. After the event is intercepted, the virtual machine VCPU that generated the event is suspended and the corresponding physical CPU enters host mode through the VMEXIT instruction; VirtAV-stub transfers the memory data to be scanned into a user-mode buffer for VirtAV-engine to scan. When VirtAV-engine finishes scanning, it feeds the scan result back to VirtAV-stub. If no virus is found, VirtAV-stub switches the physical CPU back to guest mode through the VMENTER instruction and resumes execution of the virtual machine VCPU and the corresponding guest operating system and applications. If a virus is found, VirtAV-stub clears the virus code in the memory page and then sets the corresponding page table entry in the guest operating system so that the corresponding memory page inside the guest operating system is not executable, whereupon the virus program is terminated by the guest operating system. Here, guest mode is the mode of the CPU when it runs the guest operating system, and host mode is the mode of the CPU when it runs the VMM.
The "first execution after update" event on a host memory page allocated to the virtual machine is the situation in which a memory page on the host that is allocated to some virtual machine is accessed for the first time after being updated. According to one embodiment of the present invention, based on the two-dimensional paging architecture of memory virtualization, VirtAV-stub intercepts the "first execution after update" event by dynamically adjusting the access permissions of physical memory pages on the host. Further, according to one embodiment of the present invention, VirtAV-stub dynamically adjusts the access permissions of the memory pages on the host that are allocated to the virtual machine according to the permission-setting rule "writable and executable permissions are never enabled at the same time". Consequently, the first instruction fetch issued by a virtual machine VCPU on an updated memory page generates a VMEXIT event because of the permission violation (that is, the physical CPU corresponding to the virtual machine VCPU enters host mode through the VMEXIT instruction), and the event is intercepted by VirtAV-stub.
When a virus is found, VirtAV-stub also locates the source of the virus and, through a virtual I/O device interface such as VIRTIO, communicates with the VirtAV-agent running inside the guest operating system, notifying it of basic information about the virus (such as the virus name, the process (PID, Process Identification) in the virtual machine that executed the virus program, the virus file name, and so on). VirtAV-agent then quarantines or deletes the virus file inside the guest operating system, records a virus log, and notifies the user of the corresponding virtual machine of the virus event.
VirtAV-agent is an agent program running inside the virtual machine that serves as the interface between the anti-virus system and the virtual machine user. The agent is used only for handling after a virus has been found (including the quarantine or deletion of the virus file and the recording of virus logs described above) and for notifying the user. As the foregoing shows, the anti-virus work of the system itself (scanning for viruses, clearing the virus code in memory pages, and terminating execution of the virus) does not depend on this agent, so a failure of the agent does not affect the anti-virus function of the system itself.
In summary, the anti-virus system according to the present invention is based on virus scanning of the host memory view. On the one hand, inside the guest operating system, files such as shared library files and binary files are accessed through an in-memory file cache for speed, which also gives different processes shared access to a file, and only one copy of such a file is stored in the host memory view; the anti-virus system according to the present invention therefore needs to scan each executable file only once. Further, when multiple VCPUs generate the "first execution after update" event on the same memory page, the page likewise needs to be scanned only once, which avoids repeated scanning of identical content. Thus, while full scan coverage is ensured, the volume of virus scanning is effectively reduced and scan efficiency is improved, which avoids the drawbacks of the file-based virus scanning used in the prior art, such as long scan times and heavy resource consumption, and preserves the runtime performance of the virtual machine to the greatest extent. On the other hand, because the system scans the host memory view and intercepts the "first execution after update" event on host memory pages allocated to the virtual machine, it can find a virus before the first instruction of the virus program is executed, and can thus remove the virus in real time and more promptly prevent it from damaging the computer system.
Fig. 4 shows a flow diagram of the anti-virus method according to an embodiment of the present invention.
As shown in Fig. 4, the anti-virus method according to the present invention is described below taking as an example a process on the guest operating system of a virtual machine executing a binary executable (such as an ELF-format file on the Linux operating system). Solid arrows indicate processing operations on files or page tables, dashed arrows indicate other kinds of execution flow, and different dashed lines distinguish the locations in the system where the flow takes place, such as the guest virtual machine (hereinafter "guest"), the guest process, the guest operating system, the virtual machine monitor, and the anti-virus engine.
The detailed process is as follows:
The guest process issues the execve() system call to request execution of a binary file; after the corresponding permission check, the execve() system call allocates virtual memory space for the binary file and establishes the mapping between the virtual memory and the file (mmap() as shown in Fig. 4), but does not yet allocate guest physical memory for it; when the process reaches the binary file, a page fault occurs because the corresponding guest physical memory has not yet been allocated;
The page fault is intercepted by the VMM;
The VMM handles the guest's page fault, allocates host physical memory for it, and establishes a shadow page table entry; further, an EPT (Extended Page Table) page table entry may be established; the VirtAV-stub in the VMM sets the "write-enable" bit in the page table entry and clears the "execute-enable" bit, so that the process can load the code segment of the binary file into the memory page; the VMM injects the page fault into the guest, and the guest operating system handles the page fault, fills in the page table, reads the code segment from the binary file into the newly allocated page, and resumes execution of the process;
The process executes the code in the page; because the VirtAV-stub in the VMM cleared the "execute-enable" bit in the shadow page table, an execution exception is generated;
The execution exception is intercepted by the VMM;
The VirtAV-stub in the VMM notifies VirtAV-engine of the address of the page; VirtAV-engine uses the virtual machine memory access interface provided by an existing virtual machine introspection (Virtual Machine Introspection, VMI) module to read the memory page and scan it for virus signatures, and feeds the result back to VirtAV-stub:
If the scan result is that a virus was found, VirtAV-stub again injects an exception into the guest, that is, it clears the "execute-enable" bit of the corresponding shadow page table, so that execution of the process is stopped when the guest resumes running; in addition, VirtAV-stub resets the memory page containing the virus signature through the access interface provided by the VMI module, in order to remove the virus;
If the scan result is that no virus was found, VirtAV-stub sets the "execute-enable" bit in the corresponding shadow page table, clears the "write-enable" bit, and resumes the guest, so that the corresponding process of the guest executes safely; when the guest attempts to write data to a guest memory page whose "execute-enable" bit is set, the VirtAV-stub in the VMM intercepts the event and, after completing the corresponding permission check, sets the "write-enable" bit of the page and clears the "execute-enable" bit, so that legitimate memory page writes inside the guest can proceed.
According to one embodiment of the present invention, after a virus is found in virtual machine memory, the source of the virus is also located. The handling after a virus is found is described below, taking the location of the virus source file as an example.
First, through the access interface provided by the VMI module, VirtAV-stub locates the process corresponding to the current instruction stream of the virtual machine VCPU and the virtual address space mapping table of that process (the mapping table records, for each region of the virtual address space, information such as its start and end addresses, its attributes, and the file mapped to it). Then, from the virtual address of the VCPU's current instruction, it determines the region of the process virtual address space in which the virus instruction lies and finds the corresponding virus source file. Next, through a virtual I/O device interface such as VIRTIO, VirtAV-stub communicates with the VirtAV-agent running inside the guest operating system and notifies it of basic information about the virus (such as the virus name, the process (PID, Process Identification) in the virtual machine that executed the virus program, the virus file name, and so on). Finally, VirtAV-agent quarantines or deletes the virus file inside the guest operating system according to the preset virus-removal policy, records a virus log, and notifies the administrator or the relevant user of the corresponding virtual machine of the virus event.
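The page-permission flow described above for Fig. 4 (a page loaded while write-enabled, the intercepted first instruction fetch, the scan, then either clearing the page or swapping the write and execute bits) can be modelled in user space. The following C program is an added example, not code from the patent; it uses no hypervisor API, and all function names, the placeholder signature and the naive search routine are assumptions made for illustration.

```c
/* Added example: user-space model of the "writable XOR executable" page
 * state machine. All names are hypothetical; no hypervisor API is used. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define PERM_W 0x1u
#define PERM_X 0x2u

enum verdict { RESUMED, BLOCKED };

struct page {
    uint8_t  data[PAGE_SIZE];
    unsigned perm;   /* PERM_W or PERM_X, never both */
    unsigned scans;  /* number of scans performed on this page */
};

/* Constructed placeholder signature, not a real malware pattern. */
static const uint8_t SIG[] = "EXAMPLE-SIGNATURE";
#define SIG_LEN (sizeof SIG - 1)

/* Naive single-pattern search; stands in for a multi-pattern matcher. */
static int page_matches(const struct page *p)
{
    for (size_t i = 0; i + SIG_LEN <= PAGE_SIZE; i++)
        if (memcmp(p->data + i, SIG, SIG_LEN) == 0)
            return 1;
    return 0;
}

/* Fresh mapping: writable but not executable, so code can be loaded. */
static void page_map(struct page *p)
{
    memset(p, 0, sizeof *p);
    p->perm = PERM_W;
}

/* Guest store. A store to an executable page faults; the handler revokes
 * X and grants W, so the next fetch from this page is intercepted again. */
static void guest_write(struct page *p, size_t off, const void *src, size_t len)
{
    if (off > PAGE_SIZE || len > PAGE_SIZE - off)
        return;                        /* model ignores out-of-range stores */
    if (!(p->perm & PERM_W))
        p->perm = PERM_W;
    memcpy(p->data + off, src, len);
}

/* Guest instruction fetch. Without X this is the "first execution after
 * update" event: scan, then either wipe the page or swap W for X. */
static enum verdict guest_exec(struct page *p)
{
    if (p->perm & PERM_X)
        return RESUMED;                /* unchanged since last scan: no rescan */
    p->scans++;
    if (page_matches(p)) {
        memset(p->data, 0, PAGE_SIZE); /* clear contents; X stays disabled */
        return BLOCKED;
    }
    p->perm = PERM_X;
    return RESUMED;
}

struct demo_result {
    enum verdict first, second, after_update;
    unsigned scans_after_second, scans_total, perm_after_write;
    int wiped;
};

/* Scenario: load benign bytes, fetch twice (as two VCPUs would), overwrite
 * part of the page with the placeholder signature, then fetch again. */
struct demo_result demo(void)
{
    static const uint8_t benign[] = { 0x90, 0x90, 0xc3 }; /* constructed */
    struct page pg;
    struct demo_result r;

    page_map(&pg);
    guest_write(&pg, 0, benign, sizeof benign);
    r.first  = guest_exec(&pg);
    r.second = guest_exec(&pg);
    r.scans_after_second = pg.scans;
    guest_write(&pg, 100, SIG, SIG_LEN);
    r.perm_after_write = pg.perm;
    r.after_update = guest_exec(&pg);
    r.scans_total = pg.scans;
    r.wiped = (pg.data[0] == 0 && pg.data[100] == 0);
    return r;
}

int main(void)
{
    struct demo_result r = demo();
    printf("first=%d second=%d scans=%u after_update=%d total=%u wiped=%d\n",
           r.first, r.second, r.scans_after_second,
           r.after_update, r.scans_total, r.wiped);
    return 0;
}
```

The second fetch does not trigger a scan because the page has not been written since the first one, which is the scan-once property the description attributes to multiple VCPUs executing the same page.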
With the method described in the above embodiments, the anti-virus system can be implemented independently of the guest operating system; a virus is accurately identified and blocked before the virus program executes; and the amount of data subject to virus scanning is reduced, which improves scan efficiency and thereby preserves the runtime performance of the virtual machine to the greatest extent.
The foregoing is merely an illustrative specific embodiment of the present invention and is not intended to limit the scope of the invention. Any equivalent variation, modification or combination made by a person skilled in the art without departing from the concept and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (10)
1. An anti-virus method for a virtual machine, characterized in that the method comprises:
Step 1, intercepting the first access, occurring on a memory page on the host that is allocated to the virtual machine, to the updated content of that memory page;
Step 2, scanning the page content of the memory page;
Step 3, according to the result of the scan, clearing the page content of the memory page, or restoring access to the memory page.
2. The anti-virus method according to claim 1, characterized in that Step 1 further comprises:
intercepting the first access, occurring on a memory page on the host that is allocated to the virtual machine, to the updated content of that memory page by dynamically adjusting the access permissions of the memory pages on the host that are allocated to the virtual machine;
wherein, of the "writable" and "executable" permissions among the access permissions, when one is enabled the other is disabled.
3. The anti-virus method according to claim 1, characterized in that Step 3 further comprises:
when the result of the scan is that a virus is present, clearing the page content of the memory page, and locating and handling the virus in the virtual machine.
4. The anti-virus method according to claim 3, characterized in that Step 3 further comprises:
when the result of the scan is that a virus is present, handling the virus according to a preset virus-removal policy, and/or notifying the user of the virtual machine of information about the virus.
5. The anti-virus method according to any one of claims 1 to 4, characterized in that Step 2 further comprises:
scanning the page content of the memory page using a virus signature that lies in the same memory page as the entry point of the virus program.
6. An anti-virus system for a virtual machine, based on the virtual machine monitor residing on the host, characterized in that the system comprises:
a virtual anti-virus engine, for scanning memory data based on virus memory signatures and feeding the scan result back to a virtual anti-virus extension module;
a virus memory signature database, for storing the virus memory signatures;
the virtual anti-virus extension module, which resides in the virtual machine monitor and is used to intercept the first access, occurring on a memory page on the host that is allocated to the virtual machine, to the updated content of that memory page, and to notify the virtual anti-virus engine to scan the memory page.
7. The anti-virus system according to claim 6, characterized in that
the virtual anti-virus extension module is used to intercept the first access, occurring on a memory page on the host that is allocated to the virtual machine, to the updated content of that memory page by dynamically adjusting the access permissions of the memory pages on the host that are allocated to the virtual machine;
wherein, of the "writable" and "executable" permissions among the access permissions, when one is enabled the other is disabled.
8. The anti-virus system according to claim 6, characterized in that
the virtual anti-virus engine has a multi-threaded, reentrant architecture;
the virus memory signature database is stored on the host and shared among multiple concurrent virtual anti-virus engines; and/or
the virus memory signature is a virus signature that lies in the same memory page as the entry point of the virus program.
9. The anti-virus system according to claim 6, characterized in that the system further comprises:
a virtual anti-virus agent, located inside the virtual machine, for receiving information from the virtual anti-virus extension module and handling the discovered virus according to that information;
the virtual anti-virus extension module is further used to locate the source of the virus found in the scan result and to send information about the virus to the virtual anti-virus agent.
10. The anti-virus system according to claim 9, characterized in that
the anti-virus agent is used to handle the virus according to the information from the virtual anti-virus extension module and a preset virus-removal policy, and/or to communicate with the user of the virtual machine.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510458356.4A CN105117649B (en) | 2015-07-30 | 2015-07-30 | A kind of anti-virus method and system for virtual machine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105117649A (en) | 2015-12-02 |
CN105117649B (en) | 2018-11-30 |
Family
ID=54665634
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510458356.4A Active CN105117649B (en) | 2015-07-30 | 2015-07-30 | A kind of anti-virus method and system for virtual machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105117649B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |