VirtAV: An agentless antivirus system based on in-memory signature scanning for virtual machine

Antivirus protection is an important part of virtual machine (VM) security. According to where the antivirus system resides, existing approaches fall into three classes: internal, external and hybrid. The internal approach is susceptible to attacks and may cause antivirus storms and rollback vulnerability problems. The external approach, where antivirus systems are built on VMI (virtual machine introspection) technology, cannot detect and block viruses promptly. Although the hybrid approach performs virus scanning outside the virtual machine, it remains vulnerable to attacks because it depends entirely on an agent and hooks inside the guest operating system to deliver events. To solve these problems, we propose VirtAV, an agentless antivirus system based on in-memory signature scanning. VirtAV monitors a specific guest VM event, defined as the first instruction-fetch operation on a newly updated host memory page frame, and scans the page for viruses when that event occurs. As an external approach, VirtAV relies on no event or agent inside the guest OS, which protects the antivirus system itself to the greatest extent. In addition, it protects VMs throughout their whole life cycle, whatever state (running, paused, resumed or migrated) they are in. We implemented a prototype by extending the Qemu/KVM hypervisor. Experimental results confirm that VirtAV works as intended (it found 100% of the 3546 sample viruses) and that its overhead on guest performance is acceptable; in particular, VirtAV has little impact on the performance of common desktop applications such as video playback, web browsing and the Microsoft Office suite.
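The scan policy described above (scan a host page frame only on the first instruction fetch after it has been updated, never on the write itself) can be modelled in a few dozen lines. The following is an added example written for this page, not VirtAV's own code or anything from the Qemu/KVM source: the frame table, the dirty and blocked bits, the constructed signature strings, the `guest_write`/`guest_ifetch` entry points and the `vm_mark_all_updated` lifecycle helper are all assumptions chosen to illustrate the event model, and the naive `memcmp` loop stands in for the multi-pattern matcher a real engine would use.

```c
/* Added illustration, not VirtAV's own code: a model of the event VirtAV
 * hooks (first instruction fetch from a host page frame modified since its
 * last scan) and the scan-on-that-event policy. Frame layout, signature
 * names and the lifecycle helper are constructed assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  4096
#define NUM_FRAMES 4

/* Constructed test signatures (stand-ins for a real signature database;
 * a production scanner would use a multi-pattern matcher such as
 * Aho-Corasick over thousands of patterns). */
static const struct { const char *name; const char *pattern; } SIGS[] = {
    { "SAMPLE.Dropper.A", "CONSTRUCTED_SIG_A" },
    { "SAMPLE.Worm.B",    "CONSTRUCTED_SIG_B" },
};
#define NUM_SIGS (sizeof SIGS / sizeof SIGS[0])

struct frame {
    uint8_t     data[PAGE_SIZE];
    bool        dirty;    /* written since the last scan */
    bool        blocked;  /* last scan found a signature */
    const char *verdict;  /* name of the matched signature, if blocked */
};

static struct frame frames[NUM_FRAMES];
static unsigned scan_count;   /* how many page scans were actually run */

void av_reset(void) { memset(frames, 0, sizeof frames); scan_count = 0; }
unsigned av_scan_count(void) { return scan_count; }

/* Naive multi-signature scan of one page; returns signature index or -1. */
static int scan_frame(const struct frame *f) {
    scan_count++;
    for (size_t s = 0; s < NUM_SIGS; s++) {
        size_t n = strlen(SIGS[s].pattern);
        for (size_t i = 0; i + n <= PAGE_SIZE; i++)
            if (memcmp(f->data + i, SIGS[s].pattern, n) == 0)
                return (int)s;
    }
    return -1;
}

/* Guest writes into a frame. Only the dirty bit is set; nothing is scanned
 * here, so data that is never executed never costs a scan. */
int guest_write(unsigned frame, size_t off, const void *src, size_t len) {
    if (frame >= NUM_FRAMES || off > PAGE_SIZE || len > PAGE_SIZE - off)
        return -1;
    memcpy(frames[frame].data + off, src, len);
    frames[frame].dirty = true;
    return 0;
}

/* The hooked event: an instruction fetch from a frame. A dirty frame is
 * scanned once and its verdict cached until it is written again.
 * Returns NULL if the fetch may proceed, else the name of the matched
 * signature (a hypervisor would refuse to map the page executable). */
const char *guest_ifetch(unsigned frame) {
    if (frame >= NUM_FRAMES) return "invalid frame";
    struct frame *f = &frames[frame];
    if (f->dirty) {
        int hit = scan_frame(f);
        f->dirty   = false;
        f->blocked = hit >= 0;
        f->verdict = hit >= 0 ? SIGS[hit].name : NULL;
    }
    return f->blocked ? f->verdict : NULL;
}

/* Assumed lifecycle hook: after a resume or migration every frame is
 * treated as updated, so the next fetch from each frame is scanned again. */
void vm_mark_all_updated(void) {
    for (unsigned i = 0; i < NUM_FRAMES; i++) frames[i].dirty = true;
}

int main(void) {
    av_reset();
    guest_write(0, 0, "\x90\x90\xC3", 3);          /* constructed clean code */
    printf("frame0: %s\n", guest_ifetch(0) ? "blocked" : "allowed");
    guest_write(1, 64, "CONSTRUCTED_SIG_A", 17);  /* constructed infected page */
    const char *v = guest_ifetch(1);
    printf("frame1: %s\n", v ? v : "allowed");
    printf("scans run: %u\n", av_scan_count());
    return 0;
}
```

The point the model makes visible is where the cost lands: repeated fetches from an unchanged frame reuse the cached verdict, a frame that is written but never executed is never scanned at all, and the only way to clear a blocked frame is to overwrite it, which sets the dirty bit and forces a fresh scan on the next fetch.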
