| CPC G06F 21/554 (2013.01) [G06F 21/54 (2013.01); G06F 21/566 (2013.01); G06F 2221/034 (2013.01)] | 24 Claims |

|
1. A method of protecting a virtual machine (VM) executing on a hypervisor against a security threat detected at the VM, wherein memory pages in a memory space of the VM include memory for both a guest operating system (OS) of the VM and for a software entity of the VM that is separate from the guest OS, the method comprising:
preventing, by the hypervisor, the guest OS from scheduling any tasks on virtual CPUs (vCPUs) of the VM by saving a state of the guest OS from registers of the vCPUs and transferring control of the vCPUs from the guest OS to the separate software entity to enable the separate software entity to schedule tasks thereon, wherein the hypervisor manages the vCPUs;
while the guest OS is prevented from scheduling any tasks on the vCPUs:
scanning, by the separate software entity, at least one of a list of processes of the VM and a subset of the memory pages of the VM; and
upon receiving an identification of a malicious process, the identification of the malicious process being determined from the at least one of the list of processes and the subset of the memory pages of the VM, terminating the malicious process by the separate software entity; and
after the separate software entity terminates the malicious process, enabling, by the hypervisor, the guest OS to schedule tasks on the vCPUs by repopulating the registers of the vCPUs with the saved state of the guest OS and transferring control of the vCPUs from the separate software entity back to the guest OS.
|