
Using microVM isolation to improve malware detection and defense

Use of microVMs for malware detection and isolation is growing, but expert Brad Casey cautions that the tactic isn't a cure-all for fighting malware.

My company has been evaluating network-based detection tools recently. In doing research, I came across a product that puts each Internet instance into its own virtual machine (VM) instead of even trying to detect malware and the like. What are your thoughts on such an approach? Do you think this would make for a more secure option?


Placing each Internet instance into its own VM is definitely doable. In fact, using VMs to contain malware has become quite popular in recent years, because a VM can be thrown away and rebuilt quickly without putting the host machine in any real danger. The concept you ask about is called micro-virtualization, and each of the containers it creates is a microVM. Every Internet-facing task or process (a browser tab, an opened document, a downloaded file) is automatically started inside its own microVM; if malware compromises that process, the damage is confined to that microVM, which is discarded when the task ends, so the rest of the system and the other tasks are not affected.

However, as promising as the microVM concept is, it is not a replacement for existing malware scanning methods. It is true that with a microVM any malware would execute within the confines of the VM, but that does not mean it would be permanently stuck there: the guest still shares the CPU, the hypervisor and some device interfaces with the host, and a bug in any of those is a potential escape path. While today I know of no documented case where malware in a microVM allowed any damage to the host, it is entirely possible that an attacker may eventually find a way to beat a microVM.

To that end, a word of caution: Virtualization is not a cure-all for combating malware. Many malware families include code that checks for the presence of a hypervisor, and if one is detected, the code exits, stays dormant or deletes itself rather than reveal its payload, which means isolation alone does not give you a detection. Keep in mind that even inside a virtual environment you are still operating a network-connected device: code running in the microVM can still send traffic, reach other hosts and misuse whatever data that task was given, so you are not relieved of responsibility for monitoring it. Again, even without more specifics on your network infrastructure and the protective mechanisms you may already have in place, I'm confident in saying that it's not wise to use microVMs in place of other malware-detection mechanisms -- at least not yet -- but there's no question that microVMs offer value as an additional layer of protection.
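To make the hypervisor check concrete, here is an added example (not code from the original article or from any microVM product) of the most common form of that check on x86: reading the hypervisor-present bit that CPUID leaf 1 returns in ECX bit 31, then reading the 12-byte vendor signature from leaf 0x40000000. The vendor signatures in the table are the published values; the function names and the fallback behaviour on non-x86 builds are this example's own choices. Defenders use the same code to confirm what signal a sample is keying on and whether their own analysis environment exposes it.

```c
/* Added example: the CPUID-based hypervisor check that anti-analysis malware
 * commonly performs. Builds on any architecture; the live probe only does real
 * work on x86/x86-64 and reports "unavailable" elsewhere. */
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

#define CPUID_HV_PRESENT_BIT (1u << 31)   /* leaf 1, ECX bit 31 */
#define CPUID_HV_LEAF        0x40000000u  /* hypervisor vendor leaf */

/* Returns 1 if the hypervisor-present bit is set in a leaf-1 ECX value.
 * On bare metal this bit is reserved and reads as zero. */
int hypervisor_bit_set(unsigned int ecx)
{
    return (ecx & CPUID_HV_PRESENT_BIT) != 0;
}

/* Map a 12-byte leaf-0x40000000 signature (EBX:ECX:EDX, not NUL-terminated)
 * to a hypervisor name. Signatures not in the table map to "unknown". */
const char *hypervisor_name(const char sig[12])
{
    static const struct { const char *sig; const char *name; } table[] = {
        { "KVMKVMKVM\0\0\0", "KVM" },
        { "Microsoft Hv",    "Hyper-V" },
        { "VMwareVMware",    "VMware" },
        { "XenVMMXenVMM",    "Xen" },
        { "VBoxVBoxVBox",    "VirtualBox" },
        { "bhyve bhyve ",    "bhyve" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (memcmp(sig, table[i].sig, 12) == 0)
            return table[i].name;
    return "unknown";
}

/* Live probe of the current CPU. Fills sig with the vendor signature and
 * returns 1 if a hypervisor advertises itself, 0 if the bit is clear,
 * -1 if CPUID is not available on this architecture. */
int probe_hypervisor(char sig[12])
{
    memset(sig, 0, 12);
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!hypervisor_bit_set(ecx))
        return 0;
    /* __get_cpuid() rejects leaves above the basic maximum, so query the
     * hypervisor leaf directly. */
    __cpuid(CPUID_HV_LEAF, eax, ebx, ecx, edx);
    memcpy(sig + 0, &ebx, 4);
    memcpy(sig + 4, &ecx, 4);
    memcpy(sig + 8, &edx, 4);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char sig[12];
    int r = probe_hypervisor(sig);
    if (r < 0)
        puts("CPUID not available on this architecture");
    else if (r == 0)
        puts("hypervisor-present bit clear (bare metal, or a hypervisor hiding itself)");
    else
        printf("hypervisor-present bit set; vendor signature '%.12s' => %s\n",
               sig, hypervisor_name(sig));
    return 0;
}
```

Two caveats a practitioner should keep in mind. A clear bit does not prove bare metal: a hypervisor can decline to set it, and malware that wants to be thorough layers other checks (timing of privileged instructions, known virtual device and MAC address prefixes) on top of this one. Conversely, if the microVM product does expose the bit and a sample bails out because of it, the sample did no harm, but you also learned nothing about it, which is exactly why the answer above keeps conventional detection in the picture.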

This was last published in December 2013
