Why can't antimalware tools scan inside virtual machines?
You'd think that it would be easy for an antimalware tool to see what's going on inside a virtual workstation. Unfortunately, it's not. In this expert Q&A, Ed Skoudis explains the difficulty of scanning a guest virtual machine.
To understand what an antimalware tool would have to do to scan a guest's memory from the host, let's start by considering a non-virtual machine first.
It's important to note that even non-virtual machines have virtual memory. Most modern operating systems have a virtual memory system that breaks the data inside the machine into parts, called memory structures, and then uses several tables to map those parts to physical hardware storage addresses. The memory structures make each program on the machine believe that there is an enormous amount of memory, even though physical RAM is actually limited. Most modern operating systems support virtual memory by swapping data between RAM and the hard disk or other high-volume storage devices.
In a virtual machine environment, the guest has its own virtual memory system, as well as its own tables that map various applications' view of memory to physical memory. But the physical memory of the guest machine is actually inside the virtual memory of the host machine, which is mapped into the physical memory underlying the host.
With all of the indirection here, it's no wonder that it's hard for an antimalware tool running on the host to figure out what's going on inside the virtual workstation. To scan the virtual system's memory for malware, the host antimalware tool would have to read and discern all of the virtual memory tables of the guest in real time. You might be thinking, "But it would just have to look for a few thousand strings in contiguous spaces in memory, right?" Not exactly. From the host's perspective, the strings to search for may not be contiguous at all, since the guest's virtual memory system has been sliced and diced.
A similar issue happens in the file system. In most virtual machine implementations, the guest's file system is merely a big file on the host machine. But that file also holds all kinds of formatting information belonging to the guest's file system, and any malware file inside it is broken down into pieces that are distributed throughout the file.
To scan the host machine, the antimalware scanner can rely on the operating system itself to group hard drive sectors into files. But the antimalware scanner doesn't have that luxury inside the guest, where the guest's own file system breaks things down into virtual sectors and does so inside that big file on the host's hard drive.
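The double indirection described in the memory paragraphs above, and by analogy the file-system case, as an added toy model written for this page (not code from the column or from any real hypervisor; the page size, both page tables, the host RAM size and the signature string are all constructed). A flat search over host memory misses a string that is perfectly contiguous in the guest's own view, while a scanner that walks both translation tables finds it:

```python
PAGE = 4  # deliberately tiny page size so the scattering is visible in a few bytes

# Constructed page tables (page number -> frame number). Adjacent guest virtual
# pages land in non-adjacent guest-physical frames, and the guest's physical
# frames (which are just pages of the host's virtual memory) land in
# non-adjacent host-physical frames.
GUEST_PT = {0: 3, 1: 0, 2: 5}                    # guest virtual page -> guest physical frame
HOST_PT = {0: 7, 1: 2, 2: 9, 3: 1, 4: 6, 5: 4}   # guest physical frame -> host physical frame
HOST_RAM = bytearray(10 * PAGE)                  # the host's physical memory
SIGNATURE = b"BADCODE!"                          # constructed stand-in for a malware string

def walk(table, addr):
    """One level of translation: split into (page, offset), look up the frame."""
    page, off = divmod(addr, PAGE)
    return table[page] * PAGE + off

def guest_va_to_host_pa(gva):
    """Two levels of indirection: guest virtual -> guest physical -> host physical."""
    return walk(HOST_PT, walk(GUEST_PT, gva))

def host_footprint(gva, length):
    """Host-physical addresses that a guest-contiguous byte range really occupies."""
    return [guest_va_to_host_pa(gva + i) for i in range(length)]

def guest_write(gva, data):
    """Store bytes the way the guest sees them: contiguous in its virtual space."""
    for i, b in enumerate(data):
        HOST_RAM[guest_va_to_host_pa(gva + i)] = b

def naive_host_scan(signature):
    """What a host-only scanner sees: a flat substring search over host RAM (-1 = miss)."""
    return HOST_RAM.find(signature)

def guest_aware_scan(signature):
    """Rebuild the guest's virtual view by walking both tables, then search it."""
    view = bytearray()
    for page in sorted(GUEST_PT):
        view += bytes(HOST_RAM[guest_va_to_host_pa(page * PAGE + off)] for off in range(PAGE))
    return view.find(signature)

# Plant the signature at guest virtual address 2 so it straddles three guest pages.
guest_write(2, SIGNATURE)

if __name__ == "__main__":
    print("host-physical addresses holding the signature:", host_footprint(2, len(SIGNATURE)))
    print("naive host scan finds it at:", naive_host_scan(SIGNATURE))                # -1
    print("guest-aware scan finds it at guest VA:", guest_aware_scan(SIGNATURE))     # 2
```

The guest-aware scanner here reads static tables; a real one would have to keep up with tables the guest kernel rewrites continuously, which is the real-time problem the column points out.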
Now, creating an antimalware tool that can run on a host and determine what's happening in the guest is theoretically possible and could be a very powerful tool in our arsenal. Its architecture, though, would likely be different from that of many of today's antimalware tools. Such a tool could implement its own code to discern a guest's virtual memory and file system. Alternatively, the tool could rely on software in the guest to do this unraveling; this would require hooks into the guest, however, and an extension of the antimalware tool from the host into the guest itself.
Another option would involve a different kind of antimalware tool that, instead of looking for a series of signatures, would look for other anomalies inside the guest. These anomalies can be more easily discerned from the host and wouldn't require a complete mapping of memory and the file system. I wholeheartedly expect to see such tools in the future.