
Why can't antimalware tools scan inside virtual machines?

You'd think that it would be easy for an antimalware tool to see what's going on inside a virtual workstation. Unfortunately, it's not. In this expert Q&A, Ed Skoudis explains the difficulty of scanning a guest virtual machine.

Why can't outside scanners easily scan inside virtual workstations for worms, bots and other threats?
I get asked this question a lot. On the surface, you would think it would be a trivial matter for antivirus and antispyware tools to check up on what's happening inside the virtual workstation. After all, the guest virtual machine lives inside the host machine. Unfortunately, it's not easy at all. Part of the virtualization process involves slicing and dicing the data elements inside the guest, making them very difficult for a software application, such as an antimalware tool, to recognize. Consider two areas that antimalware tools heavily scrutinize to find malicious code: memory and file systems.

To understand what an antimalware tool would have to do to scan a guest's memory from the host, let's start by considering a non-virtual machine first.

It's important to note that even non-virtual machines have virtual memory. Most modern operating systems have a virtual memory system that breaks up the data inside the machine into pieces, called memory structures, and uses several tables to map those pieces to physical hardware storage addresses. The memory structures make each program on the machine believe that there is an enormous amount of memory, even though physical RAM is actually limited. Most modern operating systems support virtual memory by swapping data between RAM and the hard disk or other high-volume storage devices.

In a virtual machine environment, the guest has its own virtual memory system, as well as its own tables that map the various applications' view of memory to what the guest believes is physical memory. But the physical memory of the guest machine is actually inside the virtual memory of the host machine, which is in turn mapped into the physical memory underlying the host.

With all of the indirection here, it's no wonder that it's hard for an antimalware tool running on the host to figure out what's going on inside the virtual workstation. To scan the virtual system's memory for malware, the host antimalware tool would have to read and discern all of the virtual memory tables of the guest in real time. You might be thinking, "But it would just have to look for a few thousand strings in contiguous spaces in memory, right?" Not exactly. From the host's perspective, the strings to search for may not be contiguous at all, since the guest's virtual memory system has sliced and diced them.

A similar issue arises in the file system. In most virtual machine implementations, the guest's file system is merely a big file on the host machine. But all kinds of formatting information is stored within that file, and any malware files inside the guest are broken down into different pieces that are then distributed throughout it.

To scan the host machine, the antimalware scanner can rely on the operating system itself to group hard drive sectors into files. But the antimalware scanner doesn't have that luxury inside the guest, where the guest's own file system breaks things down into virtual sectors and does so inside that big file on the host's hard drive.
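The memory indirection described above (and, by analogy, the scattered pieces in the disk image), as an added toy model that is not from the original column: a signature that is contiguous in the guest's virtual address space lands in non-adjacent host physical frames, so a linear scan of host memory misses it, while a scanner that first walks the guest and host page tables finds it. The page tables, page size and signature bytes are all constructed for the demonstration.

```python
PAGE = 8  # constructed: 8-byte pages so the scattering is visible at a glance
NUM_HOST_FRAMES = 12

# Constructed page tables for the three levels of indirection in the column:
GUEST_PT = {0: 3, 1: 0, 2: 5}            # guest virtual page   -> guest "physical" frame
HOST_PT_FOR_GUEST = {0: 7, 3: 2, 5: 4}   # guest physical frame -> host virtual page
HOST_PT = {2: 9, 4: 1, 7: 6}             # host virtual page    -> host physical frame


def translate_guest_to_host(guest_vpage: int) -> int:
    """Walk the guest table, then the host tables, to reach the host physical frame."""
    guest_frame = GUEST_PT[guest_vpage]
    host_vpage = HOST_PT_FOR_GUEST[guest_frame]
    return HOST_PT[host_vpage]


def build_host_ram(guest_bytes: bytes) -> bytearray:
    """Load guest_bytes at guest virtual address 0 and return the host's physical RAM."""
    ram = bytearray(PAGE * NUM_HOST_FRAMES)  # zero-filled host memory
    for vpage in range((len(guest_bytes) + PAGE - 1) // PAGE):
        chunk = guest_bytes[vpage * PAGE:(vpage + 1) * PAGE]
        base = translate_guest_to_host(vpage) * PAGE
        ram[base:base + len(chunk)] = chunk
    return ram


def naive_host_scan(ram: bytearray, signature: bytes) -> bool:
    """A host scanner that searches physical memory linearly, as if it were contiguous."""
    return signature in ram


def introspecting_scan(ram: bytearray, signature: bytes) -> bool:
    """A scanner that first rebuilds the guest's virtual address space from the tables."""
    guest_view = b"".join(
        bytes(ram[translate_guest_to_host(v) * PAGE:(translate_guest_to_host(v) + 1) * PAGE])
        for v in sorted(GUEST_PT))
    return signature in guest_view


SIGNATURE = b"EICARTOYSIG"                   # constructed 11-byte signature, straddles a page
GUEST_MEMORY = b"pad" + SIGNATURE + b"rest"  # constructed guest contents: 18 bytes, 3 pages


def run_demo() -> tuple:
    """Return (linear scan result, table-walking scan result) for the sample guest."""
    ram = build_host_ram(GUEST_MEMORY)
    return naive_host_scan(ram, SIGNATURE), introspecting_scan(ram, SIGNATURE)


if __name__ == "__main__":
    naive, walked = run_demo()
    print(f"linear scan of host physical memory finds the signature: {naive}")
    print(f"scan after walking guest and host page tables finds it:  {walked}")
```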

Now, creating an antimalware tool that can run on a host and determine what's happening in the guest is theoretically possible and could be a very powerful tool in our arsenal. Its architecture, though, would likely be different from that of many of today's antimalware tools. Such a tool could implement its own code to discern a guest's virtual memory and file system. Alternatively, the tool could rely on software in the guest to do this unraveling; this would require hooks into the guest, however, and an extension of the antimalware tool from the host into the guest itself.

Another option would involve a different kind of antimalware tool that, instead of looking for a series of signatures, would look for other anomalies inside the guest. These anomalies can be more easily discerned from the host and wouldn't require a complete mapping of memory and the file system. I wholeheartedly expect to see such tools in the future.

More information:

  • Is the "Blue Pill" a security concern? Ed Skoudis examines the virtual machine-based malware.
  • See how well virtualization products defend against malware.

This was last published in April 2007