(12) Patent Application Publication (10) Pub. No.: US 2013/0247133 A1
Price et al.
(43) Pub. Date: Sep. 19, 2013

(54) SECURITY ASSESSMENT OF VIRTUAL MACHINE ENVIRONMENTS

(75) Inventors: Michael Price, Las Condes (CL); Anthony Bettini, San Francisco, CA (US)

(73) Assignee: McAfee, Inc.

(21) Appl. No.: 13/272,484

(22) Filed: Oct. 13, 2011

Publication Classification

(51) Int. Cl. G06F 21/00 (2006.01)

(52) U.S. Cl. USPC 726/1; 726/25

(57) ABSTRACT

Each virtual machine in a set of virtual machines managed by the virtual machine manager is identified. For each virtual machine in the set, it is determined whether the respective virtual machine is online. For at least the virtual machines determined to be offline, a machine image is collected for each offline virtual machine. Security of the offline virtual machines is assessed from the collected images. For virtual machines identified as online, an agent is loaded on each online virtual machine in the set via the virtual machine manager. The loaded agents are used to assess security of the online virtual machines in the set.
`
`140
`
`lya,
`
`127
`
`
`
`135
`
`110
`
`SECURITY
`SERVER
`
`NETWORK
`
`
`
`115
`
`VIRTUAL
`MACHINE
`MANAGER
`
`SERVERPOOL
`
`
`
`120
`/
`VIRTUAL
`MACHINES
`
`125
`
`WIZ, Inc. EXHIBIT - 1048
`WIZ, Inc. v. Orca Security LTD.
`
`
`
Patent Application Publication    Sep. 19, 2013    Sheet 1 of 8    US 2013/0247133 A1

[FIG. 1 (rotated drawing): SECURITY SERVER, NETWORK, VIRTUAL MACHINE MANAGER, VIRTUAL MACHINES, SERVER POOL, RESULT DATA]
`
Patent Application Publication    Sep. 19, 2013    Sheet 2 of 8    US 2013/0247133 A1

[FIG. 2 (200): SECURITY TOOL (205) with PROCESSOR (210), MEMORY, TASK MANAGER (230), REPORTING ENGINE (235), REAL MACHINE SECURITY (220), VIRTUAL MACHINE SECURITY (225), VMM ACCESS ENGINE (280), MACHINE IMAGE READER (282) and AGENT MANAGER (285); VIRTUAL MACHINE MANAGER (245) with PROCESSOR (270), MEMORY and API (275); VIRTUAL MACHINES 1-4 with IMAGES (288, 290, 292, 295)]
Patent Application Publication    Sep. 19, 2013    Sheet 3 of 8    US 2013/0247133 A1

[FIG. 3A (300a): SECURITY SERVER (305), VIRTUAL MACHINE MANAGER (340), VIRTUAL MACHINES 1-4 (310, 315, 320, 325); reference numerals 330 and 335 also shown; legend: solid line ONLINE, dashed line OFFLINE]
Patent Application Publication    Sep. 19, 2013    Sheet 4 of 8    US 2013/0247133 A1

[FIG. 3B (300b, rotated drawing): SECURITY SERVER, VIRTUAL MACHINE MANAGER, VIRTUAL MACHINES 1-4]
Patent Application Publication    Sep. 19, 2013    Sheet 5 of 8    US 2013/0247133 A1

[FIG. 3C (300c): SECURITY SERVER, VIRTUAL MACHINE MANAGER (340), VIRTUAL MACHINE 1, VIRTUAL MACHINE 3, RESULT DATA (360, 365); reference numerals 330, 350, 355 also shown; legend: solid line ONLINE]
Patent Application Publication    Sep. 19, 2013    Sheet 6 of 8    US 2013/0247133 A1

[FIG. 4 (400): SECURITY SERVER (305), VIRTUAL MACHINE MANAGER, MACHINE IMAGE (405), VIRTUAL MACHINES 1, 3 and 4; reference numerals 315 and 330 also shown; legend: solid line ONLINE, dashed line OFFLINE]
Patent Application Publication    Sep. 19, 2013    Sheet 7 of 8    US 2013/0247133 A1

[FIG. 5: screenshot of a browser window, address file:///C:/Program%20Files/Reports/VixFsi6, titled "Reports: Vulnerabilities By IP Report", showing a "Vulnerabilities By IP" report with the following recoverable content]

DNS Name: [Unknown] | 123.456.7.8 | [[Unknown]]
Criticality: None
510: (VIX) (MS10-066) Vulnerability In Remote Procedure Call Could Allow Remote Code Execution (982802); severity MEDIUM
515: Description: An unauthenticated remote code execution vulnerability exists in Microsoft Windows.
520: Response From System:
  [ha-datacenter/datastore1] Microsoft Windows XP SP3 x86/Microsoft Windows XP SP3 x86.vmx | Microsoft Windows XP Service Pack 3 | C:\WINDOWS\system32\rpcrt4.dll | 5.1.567.123 | 5.1.567.8
  [ha-datacenter/datastore1] Microsoft Windows XP SP3 x86 00/Microsoft Windows XP SP3 x86 00.vmx | Microsoft Windows Server 2003 | not_set | C:\WINDOWS\system32\rpcrt4.dll | 5.2.432.123 | 5.2.432.1
525: Recommendation: The vendor has released an update to address this issue http://www.microsoft.com/technet/security/bulletin/ms10-066
Rows: 1    Page 1 of 1
Patent Application Publication    Sep. 19, 2013    Sheet 8 of 8    US 2013/0247133 A1

[FIG. 6 (600), flowchart:]
605  IDENTIFY A VIRTUAL MACHINE MANAGER MANAGING A PARTICULAR SET OF VIRTUAL MACHINES IN A PLURALITY OF VIRTUAL MACHINES
610  IDENTIFY EACH VIRTUAL MACHINE IN THE PARTICULAR SET OF VIRTUAL MACHINES
     FOR EACH VIRTUAL MACHINE IN SET, IS VIRTUAL MACHINE ONLINE?
     YES:
620  LOAD AGENT ONTO VIRTUAL MACHINE VIA VIRTUAL MACHINE MANAGER API
625  PERFORM SECURITY ASSESSMENT ON VIRTUAL MACHINE USING AGENT
630  COLLECT RESULT DATA FROM SECURITY ASSESSMENT
     NO:
635  COLLECT MACHINE IMAGE DATA OF VIRTUAL MACHINE VIA THE VIRTUAL MACHINE MANAGER
640  ASSESS VIRTUAL MACHINE SECURITY USING COLLECTED MACHINE IMAGE
645  COLLECT RESULT DATA FROM SECURITY ASSESSMENT

FIG. 6
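The FIG. 6 flow (steps 605-645), together with the agent removal, image reading and per-VM result data described in paragraphs [0013]-[0014], as an added example that is not part of the patent or of any McAfee product: FakeVMM, FakeVM, assess_set and demo_vmm are hypothetical names, the VMM API is a stand-in rather than a real hypervisor interface, and the file and version data are constructed placeholders shaped like the FIG. 5 report.

```python
"""Added example (not the patent's or McAfee's code): the FIG. 6 flow run
against a constructed stand-in for a virtual machine manager (VMM) API.
Offline VMs are assessed from a collected image without powering them on;
online VMs get an agent loaded via the VMM API, which is removed afterwards."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed minimum patched versions. The shape mirrors the FIG. 5 report
# (file, location, found/required version); the numbers are placeholders.
REQUIRED_VERSIONS: Dict[str, str] = {
    r"C:\WINDOWS\system32\rpcrt4.dll": "5.1.567.123",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.1.567.8' -> (5, 1, 567, 8) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def assess_files(files: Dict[str, str]) -> List[dict]:
    """Core check used by both branches: flag files older than required."""
    findings = []
    for path, required in REQUIRED_VERSIONS.items():
        found: Optional[str] = files.get(path)
        if found is None or parse_version(found) < parse_version(required):
            findings.append({"file": path, "found": found, "required": required})
    return findings


@dataclass
class FakeVM:
    name: str
    online: bool
    files: Dict[str, str]   # constructed stand-in for the guest file system
    agent_loaded: bool = False


class FakeVMM:
    """Hypothetical VMM API; not VMware, Xen or Hyper-V calls."""

    def __init__(self, vms: List[FakeVM]):
        self._vms = {vm.name: vm for vm in vms}

    def query_inventory(self) -> List[Tuple[str, bool]]:
        return [(vm.name, vm.online) for vm in self._vms.values()]

    def read_image(self, name: str) -> Dict[str, str]:
        vm = self._vms[name]
        if vm.online:   # image-based assessment is for offline VMs only
            raise RuntimeError(f"{name} is online; assess it via an agent")
        return dict(vm.files)

    def load_agent(self, name: str) -> None:
        self._vms[name].agent_loaded = True

    def run_agent(self, name: str) -> List[dict]:
        vm = self._vms[name]
        if not vm.agent_loaded:
            raise RuntimeError(f"no agent loaded on {name}")
        return assess_files(vm.files)   # the agent inspects the running guest

    def remove_agent(self, name: str) -> None:
        self._vms[name].agent_loaded = False

    def agents_loaded(self) -> int:
        return sum(vm.agent_loaded for vm in self._vms.values())


def assess_set(vmm: FakeVMM) -> Dict[str, dict]:
    """Steps 610-645 of FIG. 6: one result record per VM in the managed set."""
    results: Dict[str, dict] = {}
    for name, online in vmm.query_inventory():      # 610, then: online?
        if online:
            vmm.load_agent(name)                     # 620
            try:
                findings = vmm.run_agent(name)       # 625
            finally:
                vmm.remove_agent(name)               # automatic removal
            method = "agent"
        else:
            findings = assess_files(vmm.read_image(name))   # 635, 640
            method = "image"
        results[name] = {"method": method, "findings": findings}  # 630 / 645
    return results


def demo_vmm() -> FakeVMM:
    """Constructed inventory: two online, two offline, one of each vulnerable."""
    dll = r"C:\WINDOWS\system32\rpcrt4.dll"
    return FakeVMM([
        FakeVM("vm1", online=True, files={dll: "5.1.567.123"}),
        FakeVM("vm2", online=True, files={dll: "5.1.567.8"}),
        FakeVM("vm3", online=False, files={dll: "5.1.567.123"}),
        FakeVM("vm4", online=False, files={}),   # file absent from the image
    ])
```

`assess_set(demo_vmm())` returns one record per VM; a file missing from an offline image is reported as a finding with `found` set to None rather than silently passing.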
`
`
`
SECURITY ASSESSMENT OF VIRTUAL MACHINE ENVIRONMENTS

TECHNICAL FIELD

[0001] This disclosure relates in general to the field of computer security and, more particularly, to performing security tasks on virtual machines.

BACKGROUND

[0002] The Internet has enabled interconnection of different computer networks all over the world. The ability to effectively protect and maintain stable computers and systems, however, presents a significant obstacle for component manufacturers, system designers, and network operators. This obstacle is made even more complicated due to the continually-evolving array of tactics exploited by malicious software authors. Malicious software authors create malicious software ("malware") to disrupt or stop computer operations, steal information, gain unauthorized access to system resources, and conduct other unauthorized abusive, hostile, intrusive, or annoying activities. Malware continues to evolve, with new malware objects being developed that potentially expose computers and systems every day.

[0003] System administrators and security product providers have developed a number of malware detection, security assessment, firewall, security policy enforcement tools, and other security products for monitoring, scanning, and protecting computing systems against malware, viruses, and other threats. As security products mature to more satisfactorily meet the challenges present in more traditional personal computing and enterprise computing environments, the ways in which computing assets are accessed and used evolve, introducing new challenges for security administrators and product and service providers. For instance, cloud computing has emerged as a popular alternative to maintaining a dedicated set of hard computing assets, allowing individuals and enterprises to access supplemental and scalable computing assets temporarily and on-demand. The use of virtual environments realized using cloud computing infrastructure is also expanding, including the use of virtual machines in cloud and server pool environments that can be selectively turned "on" as needed in connection with the temporary scaling up of a particular computer system or a user's computing needs.

BRIEF DESCRIPTION OF THE DRAWINGS

[0004] FIG. 1 is a simplified schematic diagram of a system including a plurality of virtual resources and a virtual machine manager in accordance with one embodiment;

[0005] FIG. 2 is a simplified block diagram of an example system including an example security tool for performing one or more security tasks relating to virtual resources in accordance with one embodiment;

[0006] FIGS. 3A-3C illustrate examples of performing example security tasks on virtual resources in accordance with at least some embodiments;

[0007] FIG. 4 illustrates other examples of performing example security tasks on virtual resources in accordance with at least some embodiments;

[0008] FIG. 5 illustrates an example screenshot of an example security tool used in performing one or more security tasks relating to virtual resources in accordance with one embodiment; and

[0009] FIG. 6 is a simplified flowchart illustrating example operations associated with at least some embodiments of the system.

[0010] Like reference numbers and designations in the various drawings indicate like elements.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

[0011] In general, one aspect of the subject matter described in this specification can be embodied in methods that include the actions of identifying each virtual machine in a set of virtual machines managed by a virtual machine manager. It can be determined, for each virtual machine in the set, whether the respective virtual machine is online. A machine image can be collected for each virtual machine in the set via the virtual machine manager. Security of the offline virtual machines can be assessed from the collected images.

[0012] In another general aspect of the subject matter described in this specification, a system can include a memory element storing data, a processor operable to execute instructions associated with the stored data, and a security assessment module. The security assessment module can be configured to identify each virtual machine in a set of virtual machines managed by a particular virtual machine manager, determine, for each virtual machine in the set of virtual machines, whether the respective virtual machine is online, load, via an API of the virtual machine manager, an agent on each virtual machine in the set of virtual machines determined to be online, and use the agent to assess security of the at least one online virtual machine.

[0013] These and other embodiments can each optionally include one or more of the following features. A query can be sent to the virtual machine manager for information for the set of virtual machines. Identification data can be received from the virtual machine manager identifying each virtual machine in the set of virtual machines in response to the query. The identification data can include identification, for each virtual machine in the set of virtual machines, of whether the virtual machine is online. At least one of the query or identification data can be communicated over an API of the virtual machine manager. The machine images of offline virtual machines in the set can be sent via an API of the virtual machine manager. An agent can be loaded, via an API of the virtual machine manager, on at least one online virtual machine in the set. The agent can be used to assess security of the at least one online virtual machine. Result data can be collected that reports results of the security assessment of the at least one online virtual machine, and the result data can be collected from the agent over the API of the virtual machine manager. The agent can be removed automatically at conclusion of the security assessment of the at least one online virtual machine. The set can be a subset of the plurality of virtual machines managed by the virtual machine manager and the set can include less than all of the plurality of virtual machines.

[0014] Further, these and other embodiments can each optionally include one or more of the following features. Result data can be collected from the security assessment of the offline virtual machines. The offline virtual machines can include a plurality of offline virtual machines and the result data can describe virtual-machine-specific security conditions for each of the plurality of offline virtual machines. A virtual-machine-specific report can be generated for each of the plurality of offline virtual machines based at least in part on collected result data. Assessing security of the offline virtual machines from the collected images can include reading each image file to identify security characteristics of each virtual machine in the offline virtual machines. Assessing security of the offline virtual machines from the collected images can include simulating operation of each offline virtual machine based on data in the corresponding image of the respective virtual machine. The plurality of virtual machines can be firewalled. A security assessment tool can be authenticated at the virtual machine manager. The security assessment of the offline virtual machines can include remedying at least one of a security vulnerability or policy violation detected for a particular one of the offline virtual machines before the particular virtual machine resumes online operation. The security assessment module can collect, for each virtual machine in the set determined to be offline, a machine image of the virtual machine via the particular virtual machine manager, and assess security of the offline virtual machines from the collected machine images.

[0015] Some or all of the features may be computer-implemented methods or further included in respective systems or other devices for performing this described functionality. The details of these and other features, aspects, and implementations of the present disclosure are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the disclosure will be apparent from the description and drawings, and from the claims.

Example Embodiments

[0016] FIG. 1 is a simplified block diagram illustrating an example embodiment of a computing system 100 including one or more security tools 105 adapted to perform one or more computer security tasks on computing assets and appliances, including scans in connection with policy compliance, vulnerability assessment, malware protection, and other security services. In some instances, security tasks can be performed using security tool 105 on remote assets and appliances over one or more networks 110, including "real" (i.e., non-virtual) system assets and appliances (e.g., at 115) and virtual assets and appliances, such as virtual machines 120 hosted by servers in a server pool 125, such as a cloud computing system. One or more virtual machine managers (e.g., 130) can be provided in connection with hosts of virtual assets and appliances and can provide administrators and customers with interfaces for deploying, maintaining, and otherwise managing virtual machines hosted within the server pool or

scans, and other results generated during one or more security tasks to assist administrator users in understanding security conditions of their machines and systems.

[0018] Security server 105 can perform one or more computer security tasks on local computing assets, including computer devices, software, and peripherals. Indeed, in some instances, security server 105 can comprise a software-based security tool installed on one or more computing devices, including personal computing devices. In other instances, security server 105 can perform computer security tasks on remote computing devices and assets. In some instances, security server 105 can include multiple server devices providing computer security services to multiple customers and computing devices. Security tasks can be performed on real computing systems and assets (e.g., assets of system 115), including computing assets such as real hardware and the accompanying software executed using the hardware. In addition to performing tasks on real computing infrastructure and assets, security server 105 can also be used to perform security tasks on virtual computing infrastructure, such as virtual appliances (e.g., 120) hosted on one or more local and/or remote computing devices, such as computing devices in a cloud computing environment or on-demand server pool (e.g., system 125).

[0019] In some instances, virtual computing infrastructure can be provided or hosted, for example, in cloud computing environments, including by cloud computing providers such as Amazon Web Services, Citrix Xen systems, or the Google App Engine, among many others. Alternatively, such virtual infrastructure can also (or alternatively) be hosted within an entity's direct or extended premises and computing pools using solutions such as VMware's ESX, Microsoft's Hyper-V, Citrix's Xen, among many others. Computing applications, software systems and other assets, including enterprise applications and software systems, are increasingly being moved to virtual infrastructure, mostly for economic reasons. Virtual infrastructure and virtual appliances can be implemented as virtual machines. Virtual machines can include software implementations or virtualizations of a physical machine (i.e., computing device) executing particular operating systems (i.e., guest operating systems) and applications as if it were a real, physical computer. Virtual machines can be isolated software containers, operating independent of other virtual machines. Such isolation can assist in realizing virtual-machine-based virtual environments that can execute applications and provide services with availability, flexibility, and security, in some cases, surpassing those on traditional,