Malware detection systems often employ virtual environments to enable potentially malicious objects to be safely analyzed during run-time in one or more sandboxed virtual machines. Each virtual machine (VM) is provisioned with a guest image, where the guest image is configured in accordance with a particular software profile. This particular software profile is dependent on the type of object being analyzed. For example, where the object is an accessed web page, the software profile may prescribe a browser application that runs over a specific operating system (e.g., Windows®, Linux®, etc.). As another example, where the object is an electronic message, the software profile may prescribe an email application running over the same or a different operating system (e.g., Microsoft® Mobile®, Blackberry® OS, etc.).
For processing a suspicious object, the virtual machine is typically provisioned with a guest image that features software components for the prescribed software profile. During processing, the suspicious object may target specific sequences of instructions in order to carry out malicious behaviors. The location of these specific sequences of instructions may be referred to herein as Points of Interest (POIs) wherein a POI is a specific address at which an instruction within one of the specific sequences of instructions is located. Currently, malware detection systems running within a virtual machine may attempt to monitor execution of instructions located at POIs from within the VM; however, such monitoring is often detectable by advanced malware. When monitoring is detected by advanced malware, the advanced malware may halt or alter its instruction execution to avoid exhibiting detectable malicious behaviors in order to remain undetected or unidentified as malware. Thus, merely monitoring processing of a suspicious object using standard malware detection logic within the VM may cause a number of false-negatives. Alternatively, malware detection systems running within a virtual machine may attempt to monitor processing of a suspicious object from a virtual machine monitor (VMM) monitoring the VM; however, monitoring by a VMM may not provide the malware detection logic with sufficient information pertaining to the state of the VM and each running process within the VM to fully analyze an execution, or attempted execution, of an instruction at a POI. Therefore, in some instances, monitoring processing of a suspicious object within a VM from a VMM may result in inadequate cyber-threat information and, in some extreme cases, false-positives and/or false-negatives.