With virtual machines, a host computer may support a number of virtual machines, each representing its own execution environment. Each virtual machine may run an operating system and distinct applications. Because multiple operating environments may run on a single host, a virtual machine architecture provides a great deal of flexibility and scalability to a system administrator or computer system architect and may enhance security and reliability by effectively isolating the virtual machines from one another.
System administrators may bring virtual machines on-line and off-line faster than deploying physical computing devices. Also, virtual machines allow administrators to create, copy, modify, back up and roll back the execution state of the virtual machines faster than with physical computing devices. For example, in a server farm of web servers and e-commerce servers, the server farm may only have a fixed number of physical computing devices deployed. With virtual machines, the administrator may quickly change the ratio of web servers to e-commerce servers to match demand by quickly deploying additional virtual machines within the server farm.
Virtual machine technology makes the operation of migrating from one server to another similar to that of copying and moving files. For example, suppose the virtual machine image of the web server faces increased utilization of processing and/or memory resources. If the virtual machine's host is unable to provide more resources, the virtual machine can be easily and quickly migrated to another host that can provide the additional resources needed. Such a process is often referred to as resource balancing or load balancing of virtual machines across hosts. Because this dynamic flexibility provides significant value for the user and administrator, virtual machines have seen rapid adoption in many computing environments.
In addition, virtual machines allow users to deploy and rapidly scale large numbers of servers. For example, depending on the hardware resources and the nature of the application, a single physical server may support tens of virtual machines, each supporting different applications. Virtual machines that don't need to be always running can be rapidly deployed or taken off-line to save resources. Along with the benefits of scalability come the challenges of management and security. With a vast number of virtual machines in a network, it becomes difficult to provide adequate protection against malicious software, also known as malware, such as computer viruses, spyware, worms, rootkits and the like.
Further compounding the problem, because of the ease with which virtual machines may be brought on-line and off-line, an infestation of malware may become difficult to cure. For example, when a computer worm attacks a conventional network of computers, the worm typically infects multiple computers relatively quickly. Once the administrator identifies which machines are infected and provides the appropriate remedies, such as cleanup patches and procedures, the computers may be safe from being later infected.
However, in a virtual machine environment, virtual machines may be brought into service and brought out of service regularly. This transient topology of virtual machines makes it difficult for administrators to quickly identify and remove infected machines. Accordingly, virtual machines that are infected may be taken out of service, or off-line, before being cleaned or patched. Later, when the virtual machine is brought back into service, an infestation may be reintroduced to the network. As a result, worm and virus infections of networks of virtual machines tend to persist at a low level indefinitely.
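The reintroduction problem described above can be spotted from power-event history. The following Python code is an added example, not part of the original text: it lists the virtual machines that were never powered on during a remediation sweep and so missed the cleanup, which makes them the ones to scan before they rejoin the network. The log format, VM names and sweep times are constructed assumptions.

```python
from datetime import datetime

# Constructed power-event log: ISO timestamp, VM name, state change.
SAMPLE_LOG = """\
2024-03-01T08:00 web-01 on
2024-03-01T09:00 web-02 on
2024-03-01T09:30 shop-01 on
2024-03-02T10:00 web-02 off
2024-03-03T02:00 shop-01 off
2024-03-03T05:00 shop-01 on
2024-03-04T12:00 web-02 on
2024-03-04T13:00 web-03 on
"""

def parse_events(text):
    """Return {vm: [(time, is_on), ...]} with each history sorted by time."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, vm, state = line.split()
        events.setdefault(vm, []).append((datetime.fromisoformat(stamp), state == "on"))
    for history in events.values():
        history.sort()
    return events

def was_online_during(history, start, end):
    """True if the VM was powered on at any moment in [start, end].
    A VM is assumed off before its first recorded event."""
    on_since = None
    for when, is_on in history:
        if is_on and on_since is None:
            on_since = when
        elif not is_on and on_since is not None:
            # Closed on-interval [on_since, when]: does it overlap the sweep?
            if on_since <= end and when >= start:
                return True
            on_since = None
    # Still running at the end of the log: overlaps if it started before the sweep ended.
    return on_since is not None and on_since <= end

def missed_sweep(text, start, end):
    """VMs the sweep could not have reached: hold these for a scan at power-on."""
    events = parse_events(text)
    return sorted(vm for vm, h in events.items() if not was_online_during(h, start, end))
```

With a sweep window of 2024-03-03 00:00 to 06:00, `missed_sweep` flags `web-02`, which was off-line throughout, and `web-03`, which first appeared afterwards. Partial overlap is treated as reachable here, so a stricter policy would also hold machines such as `shop-01` that were on-line for only part of the sweep.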
Traditional malware scanning technology provides the ability to scan computers for resident malware. Such software scanners are typically licensed and deployed on a per-computer basis. Thus, an administrator may be forced to manage at least one malware application per operating environment.
With legacy scanning technology, in a virtual machine environment, the administrator may have to manage at least one malware application per virtual machine. The difficulty of such management may be exacerbated by the large number and transient nature of the virtual machines in the network. Operating an individual malware application per virtual machine may increasingly tax processing and memory resources, especially when more than one virtual machine may be deployed per physical computing device, and may incur costs for additional licensing for each antimalware agent deployed. Additionally, some malware is adept at hiding itself from antimalware programs that are running while the operating system is running.