Malware detection systems often employ virtual environments that enable potentially malicious objects to be safely analyzed during run-time in one or more virtual machines. Each virtual machine (VM) includes a guest VM and a host VM. The guest VM is a component that functions as if it were a physical network device and the host VM is the underlying hardware that provides computing resources such as processing power, data storage, and I/O (input/output). The guest VM may be instantiated by a virtual system (disk) image at run-time. To expedite activation of a guest VM instance, the virtual disk image may include a VM disk snapshot, namely an image that includes the runtime state of pre-launched software components of the guest VM, including applications, plugins and analytic tools.
As new software components or new versions of these software components are released by software vendors, new instrumented VM disk snapshots need to be developed and tested for these software components. Updating a VM disk snapshot is a significant event: because of the monolithic configuration of the VM disk snapshot, the entire virtual disk image must be recompiled for each software component. As a result, the generation of an updated (new) VM disk snapshot often requires months of development and quality assurance testing before release.
Given the amount of time necessary to complete a newly-instrumented VM disk snapshot, some malware authors have a lengthy window of time for their malware to exploit certain unknown vulnerabilities of a newly released software component before those vulnerabilities are addressed by a newly released VM disk snapshot. This window of time spans from the release of the software component to the deployment of a new VM disk snapshot that addresses malware that may have evaded prior malware detection or eliminates a discovered vulnerability in that software component. By reducing this window, the harmful effects of malware may be reduced.
Also, certain software components of a VM disk snapshot (e.g., applications, plugins, malware detection components, etc.) are utilized in malware detection more often than other software components, and are therefore more important for malware detection. As a result, in order to maintain a high level of success in malware detection, certain software components may need to be updated more frequently than others. Additionally, as more and more customers are requesting customized VM disk snapshots (e.g., VM disk snapshots that include customer-specific software components), the timely generation of updated VM disk snapshots has become more difficult to achieve.
Lastly, independent of the substantial time lag in creating VM disk snapshots to address evasive actions undertaken by malware and/or logical issues with the VM disk image that are uncovered after its release, the transmission (including by online update) of these extremely large VM disk snapshots is expensive to maintain. A technique for increasing the efficiency of updating VM disk snapshots is needed.