Bitdefender B2B Help Center

Hypervisor Memory Introspection (HVI)

Overview

Note

HVI provides protection only to virtual machines on Citrix Xen hypervisors.

The HVI module may be available for your GravityZone solution with a separate license key.

Hypervisor Memory Introspection protects virtual machines against advanced threats that signature-based engines cannot defeat. It ensures real-time detection of attacks, by monitoring processes from outside the guest operating system. The protection mechanism includes several options to block attacks as they happen and immediately remove the threat.

Configuration

Following the memory separation principle of operating systems, HVI includes two protection modules, organized in the corresponding categories:

  • User space, addressing normal processes of the user applications.

  • Kernel space, addressing processes reserved to the core of the operating system.

Additionally, the HVI policy includes two features to help you manage security and maintain the protected virtual machines:

  • Exclusions, for viewing and managing processes excepted from scanning.

  • Custom tools, for injecting tools that are necessary in operational and forensics activities, inside the guest operating systems.

User space

In this section you can configure the protection settings for processes running in user space memory.

Use the User Space Memory Introspection check box to enable or disable protection.

Functionality of this module relies on rules, allowing you to configure protection separately for different groups of processes. Additionally, you can choose to collect more forensic information.

User space rules

The module comes with a set of predefined rules that address the most vulnerable applications, providing important information on each of them:

  • Rule name

  • Processes the rule applies to

  • Monitoring mode

  • Action that blocks the detected attack

  • Actions to remove the threat

You can also provide a list of custom rules for the processes you want to monitor.

To create a new rule:

  1. Click the Add button at the upper side of the table. This action opens the rule configuration window.

  2. Configure the module using the following rule settings:

    • Rule name - Enter the name under which the rule will be listed in the rules table. For example, for processes such as firefox.exe or chrome.exe, you can name the rule Browsers.

    • Processes - Enter the names of the processes you intend to monitor, separated by semicolons (;).

    • Monitoring mode - For a quick configuration, click the security level that best suits your needs (Aggressive, Normal or Permissive).

      Use the description on the right side of the scale to guide your choice.

      You can configure the module settings in detail by choosing the Custom protection level and selecting one or more of the following options:

      • Hooks being set on critical user mode DLLs - Detect DLL injections, which load malicious code into the calling process.

      • Unpacking/decrypting attempts in the main executable - Detect attempts to decipher the code in the main process executable, and protect the process from being altered with malicious instructions.

      • Foreign writes inside the target process - Protect against code injection in the protected process.

      • Exploits - Detect unintended process behavior caused by the exploitation of a bug or of a previously undisclosed vulnerability. Use this option if you want to monitor code execution from heap and stack of the protected applications.

      • Hooking of WinSock - Block interceptions of network libraries (DLLs) used by the operating system, ensuring a sound TCP/IP communication.

  3. Click Save.

Once created, you can edit a rule at any time. Clicking the rule name will open the rule configuration window.

GravityZone also allows you to quickly configure Memory Introspection behavior upon detections, by changing several rules at once. To set multiple rules with the same actions:

  1. Select the rules you want to change.

  2. Click the Action and Remediation button.

  3. Select the option you want for each action.

  4. Click Save.

    New actions will become effective once you save the policy, provided the target machines are online.

To remove one or several rules from the list, select them and then click the Delete button.

Forensic information

Select the Application crash events check box below the user space rules grid to enable collecting detailed information when applications are being terminated.

You can view this information in the HVI Activity report, and find the reason which caused the application to terminate. If the event is related to an attack, its details will appear grouped with other events under the corresponding incident that led to the event.

Kernel space

HVI protects key elements of the operating system, such as:

  • Critical kernel drivers and the associated driver objects, involving fast I/O dispatch tables associated with core drivers.

  • Network drivers, whose alteration would allow malware to intercept traffic and to inject malicious components into the traffic stream.

  • Kernel image of the operating system, involving the following: code section, data section and read-only section, including the Import Address Table (IAT), Export Address Table (EAT) and resources.

In this section you can configure the protection settings for processes running in the kernel space memory.

Use the Kernel Space Memory Introspection check box to enable or disable protection.

For a quick configuration, click the security level that best suits your needs (Aggressive, Normal or Permissive).

Use the description on the right side of the scale to guide your choice.

You can configure the module settings in detail by choosing the Custom protection level and selecting one or more of the following options:

  • Control registers - Control Registers (CR) are processor registers that control the general behavior of a processor or other digital device. Select this option to detect loading attempts of invalid values into specific Control Registers.

  • Model specific registers - These registers refer to any of the various control registers in the x86 instruction set used for debugging, program execution tracing, computer performance monitoring, and toggling certain CPU features. Select this option to detect attempts of changing these registers.

  • IDT/GDT integrity - The Global or Interrupt Descriptor Tables (IDT/GDT) are used by the processor to determine the correct response to interrupts and exceptions. Select this option to detect any attempts to change these tables.

  • Antimalware drivers protection - Select this option to detect attempts to alter drivers used by the antimalware software.

  • Xen drivers protection - Select this option to detect attempts to alter drivers of the Citrix XenServer hypervisor.

Additionally, you can choose to gather information that will enrich the data provided to forensic teams.

Select the OS failures events and Driver events check boxes to enable collecting information related to guest operating system failures or to events generated by additional modules loaded by the operating system.

These events, which precede an incident, help forensic investigators zero in faster on the root cause of the attack.

These events are aggregated in the HVI Activity report under the incident that led to them.

Exclusions

GravityZone allows you to exclude processes from HVI scanning, using the Blocked Applications and HVI Activity reports. The Exclusions section gathers all the processes excluded from those reports and displays them in a grid.

For each excluded process you can view a comment with the reason for the exclusion.

If you want to revert the action, click the Delete button, and the excluded process will be included in future scans.

Custom tools

In this section you can configure tool injection inside the target guest operating systems. These tools must be uploaded to GravityZone before using them. For more information, refer to Using Tools.

To configure injections:

  1. Use the Activate injections check box to enable or disable the feature.

  2. Click the Add button at the upper side of the table to add a new tool. A configuration window is displayed.

  3. Select the tool you want to use from the Choose tool drop-down list.

    These tools were previously uploaded in GravityZone. If you cannot find the right tool in the list, go to the Tools Management Center and add it from there. For more information, refer to Using Tools.

  4. Under Tool description, enter the intended use of the tool or any other information you may find useful.

  5. Enter the tool's command line, together with all needed input parameters, just like you do in Command Prompt or Terminal.

    For example:

    bash script.sh <param1> <param2>

    For BD Remediation Tools you can only select the remediation action and backup remediation action from the two drop-down menus.

  6. Point the location from where the Security Server should gather the logs:

    • stdout - Select this check box to capture the logs from the standard output communication channel.

    • Output file - Select this check box to collect a log file saved on the endpoint. In this case, you need to enter the path where the Security Server can find the file. You can use absolute paths or system variables.

      Here you have two additional options:

      • Delete log files from Guest after they have been transferred - Select this option if you no longer need the files on the endpoint.

      • Transfer logs to - Select this option to move the log files from the Security Server to another location.

        In this case, you need to provide the path to the destination location and the authentication credentials.

  7. Select how the injection will be triggered. You have the following options:

    • After a violation is detected in the guest virtual machine - The tool is injected right when a threat is detected on the virtual machine.

    • By a specific schedule - Use the scheduling options to configure the injection schedule. You can choose to run the tool every few hours, days or weeks, starting with a specified date and time.

      Note that the virtual machine must be powered on when the schedule is due. A scheduled injection will not run when due if the machine is powered off or paused.

      In such situations, it is recommended to enable the check box If scheduled injection time is missed run task as soon as possible.

  8. Sometimes the tool may require a longer time than expected to finish its job, or it may become unresponsive.

    To avoid crashes in such situations, in the Safety configuration section, choose after how many hours the Security Server should automatically terminate the tool's process.

  9. Click Save.

    The tool is added to the table.

You can add as many tools as you need by following the steps above.

Operating custom tools injection with HVI

Bitdefender HVI releases you from the burden of troubleshooting issues, collecting forensic data, or running regular maintenance tasks on virtual machines in your Citrix environment, by allowing you to inject third-party tools on the fly inside the guest operating systems. These operations are performed via Direct Inspect APIs (no TCP/IP connection needed) and without disturbing the end users.

For this purpose, the tools must be able to run silently.

GravityZone gives you 3 GB of space to store your tools safely, from which they are injected inside the guest operating systems.
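A tool that is injected this way has to meet the constraints described in the injection steps and in this section: it runs with no terminal and no user attached, so nothing in it may prompt or wait for input; whatever the Security Server should collect goes either to stdout or to an output file whose path is given in the policy; and it should finish in bounded time rather than relying on the Safety configuration to terminate it. The following POSIX shell script is an added example written for this page; it is not a Bitdefender tool and is not shipped with GravityZone. The script name hvi_collect.sh, its command line (sh hvi_collect.sh <output_file> <per_step_timeout_seconds>), and the set of commands it runs are assumptions made for the illustration.

```shell
#!/bin/sh
# hvi_collect.sh - example injectable Linux forensic snapshot tool (added
# illustration, not a Bitdefender tool). Assumed command line in the policy:
#   sh hvi_collect.sh <output_file> <per_step_timeout_seconds>
# Assumed collection setup: "Output file" points at <output_file>; "stdout"
# only receives a one-line summary.

# Per-command time cap in seconds (assumed default: 60); the second argument
# overrides it. This keeps one hung command from stalling the whole tool.
RUN_QUIET_LIMIT=${RUN_QUIET_LIMIT:-60}

# run_quiet LOGFILE CMD [ARGS...]
# Runs CMD with stdin from /dev/null (nothing can prompt, since no user is
# attached) and both stdout and stderr appended to LOGFILE. Uses coreutils
# "timeout" when it is present; otherwise the command runs uncapped.
run_quiet() {
    log="$1"; shift
    if command -v timeout >/dev/null 2>&1; then
        timeout "$RUN_QUIET_LIMIT" "$@" </dev/null >>"$log" 2>&1
    else
        "$@" </dev/null >>"$log" 2>&1
    fi
}

# section LOGFILE TITLE CMD [ARGS...]
# Appends a labelled section to LOGFILE. A missing command or a non-zero exit
# is recorded in the log and does not abort the tool, so a guest that lacks
# one utility still yields the rest of the snapshot.
section() {
    log="$1"; title="$2"; shift 2
    SECTIONS=$((SECTIONS + 1))
    printf '## %s\n' "$title" >>"$log"
    if command -v "$1" >/dev/null 2>&1; then
        run_quiet "$log" "$@" ||
            printf '## %s: exit status %s\n' "$title" "$?" >>"$log"
    else
        printf '## %s: command not available\n' "$title" >>"$log"
    fi
}

# collect_snapshot LOGFILE
# Truncates LOGFILE (a scheduled run must not append forever), writes a header
# and a fixed set of sections, and prints the number of sections attempted.
collect_snapshot() {
    log="$1"
    SECTIONS=0
    : >"$log"
    printf '# hvi_collect started %s on %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" >>"$log"
    section "$log" "kernel"    uname -a
    section "$log" "uptime"    uptime
    section "$log" "processes" ps -eo pid,ppid,user,etime,args
    section "$log" "listeners" ss -tulpn
    section "$log" "modules"   lsmod
    echo "$SECTIONS"
}

main() {
    out="${1:-/tmp/hvi_collect.log}"
    RUN_QUIET_LIMIT="${2:-$RUN_QUIET_LIMIT}"
    n=$(collect_snapshot "$out")
    # Keep stdout to one line: the detail is in the output file.
    printf 'hvi_collect: %s sections written to %s\n' "$n" "$out"
}

# Run main only when executed under this script name, so the functions can be
# sourced and exercised without side effects.
case "$0" in *hvi_collect.sh) main "$@" ;; esac
```

Every command is wrapped so that a missing utility (for example ss on a minimal guest) or a failing one is logged as such and the snapshot continues; with the per-step cap the whole run is bounded by a few minutes, well under the hours-scale limit you set in the Safety configuration.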

To upload tool kits to GravityZone:

  1. Download the tool’s latest kit version to your computer.

  2. Archive the kit in a ZIP file.

  3. Go to GravityZone Control Center and click the Tools menu in the lower-left corner of the page.

    The Tools Management Center page is displayed.

  4. Click the appropriate upload button, based on the destination operating system: Upload Windows tool or Upload Linux tool.

  5. If the tool is for Windows, you must also choose the applicable computer architecture from the drop-down menu.

  6. Locate the ZIP file, select it and then click Open.

    For large files, you may have to wait a couple of minutes until upload is complete.

    When finished, the tool is added and the progress bar above the table refreshes the information on the available space for future uploads.

Along with the tool’s name, the table displays more useful details, such as:

  • The operating system and platform on which the tool runs.

  • A brief description of the tool. You can edit this field at any time, if you want.

  • The name of the user who uploaded the tool.

  • Upload status. Check this field to make sure the tool uploaded successfully.

  • Date and time of the upload.

Next, you can schedule via policies when to inject the tools, or you can inject them at any time by running tasks from the Network page.

When you no longer use the tools, select them and then click the Delete button to remove them.

Click Yes to confirm.
