Hypervisor Memory Introspection (HVI)

It is widely known that highly organized, profit-driven attackers seek unknown vulnerabilities (zero-day vulnerabilities), or use one-off, purpose-built exploits (zero-day exploits) and other tools. Attackers also use advanced techniques to delay and sequence attack payloads to mask malicious activity. Newer, profit-driven attacks are built to be stealthy and defeat traditional security tools.

For virtualized environments, the problem is now resolved, HVI protecting datacenters with a high density of virtual machines against advanced and sophisticated threats that the signature-based engines cannot defeat. It enforces strong isolation, ensuring real-time detection of the attacks, blocking them as they happen and immediately removing the threats.

Whether the protected machine is Windows or Linux, server or desktop, HVI provides insight at a level that is impossible to achieve from within the guest operating system. Just as the hypervisor controls hardware access on behalf of each guest virtual machine, HVI has intimate knowledge of both user-mode and kernel-mode in-guest memory. The result is HVI has complete insight into guest memory, and therefore full context. At the same time, HVI is isolated from the protected guests, just as the hypervisor itself is isolated. By operating at the hypervisor level and leveraging the hypervisor functionalities, HVI overcomes technical challenges of traditional security to reveal malicious activity in datacenters.

HVI identifies attack techniques rather than attack patterns. This way, the technology is able to identify, report and prevent common exploitation techniques. The kernel is protected against rootkit hooking techniques that are used during the attack kill chain to provide stealth. User-mode processes are also protected against code injection, function detouring, and code execution from stack or heap.


The HVI module may be available for your GravityZone solution with a separate license key.