Bitdefender’s Hypervisor Introspection (HVI) tool is designed to solve a difficult problem in virtual environments. Once sophisticated malware enters the virtual machine and alters the kernel – or performs some other rootkit function – it is nearly impossible for the typical anti-malware product residing on the VM to detect it. This is because part of the malware’s functionality is obfuscation. This obfuscation takes place as a set of sophisticated processes that, essentially, take over the VM from the kernel on out to the application layer. There is only one location in a virtual environment that can have total visibility of the VMs: the hypervisor. And that is exactly where the Bitdefender product acts.
HVI sits at the hypervisor layer between the VMs and the host computer. From that perspective, it is able to see everything in the host’s memory. Because the guest VMs share host memory, this view lets HVI see every action in guest memory without being part of the guest operating system. That means if malware attempts anything that could alter the guest OS, it must address the OS through guest memory. Because it sees all of host memory, HVI sees the guest activity and stops it. Unlike anti-malware that sits on the VM – which cannot stop what it cannot see because of malware obfuscation – HVI has a sort of “outside-in” view of the guest.
While this is not a file system-based approach, there are some things it can stop that feel as if it were. For example, ransomware does its damage at the file system and is not susceptible to HVI catching it at that point. However, sophisticated ransomware usually will attempt obfuscation. When it does, HVI will see it if it accesses guest memory and attempts kernel penetration and modification. This often occurs after the downloader portion of the ransomware injects the actual ransomware, which then installs itself somewhere on the guest. An example is taking over Windows Explorer.
This is a tool best used in conjunction with your existing security stack and, in fact, Bitdefender estimates that around 40 percent of anti-malware products include OEM’d Bitdefender technology. HVI does not require an agent – indeed, it should not have one, since it is “introspective” from the hypervisor inwards toward the guest VM. Rather, it runs on its own secure virtual appliance, running as a guest. In order to be effective, HVI digs deeply into the hypervisor kernel, giving it overall visibility of the entire virtual datacenter at the hardware level.
Functionally, HVI looks at the exploitation technique – i.e., what the attacker is trying to do in a place it is not supposed to be, such as the guest kernel. Therefore, HVI does not need signatures and does not need to know anything about vulnerabilities. In this example, it knows that one should not alter the kernel. Period. That means there is no periodic updating to match up malware signatures. Its purpose is to break the kill chain.
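As an added illustration of the outside-in model described in the two paragraphs above (constructed example code, not Bitdefender’s or HVI’s implementation; the guest memory layout, region names and addresses are assumed): a toy hypervisor-side monitor that judges each guest write by where it lands, with no signature involved, and sweeps the protected kernel regions for divergence from a known-good baseline.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class ProtectedRegion:
    name: str
    start: int   # guest-physical address; the layout is constructed for this example
    size: int

@dataclass
class GuestMemory:
    """Guest RAM as the hypervisor sees it, plus the regions an introspection tool would guard."""
    mem: bytearray
    regions: list
    baseline: dict = field(default_factory=dict)

    def region_hash(self, r):
        return hashlib.sha256(self.mem[r.start:r.start + r.size]).hexdigest()

    def snapshot(self):
        # Record the protected pages while they are known-good (e.g. right after guest boot)
        self.baseline = {r.name: self.region_hash(r) for r in self.regions}

    def hit(self, addr, size):
        # Protected region overlapped by the write [addr, addr+size), or None
        for r in self.regions:
            if addr < r.start + r.size and addr + size > r.start:
                return r
        return None

    def guest_write(self, addr, data):
        # Write intercept: the verdict depends only on where the write lands, not on who issued it
        r = self.hit(addr, len(data))
        if r is not None:
            return ("blocked", r.name)
        self.mem[addr:addr + len(data)] = data
        return ("allowed", None)

    def verify(self):
        # Out-of-band integrity sweep: names of regions that no longer match the baseline
        return [r.name for r in self.regions if self.region_hash(r) != self.baseline.get(r.name)]

def demo():
    guest = GuestMemory(bytearray(0x4000), [ProtectedRegion("kernel_text", 0x1000, 0x1000),
                                            ProtectedRegion("syscall_table", 0x2000, 0x200)])
    guest.snapshot()
    results = [
        guest.guest_write(0x3000, b"user data"),         # ordinary guest write: allowed
        guest.guest_write(0x2008, b"\xde\xad\xbe\xef"),  # hook attempt on the syscall table: blocked
        guest.guest_write(0x0ffc, b"\x90" * 8),          # straddles into kernel text: blocked
    ]
    guest.mem[0x1010] ^= 0xFF   # tampering that bypassed the intercept; the sweep still catches it
    return results, guest.verify()
```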
Although HVI works with Bitdefender anti-malware, it works equally well with just about any competent anti-malware product, so there is no need to rip-and-replace if you want to add HVI to your security stack. A major benefit of the approach Hypervisor Introspection uses is that it relies on no signatures, machine-learning algorithms or other constantly changing parameters that need updating; as a result, HVI can truly know the unknown and respond to zero-days – not because of what they are, but because of what they attempt to do.
The website is largely a marketing site, but it does have a lot of useful information. Support services are prominently available. There are support engineer services available as well. We have no doubt that if you are integrating with an existing system, you would be well-advised to take advantage of the help in order to get the most out of the product.
Overall, we liked this tool and we were impressed with its creative approach to anti-malware in a virtual environment. HVI is only available for Citrix XenServer at present and Citrix was an important partner with Bitdefender in the development of HVI, so it is tightly integrated into the Xen hypervisor. Pricing is very attractive, especially considering what it does. The only negative we found was that it is limited to XenServer. However, that is because the tight integration requires a lot of cooperation from the hypervisor vendor. We hope that other major players, such as VMware, will get on board with this fine product. – Peter Stephenson, technology editor
Product: Bitdefender HVI (Hypervisor Introspection)
Price: $1,500/physical CPU
What it does: Uncovers memory violations by directly analyzing raw memory lines, thereby ensuring they are not being altered by malware.
What we liked: This is a very creative approach to solving a very tough problem in a virtual environment.
The bottom line: It really doesn’t matter what your security stack looks like at the moment; there is room for this tool if you are operating in a virtual environment on XenServer, and it certainly deserves a deeper look if that is your environment.