Malware protection for virtual machines
US-2021234872-A1 · Jul 29, 2021 · US
US11604876B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11604876-B2 |
| Application number | US-202016774661-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 28, 2020 |
| Priority date | Jan 28, 2020 |
| Publication date | Mar 14, 2023 |
| Grant date | Mar 14, 2023 |
Official abstract text for this publication.
A computer-implemented method at a data management system comprises: receiving, at a storage appliance from a server hosting a virtual machine, a write made to the virtual machine; computing, at the storage appliance, a fingerprint of the transmitted write; comparing, at the storage appliance, the computed fingerprint to malware fingerprints in a malware catalog; repeating the computing and comparing; and disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time.
Opening claim text (preview).
The invention claimed is:
1. A data management system, comprising: a storage appliance configured to store a snapshot of a virtual machine; and one or more processors in communication with the storage appliance, the one or more processors configured to perform operations including: receiving, at the storage appliance from a server hosting the virtual machine, a write made to the virtual machine; computing, at the storage appliance, a fingerprint of the received write; comparing, at the storage appliance, the computed fingerprint to malware fingerprints in a malware catalog while the virtual machine continues to receive writes; repeating the computing and comparing for the continued received writes; and disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time, the predetermined threshold greater than one.
2. The system of claim 1, wherein the operations further include restoring the virtual machine using the snapshot stored in the storage appliance to a state before the predetermined threshold was breached.
3. The system of claim 1, wherein the operations further include blocking writes from a source of the matches.
4. The system of claim 1, wherein the operations further include generating the malware catalog including generating fingerprints of binaries and compressed binaries of known malware.
5. The system of claim 4, wherein the fingerprints are computed at 4 kilobytes aligned offsets generated using SHA256.
6. The system of claim 1, wherein the operations further include repeatedly generating snapshots of the virtual machine over time.
7. A computer-implemented method at a data management system, the method comprising: receiving, at a storage appliance from a server hosting a virtual machine, a write made to the virtual machine; computing, at the storage appliance, a fingerprint of the received write; comparing, at the storage appliance, the computed fingerprint to malware fingerprints in a malware catalog while the virtual machine continues to receive writes; repeating the computing and comparing for the continued received writes; maintaining a log of the continued received writes; and reversing the writes to revert the virtual machine per the maintained log if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time.
8. The method of claim 7, further comprising restoring the virtual machine using a snapshot stored in the storage appliance to a state before the predetermined threshold was breached.
9. The method of claim 7, further comprising blocking writes from a source of the matches.
10. The method of claim 7, further comprising generating the malware catalog including generating fingerprints of binaries and compressed binaries of known malware.
11. The method of claim 10, wherein the fingerprints are computed at 4 kilobytes aligned offsets generated using SHA256.
12. The method of claim 7, further comprising repeatedly generating snapshots of the virtual machine over time.
13. A non-transitory, machine-readable medium storing instructions which, when read by a storage appliance, cause the storage appliance to perform operations comprising, at least: receiving, at the storage appliance from a server hosting a virtual machine, a write made to the virtual machine; computing, at the storage appliance, a fingerprint of the received write; comparing, at the storage appliance, the computed fingerprint to malware fingerprints in a malware catalog while the virtual machine continues to receive writes; repeating the computing and comparing for the continued received writes; and disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time, the predetermined threshold greater than one.
14. The machine-readable medium of claim 13, wherein the operations further include restoring the virtual machine using a snapshot stored in the storage appliance to a state before the predetermined threshold was breached.
15. The machine-readable medium of claim 13, wherein the operations further include blocking writes from a source of the matches.
16. The machine-readable medium of claim 13, wherein the operations further include generating the malware catalog including generating fingerprints of binaries and compressed binaries of known malware.
17. The machine-readable medium of claim 16, wherein the fingerprints are computed 4 kilobytes aligned offsets generated using SHA256.
18. The machine-readable medium of claim 13, wherein the operations further include repeatedly generating snapshots of the virtual machine over time.
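The detection loop the claims describe (SHA-256 fingerprints at 4 KB aligned offsets, catalog lookup, match count over a time window) as an added example; it is not code from the patent or its assignee. The function and class names, the choice to skip partial blocks, and the reading of "breaches" as "exceeds" are assumptions, and the sample bytes are constructed.

```python
import hashlib
from collections import deque

BLOCK = 4096  # claims 5/11/17: SHA-256 at 4 KB aligned offsets

def block_fingerprints(data: bytes, base_offset: int = 0):
    """SHA-256 of every whole 4 KB block that starts on an aligned offset.
    Partial blocks are skipped (assumption; the claims do not say)."""
    start = -base_offset % BLOCK  # bytes to skip to reach the next aligned offset
    return [hashlib.sha256(data[i:i + BLOCK]).hexdigest()
            for i in range(start, len(data) - BLOCK + 1, BLOCK)]

def build_catalog(malware_samples):
    """Catalog = set of block fingerprints of known-malware binaries (claim 4)."""
    return {fp for blob in malware_samples for fp in block_fingerprints(blob)}

class WriteMonitor:
    """Counts catalog matches in a sliding time window (hypothetical name)."""
    def __init__(self, catalog, threshold, window_seconds):
        if threshold <= 1:
            raise ValueError("claims 1 and 13 require a threshold greater than one")
        self.catalog, self.threshold, self.window = catalog, threshold, window_seconds
        self.matches = deque()  # timestamps of matching blocks, oldest first
        self.disabled = False

    def on_write(self, timestamp, offset, data):
        """Fingerprint one write; return True once the VM should be disabled."""
        for fp in block_fingerprints(data, offset):
            if fp in self.catalog:
                self.matches.append(timestamp)
        while self.matches and timestamp - self.matches[0] > self.window:
            self.matches.popleft()  # forget matches older than the window
        if len(self.matches) > self.threshold:  # "breaches" read as "exceeds" (assumption)
            self.disabled = True
        return self.disabled

def demo():
    # Constructed stand-in for a malware binary: three distinct 4 KB blocks.
    sample = b"".join(bytes([n]) * BLOCK for n in (1, 2, 3))
    mon = WriteMonitor(build_catalog([sample]), threshold=2, window_seconds=60)
    first = mon.on_write(0, 8192, sample[:BLOCK])              # one match, below threshold
    second = mon.on_write(100, 0, sample[BLOCK:2 * BLOCK])     # earlier match has expired
    third = mon.on_write(110, 4096, sample)                    # four matches inside 60 s
    return first, second, third

if __name__ == "__main__":
    print(demo())
```

Because the threshold must be greater than one, a single matching block (for example a padding block shared with a benign file) does not disable the VM on its own.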
by virus signature recognition · CPC title
where processing functionality is redundant (redundant communication control functionality G06F11/2005, redundant storage control functionality G06F11/2089) · CPC title
involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD · CPC title
Hypervisor-specific management and integration aspects · CPC title
Backup restoration techniques · CPC title