Patents by Inventor Leena Shuklendu Soman
Leena Shuklendu Soman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250036762
Abstract: The disclosure herein describes scanning a snapshot of a virtualized computing instance (VCI) for malware. A VCI snapshot associated with a version of a malware infected VCI is scanned for malware. The malware scanning includes selecting a first file of the VCI snapshot and determining that a file, in a previously scanned VCI snapshot associated with another version of the malware infected VCI, which corresponds to the selected first file has a clean reputation indicator. Further, it is determined that the metadata of the selected first file matches metadata of the corresponding file. Based on these determinations, the malware scanning proceeds to scan the next file for malware without scanning the selected first file for malware.
Type: Application
Filed: October 13, 2023
Publication date: January 30, 2025
Inventors: Mandar Nanivadekar, Leena Shuklendu Soman, Boris Weissman
-
Patent number: 12169554
Abstract: A method for automatically reregistering a clone virtual machine with a cloud security monitoring service is provided. The method generally includes detecting a connection between a cloud agent running in a virtual machine on a host and a hypervisor module on the host. In response to detecting the connection, the cloud agent queries the hypervisor module for one or more first identifiers of the virtual machine. The method generally includes checking a database, by the cloud agent, for one or more second identifiers stored in the database matching the one or more first identifiers received from the hypervisor module and, based on finding no second identifiers stored in the database matching the one or more first identifiers, sending a request to the cloud security monitoring service to register the virtual machine with the cloud security monitoring service.
Type: Grant
Filed: March 23, 2022
Date of Patent: December 17, 2024
Assignee: VMware LLC
Inventors: Leena Shuklendu Soman, Bharath Kumar Chandrasekhar, Shirish Vijayvargiya, Vasantha Kumar Dhanasekar, Vaibhav Mohan Rekhate
-
Patent number: 12143362
Abstract: Example methods and systems for a computer system to perform context-aware service query filtering are described. One example may involve a computer system intercepting a service query from a virtualized computing instance to pause forwarding of the service query towards a destination; and obtaining context information associated with an application running on the virtualized computing instance. In response to determination that the service query is a potential security threat based on the context information, service query filtering may be performed to inspect the service query for malicious activity. Otherwise, in response to determination that the service query is not a potential security threat based on the context information, the service query filtering may be skipped and the service query forwarded towards the destination.
Type: Grant
Filed: February 17, 2022
Date of Patent: November 12, 2024
Assignee: VMware LLC
Inventors: Vasantha Kumar Dhanasekar, Shirish Vijayvargiya, Leena Shuklendu Soman
-
Patent number: 12093711
Abstract: The disclosure provides an approach for hypervisor-assisted security analysis. Embodiments include receiving, at a hypervisor on a host computer, events from one or more virtual computing instances (VCIs). Embodiments include analyzing, by the hypervisor, the events according to one or more rules to identify a subset of the events for additional analysis. Embodiments include compressing, by the hypervisor, the subset of the events by performing deduplication to produce a compressed subset of the events. Embodiments include transmitting, by the hypervisor, the compressed subset of the events over a network to a separate analysis component, wherein the separate analysis component performs the additional analysis.
Type: Grant
Filed: March 3, 2021
Date of Patent: September 17, 2024
Assignee: VMware LLC
Inventors: Bharath Kumar Chandrasekhar, Leena Shuklendu Soman, Vasantha Kumar Dhanasekar
-
Patent number: 12068967
Abstract: Described herein are systems and methods to filter and classify multicast network traffic. In one example, a first computing node may receive a multicast communication from a second computing node and register a context for a flow associated with the multicast communication, wherein the context includes at least the multicast port associated with the multicast communication. The first computing node further identifies an outbound communication destined for the second computing node and determines that addressing attributes in the outbound communication match the context for the flow. Once it is determined that the attributes match the context for the flow, the first computing node associates the outbound communication with the flow.
Type: Grant
Filed: January 14, 2022
Date of Patent: August 20, 2024
Assignee: VMware LLC
Inventors: Vaibhav Mohan Rekhate, Leena Shuklendu Soman
-
Publication number: 20240231870
Abstract: An example method may include determining, by a first program running on a first compute node, that a shared datastore connected to the first compute node includes address information for downloading an agent installer and proxy information for accessing a proxy server. The address information and the proxy information may be stored in the shared datastore by a second program running on a second compute node based on a user-configured input. Further, the method may include reading, by the first program, the proxy information and the address information from the shared datastore. Furthermore, the method may include downloading, by the first program, the agent installer from a destination server corresponding to the address information via a proxy server associated with the proxy information. Further, the method may include executing, by the first program, the agent installer to install the agent on the first compute node.
Type: Application
Filed: December 22, 2022
Publication date: July 11, 2024
Inventors: LEENA SHUKLENDU SOMAN, RUSHIT NILAY DESAI, SUSHANT SHARAD RAVALE, SACHIN SHINDE, ELANGO MUTHU
-
Publication number: 20240193049
Abstract: A method for virtual computing instance remediation is provided. Some embodiments include retrieving a first backup of a virtual machine from storage, the first backup comprising configuration information and data of the virtual machine, the configuration information comprising network connectivity information in a first software defined data center (SDDC) running on a first set of host machines. Some embodiments include configuring a second SDDC running on a second set of host machines based on the configuration information, where the second SDDC is network isolated from the first SDDC and powering on the virtual machine from the first backup in the second SDDC. Some embodiments include sending, from the virtual machine to a security platform, behavior information of the virtual machine running in the second SDDC and determining, based on the behavior information, whether the virtual machine running in the second SDDC is infected with malware.
Type: Application
Filed: December 13, 2022
Publication date: June 13, 2024
Inventors: Boris WEISSMAN, Bharath Kumar CHANDRASEKHAR, Kiran KAMATH, Piyush KOTHARI, Juan Pablo CASARES-CHARLES, Mamta BHAVSAR, Ryan Joseph TODD, Michael KOLECHKIN, David Aaron KRIEGER, Deepa SREEKUMAR, Sharath Nagaraj DWARAL, Kamala Narayan Balasubramanian SHARATH, Kedar THIAGARAJAN, Amol Abhay KHARE, Leena Shuklendu SOMAN, Mandar Kashinath NADGOUDA, Robert James SPEAKER
-
Publication number: 20240134672
Abstract: An example method may include determining, by a first program running on a first compute node, that a shared datastore connected to the first compute node includes address information for downloading an agent installer and proxy information for accessing a proxy server. The address information and the proxy information may be stored in the shared datastore by a second program running on a second compute node based on a user-configured input. Further, the method may include reading, by the first program, the proxy information and the address information from the shared datastore. Furthermore, the method may include downloading, by the first program, the agent installer from a destination server corresponding to the address information via a proxy server associated with the proxy information. Further, the method may include executing, by the first program, the agent installer to install the agent on the first compute node.
Type: Application
Filed: December 22, 2022
Publication date: April 25, 2024
Inventors: LEENA SHUKLENDU SOMAN, RUSHIT NILAY DESAI, SUSHANT SHARAD RAVALE, SACHIN SHINDE, ELANGO MUTHU
-
Publication number: 20240028372
Abstract: Systems and methods are provided for efficiently registering cloned VMs while preventing unnecessary subsequent registrations. Two independent threads can execute on a cloned VM and control different variables indicating whether registration is needed or has already been performed. A first thread can set a first variable based on an internal identifier of the cloned VM relative to the parent VM. It can also check a second variable, set by a second thread, based on an external identifier of the cloned VM not being updated at a backend cloud service. It can then set a third variable indicating whether registration has been triggered or not, based on the other variables. To avoid duplication, the second thread sets the second variable based on both the external identifier as well as a status of the first variable. The variables can be atomic variables to avoid multi-thread interference and undesirable thread locks.
Type: Application
Filed: October 13, 2022
Publication date: January 25, 2024
Inventors: MANDAR NANIVADEKAR, LEENA SHUKLENDU SOMAN
-
Publication number: 20240012671
Abstract: A system is described providing ways to track and save the status of hardening processes performed by a hardening agent executing on a master virtual machine (VM) to prepare it for cloning. The hardening agent can produce progress updates for prerequisite hardening processes being carried out and the updates can be used by the management server to track and save the hardening state of the master VM. When the VM is powered off, the latest hardening state can be saved to make it available to administrators, and the hardening state can be automatically retained with a snapshot created of the master VM. When all prerequisite hardening processes are met, the master VM status is changed to indicate that it is ready to clone.
Type: Application
Filed: September 6, 2022
Publication date: January 11, 2024
Inventors: LEENA SHUKLENDU SOMAN, RUSHIT NILAY DESAI, AMOL ABHAY KHARE, KRISHNENDRA NANDI, RANJIT TEJASINGH JADHAV
-
Patent number: 11822951
Abstract: Example methods are provided to use a guest monitoring mode (GMM) module in a hypervisor to authenticate hypercalls sent by a guest agent to the GMM module. The GMM module uses reference information, including thread information associated with a thread, to determine whether a hypercall associated with the thread was issued by the trusted guest agent or by potentially malicious code.
Type: Grant
Filed: July 27, 2020
Date of Patent: November 21, 2023
Assignee: VMWARE, INC.
Inventors: Prasad Sharad Dabak, Leena Shuklendu Soman
-
Patent number: 11816218
Abstract: Example methods are provided to use a guest monitoring mode (GMM) module in a hypervisor to monitor for attempts to maliciously modify operating system (OS) kernel objects in a virtualized computing environment. A created OS kernel object is migrated to a memory space where the GMM module can detect an attempt to modify the OS kernel object. The GMM module uses reference information to determine whether the modification is authorized by trusted OS kernel code or is being attempted by malicious code.
Type: Grant
Filed: July 26, 2020
Date of Patent: November 14, 2023
Assignee: VMWARE, INC.
Inventors: Prasad Sharad Dabak, Leena Shuklendu Soman
-
Publication number: 20230229756
Abstract: Rapid launch of secure executables in a virtualized environment includes using a persisted security cache in a virtualized component (VC), such as a virtual machine. The VC generates a cache integrity value (IV), such as a hash value, for the security cache and sends it to a remote validator, which returns an indication of security cache validity or invalidity. Upon receiving a request to execute applications, the VC analyzes whether the applications have been determined to be safe to execute and have not been altered. The VC retrieves application IVs from the security cache, rather than hashing each of the applications, thereby saving compute time, and sends the application IVs to a remote validator, which returns an indication of application validity or invalidity.
Type: Application
Filed: March 23, 2022
Publication date: July 20, 2023
Inventors: VASANTHA KUMAR DHANASEKAR, Shirish Vijayvargiya, Bharath Kumar Chandrasekhar, Leena Shuklendu Soman
-
Publication number: 20230222237
Abstract: Virtual computing instance (VCI) agent authentication in a public cloud can include running a periodic task by an agent on a VCI created from a VCI base image on a public cloud backend, where the VCI base image includes the agent. The periodic task can include querying a basic input/output system (BIOS) identifier of the VCI and calculating a hash of a string of media access control (MAC) addresses associated with the VCI. In response to the BIOS identifier and/or the hash not being stored in association with the agent, the periodic task can include authenticating the agent with the public cloud backend.
Type: Application
Filed: March 9, 2022
Publication date: July 13, 2023
Inventors: Mandar Nanivadekar, Leena Shuklendu Soman
-
Publication number: 20230222210
Abstract: A method for automatically reregistering a clone virtual machine with a cloud security monitoring service is provided. The method generally includes detecting a connection between a cloud agent running in a virtual machine on a host and a hypervisor module on the host. In response to detecting the connection, the cloud agent queries the hypervisor module for one or more first identifiers of the virtual machine. The method generally includes checking a database, by the cloud agent, for one or more second identifiers stored in the database matching the one or more first identifiers received from the hypervisor module and, based on finding no second identifiers stored in the database matching the one or more first identifiers, sending a request to the cloud security monitoring service to register the virtual machine with the cloud security monitoring service.
Type: Application
Filed: March 23, 2022
Publication date: July 13, 2023
Inventors: Leena Shuklendu Soman, Bharath Kumar Chandrasekhar, Shirish Vijayvargiya, Vasantha Kumar Dhanasekar, Vaibhav Mohan Rekhate
-
Publication number: 20230208810
Abstract: Example methods and systems for a computer system to perform context-aware service query filtering are described. One example may involve a computer system intercepting a service query from a virtualized computing instance to pause forwarding of the service query towards a destination; and obtaining context information associated with an application running on the virtualized computing instance. In response to determination that the service query is a potential security threat based on the context information, service query filtering may be performed to inspect the service query for malicious activity. Otherwise, in response to determination that the service query is not a potential security threat based on the context information, the service query filtering may be skipped and the service query forwarded towards the destination.
Type: Application
Filed: February 17, 2022
Publication date: June 29, 2023
Inventors: VASANTHA KUMAR DHANASEKAR, SHIRISH VIJAYVARGIYA, LEENA SHUKLENDU SOMAN
-
Patent number: 11671404
Abstract: The disclosure provides an approach for network security. Embodiments include receiving, by a kernel of a first machine, via a hook in a protocol stack of the first machine, one or more packets of a connection between the first machine and a second machine. Embodiments include generating a metadata object for the connection based on at least a subset of the one or more packets. Embodiments include adding the one or more packets to a queue accessible by a security component of the first machine. Embodiments include determining, based on the metadata object, whether to continue capturing additional packets of the connection. Embodiments include receiving, from the security component, a security determination regarding the connection based on the one or more packets. Embodiments include performing an action with respect to the connection based on the security determination.
Type: Grant
Filed: August 27, 2020
Date of Patent: June 6, 2023
Assignee: VMware, Inc.
Inventors: Mandar Nanivadekar, Leena Shuklendu Soman
-
Publication number: 20220214904
Abstract: The disclosure provides an approach for hypervisor-assisted security analysis. Embodiments include receiving, at a hypervisor on a host computer, events from one or more virtual computing instances (VCIs). Embodiments include analyzing, by the hypervisor, the events according to one or more rules to identify a subset of the events for additional analysis. Embodiments include compressing, by the hypervisor, the subset of the events by performing deduplication to produce a compressed subset of the events. Embodiments include transmitting, by the hypervisor, the compressed subset of the events over a network to a separate analysis component, wherein the separate analysis component performs the additional analysis.
Type: Application
Filed: March 3, 2021
Publication date: July 7, 2022
Inventors: Bharath Kumar Chandrasekhar, Leena Shuklendu Soman, Vasantha Kumar Dhanasekar
-
Publication number: 20220141145
Abstract: Described herein are systems and methods to filter and classify multicast network traffic. In one example, a first computing node may receive a multicast communication from a second computing node and register a context for a flow associated with the multicast communication, wherein the context includes at least the multicast port associated with the multicast communication. The first computing node further identifies an outbound communication destined for the second computing node and determines that addressing attributes in the outbound communication match the context for the flow. Once it is determined that the attributes match the context for the flow, the first computing node associates the outbound communication with the flow.
Type: Application
Filed: January 14, 2022
Publication date: May 5, 2022
Inventors: VAIBHAV MOHAN REKHATE, LEENA SHUKLENDU SOMAN
-
Publication number: 20220021649
Abstract: The disclosure provides an approach for network security. Embodiments include receiving, by a kernel of a first machine, via a hook in a protocol stack of the first machine, one or more packets of a connection between the first machine and a second machine. Embodiments include generating a metadata object for the connection based on at least a subset of the one or more packets. Embodiments include adding the one or more packets to a queue accessible by a security component of the first machine. Embodiments include determining, based on the metadata object, whether to continue capturing additional packets of the connection. Embodiments include receiving, from the security component, a security determination regarding the connection based on the one or more packets. Embodiments include performing an action with respect to the connection based on the security determination.
Type: Application
Filed: August 27, 2020
Publication date: January 20, 2022
Inventors: MANDAR NANIVADEKAR, LEENA SHUKLENDU SOMAN