
Paper Abstract

Online Anti-virus Technology of Processes Running on Windows VM Based on KVM

(Chinese title: 基于KVM的Windows客户机进程查杀技术, "KVM-based process scanning and killing technology for Windows guests")

Authors: Cui Jingsong (School of Computer Science, Wuhan University; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University); Xiang Hao (School of Computer Science, Wuhan University); Guo Chi (GNSS Research Center, Wuhan University); Zhang Ya'na (School of Computer Science, Wuhan University); He Song (School of Computer Science, Wuhan University)

Received: 2014-06-23          Year, volume(issue): pages: 2014, 46(6): 7-13

Journal: Advanced Engineering Sciences (工程科学与技术)

Keywords: KVM virtualization; virtualization security; agentless technique; process monitoring; PE image restoration; process termination

Funding: National High-Tech R&D Program of China (863 Program) (2013AA12A206); National Natural Science Foundation of China (41104010; 91120002; 61170026)

Abstract

Traditional anti-virus architectures cannot exploit the advantages of virtualization to counter the malware threats faced by Windows systems on cloud platforms, and traditional anti-virus software is itself exposed to attack. To address this, an agentless online anti-virus technique for processes running in Windows guests on KVM is proposed. Functions for reading and writing guest memory are added to the KVM kernel module, and an interface is provided through which a process-handling kernel module registers hooks; with these, the guest's current process information is resolved from outside the guest. The PE (portable executable) image of each process is roughly restored from memory into the form of its pre-execution disk file, and the open-source anti-virus engine ClamAV (Clam AntiVirus) is invoked to scan it. Scan results are returned to a decision module, after which the process-handling kernel module acts on suspicious processes, giving agentless scanning and killing of the guest's current processes. Analysis and test results show that, by using the advantages of virtualization, the technique addresses the resource consumption and self-protection problems of traditional anti-virus frameworks.
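The step the abstract describes, restoring a process's in-memory PE image to its disk-file layout before handing it to ClamAV, as an added Python example. This is not the paper's code and does not touch KVM or guest memory: it simulates the Windows loader on a synthetic PE32+ constructed inline (no relocations, no import resolution), then moves each section from its VirtualAddress back to its PointerToRawData, which is the core of the "restore to disk form" step. The field offsets are those of the PE format; the sample binary, its section contents and alignments are assumptions made for the demonstration.

```python
import struct
from collections import namedtuple

# Section header fields needed to move data between the two layouts.
Section = namedtuple("Section", "name vsize va rawsize ptr")


def align(x, a):
    """Round x up to a multiple of a."""
    return (x + a - 1) // a * a


def parse_pe(buf):
    """Parse the DOS/NT/section headers, which sit at the same offsets in the
    disk file and in the mapped image. Returns (SizeOfHeaders, SectionAlignment,
    FileAlignment, SizeOfImage, [Section, ...]). Works for PE32 and PE32+, whose
    optional headers agree up to and including SizeOfHeaders."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", buf, coff + 2)[0]
    opt_size = struct.unpack_from("<H", buf, coff + 16)[0]
    opt = coff + 20
    sect_align, file_align = struct.unpack_from("<II", buf, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, ptr = struct.unpack_from("<8sIIII", buf, off)
        sections.append(Section(name.rstrip(b"\0"), vsize, va, rawsize, ptr))
    return size_of_headers, sect_align, file_align, size_of_image, sections


def map_image(disk):
    """Simulate the Windows loader: headers at RVA 0, each section at its
    VirtualAddress, everything else zero-filled (no relocation, no IAT fix-up).
    Stands in for the bytes the KVM-side module would read from guest memory."""
    hdr, _, _, size_of_image, sections = parse_pe(disk)
    mem = bytearray(size_of_image)
    mem[:hdr] = disk[:hdr]
    for s in sections:
        mem[s.va:s.va + s.rawsize] = disk[s.ptr:s.ptr + s.rawsize]
    return bytes(mem)


def restore_pe_image(mem):
    """Rebuild the on-disk layout from a process image read out of memory:
    copy SizeOfHeaders bytes, then move each section from VirtualAddress back
    to PointerToRawData. A section whose pages were only partially readable
    (e.g. paged out in the guest) is copied as far as it goes and zero-padded,
    so the result is approximate, as the abstract says."""
    hdr, _, _, _, sections = parse_pe(mem)
    end = max([s.ptr + s.rawsize for s in sections] + [hdr])
    out = bytearray(end)
    out[:hdr] = mem[:hdr]
    for s in sections:
        if s.rawsize == 0:          # uninitialised data (.bss style): nothing on disk
            continue
        chunk = mem[s.va:s.va + s.rawsize]
        out[s.ptr:s.ptr + len(chunk)] = chunk
    return bytes(out)


def build_sample_pe():
    """Construct a minimal PE32+ file (disk layout) with .text and .data.
    Synthetic test input, not a real binary."""
    FA, SA = 0x200, 0x1000
    payload = [(b".text", b"\x55\x48\x89\xe5\x90\xc3" + b"\xcc" * 10),
               (b".data", b"hello, clamav\0")]
    e_lfanew, opt_size = 0x40, 240
    size_of_headers = align(e_lfanew + 4 + 20 + opt_size + 40 * len(payload), FA)
    sect_hdrs, raws, ptr, va = b"", b"", size_of_headers, SA
    for name, data in payload:
        rawsize = align(len(data), FA)
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, rawsize,
                                 ptr, 0, 0, 0, 0, 0x60000020)
        raws += data.ljust(rawsize, b"\0")
        ptr += rawsize
        va += align(len(data), SA)
    # PE32+ optional header: va after the loop is SizeOfImage.
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x200, 0x200, 0, SA, SA, 0x140000000, SA, FA,
                      6, 0, 0, 0, 6, 0, 0, va, size_of_headers, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    coff = struct.pack("<HHIIIHH", 0x8664, len(payload), 0, 0, 0, opt_size, 0x22)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    headers = (dos + b"PE\0\0" + coff + opt + sect_hdrs).ljust(size_of_headers, b"\0")
    return headers + raws


if __name__ == "__main__":
    disk = build_sample_pe()
    print("round trip exact:", restore_pe_image(map_image(disk)) == disk)
```

The round trip is exact only for this idealised mapping. In a real guest the loader has already applied base relocations and filled the import address table, and the process may have written to its own data pages, so the restored file differs from the original in those bytes: hash-based ClamAV signatures will generally not match, while byte-pattern signatures over code sections largely still do. The KVM-side reader also has to walk the guest's page tables and may find pages non-resident, which is where the zero-padding path above matters.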


Copyright © 2020 Sichuan University Journal Press. All rights reserved.

Address: No. 24, South Section 1, Yihuan Road, Chengdu

Postal code: 610065