Jay Lorch, Bryan Parno, and Helen Wang
5 April 2007
Today's desktop PCs rely on security software such as anti-virus products and personal firewalls for protection. Unfortunately, malware authors have adapted by specifically targeting and disabling these defenses, a practice exacerbated by the rise in zero-day exploits. In this paper, we present the design, implementation, and evaluation of SAV-V, a platform that enhances the detection capabilities of anti-virus software. Our platform leverages virtualization to preserve the integrity of AV software and to guarantee access to AV updates. SAV-V also uses secure logging and a split file system to preserve the fidelity of input to the AV program. Combined with our technique of fake shutdowns, these measures allow SAV-V to eventually detect any zero-day malware that writes to disk. Benchmarks of our prototype system suggest that SAV-V can be implemented efficiently, and we validate our prototype by testing it against real-world malware.