Microsoft Research Develops Undetectable Malware Scanner for Virtual Machines

Many businesses have replaced traditional desktops with virtual machines located in the cloud. Each virtual machine is an exact replica of a standard desktop complete with an operating system that is located on a cloud service provider’s server. One cloud server can house many virtual machines that run simultaneously. While antivirus software can be used on virtual machines, the signature-based detection is only good at identifying known malware. Malware that has yet to be identified and have its signature added to antivirus virus definition lists will remain active and operate undetected for long periods of time.

Microsoft Research has been working on a solution for identifying these unknown malware variants in the cloud and has announced that a solution is now up and running. When traditional antivirus scans are conducted, sophisticated malware can detect the scan and exit to evade detection. Microsoft’s solution conducts scans completely undetected by even the most sophisticated malware variants.

The malware scanner was developed by Microsoft Research under the name Project Freda, taking its name from the street where Marie Curie was born. Marie Curie was a pioneer in battlefield imaging. Microsoft’s solution performs revolutionary imaging too, albeit on a different battlefield.

“While snapshot-based memory forensics is a field now in its second decade, no commercial cloud has yet provided customers the ability to perform full memory audits of thousands of virtual machines (VMs) without intrusive capture mechanisms and a priori forensic readiness,” explained Microsoft in a blog post announcing the launch of the new solution. “Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button—no setup required.”

Malware is big business. If malware developers can develop malware that can remain undetected for long periods, their malicious code is extremely valuable. Microsoft’s aim is to increase the development cost of this malware to a point where it is simply no longer profitable. If malware scans can detect all forms of malware, regardless of the level of sophistication, the cloud will no longer be a suitable place for cyberattacks.

Project Freta is capable of automatically fingerprinting and auditing a memory snapshot of most cloud-based Linux VMs and supports over 4,000 kernel versions. Hyper-V checkpoint files captured from a modern enterprise can be searched for everything from cryptominers to advanced kernel rootkits. A prototype has been released which is available through a free to access analysis portal that can be linked to Azure accounts.

The scanner searches for evidence of OS and sensor sabotage in memory snapshots of live Linux systems. Since the scanner leaves the memory intact and doesn’t run any code in the memory, it is impossible for malware to detect.

Microsoft will add in a feature that allows the memory to be copied from live VM’s for scanning offline, which will allow the system to be scaled up to allow scans to be performed on more than 10,000 VMs at a time. Microsoft started with Linux, but will now turn its attention to providing Windows support.

Further information on Protect Freta can be found here.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of