There is a simple answer to this, and of course, a more complex one.


Simple answer.

No. The virtual application is read only and cannot be infected once it has been sequenced.


Complex answer.

There are several places a virus or malware can be introduced, let’s take a look at each of those areas.


The Sequencer. If the application media or the sequencer contains malware or a virus, then the sequenced application will probably be compromised, and it will be distributed to the clients in that state. Best practice is to keep the sequencer in a known and consistent state: a base or core build, pre-scanned for viruses and malware (the scanner itself should be disabled during the install). You can scan the sequencer either online (using the latest signatures before any sequencing) or, if it is a virtual machine, offline by mounting its file system. The installation media should also be scanned, either by installing it on a virtual machine and scanning that, or by using media that is already deployed in the environment.

Therefore, the answer to “can the sequenced application be infected?” is No. Theoretically it can, but I’d be far more worried about the rest of the environment if the basics were flawed.


SoftGrid Application Primary Cache. This cache is the local copy of the streamed application; it is read only and in a proprietary format. It could only be infected by streaming a compromised application. See my point on The Sequencer.

Therefore, the answer to “can the client global cache be infected?” is No.


The User Abstraction Cache. This is the machine global update cache and contains updates from the client machine (the PKG files, also known as the "personalisation abstraction layer"). For example, a user reads v-Outlook email and it wasn’t sequenced with RMS; they go to the Internet and install RMS, and this component is kept in the update cache. The cache is read only once it has been created. It can be infected in one of two ways: 1. the source update was infected, or 2. the host machine was infected (see next section). Again, assuming reasonable protection is in place and users are not downloading infected updates throughout the company, point 1 is moot.

Therefore, the answer to “can the client global update cache be infected?” is No.


The host operating system. If the host operating system is infected with a virus or malware, then several attacks may be attempted. For a virus: if the application is not running, the virus cannot see it (as it is not actually installed) and therefore cannot attempt the infection; if the application is running, the virus will attempt to infect the application and fail, as it cannot gain access to the SystemGuard environment. It may, however, add itself to the abstraction cache as an update. Another example is a chain mail virus that kicks off and looks to attach to v-Outlook. It tries to launch the .EXE but can’t, as it cannot see it, and it cannot connect to view its address book etc.

If the attack is malware (for example, a macro), then it has the same restrictions as a virus: it cannot alter the contents of the SystemGuard environment, and any changes to the binaries are stored in the abstraction cache (see picture below). The difference is that although the macro is instantiated by the virtualised application, it can alter the host machine; for example, it can alter DLLs or executables on the host. It should also be noted that any malware running within a virtual environment would still be a real process in Windows; thus, that process will be monitored by the active anti-virus/malware scanner, and all the malware’s attempted writes would also be monitored.

This type of infection actually has nothing to do with SoftGrid; however, in these scenarios SoftGrid offers additional protection and several new recovery abilities, namely resetting the application to the core cache and the ability to re-populate the machine instantly.


But what if something goes wrong and all your risk mitigation and precautions fail? If the host is infected and has infected the abstraction cache, you can simply clean the PC and reset the SoftGrid client cache (the user can do this if required). If the sequenced application is infected, simply resequence, then replace the virtual application file on the server or increment the version.
