Virtualization-based security (VBS) has been part of Windows since Windows 10 (2015) and is on by default on most new Windows 11 devices. VBS uses the Windows hypervisor to carve out an isolated region of memory, called Virtual Secure Mode (VSM, or virtual trust level 1), that the normal operating system kernel cannot read or write. Secrets and security checks placed there stay protected even if malware gains kernel-level control of the main OS.
The same hardware virtualization also underpins a second, related idea: running untrusted content in a throwaway virtual machine (a sandbox such as Windows Sandbox, Microsoft Defender Application Guard, or a third-party micro-VM product). That lets you open a file or link you're unsure of without risking the host.
It's well known that data that isn't connected to anything is the hardest to steal. VBS tries to approximate that for secrets that must stay on a connected machine, such as logon credentials.
Virtualization-based security, and the sandboxing built on the same hypervisor, has use cases on both individual and fleet devices. This article groups them into three main uses:
- Data protection
- OS stability
- Key software isolation
Next, I'll look deeper into these three uses and how Windows implements them. I'll also go through the practical and theoretical limits of what VBS can do for you.
VBS: All You Need to Know
Most devices you'll encounter run a single operating system on a single set of hardware: desktops, laptops, and phones alike. Virtualization lets a hypervisor share that hardware between several isolated environments, each with its own view of memory, and keeps them from reading each other's state.
VBS uses that isolation in two directions. In VBS proper, the hypervisor runs a small secure environment alongside Windows; the secure kernel, the isolated LSA process (Credential Guard), and the code-integrity checks of HVCI live there, and the regular kernel cannot reach in. In the sandbox direction, Windows Sandbox and Application Guard start a disposable VM with its own copy of the OS, so whatever a malicious file does there does not touch the host's files, and the whole VM is discarded when closed.
For instance, if you need to open a suspicious link from an email, open it in the sandbox VM. If the page turns out to be safe, you can visit it normally for performance. If it's a phishing or exploit page, the sandbox contains the damage and is thrown away along with anything the page dropped. Note what the sandbox does not do: it won't stop you typing your password into a convincing phishing form; it only stops the page from persisting malware on the host.
Why You Need VBS
Extra isolation is beneficial in almost any setting, and VBS is cheap to enable on supported hardware: a single toggle in the Windows Security app. It's not a cure-all, though, and it helps to be precise about what it blocks.
Your system gives up a few percent of CPU performance to the hypervisor (more on CPUs without hardware support for mode-based execution control). In return, you blunt the two outcomes that most often follow a successful phishing email or malware infection in small and midsize companies: credential theft from memory, and the loading of unsigned kernel code such as rootkits and malicious drivers.
Primarily, HVCI (shown as memory integrity) protects the kernel itself. Kernel-mode malware runs at the same privilege as the antivirus and the OS, can hide from both, and can persist unnoticed for a long time. HVCI keeps unsigned or tampered kernel code from ever becoming executable.
Additionally, you get data protection. Credential Guard moves the secrets most valuable to an attacker (NTLM hashes, Kerberos tickets) into the isolated region, disconnected from the rest of the system and its processes. Tools that dump LSASS memory from the main OS no longer see them, even when running as SYSTEM.
Key Software Isolation
Virtualization isolates key applications so that neither malware nor an unstable update can affect the rest of the machine. For example, Application Guard opens untrusted sites in a browser running inside a separate VM. You can click any link or visit any page there without fearing lasting effects on the host's browser profile.
Once you close the sandbox the VM is deleted, and the next one starts again from the same clean image copied from the main machine; nothing the page changed carries over.
Even for individuals, some apps are crucial for your business. Design apps, productivity apps, or communication and CRM apps can be something you rely on daily. Because these are as significant to you as the operating system, you should protect them too.
VBS can also split a single security-critical component so that its sensitive half sits out of reach of anything with system-wide kernel-mode control. This is exactly how Credential Guard treats the Local Security Authority: the normal user-mode LSASS process still answers the rest of the system, which keeps it accessible and easy to integrate with, while the secrets themselves live in an isolated LSA process (LsaIso.exe) in the secure environment, and only that process can use them.
This means that by using virtualization-based security, you anchor the key application data in a safe environment. Simultaneously, you keep the usable part as available as it should be.
Take note that this isn't a replacement for other types of security. Your system will still need regular patching and monitoring. Malware on an infected computer can still abuse the data and sessions you're currently using: it can ask Windows to authenticate on its behalf even though it cannot read the underlying credential. With regular checks, even the most exposed devices can be kept safe.
Limits of VBS Protection
Take note that VBS isolates specific components; it is not a barrier around the whole device. It does nothing about infection vectors that bypass the isolated parts. If removable storage directly infects a computer, or a user runs a malicious executable on the host, VBS won't save the session. A sandbox only protects what you open inside it, not apps running outside it.
The most frequent issues are with apps that are trusted and run on the host without any isolation. This is often the case in companies with CRM apps. If one of those apps is compromised, so is the session it runs in, and VBS won't undo that.
This is why you should run VBS together with an EDR or antivirus, a firewall, and timely patching. Together they create a multi-layered defense rather than a single point of failure.
VBS Data Protection
The biggest advantage of the isolated region is that it's detached from the rest of the running system. That includes apps and drivers that are always on. Existing malware that has infected the device can't reach into it.
This holds because the hypervisor, not the Windows kernel, decides which memory each side may touch. Kernel-mode malware in the main OS can still crash the machine or wipe the disk, but it can't read the secrets held by the isolated LSA, and it can't alter the code-integrity state HVCI keeps there.
With credentials stored in the isolated region, they're separated from the rest of your device at the hardware level. Apps can't reach or even see that memory; only the narrow interfaces the secure kernel exposes are available, and that's by design.
In this case, VBS operates in reverse of the sandbox. It doesn't protect your main system from anything inside the isolated region. Rather, it protects the data in the isolated region from malware on the main device.
Even a kernel-level implant instructed to survey, record, or exfiltrate memory won't be able to read what the isolated region holds. It can, however, still use the compromised session to authenticate, so VBS limits the blast radius rather than eliminating it.
Protecting data this way isn't as safe as keeping it physically disconnected from the system. Yet, businesses need credentials available to many people at different times. In those cases, this protection is very functional.
Operating System Stability
Modern malware targets the kernel and its drivers (the files under the infamous ''System32'' folder on Windows) because code running there sits beneath the antivirus and the OS's own checks. These kernel-mode components are critical for the OS to work, and anything that runs among them inherits their privilege.
Kernel-level attacks usually start with an ordinary application: an installer ships a malicious or vulnerable driver, or a user-mode exploit is chained with a kernel privilege-escalation bug. Once malicious code is loaded in the kernel it can hide its own files and processes, and the only reliable way to remove it is to roll back the operating system or install a completely new one.
HVCI prevents the first step by refusing to let kernel-mode code execute unless it passes a signature check made in the isolated region, and by keeping kernel memory from being writable and executable at the same time. Unsigned drivers and code injected into kernel memory simply never run. Two caveats: a legitimately signed but vulnerable driver (the ''bring your own vulnerable driver'' technique) still loads unless it's on Microsoft's vulnerable driver blocklist, and HVCI does nothing about user-mode malware, which is why the sandboxing side still matters.
Now, I’ll go deeper into what virtualization based security is, and give a few examples of virtualization software.
What Is Windows Virtualization Based Security?
A virtual machine, or VM, is a separate operating system instance running on the same hardware under a hypervisor. It can isolate data, apps, or processes from the main OS. VBS uses this principle in two directions: a protected environment for sensitive state, and a disposable sandbox for apps and content that might come under attack.
When Windows enables VBS, the Windows hypervisor (the same one behind Hyper-V) starts before the kernel and places the normal kernel in a lower trust level (VTL0) while a small secure kernel runs at a higher one (VTL1). The hypervisor then enforces which memory each level may access; the normal kernel cannot read VTL1 memory no matter how badly it's compromised.
You still need the main OS for regular operations. Yet, that OS is what comes under attack from malware, spyware, and kernel privilege-escalation bugs such as CVE-2020-17087, a Windows kernel (cng.sys) buffer overflow exploited as a zero-day in 2020 to gain kernel-level control from a user-mode foothold.
Here, the secure environment stores credentials and code-integrity state where the normal kernel can't see them. An attacker who has won the kernel through a bug like that still can't read the information held there.
The other use of the hypervisor is sandboxing: running different systems and processes in an environment separate from the main OS. In that case, we can run apps and processes, or receive suspicious data, without risking the whole system.
With micro-virtualization products such as Bromium, it becomes practical to isolate every single untrusted task on the device (each browser tab, document, or email attachment) in its own tiny VM and observe it there. For businesses, this lets everyone work with relative ease while still being contained from malware.
Businesses, unlike regular users, have multiple people who need to open multiple apps. These users are seldom careful about what they open. Additional app isolation in those cases makes the difference between smooth operations and device downtime.
Bromium was founded as a startup in 2010 with the express goal of using virtualization to reduce endpoint threats such as malware. From its founding, it created several software solutions for this purpose.
In 2019, Bromium was acquired by HP (formerly Hewlett-Packard), which folded its micro-virtualization into HP's endpoint security line (HP Sure Click Enterprise) for HP devices. Bromium partnered with Microsoft in 2015, and its products run on Windows 10.
Bromium's approach keeps a pool of pre-initialised micro-VMs ready, built on the CPU's hardware virtualization extensions. When an untrusted process starts, it's launched inside one of these micro-VMs as a sandbox, and its behaviour is monitored from outside the VM while it runs. The process and the main system stay separate throughout. Once the task is finished, the micro-VM, and any malware that ran inside it, is discarded.
This has specific uses against malicious links and phishing. If you click a malicious link, the page opens in a micro-VM that takes very little processing power. If the page turns out to be malicious, the micro-VM is terminated and what the attack attempted can be recorded for analysis, so it never reaches your system.
Now, I will go through how to see if your VBS is activated in Windows, and if not, how you may be able to activate it.
How Does Windows Use VBS?
Since Windows 10 (2015), Windows has included Hypervisor-protected code integrity (HVCI), shown in the Windows Security app as ''memory integrity''. HVCI does not run software through a VM to test it. Instead, it moves the kernel's code-integrity checks into the isolated region and has the hypervisor enforce the result: a kernel-mode page can only be marked executable after its signature has been verified there, and no kernel page can be writable and executable at once. On current versions, drivers on Microsoft's vulnerable driver blocklist are refused as well.
This covers every piece of kernel-mode code on the device: Windows itself, third-party drivers, and anything malware tries to inject. HVCI does not inspect user-mode programs or web content, so it won't protect you from a phishing link you click on; that is the job of the browser sandbox and Application Guard.
The main advantage of this system is that new kernel-mode exploits have far less to work with. A bug that lets an attacker write into kernel memory no longer lets them run their own code there, so many privilege-escalation chains stop short of a working rootkit.
Yet, the drawback is performance. On a CPU without Mode-Based Execution Control (Intel, 7th generation and later) or Guest Mode Execute Trap (AMD, Zen 2 and later), the hypervisor has to emulate the separation of user-mode and kernel-mode execute permissions, and an older laptop can feel visibly slower. On supported CPUs the overhead is a few percent.
VBS on Windows 11
Windows 11 turns VBS and HVCI on by default on new devices that meet its hardware requirements. The practical catch is drivers: HVCI refuses to load any kernel driver that is unsigned, that needs memory which is both writable and executable, or that is on the vulnerable driver blocklist, so some older hardware and third-party drivers stop working until the vendor ships an HVCI-compatible version. The security feature itself works; the compatibility issues are on the driver side.
Namely, as with every new Windows release, plan for a period of driver and legacy-application updates. For a system admin, it's better to pilot Windows 11 with memory integrity enabled on a representative group of machines before a company-wide rollout; the Windows Security app lists incompatible drivers under Core isolation.
If you're starting out with a completely new fleet, a fresh Windows 11 install is the better option. You won't face unexpected changes, and your company can use all of the new OS's features, including the secure defaults above.
HVCI is an integral Windows security tool. If you have a relatively modern computer, it shouldn't be even the slightest problem. It keeps kernel-focused malware from executing any code that hasn't passed a signature check, including drivers that carry no valid certificate.
You can turn it off for improved performance if you're running an older device. Yet, consider investing in newer hardware for maximum security. That's especially true if your devices are constantly online or share data.
How to Test if VBS Is Enabled on Your Device
Checking your VBS status on both Windows 10 and Windows 11 is easy. Provided that you have all of the updates, the information is in the System Information app directly.
To do so, follow these steps:
- Press the Win key on your keyboard or click the Windows logo on the taskbar (bottom left on Windows 10, centered on Windows 11).
- Type msinfo32 and open System Information. In the System Summary, look for the lines ''Virtualization-based security'' (Running or Not enabled) and ''Virtualization-based security Services Running'', which lists Hypervisor enforced Code Integrity and Credential Guard when they are active.
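As an added example (not code from the original article), here is a PowerShell script that reads the same Win32_DeviceGuard WMI class that msinfo32 displays and decodes its numeric codes into the names you see in System Information. Run it in an elevated PowerShell window. The value tables are the documented ones for that class; the function name `Test-VbsStatus` is my own.

```powershell
# Added example: decode VBS / HVCI / Credential Guard status from WMI.
# Requires Windows 10/11 and an elevated PowerShell session.

$VbsStatusNames = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$ServiceNames   = @{ 1 = 'Credential Guard'
                     2 = 'Hypervisor enforced Code Integrity (memory integrity)'
                     3 = 'System Guard Secure Launch'
                     4 = 'SMM Firmware Measurement' }
$PropertyNames  = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
                     4 = 'Secure Memory Overwrite'; 5 = 'UEFI Code Readonly'
                     6 = 'SMM Security Mitigations 1.0'; 7 = 'Mode Based Execution Control'
                     8 = 'APIC virtualization' }

function Convert-CodeList {
    # Translate an array of numeric codes into readable names; unknown codes stay visible.
    param([uint32[]]$Codes, [hashtable]$Names)
    if (-not $Codes -or $Codes.Count -eq 0) { return '(none)' }
    ($Codes | ForEach-Object {
        if ($Names.ContainsKey([int]$_)) { $Names[[int]$_] } else { "unknown($_)" }
    }) -join ', '
}

function Test-VbsStatus {
    # Returns an object summarising what msinfo32 shows, plus two booleans you can act on.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    [pscustomobject]@{
        VbsStatus              = $VbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = Convert-CodeList $dg.SecurityServicesConfigured  $ServiceNames
        ServicesRunning        = Convert-CodeList $dg.SecurityServicesRunning     $ServiceNames
        RequiredProperties     = Convert-CodeList $dg.RequiredSecurityProperties  $PropertyNames
        AvailableProperties    = Convert-CodeList $dg.AvailableSecurityProperties $PropertyNames
        # 0 = off, 1 = audit mode, 2 = enforced
        KernelCiEnforcement    = $dg.CodeIntegrityPolicyEnforcementStatus
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

$status = Test-VbsStatus
$status | Format-List

# Warn if memory integrity is configured but not actually running, e.g. because an
# incompatible driver blocked it or Secure Boot is off in firmware.
if (-not $status.HvciRunning) {
    Write-Warning 'HVCI (memory integrity) is not running on this machine.'
}
```

The distinction between ServicesConfigured and ServicesRunning is the one to watch: a policy can set HVCI or Credential Guard to "configured" while the hypervisor refuses to start it, and only the Running list reflects what is actually protecting the box.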
If it’s disabled, you can enable it in 5 different ways. I’ll go through those next.
How to Activate VBS and HVCI in Windows
When reading through the information on virtualization-based security you'll often find ''specialized hardware'' and ''supporting hardware'' used interchangeably, even though they aren't the same thing.
The real requirements are a 64-bit CPU with virtualization extensions (Intel VT-x or AMD-V) and second-level address translation (Intel EPT or AMD RVI), UEFI firmware with Secure Boot, and ideally an IOMMU (Intel VT-d or AMD-Vi) for DMA protection and a TPM 2.0. None of that is specialized hardware; it has been standard on consumer chips for years, and server parts such as Intel Xeon or AMD Threadripper add cores, not new requirements. The one feature that matters for HVCI's performance is Mode-Based Execution Control (MBEC), available on consumer Intel chips since Kaby Lake (late 2016) and, as Guest Mode Execute Trap (GMET), on AMD since Zen 2 (2019). Without it HVCI still works, but with a visible performance cost.
With these, you have 5 options to turn on HVCI on both Windows 10 and Windows 11:
- Windows Security app
- Microsoft Intune
- Group Policy
- Microsoft Endpoint Configuration Manager
- Windows Registry
The registry values are the same settings that Group Policy writes; the difference is that you set them yourself and can add the UEFI lock. With the lock set, the configuration is also stored in a UEFI variable, so it can't be switched off remotely, only by someone physically present at the machine. For a fleet that's what you want; on a personal device where you may need to disable it for a driver, leave the lock off.
Still, the easiest way to activate VBS is with the Windows Security app. You don't even need to follow the entire path. Simply press the Win key, type memory integrity, and open the Core isolation page. It has an on/off switch for memory integrity (HVCI), which also turns on VBS. A reboot is required.
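As an added example (not code from the original article), a PowerShell script that applies the registry method: it writes the same values Group Policy does, optionally adds the UEFI lock and Credential Guard, and refuses to proceed if Secure Boot is off, because VBS configured to require Secure Boot would otherwise show as ''Enabled but not running''. The script and its switch names are my own; the key paths and values are the documented DeviceGuard and Lsa ones.

```powershell
# Added example: enable VBS + HVCI (and optionally Credential Guard) via the registry.
# Run elevated. A reboot is required for the change to take effect.
[CmdletBinding()]
param(
    [switch]$UefiLock,             # persist the setting in UEFI so it cannot be disabled remotely
    [switch]$CredentialGuard,      # also turn on Credential Guard (isolated LSA)
    [switch]$RequireDmaProtection  # require an IOMMU as well as Secure Boot
)

$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$HvciKey        = "$DeviceGuardKey\Scenarios\HypervisorEnforcedCodeIntegrity"
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Sanity check: VBS configured to require Secure Boot will not start without it.
#    Confirm-SecureBootUEFI throws on legacy BIOS systems, which is also a "no".
try {
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is disabled in firmware.' }
} catch {
    Write-Error "Secure Boot check failed: $_ Enable UEFI Secure Boot first."
    return
}

# 2. Turn on VBS and state which platform features it must have.
#    RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection.
$platformFeatures = if ($RequireDmaProtection) { 3 } else { 1 }
New-Item -Path $DeviceGuardKey -Force | Out-Null
Set-ItemProperty -Path $DeviceGuardKey -Name 'EnableVirtualizationBasedSecurity' -Type DWord -Value 1
Set-ItemProperty -Path $DeviceGuardKey -Name 'RequirePlatformSecurityFeatures'   -Type DWord -Value $platformFeatures

# 3. Turn on HVCI (memory integrity). Locked = 1 is the UEFI lock.
New-Item -Path $HvciKey -Force | Out-Null
Set-ItemProperty -Path $HvciKey -Name 'Enabled' -Type DWord -Value 1
Set-ItemProperty -Path $HvciKey -Name 'Locked'  -Type DWord -Value ([int]$UefiLock.IsPresent)

# 4. Optionally Credential Guard. LsaCfgFlags: 1 = on with UEFI lock, 2 = on without lock.
if ($CredentialGuard) {
    $lsaFlags = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $LsaKey -Name 'LsaCfgFlags' -Type DWord -Value $lsaFlags
}

# 5. Read back what was written so the change is visible before the reboot.
Get-ItemProperty -Path $DeviceGuardKey | Select-Object EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures
Get-ItemProperty -Path $HvciKey        | Select-Object Enabled, Locked
if ($CredentialGuard) { Get-ItemProperty -Path $LsaKey | Select-Object LsaCfgFlags }

Write-Host 'Reboot to apply. Then confirm with msinfo32 (Virtualization-based security: Running).'
```

Run it as `.\Enable-Vbs.ps1 -UefiLock -CredentialGuard` on a managed machine, or without `-UefiLock` on a device you may still need to reconfigure by hand. Setting `RequireDmaProtection` on a machine without an IOMMU has the same effect as missing Secure Boot: VBS stays configured but never starts, so check the Available properties first.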
Why Activate VBS and HVCI?
Every day, even experienced users make two big mistakes. Some think they're too small or insignificant to be targeted. Others believe they're too careful and knowledgeable for something like that to happen to them.
But remember that most malware is opportunistic. Phishing kits and commodity malware are sent at scale to whoever will open them, so everyone with internet access comes into contact with them sooner or later.
By activating VBS, you're accepting that you might run something malicious at some point, and deciding in advance what it will and won't be able to do. You sacrifice a little processing power for the hypervisor, and in return a kernel exploit can't load unsigned code and a memory-scraping tool can't read your credentials.
This lets you use the internet and communicate with others more freely while still being protected. As such, it's one of the pillars of your cybersecurity: one that limits threats even after they have reached the machine.
VBS Hardware Requirements
Running a hypervisor underneath Windows, and especially a micro virtual machine (MVM) for a single task, isn't very hardware-demanding. Yet, it still requires some processing power and, more importantly, the right CPU features. Take this into account when deciding on the tool. Otherwise, it'll be detrimental to your device's performance.
Older CPUs will be able to run VBS, but anything a decade old will have serious performance issues, because HVCI has to be emulated on them. Intel is slightly more forgiving when it comes to age: Mode-Based Execution Control has been present since Kaby Lake (7th generation, 2016/2017).
For AMD, the equivalent (Guest Mode Execute Trap) arrived with the Zen 2 architecture in 2019, which corresponds to the third generation of Ryzen chips. AMD processors are significantly more affordable if you're buying new. Yet, it's less likely that you already have a recent enough one installed on your devices.
If you're trying to patch up a secured system quickly and are looking at used parts, you'll more likely find a suitable Intel system. Especially while components are hard to find, even established companies should consider this option.
| | Intel | AMD |
|---|---|---|
| Price | Averages $400 | Averages $300 |
| Availability | More accessible in the US | More accessible worldwide |
| Processing power | Stronger per-core performance | More physical and logical cores on average |
| Compatibility | Requires same-generation motherboard | Compatible with all AM4 sockets |
In desktop and workstation CPUs, Intel has been on top for more than a decade, with AMD trailing behind. But that has come with a significant price tag on Intel's products. With the newer architectures from AMD, which of the two is viable is now an open question.
When it comes to CPUs that support VBS at all, it's possible to go as far back as something like the Xeon E3-1281 v3, a high-end Haswell model from 2014: it has VT-x and EPT, which is all the hypervisor needs.
The Intel Core i7 chips from the same generation, such as the i7-5960X, will run VBS too, but they predate Mode-Based Execution Control, so HVCI has to be emulated on them and costs more performance. Raw processing power isn't the issue on those parts; the missing feature is.
Ideally, you want at least the Kaby Lake architecture, which is the first with MBEC. If you don't need integrated graphics because a dedicated GPU provides them, the i5-7640X or the i7-7740X are examples of Kaby Lake chips that will run VBS and HVCI at full speed.
Processors from AMD are slightly more forgiving when it comes to the build as well as the price. On average, their CPUs are roughly 30% cheaper than Intel for the same category. However, you should only consider third-generation Ryzen (Zen 2) and later, and the matching Threadripper parts. Yet, those are rather new and comparatively rare in the US.
Currently, the line is on Zen 3 and Zen 3+, with Zen 4 planned for 2022. The Zen 2 you need as a minimum is only about three years old. As most enterprises didn't upgrade their systems during the pandemic, the architecture needed will often just not be there.
Namely, if you're switching from Intel to AMD, you'll also need appropriate motherboards. These will be hard to find for the next few months until the tech supply chain recovers.
If you are looking for new parts, a high-end Threadripper would do miracles for virtualization. The top models have 64 physical and 128 logical cores, which is ideal for running many MVMs at the same time.
But if you don't need to overspend, something like the Ryzen 5 3600X is enough: it has GMET, and after testing it didn't show any significant reduction in processing power. It'll easily manage one MVM at a time.
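As an added example (not code from the original article), a PowerShell check of the prerequisites discussed above: CPU virtualization extensions and SLAT as reported by WMI, UEFI Secure Boot, TPM 2.0, and the two hypervisor-reported properties that decide HVCI performance and DMA resistance (Mode-Based Execution Control, which Windows reports for AMD's GMET as well, and IOMMU DMA protection). The function and label names are mine. One caveat the script accounts for: once a hypervisor is already running, Win32_Processor reports the virtualization flags as False because the hypervisor hides them from the guest that Windows has become, so the script checks for that case first.

```powershell
# Added example: test whether this machine meets the VBS / HVCI hardware requirements.
# Run elevated (Confirm-SecureBootUEFI and the TPM class require it).

function Test-VbsHardware {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # With a hypervisor already loaded, the CPU flags below read as False;
    # the fact that a hypervisor is running proves they are present.
    $hypervisorActive = [bool]$cs.HypervisorPresent

    $checks = [ordered]@{}
    $checks['64-bit CPU']                    = ($cpu.AddressWidth -eq 64)
    $checks['VT-x / AMD-V']                  = $hypervisorActive -or [bool]$cpu.VMMonitorModeExtensions
    $checks['SLAT (EPT / RVI)']              = $hypervisorActive -or [bool]$cpu.SecondLevelAddressTranslationExtensions
    $checks['Virtualization on in firmware'] = $hypervisorActive -or [bool]$cpu.VirtualizationFirmwareEnabled

    # Secure Boot is required when RequirePlatformSecurityFeatures is 1 or 3 (the usual setting).
    try   { $checks['UEFI Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $checks['UEFI Secure Boot'] = $false }   # legacy BIOS, or not elevated

    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $checks['TPM 2.0 (recommended)'] = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # AvailableSecurityProperties: 3 = DMA protection (IOMMU), 7 = Mode Based Execution Control.
    $props = @($dg.AvailableSecurityProperties)
    $checks['IOMMU DMA protection (recommended)']   = ($props -contains 3)
    $checks['MBEC / GMET (HVCI without emulation)'] = ($props -contains 7)

    $checks
}

$result = Test-VbsHardware
$result.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

# Hard requirements for VBS to start at all; MBEC/GMET and the IOMMU affect performance and DMA resistance.
$required = '64-bit CPU', 'VT-x / AMD-V', 'SLAT (EPT / RVI)', 'Virtualization on in firmware', 'UEFI Secure Boot'
$missing  = $required | Where-Object { -not $result[$_] }
if ($missing) {
    Write-Warning ('VBS cannot run until these are fixed: ' + ($missing -join ', '))
} elseif (-not $result['MBEC / GMET (HVCI without emulation)']) {
    Write-Warning 'VBS will run, but HVCI will be emulated on this CPU and cost noticeable performance.'
}
```

The last branch is the one that separates "can I enable it" from "should I enable it on this box": a Haswell-era system passes every hard requirement yet lands in the emulated-HVCI warning, which is exactly the trade-off this section describes.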
Virtualization-based security, or VBS, is extremely useful. With the sandboxing built on the same hypervisor, it can isolate a process on your device and let it be attacked by malware without ever affecting the rest of your system. VBS itself protects credentials and the kernel's code-integrity checks in an isolated region that kernel-based malware on the main OS can't touch.
You also have options for micro virtual machines, or MVMs, that isolate just one process in a sandbox while its behaviour is checked. Windows 10 and Windows 11 ship their own sandboxes (Windows Sandbox and Application Guard), and third-party products such as Bromium add per-task micro-VMs on top.
Enabling VBS in Windows is really straightforward. With the new search functions, it can take less than a minute for it to be up and running. However, this assumes you have the hardware to run it. When it comes to processing power, you may want something newer so as not to lose out on performance.
We mentioned several CPUs that'll do the job. Yet, plenty of other options in between might be more accessible or needed for other aspects of your business.
Do you have more questions about VBS? Check out the FAQ and Resources sections below!
Should I enable virtualization based security?
Probably. On supported hardware the cost is small, and it blocks whole classes of credential theft and kernel-mode malware. If you handle domain credentials or are at elevated risk from kernel-based malware, enable it.
Does virtualization affect performance?
A bit. While a micro virtual machine won't drain as many resources as a whole OS, it still needs processing power to create the virtual environment. For VBS itself the overhead is a few percent on CPUs with MBEC or GMET, and noticeably more without. Additionally, VMs and MVMs based on Linux will be less hardware-intensive than those based on Windows or macOS.
What is meant by virtualization?
In simple terms, it means making a separate environment that’ll make a mock OS with emulated hardware. This new computer exists only virtually inside your existing machine. Now, you also have services that offer full remote virtualization, often called DaaS or Desktop as a Service.
What are the types of virtualization?
Any aspect of the computer can be virtualized and created as a separate ecosystem. Yet, each ecosystem will fall into one of five categories. It’ll either be desktop, application, server, network, or storage virtualization. Depending on which part you need, you don’t need to create an entirely new machine. Rather, just focus on the aspect you need to reduce the strain on the hardware.
What are the disadvantages of virtualization?
Increased hardware requirements and performance issues. While the difference in performance on new devices will be minimal, older devices and less advanced hardware might have problems. In those cases, consider Linux virtual machines, which are less hardware-intensive, and check whether your CPU has MBEC or GMET before enabling memory integrity.
TechGenix: Article on Managing Azure VMs
Learn more about managing Azure VMs using System Center Virtual Machine Manager.
TechGenix: Article on Azure VM Cost Tracking
Explore how to track Azure VM costs using PowerShell.
TechGenix: Article on Deploying Windows Servers as Azure VMs
Get informed on how to deploy Windows Server as an Azure VM.
TechGenix: Guide on Customizing the Microsoft RDP Client
TechGenix: Article on Cyber Attacks spurring flurry of July patches from main developers
Read more on what the biggest software developers are doing to minimize the risks of cyber attacks.
Microsoft: Remote Desktop App
Discover the Microsoft Remote Desktop app.
Microsoft: Article on Remote Desktop Clients
Learn more about Remote Desktop clients.
ScienceDirect: Kernel Mode- an overview
Learn more about kernel mode on your system.
VMware Glossary: What is a hypervisor?
Learn more about hypervisors and what they do.