This page provides an overview of Virtual Machine Threat Detection.
Virtual Machine Threat Detection is a built-in service of Security Command Center. This service scans virtual machines to detect potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments.
VM Threat Detection is part of the Security Command Center threat detection suite and is designed to complement the existing capabilities of Event Threat Detection and Container Threat Detection.
VM Threat Detection findings are high-severity threats that we recommend you fix immediately. You can view VM Threat Detection findings in Security Command Center.
For organizations enrolled in Security Command Center Premium, VM Threat Detection scans are automatically enabled. If needed, you can disable the service or enable the service at the project level. For more information, see Enable or disable VM Threat Detection.
VM Threat Detection is a managed service that scans enabled Compute Engine projects and virtual machine (VM) instances to detect potentially malicious applications running in VMs, such as cryptocurrency mining software and kernel-mode rootkits.
The following figure is a simplified illustration showing how VM Threat Detection's analysis engine ingests metadata from VM guest memory and writes findings to Security Command Center.
VM Threat Detection is built into Google Cloud's hypervisor, a secure platform that creates and manages all Compute Engine VMs.
VM Threat Detection periodically performs scans from the hypervisor into the memory of a running guest VM without pausing operation of the guest. It also periodically scans disk clones. Because this service operates from outside the guest VM instance, it doesn't require guest agents or special configuration of the guest operating system, and it's resistant to countermeasures used by sophisticated malware. No CPU cycles are used inside the guest VM, and network connectivity isn't required. Security teams don't need to update signatures or manage the service.
Powered by Google Cloud's threat detection rules, VM Threat Detection analyzes information about software running on VMs, including a list of application names, per-process CPU usage, hashes of memory pages, CPU hardware performance counters, and information about executed machine code to determine whether any application matches known cryptocurrency mining signatures. When possible, VM Threat Detection then determines the running process associated with the detected signature matches and includes information about that process in the finding.
VM Threat Detection infers the type of operating system running on the VM and uses that information to determine the kernel code, read-only data regions, and other kernel data structures in memory. VM Threat Detection applies various techniques to determine if those regions are tampered with, by comparing them to precomputed hashes that are expected for the kernel image and verifying the integrity of important kernel data structures.
VM Threat Detection takes short-lived clones of your VM's persistent disk, without disrupting your workloads, and scans the disk clones. This service analyzes executable files on the VM to determine whether any files match known malware signatures. The generated finding contains information about the file and the malware signatures detected.
Outside of Google Cloud, malware detection is also available for Amazon Elastic Compute Cloud (EC2) VMs.
To scan AWS VMs, you must be a Security Command Center Enterprise customer and you must first enable VM Threat Detection for AWS.
You can enable this feature at the organization level only. During scanning, VM Threat Detection uses resources on both Google Cloud and on AWS.
For memory scanning, VM Threat Detection scans each VM instance immediately after the instance is created. In addition, VM Threat Detection scans each VM instance every 30 minutes.
For persistent disk scanning, which detects the presence of known malware, VM Threat Detection scans each VM instance at least daily.
If you activate the Premium tier of Security Command Center, VM Threat Detection scans are automatically enabled. If needed, you can disable the service or enable the service at the project level. For more information, see Enable or disable VM Threat Detection.
This section describes the threat findings that VM Threat Detection generates.
VM Threat Detection has the following threat detections.
VM Threat Detection detects the following finding categories through hash matching or YARA rules.
| Category | Module | Description |
|---|---|---|
| | CRYPTOMINING_HASH | Matches memory hashes of running programs against known memory hashes of cryptocurrency mining software. Findings are classified as High severity by default. |
| | CRYPTOMINING_YARA | Matches memory patterns, such as proof-of-work constants, known to be used by cryptocurrency mining software. Findings are classified as High severity by default. |
| | | Identifies a threat that was detected by both the CRYPTOMINING_HASH and CRYPTOMINING_YARA modules. For more information, see Combined detections. Findings are classified as High severity by default. |
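The following script is an added illustration of the two cryptomining detection approaches in the table above and of how a combined detection arises when both fire; it is not VM Threat Detection's code. It hashes a memory image page by page against a known-bad hash set (the CRYPTOMINING_HASH idea) and scans the same image for fixed byte patterns standing in for YARA rules (the CRYPTOMINING_YARA idea). The memory image, the "known miner" page, its hash and the byte pattern are all constructed for the example and correspond to no real mining software.

```python
"""Page-hash and pattern matching over a memory image (added example).

Constructed data throughout: the miner page, the known-bad hash set and the
pattern are placeholders, not signatures of any real cryptocurrency miner.
"""
import hashlib

PAGE_SIZE = 4096

# Constructed stand-in for a code page of a known miner.
MINER_PAGE = b"MINER-CODE-PAGE".ljust(PAGE_SIZE, b"\x90")

# Constructed known-bad page hash set (CRYPTOMINING_HASH analogue).
KNOWN_MINER_PAGE_HASHES = {hashlib.sha256(MINER_PAGE).hexdigest()}

# Constructed byte patterns standing in for YARA rules (CRYPTOMINING_YARA
# analogue). A real rule might match proof-of-work constants; this value is
# an arbitrary placeholder.
PATTERNS = {
    "pow_constant_placeholder": bytes.fromhex("deadbeefcafebabe"),
}


def hash_pages(image):
    """Yield (page_index, sha256_hex) for every full page of the image."""
    full = len(image) - len(image) % PAGE_SIZE
    for offset in range(0, full, PAGE_SIZE):
        page = image[offset:offset + PAGE_SIZE]
        yield offset // PAGE_SIZE, hashlib.sha256(page).hexdigest()


def hash_matches(image):
    """Indexes of pages whose hash is in the known-bad set."""
    return [idx for idx, digest in hash_pages(image)
            if digest in KNOWN_MINER_PAGE_HASHES]


def pattern_matches(image):
    """(pattern_name, offset) for every occurrence of every pattern."""
    hits = []
    for name, pattern in PATTERNS.items():
        offset = image.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = image.find(pattern, offset + 1)
    return hits


def classify(image):
    """Report which modules matched; both matching is the combined case."""
    pages = hash_matches(image)
    hits = pattern_matches(image)
    modules = []
    if pages:
        modules.append("CRYPTOMINING_HASH")
    if hits:
        modules.append("CRYPTOMINING_YARA")
    return {
        "modules": modules,
        "combined": len(modules) == 2,
        "severity": "HIGH" if modules else None,
        "hash_pages": pages,
        "pattern_hits": hits,
    }


def build_sample_image():
    """Constructed 3-page image: clean page, miner page, page with pattern."""
    clean = b"\x00" * PAGE_SIZE
    with_pattern = (b"\x00" * 100 + PATTERNS["pow_constant_placeholder"]
                    ).ljust(PAGE_SIZE, b"\x00")
    return clean + MINER_PAGE + with_pattern


if __name__ == "__main__":
    print(classify(build_sample_image()))
```

Page-granular hashing is what makes the hash module cheap to evaluate repeatedly and robust to where a binary happens to be loaded, while the pattern scan catches the same family even when the exact page contents differ.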
VM Threat Detection analyzes kernel integrity at run time to detect common evasion techniques that are used by malware. The KERNEL_MEMORY_TAMPERING module detects threats by doing a hash comparison on the kernel code and kernel read-only data memory of a virtual machine. The KERNEL_INTEGRITY_TAMPERING module detects threats by checking the integrity of important kernel data structures.

| Category | Module | Description |
|---|---|---|
| Defense Evasion: Rootkit | KERNEL_MEMORY_TAMPERING, KERNEL_INTEGRITY_TAMPERING | |
| Defense Evasion: Unexpected kernel read-only data modification | KERNEL_MEMORY_TAMPERING | |
| Defense Evasion: Unexpected ftrace handler | KERNEL_INTEGRITY_TAMPERING | ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range. Findings are classified as High severity by default. |
| Defense Evasion: Unexpected interrupt handler | KERNEL_INTEGRITY_TAMPERING | |
| Defense Evasion: Unexpected kernel modules | KERNEL_INTEGRITY_TAMPERING | |
| Defense Evasion: Unexpected kprobe handler | KERNEL_INTEGRITY_TAMPERING | kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range. Findings are classified as High severity by default. |
| Defense Evasion: Unexpected processes in runqueue | KERNEL_INTEGRITY_TAMPERING | |
| Defense Evasion: Unexpected system call handler | KERNEL_INTEGRITY_TAMPERING | |
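As an added example of the two kernel checks described above (it is not VM Threat Detection's implementation), the script below compares hashes of kernel code and read-only data regions against precomputed expected hashes, and checks that the callback targets of ftrace points, kprobe points, interrupt handlers and system call handlers fall inside the expected kernel or module code ranges. The region addresses, the memory contents, the handler list and the mapping from check results to finding categories are all constructed for the illustration.

```python
"""Kernel memory hash check and handler-target range check (added example).

All addresses, region contents and handler entries are constructed; the
region layout is a placeholder, not a real kernel's.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    size: int

    def contains(self, addr):
        return self.start <= addr < self.start + self.size


# Constructed layout of the regions the checks care about.
KERNEL_TEXT = Region("kernel .text", 0xFFFFFFFF81000000, 0x4000)
KERNEL_RODATA = Region("kernel .rodata", 0xFFFFFFFF82000000, 0x2000)
MODULE_TEXT = Region("module .text", 0xFFFFFFFFC0000000, 0x1000)
CODE_RANGES = [KERNEL_TEXT, MODULE_TEXT]   # where handlers may legitimately point

# Example's own mapping of handler kinds to the page's finding categories.
HANDLER_CATEGORY = {
    "ftrace": "Defense Evasion: Unexpected ftrace handler",
    "kprobe": "Defense Evasion: Unexpected kprobe handler",
    "interrupt": "Defense Evasion: Unexpected interrupt handler",
    "syscall": "Defense Evasion: Unexpected system call handler",
}


def expected_hashes(known_good):
    """Precompute the hash of each region from a known-good image."""
    return {r.name: hashlib.sha256(data).hexdigest()
            for r, data in known_good.items()}


def check_memory_tampering(snapshot, expected):
    """KERNEL_MEMORY_TAMPERING analogue: regions whose live hash differs."""
    return [r.name for r, data in snapshot.items()
            if hashlib.sha256(data).hexdigest() != expected[r.name]]


def check_handler_targets(handlers, code_ranges=CODE_RANGES):
    """KERNEL_INTEGRITY_TAMPERING analogue: handlers pointing outside code."""
    return [h for h in handlers
            if not any(r.contains(h[2]) for r in code_ranges)]


def findings(snapshot, expected, handlers):
    """(module, category, detail) tuples; the category mapping is this
    example's simplification, not the service's own logic."""
    out = []
    for name in check_memory_tampering(snapshot, expected):
        category = ("Defense Evasion: Unexpected kernel read-only data modification"
                    if "rodata" in name else "Defense Evasion: Rootkit")
        out.append(("KERNEL_MEMORY_TAMPERING", category, name))
    for kind, label, target in check_handler_targets(handlers):
        out.append(("KERNEL_INTEGRITY_TAMPERING", HANDLER_CATEGORY[kind],
                    f"{label} -> {target:#x}"))
    return out


def build_sample():
    """Constructed known-good image, a snapshot with patched rodata, and
    handlers of which one points outside every known code range."""
    known_good = {
        KERNEL_TEXT: b"\xcc" * KERNEL_TEXT.size,
        KERNEL_RODATA: b"RO" * (KERNEL_RODATA.size // 2),
    }
    expected = expected_hashes(known_good)
    live_rodata = bytearray(known_good[KERNEL_RODATA])
    live_rodata[0x100:0x108] = b"TAMPERED"          # simulated modification
    snapshot = {KERNEL_TEXT: known_good[KERNEL_TEXT],
                KERNEL_RODATA: bytes(live_rodata)}
    handlers = [
        ("ftrace", "trace_point_a", KERNEL_TEXT.start + 0x1200),   # in kernel code
        ("kprobe", "probe_b", MODULE_TEXT.start + 0x40),           # in module code
        ("interrupt", "vector_c", KERNEL_TEXT.start + 0x300),      # in kernel code
        ("syscall", "entry_d", 0xFFFFFFFFC0800000),                # outside all ranges
    ]
    return snapshot, expected, handlers


if __name__ == "__main__":
    for f in findings(*build_sample()):
        print(f)
```

The range check is deliberately strict: a handler pointing anywhere that is not mapped kernel or module code is reported, which is exactly the condition the ftrace and kprobe rows of the table describe.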
VM Threat Detection detects the following finding categories by scanning a VM's persistent disk for known malware.
| Category | Module | Description | Supported cloud provider |
|---|---|---|---|
| Malware: Malicious file on disk | MALWARE_DISK_SCAN_YARA_AWS | Scans persistent disks in Amazon EC2 VMs and matches signatures that are used by known malware. Findings are classified as Medium severity by default. | AWS |
| Malware: Malicious file on disk (YARA) | MALWARE_DISK_SCAN_YARA | Scans persistent disks in Compute Engine VMs and matches signatures that are used by known malware. Findings are classified as Medium severity by default. | Google Cloud |
Before VM Threat Detection can scan VMs in VPC Service Controls perimeters, you must add ingress and egress rules in each perimeter that you want to scan. For more information, see Allow VM Threat Detection to access VPC Service Controls perimeters.
VM Threat Detection supports Compute Engine VM instances, with the following limitations:

- Limited support for Windows VMs:
  - For cryptocurrency mining detection, VM Threat Detection primarily focuses on Linux binaries and has limited coverage of cryptocurrency miners that run on Windows.
  - For kernel-mode rootkit detection, VM Threat Detection supports only Linux operating systems.
- No support for Compute Engine VMs that use Confidential VM. Confidential VM instances use cryptography to protect the contents of memory as it moves in and out of the CPU. Thus, VM Threat Detection can't scan them.
- No support for VMs that use Arm-based processors.
- Disk scanning limitations:
  - Persistent disks that are encrypted with customer-supplied encryption keys (CSEK) or customer-managed encryption keys (CMEK) are not supported.
  - Only vfat, ext2, and ext4 partitions are scanned.
VM Threat Detection requires the Security Center Service Agent to be able to list the VMs in the projects and clone the disks to Google-owned projects. Some organization policy constraints, such as constraints/compute.storageResourceUseRestrictions, can interfere with such operations. In this case, VM Threat Detection scanning might not work.
VM Threat Detection relies on the capabilities of Google Cloud's hypervisor and Compute Engine. Thus, VM Threat Detection can't run in on-premises environments or in other public cloud environments.
VM Threat Detection accesses the disk clones and memory of a running VM for analysis. The service analyzes only what is necessary to detect threats.
Contents of the VM memory and disk clones are used as inputs in the VM Threat Detection risk analysis pipeline. The data is encrypted in transit and processed by automated systems. During processing, data is safeguarded by Google Cloud's security control systems.
For monitoring and debugging purposes, VM Threat Detection stores basic diagnostic and statistical information about projects the service protects.
VM Threat Detection scans VM memory contents and disk clones in their respective regions. However, the resulting findings and metadata (such as project and organization numbers) might be stored outside those regions.
For more information about how Security Command Center handles your data, see Data and infrastructure security overview.
Last updated 2026-06-10 UTC.