
Design and Development of a System Call Interception Mechanism on Virtualization Platforms

Hypervisor-based System Call Interception Mechanism

Advisor: 吳育松

Abstract


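Virtualization technology is widely used to build datacenters. To construct a security monitoring mechanism in virtualized environments, we propose a new mechanism for intercepting system calls that does not require installing any additional driver in the guest virtual machine. In addition, we propose the In-VM Idle Loop mechanism, which directs an intercepted system call procedure into a loop prepared in advance, improving system performance in multithreaded environments. When parsing memory contents inside the guest system, demand paging makes the parsing difficult, so we propose a deferred introspection technique to solve this. Finally, we implemented a prototype of a real-time virus monitoring system. Experimental results show that system performance depends heavily on the rate at which system calls are generated in the guest system (a rate of 128 system calls per second incurs 1% additional overhead). Overall, we propose a security monitoring mechanism for virtualized environments whose runtime performance is reasonable.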

Parallel Abstract


The widespread use of virtualization technology in today’s datacenter environment has provided a new opportunity for supporting security monitoring mechanisms at the infrastructure level. In view of this, we develop a new technique for intercepting guest virtual machine (Guest VM) system calls directly from the virtualization layer, which does not require any special driver preinstalled within the guest VM to be monitored. We also design an In-VM idle loop mechanism to improve system call interception performance in multithreading environments. The use of demand paging in the guest VM can affect the accuracy of the system call interception. We propose the deferred introspection technique to address the issue. A prototype online virus scanning system is built based on the proposed system call interception mechanism. Our experimental results show that the overhead of the interception mechanism is closely related to the invocation rate of system calls. For a guest system with an average of 128 system call invocations per second, the overhead is a mere 1%. Overall, the proposed mechanism helps realize security monitoring at the datacenter infrastructure layer and has a decent performance overhead.
