Virtual Machines + Security

Hi there,

Am I right in assuming that if you get a virus on a virtual machine, it can't spread to the host?

Was thinking of setting up a virtual machine when testing or when I need to go on questionable websites.

Thanks.
 
It depends on the virus, as there was talk about potential flaws with VM machines, but that was a while ago now.
Generally speaking, though, it's pretty damn safe.
 
Short answer is yes, it is secure. There is currently no way to hack through a VM to the host OS (I think)... Although I did read about hiding a rootkit in the CPU somewhere :p

However, if you are using shared folders (writable), have a mounted share or something similar, it's possible for a virus to **** with these files, maybe infecting these files and getting manually executed on the host at a later point, for example. But you're pretty much safe, I wouldn't worry about it. Also, if your guest was to get a worm, then under the correct circumstances (OS match) it could spread to your host if they are networked.

Take the usual precautions with the guest operating systems, though, if you're going to expose them to the internet and you will be fine. I would advise using a NAT setup in the virtual machine settings, so it's locked off from the rest of your LAN.
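Added example, not part of any post in this thread: a small check of the two settings the post above singles out, shared folders and non-NAT networking, run over the output of VirtualBox's `VBoxManage showvminfo --machinereadable`. The sample output, VM name and paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `VBoxManage showvminfo "<vm>" --machinereadable` output
# (not captured from a real machine; VM name, adapter and path are made up).
SAMPLE_VMINFO = '''\
name="malware-lab"
nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"
nic3="none"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"
'''

# Modes that match the thread's advice: NAT, or adapter disabled / not attached.
NAT_OR_OFF = {"nat", "none", "null"}


def parse_vminfo(text):
    """Turn key="value" lines into a dict, ignoring lines without '='."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip().strip('"')] = value.strip().strip('"')
    return info


def audit(info):
    """Return findings for shared folders and for NICs that are not NAT."""
    findings = []
    for key, value in sorted(info.items()):
        nic = re.fullmatch(r"nic(\d+)", key)
        if nic and value not in NAT_OR_OFF:
            findings.append(f"nic{nic.group(1)}: mode '{value}' is not NAT")
        share = re.fullmatch(r"SharedFolderNameMachineMapping(\d+)", key)
        if share:
            # This output is not used to decide writability here, so every
            # share is reported for manual review.
            path = info.get(f"SharedFolderPathMachineMapping{share.group(1)}", "?")
            findings.append(
                f"shared folder '{value}' -> {path}: confirm it is read-only or remove it"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_vminfo(SAMPLE_VMINFO)):
        print(finding)
```

To check a real guest, pass the text produced by `VBoxManage showvminfo "<vm>" --machinereadable` to `parse_vminfo` instead of the sample.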
 
I've also found that running an AV product on the host protects the guests also, whether intentionally or not. For example, I started getting an FP on a certain file I use quite regularly (a DLL in GOM, for the record).

When I loaded up GOM in one of my VMs my host's AV fired up in the usual way and said the file was 'infected'. So it's clearly monitoring guest as well as host activity. Whether the vendor anticipated that or not, I don't know. But it does :D The false positive was rectified inside two hours of submission (way to go Avira!) BTW.
 
I was reading the Trend Micro AntiVirus blog (or equivalent), and they have said that some viruses are getting very clever, in that if they detect they are being run on a virtual machine (anti-virus companies do this as, like said, running a virtual machine is a fairly safe way of playing with malware and not getting taken over), they will not activate, so as to make detecting them harder for the anti-virus writers.
 
For people that are interested, read this: link

Good find, I'll enjoy reading the rest of that tomorrow.

Generally using a VM is fairly safe as it doesn't know it's a virtual machine, so to speak.

That's why I've used a VM for porn for well over a year now. :D
 
For viruses that rely on execution you are usually safe.
If you read and write files that are used outside of a VM then yes you can spread malicious code.
So Windows within Windows is probably the greatest risk, albeit a very small one.
 
I would not worry about "VM malware" yet... there's nothing in the wild that I've heard of.

What you should be concerned with though is whether that VM has network access. If it does then just "normal malware" could potentially spread to the host machine or other machines in the network depending on username/password/domain access to those machines and/or any exploits that have not been patched on those machines.
 
I've also found that running an AV product on the host protects the guests also, whether intentionally or not. For example, I started getting an FP on a certain file I use quite regularly (a DLL in GOM, for the record).

When I loaded up GOM in one of my VMs my host's AV fired up in the usual way and said the file was 'infected'. So it's clearly monitoring guest as well as host activity. Whether the vendor anticipated that or not, I don't know. But it does :D The false positive was rectified inside two hours of submission (way to go Avira!) BTW.

Correct me if I'm wrong, but that's really strange behaviour. That means the AV (which is just an application after all) is directly reading the memory allocated to the virtualised OS. Rather ironically this is a security risk in itself. What OS/VM software were you running?
 
Correct me if I'm wrong, but that's really strange behaviour. That means the AV (which is just an application after all) is directly reading the memory allocated to the virtualised OS. Rather ironically this is a security risk in itself. What OS/VM software were you running?

Was thinking along the same lines myself - I was under the impression the host apps cannot do anything to the VM. If there is access there is a way in/out of the VM and everyone can go malware crazy.
 
Correct me if I'm wrong, but that's really strange behaviour. That means the AV (which is just an application after all) is directly reading the memory allocated to the virtualised OS. Rather ironically this is a security risk in itself. What OS/VM software were you running?

I agree, unless the hypervisor gives specific access to a trusted program, but like you say that's a weak attack vector.
 
That's a good point, actually. I hadn't thought of it that way. :eek: It was Sun's VirtualBox with Avira Premium. Or was I running the Security Suite trial at the time? It was definitely Avira at any rate. lol

I did have the boxes ticked in VB's options to allow 3D acceleration, and to allow VB access to the CPU (VT-x, PAE etc). Maybe that's why?
 