VM for checking suspect files?


ajf
Soldato, joined 30 Oct 2006, 3,053 posts, Worcestershire, UK
We are getting more and more suspect emails at work but often really need to check for sure before deleting.

My obvious thought was to set up a VirtualBox machine on my main PC to access these files?
The emails and files are held on our mail scanning server.

However I am unsure what steps are needed to ensure my main OS is not infected, along with access to the network.

I assume simply not giving it mapped drives is a start but I guess it is possible for malware to access networks purely by IP etc?

What about the main OS?
 
Multiple layers of AV and network isolation would be my thinking.

Disable the VM NIC prior to opening, and the physical NIC too if you're paranoid.
 
Put the VM on its own VLAN with appropriate ACL / firewall rules to stop the VM getting back to your main VLAN? Then from that VM you could upload the attachment to VirusTotal as a starting point.
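The posts above list the escape paths to close on a triage VM (network adapter, host-to-guest channels, rollback to a clean image). As an added example that is not code from the thread, this Python script generates the VBoxManage commands for those settings and audits the `VBoxManage showvminfo <vm> --machinereadable` output for anything left open. The VM name `triage`, the snapshot name, and the exact `showvminfo` key names (`nic1`, `SharedFolderNameMachineMapping1`, `clipboard`, `draganddrop`) are assumptions based on VirtualBox 6.1/7.x syntax; verify them against your installed version before relying on the audit.

```python
"""Generate and audit VirtualBox isolation settings for a throwaway triage VM.

Added example, not from the thread. Assumes a VM named "triage" and the
VBoxManage command syntax / showvminfo key names of VirtualBox 6.1/7.x.
"""
import shutil
import subprocess
from typing import Dict, List

VM_NAME = "triage"  # assumption: name of the throwaway VM


def isolation_commands(vm: str) -> List[List[str]]:
    """VBoxManage invocations that cut the VM off from host and network."""
    return [
        # No network adapter at all: a VLAN/ACL only helps if the adapter is filtered;
        # removing it answers the "access the network purely by IP" worry directly.
        ["VBoxManage", "modifyvm", vm, "--nic1", "none"],
        # Close host<->guest copy/paste and drag-and-drop channels.
        ["VBoxManage", "modifyvm", vm, "--clipboard-mode", "disabled"],
        ["VBoxManage", "modifyvm", vm, "--draganddrop", "disabled"],
        # Snapshot the clean state so every sample starts from a known-good image.
        ["VBoxManage", "snapshot", vm, "take", "clean-baseline"],
    ]


def apply_isolation(vm: str, dry_run: bool = True) -> List[List[str]]:
    """Run the commands (only when VBoxManage is installed and dry_run is False)."""
    cmds = isolation_commands(vm)
    if not dry_run and shutil.which("VBoxManage"):
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


def parse_vminfo(info: str) -> Dict[str, str]:
    """Parse `showvminfo --machinereadable` output: one key="value" per line."""
    settings: Dict[str, str] = {}
    for line in info.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def check_isolation(info: str) -> List[str]:
    """Return one finding per remaining escape path; an empty list means isolated."""
    s = parse_vminfo(info)
    findings: List[str] = []
    # Any adapter other than "none" (nat, bridged, hostonly, intnet...) gives the guest a path out.
    for n in range(1, 9):
        mode = s.get(f"nic{n}", "none")
        if mode != "none":
            findings.append(f"nic{n} is {mode!r}: guest can reach the network by IP")
    # Shared folders expose host files regardless of mapped drives inside the guest.
    for key, value in s.items():
        if key.lower().startswith("sharedfoldernamemachinemapping"):
            findings.append(f"shared folder {value!r} exposes host files to the guest")
    for key in ("clipboard", "draganddrop"):
        if s.get(key, "disabled") != "disabled":
            findings.append(f"{key} is {s[key]!r}: host<->guest channel still open")
    return findings


# Constructed showvminfo excerpts for demonstration (not real captures).
SAMPLE_DIRTY = (
    'name="triage"\nnic1="nat"\nnic2="none"\n'
    'SharedFolderNameMachineMapping1="downloads"\n'
    'clipboard="bidirectional"\ndraganddrop="disabled"\n'
)
SAMPLE_CLEAN = 'name="triage"\nnic1="none"\nclipboard="disabled"\ndraganddrop="disabled"\n'

if __name__ == "__main__":
    for cmd in apply_isolation(VM_NAME, dry_run=True):
        print(" ".join(cmd))
    print("dirty:", check_isolation(SAMPLE_DIRTY))
    print("clean:", check_isolation(SAMPLE_CLEAN))
```

Run it with `dry_run=True` first to see the commands; the audit is the part worth keeping, since a VM that has been "isolated" once tends to regain a NAT adapter or a shared folder the next time someone needs to get a file in.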
 
I would use an old PC on a VLAN with a local account and not on the domain. Have an image of the PC on a USB stick, then you can keep reloading it.

If you really want to keep it secure, use a 3G stick to keep the whole thing off your domain.
 
Sounds like a lot of effort. What do you currently have in place for scanning incoming emails? If you're running a mail server on-premise then put Mimecast or an equivalent in front of it, and if you're on Office 365 or Google Apps then I wouldn't worry about it - I honestly can't remember the last time I saw anything with a suspect attachment make it through their filters.
 
Thanks for the feedback and suggestions.
I'll give the options a thought and decide if it really is worth it.

We do have on-premises Exchange and a mail filter/scanner, but it does not always pick up certain files, such as Office docs with macros in them. These are the primary concern, as they have in some instances come from legitimate sources, so it is not obvious they are infected.
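The concern in this post is macro-carrying Office documents that the mail filter lets through. As an added example that is not code from the thread or from any filtering product, this Python script classifies an attachment by its contents rather than its extension: a macro-enabled OOXML file (.docm, .xlsm, or a renamed .docx) has to ship a `vbaProject.bin` part inside the ZIP container, and the legacy OLE formats (.doc, .xls) are recognised by their magic bytes and flagged for a proper OLE parser such as `olevba` from oletools, which is not bundled here. The sample documents are constructed in memory and labelled as such.

```python
"""Flag Office attachments that carry VBA macros before anyone opens them.

Added example, not from the thread. OOXML detection is based on the presence
of a vbaProject.bin part (or the vbaProject content type); legacy OLE files
are only identified, not parsed.
"""
import io
import zipfile
from typing import Dict

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                                 # OOXML (.docx/.docm/.xlsm/...) container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'legacy-ole' or 'unknown' for raw attachment bytes."""
    if data.startswith(OLE_MAGIC):
        # Binary Office formats can hold macros in a VBA storage; hand off to an OLE parser.
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Word stores it as word/vbaProject.bin, Excel as xl/vbaProject.bin, etc.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            content_types = (
                zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
            )
            if has_vba_part or VBA_CONTENT_TYPE in content_types:
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "unknown"


def scan_attachments(attachments: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every attachment; the file name is reported but never trusted."""
    return {name: classify(data) for name, data in attachments.items()}


def make_ooxml(parts: Dict[str, bytes]) -> bytes:
    """Build a minimal OOXML-style ZIP from part name -> bytes (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in parts.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a macro-enabled document renamed to .docx, a clean one, a legacy file.
SAMPLES: Dict[str, bytes] = {
    "invoice.docx": make_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\x00" * 16,  # placeholder bytes, not a real VBA project
    }),
    "minutes.docx": make_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }),
    "old-report.doc": OLE_MAGIC + b"\x00" * 8,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLES).items():
        print(f"{name:16} {verdict}")
```

The point of checking the ZIP part rather than the extension is that `invoice.docx` above is really a macro-enabled document; Word opens it either way, and an extension-based filter rule passes it. Anything reported as `legacy-ole` should go through `olevba` before a verdict is given.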
 
I'd look at a different filtering service then, to be honest; Office documents with macros are early-2000s stuff.
 