Solved: Malware on a VM -- is it really a problem?

jimbo45

Location: Hafnarfjörður IS
Hi everyone,
Everybody says, for example, to get rid of XP since security updates won't be available after XP reaches EOL (end of life).

However, is this really relevant? If the VM is running on a HOST machine with adequate protection and the VM doesn't access the Internet, is this really relevant -- and even if the VM does access the Internet, isn't there a way of making sure that the host machine can screen the VM from any malware? (Using application software like VMware Workstation -- not base products like ESXi or Hyper-V.)

As far as I can see, VMware Workstation is just an application running on a host machine, and therefore this application should be protected against malware by the host.

I know people say a VM is a separate entity -- but if it's loaded up by an application program started on the host, then surely this application program should be protected from malware.

I know I'm missing something here but I don't know what.

Any clarity on this subject would be welcome folks.

Thanks guys.

cheers
jimbo
 

My Computer

System One

  • OS
    Linux Centos 7, W8.1, W7, W2K3 Server W10
    Computer type
    PC/Desktop
    Monitor(s) Displays
    1 X LG 40 inch TV
    Hard Drives
    SSD's * 3 (Samsung 840 series) 250 GB
    2 X 3 TB sata
    5 X 1 TB sata
    Internet Speed
    0.12 GB/s (120Mb/s)
Well, first off, a VM is a sandbox if configured with no network connectivity at all.
As far as I know, even if it is connected to a network, it would depend on the malware itself whether it can infect other systems through the network, which for malware I think is rare; that is more like worm or virus activity.

So, if you launch a VM and it gets infected, and you are not doing session saves or differentials or anything, then closing the VM and reopening it should pop it out of there; or if you are, you may be able to revert to an earlier VM to get rid of it, like a system restore.

That's the theory anyway.
 

My Computer

System One

  • OS
    Win 8.1 Pro
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Self Built
    CPU
    I7-3770K
    Motherboard
    ASUS SABERTOOTH Z77
    Memory
    CORSAIR 8GB 2X4 D3 1866
    Graphics Card(s)
    EVGA GTX680 4GB
    Monitor(s) Displays
    ASUS 24" LED VG248QE
    Hard Drives
    SAMSUNG E 256GB SSD 840 PRO -
    SAMSUNG E 120GB SSD840 -
    SEAGATE 1TB PIPELINE
    PSU
    CORSAIR GS800
    Case
    CORSAIR 600T
    Cooling
    CORSAIR HYDRO H100I LIQUID COOLER
    Keyboard
    THERMALTA CHALLENGER ULT GAME-KYBRD
    Mouse
    RAZER DEATHADDER GAME MS BLK-ED
    Antivirus
    Windows Defender
    Other Info
    APC 1000VA -
    LGELECOEM LG 14X SATA BD BURNER -
    CORSAIR SP120 Fans x 3 -
    NZXT 5.25 USB3 BAY CARD READER -
    HAUPPAUGE COLOSSUS
To begin: deleting the infected VM is the highest protection. But this is not always a choice (maybe some useful programs or data are still running and we would like to finish the work...).

You should be protected as long as the host is protected and the VM guest has no control (of any kind) over the host.
If there is something bad that can get loose from an infected guest to the host, it will only happen through the host-guest network connection, shared folders and drag 'n' drop, and the user is usually the one to blame because he's the one doing these operations (I've never heard of automatic drag 'n' drop or copy/paste between host and guest performed by a program, but this is a potential risk zone and might be possible in the future).

Again, the sandbox, as Tepid described, works pretty well, BUT we'll have to keep in mind the possibility of infection via shared folders and/or drag 'n' drop.

If the VM is clean: then you can use shared folders.

If the VM is infected:
With no shared folders: you're safe.
Recommended here are read-only shared folders, so that any program in the VM is unable to put files on the host.

Drag 'n' drop: seems to be safe in any VM. In theory there would have to be some kind of complex virus that is able to intercept the guest-host connection, but that would be VERY rare, and VMware gets new updates often (there are also security updates included).

Yeah, if the malware is included in the files in a drag 'n' drop and it's a guest-to-host operation, this is more risky. We are still safe as long as the host AV solution can eliminate the threat.

In general, virtualisation is pretty safe regarding malware in a VM. If you're an experienced user who uses VMs daily, then you're even safer because you usually know which buttons to click.

To be safe, in my opinion: NO shared folders and NO drag 'n' drop if you know the VM is pretty dangerous. It's even better to use a clean snapshot/image of the VM disk and delete the infected one.

That's all I can say regarding the matter.

Cheers
Hopachi
 

My Computer

System One

  • OS
    Windows 10 x64
    Computer type
    Laptop
    System Manufacturer/Model
    HP Envy DV6 7250
    CPU
    Intel i7-3630QM
    Motherboard
    HP, Intel HM77 Express Chipset
    Memory
    16GB
    Graphics Card(s)
    Intel HD4000 + Nvidia Geforce 630M
    Sound Card
    IDT HD Audio
    Monitor(s) Displays
    15.6' built-in + Samsung S22D300 + 17.3' LG Phillips
    Screen Resolution
    multiple resolutions
    Hard Drives
    Samsung SSD 250GB + Hitachi HDD 750GB
    PSU
    120W adapter
    Case
    small
    Cooling
    laptop cooling pad
    Keyboard
    Backlit built-in + big one in USB
    Mouse
    SteelSeries Sensei
    Internet Speed
    slow and steady
    Browser
    Chromium, Pale Moon, Firefox Developer Edition
    Antivirus
    Windows Defender
    Other Info
    That's basically it.
Hi there
I don't think people have understood the post.

Of course you can use "classical methods" to "disinfect" a VM -- but that's NOT what I was asking.

My query was: if you use an APPLICATION PROGRAM such as VMware Workstation (albeit a COMPLEX application program -- but STILL an application program), would not the HOST machine's malware detection system prevent the VM from picking up a virus in the first place?

The VM is "technically" a separate machine -- but it's still just DATA to the application running on the HOST, so in theory it should be fully protected.

(I know a VM "appears" as a separate entity -- that's NOT what I'm asking -- if you don't follow what I'm trying to get at here, then please RE-READ my first post in this thread.)
Cheers
jimbo
 

"would not the HOST machine's malware detection system prevent the VM from picking up a virus in the first place?"

No, not necessarily. Simplistically, if you run Linux in the VM, then MSE (or whatever AV the HOST is running) will not detect the Linux malware, and vice versa. There is some rare cross-over malware that has the ability to infect both Windows- and Linux-based OSes, so a single AV on the HOST is no defense in this case.

The best defense is, as correctly stated, to avoid network connectivity between the VM and the HOST.

Read this:
virtualization - How secure are virtual machines really? False sense of security? - IT Security

Regards,
Golden
 

My Computer

System One

  • OS
    Windows 8.1 x64
    Computer type
    Laptop
    System Manufacturer/Model
    ASUS X54C
    CPU
    Intel Core i3-2330M @ 2.2GHz
    Motherboard
    ASUSTek K54C
    Memory
    4GB DDR3 @665MHz (9-9-9-24)
    Graphics Card(s)
    Intel HD 3000 On-board
    Sound Card
    Onboard
    Screen Resolution
    1366*788
    Hard Drives
    1*Samsung 840 EVO 120GB SSD
    Internet Speed
    Not fast enough!!!
    Browser
    Comodo Dragon
    Antivirus
    MSE & Malwarebytes
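The isolation knobs Hopachi lists (shared folders, drag 'n' drop, copy/paste) and the "no network path between guest and host" advice from Tepid and Golden all live in the VM's .vmx file, so they can be checked mechanically instead of by remembering which buttons not to click. The script below is an added example for this thread, not code from the thread or from VMware: it parses a small constructed .vmx for an XP lab VM, reports every guest-to-host path the file leaves open, and emits the hardened equivalent. The isolation.tools.*.disable, sharedFolderN.* and ethernetN.* keys are VMware's own vmx settings; the severity labels, the sample file and paths, and the choice to score a missing connectionType as bridged (worst case) are my assumptions.

```python
"""Audit a VMware Workstation .vmx for guest-to-host paths and emit a hardened copy.

Added example for this thread; not VMware code. The key names are VMware's own
vmx settings; the severity labels and the sample file are assumptions.
"""
import re

# Constructed sample: an XP lab VM with NAT networking, a writable shared
# folder, and the default (enabled) drag-and-drop / clipboard integration.
WEAK_VMX = r'''
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "12"
displayName = "XP malware lab"
guestOS = "winxppro"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\Users\jimbo\Downloads"
sharedFolder0.guestName = "Downloads"
'''

_LINE = re.compile(r'^\s*([^\s=#]+)\s*=\s*(.*?)\s*$')


def parse_vmx(text):
    """Parse `key = "value"` lines into a dict. vmx keys are case-insensitive,
    so they are stored lowercase; surrounding quotes are stripped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        cfg[key] = val
    return cfg


def _truthy(cfg, key, default="FALSE"):
    return cfg.get(key, default).strip().lower() in ("true", "1")


def audit_vmx(cfg):
    """Return (severity, message) findings, one per open guest-to-host path.
    An empty list means the guest has no configured way to touch the host."""
    findings = []

    # Network: any present NIC is a path out of the guest. bridged/nat reach the
    # LAN and the Internet as well as the host; hostonly still reaches the host.
    for n in range(8):
        if not _truthy(cfg, f"ethernet{n}.present"):
            continue
        # Assumption: a missing connectionType is scored as bridged (worst case).
        ctype = cfg.get(f"ethernet{n}.connectiontype", "bridged").lower()
        sev = "MEDIUM" if ctype == "hostonly" else "HIGH"
        findings.append((sev, f"ethernet{n} present ({ctype}): guest has a network path to the host"))

    # Shared folders (HGFS): a guest-writable host path lets malware drop files
    # on the host directly; read-only still leaks host data into the guest.
    if not _truthy(cfg, "isolation.tools.hgfs.disable"):
        for n in range(16):
            pfx = f"sharedfolder{n}."
            if not (_truthy(cfg, pfx + "present") and _truthy(cfg, pfx + "enabled", "TRUE")):
                continue
            path = cfg.get(pfx + "hostpath", "<unset>")
            if _truthy(cfg, pfx + "writeaccess"):
                findings.append(("HIGH", f"shared folder {n}: guest can write to host path {path}"))
            elif _truthy(cfg, pfx + "readaccess"):
                findings.append(("LOW", f"shared folder {n}: host path {path} readable from guest"))

    # Drag-and-drop and clipboard: user-driven file/data movement guest -> host.
    for feat in ("dnd", "copy", "paste"):
        if not _truthy(cfg, f"isolation.tools.{feat}.disable"):
            findings.append(("MEDIUM", f"isolation.tools.{feat}.disable is not TRUE: {feat} guest<->host is enabled"))
    return findings


def harden_vmx(cfg):
    """Return a copy with every path audit_vmx() reports closed: no NIC at all,
    HGFS/dnd/clipboard disabled, and any existing share forced read-only."""
    out = dict(cfg)
    for feat in ("hgfs", "dnd", "copy", "paste"):
        out[f"isolation.tools.{feat}.disable"] = "TRUE"
    for key in out:
        if key.startswith("ethernet") and key.endswith(".present"):
            out[key] = "FALSE"
        elif key.startswith("sharedfolder") and key.endswith(".writeaccess"):
            out[key] = "FALSE"
    return out


def render_vmx(cfg):
    """Serialise back to vmx syntax (lowercase keys are accepted by VMware)."""
    return "".join(f'{k} = "{v}"\n' for k, v in sorted(cfg.items()))


if __name__ == "__main__":
    weak = parse_vmx(WEAK_VMX)
    for sev, msg in audit_vmx(weak):
        print(f"[{sev}] {msg}")
    print("--- hardened ---")
    print(render_vmx(harden_vmx(weak)))
```

Run it on the host against the .vmx of a powered-off VM (Workstation rewrites the file on shutdown, so edit it while the VM is off). On the constructed sample it reports the NAT NIC and the writable share as HIGH and the three enabled tools integrations as MEDIUM; the hardened copy closes all of them, which is the "no shared folders, no drag 'n' drop, no network" posture the thread settles on. If a lab must keep a share, keep a single read-only one and leave isolation.tools.hgfs.disable unset, and the audit will flag it as LOW rather than HIGH.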
NO, the host has no way to see what happens in the OS running in the VM; the virtualisation layer in VMware isolates the RAM section where the VM OS runs. So every OS running in a VM needs its own protection.
 

My Computer

System One

  • OS
    Windows 8 enterprise x64
    System Manufacturer/Model
    Pc-Quebec / Area 66
    CPU
    i7-3960X Extreme Edition
    Motherboard
    Rampage IV Extreme
    Memory
    Gskill 4x4 GB
    Graphics Card(s)
    4 x HD 7970
    Sound Card
    onboard
    Screen Resolution
    2560*1600
    Hard Drives
    C:\Intel series 520 SSD , 250 GB
    D:\ WD 750 black with Intel 40gb SSD cache Intel RST
    E:\ WD 2TB Black
    PSU
    Corsair AX 1200
    Case
    TT Mozart TX
    Cooling
    Water Cooled
    Keyboard
    Logitech G-15
    Other Info
    Windows 8 VM is install on his own SSD.
Hi there

Thanks -- that's what I wanted to know -- good explanation.

I've got malware detection on the VM of course -- but I was curious to know if this was really necessary -- you've answered the question perfectly -- thanks, and much appreciated.

I'd rep you +1 but I can't seem to do this on the W8 forum -- it works fine on the W7 forum.

Cheers
jimbo
 

Sorry to bump in again here, but an interesting article came up. It adds something to what I tried to explain in my first post.

Everything is possible, especially in the future as x64 evolves and hypervisors become a permanent part of an OS.

Reports of security flaws in virtualization software have steadily increased over the years as more companies embrace the technology, proving a juicy target for malicious hackers -- and VMware isn't the only target. Last June, for example, the U.S. Computer Emergency Readiness Team issued a security warning that some 64-bit operating systems and virtualization software running on Intel CPUs could be vulnerable to a local privilege escalation attack; the vulnerability could be exploited for local privilege escalation or a guest-to-host virtual machine escape. According to InfoWorld blogger David Marshall, that vulnerability was particularly noteworthy in that it didn't just affect a single vendor, but rather a number of different 64-bit hypervisors and OSes based on the type of processor they were operating.

See article:
VMware patches spotlight growing virtualization security risks | Security - InfoWorld

Security flaws, yes, but this relates to malware designed to take control in these situations.

This kind of thing has happened before. Attacks are expected on all software that becomes popular.
We'll just have to be careful and keep the software up to date.

In the meantime I agree with the current conclusion that we are practically safe with our software virtualisation.
I just wanted to point out the possibilities here.

Cheers
Hopachi
 
