Windows 8 and 8.1 Forums


Malware on a VM -- is it really a problem

  1. #1


    Hafnarfjörður IS
    Posts : 4,376
    Linux Centos 7, W8.1, W7, W2K3 Server W10

    Malware on a VM -- is it really a problem


    Hi everyone
    Everybody says, for example, get rid of XP since security updates won't be supported after XP reaches EOL (End of life).

    However, is this really relevant? If the VM is running on a HOST machine with adequate protection and the VM doesn't access the Internet is this really relevant -- and even if the VM Does access the Internet isn't there a way of making sure that the Host machine can screen the VM from any malware -- (Using application software like VMware workstation -- not base products like ESXi or HYPER-V).

    As far as I can see VMware workstation is just an application running on a Host machine and therefore this application should be protected against Malware by the host.

    I know people say a VM is a separate entity -- but if it's loaded up by an application program started on the Host then surely this application program should be protected from Malware.

    I know I'm missing something here but I don't know what.

    Any clarity on this subject would be welcome folks.

    Thanks guys.

    cheers
    jimbo


  2. #2


    Posts : 835
    Win 8.1 Pro


    Well, first off, VM is a sandbox if configured with no network connectivity at all.
    As far as I know. Even if it is connected to a network, it would depend on the malware itself if it can infect other systems through the network. Which for malware I think is rare, that is more like a worm or virus activity.

    So, if you launch a VM and it gets infected, and you are not doing session saves or differentials or anything, then closing the VM and reopening it should pop it out of there, or if you are, you may be able to revert to an earlier VM to get rid of it, like a system restore.

    That's the theory anyway.

  3. #3


    Orbiting the Moon
    Posts : 2,975
    Windows 10 x64


    To begin: Deleting the infected VM is the highest protection. But this is not always a choice (maybe some useful programs or data are still running and we would like to finish the work...).

    You should be protected as long as the host is protected and the VM guest has no control (any) in the host.
    If there is something bad that can get loose from an infected guest to a host will only happen between network connection host-guest, shared folders and drag 'n' drop and the user is usually the one to blame because he's the one doing these operations (I've never heard of automatic drag 'n' drop or copy paste between host and guest performed by a program but this is a potential risk zone and might be possible in the future).

    Again, the sandbox, as Tepid described, works pretty well BUT we'll have to keep in mind the possibility of infection by shared folders and/or drag 'n' drop.

    If the VM is clean: then you can use shared folders.

    If the VM is infected:
    With no shared folders: you're safe
    Recommended here are read-only shared folders and any program in the VM is unable to put files on the host.

    Drag 'n' drop: seems to be safe in any VM. In theory there has to be some kind of complex virus that is able to intercept guest - host connection but can be VERY rare, and VMware gets new updates often (there are also security updates included).

    Yeah, if the malware is included in the files in drag 'n' drop and it's a guest to host operation, this is more risky. We are still safe as long as the host AV solution can eliminate the threat.

    In general virtualisation is pretty safe regarding malware in a VM. If you're an experienced user that uses VMs daily then you're even safer because you usually know what buttons to click.

    To be safe, in my opinion, NO shared folders and NO drag 'n' drop if you know the VM is pretty dangerous. It's even better to use a clean snapshot/image of the VM disk and delete the infected one.

    That's all I can say regarding the matter.

    Cheers
    Hopachi
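
Added example, not part of Hopachi's post and not VMware's own tooling: a small Python audit of a VMware Workstation .vmx file for the host-guest channels discussed in post #3 (shared folders, drag 'n' drop and copy/paste, network adapters). The sample .vmx text is constructed, and treating a missing `isolation.tools.*` key as "not disabled" is an assumption of this example.

```python
import re

# Constructed sample .vmx text (not from the thread).
SAMPLE_VMX = '''\
displayName = "XP test"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.writeAccess = "TRUE"
isolation.tools.dnd.disable = "FALSE"
isolation.tools.copy.disable = "TRUE"
'''

LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines; keys are lower-cased for comparison."""
    cfg = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def is_true(cfg, key):
    return cfg.get(key, "").strip().lower() == "true"

def audit(text):
    """List the host-guest channels this .vmx leaves open."""
    cfg, findings = parse_vmx(text), []
    for key in sorted(cfg):
        m = re.fullmatch(r"sharedfolder(\d+)\.enabled", key)
        if m and is_true(cfg, key):
            writable = is_true(cfg, f"sharedfolder{m.group(1)}.writeaccess")
            mode = "writable" if writable else "read-only"
            findings.append(f"shared folder {m.group(1)} enabled ({mode})")
    # Assumption: a missing isolation.tools.* key means the feature is not disabled.
    for feature in ("dnd", "copy", "paste"):
        if not is_true(cfg, f"isolation.tools.{feature}.disable"):
            findings.append(f"{feature} not disabled")
    for key in sorted(cfg):
        m = re.fullmatch(r"(ethernet\d+)\.present", key)
        if m and is_true(cfg, key):
            ctype = cfg.get(m.group(1) + ".connectiontype", "unspecified")
            findings.append(f"{m.group(1)} present ({ctype})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_VMX):
        print(finding)
```

An empty result means none of the three channels is open in the file; a writable shared folder is the finding to close first on a VM known to be infected.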

  4. #4


    Hafnarfjörður IS
    Posts : 4,376
    Linux Centos 7, W8.1, W7, W2K3 Server W10


    Hi there
    I don't think people have understood the post.

    Of course you can use "Classical methods" to "disinfect" a VM -- but that's NOT what I was asking.

    My query was that if you use an APPLICATION PROGRAM such as VMware workstation (albeit a COMPLEX application program --but STILL an application program) would not the HOST machine's malware detection system prevent the VM from picking up a virus in the first place.

    The VM is "technically" a separate machine - but it's still just DATA to the application running on the HOST so in theory should be fully protected.

    (I know a VM "appears" as a separate entity -- that's NOT what I'm asking -- if you don't follow what I'm trying to get at here then please RE-READ my first post in this thread).
    Cheers
    jimbo

  5. #5


    Posts : 231
    Windows 8.1 x64


    Originally posted by jimbo45:
    "would not the HOST machine's malware detection system prevent the VM from picking up a virus in the first place."

    No, not necessarily - simplistically, if you run Linux in the VM, then MSE (or whatever AV the HOST is running) will not detect the Linux malware, and vice versa. There are some rare cross-over malware that have the ability to infect both Windows and Linux based OS, so a single AV in the HOST is no defense in this case.

    The best defense is as correctly stated, avoid network connectivity between the VM and HOST.

    Read this:
    virtualization - How secure are virtual machines really? False sense of security? - IT Security

    Regards,
    Golden

  6. #6


    Posts : 1,308
    Windows 8 enterprise x64


    NO, the host has no way to see what happens in the OS running in the VM; the virtualisation layer in VMware isolates the RAM section where the VM OS runs. So every OS running in a VM needs its own protection.


  7. #7


    Hafnarfjörður IS
    Posts : 4,376
    Linux Centos 7, W8.1, W7, W2K3 Server W10


    Originally posted by area 66:
    "NO, the host has no way to see what happens in the OS running in the VM; the virtualisation layer in VMware isolates the RAM section where the VM OS runs. So every OS running in a VM needs its own protection."

    Hi there

    Thanks -- that's what I wanted to know -- good explanation.

    I've got Malware detection on the VM of course - but I was curious to know if this was really necessary -- you've answered the question perfectly --thanks and much appreciated.

    I'd rep you +1 but I can't seem to do this on W8 Forum --works fine on W7 Forum.

    Cheers
    jimbo

  8. #8


    Orbiting the Moon
    Posts : 2,975
    Windows 10 x64


    Sorry to bump in again here but some interesting article came up. It adds something to what I tried to explain in my first post.

    Everything is possible, especially in the future as x64 evolves and hypervisors become a permanent part of an OS.

    Reports of security flaws in virtualization software have steadily increased over the years as more companies embrace the technology, proving a juicy target for malicious hackers -- and VMware isn't the only target. Last June, for example, the U.S. Computer Emergency Readiness Team issued a security warning that some 64-bit operating systems and virtualization software running on Intel CPUs could be vulnerable to a local privilege escalation attack; the vulnerability could be exploited for local privilege escalation or a guest-to-host virtual machine escape. According to InfoWorld blogger David Marshall, that vulnerability was particularly noteworthy in that it didn't just affect a single vendor, but rather a number of different 64-bit hypervisors and OSes based on the type of processor they were operating.
    See article:
    VMware patches spotlight growing virtualization security risks | Security - InfoWorld

    Security flaws, yes, but this relates to malware designed to take control in these situations.

    This kind of thing happened before. Attacks are expected on all software that becomes popular.
    We'll just have to be careful and be up to date with the software.

    In the meantime I agree with the current conclusion that we are practically safe with our software virtualisation.
    Just wanted to point out the possibilities here.

    Cheers
    Hopachi
