Jump to content



Photo

Anti Virus on Virtual Machine

anti virus virtual machine

  • Please log in to reply
35 replies to this topic

#16 the_architect

the_architect

    Neowinian

  • Joined: 29-July 04

Posted 24 October 2012 - 22:28

From what I remember of the intel advisory that remixedcat posted, it effects hyperV, virtualbox and nearly every other VM system except vmware.


VMWare isn't immune from host->VM viruses, however: https://blogs.vmware...on-windows.html


#17 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 24 October 2012 - 23:40

VMWare isn't immune from host->VM viruses, however: https://blogs.vmware...on-windows.html

That is vmworkstation not vsphere.

#18 +goretsky

goretsky

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 12-March 04
  • Location: Southern California

Posted 25 October 2012 - 03:21

Hello,

Yes. You could download a file over a connection the host OS doesn't scan (SSL) and then would be unable to scan the guest OS for malware from the host OS. It would essentially be a "black box" in terms of the host OS not being able to scan inside of it for threats.

Regards,

Aryeh Goretsky

#19 the_architect

the_architect

    Neowinian

  • Joined: 29-July 04

Posted 25 October 2012 - 05:59

That is vmworkstation not vsphere.


I know - I assumed that was what he was referring to as it was not specified which version he meant. The home user is more likely to be using workstation.

#20 OP Dan~

Dan~

    Neowinian Senior

  • Joined: 21-May 03

Posted 25 October 2012 - 08:43

Cool thanks guy, general consensus is too go with AV, so I will.

Thanks

#21 +Phouchg

Phouchg

    Random Oracle

  • Tech Issues Solved: 6
  • Joined: 28-March 11
  • Location: Krikkit
  • OS: VTOS 6.1.7601 x64

Posted 25 October 2012 - 18:23

More or less proper system and network configuration, firewall, access control and safe browsing practices over antivirus cascade every day.
Antiviruses are reactive measures - a virus must already be inside the system to be detected by one. If there is such a hole, however, anything else can get in, given time.

#22 f0rk_b0mb

f0rk_b0mb

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 02-June 12
  • Location: 'Murica
  • OS: Windows, Linux, OS X
  • Phone: Motorola Moto G

Posted 25 October 2012 - 18:31

Just throw MSE on it to be safe.

#23 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 27 October 2012 - 08:58

I upgraded from ESXi 5.0 to 5.1 yesterday and ironically there's an interesting section in the upgrade guide about some modular AV for guests and the host machine, not sure if you need the paid version or just free but it might do exactly as you want, http://www.vmware.co...w-vsphere51.pdf
VMware vShield EndpointTM – Delivers a proven endpoint security solution to any workload with an approach that is simplified, efficient, and cloud-aware. vShield Endpoint enables 3rd party endpoint security solutions to eliminate the agent footprint from the virtual machines, offload intelligence to a security virtual appliance, and run scans with minimal impact.
Remixedcat will know more about it.

#24 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 29 October 2012 - 15:35

^ you can run endpoint shield vm on esxi - but you can not do it for free. In a nutshell the guest vms hand off the work of scanning and such to a different VM. A central point for all your vms antivirus/malware scanning.

You then only need to update 1 location for new signatures/dats - and work is done on 1 vm vs every vm having to use resources to scan, etc.

engpoint.jpg

This is not something you would normally have available in a "home" lab sort of setup. But if you have budget, and you have enough vms then it does make sense to go this route.

But I do believe that the agent is now part of 5.1 (free) so I guess if you had a FREE dedicated VM appliance that would do the scanning you could do it for free? I would also assume you need vcenter, the few companies I looked at that supply appliances, etc. State you need vcenter - which is not free again.

#25 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 31 October 2012 - 14:23

Sandbox ,which protect your host from virus.A sandbox is use for separating two programs , so that one cannot affect the other. It's a form of security for when there is uncertainty of one program's effect on the other. :)

NO! People assume a sandbox protects them well NO! IT DOES NOT!
Sandbox traps calls and emulates functions, but if someone wants to bypass it then they can and will.
Here's one that targets sandboxie for example http://www.wildersse...ad.php?t=251456

It's good practise to use but do NOT assume it gives you 100% protection or any kind of protection.

#26 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 01 November 2012 - 12:24

Ok... I got your point.. :)
If virtual machine has no network for access to your host,your host won't get affect by any virus in your guest operating system. :)

What? You're thinking of trojans, viruses don't need internet/network connections to operate.

#27 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 01 November 2012 - 12:59

His point was that if the guest can not access host via network, then its not possible to jump from guest to host. Which is true - guest unless setup has no access to host file system, so if no network access it should not be possible for infection to jump from guest to host.

Unless person with access to host filesystem exe something off guest file system.

#28 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 02 November 2012 - 13:27

His point was that if the guest can not access host via network, then its not possible to jump from guest to host. Which is true - guest unless setup has no access to host file system, so if no network access it should not be possible for infection to jump from guest to host.

Unless person with access to host filesystem exe something off guest file system.

No it's not true, viruses can exploit sandbox/VM things which is why recently as I said on the other page that hyperV, virtualbox, and all the other large-scale VM solutions with the exception of VMware had an exploit leaked that will pass from the guest to the host no problem. You've also got bugs in CPUs that can allow exploits too.

#29 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 02 November 2012 - 16:05

And that is a RARE specific exploit - I run vmware esxi, I have not heard of any guest to host exploits?

Could you link to these exploits from guest to host?

And along with I normally run antivirus on my windows guests. And when I use that to access questionable locations or files, I have a snapshot taken before and after done just rollback to before.

I agree no system is going to be 100% fullproof - but the odds of moving from guest to host has got to be rare. My point was that if the vm has network access or shared access to the host filesystem, then sure it would be easy for something to jump to another box on the network if a worm and other boxes are open to it, and or if guest has write access to host filesystem it could infect/encrypt/delete/etc files on the host filesystem.

#30 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 02 November 2012 - 17:14

The recent one was fine if you use vmware, it was not vulnerable.

Here's some links to things about the bugs;
http://www.aidanfinn.com/?p=12837
http://technet.micro...lletin/ms11-047
http://blog.coresecu...ploit-ms10-102/



Click here to login or here to register to remove this ad, it's free!