Anti Virus on Virtual Machine


Recommended Posts

Ok... I got your point.. :)

If virtual machine has no network for access to your host,your host won't get affect by any virus in your guest operating system. :)

What? You're thinking of trojans, viruses don't need internet/network connections to operate.

Link to comment
Share on other sites

His point was that if the guest can not access host via network, then its not possible to jump from guest to host. Which is true - guest unless setup has no access to host file system, so if no network access it should not be possible for infection to jump from guest to host.

Unless person with access to host filesystem exe something off guest file system.

Link to comment
Share on other sites

His point was that if the guest can not access host via network, then its not possible to jump from guest to host. Which is true - guest unless setup has no access to host file system, so if no network access it should not be possible for infection to jump from guest to host.

Unless person with access to host filesystem exe something off guest file system.

No it's not true, viruses can exploit sandbox/VM things which is why recently as I said on the other page that hyperV, virtualbox, and all the other large-scale VM solutions with the exception of VMware had an exploit leaked that will pass from the guest to the host no problem. You've also got bugs in CPUs that can allow exploits too.

Link to comment
Share on other sites

And that is a RARE specific exploit - I run vmware esxi, I have not heard of any guest to host exploits?

Could you link to these exploits from guest to host?

And along with I normally run antivirus on my windows guests. And when I use that to access questionable locations or files, I have a snapshot taken before and after done just rollback to before.

I agree no system is going to be 100% fullproof - but the odds of moving from guest to host has got to be rare. My point was that if the vm has network access or shared access to the host filesystem, then sure it would be easy for something to jump to another box on the network if a worm and other boxes are open to it, and or if guest has write access to host filesystem it could infect/encrypt/delete/etc files on the host filesystem.

Link to comment
Share on other sites

Link to comment
Share on other sites

Ok - 2nd one is dos attack, not a guest-host escape

"This is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected Hyper-V server to stop responding, requiring a restart. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights on the Hyper-V server, but it could cause the affected system to stop accepting requests."

3rd one again is talking about dos, not escape.

Again not saying they don't exist - there was Cloudburst back in 2009. But do you know of any active guest-host escapes in the wild? Other than whitepapers discussing the possibility?

Are you aware of any malware/extortionware/virus that uses such complicated exploits?

Again I will agree that nothing is 100% secure, and yes there always going to be security issues that need to be addressed. But it comes down to is the exploit in the wild? Is it something that you surfing the underbelly of the net, or driveby or even running some keygen or hacked game or application is going to be infecting your machine and jumping to your host?

I would be more concerned with running bad code (worm) that then could then seek out your other vms or physical or even host machine via network than a guest-host escape.

Generally speaking, not talking a targeted attack against your infrastructure - some paid hacker getting into a company through a vm that is exposed to the public net, etc. Just generally speaking its unlikely to have to be worried about a guest-host escape no matter what your running be it virtualbox, vmware workstation (type2) or something like esxi/xen/kvm (type1).

Should you be aware that such things can exist - sure! If your tinfoil hat is a bit tight, maybe you don't run the vm tools on your vm - this is generally going to be the attack vector currently. Must of the stuff I have seen has been against intel, so run amd cpus on your host ;)

But common sense would tell you not to allow your VMs to have rw to your host filesystem via vm sharing tools or setup, etc. And if your playing with bad code - you might want to isolate their network connectivity to the rest of your vms/host/local network.

Link to comment
Share on other sites

I don't know of any publically available viruses that utilise it no, but the reason for that is because the people that know about these security flaws will be governments and incredibly sophisticated hackers, they won't be telling OEMs about them nor releasing POCs about them either but will use them discreetly in the shadows without anyone knowing.

Link to comment
Share on other sites

"about these security flaws will be governments and incredibly sophisticated hackers"

So you think a virus scanner you got from mcafee or nod or whatever is going to protect against a government backed attack?

So as I was saying, generally speaking guest-host escapes is not something the general user base - say running some vms on my home lab box for example needs to be worried about protecting against. Other than making sure your VM software be it type1 or 2 is updated, and host os are patched and securely configured.

And in this context you could be pretty sure that this form of exploit is not going to be used when you download that keygen or hacked exe of some game or application or surf the dark underbelly of the net. What you should be concerned with is more that you can roll the vm back after you play with something like that. Or that the box does not become infected with the lastest worm that could infect your other vms/local network.

I think we are the same page yes?

Link to comment
Share on other sites

Hello,

There was a discussion not too long ago of the Windows version of OSX/Crisis infecting virtual machines, and I though the Koobface malware contained an exploit for VMware that allowed it to escape from the guest OS to the host OS, but I cannot seem to find an exact reference to it. I think this would have been around 2009-2010, though.

Regards,

Aryeh Goretsky

The recent one was fine if you use vmware, it was not vulnerable.

Here's some links to things about the bugs;

http://www.aidanfinn.com/?p=12837

http://technet.micro...lletin/ms11-047

http://blog.coresecu...ploit-ms10-102/

Link to comment
Share on other sites

Hello,

I am unsure of why McAfee or ESET of any of the other anti-malware programs would not protect you. They detect various pieces of malware such as ACAD/Medre, OSX/Lamadai, Win32/Duqu, Win32/Flamer, Win32/Georbot, Win32/R2D2 and Win32/Stuxnet which are generally acknowledged to be created (or tacitly approved by) various nation-states around the globe.

While it seems ludicrous that an anti-malware company might be fettered by the intelligence apparatus of the country in which it is headquartered, even if you were not to rule that out of hand, there are anti-malware companies located in countries around the world that are mutually antagonistic towards each other, and I could see a Chinese or a Russian anti-malware company treating malware created by an American or European government as a PR goldmine. The truth of the matter, though, is that governments are going to be pretty unlikely to inform anti-malware companies of malware they have developed or are using, since that violates the whole point of using malware in the first place: Plausible deniability.

Regards,

Aryeh Goretsky

"about these security flaws will be governments and incredibly sophisticated hackers"

So you think a virus scanner you got from mcafee or nod or whatever is going to protect against a government backed attack?

So as I was saying, generally speaking guest-host escapes is not something the general user base - say running some vms on my home lab box for example needs to be worried about protecting against. Other than making sure your VM software be it type1 or 2 is updated, and host os are patched and securely configured.

And in this context you could be pretty sure that this form of exploit is not going to be used when you download that keygen or hacked exe of some game or application or surf the dark underbelly of the net. What you should be concerned with is more that you can roll the vm back after you play with something like that. Or that the box does not become infected with the lastest worm that could infect your other vms/local network.

I think we are the same page yes?

Link to comment
Share on other sites

This topic is now closed to further replies.