Jump to content



Photo

Anti Virus on Virtual Machine

anti virus virtual machine

  • Please log in to reply
35 replies to this topic

#31 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 02 November 2012 - 18:21

Ok - 2nd one is dos attack, not a guest-host escape
"This is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected Hyper-V server to stop responding, requiring a restart. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights on the Hyper-V server, but it could cause the affected system to stop accepting requests."

3rd one again is talking about dos, not escape.

Again not saying they don't exist - there was Cloudburst back in 2009. But do you know of any active guest-host escapes in the wild? Other than whitepapers discussing the possibility?

Are you aware of any malware/extortionware/virus that uses such complicated exploits?

Again I will agree that nothing is 100% secure, and yes there always going to be security issues that need to be addressed. But it comes down to is the exploit in the wild? Is it something that you surfing the underbelly of the net, or driveby or even running some keygen or hacked game or application is going to be infecting your machine and jumping to your host?

I would be more concerned with running bad code (worm) that then could then seek out your other vms or physical or even host machine via network than a guest-host escape.

Generally speaking, not talking a targeted attack against your infrastructure - some paid hacker getting into a company through a vm that is exposed to the public net, etc. Just generally speaking its unlikely to have to be worried about a guest-host escape no matter what your running be it virtualbox, vmware workstation (type2) or something like esxi/xen/kvm (type1).

Should you be aware that such things can exist - sure! If your tinfoil hat is a bit tight, maybe you don't run the vm tools on your vm - this is generally going to be the attack vector currently. Must of the stuff I have seen has been against intel, so run amd cpus on your host ;)

But common sense would tell you not to allow your VMs to have rw to your host filesystem via vm sharing tools or setup, etc. And if your playing with bad code - you might want to isolate their network connectivity to the rest of your vms/host/local network.


#32 Geoffrey B.

Geoffrey B.

    LittleNeutrino

  • Tech Issues Solved: 9
  • Joined: 25-July 05
  • Location: Ohio
  • OS: Windows 8.1u1
  • Phone: Nokia Lumia 928 WP8.1u1

Posted 02 November 2012 - 18:31

i generally do not keep AV on my virtual machines.

#33 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 02 November 2012 - 19:35

I don't know of any publically available viruses that utilise it no, but the reason for that is because the people that know about these security flaws will be governments and incredibly sophisticated hackers, they won't be telling OEMs about them nor releasing POCs about them either but will use them discreetly in the shadows without anyone knowing.

#34 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 02 November 2012 - 20:08

"about these security flaws will be governments and incredibly sophisticated hackers"

So you think a virus scanner you got from mcafee or nod or whatever is going to protect against a government backed attack?

So as I was saying, generally speaking guest-host escapes is not something the general user base - say running some vms on my home lab box for example needs to be worried about protecting against. Other than making sure your VM software be it type1 or 2 is updated, and host os are patched and securely configured.

And in this context you could be pretty sure that this form of exploit is not going to be used when you download that keygen or hacked exe of some game or application or surf the dark underbelly of the net. What you should be concerned with is more that you can roll the vm back after you play with something like that. Or that the box does not become infected with the lastest worm that could infect your other vms/local network.

I think we are the same page yes?

#35 +goretsky

goretsky

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 12-March 04
  • Location: Southern California

Posted 04 November 2012 - 08:42

Hello,

There was a discussion not too long ago of the Windows version of OSX/Crisis infecting virtual machines, and I though the Koobface malware contained an exploit for VMware that allowed it to escape from the guest OS to the host OS, but I cannot seem to find an exact reference to it. I think this would have been around 2009-2010, though.

Regards,

Aryeh Goretsky

The recent one was fine if you use vmware, it was not vulnerable.

Here's some links to things about the bugs;
http://www.aidanfinn.com/?p=12837
http://technet.micro...lletin/ms11-047
http://blog.coresecu...ploit-ms10-102/



#36 +goretsky

goretsky

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 12-March 04
  • Location: Southern California

Posted 04 November 2012 - 09:00

Hello,

I am unsure of why McAfee or ESET of any of the other anti-malware programs would not protect you. They detect various pieces of malware such as ACAD/Medre, OSX/Lamadai, Win32/Duqu, Win32/Flamer, Win32/Georbot, Win32/R2D2 and Win32/Stuxnet which are generally acknowledged to be created (or tacitly approved by) various nation-states around the globe.

While it seems ludicrous that an anti-malware company might be fettered by the intelligence apparatus of the country in which it is headquartered, even if you were not to rule that out of hand, there are anti-malware companies located in countries around the world that are mutually antagonistic towards each other, and I could see a Chinese or a Russian anti-malware company treating malware created by an American or European government as a PR goldmine. The truth of the matter, though, is that governments are going to be pretty unlikely to inform anti-malware companies of malware they have developed or are using, since that violates the whole point of using malware in the first place: Plausible deniability.

Regards,

Aryeh Goretsky

"about these security flaws will be governments and incredibly sophisticated hackers"

So you think a virus scanner you got from mcafee or nod or whatever is going to protect against a government backed attack?

So as I was saying, generally speaking guest-host escapes is not something the general user base - say running some vms on my home lab box for example needs to be worried about protecting against. Other than making sure your VM software be it type1 or 2 is updated, and host os are patched and securely configured.

And in this context you could be pretty sure that this form of exploit is not going to be used when you download that keygen or hacked exe of some game or application or surf the dark underbelly of the net. What you should be concerned with is more that you can roll the vm back after you play with something like that. Or that the box does not become infected with the lastest worm that could infect your other vms/local network.

I think we are the same page yes?