To those testing malware: Do you test (in a VM) on your normal computer or a dedicated computer?


steel9

Level 4
Verified
I am interested in starting to test malware in a virtualized environment. Not only static analysis, but also executing the samples. From what I've read it should be pretty safe as long as you're using an up-to-date version of the VM software (VirtualBox in my case), only read-only shared folders, NAT for the VM, and a VPN. But there's always a possibility that the malware can escape from the VM if there's a vulnerability in the virtualization software.

So, what I am asking (to those who test malware): do you test malware in a VM on your normal computer (which you use for normal tasks, banking for example), or is it worth it to test malware in a VM on a separate host PC? Also, do you use your normal network for malware testing (with a VPN of course), or do you have a separate network only for malware testing? Thanks.

Peter2150

Level 7
Verified
I test malware in a VM on my normal computer. BUT. I use VMware Workstation v12 as it has a top-notch reputation. All my security software is not only on the host, but also on the guest. Basically I am testing how good my security software is. Also one of the key components is AppGuard. On the host all my VMware processes are listed as guarded apps. That way its Memory Guard enhances the isolation.

shmu26

Level 83
Verified
Trusted
Content Creator
If you test on VM you still have to worry about connections to other computers on your local network, because of network worms.
Also, your malware might start spamming over the internet, and you might get a warning from your ISP.

boredog

Level 9
I test on my host with VirtualBox BUT I am in shadow mode on my host before opening the VM, just in case. I also have AppGuard on my host but not in the VM, because with that in your VM, I think it will stop anything from running? I only install whatever software I am testing in the VM.

HarborFront

Level 47
Verified
Content Creator
Are you testing sandbox-evasive malware or are you testing the security vulnerability of your VM software?

If it's the former then your VM is likely to be useless. Imagine such malware that can sleep for 3 days before it wakes up to do its damage.

If it's the latter then, I believe, a lot of malware should get through if there are 'holes' in the VM software.

And if you meet sandbox-evasive and AV-evasive malware then your sandbox/virtualization and AV software are useless.

:rolleyes:

Deleted Member 3a5v73x

I always make sure I have shared folders and drag & drop disabled and the VPN is on in VMware. Sometimes, when I am too lazy to do snapshots, I use Shadow Defender in the VM. I consider VMware safe to use for malware testing; I believe there is more of a chance of getting struck by lightning than of encountering malware which exploits VMware and escapes, but I have seen Sandbox/VM-aware malware. If I wanted serious testing to see the real damage caused by malware, I would do it on a dedicated PC, with my host system image cloned and without VMware, just with something like Rollback RX to revert fast to a clean baseline.
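The isolation settings the first post and the post above describe (NAT only, shared folders read-only, drag & drop and clipboard off) can be checked before every detonation. This is an added example, not code from the thread; it parses the human-readable output of `VBoxManage showvminfo <vm>`, and the line formats it expects are assumed from recent VirtualBox releases (adjust the regexes if your version prints them differently).

```python
"""Audit a VirtualBox guest's isolation settings before detonating samples in it.
Added example: checks NICs are NAT, clipboard/drag-and-drop are off and shared
folders are read-only, from ``VBoxManage showvminfo <vm>`` output (line
formats assumed from recent VirtualBox releases)."""
import re
import subprocess
import sys

# Constructed sample output, trimmed to the lines this audit looks at.
SAMPLE = """\
NIC 1:                       MAC: 080027A1B2C3, Attachment: Bridged Interface 'eth0', Cable connected: on
NIC 2:                       disabled
Clipboard Mode:              Bidirectional
Drag and drop Mode:          disabled
Shared folders:
Name: 'drop', Host path: '/home/analyst/drop' (machine mapping), writable
Name: 'tools', Host path: '/home/analyst/tools' (machine mapping), readonly
"""

NIC_RE = re.compile(r"NIC \d+:\s+MAC: \S+, Attachment: ([^,]+)")
MODE_RE = re.compile(r"(Clipboard Mode|Drag and drop Mode):\s+(\S+)")
SHARE_RE = re.compile(r"Name: '([^']+)', Host path: '([^']+)'.*, (writable|readonly)")


def audit(showvminfo: str) -> list[str]:
    """Return a list of risky settings; an empty list means the VM looks isolated."""
    findings = []
    for line in showvminfo.splitlines():
        # Bridged/host-only/internal adapters put the guest on the LAN (network-worm exposure).
        if (m := NIC_RE.match(line)) and not m.group(1).startswith("NAT"):
            findings.append(f"network: {m.group(1).strip()} (use NAT)")
        if (m := MODE_RE.match(line)) and m.group(2).lower() != "disabled":
            findings.append(f"{m.group(1)}: {m.group(2)} (disable it)")
        if (m := SHARE_RE.match(line)) and m.group(3) == "writable":
            findings.append(f"shared folder '{m.group(1)}' -> {m.group(2)} is writable")
    return findings


def audit_vm(name: str) -> list[str]:
    """Audit a real VM; needs VBoxManage on the host's PATH."""
    out = subprocess.run(["VBoxManage", "showvminfo", name],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    findings = audit_vm(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE)
    for finding in findings:
        print("RISK:", finding)
    sys.exit(1 if findings else 0)
```

Run it with the VM name as the argument to audit a real guest; without arguments it audits the constructed sample, which reports the bridged adapter, the bidirectional clipboard and the writable 'drop' folder.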

XhenEd

Level 27
Verified
Trusted
Content Creator
I voted "(In a VM) on my normal computer".

Just like Peter, I tested malware (static and dynamic execution) in a VM on my personal/regular laptop. But instead of VMware, I used VirtualBox. On the host, I guarded VirtualBox's processes through AppGuard. :)

But I have stopped malware testing already. :)

Peter2150

Level 7
Verified
Only one time did I have to help a vendor and test a piece of ransomware on a live real computer with data on multiple internal disks. It did have a field day on all three disks. But I protected the machine with Shadow Defender, which can protect all the disks. One reboot and the machine was clean. I don't recommend testing this way, but the machine was protected.

Deleted member 65228

Anti VM Tricks
How to counter these types of Malware?
Control the malware. Put yourself in the driver's seat and give yourself control over what the sample can and cannot do on the system in real time, and conceal evidence of it being controlled. That way, in situations like that, you can spoof data returns... Even if the result would signify a virtual environment, you'll be controlling the data the sample actually comprehends -> now it is tricked.

There's no easy way for you to go about it. You need to gain experience in software development and undocumented topics in Windows. The whole "Windows Internals" will open up a gate for you into understanding how to subvert anti-debugging/anti-analysis in dynamic form. Norton used to post a lot about undocumented things for anti-reversing in the early days (e.g. 2006-2009), but I don't know if they still do. I did read an exceptional PDF, which I believe was from them, about kernel-mode attacks recently though.

Daljeet

Level 6
It is safe to test in a VM as long as the user knows what he/she is doing.

Even so, I will just leave this here (1st post):
How I got infected last time thread
@Soulweave, have you seen any change in malware, like hiding when executing in a VM and hiding its malicious activity? Is there anything else we have to take care of? I want to know how nasty today's malware is. Are they using any special techniques to puzzle malware hunters, like I posted above?

Soulweave

Moderator
Verified
Content Creator
Staff member
@Soulweave, have you seen any change in malware, like hiding when executing in a VM and hiding its malicious activity? Is there anything else we have to take care of? I want to know how nasty today's malware is. Are they using any special techniques to puzzle malware hunters, like I posted above?
I am no longer the best person to ask such a question. As you can see from the post I linked, I retired from testing after the incident.

bribon77

Level 29
Verified
You had a bad experience, but that can happen to anyone. We are at risk of playing with fire. I try malware all the time, but nobody is free of errors.