Host like a Fort Knox

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Hello,
If you had a PC with a host and a VM, which programs would you install on the host to be as sure as possible that nothing that might escape the VM can modify/infect the host? The ideal solution is to prevent any changes, not to be able to undo them.

Thank you
 

Deleted member 178

Sandboxie paid version with the shared folder isolated.
 

LabZero

Regarding the malware, some of it checks whether it is virtualized or started in a debugger and acts accordingly, to make dynamic analysis more complex, or to impersonate a non-malicious program when analyzed.

Then, there are some flaws in virtualization software that have been published, but they are quite rare and rarely exploited.

However, given that much malware tends to try to replicate over the network, if the virtual machine has some kind of network access, that could prove a problem. If you leave the VM on 'NAT', it is free to access resources within your LAN (router, access point, printers, other Windows machines) to try to break out, and obviously there is a risk that the malware connects to the internet.
For this reason it is necessary that the VM is "virgin", without any email account, personal data etc., and above all that there is no network sharing.

It is essential to work on the VM settings; in doing so, the real risk that "something" may escape from the VM and infect the host is quite low.
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Regarding the malware, some of it checks whether it is virtualized or started in a debugger and acts accordingly, to make dynamic analysis more complex, or to impersonate a non-malicious program when analyzed.

Then, there are some flaws in virtualization software that have been published, but they are quite rare and rarely exploited.

However, given that much malware tends to try to replicate over the network, if the virtual machine has some kind of network access, that could prove a problem. If you leave the VM on 'NAT', it is free to access resources within your LAN (router, access point, printers, other Windows machines) to try to break out, and obviously there is a risk that the malware connects to the internet.
For this reason it is necessary that the VM is "virgin", without any email account, personal data etc., and above all that there is no network sharing.

It is essential to work on the VM settings; in doing so, the real risk that "something" may escape from the VM and infect the host is quite low.

Thank you.
I remember there was a discussion about whether a bridged or NAT connection is safer. If I remember well, even though NAT had some flaws, it was the safest choice.
With network sharing, do you mean having other devices on the same network/router, or internet access in general?

Independent from this, what programs would you use on the host to protect it from anything that could escape from the VM?
I have some ideas on the best BB to use (asked in another thread) but would like to get other experts' thoughts. :)
 

LabZero

Thank you.
I remember there was a discussion about whether a bridged or NAT connection is safer. If I remember well, even though NAT had some flaws, it was the safest choice.
With network sharing, do you mean having other devices on the same network/router, or internet access in general?

Independent from this, what programs would you use on the host to protect it from anything that could escape from the VM?
I have some ideas on the best BB to use (asked in another thread) but would like to get other experts' thoughts. :)
Well, I currently use F-Secure IS 2015, and DeepGuard protection is very reactive.
Also, Emsisoft offers good behaviour protection.
As a standalone product, independent of the antivirus you have installed, I remember PC Tools ThreatFire, a great tool that is unfortunately not developed anymore but still valid, though I don't know if it is Win 10 compatible.

About network sharing: yes, other devices on the same network. And once a VM is installed, with system extensions and guest additions (drivers), be careful not to create links (network drives or otherwise) between the host system and the virtualized one (guest), paying attention to shared folders.

Example: VirtualBox

Chapter 4. Guest Additions
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Isolate the VM from accessing / interacting with the Host PC.
- Disable shared features; files, networking, clipboard etc.
- Disable drag-n-drop.
- Don't create a risk on the VM that could affect your network of devices.

Install an Antivirus or Security solution on both VM and Host PC.

Treat the VM as your own personal PC. No malware downloading.
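The isolation settings LabZero and Ink list above (no shared folders, no clipboard or drag-and-drop, no bridged networking), turned into a check as an added example that is not from the thread or from VirtualBox itself. It parses the key="value" lines that `VBoxManage showvminfo <vm> --machinereadable` prints and assumes the key names `clipboard`, `draganddrop`, `nicN` and `SharedFolderNameMachineMappingN` as VirtualBox emits them; the two inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a VirtualBox VM for the isolation
# settings discussed above (clipboard, drag-and-drop, shared folders, NIC mode).
# It reads the key="value" lines that `VBoxManage showvminfo <vm> --machinereadable`
# prints; the two inputs below are constructed to look like that output.

# Print the number of isolation problems found in FILE; details go to stderr.
vm_isolation_findings() {
    _file=$1; _n=0
    # Clipboard sharing and drag-and-drop must both be "disabled" (missing = fail).
    for _key in clipboard draganddrop; do
        _val=$(sed -n "s/^${_key}=\"\(.*\)\"/\1/p" "$_file")
        [ "$_val" = "disabled" ] || { echo "FAIL: $_key='$_val'" >&2; _n=$((_n + 1)); }
    done
    # Every shared folder is a host<->guest file link; count each one.
    _shares=$(grep -c '^SharedFolderNameMachineMapping' "$_file" || true)
    [ "$_shares" -eq 0 ] || { echo "FAIL: $_shares shared folder(s)" >&2; _n=$((_n + _shares)); }
    # Bridged, host-only or internal adapters reach the LAN or host; only nat/none pass.
    for _nic in $(sed -n 's/^nic\([0-9]*\)="\(.*\)"$/\1:\2/p' "$_file"); do
        case ${_nic#*:} in
            nat|none) ;;
            *) echo "FAIL: nic${_nic%%:*}=${_nic#*:}" >&2; _n=$((_n + 1)) ;;
        esac
    done
    echo "$_n"
}

# Constructed samples in showvminfo --machinereadable form (not real VM output).
LEAKY=$(mktemp); HARDENED=$(mktemp)
cat > "$LEAKY" <<'EOF'
name="malware-lab"
clipboard="bidirectional"
draganddrop="hosttoguest"
nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"
SharedFolderNameMachineMapping1="exchange"
SharedFolderPathMachineMapping1="/home/analyst/exchange"
EOF
cat > "$HARDENED" <<'EOF'
name="malware-lab"
clipboard="disabled"
draganddrop="disabled"
nic1="nat"
nic2="none"
EOF
echo "leaky VM findings: $(vm_isolation_findings "$LEAKY")"        # 4
echo "hardened VM findings: $(vm_isolation_findings "$HARDENED")"  # 0
```

Run it against a real VM with `VBoxManage showvminfo "<vm>" --machinereadable > vm.txt; vm_isolation_findings vm.txt`; any non-zero count means the guest still has a link to the host or LAN.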
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Thank you for your suggestions. :)
My idea is to have a dedicated PC to be used as a "tanker"... it will be used to go everywhere, also on probably dubious/dangerous sites, and to run probably dangerous programs.
With your suggestions I make it more difficult for a program to escape the VM.
This is my first line of defence.
The second is the host, which I would like to have like a Fort Knox.
I have a backup, the 3rd line of defence, but would like to avoid as much as possible the risk, even if low, of infecting parts that cannot be detected/deleted (BIOS, device firmware, router, ...).
I was thinking of using Emsisoft on the host because of its BB, VoodooShield as anti-exe, and an anti-exploit (MB, HMP).
Umbra suggested running the VM with the Sandboxie paid version.
I used the free one until now to test some safe programs, but saw how some managed to escape from it and keep track that they were already installed.
I never used Comodo but saw many members here using it and suggesting it.
What do you think, would it be a good idea to use Comodo Firewall on high/max settings on the host with the other programs above (not sure it is compatible with them too)?
Thank you

P.S. If a browser in the VM accesses a bad URL, will the AV on the host detect it if the URL is in its database, or can it not "see" it, as I know it cannot see what is happening inside the VM?
 
