By Staff How to perform dynamic malware testing [for Hub testers]


LabZero

Thread author
I didn't know about testing in offline mode; I only know now because I want to teach myself how to clean up an infected system.
The first objective is the safety of the tester and his data, but then everyone can decide how best to do it.
The problem of data theft, as said multiple times, concerns just SD because it virtualizes the current session and the data that it may contain.
Using a VM the problem does not exist because usually it does not contain personal data unless you add them, but this would not make sense: the VM should be just for testing purposes.

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Just some remarks:

Never test a script-based downloader with the internet disconnected :D or don't test it with Shadow Defender :)
(I am sure some people have already made the mistake :p )

- How to know if the script you want to test is a downloader?
=> see the details on VT/Hybrid/etc. before, or for an unknown sample, don't take the risk: consider it a downloader :)

- Some script downloaders wait for a connection to be available (a loop): always be sure the sample isn't running when you decide to stop the tests and connect back to the internet.
 
Last edited:
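The last remark above (a looping script downloader may still be alive when you plug the network back in) is the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from the thread or from any of its posters: a small "safe to reconnect" gate that inspects a process snapshot and flags anything that suggests the sample is still running. The snapshot format, the `SCRIPT_HOSTS` list, the sample path `C:\samples\invoice.js` and the placeholder hash are all assumptions constructed for the demonstration; the `live_snapshot()` helper uses the `psutil` package if you have it installed, otherwise the constructed snapshot is used.

```python
"""Pre-reconnect check for a dynamic-analysis VM (added example).

Assumptions (not from the thread): the sample is a file whose path and
SHA-256 you know, and a process snapshot is available either from psutil
(if installed) or from a constructed list for offline use.
"""
import hashlib
import ntpath

# Script hosts that a script-based downloader typically runs under (assumed list).
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
    "mshta.exe", "cmd.exe", "python.exe",
}


def sha256_file(path: str) -> str:
    """SHA-256 of a file on disk, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def blocking_processes(processes, sample_path, sample_sha256):
    """Return the processes that mean the sample may still be running.

    processes: iterable of dicts with keys pid, name, exe, cmdline, sha256
               (sha256 may be None when the image could not be hashed).
    A process blocks reconnection if:
      * its image hash equals the sample hash (a dropped/renamed copy), or
      * its command line references the sample path, or
      * it is a script host whose command line mentions the sample's directory.
    Paths are compared as Windows paths (ntpath), case-insensitively.
    """
    sample_abs = sample_path.lower()
    sample_dir = ntpath.dirname(sample_abs)
    hits = []
    for p in processes:
        name = (p.get("name") or "").lower()
        cmd = " ".join(p.get("cmdline") or []).lower()
        reasons = []
        if p.get("sha256") and p["sha256"].lower() == sample_sha256.lower():
            reasons.append("image hash matches sample")
        if sample_abs in cmd:
            reasons.append("command line references sample path")
        elif name in SCRIPT_HOSTS and sample_dir and sample_dir in cmd:
            reasons.append("script host running from sample directory")
        if reasons:
            hits.append({"pid": p.get("pid"), "name": name, "reasons": reasons})
    return hits


def safe_to_reconnect(processes, sample_path, sample_sha256) -> bool:
    """True only when nothing in the snapshot points back at the sample."""
    return not blocking_processes(processes, sample_path, sample_sha256)


def live_snapshot():
    """Collect a real snapshot with psutil (optional dependency, imported lazily)."""
    import psutil
    snap = []
    for proc in psutil.process_iter(["pid", "name", "exe", "cmdline"]):
        info = proc.info
        digest = None
        try:
            if info.get("exe"):
                digest = sha256_file(info["exe"])
        except OSError:
            pass  # image unreadable or gone; hash stays None
        snap.append({**info, "sha256": digest})
    return snap


# Constructed snapshot for offline demonstration (not real data).
SAMPLE_PATH = r"C:\samples\invoice.js"
SAMPLE_SHA256 = "deadbeef" * 8  # placeholder hash, constructed
CONSTRUCTED_SNAPSHOT = [
    {"pid": 4, "name": "System", "exe": None, "cmdline": [], "sha256": None},
    {"pid": 1234, "name": "wscript.exe", "exe": r"C:\Windows\System32\wscript.exe",
     "cmdline": ["wscript.exe", r"C:\samples\invoice.js"], "sha256": "11" * 32},
    {"pid": 2222, "name": "explorer.exe", "exe": r"C:\Windows\explorer.exe",
     "cmdline": ["explorer.exe"], "sha256": "22" * 32},
    {"pid": 3333, "name": "svchost.exe", "exe": r"C:\Users\test\AppData\Local\Temp\svc.exe",
     "cmdline": ["svc.exe"], "sha256": "deadbeef" * 8},
]

if __name__ == "__main__":
    try:
        snapshot = live_snapshot()
    except ImportError:
        snapshot = CONSTRUCTED_SNAPSHOT
    for hit in blocking_processes(snapshot, SAMPLE_PATH, SAMPLE_SHA256):
        print(f"pid {hit['pid']} {hit['name']}: {', '.join(hit['reasons'])}")
    print("safe to reconnect:", safe_to_reconnect(snapshot, SAMPLE_PATH, SAMPLE_SHA256))
```

Run it inside the analysis VM before re-enabling the network adapter; on the constructed snapshot it reports the `wscript.exe` instance that was launched with the sample path and the renamed `svchost.exe` copy whose image hash equals the sample's, and answers "safe to reconnect: False". A clean snapshot answers True. It is deliberately conservative: a script host merely running from the sample's directory is enough to block, because a downloader loop usually lives in the host process rather than in the script file itself.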

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
The dynamic test has to be run with an active internet connection for the reasons mentioned by @DardiM and because anti-malware technologies need server connections.
I strongly recommend using a VPN in the virtual machine, which usually shares the host IP.
This is to avoid the malware being able to process our real IP!
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Hi! Are tests reliable if I test on a PC partition? (multiboot)

(no personal information on the PC)
Not sure I have correctly understood, but also on multiboot systems it is necessary to use a virtualized environment.
Even if you have no personal data on that system, if you have another home/work multiboot system there is a risk that a specific malware such as bootkits or advanced rootkits can infect this system.
 

Dirk41

Level 17
Verified
Top Poster
Well-known
Mar 17, 2016
797
Not sure I have correctly understood, but also on multiboot systems it is necessary to use a virtualized environment.
Even if you have no personal data on that system, if you have another home/work multiboot system there is a risk that a specific malware such as bootkits or advanced rootkits can infect this system.

I never use it; I use it only to try programs before deciding if it's worth installing them on my "official" devices.
So even if the malware could infect another partition (with another OS, Linux or W) I don't care. I can't install a VM there, poor hardware.

It's a netbook that still works.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
I never use it; I use it only to try programs before deciding if it's worth installing them on my "official" devices.
So even if the malware could infect another partition (with another OS, Linux or W) I don't care. I can't install a VM there, poor hardware.

It's a netbook that still works.
If the system is used only for testing then there is no problem; the important thing is not to share personal data (by mistake) with that system.
 

Dirk41

Level 17
Verified
Top Poster
Well-known
Mar 17, 2016
797
If the system is used only for testing then there is no problem; the important thing is not to share personal data (by mistake) with that system.

Sure, it is not even connected to / sharing folders with other PCs.
Anyway, could malware spread even to other partitions, even if there is a different OS in each partition? Thank you.

I suppose yes, because I can move files.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Sure, it is not even connected to / sharing folders with other PCs.
Anyway, could malware spread even to other partitions, even if there is a different OS in each partition? Thank you.

I suppose yes, because I can move files.
Depending on the malware, yes; that's why it would be better to always use a VM in this context as well.
Windows malware does not infect Linux, but Linux can become an infection vector if you insert the USB devices there and then insert them in Windows, for example.
 
Last edited:

Wave

Thread author
I suppose yes, because I can move files.
From Linux, if the Linux malware can access the Windows files, it can infect a file on that partition with that OS installation, so you become infected on Windows when you use it, and vice versa. But the malware author would need to be knowledgeable in both Linux and Windows malware development to pull this off, and it'd be tricky to do it correctly without messing up, with a high chance of success.

For example, the malware author patches a program present on your Windows installation from within the Linux environment, which happens to be auto-started at boot on Windows (based on registry configuration), so when it runs the malicious code is executed, since the Linux malware had accessed this file on the Windows system and patched it; now the infection payload is executed (or, in terms of a virus, it spreads now when infected programs are run, etc.).

The list can go on with scenarios.

But honestly I have never even seen this happen before :D I just thought of the theory, and yes, in terms of theory what I just said can be done, but like I said you'd need knowledge of both Linux and Windows development to pull this off.
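The scenario above (an auto-started Windows program patched from another OS on the same disk) is something a tester can detect after the fact with a file-integrity baseline, which is also what you would want before deciding whether a restore is needed. The following is an added example, not code from the thread or from any poster: it hashes a list of executable paths before the test, hashes them again afterwards, and classifies each as modified, removed, appeared or unchanged. The list of paths is an assumption (you would feed it the targets of your Run keys and Startup folder); the `demo()` function builds a constructed scenario in a temporary directory where one binary is patched in place without changing its size and another is deleted.

```python
"""Baseline-and-diff for auto-start executables (added example).

Assumptions (not from the thread): you supply the executable paths you
care about, take a baseline before testing and compare afterwards.
Size alone is not trusted; SHA-256 is what decides "modified".
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """SHA-256 of a file on disk, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to (size, sha256); a path that cannot be read is recorded as None."""
    baseline = {}
    for p in paths:
        try:
            st = os.stat(p)
            baseline[p] = (st.st_size, sha256_file(p))
        except OSError:
            baseline[p] = None
    return baseline


def diff_baseline(before, after):
    """Classify every path seen in either baseline.

    modified: present in both with a different (size, hash)
    removed:  present before, missing after
    appeared: missing before, present after
    unchanged: identical record in both
    """
    result = {"modified": [], "removed": [], "appeared": [], "unchanged": []}
    for p in sorted(set(before) | set(after)):
        b, a = before.get(p), after.get(p)
        if b == a:
            result["unchanged"].append(p)
        elif b is not None and a is None:
            result["removed"].append(p)
        elif b is None and a is not None:
            result["appeared"].append(p)
        else:
            result["modified"].append(p)
    return result


def demo():
    """Constructed scenario (not real data): one autostart binary is patched
    in place with its size preserved, another is deleted."""
    with tempfile.TemporaryDirectory() as d:
        updater = os.path.join(d, "updater.exe")
        helper = os.path.join(d, "helper.exe")
        with open(updater, "wb") as f:
            f.write(b"MZ original updater bytes")
        with open(helper, "wb") as f:
            f.write(b"MZ helper")
        before = build_baseline([updater, helper])

        # Same length, one byte different: size checks alone would miss this.
        with open(updater, "wb") as f:
            f.write(b"MZ original updater byteX")
        os.remove(helper)
        after = build_baseline([updater, helper])
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {os.path.basename(p)}")
```

In practice you would take the baseline on the clean image, run the test, then run the diff from a trusted environment (a clean boot or the host) rather than from the possibly infected system, since a rootkit on the tested system could lie about file contents. Anything under "modified" or "appeared" among your autostart entries is a reason to restore the image rather than trust the system.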
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Sure, it is not even connected to / sharing folders with other PCs.
Anyway, could malware spread even to other partitions, even if there is a different OS in each partition? Thank you.

I suppose yes, because I can move files.

Please remember that malware can infect other devices on the same network, IoT and your router.
How will you restore the system to the previous (clean) status?
 

Dirk41

Level 17
Verified
Top Poster
Well-known
Mar 17, 2016
797
Thank you for your interest: as said before, not connected with other devices on the network. No IoT in my home.
The router: well, I did not think about that :D thank you.
Is it enough to turn off wifi?

Restore: image of the disk or recovery partition.

I would put that netbook in the junk otherwise.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Thank you for your interest: as said before, not connected with other devices on the network. No IoT in my home.
The router: well, I did not think about that :D thank you.
Is it enough to turn off wifi?

Restore: image of the disk or recovery partition.

I would put that netbook in the junk otherwise.
Yes, it is enough to turn off wifi if you have not also connected the network cable.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
You turn off the wifi too? What do you do? A VPN? With a VPN it would not infect a router?
Mainly I do static malware analysis, so the problem doesn't exist.
In the case of dynamic analysis, it is necessary to have the internet connection active to identify domains and packets related to malware, using in my case Cyberghost VPN.
I've never had router infections until now, but in that case I reset the router to the factory settings.

Edit: a VPN does not protect your router from targeted malware infection.
 
Last edited:
