Is testing malware inside sandbox or vm safe?

Dieselman

Level 1
Thread author
Mar 26, 2011
762
If you really want to be a malware tester then use a system image. Malware can and will jump out of a sandbox.
 

win7holic

New Member
Apr 20, 2011
2,079
RE: Virtualization Software on 64-bit OS

Dieselman said:
If you really want to be a malware tester then use a system image. Malware can and will jump out of a sandbox.

Malware can and will jump out of a sandbox...? :D
I think... you must learn how to use it and how it works.
 

LaserWraith

Level 1
Feb 24, 2011
497
RE: Virtualization Software on 64-bit OS

Dieselman said:
If you really want to be a malware tester then use a system image. Malware can and will jump out of a sandbox.

You forgot to mention how it jumps out.
 

Tom172

Level 1
Feb 11, 2011
1,009
RE: Virtualization Software on 64-bit OS

Dieselman said:
If you really want to be a malware tester then use a system image. Malware can and will jump out of a sandbox.

hmmm...Does it use a trampoline?
 

HeffeD

Level 1
Feb 28, 2011
1,690
RE: Virtualization Software on 64-bit OS

Actually, there is malware that can recognize if it's within a sandbox and will not deploy. Then if you happen to access it when it isn't sandboxed, it will run.
 

bogdan

Level 1
Jan 7, 2011
1,362
RE: Virtualization Software on 64-bit OS

There are tools available that you can use to add anti-sandbox and anti-debugging features to your malicious program. It is possible for a malicious program to detect that it is running inside a sandboxed environment. It is not impossible for a malicious program to escape a VM and infect the host, but in most cases this means that the malware was programmed to do exactly that. Fortunately most malware authors don't care about this issue. Their main concern is to infect the majority of PCs and they can do that without worrying about VMs. With that being said, nothing is bulletproof and having a backup is the right thing to do just in case something bad happens.

Note: Almost all the off-topic fun was removed from this thread.
 
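One practical consequence of the sandbox-detection behaviour bogdan and HeffeD describe is that an analyst can often spot it statically before ever running a sample: a file that embeds hypervisor, sandbox or debugger artifact names is likely to check for them and stay dormant in a VM. The Python triage check below is an added example, not code from this thread; the indicator list is illustrative rather than exhaustive and the byte blob it scans is constructed to stand in for a real dropper.

```python
import re

# Artifact names commonly referenced by samples that test for a hypervisor,
# a sandbox, or an attached debugger (illustrative list, constructed here).
EVASION_INDICATORS = {
    "vmware": [b"vmware", b"vmtoolsd", b"vmmouse", b"VMwareService"],
    "virtualbox": [b"VBOX", b"VBoxService", b"VBoxTray", b"VBoxGuest"],
    "sandboxie": [b"SbieDll.dll", b"Sandboxie"],
    "debugger": [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                 b"NtQueryInformationProcess"],
}

# Printable runs of 5+ characters, in ASCII and in UTF-16LE (Windows wide strings).
ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(data: bytes) -> list[str]:
    """Pull printable ASCII and UTF-16LE strings from a byte blob, like strings(1)."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found


def find_evasion_indicators(data: bytes) -> dict[str, list[str]]:
    """Map each indicator category to the embedded strings that reference it.

    An empty dict means no anti-VM / anti-debug artifact names were found;
    a non-empty one is a hint that the sample may refuse to run in a sandbox.
    """
    strings = extract_strings(data)
    hits: dict[str, list[str]] = {}
    for category, needles in EVASION_INDICATORS.items():
        matched = sorted({s for s in strings
                          for n in needles if n.decode().lower() in s.lower()})
        if matched:
            hits[category] = matched
    return hits


# Constructed sample blob mimicking fragments of a dropper: an API import name,
# a UTF-16LE service name, a driver path and a Sandboxie DLL name amid junk bytes.
SAMPLE = (b"\x00\x01MZ\x90\x00padding\x00IsDebuggerPresent\x00garbage\xff\xfe"
          + "VBoxService.exe".encode("utf-16-le") + b"\x00\x00"
          + b"C:\\Windows\\System32\\drivers\\vmmouse.sys\x00SbieDll.dll\x00hello world")

if __name__ == "__main__":
    for category, matches in find_evasion_indicators(SAMPLE).items():
        print(f"{category}: {matches}")
```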

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Interesting topic... Yes, there are a lot of malware pieces out there that won't run in a virtual environment (with anti-sandbox and anti-debugging features) and if someone starts testing in a VM, very soon they will see this fact with their own eyes. :D
I've been "playing" with malware samples in a VM Workstation for almost 3 years and I never managed to see a malware sample that can "jump" out of the VM... I'm not saying it's impossible but I've never seen any malware sample capable of doing that while in a VM Workstation. :p
To prevent any possible damage that an eventual leak might provoke to your host PC it would be a good idea to always run the Virtual Machine on a dedicated testing PC, always have a system image to use as a backup and have solid security on your host.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Also, even if you use a junk PC it's necessary to have a real-time AV sitting there.
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
Been using VMs for 5 years and never has a piece of malware smiled at me and jumped out onto my host PC. Hope it stays that way.
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
Whenever VMware alerts me of an update I do it straight away, probably why I haven't encountered it. And that I use Secunia software to keep me up to date.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Well, those are clever, to make sure that the malware will not run in a sandbox or virtual machine and is made only to run on a real system.
 

HeffeD

Level 1
Feb 28, 2011
1,690
MrXidus said:
Been using VMs for 5 years and never has a piece of malware smiled at me and jumped out onto my host PC. Hope it stays that way.

Yes, and there are people who say they've run multiple real-time AVs for years and have never had a problem. ;)

Malware getting out of virtual environments is a very real concern, but like Bogdan mentioned, most malware authors are going for the easy infections that will spread rapidly.

This fact is what amuses me about the people that set their AV's max. file size to xxxGB to ensure that every single file is scanned. Sure there is large malware out there, but probably 99% (yes, I'm just pulling that number out of a hat...) of the malware out there is going to be smaller file sizes (less than 40 MB) just so they can spread rapidly. 2 GB malware isn't going to spread very quickly...

I know of a guy that runs his VMs in Sandboxie. :D
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
"VMs in Sandboxie."

Very amusing to hear that, but as for the malware getting out of V-Environments I do not see it as a concern... well, simply because it's never happened to me in my 5 years, but hey, I ain't saying it could and won't happen. It could very well happen the next time I test out an AV in a VM, and the day it happens I'm going to be surprised.

"Run multiple real-time AVs for years and have never had a problem."

I've now gone 504 days WITHOUT an antivirus. Infections in sight? Nope, all is well :p
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
I know some that would debate that, Valentin, but in my opinion, yes, my favored tool is common sense and my knowledge.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Knowledge and common sense are equivalent to using an AV, firewall, sandbox, etc.
 

Valentin N

Level 2
Feb 25, 2011
1,314
MrXidus said:
I know some that would debate that, Valentin, but in my opinion, yes, my favored tool is common sense and my knowledge.

AV is there to prevent people from installing bad things; average users usually think "WoW... cool, let's try it out" before doing some research.

I usually do research with various tools to see if an exe/msi file is safe and I also google it. It happens that I ask the Comodo staff to scan it and say if it's safe. This research that I do takes some minutes but it's worth it :)

I have CIS because I love the D+ and its concept. The AV is not needed but I have it just to have it ^^ :D
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
Got the firewall, Sandboxie; I do not need the AV, however. It all comes down to the user allowing themselves to get infected or not. Take my Google Images fake scanner page incident: I did not get infected by them because I did not download the .exes. That right there is because of my knowledge and common sense. I know it's malware and I know better than to run it; no AV needed to tell me otherwise.
 
