Protecting Host Machine from Malware escaping a VM.

Discussion in 'General Security Discussions' started by 3link9, Jan 18, 2012.

  1. Solarquest

    Solarquest Moderator
    Staff Member AV Tester

    Jul 22, 2014
    #61 Solarquest, Jul 24, 2014
    Last edited: Jul 24, 2014
    N.nvt, thank you!
    Yesterday I forgot one question, what about the router? How safe/weak is it? How can you protect if from malware that attemps to change the settings? First step is to change User name and password, second to update the firmware , but then, whan can be done? :)

    What about Bios, Cmos and MBR? How can they be protected and/or backed up?
    For the VM, if internet access is blocked, then many pcs of malware might not activate nor download other malware and show all capabilities, same for the AV that cannot check using the cloud.....
    Using firewall on guest and host, NAT and VPN allow a relatively safe way to grant access to internet without compromising too much the security of the network (with Static IP)?
  2. Solarquest

    Solarquest Moderator
    Staff Member AV Tester

    Jul 22, 2014
    What sandbox program would you recommend?
    About malware that infects firmare of devices, can and will AV be able to protect from these infections and to scan these firmwares (not sure the scan is possible as of now)?:(
  3. Aura

    Aura Level 20

    Jul 29, 2014
    Technical Support Tier 2
    Québec, Canada
    Windows 10
    I know this is an old post but, Jack is right. I've never seen a malware that escaped a VM to infect the host system before. Nor on my computers, nor on the computers of people I've been assisting both IRL and online. These malwares exists, YES, but most of the time, they have been created to target specific users and organisations or to bypass certain specific piece of software. In fact, these kind of malwares are mainly ... "custom coded" for the specific situation they'll be used in. Yes it's possible to come across a malware that will inject itself in your shared RAM and jump from the VM to the host system, it can happen, or will spread using the shared clipboard feature, etc. but these are still quite rare. It's like BIOS-Rootkits. They are very rare, made to be used in specific situations against specific people and organisations so I doubt you'll ever get one if you know what you're doing. I don't say that you'll never get once, the chance is still there but it's pretty low if you ask me.
    Just my 2 cents on the matter.
  4. MrBrian

    MrBrian New Member

    May 25, 2014
    There can be a difference. See post #58 for more details.
    Solarquest likes this.
  5. RejZoR

    RejZoR Level 7

    Nov 26, 2016
    Security Software Guru
    Windows 10
    If you're using hardware based virtualization, chances of malware escaping are nearly impossible, especially if you're running it in HyperV mode. There is a slight chance of being done via VM exploit, but it's very unlikely.

    I personally still always run extra protection on host system.
    SHvFl, Solarquest and Sr. Normal 2.0 like this.
  6. DC47561

    DC47561 Level 3

    Feb 3, 2017
    IT Support
    Windows 10
    VMWare machine adapter in NAT mode - Limited user account on Windows 10 - Software restriction policies including only run programs in the program files directories (x86 and 64) on host.
    vemn likes this.
  7. vemn

    vemn Level 6
    AV Tester

    Feb 11, 2017
    A question I always had actually.
    How secure is the hypervisor against "insider" Attack?
    Security vendors primarily will recommend securing the VMs first, granular fw configuration or HIPS.
  8. larry goes to church

    Mar 10, 2017
    Elementary OS
    Qihoo 360
    Any advise on securing VMWare hosts?

    I am running esxi in my home lab wouldn't mind any tips other users have about securing their servers.
    DracusNarcrym likes this.
  9. DracusNarcrym

    DracusNarcrym Level 19

    Oct 16, 2015
    Windows 10
    Without too much trouble, use a separate physical machine and a separate subnet for the VM.

    Otherwise stuff gets rather complex, although the VM by itself should be rather secure without any user intervention as far as tweaks and 3rd party software is concerned.

    For further, more detailed information, you should consult some of the malware testers around here, they'll have enough experience and knowledge on the subject.
    SHvFl likes this.
  10. TwinHeadedEagle

    TwinHeadedEagle Removal Expert
    Staff Member

    Mar 8, 2013
    Malware Removal, Gaming
    Windows 7
    #70 TwinHeadedEagle, Mar 15, 2017
    Last edited: Mar 15, 2017
    Spawn, XhenEd, SHvFl and 1 other person like this.
  11. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    Supermodel for McDonald's
    Windows 10
    Good reminder that there always going to be expoits. Sure the important exploits are not used at the everyday malware but people testing malware should be aware that a leak might be possible and a separate machine or reset of the whole pc after you are done testing might be a good practice.
  12. S3cur1ty 3nthu5145t

    May 22, 2017
    I run Appguard on my Host and have placed Vmware in its Guarded Apps to mitigate any potential exploits via memory, and have isolated the guest from the Host completely. Utilizing NAT networking does not allow the Guest direct access to the Network, although you will still want something on the Host to monitor the network with.

    Both Norton and Eset have excellent Network monitor/scanning, and both have proved to be quite reliable for this task. Combine them with Appguard in Lockdown mode on the Host when you fire up that VM, and chances of anything nailing the network or Host are now very slim. Setting a snapshot as stated above and resetting it after is also a good idea, and a practice i do without thinking now days.

    I have run my share of malware through my VM over time, and have yet to have an incident.
    Solarquest likes this.