Protecting Host Machine from Malware escaping a VM.


Solarquest

Moderator
Staff member
AV-Tester
Jul 22, 2014
#61
N.nvt, thank you!
Yesterday I forgot one question: what about the router? How safe/weak is it? How can you protect it from malware that attempts to change the settings? The first step is to change the user name and password, the second to update the firmware, but then, what can be done? :)

What about BIOS, CMOS and MBR? How can they be protected and/or backed up?
For the VM, if internet access is blocked, then many pieces of malware might not activate, nor download other malware and show all their capabilities; the same goes for the AV, which cannot check using the cloud...
Does using a firewall on guest and host, NAT and a VPN allow a relatively safe way to grant access to the internet without compromising the security of the network too much (with a static IP)?
 

Solarquest

Moderator
Staff member
AV-Tester
Jul 22, 2014
#62
What sandbox program would you recommend?
About malware that infects the firmware of devices: can and will AVs be able to protect from these infections and to scan these firmwares (not sure the scan is possible as of now)? :(
 

Aura

Level 20
Jul 29, 2014
Operating System
Windows 10
Installed Antivirus
Emsisoft
#63
What VM software are you going to use for testing? VMware Workstation?
VMware Workstation is the safest virtual machine on the market, and with it there is a really slim chance of getting infected while using it... Why? If a malware can bypass the virtual machine software then it must have great code, and any good malware writer will have his malware poll running processes during startup of his app and look for virtual processes to prevent it from being run and analyzed in a virtual environment; basically, a well-coded piece of malware will crash or not run in a virtual environment.
I have been using a VM for quite a while and I have never seen a piece of malware that could actually escape from the VM and infect the system.

The web guard component of a security suite can interfere with your malware testing, so to not get interrupted you can disable it; however, there is no need to disable your antivirus engine while testing.

I know this is an old post but, Jack is right. I've never seen a malware that escaped a VM to infect the host system before. Neither on my computers, nor on the computers of people I've been assisting both IRL and online. These malwares exist, YES, but most of the time they have been created to target specific users and organisations or to bypass a certain specific piece of software. In fact, these kinds of malware are mainly ... "custom coded" for the specific situation they'll be used in. Yes, it's possible to come across a malware that will inject itself in your shared RAM and jump from the VM to the host system, it can happen, or will spread using the shared clipboard feature, etc., but these are still quite rare. It's like BIOS rootkits. They are very rare, made to be used in specific situations against specific people and organisations, so I doubt you'll ever get one if you know what you're doing. I don't say that you'll never get one, the chance is still there, but it's pretty low if you ask me.
Just my 2 cents on the matter.
 

MrBrian

New Member
May 25, 2014
#64
  • If there's a way for the malware to exchange information with the host. This can be over the network; in this respect, there's no difference between using a VM and using a separate physical machine, so you need to firewall the VM appropriately (allow only the bare minimum, and don't do anything that might allow the server to hijack the client, such as SSH with X forwarding).
There can be a difference. See post #58 for more details.
 
Nov 26, 2016
Operating System
Windows 10
Installed Antivirus
Avast
#65
If you're using hardware-based virtualization, the chances of malware escaping are nearly impossible, especially if you're running it in Hyper-V mode. There is a slight chance of it being done via a VM exploit, but it's very unlikely.

I personally still always run extra protection on the host system.
 
Feb 3, 2017
Operating System
Windows 10
Installed Antivirus
Kaspersky
#66
VMware machine adapter in NAT mode; limited user account on Windows 10; software restriction policies on the host that only allow running programs from the Program Files directories (x86 and 64).
 

vemn

Level 6
AV-Tester
Feb 11, 2017
#67
A question I always had, actually.
How secure is the hypervisor against "insider" attacks?
Security vendors primarily recommend securing the VMs first, with granular firewall configuration or HIPS.
 
Oct 16, 2015
Operating System
Windows 10
Installed Antivirus
Comodo
#69
Any advice on securing VMware hosts?

I am running ESXi in my home lab and wouldn't mind any tips other users have about securing their servers.
Without too much trouble: use a separate physical machine and a separate subnet for the VM.

Otherwise, stuff gets rather complex, although the VM by itself should be rather secure without any user intervention as far as tweaks and 3rd-party software are concerned.

For further, more detailed information, you should consult some of the malware testers around here; they'll have enough experience and knowledge on the subject.
 

SHvFl

Level 32
Content Creator
Verified
Nov 19, 2014
Operating System
Windows 10
Installed Antivirus
Emsisoft
#71
Demonstrating a now (silently) patched VMware escape

Good reminder that there are always going to be exploits. Sure, the important exploits are not used in everyday malware, but people testing malware should be aware that a leak might be possible, and a separate machine or a reset of the whole PC after you are done testing might be good practice.
 
May 22, 2017
#72
I run AppGuard on my host and have placed VMware in its Guarded Apps to mitigate any potential exploits via memory, and have isolated the guest from the host completely. Utilizing NAT networking does not allow the guest direct access to the network, although you will still want something on the host to monitor the network with.

Both Norton and ESET have excellent network monitoring/scanning, and both have proved to be quite reliable for this task. Combine them with AppGuard in Lockdown mode on the host when you fire up that VM, and the chances of anything nailing the network or host are now very slim. Setting a snapshot as stated above and resetting to it afterwards is also a good idea, and a practice I do without thinking nowadays.

I have run my share of malware through my VM over time, and have yet to have an incident.
 
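One way to check the guest isolation the thread keeps coming back to (NAT rather than bridged networking in posts #66 and #72, and the shared clipboard, drag-and-drop and shared-folder channels raised in post #63) is to audit the guest's .vmx file before running a sample. This is an added example, not code from the thread or from VMware; the key names are VMware's documented isolation.tools.* and ethernet*.connectionType settings, and the sample .vmx fragment is constructed for the example.

```python
"""Audit a VMware Workstation .vmx file for guest/host isolation settings."""
import re

# Keys that should be "TRUE" (feature disabled) on a malware-testing guest.
ISOLATION_KEYS = (
    "isolation.tools.copy.disable",   # guest -> host clipboard copy
    "isolation.tools.paste.disable",  # host -> guest clipboard paste
    "isolation.tools.dnd.disable",    # drag and drop across the boundary
    "isolation.tools.hgfs.disable",   # shared-folder (HGFS) server
)
SAFE_NETWORK_MODES = {"nat", "hostonly"}  # never "bridged" onto the LAN


def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.:]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit_vmx(text):
    """Return a list of findings; an empty list means the guest looks isolated."""
    cfg = parse_vmx(text)
    findings = []
    for key in ISOLATION_KEYS:
        if cfg.get(key, "").upper() != "TRUE":
            findings.append(f"{key} is not TRUE (feature still enabled)")
    for key, value in cfg.items():
        # Every NIC must be NAT or host-only so the guest cannot reach the LAN.
        if re.fullmatch(r"ethernet\d+\.connectiontype", key) and value.lower() not in SAFE_NETWORK_MODES:
            findings.append(f"{key} = {value} exposes the guest to the LAN")
        # Any mapped shared folder is a direct guest-to-host file path.
        if re.fullmatch(r"sharedfolder\d+\.present", key) and value.upper() == "TRUE":
            findings.append(f"{key}: shared folder mapped into the guest")
    return findings


# Constructed sample .vmx fragment with several weak settings.
SAMPLE_VMX = '''\
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
sharedFolder0.present = "TRUE"
'''
```

Running audit_vmx on the sample reports five findings (paste, drag-and-drop and shared folders still enabled, a bridged NIC, and a mapped shared folder); a hardened file returns an empty list.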