Setting VM network for malware analysis

Raffaele

Nov 1, 2017
Hello to all,
I need to analyze a piece of malware for educational purposes.
How do I configure the network parameters to make sure the real machine is secure?
At this time I have a connection in NAT mode. Is it safe?
I need an internet connection because I need to analyze network traffic.
Thank you all.
 
For your requirements, I’d recommend NAT mode.

Please remember this:

NAT Mode: Your host computer (your own computer) will act as the given gateway to your network for your VM. No one on your network except your own computer will be able to see it since you will be on a separate network.

Bridged Mode (quite risky in my opinion in any situation): Your host computer (your own computer) will now share its own network connection with your VM. Your VM will be set up as if it was another computer on your network and everyone on the given network will see it and could potentially interact with it.

I say by all means please use NAT. For added security you could use a VPN on your physical computer (not the VM) to ensure that you're even more secure from a potential leak. This is a great question! Glad you asked this question on the forums.

Please remember to not share any folders or files between the VM and your physical computer. One can never be too safe. Just for added security I'd also recommend running a backup of your physical machine prior to the use of any malware samples - this is just my personal preference just in case.

Excellent question!
 
NAT mode is the best choice, but keep in mind that your IP is shared host/guest, so if you do dynamic malware analysis it is necessary to use a VPN at the host level to prevent some malware from processing your real IP, not for benevolent purposes for sure.

Indeed very true! I mentioned this in my posting as well. A VPN is a must, in this case, to ensure your host IP is not discovered. Windscribe free VPN is nice if you want to keep to a free VPN with 10 GB of traffic allowed.

From all of my experience, I use a VPN on my host computer, router, and for added security, I use it inside my VM too. While it slows stuff down a bit I know for sure my actual IP address is not leaked whatsoever.
 
If you really want you can actually share a folder but just make it read only.

Alternatively just upload files to the cloud :)
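The NAT-versus-bridged and no-shared-folders advice above is easy to check mechanically before a sample runs. This added example (not code from the thread or from any poster) assumes the guest runs under VirtualBox, whose `VBoxManage showvminfo <vm> --machinereadable` prints `key="value"` lines; the sample output and VM name below are constructed.

```python
"""Audit a VirtualBox VM's NIC modes and shared folders before a malware run."""
import re
import subprocess

# Constructed sample of showvminfo --machinereadable output for a poorly isolated VM.
SAMPLE_VMINFO = '''\
name="analysis-win10"
nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"
nic3="none"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/user/samples"
'''

KV_RE = re.compile(r'^([A-Za-z0-9_]+)="?(.*?)"?$')


def parse_vminfo(text):
    """Turn key="value" lines into a dict (quotes stripped, other lines ignored)."""
    info = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def audit(info):
    """Return findings: any NIC that is not NAT/disabled, and any shared folder."""
    findings = []
    for key, value in sorted(info.items()):
        if re.fullmatch(r"nic\d+", key) and value not in ("nat", "none"):
            # bridged (and host-only/internal) adapters expose the guest beyond the NAT boundary
            findings.append(f"{key} is '{value}'; use 'nat' (or 'none' for fully offline analysis)")
        if key.startswith("SharedFolderNameMachineMapping"):
            idx = key[len("SharedFolderNameMachineMapping"):]
            path = info.get(f"SharedFolderPathMachineMapping{idx}", "?")
            findings.append(f"shared folder '{value}' -> {path}; remove it or make it read-only")
    return findings


def audit_vm(vm_name):
    """Audit a real VM; assumes VBoxManage is on PATH."""
    out = subprocess.run(["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
                         check=True, capture_output=True, text=True).stdout
    return audit(parse_vminfo(out))


if __name__ == "__main__":
    for finding in audit(parse_vminfo(SAMPLE_VMINFO)):
        print("WARN:", finding)
```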
 
Fully agree about Windscribe, I'm using it, pretty fast and I got 50GB per month thanks to a previous giveaway :)

Sorry @Lightning_Brian I have to admit I read your post too quickly and I had not noticed you had already mentioned the VPN :)
 
No worries @tim one . A VPN inside your host to help keep your real IP safe and hidden is best - in my humble opinion. I don't go testing anything without having this on. In addition to this I back up my system to ensure I have a backup to fall back on. This is a full disk image backup. Prior to doing any testing - making sure that image is super squeaky clean too.

I take things even a step further with turning on Shadow Defender on my physical operating system to protect it even more and lock it down like Fort Knox.

I don't like to risk anything at all. A VPN integrated with my router too makes things tough to crack. Just have to find one that's not slowing things down on ya'.

Stay safe testing!
 