VirtualBox tweaking and snapshot


TheMalwareMaster

Good afternoon. I have never tweaked the VirtualBox VM that I use for malware testing, and I'd like to know if there is any important tweaking to do to make it more secure, or if it is okay at the default settings. The second question is about snapshots. Every time I test a product I save a new snapshot with the new virus definition updates (to download less next time). Is there a way to delete all the snapshots except the most recent one (all at once), or to overwrite the old one every time?
 

McLovin

Now I'm not really good with VirtualBox, but when it comes to snapshots, I'd recommend doing them when you have a clean install of Windows. Doing a snapshot of every definition update is a bit much and will use a lot of space on your hard drive. Best to install whatever antivirus you are testing, update it, then take a snapshot; then if you want to test that antivirus again, open the snapshot you saved and just update the antivirus. Hope that helped in a way. :)
 

JM Safe

Hi @TheMalwareMaster

As I always say, you cannot be 100% secure when testing malware, even if you are in a virtual environment. It depends on the malware you are testing. It is important not to run malware that is able to connect to the internet and infect your connection. The most important thing to remember is that if you want to do dynamic malware analysis, you can't do that in a VM; you must do it on a war PC.
Instead, if you only want to test antivirus, i.e. context scans, heuristic scans, etc., without running the malware, you can obviously do it, also using software such as Shadow Defender.

However, there are several points to remember when you do malware testing in VMs:

  • Use a different operating system for the host and for the guest. So, if you want to test malware that can infect Windows machines, you can use an Ubuntu host.
  • Another important point is the security of the connection; for example, if you are testing malware that can infect a Windows guest, you can use OpenBSD, which can't be attacked by malware and viruses.
  • Common sense...

I hope I helped you.
 

TheMalwareMaster

Well, I always run malware in my VM to do dynamic testing, but I kill the process if it is undetected. I have never had problems with the internet connection, and I even made a banking payment without any issue.
 

illumination

Well, I always run malware in my VM to do dynamic testing, but I kill the process if it is undetected. I have never had problems with the internet connection, and I even made a banking payment without any issue.
The important thing with testing in a VM is to make sure to use NAT networking to restrict direct access to the network, and to isolate the guest from the host by making sure things like shared folders, drag and drop, or copy and paste are disabled. These things will greatly reduce the chance of anything happening. In all my testing, the only thing I have seen physically happen is some samples trying to connect outbound to their C&C servers, which my host security stopped.

With snapshots, I create a base, which is the OS updated plus any other applications, like on-demand scanners, that I will be using while testing. Then I create another snapshot off the base to test with. Once this one has been created I then add the main application I will be testing. I generally only create more snapshots after my guest OS needs and applies OS updates, and/or the application I'm testing needs a major update/upgrade; then I will create another snapshot after applying these.
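The isolation settings illumination lists above (NAT only, no shared folders, no clipboard, no drag and drop) and the snapshot clean-up TheMalwareMaster asked about at the top of the thread ("delete all the snapshots except the most recent one, all at once") can both be scripted against VBoxManage. The script below is an added example written for this page, not code posted by anyone in the thread or shipped with VirtualBox. The VM name `malware-lab`, the `--apply` flag, the constructed snapshot listing, and the VirtualBox 6.1 option spellings (`--clipboard-mode`, `--draganddrop`; check `VBoxManage modifyvm` on your version) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): apply the isolation settings illumination
# recommends and prune every snapshot except the current one, using VBoxManage.
# Assumptions: the VM is named "malware-lab" (override with VM=...), VBoxManage is
# on PATH, and the option spellings are VirtualBox 6.1's.
set -eu

VM="${VM:-malware-lab}"
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# Read `VBoxManage showvminfo <vm> --machinereadable` on stdin and print the name
# of every permanent shared folder, one per line (transient folders appear as
# SharedFolderNameTransientMapping<N> and need `sharedfolder remove --transient`).
shared_folder_names() {
  sed -n 's/^SharedFolderNameMachineMapping[0-9]*="\(.*\)"$/\1/p'
}

# Read `VBoxManage snapshot <vm> list --machinereadable` on stdin and print the
# UUID of every snapshot that is not the current one. Keys are SnapshotUUID,
# SnapshotUUID-1, SnapshotUUID-1-1, ... depending on depth in the snapshot tree.
stale_snapshot_uuids() {
  awk -F'="' '
    /^SnapshotUUID(-[0-9]+)*=/ { u = $2; sub(/"$/, "", u); uuids[n++] = u }
    /^CurrentSnapshotUUID=/    { cur = $2; sub(/"$/, "", cur) }
    END { for (i = 0; i < n; i++) if (uuids[i] != cur) print uuids[i] }
  '
}

# Lock the guest down: NAT only on the first adapter, no other adapters, no
# clipboard sharing, no drag and drop, and no shared folders left behind.
harden_vm() {
  vm="$1"
  "$VBOXMANAGE" modifyvm "$vm" --nic1 nat --nic2 none --nic3 none --nic4 none \
    --clipboard-mode disabled --draganddrop disabled
  "$VBOXMANAGE" showvminfo "$vm" --machinereadable | shared_folder_names |
    while IFS= read -r name; do
      "$VBOXMANAGE" sharedfolder remove "$vm" --name "$name"
    done
}

# Delete all snapshots except the current one. Deleting a parent merges its
# differencing disk into the child, so the current state is preserved.
prune_snapshots() {
  vm="$1"
  "$VBOXMANAGE" snapshot "$vm" list --machinereadable | stale_snapshot_uuids |
    while IFS= read -r uuid; do
      "$VBOXMANAGE" snapshot "$vm" delete "$uuid"
    done
}

# Constructed sample of `snapshot list --machinereadable` output (not captured
# from a real VM): a base, a test snapshot off it, and a definitions update
# which is the current snapshot.
SAMPLE_SNAPSHOTS='SnapshotName="base"
SnapshotUUID="11111111-1111-1111-1111-111111111111"
SnapshotName-1="avtest"
SnapshotUUID-1="22222222-2222-2222-2222-222222222222"
SnapshotName-1-1="avtest-defs-updated"
SnapshotUUID-1-1="33333333-3333-3333-3333-333333333333"
CurrentSnapshotName="avtest-defs-updated"
CurrentSnapshotUUID="33333333-3333-3333-3333-333333333333"
CurrentSnapshotNode="SnapshotName-1-1"'

case "${1:-}" in
  --apply)
    harden_vm "$VM"
    prune_snapshots "$VM"
    ;;
  *)
    # Offline demonstration: prints the two stale UUIDs from the sample, touches no VM.
    printf '%s\n' "$SAMPLE_SNAPSHOTS" | stale_snapshot_uuids
    ;;
esac
```

Run it with no arguments to see which UUIDs would go, and with `--apply` to change the VM. Two caveats: "current snapshot" is whatever you last took or restored, so restore the snapshot you want to keep before pruning; and VirtualBox refuses to delete a snapshot that has more than one child, so this only works on a linear chain like the base-then-test layout illumination describes, and a branched tree needs the other branches removed first.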
 
