Question: VMware isolation and AV block on Host??


simmerskool

Level 41
Thread author
Verified
Top Poster
Well-known
Apr 16, 2017
3,057
Running the current version of VMware Workstation 17... host is win10 -- fedora 42 is Guest. Been running fedora for many months, no issues. The AV on Host win10 is DeepInstinct. I do allow copy & paste between Host & Guest, but not "drag & drop." I opened firefox in fedora and purchased an item with paypal. During this transaction on Guest fedora, I used my iphone to get a two factor authentication code (2fa) for paypal and entered the 6-digit 2fa code into firefox on Guest; it was accepted, the transaction completed and the order was confirmed. All good, but...

Contemporaneously during the transaction I got a Host DeepInstinct blockage alert > C:\Program Files\WindowsApps\Microsoft.YourPhone_1.25032.76.0_x64__8wekyb3d8bbwe\SharedUtilities.QrCodeGenerator.dll

How / why is this possible? I never touched the Host during this transaction. The 2fa code was on my iphone, it never touched the host; I manually typed the 2fa code from the keyboard into fedora Guest firefox to verify the paypal payment. How could DeepInstinct on Host even react to my eyeballs reading a 2fa code on the iphone and typing it into the Guest OS? As far as I know, all computers are "clean" and my iphone is not linked to Host win10, never has been. And I maybe get one alert from DeepInstinct every 3 or 4 months, and never got one about QrCodeGenerator.dll before, and I was NOT generating a QRcode during the transaction. Seems doubtful it was a coincidence and unrelated to the transaction, but WTF? Is it safe?
 

Bot

AI-powered Bot
Apr 21, 2016
4,890
It seems like a false positive from DeepInstinct. The alert might not be related to your transaction. The DLL in question is related to the "Your Phone" app in Windows 10, which is used to link your phone and PC. It's possible that DeepInstinct flagged it due to some routine operation. If you're not using the "Your Phone" app, you might consider disabling it. However, to be on the safe side, you should also run a full system scan to ensure there's no malware.
 

bazang

Level 14
Jul 3, 2024
661
Running the current version of VMware Workstation 17... host is win10 -- fedora 42 is Guest. Been running fedora for many months, no issues. The AV on Host win10 is DeepInstinct. I do allow copy & paste between Host & Guest, but not "drag & drop." I opened firefox in fedora and purchased an item with paypal. During this transaction on Guest fedora, I used my iphone to get a two factor authentication code (2fa) for paypal and entered the 6-digit 2fa code into firefox on Guest; it was accepted, the transaction completed and the order was confirmed. All good, but...

Contemporaneously during the transaction I got a Host DeepInstinct blockage alert > C:\Program Files\WindowsApps\Microsoft.YourPhone_1.25032.76.0_x64__8wekyb3d8bbwe\SharedUtilities.QrCodeGenerator.dll

How / why is this possible? I never touched the Host during this transaction. The 2fa code was on my iphone, it never touched the host; I manually typed the 2fa code from the keyboard into fedora Guest firefox to verify the paypal payment. How could DeepInstinct on Host even react to my eyeballs reading a 2fa code on the iphone and typing it into the Guest OS? As far as I know, all computers are "clean" and my iphone is not linked to Host win10, never has been. And I maybe get one alert from DeepInstinct every 3 or 4 months, and never got one about QrCodeGenerator.dll before, and I was NOT generating a QRcode during the transaction. Seems doubtful it was a coincidence and unrelated to the transaction, but WTF? Is it safe?
Hair on Fire

Coincidence

False Positive

Disconnect your iPhone if it is connected to your PC via the Phone App; just do not use it
 

simmerskool

Level 41
Thread author
Verified
Top Poster
Well-known
Apr 16, 2017
3,057
Hair on Fire

Coincidence

False Positive

Disconnect your iPhone if it is connected to your PC via the Phone App; just do not use it
Well, I suggested it could be a coincidence, it just seems unlikely (to me). My iphone is not connected to my Host or to the Guest. Phone App on win10 was not running, I have never used it. The issue is not whether it is a DeepInstinct false positive, but how could DI react to it at all, unless it wasn't and it was a coincidence. Seems unlikely. The event is being analyzed by a real IT person, will report more if I hear anything of value.
PS DI blocked it as a "dropper" using Deep Static Analysis.
 

bazang

Level 14
Jul 3, 2024
661
Well, I suggested it could be a coincidence, it just seems unlikely (to me). My iphone is not connected to my Host or to the Guest. Phone App on win10 was not running, I have never used it. The issue is not whether it is a DeepInstinct false positive, but how could DI react to it at all, unless it wasn't and it was a coincidence. Seems unlikely. The event is being analyzed by a real IT person, will report more if I hear anything of value.
PS DI blocked it as a "dropper" using Deep Static Analysis.
Coincidence

False positive

The two events are not connected in any way
 

Vitali Ortzi

Level 30
Verified
Top Poster
Well-known
Dec 12, 2016
1,961
Running the current version of VMware Workstation 17... host is win10 -- fedora 42 is Guest. Been running fedora for many months, no issues. The AV on Host win10 is DeepInstinct. I do allow copy & paste between Host & Guest, but not "drag & drop." I opened firefox in fedora and purchased an item with paypal. During this transaction on Guest fedora, I used my iphone to get a two factor authentication code (2fa) for paypal and entered the 6-digit 2fa code into firefox on Guest; it was accepted, the transaction completed and the order was confirmed. All good, but...

Contemporaneously during the transaction I got a Host DeepInstinct blockage alert > C:\Program Files\WindowsApps\Microsoft.YourPhone_1.25032.76.0_x64__8wekyb3d8bbwe\SharedUtilities.QrCodeGenerator.dll

How / why is this possible? I never touched the Host during this transaction. The 2fa code was on my iphone, it never touched the host; I manually typed the 2fa code from the keyboard into fedora Guest firefox to verify the paypal payment. How could DeepInstinct on Host even react to my eyeballs reading a 2fa code on the iphone and typing it into the Guest OS? As far as I know, all computers are "clean" and my iphone is not linked to Host win10, never has been. And I maybe get one alert from DeepInstinct every 3 or 4 months, and never got one about QrCodeGenerator.dll before, and I was NOT generating a QRcode during the transaction. Seems doubtful it was a coincidence and unrelated to the transaction, but WTF? Is it safe?
Probably the 2fa was sent to an account connected to the PC, specifically to the phone app, and when the PC tried showing the 2fa, Deep Instinct falsely saw the behavior as malicious.
At least that's what I think happened.
 

simmerskool

Level 41
Thread author
Verified
Top Poster
Well-known
Apr 16, 2017
3,057
Probably a coincidence but since you don't use the Your Phone app, I suggest you to uninstall it.
I never directly intentionally installed Your Phone in the first place. I assume it came with some MS update. Also very difficult to access C:\Program Files\WindowsApps\ -- chatGPT says it can be done but you need to mess with Group Policies, which I'm not using. But yes, ChatGPT also said uninstall it -- I will. Still waiting for more feedback from the DeepInstinct analyst who can inspect my portal.
 

simmerskool

Level 41
Thread author
Verified
Top Poster
Well-known
Apr 16, 2017
3,057
Probably the 2fa was sent to an account connected to the PC, specifically to the phone app, and when the PC tried showing the 2fa, Deep Instinct falsely saw the behavior as malicious.
At least that's what I think happened.
Sounds logical, but I have never used Your Phone on win10_Host (that I know of) and I checked Start Apps and Your Phone is & was checked OFF (disabled). Maybe Quantum spooky action at a distance...
EDIT PS the win10_host running DeepInstinct is also running Cyberlock on smart-aggressive mode AND something triggered the DI block popup flag.
 

SeriousHoax

Level 51
Verified
Top Poster
Well-known
Mar 16, 2019
4,024
I never directly intentionally installed Your Phone in the first place. I assume it came with some MS update. Also very difficult to access C:\Program Files\WindowsApps\ -- chatGPT says it can be done but you need to mess with Group Policies, which I'm not using. But yes, ChatGPT also said uninstall it -- I will. Still waiting for more feedback from the DeepInstinct analyst who can inspect my portal.
Your Phone comes with Windows by default. I think you have HiBit Uninstaller, right? You can use it to uninstall the app. I think you would find it in HiBit's Windows Store App Manager section in Tools.
 

bazang

Level 14
Jul 3, 2024
661
Running the current version of VMware Workstation 17... host is win10 -- fedora 42 is Guest. Been running fedora for many months, no issues. The AV on Host win10 is DeepInstinct. I do allow copy & paste between Host & Guest, but not "drag & drop." I opened firefox in fedora and purchased an item with paypal. During this transaction on Guest fedora, I used my iphone to get a two factor authentication code (2fa) for paypal and entered the 6-digit 2fa code into firefox on Guest; it was accepted, the transaction completed and the order was confirmed. All good, but...

Contemporaneously during the transaction I got a Host DeepInstinct blockage alert > C:\Program Files\WindowsApps\Microsoft.YourPhone_1.25032.76.0_x64__8wekyb3d8bbwe\SharedUtilities.QrCodeGenerator.dll

How / why is this possible? I never touched the Host during this transaction. The 2fa code was on my iphone, it never touched the host; I manually typed the 2fa code from the keyboard into fedora Guest firefox to verify the paypal payment. How could DeepInstinct on Host even react to my eyeballs reading a 2fa code on the iphone and typing it into the Guest OS? As far as I know, all computers are "clean" and my iphone is not linked to Host win10, never has been. And I maybe get one alert from DeepInstinct every 3 or 4 months, and never got one about QrCodeGenerator.dll before, and I was NOT generating a QRcode during the transaction. Seems doubtful it was a coincidence and unrelated to the transaction, but WTF? Is it safe?
VMWare Workstation and VirtualBox do not fully isolate the real physical system (Host) from the virtual machine (Guest). At least not by default, anyway.

You have to do the research and figure out all the hardening that is required to effectively isolate the Host system from the virtual machine (Guest).

Virtual machines write files to your Host file system by default - and I am not talking about file sharing. I am talking about files created by VMWare or VirtualBox on the Host during its operation - unknown by you.
 

simmerskool

Level 41
Thread author
Verified
Top Poster
Well-known
Apr 16, 2017
3,057
Your Phone comes with Windows by default. I think you have HiBit Uninstaller, right? You can use it to uninstall the app. I think you would find it in HiBit's Windows Store App Manager section in Tools.
Well, I discussed removing YourPhone with chatGPT and it suggested powershell commands, as yourphone was in \program files\windowsapps\ which the system highly protects. I learned some stuff today! GPT also suggested O&O AppBuster but it did not even see YourPhone. Has anyone used the O&O AppBuster? Eventually we got YourPhone removed w/ps. & GPT suggested several MS apps that can be removed as unnecessary and rarely used that are listed by O&O.
 

simmerskool

Level 41
Thread author
Verified
Top Poster
Well-known
Apr 16, 2017
3,057
VMWare Workstation and VirtualBox do not fully isolate the real physical system (Host) from the virtual machine (Guest). At least not by default, anyway.

You have to do the research and figure out all the hardening that is required to effectively isolate the Host system from the virtual machine (Guest).

Virtual machines write files to your Host file system by default - and I am not talking about file sharing. I am talking about files created by VMWare or VirtualBox on the Host during its operation - unknown by you.
chatGPT suggested that VMware Tools might have been doing something like that under the hood. But it was also "concerned" that DeepInstinct alerted to the dll as a "dropper" & deep static analysis pe64. I removed yourphone.
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
641
I am headed toward putting a linux distro on hardware. I've been practicing with linux in VM for several months. :D
Good to know, I've just installed VirtualBox on Linux Mint, it's super light, I believe that if you use it on Linux you'll get more performance depending on the distribution and that's an advantage, apart from the security you get if you do Malware tests. ;)
 

simmerskool

Level 41
Thread author
Verified
Top Poster
Well-known
Apr 16, 2017
3,057
Good to know, I've just installed VirtualBox on Linux Mint, it's super light, I believe that if you use it on Linux you'll get more performance depending on the distribution and that's an advantage, apart from the security you get if you do Malware tests. ;)
I've used VB in the more distant past, but then no VMs; then about a year or 2 ago I started with VMware Workstation 15 (paid) and learned it pretty quickly, and it runs great. But open to trying VB again -- not testing malware, just trying to avoid it :LOL:
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
641
I've used VB in the more distant past, but then no VMs; then about a year or 2 ago I started with VMware Workstation 15 (paid) and learned it pretty quickly, and it runs great.
I agree with you that VMware is better than VB, but there is VMware for Linux and you can install it one day to try it out; as far as I know VMware for Linux is similar to VMware for Windows. ;)
 

SeriousHoax

Level 51
Verified
Top Poster
Well-known
Mar 16, 2019
4,024
Well, I discussed removing YourPhone with chatGPT and it suggested powershell commands, as yourphone was in \program files\windowsapps\ which the system highly protects. I learned some stuff today! GPT also suggested O&O AppBuster but it did not even see YourPhone. Has anyone used the O&O AppBuster? Eventually we got YourPhone removed w/ps. & GPT suggested several MS apps that can be removed as unnecessary and rarely used that are listed by O&O.
Yeah, in fact mine was deleted using O&O AppBuster. I use AppBuster for deleting Windows Store apps only. But since you had HiBit I thought that should do the job also. Using powershell commands to remove it left some files behind when I tried a few years ago. But I think there are also powershell commands that can completely get rid of it. Anyway, good to get the confirmation that the DI detection was just a coincidence.
 
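Two posts above describe the same procedure without showing it: simmerskool removed YourPhone with PowerShell commands, and SeriousHoax notes that the cmdlets can leave pieces behind. The script below is an added example, not code from the thread, from Microsoft or from any poster: it triages the flagged DLL path quoted in the thread by checking its Authenticode signature (a valid Microsoft chain is the evidence a false-positive verdict rests on), then lists the per-user installs and the provisioned copy of the package, and removes both only when its own `-Remove` switch is given. It assumes an elevated PowerShell on Windows 10 with the built-in Appx and DISM modules; the `-Remove` switch and the variable names are this example's, not Windows'.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell.
param(
    [string]$FlaggedPath = 'C:\Program Files\WindowsApps\Microsoft.YourPhone_1.25032.76.0_x64__8wekyb3d8bbwe\SharedUtilities.QrCodeGenerator.dll',
    [switch]$Remove   # example's own switch: list only unless given
)

# 1. Derive the package full name and package name from the WindowsApps folder
#    in the flagged path (folder layout: <Name>_<Version>_<Arch>__<PublisherId>).
$pkgFullName = Split-Path (Split-Path $FlaggedPath -Parent) -Leaf
$pkgName     = ($pkgFullName -split '_')[0]
Write-Host "Package full name : $pkgFullName"
Write-Host "Package name      : $pkgName"

# 2. Check the Authenticode signature of the flagged file. 'Valid' with a
#    Microsoft signer supports the false-positive verdict; NotSigned or
#    HashMismatch means the file was altered and the alert needs real
#    incident response rather than an uninstall.
if (Test-Path -LiteralPath $FlaggedPath) {
    $sig = Get-AuthenticodeSignature -FilePath $FlaggedPath
    Write-Host ("Signature status  : {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
    if ($sig.Status -ne 'Valid') {
        Write-Warning 'Signature is not valid: investigate before removing anything.'
    }
} else {
    # WindowsApps is ACL-restricted even for administrators, so this also
    # happens when the file exists but cannot be read from this session.
    Write-Host 'Flagged file not readable or not present (quarantined, removed, or ACL-blocked).'
}

# 3. List every installation across user profiles plus the provisioned copy
#    that Windows installs into each new profile (the part an uninstall of only
#    the current user's copy leaves behind).
$installed   = Get-AppxPackage -AllUsers -Name $pkgName
$provisioned = Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $pkgName
$installed   | Format-Table Name, Version, PackageFullName -AutoSize
$provisioned | Format-Table DisplayName, PackageName -AutoSize

# 4. Remove both only on request, so an update or a new account does not
#    bring the package back.
if ($Remove) {
    $installed   | Remove-AppxPackage -AllUsers
    $provisioned | Remove-AppxProvisionedPackage -Online | Out-Null
    Write-Host "Removed $pkgName for all users and from the provisioning store."
}
```

Run it once without `-Remove` to see the signature result and the package inventory; the removal step is the only part that changes the system.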
