What's a good basic virtual machine config to test malware?

Status
Not open for further replies.

shootfire

Level 1
Thread author
Verified
Feb 6, 2016
17
(Disclaimer: I have no idea where to post this... if it needs to be moved, sorry)

I'm looking for suggestions for basic VM setups to test malware on. I'd consider myself an advanced user (worked at a computer lab doing malware removal, builds, hardware repair etc) but have zero experience using VMs. My machine is Win 10x64. Any suggestions appreciated. PS I know this is a risky practice; no need to remind me of that.

Thx!
 
  • Like
Reactions: Dirk41

generalwu

Level 5
Verified
Well-known
Jan 25, 2016
219
The two favourite VM players are Oracle VirtualBox and VMware Player.

Both are free to use.

I prefer VMware Player due to its GUI (personal preference). :p
 
  • Like
Reactions: safe1st and milas

illumination

Thread moved.

If you are asking for basic info on how to set the virtual machine up for testing, then I can help.

With networking, choose NAT so as to keep the guest from direct access to your network. Isolate the guest from the host: this means disabling shared folders, drag and drop, and copy and paste. Creating a base snapshot in the virtual machine and then creating additional snapshots to test with will not only save you time for testing, but in the event something goes wrong in the snapshot you are in, you can revert it without having to start completely over installing the guest again.

There is a giant warning that is not able to be missed in the MalwareHub, at the top of every thread, stating live malware, dangerous, doing this is at your own risk. Live system testing is not permitted. As long as you understand these, you are welcome to come try your hand at testing.
 
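The isolation baseline described in this reply (NAT only, shared folders removed, clipboard and drag and drop off, a base snapshot taken) can be verified against a VirtualBox VM instead of eyeballed. The following is an added example, not code from the thread: a Python checker that parses the output of VirtualBox's `VBoxManage showvminfo <vm> --machinereadable` and lists every setting that breaks the baseline. The VM name and the sample output are constructed; the key names follow VBoxManage's machine-readable format.

```python
"""Isolation-baseline checker for a VirtualBox malware-testing guest.
Added example; parses `VBoxManage showvminfo <vm> --machinereadable` and flags
settings that break the baseline (NAT only, no shares, no clipboard/DnD, snapshot)."""
import re
import subprocess

# Constructed sample output for a VM that still has a shared folder mapped and
# a bidirectional clipboard, i.e. two of the isolation gaps the thread warns about.
SAMPLE_VMINFO = """\
name="win10-malware"
nic1="nat"
nic2="none"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="hostshare"
SharedFolderPathMachineMapping1="C:\\Users\\me\\Downloads"
SnapshotName="Base"
"""

def parse_vminfo(text):
    """Turn key="value" (or key=value) lines into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^([^=]+)=(?:"(.*)"|(.*))$', line.strip())
        if m:
            info[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return info

def check_isolation(info):
    """Return a list of findings; an empty list means the VM matches the baseline."""
    findings = []
    for k, v in info.items():
        if re.fullmatch(r"nic\d+", k) and v not in ("none", "nat"):
            findings.append(f"{k} is '{v}', expected 'nat' (or none)")
    for key in ("clipboard", "draganddrop"):
        if info.get(key, "disabled") != "disabled":
            findings.append(f"{key} is '{info[key]}', expected 'disabled'")
    for k, v in info.items():
        if k.startswith("SharedFolderNameMachineMapping"):
            findings.append(f"shared folder '{v}' is mapped; remove it before testing")
    if "SnapshotName" not in info:
        findings.append("no snapshot exists; take a clean base snapshot first")
    return findings

def check_vm(name):
    """Run the check against a real VM (requires VBoxManage on PATH)."""
    out = subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    return check_isolation(parse_vminfo(out))
```

Run `check_isolation(parse_vminfo(SAMPLE_VMINFO))` to see the two findings for the constructed sample, or `check_vm("your-vm-name")` against a real guest before each testing session.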

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
I currently use VMware but have it set up a few different ways as for network. I have 2 virtual machines, one with Windows Server 2012 and then just a Windows 7, and I'm playing around with whether anything from the server can get across to other computers connected within that domain. But as for the safest and most common, it would have to be NAT like @illumination said. Now snapshots: I like them for the reason that you're able to snapshot everything you do. It's like a backup, and reverting back to it if something has gone wrong. I normally do a snapshot if I do big things to the VM, i.e. if I have just installed Windows I will do a fresh clean snapshot and maybe another when I have it connected to a domain, for example.

It's quite easy to get into malware testing on a virtual machine; you just have to make sure you have an updated host when it comes to your antivirus and your Windows operating system AND have a powerful enough machine to perform and run a virtual machine. Most people I've seen are wanting to get into malware testing, which is not a big deal at all, but they are running something like an Intel Core 2 Duo, which is not bad, but it would be better if you have (what I think) a minimum of an Intel i5 or AMD equivalent and higher. As for RAM, I'd have to say for most common OSes nowadays it would have to be 4 GB, and if you have your host running 4 GB it's best to upgrade that first. The virtual machine will still run, it just won't have the power to give it a boost. It's like not having breakfast in the morning: you just don't get that hype for the day, while if you have breakfast you get that boost and are ready to give it your all during the day.

Another thing to understand is that malware will typically not spread to your host, but when malware testing I ALWAYS have my shared folders to the VM turned off, as if something does happen that is the quickest and easiest way for it to spread. Apart from that there is nothing really else; just make sure you have an updated host and have snapshots of a fresh install so if something happens you can revert back to that snapshot. :)

Hope this helped in some way or another, tried not to make it that long haha :)
 

shootfire

Level 1
Thread author
Verified
Feb 6, 2016
17
Thx for the suggestions. My laptop should be powerful enough... it is a 1.5 yr old Pentium dual core (surprisingly peppy) with 8GB of RAM and SSD.

As for terms, help me out here since I'm new to the whole virtualization thing hehe. Host = the system you're 'shadowing', i.e. my laptop as it stands now with Windows 10, I assume? Is NAT an actual application to use in conjunction with VMware (or similar), or are you referring to a NAT firewall (dumb question, I know lol). I understand the snapshot term.

Currently I use my phone's data plan as my internet connection at home b/c I live in the sticks and there are no high speed internet providers. So there is not a typical home network with a router per se... in case that makes any difference.

Yeah, my goal for doing the testing is just trying out various AV configs. Lately I'm sick of using traditional suites like Norton, BD etc and have been creating my own freeware layered solutions (right now I am using Windows Defender + Win Firewall + WinPatrol Free + Malwarebytes Anti Exploit as on-access protection)... and I'm curious to see how that type of setup stands up to malware vs a Norton or similar... Just geeky stuff like that.

Again thanks for the help all... I have taught myself everything I know about PCs, OSes etc by forums and trial & error, over the past 10 yrs. No certificates, classes or anything, and I successfully worked as a tech for two years. Just a thank you to people like you who share your knowledge with others. It's better than any formal schooling out there, if you're serious about learning that is.
 
  • Like
Reactions: safe1st and McLovin

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
@shootfire The host will be your main OS, i.e. Apple or Windows 10, what you use every day. NAT is a type of networking: "Network address translation (NAT) is a methodology of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device." - Source, Google
So in simple terms it means your host's IP will be used in the VM for the internet. No program is needed for this; you just need to set that up when you have a virtual machine installed.
It doesn't matter when it comes to internet what you are using; if you are comfortable using your phone's internet, that's fine. You can still hook that up to the virtual machine. :)

Doing all the testing in a VM is perfect: you get to see what works with each other and what doesn't. The performance will be different, but that is understandable because it's being done on a virtual machine. :)

That's the thing I like about this forum and others you learn and get to get knowledge off other users as well. :)
 

shootfire

Level 1
Thread author
Verified
Feb 6, 2016
17
Thanks... I am going to try VM Ware and Virtual Box in the next couple days and will post back if I have questions .... I appreciate the guidance.
 

LabZero

Many useful things have already been said here and, as we know, the VM's network configuration is very important to prevent malware from propagating itself.
I use VirtualBox and, by default, VB uses a single network adapter in NAT mode.
This setting is important because it allows you to determine how the virtual network interface interacts with the "physical" hardware installed on the host system. Choosing NAT, VirtualBox provides the virtual machine with a private IP address, completely inaccessible from the local network as well as from the host system. Assuming, for example, that the host system is assigned the IP 192.168.1.2, in NAT mode VirtualBox will assign the virtual machine the IP 10.0.2.x. It is possible to check it by opening the command prompt on the Windows guest and typing ipconfig /all
So the NAT configuration allows access without problems to the Internet from the virtual machine and proves to be the most suitable for malware testing.
 

Sandboxie Help

From Sandboxie
Verified
Developer
Feb 26, 2016
23
That's not what Sandboxie is for, so something else. VM?

Sandboxie is designed to sandbox IE, Internet Explorer. That's what it was designed to do in 2004. However, it now isolates many browsers and online programs. It's not designed to "tweak" Windows, etc.
 
  • Like
Reactions: McLovin

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
@HeavyEarly Sandboxie, VMware, VirtualBox, and Shadow Defender are all somewhat similar. With that being said, with virtual machines you are able to play around with an OS, for example, before you decide to upgrade your current one, or just to get a feel of it before you have to go out and buy one.
I've never been a fan of Shadow Defender and Sandboxie, only due to the fact that I like to play around with operating systems, meaning I love virtual machines. :)

Hope that somewhat answered your question/trouble :p
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
VMware and VirtualBox contain a predefined configuration (in layman's terms, a fixed configuration) where you don't need to mess with everything.

Here are some points.
  • Avoid network shared folders during malware test activity. (Worms and other nasty threats may jump to your host PC.)
  • No need to mess with the network settings; NAT is designed to isolate your IP address from your host.
  • Have your antivirus turned on, just as a safety precaution.
 

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
@McLovin: Well I'm still a little confused. You say......."I've never been a fan of Shadow Defender and Sandboxie only due to the fact I like to play around with operating systems, that meaning I love virtual machines." So that means Shadow Defender is not considered a virtual machine, correct?? If it's not, what's it considered? I just looked on their website and it gives a 30 day free trial which I think I'm gonna try. Is there anything I should be FULLY AWARE of after I install it that can possibly screw up anything? Or is it pretty self explanatory?
Shadow Defender is not a virtual machine, correct, but is more classified as virtualisation. I've only heard that when running programs within Shadow Defender everything is fine, but they can still access personal information. Not sure if this is correct, though. @Umbra is the one to talk to when it comes to setting Shadow Defender up, as he uses/used it all the time. :)

@jamescv7: Thanks a lot. But I'm still kinda unclear if you're describing VMware and VirtualBox only. I'm only considering Shadow Defender, and also, I'm not going to be testing malware. I only want to use it as an extra level of protection, and as something I can tweak the registry with and wipe it clean if I don't like what I've done, and also to be able to test different security configurations together.

@jamescv7 is talking about VMware and VirtualBox, yes. If you are not going to consider doing any malware testing at this time, I would more than likely recommend Shadow Defender or Sandboxie just to try out the style of "virtualisation". :)

Hope this helped. :)
 
  • Like
Reactions: jamescv7

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
@McLovin: Thank you.....this is EXACTLY what I was curious about. I'm pretty sure I can eventually manage to figure out Shadow Defender, but the thread talk above about virtual machines made me question my ability to figure those out.....that's why I wanted to know if VirtualBox and Shadow Defender were the exact same type of thing. Also, thanks for letting me know about Umbra, because Shadow Defender's forum doesn't look like it's up and running anymore.
No problem man! Down the track, if you need help at all or have any more questions regarding virtual machines, I'll definitely help you out. :)
 
  • Like
Reactions: HeavyEarly

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
@HeavyEarly: Well, I just answered the OP's post above, and for the virtualization feature of Shadow Defender, then try it. ;)

Just be aware that setting up the files and folders for exclusion is too complex, and it's better to do the task outside of the virtualization session.
 
  • Like
Reactions: HeavyEarly

Wihat

Level 3
Verified
Well-known
Jan 25, 2016
107
The last time I installed a Linux PC on VirtualBox v5, it was so slow although I shared 4 GB for that machine; then I switched to VMware, and it's working great.
 