
Host computer detected VMware guest "Virus"

carboncopy Member Posts: 259
A friend of mine has AVG running on his Host OS Windows Vista. He is running a guest VMware VM that is running Windows XP with no Anti Virus. He browsed to a malicious site on the XP VM and the Host OS Anti Virus (AVG) picked up the malicious site that was seen on the VM.

I am not really sure how and why that would happen. He was using NAT for networking and the malicious process that Vista picked up was vmnat.exe.

Anyone know why it was able to detect the malicious page through the vmnat process?


He is running the latest VMware Server.

Comments

  • HeroPsycho Inactive Imported Users Posts: 1,940
    A guest OS is not completely isolated from the Host OS.
    Good luck to all!
  • carboncopy Member Posts: 259
    HeroPsycho wrote: »
    A guest OS is not completely isolated from the Host OS.

    So analyzing malware on a VM is not completely safe I would assume. That is if the host os is vulnerable to what is being analyzed on the vm.

    Is there a way to make the Guest OS completely isolated from the Host OS?
  • HeroPsycho Inactive Imported Users Posts: 1,940
    carboncopy wrote: »
    So analyzing malware on a VM is not completely safe I would assume. That is if the host os is vulnerable to what is being analyzed on the vm.

    Is there a way to make the Guest OS completely isolated from the Host OS?

    You're looking at it a bit wrong. You're assuming the host analyzing the guest for malware activity is to prevent the malware from spreading to the host through the virtualization software. Malware detection doesn't analyze to protect the host. It doesn't have a motive; it's an application. It detects malware and prevents the malware from running and eradicates it.

    The simple fact of the matter is the AV is capable of analyzing processes in the VM. It doesn't know how the networking is configured. Maybe a potentially protected VM could infect the host via a network connection. Maybe it would do it through a buffer overflow in the virtualization software. There's simply no way of knowing for sure what malware might do.

    Can you completely isolate the guest from the host? No. Can you completely isolate the host from the guest? For all intents and purposes, yes.

    You *might* be able to configure the AV to not examine the memory spaces used by the VM, or what is being executed via the virtualization process. But that's an AV configuration thing specific to your AV.
    Good luck to all!
  • carboncopy Member Posts: 259
    I see... Thanks!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    It would be possible for a host to get a virus from a guest if a shared file was infected and executed against one or the other. What I mean is if I am downloading stuff from limewire in the guest to a location that is mapped on the host (like a data share) and the items were infected, it is possible for both the host and the guest to get infected (correct?).
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    knwminus wrote: »
    It would be possible for a host to get a virus from a guest if a shared file was infected and executed against one or the other. What I mean is if I am downloading stuff from limewire in the guest to a location that is mapped on the host (like a data share) and the items were infected, it is possible for both the host and the guest to get infected (correct?).

    Yes, in this way the relationship to the infecting file is the same as if they were simply two different physical computers.

    Remember what I always say! LimeWire! It's like AIDS, but for your computer.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    knwminus wrote: »
    It would be possible for a host to get a virus from a guest if a shared file was infected and executed against one or the other. What I mean is if I am downloading stuff from limewire in the guest to a location that is mapped on the host (like a data share) and the items were infected, it is possible for both the host and the guest to get infected (correct?).

    That's just one of several ways. But my point here is the host OS has far more knowledge and ability to execute within the guest OS than vice versa. A guest can never be truly isolated from the host OS. How else do you think it's possible to install VMTools/Virtual Machine Additions, etc.?
    Good luck to all!
  • JDMurray Admin Posts: 13,039 Admin
    If you will be doing possibly dangerous things with your VMs, like connecting to potentially malicious Web sites, it should be done on a separate machine running virtualization software that uses a minimal host OS (VMware ESXi) that has little chance of being infected by VM-aware Malware. The machine should also have an Internet connection that is separate from your LAN.

    If you absolutely need the VM to be running on your desktop machine using software like VMware Player or Fusion, use sandboxing software (like SandBoxie) on the VM, do not create shares to the VM's guest OS, and revert to a clean snapshot when done. Depending on your LAN hardware, there are also a number of ways to isolate the VM's traffic from your LAN's traffic using VLANs or a VPN connection to your Internet gateway.


    Does anyone know of a good book or blog that contains extensive details about sandboxing VMs from surrounding OSes and networks?
  • HeroPsycho Inactive Imported Users Posts: 1,940
    JDMurray wrote: »
    If you will be doing possibly dangerous things with your VMs, like connecting to potentially malicious Web sites, it should be done on a separate machine running virtualization software that uses a minimal host OS (VMware ESXi) that has little chance of being infected by VM-aware Malware. The machine should also have an Internet connection that is separate from your LAN.

    If you absolutely need the VM to be running on your desktop machine using software like VMware Player or Fusion, use sandboxing software (like SandBoxie) on the VM, do not create shares to the VM's guest OS, and revert to a clean snapshot when done. Depending on your LAN hardware, there are also a number of ways to isolate the VM's traffic from your LAN's traffic using VLANs or a VPN connection to your Internet gateway.


    Does anyone know of a good book or blog that contains extensive details about sandboxing VMs from surrounding OSes and networks?

    No, but I can provide a few tips myself:

    Use non-persistent virtual disks if you know you never need to save data in the VMDKs. Eliminates the pain of constant snapshots/reverts.

    For ultra security, use a separate VM acting as a firewall between the Guest and the physical network and configure your virtualization networking to force the guest to route through this VM.

    Run your host if possible with a 64-bit OS, with hardware DEP enabled.

    If running virtual machine OS integration package such as VMTools, don't forget to update those when you patch your virtualization product.

    Patch your virtualization software regularly.

    Don't use the same passwords between guest and host. A keystroke logger in the guest works the same.

    Harden the guest just like you would a physical machine. Patch it, etc.
    Good luck to all!
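A VMware .vmx configuration fragment that applies several of the tips above (non-persistent disk instead of snapshot/revert, no shared folders or clipboard between guest and host, guest NIC forced onto an isolated virtual network behind a separate firewall VM). This is an added example, not from the thread; the keys come from VMware's guest-isolation settings, but which ones a given product and version honors varies, and the disk file name, adapter numbers and the VMnet2 network are assumptions.

```ini
# Added example: .vmx hardening fragment for a throwaway analysis guest.

# Disk reverts to its original state on every power-off,
# so no snapshot/revert cycle is needed between sessions.
scsi0:0.present = "TRUE"
scsi0:0.fileName = "analysis-xp.vmdk"
scsi0:0.mode = "independent-nonpersistent"

# Guest NIC on a custom virtual network (assumed VMnet2) that has no host
# adapter; a separate firewall VM bridges VMnet2 to the outside, so every
# packet from the guest passes through that VM rather than vmnat on the host.
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "VMnet2"

# Cut the VMware Tools channels that move data between guest and host:
# shared folders (HGFS), clipboard in both directions, drag and drop.
isolation.tools.hgfsServerSet.disable = "TRUE"
sharedFolder.maxNum = "0"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.setGUIOptions.enable = "FALSE"

# Stop the guest from connecting or editing its own virtual devices and
# from pushing unbounded guest-controlled data into host-side files.
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
isolation.tools.vixMessage.disable = "TRUE"
tools.setInfo.sizeLimit = "1048576"
log.rotateSize = "100000"
log.keepOld = "10"
```

Edit the .vmx only while the VM is powered off, since the product rewrites the file on shutdown and will discard changes made to a running VM's configuration.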
  • MentholMoose Member Posts: 1,525 ■■■■■■■■□□
    JDMurray wrote: »
    Does anyone know of a good book or blog that contains extensive details about sandboxing VMs from surrounding OSes and networks?
    VMware products have settings to increase guest isolation. Some of them are detailed here:
    IT Audit: 6 VMWare Settings Every IT Auditor Should Know About
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV