| Thread ID: 81471 | 2007-07-28 16:14:00 | Uninfected VMs? | SurferJoe46 (51) | PC World Chat |
| Post ID | Timestamp | Content | User | ||
| 573577 | 2007-07-28 16:14:00 | I read the following article, and got a little more confused. If the STORM worm can detect if it is trying to infect a VM, it cancels the infection and just moves on...or does it? That's not clear to me. Read this article yourselves and then can anyone make it a little clearer to us who do not understand the concept. ARTICLE (www.techworld.com) Does a VM NOT get infected at all? Is running a VM a good idea for most dangerous applications or software? Does anti-malware application run in a VM-like mode anyway, even if the user has not installed a VM? Can a VM-based mal-program jump to the True Machine or is the barrier defiant enough to prevent it? Since Storm seems to not bother the VM, does that mean that the anti-ware is not bothering to protect the VM side of a system? |
SurferJoe46 (51) | ||
| 573578 | 2007-07-28 21:56:00 | Would be great if it didn't :D I am going to run everything in a VM and keep my host OS nice and clean for gaming :D |
The_End_Of_Reality (334) | ||
| 573579 | 2007-07-28 22:00:00 | OK..another thought then I have used the Live-CDs for Mepis etc, and then they allow one to install by just clicking..so why is a VM trojan/virus not using the same venue to enter the True Machine? |
SurferJoe46 (51) | ||
| 573580 | 2007-07-28 23:47:00 | I'm not an expert on these things but I'll answer these as I understand them - 1. Does a VM NOT get infected at all? In this case the point is not to infect the VM to avoid pain-free analysis 2. Is running a VM a good idea for most dangerous applications or software? Yes. It's probably the top reason to, not that most people use dangerous applications purposefully, but for testing, etc. it's good. 3. Does anti-malware application run in a VM-like mode anyway, even if the user has not installed a VM? Probably not, but I don't really know what you're getting at. 4. Can a VM-based mal-program jump to the True Machine or is the barrier defiant enough to prevent it? No. It's a standard sandboxed environment and is like an industry standard. That said, VM software is still just that (software) so there could be vulnerabilities separate from the concept of a virus jumping from guest to host all the same. You can network the host and guest system in standard fashion so this could serve as a path for infection. 5. Since Storm seems to not bother the VM, does that mean that the anti-ware is not bothering to protect the VM side of a system? No. Software installed on the host system has no bearing over how the guest system is going. It's like asking whether the AV/AM software on the kitchen computer protects the other non-networked computer in your bedroom. |
sal (67) | ||
| 573581 | 2007-07-28 23:49:00 | I read the following article, and got a little more confused. If the STORM worm can detect if it is trying to infect a VM, it cancels the infection and just moves on...or does it? That's not clear to me. Read this article yourselves and then can anyone make it a little clearer to us who do not understand the concept. ARTICLE (techworld.com/security/news/index.cfm?newsid=9625) Does a VM NOT get infected at all? Is running a VM a good idea for most dangerous applications or software? Does anti-malware application run in a VM-like mode anyway, even if the user has not installed a VM? Can a VM-based mal-program jump to the True Machine or is the barrier defiant enough to prevent it? Since Storm seems to not bother the VM, does that mean that the anti-ware is not bothering to protect the VM side of a system? Virtual machines are often used by security researchers to analyse malware in a secure environment. To a virtual machine the underlying OS or Hypervisor should be no more accessible than networking or specialised interfaces permit. Infecting a VM isn't particularly worthwhile for a desktop worm as the system can be reset to an earlier state. It's definitely worthwhile doing to slow analysis. |
TGoddard (7263) | ||
| 573582 | 2007-07-29 00:11:00 | Does a VM NOT get infected at all? It theoretically should be able to infect the VM guest OS. But since Storm cannot touch the host OS, it would be detected, isolated and dissected easily. I think that that is why the Storm creators do not want to infect a VM guest OS - they don't want it to be analysed. Is running a VM a good idea for most dangerous applications or software? I would avoid running the dangerous app in the first place. But a VM should make recovering from an infection easier. Does anti-malware application run in a VM-like mode anyway, even if the user has not installed a VM? It should. Just like it would on a natively-running OS. Can a VM-based mal-program jump to the True Machine or is the barrier defiant enough to prevent it? A well-designed VM should hide all evidence of its existence. The guest OS, and anything else running on the guest OS should not be aware of anything outside the guest OS. FreeBSD jails (en.wikipedia.org) are a good example. Since Storm seems to not bother the VM, does that mean that the anti-ware is not bothering to protect the VM side of a system? ? |
vinref (6194) | ||
| 573583 | 2007-07-29 03:52:00 | Go to the SANS Internet Storm Center and read the diary archives there. This was mentioned about 2 days ago. | beeswax34 (63) | ||
| 573584 | 2007-07-29 06:29:00 | ? What I mean is: does the security program not bother testing and securing the VM side of the system? Does the anti-stuff actually care or is it designed to not bother to protect the virtual side of an OPSYS.. I know!... the OPSYS doesn't know it's even there, but can the security programs see any activity by malware on a VM side? |
SurferJoe46 (51) | ||
| 573585 | 2007-07-29 07:42:00 | What I mean is: does the security program not bother testing and securing the VM side of the system? Does the anti-stuff actually care or is it designed to not bother to protect the virtual side of an OPSYS.. I know!... the OPSYS doesn't know it's even there, but can the security programs see any activity by malware on a VM side? Oh. The anti-malware app should run on the guest OS as per normal. The host OS should only try to contain the guest OS and its apps in the VM. |
vinref (6194) | ||