While using a web browser inside an XP guest (VBox 4.2.0, XPx64 host) I got some alerts from the host's antivirus program saying that a trojan or malware attempted to enter the system by means of the Virtualbox.exe process and was blocked by the antivirus.
Meanwhile the antivirus installed in the guest said nothing, presumably (am I right?) because the malware had been blocked before getting to the guest.
I usually surf the web from that (NAT) guest (which has no shared folders and USB disabled in order to keep it as "isolated" as possible) because I thought this was a good way for reducing the risks of host infection. I thought that, in case of infection, the guest would have been infected at first and then, unless the virus was very... good and the guest had some access to the host's filesystem, the infection would remain inside the guest.
Now things look quite different, as the infection seems to reach, at first, the host; shall I infer that, if the host's antivirus is not able to block it, the malware would infect the host leaving the guest alone?
Thanks for any help.
Can malware infect host when guest has no shared folders?
noteirak
- Site Moderator
Re: Can malware infect host when guest has no shared folders
You can breathe - the malware did reach your host, yes, but not as something that ran on it.
The NAT setting basically uses your host as a router, so the data comes to your host first and then is sent to your guest. This data is not executed in any way, it is only transferred, just like any network transfer.
Antivirus looks at what is being transferred on your interfaces, to block malware or viruses from even being copied to your system. This is what you're seeing.
This is the expected behaviour - VirtualBox and your antivirus worked as expected!
The binary code of the malware (which is what antivirus looks at) reached your host, yes, only because your host is a router for your guest. Nothing more.
"Now things look quite different, as the infection seems to reach, at first, the host; shall I infer that, if the host's antivirus is not able to block it, the malware would infect the host leaving the guest alone?"
The malware will still infect the guest alone, because only the guest would run the code. The host only transfers the 1s and 0s that it receives for your guest.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
Re: Can malware infect host when guest has no shared folders
Well, I wasn't worried to the point I couldn't breathe...
but your clear explanation was very kind and helpful.
Moreover, while I somehow suspected (and hoped) the host was just intercepting the not-executed-malware passing by, I expected the malware to reach the guest anyway, without being blocked by the host AV. So I also learned something new.
Thanks a lot
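An added example, not part of the thread and not VirtualBox's own code: a Python check of the isolation settings the original poster describes (NAT networking, no shared folders, USB off), applied to the output of `VBoxManage showvminfo <vm> --machinereadable`. The sample outputs are constructed, the key names are assumptions based on that output format and vary between VirtualBox releases, and the clipboard and drag-and-drop checks go beyond the three settings named in the post.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
# Key names are assumptions based on that format; USB keys vary by release.
ISOLATED = '''name="xp-browsing"
nic1="nat"
nic2="none"
usb="off"
ehci="off"
clipboard="disabled"
draganddrop="disabled"
'''

# Constructed counter-example: bridged NIC, shared clipboard, one shared folder.
LEAKY = r'''name="xp-browsing"
nic1="nat"
nic2="bridged"
usb="off"
clipboard="bidirectional"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="C:\Users\me\Downloads"
'''

LINE = re.compile(r'^"?([^"=]+)"?="?(.*?)"?$')
USB_KEYS = ("usb", "ehci", "usbohci", "usbehci", "usbxhci")

def parse(text):
    """Turn key="value" lines into a dict, ignoring anything else."""
    pairs = (LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def audit(text):
    """Return findings; an empty list means the VM matches the thread's setup."""
    findings = []
    for key, val in parse(text).items():
        if re.fullmatch(r"nic\d+", key) and val not in ("nat", "none"):
            findings.append(f"{key} is '{val}', not NAT")
        elif key.startswith("SharedFolderNameMachineMapping"):
            findings.append(f"shared folder '{val}' is mapped")
        elif key in USB_KEYS and val != "off":
            findings.append(f"USB controller {key} is '{val}'")
        elif key in ("clipboard", "draganddrop") and val != "disabled":
            findings.append(f"{key} is '{val}'")
    return findings

if __name__ == "__main__":
    for label, sample in (("isolated", ISOLATED), ("leaky", LEAKY)):
        print(label, audit(sample) or "no findings")
```

To check a real guest, pass the captured command output to `audit()` instead of the constructed samples.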