Hi,
I would like to use Virtualbox as a way of running XP as a guest OS and infecting the guest with malware and experimenting with malware removal tools and techniques. If I allow the guest OS to become infected, will this impact my host system? My host system runs XP SP3 fully updated and running AVG AV free version v.9, also fully updated.
I hope this isn't going to be viewed as a dumb question! I read a few articles online that stated the guest and host are isolated. I installed XP SP3 as a guest and deliberately left it un-updated (MS, Java, etc...). I went to a website known to infect visitors with malware and AVG on the host PC blocked access as it would if I visited the site on my host OS. I know the guest OS runs in Virtualbox within the host OS, but is it safe to use Virtualbox for malware experimentation?
Thanks in advance!
Mike
Using Virtualbox guest OS as test OS for Malware removal
MarkCranness
- Volunteer
- Posts: 875
- Joined: 10. Oct 2009, 06:27
- Primary OS: MS Windows 7
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows Server 2008 R2; Ubuntu 11.04; Windows 2000 Server; Windows XP
Re: Using Virtualbox guest OS as test OS for Malware removal
You will need to firewall the host from the guest or disable services and harden the host if you are concerned about the guest infecting the host, because the guest can TCP/IP connect to your host and attempt exploits.
If your guest VM uses VirtualBox NAT networking (the default) then any intrusion from the guest has a source IP of localhost which very likely AVG or other firewalls will not block.
If your guest VM uses VirtualBox Bridged networking then any intrusion from the guest has a separate IP on your local LAN (assigned either by DHCP on your LAN, or static) which AVG or other firewalls might not block because they might assume local network addresses are safe.
I suggest that:
- If you follow any suggestions given here, I/we are not responsible for any damage to your host!
- Use Bridged networking, but first make sure that your host firewall rejects connections from the guest's IP. Perhaps install a scanner in the guest first and ensure it cannot connect to the host.
Re. AVG blocking access: If your guest VM uses VirtualBox NAT networking then as far as AVG can see, a program (VBoxSVC.exe or VirtualBox.exe) is accessing an IP that AVG thinks is bad, so it is blocked.
If you set your guest VM to use Bridged networking, then AVG might not see the traffic and might not block access.
IIRC: These modes allow the guest to connect to the host:
- NAT (connection interface = localhost loopback)
- Bridged (connection interface = the host's first or main network connection?)
- Host-only (connection interface = the VirtualBox Host-Only connection)
These modes allow the host to connect to the guest:
- NAT when port-forwarding rules have been added to the guest (only on the ports forwarded)
- Bridged
- Host-only
These modes allow the guest internet access:
- NAT
- Bridged
See also this recent post: How safe is using NAT for virus testing? (I've changed my advice since making that post.)
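The "make sure that your host firewall rejects connections from the guest's IP" step above can be checked with a small script run inside the test guest. This is an added example, not code from the thread or from VirtualBox: it attempts a plain TCP connect from the guest to the host on a handful of ports and reports any that accept. The host addresses (10.0.2.2 for NAT, 192.168.56.1 for host-only) are the VirtualBox defaults and are assumptions, as is the port selection; under bridged networking pass the host's LAN address on the command line. The local-listener helpers exist only so the check can be exercised offline against 127.0.0.1.

```python
"""Verify that the host rejects TCP connections from the malware-test guest.

Run inside the guest, pointing it at the host's address for the networking
mode in use. Every port reported as reachable is a path from the guest back
into the host that the host firewall is not blocking.
"""
import socket
import sys
import threading

# VirtualBox defaults (assumed, not taken from the thread): under NAT the host
# is reachable from the guest as 10.0.2.2; under host-only it is 192.168.56.1.
# Under bridged networking, use the host's LAN address instead.
DEFAULT_HOST_ADDRESSES = {
    "nat": "10.0.2.2",
    "hostonly": "192.168.56.1",
}

# Ports an unhardened XP host commonly exposes (assumed selection):
# RPC endpoint mapper, NetBIOS session, SMB, RDP, SSDP/UPnP.
DEFAULT_PORTS = (135, 139, 445, 3389, 5000)


def reachable_ports(host, ports=DEFAULT_PORTS, timeout=1.0):
    """Return the subset of `ports` on which a TCP connect to `host` succeeds.

    A refused or timed-out connection means the firewall (or the absence of a
    listener) is doing its job for that port.
    """
    open_ports = []
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except (socket.timeout, OSError):
            continue          # blocked, refused or unanswered: good
        else:
            open_ports.append(port)
        finally:
            sock.close()
    return open_ports


def host_is_isolated(host, ports=DEFAULT_PORTS, timeout=1.0):
    """True when none of the checked ports on `host` accepts a connection."""
    return not reachable_ports(host, ports, timeout)


def start_local_listener():
    """Start a throwaway TCP listener on 127.0.0.1; return (socket, port).

    Used only to exercise the check offline: the listener stands in for an
    unfiltered host service. Close the returned socket to stop it.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    port = server.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:   # raised once the server socket is closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return server, port


def find_closed_local_port():
    """Pick a 127.0.0.1 port nothing listens on, by binding then releasing it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST_ADDRESSES["nat"]
    exposed = reachable_ports(target)
    if exposed:
        print("host %s accepts guest connections on ports: %s" % (target, exposed))
    else:
        print("host %s rejected all checked ports; guest looks isolated" % target)
```

Run it once before any infection and keep the "rejected all checked ports" result as your baseline; if a later run from the same guest reports a reachable port, the host firewall rule for that mode is not in effect and the guest should be treated as able to reach the host.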
Red Squirrel
- Posts: 118
- Joined: 25. Jan 2009, 05:28
Re: Using Virtualbox guest OS as test OS for Malware removal
Another option is to set up another VM to act as a "hardware" firewall (install smoothwall or another Linux-based system) and pretty much block everything except for the ports you need. Perhaps FTP to upload files to the guest. If the guest does not require any kind of outside access then just block it all. Or even disable networking completely.
Also do not install the VM tools. This is my paranoid self, but just in case a virus is designed to detect that it's in a VM and can somehow use the tools to get out, then by not having them installed it's an extra step. I highly doubt there are such viruses, or that it's even possible, though. It's just an extra precaution I like to take.