Trojan:O97M/Obfuse.K while running W11 Home guest's WU.
Posted: 13. Sep 2022, 20:48
by ant
Hello,
Has anyone had an updated 64-bit W10 Pro host crash a VB VM due to Trojan:O97M/Obfuse.K (https://www.microsoft.com/en-us/wdsi/th ... 2147729872)? I had to tell my 64-bit W10 to allow it and manually revert my VM back to the previous snapshot to redo what I was doing (getting today's monthly updates for W11 Home guest). It quarantined my D:\VirtualBoxVMs\64bit W11 Home\Snapshots\{476f17d6-14c5-48f1-964b-b93e56b8a245}.vdi file. I restored it, but it was 0 bytes. Weird/Odd.
Thank you for reading and hopefully answering soon.

Re: Trojan:O97M/Obfuse.K while running W11 Home guest's WU.
Posted: 13. Sep 2022, 21:17
by scottgus1
I haven't heard of that specific situation. But if host AV snatches a file out from under a running VM, the VM is not going to like it.
Host AV should stay out of the VMs' folders, and the VM OS's should run their own AV. Exceptions can be set on host AV to achieve this.
Re: Trojan:O97M/Obfuse.K while running W11 Home guest's WU.
Posted: 13. Sep 2022, 22:12
by ant
scottgus1 wrote: I haven't heard of that specific situation. But if host AV snatches a file out from under a running VM, the VM is not going to like it.
Host AV should stay out of the VMs' folders, and the VM OS's should run their own AV. Exceptions can be set on host AV to achieve this.
I wonder how often this happens. I assume it is a false positive.
Re: Trojan:O97M/Obfuse.K while running W11 Home guest's WU.
Posted: 13. Sep 2022, 23:07
by fth0
ant wrote: I wonder how often this happens.
You're the second user reporting such a type of issue. A similar issue was reported in ".vdi file disappeared and is gone."
Re: Trojan:O97M/Obfuse.K while running W11 Home guest's WU.
Posted: 14. Sep 2022, 00:01
by ant
fth0 wrote: ant wrote: I wonder how often this happens.
You're the second user reporting such a type of issue. A similar issue was reported in ".vdi file disappeared and is gone."
Wow. Thanks.
Re: Trojan:O97M/Obfuse.K while running W11 Home guest's WU.
Posted: 14. Sep 2022, 04:40
by scottgus1
The VM's disk file is a file on the host. And if the VM gets a virus, real or false positive, and the host AV catches it, the host AV will pull the file and kill the VM. Typical AV behavior, no surprises.
Gotta keep the host AV from scanning the VMs.
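Added example, not part of any post in this thread: one way to set the host-side exclusion described above on Microsoft Defender, after first listing past detections that touched files under the VM folder. The `$VmRoot` value and the `Test-PathCovered` helper are assumptions for illustration; the cmdlets come from the built-in Defender module and need an elevated session.

```powershell
# Run in an elevated PowerShell session on the Windows host.
# Assumption: $VmRoot is your VirtualBox machine folder; adjust as needed.
$VmRoot = 'D:\VirtualBoxVMs'

# Hypothetical helper: true if $Path equals, or lies beneath, an existing exclusion.
function Test-PathCovered {
    param([string]$Path, [string[]]$Exclusions)
    $p = $Path.TrimEnd('\')
    foreach ($e in $Exclusions) {
        if ([string]::IsNullOrWhiteSpace($e)) { continue }
        $x = $e.TrimEnd('\')
        if ($p -ieq $x -or
            $p.StartsWith("$x\", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# 1. List earlier Defender detections whose resources sit under the VM folder,
#    so you can see which disk images or snapshots were acted on and when.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($VmRoot) } |
    Select-Object InitialDetectionTime,
                  @{ n = 'Threat'; e = { $threatNames[$_.ThreatID] } },
                  Resources |
    Format-List

# 2. Add the folder exclusion only if no existing exclusion already covers it.
$current = @((Get-MpPreference).ExclusionPath)
if (Test-PathCovered -Path $VmRoot -Exclusions $current) {
    Write-Output "Already excluded: $VmRoot"
} else {
    Add-MpPreference -ExclusionPath $VmRoot
    Write-Output "Added Defender path exclusion: $VmRoot"
}

# 3. Confirm the resulting exclusion list.
(Get-MpPreference).ExclusionPath
```

The exclusion only stops future host-side scans of that folder; it does not replace AV inside the guest, and it does not recover a disk image that was already quarantined.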
Re: Trojan:O97M/Obfuse.K while running W11 Home guest's WU.
Posted: 14. Sep 2022, 09:59
by mpack
I wonder if Defender hasn't quietly added code to parse the interior of VDI files? Dumb scanning of files of that size seems especially... dumb. And counter-productive too: VMs are supposed to be isolated black boxes.