VB and viruses

[Solecs]

Hi I was wondering if a virus on a guest can carry over and infect my host. Sorry if it is a stupid question to ask but I wanted to test some anti-malware tools and need something to test with.

[sirius]

It's not likely if you take certain precautions, but it's definitely a possibility.

Using folder sharing is a big risk, that would definitely allow a viral transfer.

A network enabled virus (blaster for example) could potentially jump from the guest to the host as well. There may be VBox network settings that prevent this, but I'm not familiar enough with the different networking modes to be certain.

[mpack]

Using folder sharing is a big risk, that would definitely allow a viral transfer.

Definitely? Hardly. The virus would be limited to the mechanisms served up by the hosts folder sharing protocol: view list of files, open/create file, read/write file etc - and all assuming that the most open permissions are in place. To cut this short: we can assume that the only real viral transfer mechanism is "write file", so the only escape route for the virus is for it to patch an executable file. If you don't keep unprotected executable files in shared folders then its pretty much impossible for a virus to escape that way. Ditto if you do keep executable files there, but treat them with even moderate caution. It's the user dumbly copying executable files around between PCs that's creating this risk, not the shared folders feature per se.

[sirius]

If the guest has write permissions to a shared folder, the virus could spread to that folder. How it spreads beyond that isn't necessarily the point; it's a threat, it's on the host machine, and it may go unnoticed and be spread further even if it's dormant.

[mpack]

If the guest has write permissions to a shared folder

Semantics. The folder cannot cause infection of the host by itself. The user has to cooperate, for example by storing an executable file there which can be patched, and later executing it without a virus scan. The folder itself is virtual and there is nothing to infect. The risk to the host, what there is of it, is just as high or higher with any external drive - and people don't stop using those.

[sirius]

There's plenty of active content in this day and age, no need for an executable.

[mpack]

"Active content"? Please define, in the context of this discussion.

[sirius]

Examples would include any sort of macros or scripts attached to documents, which could be triggered when opened.

[mpack]

Examples would include any sort of macros or scripts attached to documents, which could be triggered when opened.

Macro == executable. I did not confine my remarks to .exe files. I note however that the danger associated with (e.g.) a Word macro is very limited, in the same way that an executable run inside a VM has limited reach.

[sirius]

Now who's getting into semantics?

[mpack]

Not at all - the meaning of the generic term "executable" is well understood. In fact I wouldn't need a generic term if there was only one kind.

[sirius]

A "document" is not generally considered an "executable", even if it has active content. Most people won't open a strange executable, but if a virus attaches itself to a familiar document in the form of a macro, script, or other active content, the likelihood of it being triggered increases dramatically.

Getting back on topic, if a virus in a VM infects a document in a folder shared by the host, it exists on the host machine, period. As soon as the document is opened on the host machine, the virus can be triggered and spread there.

Regardless of how you evaluate the risk, it IS possible for a virus to spread from a VM to the host machine, and shared folders or drives are a very simple vector for this. Unless you have 100% confidence in your host's AV software, don't take the risk.

So to the OP: if you're going to be mucking about with viruses in a VM, it's best to turn off shared folders and drives, and if you really want to be safe, disable networking.

Best of luck!

[Solecs]

Great thanks for the info sirius and mpack you guys really went at it. I guess i will have to find a different computer to mess with the virus on. sounds like it is going to be a little more tricky then i thought it was going to be. Thanks for the responses they are very much appreciated.

[kebabbert]

I was thinking about this as well. If you use different OS for a guest, would that be safer? Let us say you have Linux as host, and run Windows as guest. Would a Windows virus be able to infect Linux? Are there any cross platform viruses? For instance, MS VisualBasic macro viruses? Or Java?

(In Solaris 11 it is possible to turn off network to the main Solaris install, but allow network traffic to virtualized instances of Solaris where you run VirtualBox. This means the VirtualBox VM should have no way of reaching the Solaris main install because it has all network traffic turned off (it can not even reach internet))

[jonsof]

Sirius what about using the "shared-folder" with read-only permissions for the guest - this is an option in shared folder settings.Also what about using NAT, or internal networking with another VM as gateway? The scenarios are many.
Besides the presence of an infected file isn't absolutely a threat.Because the threat level is defined by the user's level of expertise.

There is no need to generalise and scare people