Virtual Machine Security

Swampster

This may seem like a dumb question . . . but here goes anyway.

I am running Vista Business on a test machine. I have added Microsoft Virtual Machine and installed Windows XPP into it. The host OS is running a full complement of security programs and in any case is not used for any high-risk surfing.

Does the virtual OS (XPP in this case) have to have its own Virus/Malware/Firewall programs, or would the host OS be providing protection?

Swampster
 

degibson

The host will be providing firewall service unless you've done something unusual with the VM's network setup. The host will provide a small degree of 'virus detection' (e.g., data execution prevention, in some cases), but you should not rely on the host for Malware and/or Virus protection.

A good approach, if possible, is to make the VM immutable -- get it to a place where everything you want is installed, then freeze all the disk state, take a checkpoint, and never allow the disk state to change again. Your virtual OS can then be virus-free with a simple rollback whenever you suspect you've picked one up, and without the overhead and hassle of Malware/VScanners in virtualized environments. I'm not sure how to do this with M$ VMM, but it's trivial under VMWare.
 

Swampster

Many thanks to mechBgon and degibson!

That is as I suspected. For now, this is only an experiment to become familiar with the best way to set this up, and I am behind a good hardware/software firewall, have full security on the host system, plus not doing anything foolish. In any case, the whole setup is disposable as it is on a test-bed system that has 6 hard drives and I plug in the one I want before I boot.

On this system, I am able to do beta testing (for Microsoft and others), general experimentation, learning (as in this case) and refining of technique without the worry about contaminating anything important.

When this goes live on a client's computer, all this will not exist, which was why I needed confirmation from someone with just a little more experience in this particular area. I have several clients that, for various reasons, don't want to upgrade certain older software programs or are not able to get a satisfactory replacement and this technique will allow them to have all the advantages of Vista while still hanging onto the old stuff.

Not to mention the small fact that it allows me to close the deal on more than several new Vista systems! <VBG>

Once again, many thanks to both of you.

GARY
 

gsellis

And if there was any remaining doubt, someone demoed exploits of VMWare through the VM sessions at this year's Blackhat. So yeah, VM session protection adds a layer of defense.
 

FreshPrince

Originally posted by: gsellis
And if there was any remaining doubt, someone demoed exploits of VMWare through the VM sessions at this year's Blackhat. So yeah, VM session protection adds a layer of defense.

do you happen to have a link?
 

gsellis

Originally posted by: FreshPrince
Originally posted by: gsellis
And if there was any remaining doubt, someone demoed exploits of VMWare through the VM sessions at this year's Blackhat. So yeah, VM session protection adds a layer of defense.

do you happen to have a link?

No. One of our office crew attended the session and gave us a briefing on it. It was one of those "Oh" moments because sometimes we assume that a VM session was a safe place to test things when we wanted to see if they are unsafe. Found out that that was not always a good idea.

 

degibson

I have practical experience in which various bad things happening in the VM not only affected the host, but crashed the host. Suffice to say that isolation between guest and host is not complete.
 

FreshPrince

Originally posted by: degibson
I have practical experience in which various bad things happening in the VM not only affected the host, but crashed the host. Suffice to say that isolation between guest and host is not complete.

could you please elaborate?
 

degibson

Originally posted by: FreshPrince
Originally posted by: degibson
I have practical experience in which various bad things happening in the VM not only affected the host, but crashed the host. Suffice to say that isolation between guest and host is not complete.

could you please elaborate?

I can elaborate.

I forget the various versions of things involved, but I have managed to bluescreen two laptops (admittedly, very similar HW/SW), both using AMD mobile chips and Win XP, while installing Linux distributions on top of VMWare workstation. There's not much else to tell, in all honesty. It can be done.

Perhaps it was due to bugs in various software... in fact, I'm sure of it. However, bugs can go undetected for a long, long time... so it is incorrect to assume isolation is absolute.
 

RebateMonger

Introducing viruses and spyware into virtual machines is a common way of testing and demonstrating malware. You get little security assistance from the Host operating system.

As noted, "Undo Disks" are the way to fix things if your virtualized OS gets contaminated.