Article about thwarting virtual machine detection


MrBrian
April 16th, 2008, 06:00 PM
The article 'On the Cutting Edge: Thwarting Virtual Machine Detection', found at http://handlers.sans.org/tliston/Thw...on_Skoudis.pdf, mentions on page 23 some undocumented VMware settings that reduce the ability of a program to detect that it's running in a virtual machine. Those of you who like to test malware in a virtual machine may find this information useful, since some malware changes its behavior when a virtual machine is detected. I haven't personally tested this yet.

Meriadoc
April 16th, 2008, 08:52 PM
I briefly mentioned this once before, I think when talking about RkU VM detection. I use a clean VM; you can clean the environment up somewhat of anything VMware software/hardware related.

MrBrian
April 16th, 2008, 09:33 PM
> I use clean VM

Can you elaborate on this please? Is this a script?

Meriadoc
April 16th, 2008, 10:23 PM
> Can you elaborate on this please?
References to VMWare - file & registry.
Configuring services - vmx file.

> Am I running inside the Matrix,
> or in the Real World?
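As an added example (not from the thread or any of its posters), here is a PowerShell check an analyst can run inside a Windows guest after cleaning it, to see which of the VMware file, registry and service references mentioned above are still visible. The registry keys, file paths and driver names listed are well-known VMware Tools locations, but the list is an assumption and not exhaustive.

```powershell
# Audit a Windows guest for leftover VMware references (registry, files,
# services, WMI hardware strings). Run as Administrator inside the guest.
# The artifact list below is an assumption: common VMware Tools locations,
# not a complete inventory.

$findings = @()

# 1. Registry keys created by VMware Tools
$regKeys = @(
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VMTools'
)
foreach ($k in $regKeys) {
    if (Test-Path $k) { $findings += "registry: $k" }
}

# 2. Files and directories installed by VMware Tools
$paths = @(
    "$env:ProgramFiles\VMware\VMware Tools",
    "$env:SystemRoot\System32\drivers\vmmouse.sys",
    "$env:SystemRoot\System32\drivers\vmhgfs.sys"
)
foreach ($p in $paths) {
    if (Test-Path $p) { $findings += "file: $p" }
}

# 3. Services whose name or display name mentions VMware
Get-Service |
    Where-Object { $_.Name -like 'vm*' -or $_.DisplayName -like '*VMware*' } |
    ForEach-Object { $findings += "service: $($_.Name) [$($_.Status)]" }

# 4. Hardware strings exposed through WMI (system manufacturer/model)
$sys = Get-CimInstance -ClassName Win32_ComputerSystem
if ($sys.Manufacturer -match 'VMware' -or $sys.Model -match 'VMware') {
    $findings += "wmi: Win32_ComputerSystem reports $($sys.Manufacturer) / $($sys.Model)"
}

# Report: an empty list means the obvious references are gone, not that the
# guest is undetectable (BIOS, MAC prefix and timing checks are not covered).
if ($findings.Count -eq 0) {
    Write-Output 'No obvious VMware references found.'
} else {
    Write-Output "VMware references still present ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Any finding that remains after the cleanup is a reference the guest still advertises; the hardware strings in section 4 are set on the host side, which is where the vmx settings in the article come in.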

MrBrian
April 16th, 2008, 11:10 PM
> References to VMWare - file & registry.
> Configuring services - vmx file.

Thank you.

MrBrian
April 16th, 2008, 11:12 PM
Here is a webpage called 'VM Hardening Guide' - http://honeyclient.org/trac/wiki/VMHardeningGuide#.

Rasheed187
April 18th, 2008, 09:52 AM
Hi,

I will check it out, but won't this break stuff inside the VM? I believe that I've read something like this. Of course for the real hardcore malware testers out there, this could be a nice workaround; luckily most of my malware samples work just fine.

But a couple of days ago I did download a malware sample (some fake video site trying to make you run some fake codec) and it terminates itself immediately. As a matter of fact, a lot of malware does this inside a sandbox (SafeSpace/SBIE) too. But I'm not sure if this is because they recognize the fact that they run sandboxed (making analyzing impossible), or because they notice they can't do anything anyway?

MrBrian
April 18th, 2008, 06:01 PM
> I will check it out, but won't this break stuff inside VM?

According to the article p. 24, yes it will break things such as Shared Folders and VMware Tools. I haven't tried this myself yet, but I posted it because I thought it may be of use to others.

lucas1985
April 18th, 2008, 07:20 PM
> But I'm not sure if this is because they recognize the fact that they run sandboxed (making analyzing impossible), or because they notice they can't do anything anyway?
Both are highly likely. They may detect SBIE's driver/protection and so they shut down quietly, or they get tired of repeated failures.