virus in virtual Partition

Discussion in 'General Returnil discussions' started by virtualxx, Dec 19, 2009.

Thread Status:
Not open for further replies.
  1. virtualxx

    virtualxx Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    2
    Hi,

    I am in Session Lock.
    I download a file infected with a virus or trojan...
    I save the file in my virtual partition.
    I reboot. Now the system protection is off.

    1) Can the virus infect my physical PC and my real hard drive C: o_O??
    Or will the virus be isolated and unable to bypass my virtual partition? o_O

    2) After the reboot, when system protection is off, can I open the infected file in my virtual partition? o_O


    If the same scenario happens in my virtual PC (VM):
    Can the virus bypass my virtual PC and infect my hard drive C:?
    Do I need AV for my virtual PC to protect my physical PC? o_O
    Or will all viruses be isolated in my VM?

    Thanks
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hello virtualxx and welcome to the forums :)

    Bad idea. If you suspect that something is malicious, you should not deactivate System Safe (virtualization). That is the reason that it is there in the first place; a simple restart removes active content from the virtual system and ensures that the real system stays clean.

    In this particular scenario, the only thing infected following a restart will be the original file you downloaded to the Virtual Disk. So you have it contained. Though you could get into a bouncing ball situation where activation of that file causes the malicious content to become active, you just restart and are again left with the inactive "land mine" of the original file. Simply delete that file, restart your system (assuming virtualization starts with Windows) and the malicious content is gone.

    The virtual system will become infected while the real system remains isolated in nearly 100% of cases. This is not absolute as there are a small number of malware families that are designed to bypass virtualization which are dealt with specifically by the RVS Virus Guard and AE features. You should not take this as some type of magical armor where you can abandon common sense however...

    RVS is part of an intelligent, layered strategy; and an important part of that strategy will always be the same as physical security:

    1. Know where you are
    2. Pay attention to what is going on around you
    3. Base your activity on the risks

    Ex: surfing warez sites has a much higher risk than surfing the Microsoft downloads site...

    Yes, if it is not recognized/blocked by the RVS Virus Guard, AE, or your other security solutions, the file can be activated. If it was activated while System Safe was turned on in Session Lock mode (off after a restart), the active components installed into the virtual session will be gone after the restart, but the original file still remains dangerous. In fact, it is now much more dangerous due to the fact that virtualization is now deactivated (in your scenario). This is why it is much safer, and more appropriate to RVS's purpose, to keep System Safe activated with Windows start unless you need to do the following on a known, clean system:

    1. Microsoft/Windows updates
    2. Hard disk defragmentation
    3. File and/or complete computer backups and recovery images

    Antivirus updates do not require RVS virtualization to be turned off as they will update as expected. Those updates lost at restart are simply reapplied by the AV program the next time it is started/connects to the internet.

    Yes, if the malware can bypass the VM, it can infect the host. This is why we recommend using RVS on both Host and Guest as this will ensure that malicious content can be removed with a simple restart of either OS and as a result, keep both clean.

    Yes, if the VM has access to the Internet and/or other computers within your network, you will need to use the same level of security within the VM as you do on the Host unless you are using the VM to perform specific testing or research. This is an advanced configuration however that should be used only by those with the training to do this safely.

    Mike
     
  3. virtualxx

    virtualxx Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    2
    Hi bro, thanks a lot for your explanation.
    My question is: can malware bypass Microsoft Virtual PC 2007? o_O??
    I thought the virtual PC (guest) was isolated from the host.

    Also, I am quoting this from the Returnil web site: "virtual machine:
    The best option when you are testing new software or playing with malware.
    Disadvantage: some malware is aware it is in a virtual machine and stays dormant until released on the real system."

    If the infected file stays in the virtual PC, how can it be released on the real system? o_O??

    I only use my virtual PC to download and save movies from different websites. These movies might have malware. I do not move any movie from my virtual PC to my real PC.
    My concern is to protect only my physical PC. If my virtual PC gets infected, I just delete my virtual hard disk and create a new one.

    I use the RVS 2008 version on my physical PC. I use the locked session every time before I start my virtual PC.
    Can the malware bypass the virtual PC and Returnil and infect my physical PC? o_O?

    Thanks
     
    Last edited: Dec 20, 2009
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    First, don't panic. Some malware can detect whether it is in a VM or on a legitimate Host system. This does not mean that it can bypass the virtualization by default, but some ARE designed to take advantage of known vulnerabilities in the software. A good place to start would be at Secunia:

    http://secunia.com/advisories/vendor/1/

    Look for the Microsoft Virtual PC 2004 and 2007 links to see if anything is listed.

    1. User action: Malicious file is accidentally saved or copied to the Host.
    2. Malware is designed to take advantage of a known or unknown vulnerability in the VPC software itself.
    3. The Guest is allowed a trusted connection to other computers (Host included) on your network.
    4. Vulnerability in a different program installed in the VM.
    5. etc

    As mentioned, there are a small number of specific malware families that are designed to bypass any form of virtualization. Usually, these programs evolved from hacker tools for getting around locked down public access systems or in countries with more restrictions over personal liberties than we are used to in the West. These programs are rare and chances of you running into one are not as likely as others. With that said however, the RVS Virus Guard and Anti-Execute features are there to offer protection from known variants of these programs.

    There is no way to eliminate all risk. Look at taking a bath for example. Though highly unlikely, there is always a risk that you might slip and hit your head. Do you spend time worrying about this possibility? The answer is probably no, as the actual risk is negligible on a normal daily basis.

    The way you are using VPC is valid, just don't proceed as though its use represented some type of magical armor where there are no risks...

    Mike
     
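An added illustration of the point raised in the last two posts, that some malware can tell it is inside a virtual machine and stays dormant there. This is not code from the thread, from Returnil or from Microsoft. The two most common signals a VM-aware program reads are the CPUID "hypervisor present" bit (leaf 1, ECX bit 31) and the 12-byte hypervisor vendor string returned by CPUID leaf 0x40000000. Assumptions: an x86/x86-64 build with GCC's or Clang's `<cpuid.h>`; the list of vendor strings is a small set of well-known values and is not claimed to be complete; whether Virtual PC 2007 specifically reports these values is not claimed here. A hypervisor that hides the bit, or one not in the list, is simply not detected, which is why this is a heuristic and not a guarantee in either direction.

```c
/*
 * Added example (not from the thread, Returnil or Microsoft): how a
 * VM-aware program decides whether it is running inside a virtual machine.
 *   1. CPUID leaf 1, ECX bit 31 ("hypervisor present"), set by most
 *      modern hypervisors for their guests.
 *   2. CPUID leaf 0x40000000, whose EBX:ECX:EDX carry a 12-byte vendor
 *      string such as "VMwareVMware" or "Microsoft Hv" (Hyper-V).
 * Assumption: x86/x86-64 with GCC or Clang (<cpuid.h>). On other targets
 * the live probe reports "no signal" instead of failing to build.
 */
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* --- pure helpers, testable without touching the real CPU --- */

/* CPUID.1:ECX bit 31 is the hypervisor-present flag. */
int hv_present_from_ecx(unsigned int ecx) {
    return (int)((ecx >> 31) & 1u);
}

/* Write the 4 bytes of a register in CPUID order (low byte first),
 * independent of the compiler host's endianness. */
static void put_le32(char *dst, unsigned int v) {
    for (int i = 0; i < 4; i++) dst[i] = (char)((v >> (8 * i)) & 0xffu);
}

/* Decode leaf 0x40000000: the vendor ID is spread across EBX, ECX, EDX.
 * Returns a pointer to a static buffer (not thread-safe; fine for a probe). */
const char *hv_vendor_string(unsigned int ebx, unsigned int ecx, unsigned int edx) {
    static char vendor[13];
    put_le32(vendor + 0, ebx);
    put_le32(vendor + 4, ecx);
    put_le32(vendor + 8, edx);
    vendor[12] = '\0';
    return vendor;
}

/* Vendor strings published by common hypervisors. Prefix match because
 * some (e.g. KVM) pad the remainder with NULs. Assumed list, not complete. */
int looks_like_vm_vendor(const char *vendor) {
    static const char *const known[] = {
        "VMwareVMware", "Microsoft Hv", "KVMKVMKVM", "XenVMMXenVMM", "VBoxVBoxVBox"
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strncmp(vendor, known[i], strlen(known[i])) == 0) return 1;
    return 0;
}

/* Live probe of the machine this runs on.
 * Returns 1 if the hypervisor bit is set or a known vendor string is seen,
 * 0 if there is no signal (bare metal, or a hypervisor hiding itself). */
int probe_running_in_vm(char *vendor_out, size_t vendor_len) {
    if (vendor_out && vendor_len) vendor_out[0] = '\0';
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    int hv_bit = hv_present_from_ecx(ecx);
    /* Only read the vendor leaf when the bit says it is meaningful. */
    if (!hv_bit) return 0;
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    const char *v = hv_vendor_string(ebx, ecx, edx);
    if (vendor_out && vendor_len) {
        strncpy(vendor_out, v, vendor_len - 1);
        vendor_out[vendor_len - 1] = '\0';
    }
    return 1;
#else
    return 0;
#endif
}

int main(void) {
    char vendor[13];
    int vm = probe_running_in_vm(vendor, sizeof vendor);
    printf("hypervisor signal: %s (vendor '%s', known=%d)\n",
           vm ? "yes" : "no", vendor, looks_like_vm_vendor(vendor));
    return 0;
}
```

Run it once on the host and once inside the guest: the "yes" result in the guest is exactly the information a dormant sample uses to decide not to unpack, so a clean run in the VM is not proof the file is harmless, which is the caveat the reply above makes.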