Virus inside of a Virtual Machine

Discussion in 'sandboxing & virtualization' started by Acadia, Oct 22, 2013.

Thread Status:
Not open for further replies.
  1. Acadia, Registered Member
     Joined: Sep 8, 2002 | Posts: 4,048 | Location: SouthCentral PA

    I have a Win7 system and on it I have WinXP installed inside of VirtualBox. I have the Guest Additions installed in VB but there is absolutely no networking or file sharing.


    Just for fun the other day, I wanted to test the anti-Virus that I have inside of VirtualBox so I went to a site that tries to download the EICAR test virus onto your system. Imagine my surprise when it was the anti-Virus on my host system that nailed the test virus (I use two different AV for the host and guest). Somehow my host AV had "seen through" the VM and nailed the virus.

    I posted about this on the VirtualBox forum and in so many words received an answer that stated something like, VirtualBox is still just binary code inside of a file on your host so it will still be scanned by your scanner; everything was working as it should.

    I know that Sandboxie will allow things like scanners in but still keep the virus trapped. Is this also the way that VMs work? I thought that VMs gave a little bit more isolation than this or was I mistaken? Interested to see if folks here agree with the VB forum.

    Thanks much,
    Acadia
     
  2. tomazyk, Guest

    Hi!

    Is it possible that the AV on your host system detected the test file during download, when scanning all HTTP traffic?

    I would disable the AV on the host, download the file and then re-enable the AV. Then I would try to open the test file in the VM and see if the AV on the host detects it.
     
  3. wat0114, Registered Member
     Joined: Aug 5, 2012 | Posts: 1,984 | Location: Canada

    How do you have the VM's networking set up? NAT, bridged, internal? I think if it's bridged then your VM shares the same networking device driver as the host, so maybe the host machine's antivirus is scanning the infected data that your VM is downloading. Just a guess.
     
  4. tomazyk, Guest

    I did the test with ESET. It is ESET's HTTP protection that detects the file, not the real-time scanner.

    P.S.: my VM is using the "attached to NAT" type of connection, so it looks like my AV can scan this network traffic.
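
The in-transit detection reported in post 4, as an added Python sketch that is not part of the thread and is not ESET's or VirtualBox's code: a filter that sits on the network path matches the EICAR string in the HTTP response itself, even when the bytes arrive split across segments, without ever reading a file inside the guest. `StreamScanner`, `first_detection`, `split` and the sample response are hypothetical names and constructed data.

```python
# Added illustration, not code from the thread, ESET or VirtualBox.
# EICAR test string (harmless, 68 bytes), assembled from parts so this
# source file is less likely to be quarantined by an on-disk scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-"
         + "ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


class StreamScanner:
    """Match a byte signature in a stream that arrives in arbitrary segments."""

    def __init__(self, signature):
        self.signature = signature
        self.tail = b""    # last len(signature)-1 bytes already seen
        self.consumed = 0  # stream bytes fed before the current segment

    def feed(self, segment):
        """Return the stream offset where the signature starts, else None."""
        window = self.tail + segment
        hit = window.find(self.signature)
        if hit != -1:
            return self.consumed - len(self.tail) + hit
        keep = len(self.signature) - 1
        self.tail = window[-keep:] if keep else b""
        self.consumed += len(segment)
        return None


def first_detection(segments, signature=EICAR):
    """Return (segment_index, stream_offset) of the first match, or None."""
    scanner = StreamScanner(signature)
    for index, segment in enumerate(segments):
        offset = scanner.feed(segment)
        if offset is not None:
            return index, offset
    return None


def split(data, size):
    """Cut data into size-byte segments, as a network path might."""
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample: the HTTP response the guest's browser would receive.
HEADERS = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           b"Content-Length: 68\r\n\r\n")
RESPONSE = HEADERS + EICAR

if __name__ == "__main__":
    # 20-byte segments make the signature straddle several boundaries.
    print(first_detection(split(RESPONSE, 20)))
    print(first_detection(split(HEADERS + b"harmless body", 20)))
```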
     
  5. Acadia, Registered Member
     Joined: Sep 8, 2002 | Posts: 4,048 | Location: SouthCentral PA

    Bingo, tomazyk, that was it!! Thank you very much.

    Acadia
     
  6. tomazyk, Guest

    You're welcome! :)
     
  7. TheCatMan, Registered Member
     Joined: Aug 16, 2013 | Posts: 327 | Location: sweden

    Phew, had me worried! :D
     