Why it's best to test for possible malware in a real machine

Discussion in 'other security issues & news' started by MrBrian, May 12, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined: Feb 24, 2008
    Posts: 6,032
    Location: USA
  2. mvario

    mvario Registered Member

    Joined: Sep 16, 2008
    Posts: 339
    Location: Haddonfield, IL
  3. CloneRanger

    CloneRanger Registered Member

    Joined: Jan 4, 2006
    Posts: 4,833
    Raymond is right :thumb: a VM is not the real thing, and with those clever crypters that he shows, only testing on a non-VM is 100% valid.

    Avira with heuristics on High always seems to intercept any unusual crypted files, even if they are legit. For some people this might be an inconvenience, but I prefer it, and to manually allow/deny. Also, if the file was actually allowed to run, again heuristics should come into action if it's unknown but suspicious.

    Some other AVs will also do this, with varying degrees of success.

    @MrBrian and mvario

    Thanks for posting :thumb:
     
  4. Windchild

    Windchild Registered Member

    Joined: Jun 16, 2009
    Posts: 571
    Well, this is just what I've always been saying. A real test is testing on a real system, not in a virtual machine.

    As for malware actually bypassing virtual machines, typically it doesn't. Instead of bypassing, it just commits suicide and refuses to do its malicious work as long as it's being virtualized. Which is either a) very bad, if it leads you to thinking the file is benign and executing it in a real system or b) very good, if it means the malware doesn't ever get to do anything malicious because you never take it out of the virtual machine.

    Of course VMs are quite convenient for some things, and malware testing on a real system isn't exactly reliable either, if you don't have a very reliable way of cleaning the system between tests (or heavens forbid, actual real-life use).
     
  5. wat0114

    wat0114 Guest

    Anyone with the competency level to run a virtual machine for testing malware is not likely going to believe the malware "laying low in the weeds" so to speak, is a benign file.
     
    Last edited by a moderator: May 13, 2010
  6. Windchild

    Windchild Registered Member

    Joined: Jun 16, 2009
    Posts: 571
    Agreed that it's not likely, but sometimes it does happen. Sometimes even to parties that should be experts, such as AV companies. And I've seen it happen far more often than I'd like to hobbyist type folks. Being careful isn't the chief virtue of most humans. :D
     
  7. MrBrian

    MrBrian Registered Member

    Joined: Feb 24, 2008
    Posts: 6,032
    Location: USA
    Notice that some security software running on a real machine, such as Sandboxie, is also targeted.
     