9 Replies   Latest reply: Oct 26, 2009 3:29 AM by jokke

    Virus Infection Containment & isolation vs SnapShot-Restore

    Valmiki Novice

      Hi experts,

      Need clarification regarding a specific security/virus issue.

      I have installed the Win-XP-SP2 OS both in the Host system & in the Guest (VMware Workstation).

      A N/w adaptor is configured in the Guest (as NAT). A VMware Shared folder is also configured in the guest.

      Moreover the Host has some shared folders (visible in Network), but only with read rights (no write permissions).

      I have made sure the Host system is perfectly clean (i.e. no virus/worm infections).

      Same with the guest also, initially.

      Now consider the following scenario:

      1. I take a Snapshot of the Guest & store it under the name "SnapShot-1".

      2. I browse the internet from the guest, download some files (virus infected) & further execute them,
         resulting in my guest system being surely compromised (virus infected).

      3. I am assuming that my host is still clean (literally) at this point, either with or without the protection of an Antivirus installation.
         At least I am assuming step 2 will not affect the host security status.

      4. Now I shut down & reboot the Guest.

      5. From the top VMware menu, I invoke Snapshot Manager & revert back to the SnapShot-1 point.

      Is my system, both guest & host, completely assured of no infections & completely safe/secure after Step-5?

      Common sense dictates that it is so. But I want confirmation from the VMware & Security Gurus here.

      Also, can you pick any holes in my line of argument from Step-1 to Step-5?

      Thanks & regards.

        • 1. Re: Virus Infection Containment & isolation vs SnapShot-Restore
          continuum Guru User Moderators vExpert

          Let's be very paranoid for argument's sake ...

          Probably the safest way is ....

          1. you do not use shared folders
          2. you do not have vmware-tools installed inside the guest
          3. you configure the vmx-file of the guest in such a way that it disables the backdoor
          4. you use a USB network device inside the guest instead of the NAT interface

          Second best

          1. you do not use shared folders
          2. you do not have vmware-tools installed inside the guest
          3. you configure the vmx-file of the guest in such a way that it disables the backdoor
          4. you use bridged networking and disable all protocols other than the vmnet-bridge protocol from your host

          Third best

          1. you do not use shared folders
          2. you do not have vmware-tools installed inside the guest
          3. you configure the vmx-file of the guest in such a way that it disables the backdoor
          4. you use NAT networking

          Next comes what you use now.

          ___________________________________

          VMX-parameters - VMware-liveCD - VM-Sickbay

          • 2. Re: Virus Infection Containment & isolation vs SnapShot-Restore
            Valmiki Novice

            @continuum I did not get an answer to my most crucial question (Query1)! I was not asking a general question, at least in this post. I had a specific query. Can somebody (an expert) answer to the point? Rationale & general safety precautions are also welcome after it.

            But thanks anyway, continuum, for your response.
            It was helpful in gaining a general idea.

            btw the scenario I depicted was not because of paranoia. Sometimes some free software you download from the internet may be suspect (especially P2P S/w) in terms of its damage potential for virus/spam infection. Before deciding to install it on your host system & thereby risking infection, you can gain confidence by undertaking a test install in your VMware Guest, thereby containing the infection. So you are intentionally playing with fire, in a controlled environment, assuming your (security) doors & seals are tight, and the test germs won't escape into the wild. In the off chance an infection is detected, you can roll back to your baseline snapshot, getting back a fully clean system. This is the background for the scenario in my first post. I wanted the first query to be simple, to get a focussed answer, before going into a generic safety scenario.

            The idea is based on common sense. I simply want to vet it with some experts here. So a pointed answer to my 1st question in post-1 will be helpful. regards

            • 3. Re: Virus Infection Containment & isolation vs SnapShot-Restore
              continuum Guru User Moderators vExpert

              What was query one???

              If it is the question: can I clean up a guest VM after malware or virus infection by restoring a clean snapshot?

              then the answer is yes

              • 4. Re: Virus Infection Containment & isolation vs SnapShot-Restore
                Valmiki Novice

                Thanks for your answer, continuum. Yes, that was part-1 of my 1st question, & you have answered it.
                Now what about the Host system?

                Query_21: During the interim period starting from download, execute, infect & then finally cleanup-by-snapshot-restore in the Guest, can the Host by any chance get infected?

                Remember,

                (a) I have my Host Network shared folder with read permission only.
                (b) I use the NAT method for the Guest (Virtual) network adapter.
                (c) I use VMware Shared folders, again only with read permissions from the guest.

                regards

                • 5. Re: Virus Infection Containment & isolation vs SnapShot-Restore
                  continuum Guru User Moderators vExpert

                  Query_21: During the interim period starting from download, execute, infect & then finally cleanup-by-snapshot-restore in the Guest, can the Host by any chance get infected?

                  Sorry - I can't give you a clear NO here - we have to regard this as UNKNOWN.
                  In the past there have been at least two vulnerabilities of the VMware NAT service that I have heard of. Both times VMware released a security update.

                  (a) I have my Host Network shared folder with read permission only.

                  As far as I know this is no protection against worms - as they may use other ports to attack.

                  If you need read-only access to files stored on the host I would suggest you present those files wrapped in ISOs - then you do not need any network connection between host and guests.
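To make continuum's advice in reply 1 (no shared folders, disable the backdoor in the vmx) and reply 5 (hand files to the guest as an ISO instead of over a share) concrete, here is an added example script that audits and rewrites a Workstation .vmx file. It is not code from this thread or from VMware. The vmx key names it uses (`isolation.tools.hgfs.disable`, `isolation.tools.copy/paste/dnd.disable`, `monitor_control.restrict_backdoor`, `sharedFolder.maxNum`, `sharedFolderN.*`, `ide1:0.*`) are assumptions taken from VMware's hardening guides and from Workstation-generated .vmx files; confirm them against your own Workstation version before relying on them. The sample .vmx fragment is constructed.

```python
"""Audit and harden a VMware Workstation .vmx for a throw-away malware-test guest.

Added example for this thread; it is not VMware's code. Key names are taken
from VMware's hardening guides and Workstation-generated .vmx files and are
assumptions to be checked against your own Workstation version.
"""
import re
from typing import Dict, List, Optional

# Keys forced to the given value. Assumed names (see module docstring).
HARDENING: Dict[str, str] = {
    "isolation.tools.hgfs.disable": "TRUE",       # HGFS is the shared-folder channel
    "isolation.tools.copy.disable": "TRUE",       # clipboard guest -> host
    "isolation.tools.paste.disable": "TRUE",      # clipboard host -> guest
    "isolation.tools.dnd.disable": "TRUE",        # drag and drop between guest and host
    "monitor_control.restrict_backdoor": "TRUE",  # restrict the tools/backdoor I/O channel
    "sharedFolder.maxNum": "0",                   # no shared-folder slots at all
}
_SHARED = re.compile(r"^sharedFolder\d+\.")       # sharedFolder0.hostPath, sharedFolder0.present, ...
_KV = re.compile(r'^\s*([\w.:]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; comments and blank lines are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit_vmx(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per setting that weakens guest/host isolation."""
    findings: List[str] = []
    for key, val in sorted(cfg.items()):
        if _SHARED.match(key) and key.endswith(".present") and val.upper() == "TRUE":
            findings.append(f"{key}: a host folder is exported to the guest")
        if _SHARED.match(key) and key.endswith(".writeAccess") and val.upper() == "TRUE":
            findings.append(f"{key}: the exported folder is writable from the guest")
    for key, want in HARDENING.items():
        have = cfg.get(key, "<unset>")
        if have.upper() != want:
            findings.append(f"{key}: expected {want}, found {have}")
    return findings


def harden_vmx(text: str, iso_path: Optional[str] = None) -> str:
    """Rewrite a .vmx: strip shared folders, force HARDENING, optionally attach an ISO.

    The ISO replaces the network share as the read-only way to hand files to
    the guest; the guest sees nothing but a plain CD-ROM image.
    """
    out: List[str] = []
    seen = set()
    for line in text.splitlines():
        m = _KV.match(line)
        key = m.group(1) if m else None
        if key and _SHARED.match(key):
            continue                           # drop every sharedFolderN.* line
        if key in HARDENING:
            line = f'{key} = "{HARDENING[key]}"'
            seen.add(key)
        out.append(line)
    for key, val in HARDENING.items():         # append the hardening keys that were missing
        if key not in seen:
            out.append(f'{key} = "{val}"')
    if iso_path:
        out += [
            'ide1:0.present = "TRUE"',
            'ide1:0.deviceType = "cdrom-image"',
            f'ide1:0.fileName = "{iso_path}"',
            'ide1:0.startConnected = "TRUE"',
        ]
    return "\n".join(out) + "\n"


# Constructed sample .vmx fragment, not taken from any real machine.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "xp-testbed"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "FALSE"
sharedFolder0.hostPath = "C:\\Users\\me\\share"
sharedFolder0.guestName = "share"
"""

if __name__ == "__main__":
    print("findings before:", *audit_vmx(parse_vmx(SAMPLE_VMX)), sep="\n  ")
    hardened = harden_vmx(SAMPLE_VMX, iso_path="C:\\iso\\testfiles.iso")
    print("findings after:", audit_vmx(parse_vmx(hardened)) or "none")
    print(hardened)
```

Run it against a copy of the guest's .vmx while the VM is powered off; the audit on the original fragment reports the exported folder plus every missing hardening key, and on the rewritten file it reports nothing. Note that this only removes the VMware-provided channels (shared folders, clipboard, drag and drop, the tools backdoor); the NAT question continuum raises is a separate exposure that the vmx cannot settle.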

                  • 6. Re: Virus Infection Containment & isolation vs SnapShot-Restore
                    Valmiki Novice

                    Thanks, your answer was helpful.

                    The Unknown you seem to be referring to is more due to security vulnerabilities in VMware.
                    So by design the scenario I am depicting should be foolproof in theory, but in practice we need to consider the security vulnerabilities of VMware.

                    (a) I have my Host Network shared folder with read permission only.

                    As far as I know this is no protection against worms - as they may use other ports to attack.

                    I am not very sure of your suspicion here again. The OS should definitely protect with read permission of network access rights. You may be referring to "VMware Shared folder" read-only access rights. Both should be OK, unless again there are design flaws or security vulnerabilities in VMware. So you must be classifying these again in the regime of unknown.

                    I would like to hear the opinion of other experts here also, along with continuum.

                    thanks & regards

                    • 7. Re: Virus Infection Containment & isolation vs SnapShot-Restore
                      continuum Guru User Moderators vExpert

                      The OS should definitely protect with read permission of network access rights.

                      No - you really can't make this assumption.

                      but in practice we need to consider the security vulnerabilities of VMware.

                      I believe VMware itself can be regarded as quite safe - at least the history of vulnerabilities of Workstation is quite short - but you can not say the same for your host OS itself.

                      Little tip - if you don't get any further opinions here - ask the same question again in this section http://communities.vmware.com/community/vmtn/general

                      Ulli
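The practical consequence of "you can't make this assumption" is to verify rather than trust: whatever the share's permissions say, check afterwards that nothing on the host side of the exported folder was added, removed or altered during the guest session. The following script is an added example for this thread, not code from any of its participants. It takes a SHA-256 manifest of a folder before the session and diffs a second manifest afterwards; the folder contents and the simulated tampering in `run_demo()` are constructed for illustration.

```python
"""Baseline-and-verify a host folder that is exported to a test guest.

Added example for this thread, not code from the thread's participants.
Rather than assuming a read-only share protects the host, hash the folder
before the guest session and report what changed afterwards.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Manifest = Dict[str, Tuple[int, str]]   # relative path -> (size, sha256 hex)


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root: str) -> Manifest:
    """Walk root and record size and SHA-256 of every regular file (symlinks skipped)."""
    manifest: Manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), _sha256(full))
    return manifest


def diff_manifests(before: Manifest, after: Manifest) -> Dict[str, List[str]]:
    """Classify differences; an all-empty result means the folder came back untouched."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def is_clean(delta: Dict[str, List[str]]) -> bool:
    return not any(delta.values())


def run_demo() -> Dict[str, List[str]]:
    """Constructed demonstration: baseline a folder, simulate a session that
    tampers with it on the host side, and return the delta."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        seed = {"docs/readme.txt": b"read me\n", "tool.zip": b"PK\x03\x04", "notes.txt": b"n"}
        for rel, data in seed.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        before = snapshot_tree(root)          # taken before the guest is powered on

        # Simulate exactly what a read-only share is supposed to rule out:
        # one file modified, one new file, one file deleted on the host side.
        with open(os.path.join(root, "docs", "readme.txt"), "ab") as f:
            f.write(b"extra\n")
        with open(os.path.join(root, "unexpected.bin"), "wb") as f:
            f.write(b"\x00")
        os.remove(os.path.join(root, "notes.txt"))

        after = snapshot_tree(root)           # taken after the guest is shut down
        return diff_manifests(before, after)


if __name__ == "__main__":
    delta = run_demo()
    print("share untouched:", is_clean(delta))
    for kind, paths in delta.items():
        for p in paths:
            print(f"  {kind}: {p}")
```

In real use you would call `snapshot_tree()` on the host folder before powering on the guest, store the manifest outside that folder, and diff it after reverting the snapshot; any non-empty delta means the "read-only" share was not read-only in practice and the host deserves the same scrutiny as the guest.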

                      • 8. Re: Virus Infection Containment & isolation vs SnapShot-Restore
                        Valmiki Novice

                        Thanks again & also for the tip.
                        Before winding up, one last question.

                        The OS should definitely protect with read permission of network access rights.

                        No - you really can't make this assumption.

                        1. I am not sure on what basis you conclude so. Definitely not by design! So probably based on the NOT so shining track record of MS OSes in general, and probably by experience.

                        Whatever may be the case, and even if the above is true, I hope I can safely make the following 2 assumptions:

                        2. A folder configured as a network share with read-only rights cannot be considered a protection by you. So even if any corruption or infection can happen to such configured folders, files in other folders of the host cannot be infected from the guest,
                        i.e. as long as I am wise enough not to execute any program from the possibly infected shared folder.

                        3. By your argument (VMware is more reliable than the OS), VMware Shared Folders (with read-only permission configured) should then be more reliable, and hence cannot be infected by the guest.

                        Please give your comments on the above 3 points.

                        regards.

                        • 9. Re: Virus Infection Containment & isolation vs SnapShot-Restore
                          jokke Expert

                          For the more than average security paranoid people, one could consider:

                          1. Adding the /minint switch to boot.ini, effectively preventing any write operation to your registry (everything gone when rebooted).

                          2. Installing the Enhanced Write Filter driver (EWF) which comes along with XP Embedded, and preventing ANY write operation from surviving a reboot (complete filesystem read-only and written temporarily to cache).

                          And possibly many more precautions as well..

                          Joakim