Protecting VirtualBox Host from Guest Virus

allanc

I have read through some posts regarding a virus spreading from a VirtualBox Guest to a Windows XP Host.
Some threads suggested disabling network card, setting the firewall on the host to block all, etc.
The scenario I would like to set up is that the guest has access to the Internet (so as to get infected) temporarily.
I have found that if I set the Comodo Firewall on the Host to 'Block All' - the guest machine cannot access the internet.
What is the preferred method to allow the temporary Internet access, disable it and meanwhile protecting the Host during the infection and cleanup phase?
Thank you in advance.
 
I actually am faced with exactly the same issue. Temporarily I gave up and went to tend to other pressing tasks, but I'd also like a solution to this.
 

Simply disable shared folders, uncheck cable attached in network for the guest in virtualbox and disable clipboard sharing.
 
For clarification....
Is each of these settings in Windows or Virtual Box itself?
Host or Guest?
TIA.

Before running your guest, go into the guest setting pages and make sure that under General - Advanced - Shared Clipboard is disabled. Then disable the network adapter under Networking (you can do this as the guest is running as well). Also clear out the shared folders under Shared Folders.

If the worm has a way out of virtualbox it will be a flaw in virtualbox itself. You may be able to run virtualbox from Sandboxie, but I think the images would be too big for it. Personally I would just disable everything and call it safe enough. Needless to say that you should always have a backup of anything important just in case (now if I heeded that advice myself... :))
 
In your scenario, how is your Guest becoming infected (in the sequence of events)?
Have you not disabled the NIC before the infection?
 
I have set up a similar thing, but I'm using Hyper-V from Microsoft. What I did was not to use the integration software. Also make sure that the firewall is turned on on the host computer, etc. Also, and most important, take a snapshot of the virtual computer before infection. You do this so that once the virtual computer is infected, you can always go back to a previous state before the computer was infected.

My host computer has not been infected or shown any signs of infection. :)
 
Ok, I'm not sure purple minion quite understands (or maybe I don't), but what I think you're trying to do is have internet access and get infected, right? Well, basically I don't think that is the best way to go about it. I have done this for uni studies, and the way we did it was to go to a site that keeps these files for this exact situation and download them (say on the host machine), disable and delete the network adapters, if any, for VirtualBox (personally use VirtualPC for stability; VB often has problems and is constantly updating/breaking), then unleash the virii and you should be fine. Let me know if I missed anything.
 
Yes, I think the problem is that the OP was wanting internet access while still protecting the host somehow.
 
Correct.
Yes, I was thinking that I could grab a specific file and place on write protected USB key and infect that way (with networking turned off).
However, at that point is the scenario not orchestrated in the sense that I know what the infection is that I am attempting to clean?
I was hoping to get infected with some 'random' malware and see if I can diagnose and clean (hence the need to have Internet access).
 
I've been doing just that and I've seen no signs of cross infection. I use the bridged adaptor mode on Virtual Box and then block the IP address of the guest machine on the host machine's firewall. I tend to turn off the guest networking once I've infected the machine just to be doubly sure but as I say, so far this system has been fine.

A safer way, which I am intending to adopt, is to turn my host PC into a Win7/Ubuntu dual boot system and then run the Windows guest VMs on Linux. I'd still block the IP from the guest but clearly a Windows malware isn't going to have much interest in a Linux host.
 
I would use a physical drive for this, get better results. Make a copy of Windows on another drive and infect it as normal cutting out Virtual Box

You can even then run a Linux live CD and try to clean the windows partition that way?

Then when you are done blank the drive.

Just a thought
 
You can literally do everything you just said in a VM. You can even do a snapshot pre-infection, and revert to it in seconds. That will give you the ability to test new malware on a clean slate.

Honestly if you disable shared folders, and don't connect any USB devices, you shouldn't have an issue. Update your Virtualbox, just in case there is a local vulnerability that has been patched. But otherwise, you should be fine.
 
In theory, and in terms of this sort of security, there really is little difference between a virtual machine and a real one, other than features like shared folders.

AFAIK, in terms of the networking it's like any two machines on the same subnet. So you have just as much chance being infected by a customer laptop you've allowed access to your network. I.e. not much if you have the firewall on.

I'm not even sure how much of a risk the shared folder thing is
 
I don't know how helpful I will be because I am a Linux user and all of my systems running VMs are Linux hosts. I do have a few Windows systems on my network but they are media center PCs. Anyway, what I do to stop a virus from spreading is I first make sure the NIC on the guest OS is set up as "nat" rather than bridged. Then I create a symbolic link with no write permissions to my USB drive. I make sure file sharing has no write permissions and that's it. I have infected quite a few VMs with all kinds of things and I have only had it bite back once. I used to connect my thumb drive directly to the VM but it got infected with an autorun virus once. Luckily I spotted it before I used the drive in a Windows computer. Anyway, that's why I use the sym-link now.
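
The isolation settings named in this thread (shared clipboard, shared folders, network cable/adapter mode, USB) can be checked before each run instead of clicked through by hand. The following is an added example, not part of any post above: a small auditor for the output of `VBoxManage showvminfo <vm> --machinereadable`. The sample text is constructed, and the key names are assumed to match what recent VirtualBox releases print.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
# Key names are an assumption based on recent VirtualBox releases.
SAMPLE = '''\
name="malware-lab"
clipboard="bidirectional"
draganddrop="disabled"
nic1="bridged"
cableconnected1="on"
nic2="none"
usb="on"
SharedFolderNameMachineMapping1="tools"
SharedFolderPathMachineMapping1="/home/analyst/tools"
'''

def parse(text):
    """Turn key="value" lines (quotes optional) into a dict."""
    return dict(re.findall(r'^"?([^"=\n]+)"?="?([^"\n]*)"?$', text, re.M))

def audit(cfg):
    """Return one finding per guest-to-host channel that is still open."""
    findings = []
    for key in ("clipboard", "draganddrop"):
        if cfg.get(key, "disabled") != "disabled":
            findings.append(f"{key} sharing is {cfg[key]}")
    for key, val in sorted(cfg.items()):
        nic = re.fullmatch(r"nic(\d+)", key)
        # An adapter only matters if it exists and its virtual cable is in.
        if nic and val != "none" and cfg.get("cableconnected" + nic.group(1)) == "on":
            findings.append(f"adapter {nic.group(1)} ({val}) has its cable attached")
        if key.startswith("SharedFolderNameMachineMapping"):
            findings.append(f"shared folder '{val}' is mapped")
    if cfg.get("usb") == "on":
        findings.append("USB controller is enabled")
    return findings

if __name__ == "__main__":
    for line in audit(parse(SAMPLE)) or ["no open channels found"]:
        print(line)
```

An empty result means the guest is configured the way the replies above recommend for the infection and cleanup phase; a bridged or NAT adapter with its cable attached is expected only during the temporary Internet window.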
 