linux - Virus on vdi files dangerous for host machine?

08
2014-07
  • user3643269


  • Answers
  • TecOpen

    The whole idea of VirtualBox, and such technologies, is to create an isolated environment that emulates a separate computer. As such, there is no way for a virus in a guest machine to affect the host machine directly, or vice versa, as it acts as a separate entity.

    However, viruses propagate via network and disks, so if you connect your host to your guest via any sort of shared folder or network connection there is the risk that any virus will try to infect any connected system(s).


  • Related Question

    virtualbox - Virtual Machine and Virus
  • Questioner

    I have a requirement for which I have to get online without protection (firewall, anti-virus). At the same time, I don't want to risk getting infected with viruses.

    If I install a virtual machine (VirtualBox) to test, and it does get infected with viruses, will it also infect my host system? In other words, can I use the virtual machine for testing without being concerned about a virus on the virtual machine infecting my host?


  • Related Answers
  • A Dwarf

    If I install a virtual machine (VirtualBox) to test, and it does get infected with viruses, will it also infect my host system? In other words, can I use the virtual machine for testing without being concerned about a virus on the virtual machine infecting my host?

    There seem to be some misconceptions about NAT and bridge connections in VM environments. These do not allow your host to be infected. A VM operating system will have no access whatsoever to the host operating system and will be completely unaware it is operating as a Client Virtual Machine. Software running inside that operating system will be even less wise about it.

    It is through direct relationships between the client and the host machine that a chance of getting infected may exist. This happens if you allow the client and the host to share folders. The largest chunk of VMware (to name one popular product) vulnerabilities of note ever found have been directly or indirectly tagged to this feature. A complete isolation is achieved by turning off shared folders. Any other vulnerability has been discovered on the Host side when vulnerabilities on the VM engine itself would allow a potential attacker to hook up through the host machine and gain access to any clients, or run code of their own.

    Security issues may indeed be more involving if one is running a large VM structure such as those proposed through VMware Server topologies. But if running single-computer VMware Workstation solutions, there is no security issue under NAT or Bridge connections. You are safe as long as you don't use shared folders.

    EDIT: To be clear, when I speak of NAT or Bridge connections I'm speaking only of the VM ability to share the host network connection with its clients. This does not give the client any access to the host and it remains entirely isolated, provided functionality like VM Shared Folders is turned off. Naturally, if instead the user decides to network Host and Client, then said user explicitly decided to connect both machines, and with it waive intrinsic VM security. This then becomes no different from any other private network environment and the same security issues and concerns need to be addressed.

  • Lieven Keersmaekers

    It depends.

    If your virtual machine (guest) has no network access to your host, your host won't get affected by any virus in your guest operating system.

  • Garrett

    My 2 cents...

    In a nutshell, malware that executes in the context of the guest OS will NOT be able to infect the host OS, and will likely not even be aware that there is a host OS (though, hypothetically, breaking out of the virtualized environment IS possible, it won't become very common for a while, I suspect).

    Some exceptions:

    • In VirtualPC (e.g.), it's possible to share a folder to the guest OS, which "sees" that folder as a drive letter.
    • Depending on your configuration, both the host and guest OS might be on the same network, meaning that a virus that exploits open ports or whatnot might be able to propagate by exploiting vulnerable system services or via network shares.
    • Last, and as it stands now, the least likely avenue, is that the virus might be VM-aware and capable of breaking out of the sandbox. Currently, this is extremely unlikely.

    Overall, web surfing in the context of a VM is probably the safest way to surf, hands down (given the poor track record of AV s/w and other avenues of protection). In fact, using a separate, restricted account is probably sufficient, but a VM will certainly provide additional isolation.

  • William Hilsum

    No, if you don't set up any network connection (like NAT or Bridge) between host and guest OS. If you want to ensure total separation between the two worlds, please prefer "Bridge" connections and map one NIC to your Host PC and one other NIC to your VM-ed Guest.

    It would be like having two isolated networks sharing only the powering bus (your actual PC, indeed).

    VirtualBox, but also VMware or Xen or Parallels, can easily set up such an environment for you.

  • Stephan Unrau

    Technically it is 100% possible to be sure - even if the network is isolated and you are not sharing folders.

    Although it is very unlikely unless the virus developer knew of a flaw in the combination of your host OS and your Guest VM and targeted it specifically. If you want to make a virus you want to make one that affects the largest number of computers possible and you won't find a flaw to exploit in some rare frequently used application.

    The same answer holds for a sandbox or any layer of interpretation between the two. I think if you could run a 32 bit guest OS and a 64 bit host you would be the most safe since the exploit to target the guest OS to overflow and then also trigger the overflow in the vm/sandbox would be even more challenging since you'd have to compile the payloads in 4 combinations - but then again this is what is typically done with an attacker and a single operating system layer - the payload is prepared for the OS or exploitable service version and one for each 32 and 64 then he just throws them both at the machine.

    It is exactly like the previous comment on BSD - the more uncommon your setup is the least likely a virus will target it.

    If we all ran VMs to test out software we were suspicious of or to browse the net, the fact it's in a VM wouldn't matter anymore and to be very clear again you are open to a virus infection.

    Also, there are special hardware considerations with the newer virtualization technologies and I'm primarily talking about software virtualization in which the guest machine code is being run by software in the host so that overflowing to the software instruction pointer seems to me to be extremely challenging and a waste of time. I'm not at all sure how this changes when we deal with a BIOS-enabled Hyper-V or Xen etc - it may be that the virtual machines are more isolated or it may also be worse due to a VM running its code in the actual hardware pipeline - it really depends on how the 'BIOS virtualization' works.

  • 8088

    If in VirtualBox you have no shared folders or use any of the device features and if you want to be even more sure, look at the bottom of the VirtualBox window:

    Right at the bottom, near the 2 computers icon, switch it to "not connected".

    You should be able to run any viruses and not get one on the host machine, although to be sure, keep antivirus software running.
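
A check of the settings the answers above single out (shared folders, network attachment), as an added example that is not part of any original post: it parses `VBoxManage showvminfo <vm> --machinereadable` output and lists each host/guest channel still open. The sample output is constructed, the key names are assumed to match the installed VirtualBox version, and the clipboard and drag-and-drop checks go beyond what the answers mention.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output
# (not from the page; the VM name and host path are made up).
SAMPLE = '''\
name="malware-lab"
nic1="nat"
cableconnected1="on"
nic2="none"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"
'''

def parse(text):
    """Turn key="value" lines into a dict, dropping the surrounding quotes."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip().strip('"')] = value.strip().strip('"')
    return info

def audit(info):
    """Return a list of host/guest channels that are still open."""
    findings = []
    for key, value in info.items():
        m = re.fullmatch(r"SharedFolderNameMachineMapping(\d+)", key)
        if m:
            path = info.get("SharedFolderPathMachineMapping" + m.group(1), "?")
            findings.append(f"shared folder '{value}' -> {path}")
        m = re.fullmatch(r"nic(\d+)", key)
        # "none" = no adapter, "null" = adapter present but not attached
        if m and value not in ("none", "null"):
            # An attached adapter with the virtual cable unplugged is offline.
            if info.get("cableconnected" + m.group(1), "on") == "on":
                findings.append(f"nic{m.group(1)} attached ({value})")
    for key in ("clipboard", "draganddrop"):
        if info.get(key, "disabled") != "disabled":
            findings.append(f"{key} is {info[key]}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print("OPEN:", finding)
```

An empty list means none of the checked channels is enabled; it says nothing about flaws in the hypervisor itself.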

  • 8088

    You should try Sandboxie (or any other sandboxing tool)


    It will isolate your browser and delete everything after you're done. That way, even if you get a virus, it won't be able to leave the sandbox.

    Benefits of the Isolated Sandbox

    • Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially.
    • Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows.
    • Secure E-mail: Viruses and other malicious software that might be hiding in your email can't break out of the sandbox and can't infect your real system.
    • Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox.