Solved

Using VMware as an Anti-Virus configuration?

Posted on 2009-06-30
Last Modified: 2013-11-22

I am fed up with virus infections.  This is the third time this year I've had to completely reformat my PC to get rid of some malware because no product would kill it.  I've been using several spyware products, a hardware AND a software firewall, and an anti-virus product, as well as pop-up protection, registry mod blockers, etc etc.  Nothing works.  It's the equivalent of having a vasectomy, using a condom, and sticking to a vow of celibacy and STILL catching something somehow...

I'm looking for something completely different.  Take another approach to virus protection...  live loose & free with no protection, get infected, and just reboot and you're clean again.  

This could probably be done by burning your OS to CD and booting off of it and not having a hard drive, but then you couldn't do much with the PC, now could you?  So I was wondering if VMware could solve the problem.  I've never used it, but my understanding is that you can use the guest OS like a normal system, and if it gets screwy, just dump the session & restart it.

I am interested in wiping my drive, installing Linux as the host OS, and then using Vmware to install a Guest Win Xp OS.  Because I want to be able to use all my current software and settings just like a typical OS install.

Is this possible?  Will it be effective?  How do I do it?  (instructions for the neophyte please!)
What Vmware solution would be best?  I'm looking for something that is freeware...

Thanks.
Question by:okacs

27 Comments
 
LVL 18

Assisted Solution

by:Rartemass
Rartemass earned 20 total points
ID: 24751817
VMware for linux can be downloaded from here:
http://www.vmware.com/download/ws/
You need to register to download.

Using Virtual machines will reduce your performance. Even with a bare bones linux installation, resources will be consumed by it. These resources won't be available for the Windows installation.

You may be approaching this backwards. Do you use your applications on the internet? If not then I would suggest keeping Windows XP as the host but block all access to the internet on it, ie nothing in, nothing out. Then create the VM session with linux OS to access the web. If you then grab files from the VM session and save them to the host, you will still need to scan for viruses.

Another method would be to image your PC with something like BartPE:
http://www.nu2.nu/pebuilder/
Set up the PC with exactly what you want installed, then image it with the ghost application on BartPE. Use the PC as needed, save data to an external drive. Keep the anti-virus and firewalls on it to protect the system and data on external drives. When the system gets virused, restore from the image.
If you then want to add a new application installed, restore the image, install the app, and create a new image.
You can store the image on DVD or on an external drive if the image is too large.

On a side note, have you tried the Yoggie for anti-virus?
http://www.yoggie.com/

0
 
LVL 24

Assisted Solution

by:ryder0707
ryder0707 earned 20 total points
ID: 24751882
I totally don't agree with "Using Virtual machines will reduce your performance", can I know why you are saying this?
I've been using VMs at home for many years, no problem at all.
I suggest that you create a VM, install everything you want in the OS, then clone it.
Next time if you have a problem, just delete the problematic VM, then start with the cloned VM, tadaaa... you have a fresh VM to start!
Just make sure you store all your important data somewhere.
Or you can use the snapshot feature to revert the OS as needed.
Just be careful that snapshots may take a lot of space; delete all unwanted snapshots, no point keeping them.
0
 
LVL 15

Assisted Solution

by:xmachine
xmachine earned 20 total points
ID: 24751920
Hi,

1) Using Windows XP as a guest OS under VMware is a good idea, since many viruses nowadays are engineered to evade running inside a virtual environment as a technique to make reverse-engineering of the sample a hard task. Once the image gets infected by something, you just reset it to the previous state, and you are up and clean again. But, not to forget, blackhats are thinking in a different way: some viruses have the ability to exploit your virtual setup to access the physical network!

2) Use a solution to reset your OS once infected like:

DeepFreeze: http://www.faronics.com/

ProtectOn: http://www.teacherbuy.com/html/protecton.html

Windows SteadyState: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

3) Browse the Internet using a live Linux CD (Recommended):

http://www.livecdlist.com/purpose/desktop

http://www.knopper.net/knoppix/index-en.html
0
 
LVL 35

Accepted Solution

by:
torimar earned 300 total points
ID: 24753057
Although I am generally very much in favour of users renegading from MS platforms to the free and self-determined world of Linux, I absolutely don't see any necessity for you to do so, if all you want to achieve is to browse and read your email without catching a virus.

It is just as easy and a lot faster for you to create a Windows virtual machine under Windows, using VMWare or, which I like better, VirtualBox: http://www.virtualbox.org
All you need to do is develop the habit to use that VM for internet related activity, and for testing unknown software. If anything goes wrong, just restore a backup copy of that VM (restore point in VBox) and you are set to go.

Another Windows-based method would be to consider installing "Sandboxie": http://www.sandboxie.com/
This is shareware at a moderate price that will isolate your internet applications from the rest of your system, making it impossible for malware to affect your normal Windows.

A third way which would not require any changes in your present OS settings and partitioning is to use a Linux live CD (which was already suggested before). However, there is a trick to this: whereas the normal way will be to insert the CD, power down your XP, reboot off the CD, and wait for it to configure your hardware, you could abbreviate this process drastically by simply booting a virtual machine off any live CD. The VM only needs to exist physically (configured with a drive, LAN support etc.), but no OS actually needs to be installed inside this VM.
I'm not a friend of Knoppix any more, use any Linux Live CD you really like. There are Linux distros that are very small and boot up very fast.
I just made a test with booting off the Parted Magic iso (www.partedmagic.com) inside VirtualBox: it takes 35-40 seconds to boot, and 2 seconds to get the wired LAN working. Once up, you can keep the VM running alongside XP, and work in both of them at the same time.
0
 

Author Comment

by:okacs
ID: 24754113

The problem with the single OS and restore methods like BartPE is that, after infection, you would have to be able to run the EXE that restores the last state.  The viruses that I've been catching are like "System Security" and other fake AntiVirus products - and they lock the system down horribly:

      Will not let me run any EXEs
      Will not let me use Ctrl-Alt-Del
      Will not let me use Regedit
      Will not let me run "CMD"
      Will not let me see hard drives other than C:
      Will not let me boot into safe mode
      Will not let me boot to "last known good config"
      Will not let me browse to download any cleanup utilities
      (I even reinstalled the OS twice, once as repair & once as dual boot & both were immediately reinfected.)
      
In these suggested VM scenarios (Linux host, Win guest, and Win host, Win guest), when I "reset to the previous state", how do I keep my legitimate changes to the OS (install an app, apply Windows updates, save a Word DOC, etc)?

I like the idea of Sandboxie, but is it REALLY going to be effective against the types of viruses I am getting??
Won't the virus just get "beneath" the sandbox like it is already doing to the OS, AV, and Spyware apps?

Thanks
0
 

Author Comment

by:okacs
ID: 24754146
On a side note, 100% of all my infections seem to come from browsing the web (as opposed to email, software installs, hacking, etc).  Is there a safer browser for XP?  Something that can run flash, etc but NOT put malware on your PC?   I had my IE 7 locked down fairly well (or so I thought) and that does not seem to help....
0
 
LVL 19

Assisted Solution

by:vmwarun - Arun
vmwarun - Arun earned 20 total points
ID: 24754362
Are you using an Anti-virus or an Internet Security Product?

Another option which I would suggest is to use cloning products such as Acronis True image to clone your Base OS Installation once you have completed the installation of the Operating System and the required drivers.

I have been using this option for a long time. I also use Kaspersky Internet Security 2009 instead of an antivirus product.
0
 
LVL 35

Expert Comment

by:torimar
ID: 24755131
You seem to be missing the idea behind my "Win host - Win guest" suggestion.
The idea is not that you use the VM as a regular OS; you use it exclusively for online stuff and browsing. Which means you keep it rudimentary: you do not install productivity software or tools on it, you do not create or edit Office documents, you do not even install Windows updates (it is a waste of time unless a serious issue requires you to - which I cannot imagine; I have installed one single little hotfix manually in the past 7 months on my XP3 box, and it's running better than those with automatic updates enabled).

All you do is this:
- install XP SP3 on your VM software of choice
- install the VM extensions/additions and configure internet access, graphics and sound
- customize XP to your liking
- install a non-MS browser (Opera or Firefox), maybe some good browser extensions like Adblock or Noscript, maybe an email client, and a good free Anti-Virus (I suggest avast!) which may be used to check your downloaded stuff before transferring to the host
- create a restore point (in Vbox: snapshot) of your current VM state
- (if you want to make it even faster, create a copy of your virtual disk with a backup extension inside the original folder)
- enjoy

When you boot into Windows, start up the VM and whenever you have to look anything up on the internet, do it inside the VM window. (A nice feature would be to use a tool that creates virtual desktops on your host: then the VM could be running fullscreen on the second desktop and wouldn't interfere with your productive work).
For exchange of data between both systems use a shared folder or USB pendrive. If you choose Opera, you don't even have to back up your bookmarks, you can use its online synchronization.
Whenever you realize that something odd or suspicious is going on, simply restore the snapshot or change the name of the backup disk, and continue browsing with a fresh and clean system.

As to your question about browsers: it is in general a good rule of thumb to try and avoid as many Microsoft applications as possible; I have never used IE, Outlook/Express, MSN Messenger, Windows Addressbook, Windows Media Player etc., I prefer Openoffice over MS Office, and I cannot recall a single grave malware issue in 15 years.
0
 

Author Comment

by:okacs
ID: 24755299
OK, I see your point about Win/Win using the guest OS as just a browser, similar to the Linux guests.  I started this post assuming that I'd want my whole OS as a guest so that if anything happened, I could restore the whole thing.  (Hence the original concept of a Linux host OS.)

Maybe I use another product for that - like Ghost or BartPE.  And then also keep my browser sandboxed or VM'ed.  But I'd also want a USB boot device with the ghost restore app.

I've used OpenOffice and it is good... but not quite as good as Word & Excel.  And unfortunately OO does not have a clone of MS Access, which I use extensively - as I also do with MS Visual Studio 2008.
0
 
LVL 35

Expert Comment

by:torimar
ID: 24756000
If you intend to virtualize your complete OS in order to be able to "restore the whole thing", then I don't see what you will gain from it.
The problems that you are going to run into are exactly the same as on a normal OS:
- how often will you have to make a backup to preserve the most recent changes to the virtual OS?
- how much time are you willing to invest into repairing a damaged virtual OS because you don't have a recent backup?
- etc.

These are the same questions you have to answer on a normal XP which is set up in a smart way, i.e. with a small ~20 GB OS partition, that you keep mirrored/imaged/ghosted regularly, whereas the rest of your programmes, data and backups go to other partitions.
Just restoring the OS partition will, in 95% of all cases, restore your complete OS to a stable state - much better, than System Restore can do.

So, if all this is easily possible, why have it all virtualized, and on top of that, hosted by an operating system that you don't know?

Please don't get me wrong: I don't wish to discourage you from using Linux, I just wish to point out that you haven't yet made clear that you actually need to use it.
0
 

Author Comment

by:okacs
ID: 24756225
Yes, I was originally thinking that a LImux host OS would be "uninfectable" and would guarantee a good boot up so that I could re-launch a VM guest OS - rather than having to boot off CD or USB to restore a Ghost image.

But you are correct about the maintenance of the image either way.  I tend to be a "utility junkie", always D/L and installing free new useful tools.  But my core applications don't often change.  I would not be too bothered if I lost my utils.  I can always get them again.

After pondering this all morning, I am thinking about just going with a basic XP install, and using Sandboxie for my TCPIP apps.  I already backup data online.  Then maybe I'll do a one time backup image to speed up basic restoration in the future...
0
 

Author Comment

by:okacs
ID: 24756242
* Sorry, I meant Linux.  That's prolly not the only misspelling! lol
0
 
LVL 16

Assisted Solution

by:warturtle
warturtle earned 20 total points
ID: 24767654
I don't use VMWare, but on my PC I use NoScript within Firefox, which blocks all unknown websites from executing any code on my computer. When I open a website that would normally open lots of popups, they get completely blocked by NoScript, and I only allow access to the main website and not the advertising websites. That way, all the extra stuff is not even running, so I am quite safe from malware that way.

You said that you normally get these malware from internet, so this might help.
0
 
LVL 10

Assisted Solution

by:dnilson
dnilson earned 100 total points
ID: 24768347
Back up to your original premise:

"I want to reboot and everything is back to where it started."

While I'm a HUGE VMware fan and user, you might want to look at software, some free, that does exactly what you asked:

maintain a steady and uncorruptible installation that can be fully cleared to the last acceptable state with a reboot.

Free product - Windows SteadyState
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
Robust enough for public terminals and kiosks, tunable enough to allow you to set exceptions appropriate to your work, smart enough to shut off those things that can help a virus take hold, with a virtually write protected disk.

Deep Freeze : http://www.faronics.com/html/deepfreeze.asp
Fortres : http://www.fortresgrand.com/

Have a look at http://users.telenet.be/mydotcom/howto/linuxkiosk/webterm02.htm - using Linux as a backend will also reduce vulnerabilities to malware and viruses...

All of the above are actual security PROTECTION mechanisms as opposed to clever workarounds.
0
 

Author Comment

by:okacs
ID: 24795094

I like free...  :)

Using Windows SteadyState, can I have one profile that is locked down and one that is not?  IE:  an administrator account that I use to install updates and new software, and a user account that is totally wiped and restored at reboot?

On a side note, I can't seem to clean off this stinkin' virus.  Formatted drive & installed AV, AS, FW, sandbox and other securities, then did updates and installed other apps.  Now the virus is back.  So I disco'ed the network, cleaned it with Spybot, MalwareBytes, RootkitRevealer, AVG antivirus, etc - SEVERAL times.  Reboot, and it's infected again.  I think I've got a rootkit on there that I can't get rid of.  :(
0
 
LVL 35

Expert Comment

by:torimar
ID: 24795370
Did you try ComboFix?
Download it from here to your desktop and - just to make sure - rename it slightly before issuing the download command:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then study the instructions carefully, as this is no easy tool to handle:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Run ComboFix from your desktop, disable all antivirus applications as well as file/folder shields and guards that may be running in the background. Remember to not click the CF window while it is running, as this will cause it to freeze.
ComboFix may reboot your machine, it will also temporarily deactivate your internet connection.

ComboFix uses the Gmer rootkit detector (www.gmer.net) and should be able to handle most known kits.

On the other hand: if you formatted and reinstalled, I don't see how a rootkit could have survived. If you think the malware may have infected the complete network, disable the network (simply unplug), and use CF on all machines.
0
 

Author Comment

by:okacs
ID: 24795474
There is no network. I had only one PC connected to the SOHO router wirelessly.  Then I pulled out the USB wireless adapter and after several reboots and disinfecting I am still getting reinfected.
0
 
LVL 35

Expert Comment

by:torimar
ID: 24797097
The only explanation for this would be a bootsector virus.

How did you format? With Windows fdisk during installation?
And are you sure there aren't any other (hidden) partitions that might host your unwelcome guest? Most standard vendor PCs have a recovery and a utility partition that is hidden - but only to Windows.

You might want to do the following:
-- Boot your system off the Parted Magic boot CD: www.partedmagic.com
-- Run the Partition Editor (GParted) and delete *all* partitions that are found on the disk
-- In a terminal, type the following command:
# dd if=/dev/zero of=/dev/sda count=10k
-- Rerun GParted and create your Ntfs partition
-- Reinstall XP

During this process, the infected bootsector should be wiped along with the partition table and all rootkits hiding there. For Windows, this will be a raw new disk.

(Note: The above assumes you only have 1 HDD in that system. If there are more, post back and I'll help you check out how to change that 'dd' command in order to be effective.)
0
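As an added example, not code from the thread: the wipe step above run against a constructed image file instead of a real disk, with the checks a practitioner would want before and after it (is the boot signature gone, is the whole head region zero, does data past the wiped range survive). Assumes a POSIX shell with dd, od and tr; the image path, markers and sector numbers are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the thread): run the "zero the first sectors" step from
# torimar's procedure against a throwaway image file instead of a real /dev/sda,
# then verify what the wipe did and did not touch.
set -eu

IMG="${TMPDIR:-/tmp}/demo-disk.img"   # constructed stand-in for /dev/sda

# make_image: 16 MiB of zeros carrying a fake MBR boot signature (0x55 0xAA at
# offset 510) plus two constructed markers: one inside the region the wipe
# covers (sector 2048, a typical first-partition start) and one beyond it
# (sector 20000, standing in for data further along the disk).
make_image() {
  dd if=/dev/zero of="$IMG" bs=1048576 count=16 2>/dev/null
  printf '\125\252' | dd of="$IMG" bs=1 seek=510 conv=notrunc 2>/dev/null
  printf 'OLD-PARTITION-START' | dd of="$IMG" bs=512 seek=2048 conv=notrunc 2>/dev/null
  printf 'DATA-BEYOND-WIPE' | dd of="$IMG" bs=512 seek=20000 conv=notrunc 2>/dev/null
}

# has_boot_signature: succeeds when bytes 510-511 read 55 AA (an MBR is present).
has_boot_signature() {
  sig=$(dd if="$IMG" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$sig" = "55aa" ]
}

# sector_has_marker SECTOR STRING: succeeds when that sector holds exactly STRING
# (NUL padding stripped).
sector_has_marker() {
  content=$(dd if="$IMG" bs=512 skip="$1" count=1 2>/dev/null | tr -d '\000')
  [ "$content" = "$2" ]
}

# head_is_zero SECTORS: succeeds when the first SECTORS sectors contain only zero bytes.
head_is_zero() {
  nonzero=$(dd if="$IMG" bs=512 count="$1" 2>/dev/null | tr -d '\000' | wc -c | tr -d ' ')
  [ "$nonzero" -eq 0 ]
}

# zero_head: the thread's dd step with the "10k" count spelled out: 10240 sectors
# of 512 bytes, i.e. the first 5 MiB, which covers the MBR, the partition table
# and the usual pre-partition gap. conv=notrunc keeps the image file at its full
# size, matching what happens on a real block device.
zero_head() {
  dd if=/dev/zero of="$IMG" bs=512 count=10240 conv=notrunc 2>/dev/null
}

# Stand-alone run: build the image, wipe it, and report each check.
make_image
has_boot_signature && echo "before: boot signature present"
zero_head
has_boot_signature || echo "after: boot signature gone"
head_is_zero 10240 && echo "after: first 10240 sectors are all zero"
sector_has_marker 20000 'DATA-BEYOND-WIPE' && echo "after: data past the wiped region untouched"
rm -f "$IMG"
```

The last check is the caveat in the post's note: the count bounds the wipe, so anything living beyond the first 5 MiB (a second disk, or a partition that starts further in) is not touched by this command.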
 

Author Comment

by:okacs
ID: 24797246
Yes, there is another small recovery partition (It is a HP PC with OEM default recovery partition).  But I never booted off of it.  There is only one HD.

Can the second partition re-infect the first if it was never booted??
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24797492
YES, SteadyState allows the Administrator unfettered access to change the machine, although there are some additional dialog prompts ("are you REALLY sure you want to save your changes") at shutdown / reboot.

No administrator changes are permanent until a reboot / and accept (as above) sequence, so even the admin account is protected from disk saves, but not limited in its ability to use / change the machine.

Other accounts can be configured in varying degrees of locked-down-ness as needed for what you.

================
Given what you have run, not certain it's a virus you are looking for.

Download ComboFix and burn it to a CD, as certain things may prevent a download from the affected computer.

Follow the instructions at:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You can also download from that page.

Don't download this from just anywhere, get it from the source ..... there have been problems from certain sites offering this or info as a download.

0
 
LVL 10

Expert Comment

by:dnilson
ID: 24797856
The HP and Dell recovery partitions are pretty immune to stuff - they are nonstandard and resist many commands on partition tools too, because of non-standard sector start / stop on cylinders etc.

That said, if I learned enough to describe this, perhaps someone might take the time to specifically target one of these brands, but it's pretty unlikely.

You don't mention the brand of AV, etc. you installed, and I hesitate to add another because I believe COMBOFIX will do the job for you, but if you are concerned about rootkits and want to make sure, D/L the DrWeb Live CD http://www.freedrweb.com/livecd/ , burn to a CDROM on a safe machine and boot from that - it will cure any bootsector or rootkit.

But it really sounds like you have an Internet-refreshed malware, and ComboFix is king at cleaning those - it's what you use when Malwarebytes comes up short.

Trust me.  Try the fix instead of blowing your machine away.

0
 
LVL 35

Expert Comment

by:torimar
ID: 24798211
dnilson,

I already suggested Combofix and gave detailed instructions for it above.
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24803653
Yes torimar, I saw that,and I'm sure the author did too.

My caution to him was to TAKE that advice and avoid blowing away the partition, which was your subsequent suggestion, and one, IMHO, which was unwarranted at this point, so I pointed him back to ComboFix.

In any event the fix for his problem is not the question originally posted, which was how to configure so it doesn't happen again.

0
 
LVL 35

Expert Comment

by:torimar
ID: 24806965
I only suggested to reformat the partition because okacs already did it. Quote:
"Formatted drive & installed AV, AS, FW, sandbox and other securities, then did updates and install ed other apps.  Now virus is back."

I had to assume then that this was a fresh install with nothing of value to safeguard. Hence I suggested to do it again, and this time to do it properly.

It's not my custom to tell people to wipe their hard drives clean, unless they themselves think to have already done so ;)

And yes, I agree. We are beginning to digress from the original problem here. If after having run Combofix the issue should persist, it is advisable to deal with it in a separate thread in the anti-virus/malware sections.
0
 

Author Comment

by:okacs
ID: 24815843

At this point, I am convinced that I have been fighting several different viruses over the last few days.  I actually ended up infecting another PC and had to wipe it also.  Sheesh!  All data is backed up, so it is no loss, just pain.  Good news is that I'm rebuilding them more securely...

Combofix detected the virus (the real, or at least current one - VIRUT - and not just its subsequent payloads) but was not able to remove it.  Dr Web Live CD was able to remove it ... but did so by deleting all the EXEs on my drive.  So I put the WinXP install CD in and ran a repair on the windows installation.  I rebooted and now when I go to login as any of the users, it says loading your profile... then saving your profile... and immediately logs me out.  I never even get as far as seeing the desktop.  This happens in safe mode also.

0
 

Author Comment

by:okacs
ID: 24822887

I have more to post, but it would be off topic at this point.  The original question was regarding forward-going security measures to isolate infections using VM.  You guys have been a ton of help.  Thanks.

PS - I really love SandboxIE.  Won't leave home without it anymore!
0
 

Author Comment

by:okacs
ID: 24823020
Ok.  I hope the points split was fair.  I will open another question about the remaining issues as time allows.  Thanks.
0
