Virtual Machines and anti-malware


kelper

If I run Oracle VirtualBox VMs, are they protected by the host's anti-malware - Webroot in my case. I reckon that a native boot Windows VHD would not be protected; am I right?

I disable MS Security on my host but let it run in my VMs.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8524
    Computer type
    Laptop
    Manufacturer/Model
    Acemagic LX15PRO
    CPU
    AMD Ryzen 7 5825U with Radeon Graphics
    Memory
    16GB
    Screen Resolution
    1920 x 1080
    Hard Drives
    SSD 2TB
    Internet Speed
    30 Mbps
    Browser
    Brave
    Antivirus
    Webroot Secure Anywhere
    Other Info
    System 3

    Acer Swift SF114-34 laptop
    OS Windows 11 Pro 26200.8524
    CPU Pentium Silver N6000
    RAM 4GB
    SSD Samsung 970 EVO Plus SSD 2TB (an upgrade)
  • Operating System
    Windows 11 Pro 23H2 22631.2506
    Computer type
    Laptop
    Manufacturer/Model
    HP Mini 210-1090NR PC (bought in late 2009!)
    CPU
    Atom N450 1.66GHz
    Memory
    2GB
    Browser
    Brave
    Antivirus
    Webroot
If I run Oracle VirtualBox VMs, are they protected by the host's anti-malware - Webroot in my case. I reckon that a native boot Windows VHD would not be protected; am I right?

I disable MS Security on my host but let it run in my VMs.

VirtualBox VMs are only partially protected by the host anti-malware.
A native-boot Windows VHD is essentially not protected by the host's AV while booted into it.
Your setup (host Webroot + Defender disabled; Defender enabled inside VMs) is generally the correct way to think about isolation.
 

My Computer

System One

  • OS
    Windows 11 Professional
    Computer type
    PC/Desktop
    Manufacturer/Model
    Microcenter B677
    CPU
    Intel Core i5-9400
    Motherboard
    ASRock H310CM-HDV/M.2
    Memory
    32GB
    Graphics Card(s)
    Integrated Intel UHD Graphics 630
    Sound Card
    Intel Kaby Lake - High Definition Audio / cAVS (Audio, Voice, Speech) [A0]
    Monitor(s) Displays
    LG Model: GSM59F1
    Screen Resolution
    2560x1080
    Case
    Lian Li 205M
    Antivirus
    Kaspersky AV
VirtualBox VMs are only partially protected by the host anti-malware.
A native-boot Windows VHD is essentially not protected by the host's AV while booted into it.
Your setup (host Webroot + Defender disabled; Defender enabled inside VMs) is generally the correct way to think about isolation.

Please explain the part I put in bold.
 

Please explain the part I put in bold.

The host anti-malware protects:
  • the VirtualBox application itself,
  • VM files stored on disk (.vdi, .vbox, snapshots, etc.),
  • network traffic it can observe, and some interactions between host and guest.

But it may not fully inspect:
  • malware executing inside the guest OS,
  • memory activity inside the VM,
  • encrypted files or processes within the guest,
  • or attacks confined entirely to the virtualized environment.

So "partially protected" means:
Your host antivirus can help reduce risk, but it does not replace installing security software inside the VM itself.
 

The reason a host-based security product can't scan files inside your VM is because of exclusive file access to the virtual disk.

When not in use, a VM's virtual disk could (in theory) be mounted as a host disk volume. A security product could then scan the volume's files. But while the volume is mounted this way, your VM can't be running. Likewise, when your VM is running, the virtual disk can't be mounted by Windows.
 

My Computer

System One

  • OS
    Windows 7
But can Webroot not see internet traffic?
 

But can Webroot not see internet traffic?

A VM's network traffic is relayed through the host (using a virtual driver). But your AV product can't see this traffic from where it sits.

It's not like an external observer can see VirtualBox (as a Windows process) sending web requests. The VM's network packets are dumped out to the host's network stack. I don't know if Webroot inspects at this level. There are more advanced network security products that can filter at this level, but they're highly specialized and expensive.

You could set up something inside the VM, which relays all network requests to an external web proxy (which points to a web proxy you've installed on the host). But now, it's becoming a very messy setup to manage. And probably bad for performance.
 

Can an infected VM infect its host? My VMs all run MS Security, so I feel fairly safe.
 

Webroot can see the destination IP address and not much else. DNS client cache and resolution only happen in the VM. Webroot doesn't do deep packet inspection as it lacks an SSL decryption feature. Hypervisors (VirtualBox being a type 2 hypervisor) can be susceptible to the hypervisor-escape class of vulnerabilities, wherein malware executing within a VM can escape and gain context in the host system. If this were achieved and malware dropped on your host system, that is where Webroot will take action; however, it would be blind if the malware simply existed in the guest.
 

My Computer

System One

  • OS
    Linux Mint
    Computer type
    Laptop
    Manufacturer/Model
    System76 Lemur Pro
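The two points made above, that a running guest holds its virtual disk so the host scanner cannot open it, and that only some NIC modes push guest traffic through the host's own IP stack, can be checked from the host side. The script below is an added example for this thread, not code from the forum or from VirtualBox. It parses the key=value text that `VBoxManage showvminfo <vm> --machinereadable` prints and reports, per guest, which disk images a host AV could scan right now and where each NIC's traffic goes. The two sample outputs are constructed to resemble that format (not captured from a real host), and the set of "busy" VMState names and the NIC path descriptions are this example's own assumptions.

```python
"""Host-side inventory of VirtualBox guests: which virtual disk images a host
scanner could open right now (a running guest holds them exclusively) and
which NIC modes route guest traffic through the host's own IP stack.

Added example for this thread; not code from the forum or from VirtualBox.
"""
import shutil
import subprocess
from dataclasses import dataclass, field

# Disk image formats VirtualBox can attach; a host scanner can only open them
# when no running guest holds the file.
DISK_EXTS = (".vdi", ".vmdk", ".vhd", ".vhdx", ".qcow", ".hdd")

# VMState values taken to mean the VirtualBox process holds the disk images
# open (assumed list of VirtualBox state names).
BUSY_STATES = {"running", "paused", "starting", "stopping", "saving",
               "restoring", "stuck", "livesnapshotting"}

# Where each NIC attachment mode sends guest packets (descriptions assumed).
NIC_PATH = {
    "nat":        "host IP stack, as sockets owned by the VirtualBox process",
    "natnetwork": "host IP stack, as sockets owned by the VirtualBox process",
    "bridged":    "host NIC via the VirtualBox bridge driver, below the host IP stack",
    "hostonly":   "host-only adapter, no path to the internet by itself",
    "intnet":     "internal network, no path to the host or the internet",
    "none":       "not attached",
    "null":       "not attached",
}


@dataclass
class VmInfo:
    name: str
    state: str
    disks: list = field(default_factory=list)   # (slot, path) pairs
    nics: dict = field(default_factory=dict)    # nicN -> attachment mode

    @property
    def disks_scannable(self) -> bool:
        """True when no running guest is holding the disk images."""
        return self.state not in BUSY_STATES


def _unquote(s: str) -> str:
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    return s


def parse_showvminfo(text: str) -> VmInfo:
    """Parse the --machinereadable output of one `VBoxManage showvminfo` call."""
    kv = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        kv[_unquote(key)] = _unquote(value)
    info = VmInfo(name=kv.get("name", "?"), state=kv.get("VMState", "unknown"))
    for key, value in kv.items():
        if key.startswith("nic") and key[3:].isdigit():   # nic1, nic2, ... only
            info.nics[key] = value
        elif value.lower().endswith(DISK_EXTS):           # storage slot -> image
            info.disks.append((key, value))
    return info


def describe(info: VmInfo) -> list:
    """Human-readable report lines for one guest."""
    lines = [f"{info.name}: state={info.state}"]
    for slot, path in info.disks:
        what = "scannable by host AV" if info.disks_scannable else "LOCKED by running guest"
        lines.append(f"  disk {slot} {path} -> {what}")
    for nic, mode in sorted(info.nics.items()):
        lines.append(f"  {nic} {mode} -> {NIC_PATH.get(mode, 'unknown mode')}")
    return lines


def inventory_live_host() -> list:
    """Query VBoxManage for every registered VM; [] if it is not installed."""
    exe = shutil.which("VBoxManage")
    if not exe:
        return []
    out = subprocess.run([exe, "list", "vms"], capture_output=True, text=True, check=True).stdout
    names = [l.split('"')[1] for l in out.splitlines() if l.startswith('"')]
    return [parse_showvminfo(subprocess.run([exe, "showvminfo", n, "--machinereadable"],
                                            capture_output=True, text=True, check=True).stdout)
            for n in names]


# Constructed samples: a running guest on NAT and a powered-off guest on a bridge.
SAMPLE_RUNNING = '''name="lab-win11"
VMState="running"
"SATA-0-0"="C:\\VMs\\lab-win11\\lab-win11.vdi"
"SATA-ImageUUID-0-0"="00000000-0000-0000-0000-000000000001"
"SATA-1-0"="C:\\ISO\\win11.iso"
nic1="nat"
nic2="none"
'''

SAMPLE_OFF = '''name="lab-mint"
VMState="poweroff"
"SATA-0-0"="/home/user/VirtualBox VMs/lab-mint/lab-mint.vmdk"
nic1="bridged"
'''

if __name__ == "__main__":
    for sample in (SAMPLE_RUNNING, SAMPLE_OFF):
        print("\n".join(describe(parse_showvminfo(sample))))
    for vm in inventory_live_host():
        print("\n".join(describe(vm)))
```

Run it on the host; with VBoxManage on PATH it reports every registered guest after the two samples. A guest whose disks show as "scannable" can have its image mounted (or copied) and scanned by the host product while it stays powered off; a NAT guest's connections appear on the host as the VirtualBox process's own sockets, which is why a host product sees at most the destination address, never what the guest does with the data.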
If malware only exists in the guest, why would I care? I only run VMs to teach myself and they are not used for any serious work.
 

If it can escape it could potentially steal data, credentials or anything else from the host since a VM escape can often interact with the host system with the highest privileges (SYSTEM)
 

If it can escape it could potentially steal data, credentials or anything else from the host since a VM escape can often interact with the host system with the highest privileges (SYSTEM)

Seems very unlikely to me.
"it could potentially" is a bit tautological, isn't it?
 

It possibly might be maybe true yeah sure
 

