2

This is back in 2014.

Question: Is the antivirus supposed to detect a virus which is running inside a guest OS inside a virtual machine?

If yes, does this mean the host can be also in danger, or that the guest is not encapsulated 100%?

Details:

  • VirtualBox
  • Guest OS: Win XP x32 sp3
  • Host OS: Win 7 x64 sp1
  • Antivirus on host: Avast
  • Guest OS is connected to internet through host, has firewall but no antivirus.
  • The (pseudo)virus is just a C application which tries to write on memory and open files and processes and stuff. Doesn't try anything on registry, or replicate self, or other stuff which I don't even know about :D
1
  • running, probably. on disk, probably not. Commented Jun 15, 2017 at 15:45

2 Answers

1

Short answer: no.

Think of your VM as being any other computer on your network. That's how your host sees it. In a purely physical sense, the contents of the .vdi file are basically invisible to anything running on the host.

4
  • Instead of giving an analogy, why don't you state Why you believe it's "invisible"?
    – barlop
    Commented Jun 15, 2017 at 18:02
  • It's not an analogy. That's literally how virtualization works. Commented Jun 15, 2017 at 22:26
  • When you say "Think of your VM as being any other computer on your network": if you mean it literally is, then don't say "Think of your VM as". Say it is. Also, I don't think the OP denied this. Perhaps you mean it's literally the same as any other physical computer on the network, though that's not really true either, 'cos if you smash one physical machine on the network it won't break another one. And these words of yours, "In a purely physical sense, the contents of the .vdi file are basically invisible to anything running", that's very untechnical, mysterious language you are using.
    – barlop
    Commented Jun 15, 2017 at 22:36
  • @CharlesBurge If the antivir is not supposed to do that, then what does it mean if it can actually do it? Also, from what I searched and understood, there's no such thing as 100% isolation, since memory, cpu, disk are all shared between host and guest.
    – jack
    Commented Jun 16, 2017 at 8:57
1

Normally it's safer to treat a VM like a normal system, so use an antivirus in the guest OS.

However, there is also a possibility to scan the vmdk file. It's based on VMware, but should be the same for other products.

> Symantec Offline Image Scanner (SOIS) is a stand-alone tool that can be used to scan .vmdk files using Symantec Endpoint Protection (SEP) 12, Symantec Endpoint Protection (SEP) 11, or Symantec AntiVirus (SAV) 10 virus definitions.

A short explanation of the files:

> nvram
>
> This is the file that stores the state of the virtual machine's BIOS.
>
> .vmdk
>
> This is a virtual disk file, which stores the contents of the virtual machine's hard disk drive.
>
> A virtual disk is made up of one or more .vmdk files. If you have specified that the virtual disk should be split into 2GB chunks, the number of .vmdk files depends on the size of the virtual disk. As data is added to a virtual disk, the .vmdk files grow in size, to a maximum of 2GB each. (If you specify that all space should be allocated when you create the disk, these files start at the maximum size and do not grow.) Almost all of a .vmdk file's content is the virtual machine's data, with a small portion allotted to virtual machine overhead.
>
> If the virtual machine is connected directly to a physical disk, rather than to a virtual disk, the .vmdk file stores information about the partitions the virtual machine is allowed to access.
>
> Earlier VMware products used the extension .dsk for virtual disk files.
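The point above about a disk split across several .vmdk files, as an added example (not part of the original answer, and not Symantec's or VMware's code): a per-file host scan treats each chunk as an unrelated blob, while an image-aware scan reads the chunks in order as one disk. It assumes flat extents that concatenate in order; the file names, the tiny 64-byte extent size standing in for 2GB, and the signature are all constructed.

```python
import os
import tempfile

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in, not a real AV pattern
EXTENT_SIZE = 64                           # stand-in for the 2GB chunk size

def write_split_disk(directory, disk_bytes, extent_size=EXTENT_SIZE):
    """Split one logical disk into ordered flat extent files (hypothetical names)."""
    paths = []
    for n, off in enumerate(range(0, len(disk_bytes), extent_size), start=1):
        path = os.path.join(directory, f"guest-f{n:03d}.vmdk")
        with open(path, "wb") as fh:
            fh.write(disk_bytes[off:off + extent_size])
        paths.append(path)
    return paths

def scan_each_file(paths, signature=SIGNATURE):
    """Per-file scan: each extent is checked in isolation."""
    hits = []
    for p in paths:
        with open(p, "rb") as fh:
            if signature in fh.read():
                hits.append(p)
    return hits

def scan_logical_disk(paths, signature=SIGNATURE, bufsize=16):
    """Stream the extents in order as one disk, carrying a tail across reads
    so a match straddling a buffer or extent boundary is still found."""
    keep = len(signature) - 1
    tail, base, offsets = b"", 0, []       # base = logical offset of tail[0]
    for p in paths:
        with open(p, "rb") as fh:
            while chunk := fh.read(bufsize):
                window = tail + chunk
                pos = window.find(signature)
                while pos != -1:
                    offsets.append(base + pos)
                    pos = window.find(signature, pos + 1)
                base += max(len(window) - keep, 0)
                tail = window[-keep:] if keep else b""
    return offsets

def demo():
    disk = bytearray(3 * EXTENT_SIZE)
    disk[50:50 + len(SIGNATURE)] = SIGNATURE   # straddles the first extent boundary
    with tempfile.TemporaryDirectory() as d:
        paths = write_split_disk(d, bytes(disk))
        return scan_each_file(paths), scan_logical_disk(paths)

if __name__ == "__main__":
    print(demo())
```

The per-file scan reports nothing because neither chunk holds the whole pattern, while the in-order scan reports its logical offset on the disk.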
