Firewall Protection and Virtual Machines

[Guest]

[andyman35]

I agree,there is no example of a malware hypervisor and it's certainly not a trivial task to create one.I know that Joanna Rutkowska has written about so called 'blue pill' malware,so it's possibly something of concern for the future.The more I think of it there would be incredible problems with the security software on a host system attempting to monitor a guest OS.

I'm no programmer so correct me if I'm wrong,but as I see it if the host is running XP and the guest Debian for example it'd be an impossibility for Windows based software to directly interact with the Linux kernel.The emulation layers such as Crossover Linux which allow the use of Windows software on Linux are patchy and limited at best,as one example.It makes perfect sense to me that a firewall on the host would have nothing to do with a VM

[panic]

Regardless, there is only one hardware interface to the outside world and this is monitorable by the host system. Providing the guest OS is using IP or some other monitorable stack, of course.

Ewen :-)

[FrankDaegas]

Give me ONE FIREWALL that can block an application that is running on the guest system inside virtual PC.

I guarantee you cant.

The one in my mind? If a host kernel debugger knows Virtual PC etc etc etc. That isn't the point. The point is that you need a HIPS to disallow letting Virtual PC use the network. The good WinXP HIPS systems warn that Virtual PC is asking for low-level access to the HD and keyboard, which is enough of a warning for me to kill it. I haven't found one yet that warns Virtual PC is asking for low level access to the network, but I haven't really looked. There isn't much of a need to look for one either, because when I setup Virtual PC I know how to deal with it and if something else wants to install/run Virtual PC the HIPS will warn me.

I like the new COMODO BTW.

Wait I take it back. I love it. I only hope it is as good as it appears to be security wise. I am too lazy to run any tests.

[SpacemanPT]

I'm not very good writing in english... but if you install a VM and then give it permition to use the net and every other stufff, it is your own fault. cfp can only see the vm process, not the other processes inside the VM... I guess this is all just to stupid

if you make a vm like virus, then it'll be a virus anyway, and no one would allow it to install in the first place... i really believe that cfp would detect that install attempt, and the disk access, memory access, etc...
just try using the task manager in the host SO and look for the VM OS processes... you can't find them...

on the other hand, why should cfp care for the data leaked from inside the VM... it's VM's data, not the host data. CFP was installed in the host, not in the VM...

once again... it will be you're own fault for trusting the VM in the first place.

[Burillo]

i've read through original topic and this one too, and all i can say that while the problem certainly exists, still Debunker's posts are more aggressive than anyone's on these threads. In the other words, what he says is total bullsh-t. I've been using VM's for some time (really just for fun and exploration) and i never had a single thought of NOT installing separate security software inside VM (except when i deliberately wanted to infect it with malware just to see what happens). OK, it's not about VM's, but about installing a kernel driver than can act similar to VM's virtual NIC. I'd quote Melih from another thread - "the real power of the CPF is prevention". That is - CPF ain't no antivirus. Therefore - a malware asks about installing a kernel driver. You allow it. Then it can do what it wants, including sending traffic in a similar to VM way. Security flaw? Well, not exactly. You allowed an installation of kernel driver - YOU are to blame, not the firewall. Yes, maybe CPF can't block VM's traffic by default (didn't test that yet) but it surely can block kernel driver installation - the root of the problem. It's somewhat similar to allowing a rootkit installation and then blaming the security software that can't block an already running rootkit.

[00hmh]

Debunker asserts that VirtualPC has drivers at kernel level which are not monitored or detected by the HOST firewall or HIPS.

I believe Melih makes the point that when VirtualPC is installed you will be prompted to allow these "hooks."

Debunker asserts that it is not VirtualPC but rather teh possibilityt that similar drivers are used in other malignant software. 

Melih does not at this point respond, but I believe the design of CFP3 would in fact detect installation of these drivers. 

Debunker says he can install Virtual PC so he can install malware similarly.  EVeryone agrees that it is possible to install malware.  Isn't the simple testable question whether CFP3 will popup and warn that a process is attempting to install kernel level drivers? 

BOClean or CMG or CFP3 all could be taken to represent that they do this, Debunker apparently believes at least that CFP3 does not.   Do I understand the debate?  Is there a test to answer the issue raised by Debunker?  I must say his argument that VirtualPC installs does not end the discussion IF CFP makes a query?  It may not do so now because it is in fact on a whitelist, so he has a way to go with his hypothetical malware, to show it can be installed.  THAT is the question.

Comodo cannot prove a negative, that is they cannot prove that there is NO malware that can be installed.  They have, however, made a plausible case that their design will detect and prevent MOST malware. 

If all that Debunker is proving is that nobody is perfect, or that Comodo may not stop ALL malware, he is saying very little.  He seems to think he is saying that since SOME software MIGHT be able to evade CFP, that ALL malware could.  That is either a trivial truth by tautology, or a very weak claim riding on the word "could."  Pigs could be made to fly, but it is sure not easy.  I am willing to risk it and not install nets over the pigpen.     I won't criticize the guy who builds a fence that requires the pigs to build a catapult to get over it.

If Debunker is right that these malignant drivers are very easy to insert in malware and hard to detect and would evade CFP, I thank him, but he has only asserted that not proven it yet. 

Debunker, Melih et al,  have I fairly stated the issue, do you have a response? 

[OD]

I have followed these threads scince the begining,  and reread them several times.
I give some creedence to what debunker is saying but if a user always allows unknown activity he is going to get bitten.

I would say the below is a valid summery

OD

Debunker asserts that VirtualPC has drivers at kernel level which are not monitored or detected by the HOST firewall or HIPS.

I believe Melih makes the point that when VirtualPC is installed you will be prompted to allow these "hooks."

Debunker asserts that it is not VirtualPC but rather teh possibilityt that similar drivers are used in other malignant software. 

Melih does not at this point respond, but I believe the design of CFP3 would in fact detect installation of these drivers. 

Debunker says he can install Virtual PC so he can install malware similarly.  EVeryone agrees that it is possible to install malware.  Isn't the simple testable question whether CFP3 will popup and warn that a process is attempting to install kernel level drivers? 

BOClean or CMG or CFP3 all could be taken to represent that they do this, Debunker apparently believes at least that CFP3 does not.   Do I understand the debate?  Is there a test to answer the issue raised by Debunker?  I must say his argument that VirtualPC installs does not end the discussion IF CFP makes a query?  It may not do so now because it is in fact on a whitelist, so he has a way to go with his hypothetical malware, to show it can be installed.  THAT is the question.

Comodo cannot prove a negative, that is they cannot prove that there is NO malware that can be installed.  They have, however, made a plausible case that their design will detect and prevent MOST malware. 

If all that Debunker is proving is that nobody is perfect, or that Comodo may not stop ALL malware, he is saying very little.  He seems to think he is saying that since SOME software MIGHT be able to evade CFP, that ALL malware could.  That is either a trivial truth by tautology, or a very weak claim riding on the word "could."  Pigs could be made to fly, but it is sure not easy.  I am willing to risk it and not install nets over the pigpen.     I won't criticize the guy who builds a fence that requires the pigs to build a catapult to get over it.

If Debunker is right that these malignant drivers are very easy to insert in malware and hard to detect and would evade CFP, I thank him, but he has only asserted that not proven it yet. 

Debunker, Melih et al,  have I fairly stated the issue, do you have a response? 

[andyman35]

Pigs could be made to fly, but it is sure not easy.  I am willing to risk it and not install nets over the pigpen.     I won't criticize the guy who builds a fence that requires the pigs to build a catapult to get over it.

That mental imagery summed it up beautifully,you get me vote 

[Tags:]