Malware Testing Query

I do malware tests on a real system. For this I use my home wifi internet with a Belkin router. My main system is Win 7 64-bit & I do the tests on XP 32-bit.

So can any malware infect the main system when I am doing malware tests on XP?

Yes, but we really need more info: virtual machine, separate machine, how the machines are set up, etc., etc., etc…


What if the main system is shut down during the test on XP? Can the main system still be infected?

No virtual machine here on any system.

No wired connection, i.e. both systems connect to the home wifi through the Belkin router.

Administrator account on both systems.

Both systems use Windows Firewall at default settings. On the main system, i.e. Win 7, Home Network is selected for my wifi, and Avast Free at default settings.

What else?

Hi Naren. I know from your posts that you test a lot. If you are asking whether the real XP system will get infected, then yes, it will be a matter of seconds before you get the system infected if you keep clicking Run… when you execute the malware.

Were you using an AV when doing the tests, or were you executing on a live unprotected system? Not sure if I understand the question, as if you had been doing previous testing on a live XP OS then the gremlins would have free access to roam around your system and do their dirty work, and you would have your answer… most probably an unusable system.

Most of us on these forums know that even an AV with, say, 20 engines in real time (if that were at all practical without stopping your PC stone dead) would at some point fall foul of zero-day nasties and you will get infected… what's needed is layered protection such as Comodo already has with its AV, HIPS and sandbox… but then you know what is needed already, as I know you have tested it…


Hi dave1234

You misunderstood my query.

What I meant was, I have 2 systems at home, Win 7 & XP, & a Belkin router. Both systems connect to the wifi through the Belkin router, i.e. Win 7 is connected to my home wifi & XP is also connected to my home wifi. And I do tests on the real XP system, i.e. testing security software, with CTM beta installed for rollback.

I wanted to know, as both systems connect to my home wifi:

Can Win 7 get infected if it is connected to my home wifi while at the same time I am doing a test on XP, which is also connected to my home wifi?

And can Win 7 get infected if it is shut down while at the same time I am doing a test on XP connected to the wifi?

There are too many unknowns to answer your query with any certainty.

However, if we talk about risks, then clearly there is a risk that your XP test system could infect your W7 production system. A likely vector, although not the only one, would be the network. Wired or wireless is irrelevant to you, but wireless does expose other unprotected wireless networks to risk.

As per the replies here, there is a chance of Win 7 getting infected during tests on XP.

What are the chances of infection, say out of 100%?

I am asking this because I don't have any other way of testing on XP, as my internet is MAC bound & so it cannot be used on another system except wirelessly, & I don't want to test on the main Win 7 system with VMware either.

For me same answer as before: There are too many unknowns to answer your query with any certainty.

However, over time it is possible that the risk might become 1:1, depending on what you're actually doing & what assumptions you have made. The fact that you're asking the sort of questions that you have probably increases the risk, and significantly so if you've already performed live malware testing.

Malware testing is not my expertise, but I suspect that it’s all about identifying the cross infection risks within your testing environment/procedures and then doing what you can to either completely eliminate or mitigate those risks (to an acceptable level).

On saying that… why can’t you run a VM XP instance actually on your XP testing platform? This should help to reduce the risks on the testing platform.

Also, what do you mean by "MAC bound"?

My XP is an old system with a 55 GB hard disk & 512 MB RAM, so VMware, VirtualBox, etc. slow down the system a lot. One thing here: I test malware on the real XP system, so if I format & reinstall the system it will be clean, right?

MAC bound - it is like being specific to one laptop. If I want to use the internet directly on another laptop I have to call my service provider & he changes/transfers the MAC to the other system; without this the net doesn't work on the other system. The only other option is wireless. Changing the MAC costs 500 bucks per change.

I'm surprised; that sounds within the minimum requirements to me. Mind you, I guess it could be the CPU.

If you mean an XP install format, then no… I don’t believe that is sufficient with some types of infections. But, you’ll need someone with more experience in this field to confirm or deny that. Sorry.

Maybe this is not a problem. MAC spoofing, e.g. Technitium MAC Address Changer | A Freeware Utility To Spoof MAC Address Instantly

Then what format would be good? I have tested malware heavily on this real system, though I use Comodo Time Machine 2.9 Beta for rollback each time to a safe point.

Hi Naren. Comodo Time Machine has been shown in tests to be vulnerable to certain types of malware, rootkits I think. I understand from many months ago that all this was going to get fixed in a new version, 3.00 maybe, but at present with 2.9, if you do loads of testing, it's possible that you may infect your PC, as when you roll back the malware would still be present… If I were testing… I would use Sandboxie or Shadow Defender, as neither of these two has ever been genuinely breached as far as I can tell… Just an observation.


Do not do live malware testing on any networked computer unless you fully understand the risks of cross-compromise, "trampolining" or "leap-frogging". All Windows boxes have hidden shares which are accessible over the network.

Investigate VMWare Player or VirtualBox - both free and require minimal hardware resources.

Do your testing inside one of those.

If a system is shut down, can it still get infected during the test on the other system if both connect wirelessly to my home connection through the router?

While it is shut down - no. However, some malware (e.g. Conficker) stays resident on the infected machine unless you completely wipe the drive, removing the MBR/FAT etc. If the malware is still resident when you boot up the other machine, it will poll for administrative shares, e.g. IPC$, and then infect the "clean" machine.

If you have to test on a production machine make sure it is off when you start the clean machine.
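The hidden administrative shares mentioned two posts up and the IPC$ polling described in the reply just above are both things you can check for on the "clean" box before it is ever powered on alongside the test box. The following is an added example and not code from this thread: it parses captured `net share` and `netstat -an` output as text (the two samples embedded below are constructed, not real captures), lists the hidden shares (names ending in `$`), lists SMB/NetBIOS listeners reachable from the LAN, and prints the standard commands that remove that exposure. The `AutoShareWks` registry value and the `lanmanserver` service name are the real ones for workstation editions; which of the fixes you want is up to you.

```python
"""Audit a Windows box for the hidden admin shares and SMB listeners that
worm-style malware uses to hop between LAN hosts.  Added example; parses
text so it runs offline against saved command output."""
import re

# Constructed sample of `net share` output from a default XP/Win7 install.
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
D$           D:\\                             Default share
ADMIN$       C:\\WINDOWS                      Remote Admin
C$           C:\\                             Default share
Public       C:\\Users\\Public
The command completed successfully.
"""

# Constructed sample of `netstat -an` output (only the relevant lines).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.2.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING
  UDP    192.168.2.10:137       *:*
"""

SMB_PORTS = {139, 445}   # NetBIOS session service and direct-hosted SMB


def parse_net_share(text):
    """Return (share_name, resource) tuples from `net share` output."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        parts = line.split()
        # IPC$ has no resource column; a resource is a drive path or UNC path.
        res = parts[1] if len(parts) > 1 and (":" in parts[1] or parts[1].startswith("\\\\")) else ""
        shares.append((parts[0], res))
    return shares


def admin_shares(shares):
    """Shares ending in '$' are hidden from browsing but still reachable."""
    return [name for name, _ in shares if name.endswith("$")]


def smb_listeners(netstat_text):
    """(local_ip, port) for SMB/NetBIOS TCP sockets in LISTENING state."""
    out = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(2)) in SMB_PORTS:
            out.append((m.group(1), int(m.group(2))))
    return out


def risk_report(net_share_text, netstat_text):
    """Combine both views: exposed = hidden shares AND a LAN-reachable listener."""
    hidden = admin_shares(parse_net_share(net_share_text))
    lan = [(ip, p) for ip, p in smb_listeners(netstat_text) if not ip.startswith("127.")]
    exposed = bool(hidden) and bool(lan)
    fixes = []
    if exposed:
        for name in hidden:
            if name != "IPC$":          # IPC$ exists whenever the Server service runs
                fixes.append(f"net share {name} /delete")   # temporary: recreated at boot
        fixes.append('reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters" '
                     "/v AutoShareWks /t REG_DWORD /d 0 /f")  # stops C$/ADMIN$ recreation
        fixes.append("sc config lanmanserver start= disabled && net stop lanmanserver")
    return {"admin_shares": hidden, "lan_smb_listeners": lan, "exposed": exposed, "fixes": fixes}


if __name__ == "__main__":
    for k, v in risk_report(SAMPLE_NET_SHARE, SAMPLE_NETSTAT).items():
        print(f"{k}: {v}")
```

Run it against the real output (`net share > shares.txt`, `netstat -an > ports.txt`) of the machine you intend to keep clean. Deleting the shares with `net share X /delete` only lasts until the next boot; the registry value stops them being recreated, and stopping the Server service (or simply turning off the File and Printer Sharing exception in Windows Firewall) closes 139/445 altogether, which is the check that actually matters for the "worm polls for IPC$" case.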

kail is correct in saying there are far too many unknowns. For starters, what are the security constants of the XP system? Oh, and soft-disconnection of the XP system (that is, disconnecting via the network manager only) does not prevent malware from going out, trust me on that one. It happened here. And I agree with kail that using wireless exposes others to threats. If it happened here, I don't see why it shouldn't happen to others.

Formatting does not eliminate all malware. Some of them still manage to reside in the MBR or, if you're using the XP installer to format, escape deletion somehow (not sure how this was possible, but active remnants of sixteen malware samples remained after a complete format).

My advice is to run Linux with the LXDE environment (for minimal system resources), install a VM if it works, then run the testing there. Avoid any browser but IE and force it into a sandbox before testing. That should pretty much minimize the damage.

Having one system turned off prevents infection from spreading, but if it were using wireless, the infected system exposes other systems to threats.

I’d like to share how I used to do my testing (I no longer do tests). See if you can get anything from it:

What I need:
Bootable Linux USB
Hiren's BootCD
1 Linux
Dual-boot XPs: one FAT32 and another with NTFS (I'll refer to them as XP1 and XP2)

XP1 has the FAT32 file system, Sandboxie, whatever suite I'll be testing, ProcessHacker, Unlocker
XP2 has the NTFS file system with custom file permissions for particular folders, LUA+EMET+Wondershare Time Freeze 2, Easy File Locker, Unlocker, Sandboxie+BSA, and my preferred security setup

  1. Before running tests, make sure that the AV (I'm assuming you're testing a suite or an AV) is already updated.
  2. Download the samples via Linux and archive them to keep them from running. Copy them to the XP system.
  3. In the XP system, I have Sandboxie installed and force IE to be sandboxed whenever it is run.
  4. Final updates before extraction. Turn off the wireless router.
  5. Extract and run EACH malware sample in an isolated folder (I mean to say in a folder of its own). This is strenuous and time-consuming, but it allows you to identify which went undetected. This will be helpful in tracking it down later.
  6. List the detected and undetected malware. Undetected samples are copied from the Linux build and analyzed via ThreatExpert/Sandboxie+BSA (if upload fails). Behavior is analyzed and logged in a text file. Copy the text file to the bootable USB.
  7. Boot from the Linux USB and manually remove remnants. (Do this while still possible. You don't want errors while formatting. Too time-consuming and wears out your patience and hard drive.)
  8. Reboot to confirm activity. If no activity is traced, proceed to formatting and reinstallation.

I had no trouble with this setup before.
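Steps 2 and 6-8 of the procedure above (park the samples so they cannot run, then work out what each one left behind so you know what to remove or whether a format is due) are easier with a before/after file-system manifest. The following is an added example, not the poster's own tooling: it hashes every file under a directory before a sample is run and again afterwards, reports what was added, changed or removed, and stores downloaded samples in a zip under a `<sha256>.bin` name so nothing in the archive carries a launchable extension. The `demo()` function builds a constructed scenario in a temporary directory with harmless placeholder files (no real malware) so the whole flow can be run offline; the directory and file names in it are assumptions.

```python
"""Before/after manifest diff and sample quarantine for a malware test box.
Added example; generalises the 'find the remnants' steps of the procedure
above to any directory tree (registry and in-memory persistence are out of
scope here: only files are compared)."""
import hashlib
import os
import tempfile
import zipfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(before, after):
    """Return sorted lists of added, removed and changed relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}


def quarantine_samples(src_dir, zip_path):
    """Copy each sample into a zip as <sha256>.bin; returns {original: archived}.
    The hash doubles as the ID you use when logging detected/undetected results."""
    mapping = {}
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(os.listdir(src_dir)):
            full = os.path.join(src_dir, name)
            if not os.path.isfile(full):
                continue
            arcname = sha256_file(full) + ".bin"
            zf.write(full, arcname)
            mapping[name] = arcname
    return mapping


def demo(workdir=None):
    """Constructed walk-through: quarantine a placeholder sample, snapshot a
    fake 'system' tree, simulate what a dropper leaves behind, snapshot again."""
    workdir = workdir or tempfile.mkdtemp(prefix="mtest_")
    samples = os.path.join(workdir, "samples")   # assumed layout, not from the post
    system = os.path.join(workdir, "system")
    os.makedirs(samples)
    os.makedirs(system)
    with open(os.path.join(samples, "evil.exe"), "wb") as f:
        f.write(b"MZ\x90\x00 constructed placeholder, not a real PE")
    with open(os.path.join(system, "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")

    mapping = quarantine_samples(samples, os.path.join(workdir, "samples.zip"))
    before = build_manifest(system)

    # Simulated post-execution changes: hosts-file tampering and a dropped binary.
    with open(os.path.join(system, "hosts"), "a") as f:
        f.write("127.0.0.1 update.example\n")
    os.makedirs(os.path.join(system, "Temp"))
    with open(os.path.join(system, "Temp", "svch0st.exe"), "wb") as f:
        f.write(b"dropped placeholder")

    after = build_manifest(system)
    return mapping, diff_manifests(before, after)


if __name__ == "__main__":
    mapping, delta = demo()
    print("quarantined:", mapping)
    print("changes:", delta)
```

In practice you run `build_manifest` over the Windows volume from the Linux USB (step 7), once before the session and once after, so the hashing happens from an OS the sample never ran under; a manifest taken from inside the infected XP can be lied to by a rootkit, which is the same reason the posters above distrust in-place rollback.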