Network Threats In VMware

Hello, I was going to do some AV testing inside VMware. I was wondering if Comodo’s Firewall, which is installed on my host and all other machines on my network, would be able to protect all machines on my network if malware were to escape through my network connection? In case anyone was wondering, I am using a bridged connection inside the VM.

Thanks in advance.

If you’re going to be testing malware, you should really use NAT on your VM instead of a bridged connection.

Edit: Forgot to mention, when you’re purposefully playing with malware, you’re always at risk. The firewall will help, but there is always the chance that something will slip past.

Thank you for telling me to use a NAT connection, because I was mistakenly told bridged was the right way to go. Will I be getting false alerts (or maybe accurate results) from Comodo while using the VM? If you can, do you know the best way to protect the network (I know there is never a 100 percent guarantee) from malware?

With a bridged connection, your VM will show up as just another machine on your network, as it is able to connect directly to your network adapter. With NAT, your VM will be invisible to the other machines. No possibility of an accidental connection to the VM.

Are you asking if you’ll be getting alerts on your host machine from malware on the VM? No, any malware alerts should be specific to the installation on your VM. You’ll only get alerts on your host machine if the malware jumps out of the VM.

The best way to protect your network would be to disconnect all other machines from the network while playing with malware.

Does the bold above also mean a wifi network, i.e. 2 machines using my own home wifi, wired & wireless?

Does that mean just disconnect my other machines from the Internet during testing? And once I re-enable network access afterwards, would I have to worry about any malware then?

You said earlier “With NAT, your VM will be invisible to the other machines. No possibility of an accidental connection to the VM.” Does that mean the VM does not have access to my adapter?

If it’s on the network, then disconnect it. It doesn’t matter whether the network is wired or wireless. This way, on the off chance any malware escapes the VM and infects the host machine, it can’t possibly spread to any other machines on your network.

The internet isn’t the same as your network. Disconnect any networked machines. I would only re-enable network access on the other machines if you are completely sure your VM and host machine are clean.

Yes, the VM will have access to your adapter, but only indirectly through your host machine. Think of it like this. Most people have a router between their machine and the internet. Many of these routers are using NAT, which means that your computer isn’t seeing any unsolicited internet traffic because your router has supplied your computer an internal IP address. (Your computer isn’t a part of your ISP’s network)

In the case of a VM using NAT, the host machine is acting like a router, which the VM is sitting behind. So any unsolicited network traffic will not be seen by the VM because your host machine has supplied your VM with an internal IP address. (Your VM isn’t a part of your LAN)
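The two posts above turn on one setting: whether the guest’s adapter is bridged (a peer on the LAN) or behind the host’s NAT. The following is an added example, not code from the thread, from Comodo or from VMware. It audits a VMware `.vmx` file for adapters that expose the guest to the LAN and rewrites bridged adapters to NAT, as the reply recommends. It assumes the standard `key = "value"` line format of a `.vmx` file, that a missing `connectionType` behaves as bridged (VMware’s documented default) and that `VMnet0` is the bridged switch in a default Workstation install; the function names and the sample file are constructed for this example.

```python
"""Audit a VMware .vmx file for network adapters that expose the guest to the LAN.

Added example, not part of the forum thread. Assumptions (labelled below):
  * .vmx lines have the form   key = "value"   (keys are case-insensitive)
  * ethernetN.connectionType values: bridged | nat | hostonly | custom
  * a missing connectionType is treated as bridged (VMware's default)
  * VMnet0 is the bridged virtual switch in a default Workstation install
"""
import re
from typing import Dict, List, Tuple

# Constructed sample .vmx content: one bridged adapter, one NAT adapter,
# and one disabled adapter that still carries a bridged setting.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.virtualDev = "e1000"
ethernet1.present = "TRUE"
ethernet1.connectionType = "nat"
ethernet2.present = "FALSE"
ethernet2.connectionType = "bridged"
"""

_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Return the key/value pairs of a .vmx file with keys lower-cased."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def classify_adapter(cfg: Dict[str, str], nic: str) -> Tuple[str, str]:
    """Map one ethernetN adapter to an exposure status and a short reason."""
    ctype = cfg.get(f"{nic}.connectiontype", "").lower()
    if ctype == "bridged":
        return "exposed", "guest is a peer on the physical LAN"
    if ctype == "nat":
        return "behind-nat", "LAN cannot initiate connections to the guest; guest still reaches LAN/internet"
    if ctype == "hostonly":
        return "isolated", "guest can only talk to the host (VMnet1)"
    if ctype == "custom":
        vnet = cfg.get(f"{nic}.vnet", "").lower()
        if vnet == "vmnet0":  # assumption: VMnet0 is the bridged switch by default
            return "exposed", "custom adapter on VMnet0 (bridged)"
        return "check", f"custom adapter on {vnet or 'unknown vnet'}; inspect that VMnet's type"
    if ctype == "":
        return "exposed", "connectionType missing; VMware defaults to bridged (assumption)"
    return "check", f"unrecognised connectionType {ctype!r}"


def audit_adapters(cfg: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (adapter, status, reason) for every adapter marked present."""
    findings = []
    for key, value in sorted(cfg.items()):
        m = re.fullmatch(r"(ethernet\d+)\.present", key)
        if m and value.lower() == "true":
            nic = m.group(1)
            status, why = classify_adapter(cfg, nic)
            findings.append((nic, status, why))
    return findings


def lan_exposed(cfg: Dict[str, str]) -> bool:
    """True if any enabled adapter puts the guest directly on the LAN."""
    return any(status == "exposed" for _, status, _ in audit_adapters(cfg))


def force_nat(text: str) -> str:
    """Rewrite every bridged connectionType to nat, leaving other lines untouched."""
    pattern = re.compile(r'^(\s*ethernet\d+\.connectionType\s*=\s*)"bridged"', re.IGNORECASE | re.MULTILINE)
    return pattern.sub(r'\1"nat"', text)


if __name__ == "__main__":
    for nic, status, why in audit_adapters(parse_vmx(SAMPLE_VMX)):
        print(f"{nic}: {status} ({why})")
    print("fixed:", not lan_exposed(parse_vmx(force_nat(SAMPLE_VMX))))
```

Note that NAT only stops the LAN from initiating connections to the guest; the guest can still open connections outward, which is why the reply still recommends disconnecting the other machines. An adapter set to `hostonly` is the setting that actually removes LAN and internet reach.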

I appreciate the rundown of what it all means. Is there any way to isolate from my LAN and run without disturbing the other machines running on my network? The reason why I posted in this section of the forum (I probably should have mentioned this earlier) was because under the firewall settings, I have enabled my Stealth Ports Wizard to block all incoming connections and make my ports invisible to everyone. Is that a possible substitute for disconnecting the machines running on my network?

You should be fine if your other machines are protected with Comodo. Emphasis on should… Nothing is 100%.

But your machines will be just as protected on your LAN as they would be if they were directly facing the wild internet. The only difference being, you’re actively trying to infect a VM while the host is connected to your network. So there is risk involved, no matter how you look at it.

Yes, stealth ports wizard should help, but no, it’s not a possible substitute for disconnecting the other machines on your network. Nothing is a substitute for that. But if that’s the best you can do and you’re willing to take the risk with your other machines, as I said, they should be fine. Comodo is a very capable firewall.

Thanks, that is why I have been using Comodo’s Firewall and Defense + for years, well before the Internet Security suite was even established. I thank you truly for your help and useful information, and am confident I am using the most secure settings for testing. This might seem like a really silly question, but is running a full scan on the VM test machine with multiple scanners going to be able to make sure the network connection is secure?

In my opinion, and probably most people on this forum would agree, Comodo’s HIPS and Default-Deny technology is far superior and well beyond the capabilities of most paid anti-malware programs on the market today. No matter what happens, I would trust Comodo to take care of business no matter what escapes over the network (though I would prefer it to never get that far).

Yes, full scans with multiple scanners should be a pretty good indicator of whether or not your host machine is clean. Assuming that you haven’t stumbled upon a zero-day threat that none of the scanners are able to detect, but then again, you have Defense+.

Thanks for that quick response. It might sound like I am trying to avoid turning off the network for all of my machines to take a shortcut (which in a sense I am trying to avoid), but if I just restored the VM back to a clean state, could that change anything?

I know you can’t give me study results, but can you please do your best to tell me the odds of:

-Malware getting through VMware into network

-Malware getting through Comodo Firewall/Defense +

Well, that would ensure that the VM is clean…

Such odds are impossible to determine.

Malware that can escape a VM and infect the host is quite rare, but I’m definitely not going to be the one to say it’s safe for you to experiment with malware. There is always a risk when doing this! I personally would never do it on a networked machine, or without a complete backup of the host machine in case things go wrong.

I completely understand your reasoning behind not including probabilities, because I guess the first piece of malware I test could go through the network. Inside the VM, I would be using an additional antivirus to prevent threats from escaping, but even then I guess it is still not a surefire way of protecting the system. Thank you for your time and well thought-out explanations. I am not doubting anything you have said, but do you know of anybody on these forums I can send a personal message to who tests malware in the VM environment, to see how they go about their testing?

Maybe someone will speak up.

why do I get the feeling no-one is going to speak up? :cry:

This is a great guide on how to isolate your virtual network.

VMware Network Isolation for a Malware Analysis Lab