Of course users can install an AV inside the VM. The whole point of the article is, how does the IT manager prevent users from downloading VMs without permission and bringing a Trojan into the network?
When a user downloads software without permission, the IT manager at least knows that the AV installed on the host machine will very probably stop a virus or trojan. But the AV will not be able to scan a VM.
And as to the AV seeing inside the VM image, it might detect run-of-the-mill trojans, but it will not detect specially crafted virtual machine trojans, simply because of the low infection levels and thus lack of recognizable patterns.
Did you try out ViMtruder? That's a very simple Python script, yet no AV would detect it, of course. Now imagine a trojan deeply embedded within the Linux operating system of the VM.
You may want to read the full article:
http://www.infosegura.net/VMTthreat.html
Regards,
Sergio
-------- Original Message --------
Subject: Re: [Full-disclosure] Virtual Machine Trojans: a new type of
threat?
From: Peter Ferrie <[email protected]>
Date: Fri, April 17, 2009 2:09 pm
To: [email protected]
> When a user downloads a virtual machine from the Internet, and then
> runs it on his/her computer, the antivirus installed in the host machine
> simply does not have access to the virtual machine, so the virtual machine
> does not get scanned.
That is simply not true. AVs can see inside VM images, and scan the files.
The user can also install the AV inside the VM, which will also see the files.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
