Securely Open Uncertain Files in Virtual Box


  1. Posts : 35
    Windows 7 Ultimate x64
       #1


    Hello,

    I regularly receive files by email from new contacts. Although I may trust the sender, I may not trust the PCs or smartphones they're coming from since most people procrastinate with virus scans. On rare occasions I've been victimized by malware in one of the files sent but fortunately my anti-virus has spotted them right away. Yet, I don't want to rely on this detection as antivirus software is always in catch-up mode and one day I may get infected by malware that's not yet recognized.

    I've heard about a way to open downloaded files inside a secure virtual environment so if there is malware present it stays inside that virtual environment and can't infect my PC. Also, I'd be able to scan it for malware while in there too.

    I don't understand how this works. I've heard of a "sandbox" for browsers, which seems to be kind of the same idea but it's just for isolating potential malware that may be picked up while browsing online. I've also heard of "virtual machines" but I'm not sure that's what I'm looking for as I understand them to work off a network and seem complicated. I don't have a network, just individual PCs.

    Basically what I want is a virtual space that I would access downloaded files from and scan and open them in there too. Somehow, whatever applicable program is needed to open them will work in there and if there's malware, it won't affect that program or my PC.

    If anyone knows about this please give me some guidance and education about how this would work or if it can even be done.

    Thank you.


  2. Posts : 13
    Windows 7 Pro
       #2

    Bret: in short, yes, doing untrusted actions inside a virtual machine is a huge step forward in security. Opening files from dubious sources, doing general web browsing (in that link, scroll down to the "Use of Virtual Machines" section), etc.

    You have got to do some background research first, tho, to educate yourself on the basics of virtualization.

    I started my own experimentation using VirtualBox on top of a Win 7 host OS. I highly recommend VirtualBox as your first hypervisor.

    I run Linux (Xubuntu) inside the VM, and use this for general browsing, as Windows is just too vulnerable.

    In the future, I want to play with either VMware or a Linux base OS with KVM or Xen as the hypervisor.


  3. Posts : 329
    W10 Pro x64, W7 Pro x64 in VMware
       #3

    Would a virus written for Windows be detected in a Linux VM? Would there be a suitable Linux app to open the suspicious Windows files?

    Browsing in a Linux VM might be secure, but the OP needs to test the files in a Windows VM. My preference is VMware Workstation, but the free VMware Player is quite adequate. The OP would, of course, need a separate Win licence for the VM.

    VMware Player is at the end of this page


  4. Posts : 13
    Windows 7 Pro
       #4

    wasnotwas said:
    Would a virus written for Windows be detected in a Linux VM?
    "be detected" is ambiguous.

    If you mean would a Windows-specific ("written for Windows") virus infect Linux, the answer is almost surely no, since by definition such a security hole should be very target specific. That said, not all malware is operating system dependent (e.g. Flash, Java, etc. sometimes offer cross-platform vulnerabilities).

    If you mean could a Linux program, say a malware scanner, somehow detect the presence of Windows malware in a file, then of course it could, if it was written to do that. It looks like ClamAV does precisely this.


    wasnotwas said:
    Would there be a suitable Linux app to open the suspicious Windows files?
    Besides a malware scanner like ClamAV, you could always try to open, say, a word processing doc in something like Libre Office on Linux. The malware probably would not infect Linux, but it might crash your viewing app.


    wasnotwas said:
    Browsing in a Linux VM might be secure, but the OP needs to test the files in a Windows VM.
    Maybe, maybe not--see above.

    One awesome thing that you can do with virtual machines is that you can either clone them or reset them to an initial state, so that even if your VM is infected, you either discard that copy or reset it to remove it. (Beware: cloning Windows VMs is sometimes tricky due to licensing.)

    By the way, instead of (or in addition to) virtualization, you should always be scanning all untrusted files with something like Malwarebytes anyways. I do that all the time with files that I download.
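The reset-to-a-clean-state workflow described in post #4, as an added example that is not part of the original thread: a POSIX shell wrapper around VirtualBox's `VBoxManage` CLI. The VM name, snapshot name and inbox folder are assumptions, and detaching the network adapter and using a read-only shared folder are choices made for this example, not advice from the posters.

```shell
#!/bin/sh
# Added example: disposable-VM workflow for opening uncertain files in VirtualBox.
# VM, SNAP and INBOX are hypothetical names; override them from the environment.
# Set DRY_RUN=1 to print the VBoxManage commands instead of running them.
VM="${VM:-scratch-vm}"
SNAP="${SNAP:-clean-baseline}"
INBOX="${INBOX:-$HOME/vm-inbox}"   # host folder holding the files to inspect

vbox() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "VBoxManage $*"
    else
        VBoxManage "$@"
    fi
}

# One-time setup with the VM powered off: detach the network adapter,
# expose the inbox to the guest read-only, then record the clean state.
harden_and_baseline() {
    vbox modifyvm "$VM" --nic1 none &&
    vbox sharedfolder add "$VM" --name inbox --hostpath "$INBOX" --readonly &&
    vbox snapshot "$VM" take "$SNAP"
}

# Before each file: roll back to the clean snapshot, then boot the guest.
open_session() {
    vbox snapshot "$VM" restore "$SNAP" &&
    vbox startvm "$VM" --type gui
}

# After inspection: hard power-off (no guest state is worth keeping) and
# roll back, so anything the file changed inside the guest is discarded.
# If the restore reports the VM as locked, wait a moment and run it again.
end_session() {
    vbox controlvm "$VM" poweroff &&
    vbox snapshot "$VM" restore "$SNAP"
}
```

Run `harden_and_baseline` once after installing the guest, then wrap each inspection in `open_session` and `end_session`.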


  5. Posts : 329
    W10 Pro x64, W7 Pro x64 in VMware
       #5

    up2trix said:
    By the way, instead of (or in addition to) virtualization, you should always be scanning all untrusted files with something like Malwarebytes anyways. I do that all the time with files that I download.
    I concur. R click - scan with your usual A/V and R click - scan with Malwarebytes is all I do with downloaded files, although MBAM context menu is not always on by default (it's in the settings). There's also VirusTotal, where you can upload files up to 128MB to be tested by about 50 different scan engines.

    https://www.virustotal.com/


  6. Posts : 13
    Windows 7 Pro
       #6

    wasnotwas said:
    up2trix said:
    By the way, instead of (or in addition to) virtualization, you should always be scanning all untrusted files with something like Malwarebytes anyways. I do that all the time with files that I download.
    I concur. R click - scan with your usual A/V and R click - scan with Malwarebytes is all I do with downloaded files
    Agreed. I use AVG paid version as my main malware defense, and then for downloaded files I additionally scan them with Malwarebytes free.


    wasnotwas said:
    There's also VirusTotal, where you can upload files up to 128MB to be tested by about 50 different scan engines.

    https://www.virustotal.com/
    Thanks, I did not know about that. Great idea for a website. Looks like they use all the major malware detection engines. Only major defect is that they have max file size limits (<= 32 MiB if you use their convenient Windows right clickable app, <= 128 MiB if you manually upload via their website). This is actually a killer for me, since I need to scan file sharing downloads, such as TV shows.


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
