Is this true?

Diamond_G

Prominent
May 11, 2017
I heard that if I have a VM and make a shared folder read-only, viruses can't escape the guest that easily anymore... Should I believe it? Because I just want to experiment with viruses on a VM. Also, please tell me other things to keep in mind when doing this. Thanks.
 

mdd1963

Distinguished
Let's not confuse 'virus' with malware....

If you are dealing with true destructive malware designed to spread on networks, it is best to isolate the system you are testing from others, even if the intent is only infecting a VM contained within.

Have a full image backup of the host, in case something goes wrong.
 

Diamond_G

Prominent

1. Is using a NAT network and no shared folders considered isolating?
2. Is a read-only shared folder safer than no shared folders?
 

USAFRet

Illustrious
Moderator
1. Viruses can absolutely escape a VM.
2. Viruses can also detect being in a VM, and simply shut down. Rendering your investigation and experimentation useless.

Best and safest way to test/investigate/play with viruses and other malware is with a fully airgapped other system.
 

Diamond_G

Prominent
What would be the chances for a virus to escape the VM?
Also, is a NAT network and a read-only shared folder a safe way to do this?
 

USAFRet

Illustrious
Moderator


The 'chances' are 100% if the virus is written to do that, and has write access to something else.
'Read only' mitigates that possibility a lot. But I still wouldn't trust it. Especially with a system (or VM) I am purposely infecting.

But as said...if the virus detects that it is in a VM...it may just shut itself down. Giving you no real results.
 
