How can you get a file into a VM without creating a potential malware breach? I was told to kill the internet connection, disable any type of sharing with the host, no copy paste, and no sharing disks, but how would I be able to get the files into the VM if it is secure from both sides? The file in question is about 36GB and there is a second file that is 678MB.
Thank you.
Shut down the vm, mount the vm disk, mv the files over, unmount the vm disk, start the vm.
That works because nowadays software doesn’t run itself, the system chooses what to run (sometimes at the users request).
When you shutdown the vm, there is no virtual computer interacting with the files on the vms disk. When you mount the vms disk, you’re just telling your system to treat the file that represents the vms disk as a filesystem. When you move the files to it, you’re just copying the files to the file that represents the vms disk respecting its filesystem then deleting the originals. When you unmount the vms disk you’re telling your system to wrap it up and let go of the file that represents the vms disk. Starting the vm is just telling your system to pretend that it has a fake computer whose disk is that file you mounted and wrote to which just so happens to have some new files in it, imagine that!
There’s another person saying you probably can’t figure out if the files you have are malware. I won’t go that far, but the reason most people don’t setup forensic environments (that’s generally what the computing environment you’ve set up is called when you’re doing what you’re doing) for their warez and instead raw dog it is that they have some security software and process they trust and if they get catch some kind of problem they plan on just restoring from backup.
You do have backups, right?
It’s rare for user targeted malware to have persistence, most of that technology is targeted at infrastructure like switches, edge and servers, so a wipe and restore is almost always a perfect fix.
encode it in base 64 and type it in
I can’t imagine how long it would take to do that with a 32GB file, or how many errors it they would have by the end.
Personally I just copy/paste into the VM over a network share, then disable networking before running (or enable with a firewall rule on the hypervisor to allow only internet access for the VM if it needs it)
Based on our recent interactions, I would say you probably don’t have the expertise necessary to evaluate whether the file’s safe. I very much doubt you’re gonna gain any new knowledge from doing this.
This isn’t a slight against you. I don’t have the expertise, either.
The point is that you isolate the VM after you get the file onto it but before running the potential malware. It’s not going to auto-execute, not if your Windows is patched and modern and up to date, we don’t live in the bad old days of floppy disks and CDs and USBs autorunning anymore (and for good reason).
If you are running a version of Windows (or anything) that is even capable of auto-executing code as it downloads, the malware you’re trying to test is the least of your worries because you’ll already have about a thousand other malware already running.
Create an ISO and mount that.
But really, it doesn’t matter how you get the file in before you open it. It’s extremely unlikely that it malware could be executed just by putting a file on disk.
Thank you. Just to confirm, do I make an ISO from a .7z file?
Sure. Put whatever file into an iso and mount it.
7zip is an archive format - creating an iso requires the raw files (unless you have 7zip installed in the VM to extract the zip file).
All that is unnecessary though, just enable a shared folder via the VM software (I assume they all do it now, VMware has had this feature forever). This isn’t a network share, it’s a virtual network share that only exists within VMware for that specific VM, and by default it’s read only.
Or put the files on a thumb drive, and connect that thumb drive to the VM.
Or enable networking on the VM, copy the files in, then disable the network card in the VM.
Getting the files in doesn’t require any special security, it’s when you’re executing the files that the VM needs to be isolated.
Start off with a clean slate. Windows, freshly installed from a Microsoft provided ISO (Assuming you’re looking at a Windows executable). Try to follow a guide on bypassing the MS account requirement (AtlasOS has a section of their guide telling you how to do this).
When you’re setting things up, there’s no restrictions to internet access, sharing, etc. You just have to be careful not to open/view the files you want to isolate, which is easy enough by for example putting the files in a password protected zip. You can also install any required tools now (like maybe 7zip).
At this stage, there’s a few options:
- The easiest is to put your files into a separate folder, then run a simple webserver, like with
python3 -m http.serveron your host. Then download it on the VM. - Another option is to mount the VMs disk, then copy the files directly. Turn off the VM, mount the disk, copy the files, unmount, then turn it back on.
- You could create a disk image that contains your files, readable by the VM.
When you’re ready to actually open the file, close off all access from the VM to the host. No networking, clipboard sharing, etc. Do this on the hosts VM settings, not inside the VM. Also note that without further tooling, it’s extemely difficult to tell if there’s any advanced malware present.
As soon as you view the potentially malicious files, consider anything coming from that VM as malicious. Don’t try to view/open files on your host, do not give it network access.
Malware can be (but often isn’t) incredibly advanced, and even an isolated VM isn’t a 100% guaranteed method of keeping it contained.
VMware’s shared folders is secure - by default it’s read-only, and it’s only visible to the specific VM on which it’s configured.
The client OS doesn’t even need a network card, VMware emulates the network just for the shared folder.
I assume other virtualization tools have a similar feature.
It’s not. There’s no way to be 100% certain the shared folder daemon on the host has absolutely zero exploits, same thing for the networking stack used for transport. That also includes VM disk I/O, virtual graphics output, and any other communication between guest and host. It’d take some really advanced malware to abuse such exploits, but you’re better off minimizing attack surface as much as possible. That means disabling (or removing) every possible form of communication between host and guest, unless absolutely necessary for operation.
thank you for the in depth responses. Do you know if it is follish to keep internet on my host when I have the VM have no network connections, or is it highly recommended to kill the internet for both host and VM?
If you’re this unsure about running potential malware in a VM, the best method is to just not run it at all.
You should be perfectly fine running with networking on your host, as long as you disable it in the VM configuration before running the potential malware.
It is not going to matter. If the malware can escape the VM, it’s going to do that regardless of host network access.
- The easiest is to put your files into a separate folder, then run a simple webserver, like with
Well the reason the VM is isolated is probably 2 fold,
- prevent a spread of whatever caused the issue in the first place
- protect any data on the isolated device for being manipulated and corrupting any forensic evidence that might be on the VM/machine
so if things are done correctly you shouldn’t copy any file to or from the isolated machine
