Snapshots are points in the history of the virtual machine. It is necessary to take a snapshot of the system prior to unleashing the malware. You can access this feature in VMware Workstation by clicking on VM > Snapshot > Take Snapshot<\/p>\n\n\n\n After you unleash the malware and perform analysis we can revert by clicking on VM > Snapshot > and choosing either Snapshot Manager or clicking on desired snapshot.<\/p>\n\n\n\n Setting up host-only networking<\/strong><\/p>\n\n\n\n Host-only networking sets up an isolated virtual network within the host system. By default this configuration cannot connect to the internet. <\/p>\n\n\n\n To set this up we have to either create a virtual network or use an existing one in the Virtual Network Editor.<\/p>\n\n\n\n By default there is already a virtual network named VMnet1. The screenshot below shows VMnet0 was created after we clicked on \u201cAdd Network\u201d. We enabled Host-only configuration as well. <\/p>\n\n\n\n Afterwards we need to set our virtual machines network adapter to the host-only network. Access the settings for your particular virtual machine through VM >Settings.<\/p>\n\n\n\n In the image below you can choose the default Host-only network VMnet1 or the custom network we created. Make sure your virtual machine is not started when you change this or you would need to restart for the change to take effect.<\/p>\n\n\n\n Ensure your Hypervisor is up to date<\/strong><\/p>\n\n\n\n A hypervisor is the software where you are creating, running, and managing your virtual machines from. Some malware have been known to have the ability to recognize they are inside a virtual machine and will modify their behavior or even escape. Software updates will help prevent this. For this project our group used VMware Workstation 16 and you can check for updates through Help > Software Updates.<\/p>\n\n\n\n Do not connect the laboratory system to the production network<\/strong><\/p>\n\n\n\n Earlier we took care of this by enabling host-only networking.<\/p>\n\n\n\n An additional precaution we can take is disabling \u201cConnect a host virtual adapter to the network\u201d. Per the vmware documentation, if this is enabled then we will connect a physical network on the host system to the virtual network.<\/p>\n\n\n\n Make it harder for the Malware to realize it is in a VM<\/strong><\/p>\n\n\n\n A malware may be able to recognize it is in a virtual machine by the presence of virtual machine related software within the VM. For our configuration we would remove VMWare tools which allows us to copy and paste text or drag and drop files into the VM.<\/p>\n\n\n\n Disable Shared Folders and facilitate Guest Isolation<\/strong><\/p>\n\n\n\n Access the settings for a particular VM through VM > Settings.<\/p>\n\n\n\n Shared Folders facilitate the transfer of files between the physical and virtual machine. However as shown by the warning in settings, this added point of contact could be exploited by malware.<\/p>\n\n\n\n Similarly we can decrease additional points of contact by disabling \u201cdrag and drop\u201d and \u201ccopy and paste\u201d<\/p>\n\n\n\n Sources Cited<\/strong><\/p>\n\n\n\n Last week I demonstrated how to setup a basic virtual network consisting of two windows virtual machines. For this week’s blog I will share some tips I found to prevent malware from escaping your virtual machine and infecting your physical machine. Disclaimer: this list is not an exhaustive list of precautions to take as our […]<\/p>\n","protected":false},"author":12309,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-24","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts\/24","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/users\/12309"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/comments?post=24"}],"version-history":[{"count":1,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts\/24\/revisions"}],"predecessor-version":[{"id":25,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts\/24\/revisions\/25"}],"wp:attachment":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/media?parent=24"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/categories?post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/tags?post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/lh5.googleusercontent.com\/d2ELuADkKzFyI0mOAg1LphdqlaEWNQLmvAZ_CivLMnMxH-s-0Kg31TPsMDap-73SA2SZx4dOs-Wd30GO-pJQFdA2ia31A4F-Oayc0GvHyY530_YC4bNALxVm00x9FW-RDziHHxh7\")
![\"\"](\"https:\/\/lh5.googleusercontent.com\/2QFW61lgdr2fy4xMncpoOgO3pj71CCefBj71vIMx31TeNnJdGlDZ3ndMA6orKHZXMBm5NWuOXsZXmii83GrkV_uYAz7-ZzB_jnHEsSCXQ13cZcPIK_FV7bt_u_bxV1ppRp97FL59\")
![\"\"](\"https:\/\/lh5.googleusercontent.com\/o74s6h2VGC7zuK2Zprp56BUHBt78Kr6sutApla3BkXHLsQiL6RisDFiOMZbWqbgrUOz12wDxqXWi_GKbpcokdTKeTmZ7OJ0DgXZTgAcooazO_ahXqYTgXzRW3KO5GKVpPqpgRCBA\")
![\"\"](\"https:\/\/lh5.googleusercontent.com\/HnBeStRlI3pYcs1euRB2BSKbcP1wJE2FZHJQkMjIV1cBP_x0NKLIm7iu0e2NP_tbD3LZ55yderMuCRhuzn5XpOWiR7g4JvcMjU68pYIAcuTf0l66dAdzCscd9PqQiABvoqkK11V5\")
![](\"https:\/\/lh3.googleusercontent.com\/u08pfvUajZPPq967kOXbaHinwq6EywTwFk3PlcNbxZjcTW9CnV2zwmcWKpH49LepDKi_AlOej5SO7KGmwrH7ArDcKit7A3D63ODbiCvxq-74jMyhNp8Yz70o4Hshm4zpEUl2akyX\")
![\"\"](\"https:\/\/lh4.googleusercontent.com\/vHW-gimrEkRDl_-7gpUsQhlvx3tvqYkBY5qWcpYY22WDtKPL087wYs0famcMZn-7Ns-U3cvC4OnqUTHqSBkya4F3rnCA8_CxeMuQTgyvVdCAgq6Rnqe145WM6DnaFVrLV78GRoqq\")
![\"\"](\"https:\/\/lh3.googleusercontent.com\/yDSf-AiBaFizlBHvDengOKXvVSRijTsfvSzLcWWfiuDcLh7V8-Hb9feIopHYY_nXHrkW6VroOEdTix5jySW-qa-KjobMwLOrQCiovj6P3vA6bkMePE0e4xN0TtW7NnoLKiR1bsz1\")
![\"\"](\"https:\/\/lh6.googleusercontent.com\/pypEoKhsk8fKFEF01CA63Qn72GV49KxDwTVJiNV1lPSJganvUSxL8FGF2WMEWA0nPGolsdwBKr2V3xyRt8VZJj-YaWczS3HLtCs8FJssGAyxgfGBg482zNAwlUJ_BYDd9Sdp4KTj\")
![\"\"](\"https:\/\/lh4.googleusercontent.com\/-riEiRMmEd5UER2LUn_gm7bTdIXipZcsGJJX59TzAmw5pb-bqAoKuOAuw3TRL2bNeIVcHD0PGOSzjC6yQFixrQzTpVK1q7w0N-uXmiOFevKk51Tdccc7kfgUg1_0Bf7SMqH63tKs\")
![\"\"](\"https:\/\/lh4.googleusercontent.com\/kqIUqEiRS2EWLGvzg7zPDR90LDIznDZEfFFbOFtsRWcZREfUas3LtTPvTJcBMNlE8sbdt7fSCb03KWv8vUCKGLt2ucgKUIxc47Gf2YkuQ7EMk89RngjYakxJOQWw0pbfzXEBQfr0\")
![\"\"](\"https:\/\/lh6.googleusercontent.com\/FIQzWZZO6UCINx1YTCuPGWGGMsrcq-ADQ7fHfbtixgJhSPEN6697-Kqza6BMPICZsN2K8F681eqe34Mv2A3IT-nj43REOBZ9PnS7yh4dD_vt8HPd0TFzSskNH6MZSSfW_PzFaCzF\")