[SOLVED] Safest way to create a completely isolated VM for questionable software testing?

[RLarcosPES2]

Basically I am asking on how to setup a completely isolated virtual machine not linked in absolutely no way to my local network while still using the same internet connection. I plan on using Linux on the Virtual Machine. So is there an alternative to Clam AV? Is there a proper antivirus on Linux to check if the software is checked before transferring to the main machine? If there is not I will use Windows without any problem. How to use multiple scanners on the OS without uploading files to virustotal. Basically use a service like virustotal offline without uploading anything which could take months uploading multiple big files.

Also, how will I transfer data from the machine to the host OS? After verifying said software is malware free of course. This is baffling me a lot.

 

[Alabalcho]

If your VM will have access to Internet thru your home network, then it will have access to every device on your home network as well.

When configuring the VM, configure it's network adapter as "NAT", not "bridged" or "host" (different VM hosts use different terminology).

You cannot have completely isolated VM, and transfer files back and forth to it. Use cloud service. There's no 100% sure way to verify "a software is safe".

 

[RLarcosPES2]

If your VM will have access to Internet thru your home network, then it will have access to every device on your home network as well.

When configuring the VM, configure it's network adapter as "NAT", not "bridged" or "host" (different VM hosts use different terminology).

You cannot have completely isolated VM, and transfer files back and forth to it. Use cloud service. There's no 100% sure way to verify "a software is safe".

Thank you for your reply. Do you know any way to use a service like virustotal offline for very big files? Regardless of OS.

 

[NightHawkRMX]

I agree. There is no real way to have a completely isolated VM.

You could look at Wireshark or something to see if it is doing anything malicious on the network and then shut off the internet to the VM.

 

[USAFRet]

Safest way to create a completely isolated VM for questionable software testing?

If it is that questionable, a fully 100% airgapped PC or laptop.
No VM, no ethernet, no WiFi.

 

[mdd1963]

Alas, having questionable software on a system not connected to the internet may not reveal very much, possibly even leading to the erronious conclusion a piece of software appears safe by apparent lack of activity/ill-effects in such testing... Many times, however, payloads may not be activated until /unless a system is connected, and pulls in other malware from 'homebase' file repositories, depending on original instigator's complexity and design...

 

[Alabalcho]

Thank you for your reply. Do you know any way to use a service like virustotal offline for very big files? Regardless of OS.

I have never used said service, but for "files" - any self-respecting anti-virus should do the job.

 

[USAFRet]

Alas, having questionable software on a system not connected to the internet may not reveal very much, possibly even leading to the erronious conclusion a piece of software appears safe by apparent lack of activity/ill-effects in such testing... Many times, however, payloads may not be activated until /unless a system is connected, and pulls in other malware from 'homebase' file repositories, depending on original instigator's complexity and design...

Thisis true.
And the other side of that is some malicious software will detect the presence of being in a VM, and disable itself.

So, you move the wall up a level, and let this little network be walled off from any system you wish to keep safe, but still have its own connection to the outside world.
But you absolutely don't put it on the same LAN as the other systems you wish to keep 'safe'.

A lot depends on what "questionable software" we're testing here.
Known or suspected virus?
Sketchy/cracked licensed software?

Each would be treated differently.

And why are we doing this?

 

[RLarcosPES2]

Is there a way to create a VLAN(virtual Lan) not connected to my main network? If not on a VM on a seperate machine.

Questionable software include sketchy emails, websites, cracked software, software from sources I do not completely trust(I found a virus in HWMonitor once and I search the net it was a common issue).

Does anyone how to keep multiple Antivirus databases in one machine without them conflicting each other?

 

[USAFRet]

sketchy emails - Delete and/or contact the sender out of band "Hey, did you send me this?"
websites - Generally, a Linux VM is good for this. Inspect the site code.
cracked software - Why would you do that? You're on your own with this.
software from sources I do not completely trust - Again, why?

 

[RLarcosPES2]

Essentially what I need is a place to completely sandbox software for testing purposes. I want to obtain skills in security research but I want to be completely safe and completely isolated from my main system where I cannot afford to be compromised. I have some disposable email addresses and I use them as testing against potential scammers and spam mails from main accounts(I basically send them mail through those disposable accounts not from my main ones).

 

[USAFRet]

"completely safe and completely isolated from my main system where I cannot afford to be compromised. "

Then it needs to be completely isolated. Fully airgapped. Fully independent hardware.

 

[RLarcosPES2]

Is it safe to use my 4g network on this?

 

[USAFRet]

Is it safe to use my 4g network on this?

Done correctly, maybe probably.
Done incorrectly, no.

"obtain skills in security research "
There are multiple levels of classes on this.

 

[RLarcosPES2]

Done correctly, maybe probably.
Done incorrectly, no.

"obtain skills in security research "
There are multiple levels of classes on this.

What is the correct way?

Sorry for many questions but security is one area I haven't really touched before.

 

[USAFRet]

What is the correct way?

Sorry for many questions but security is one area I haven't really touched before.

Messing with known (or suspected) malicious software is easy to screw it up if you're not rabidly careful.
'oops, I forgot I had that shared folder'
'oops, I forgot which flash drive had the infected gunk on it'
'oops, I was in a hurry and logged on to my bank/school/TomsHardware website from the wrong system'
'oops, I wiped the wrong drive'

The number of possible 'oops' is many.

Which is why we keep harping on 'fully airgapped separate system'.

I'm in the process of setting up one of my old laptops to do some practice in forensics data recovery.
Complete self contained system, absolutely no connection to other systems in the house.
Whatever happens to this laptop is of no concern. I can't accidentally wipe the wrong drive, or even a shared folder. Or accidentally overwrite something else.
When I'm done with this test (which will take several days), I'll recover the full drive image from before I started.

Investigating known malicious software requires even more delicacy.

 

[RLarcosPES2]

To summarize, I'll have to get an old PC to test the things I want, use my 4g network from my phone, or another separate network. Thank you for your help.

Can I use a service like virustotal offline? Is it even necessary?

 

[USAFRet]

To summarize, I'll have to get an old PC to test the things I want, use my 4g network from my phone, or another separate network. Thank you for your help.

Can I use a service like virustotal offline? Is it even necessary?

PC, yes.
I wouldn't even imagine doing that testing on my main system, VM or otherwise.

virustotal? It would seem that you'd need to upload to them, so...

 

[NightHawkRMX]

really just dont go to shady software sites and yoy have no software or websites to test.

 

[RLarcosPES2]

really just dont go to shady software sites and yoy have no software or websites to test.

No research means no learning. Knowledge is power

PC, yes.
I wouldn't even imagine doing that testing on my main system, VM or otherwise.

virustotal? It would seem that you'd need to upload to them, so...

I will try to install multiple antivirus on the test system.


Thank you all for your time!

 

[USAFRet]

I will try to install multiple antivirus on the test system.

Multiple active AV on one system can create its own issues.

 

[RLarcosPES2]

Multiple active AV on one system can create its own issues.

So how can I achive this? Having multiple antivirus engines canning one file? Apart from using multiple VMs on the test machine something which is not possible since the test PC is complete garbage.

 

[USAFRet]

So how can I achive this? Having multiple antivirus engines canning one file? Apart from using multiple VMs on the test machine something which is not possible since the test PC is complete garbage.

Either increase your hardware, or lessen your investigations, or increase the time it takes (reimage the PC between each test).

Yes, this stuff is hard.

 

[RLarcosPES2]

Either increase your hardware, or lessen your investigations, or increase the time it takes (reimage the PC between each test).

Yes, this stuff is hard.

Will the hard drive die if I keep reinstalling the OS on a regular basis?

 

[NightHawkRMX]

Will the hard drive die if I keep reinstalling the OS on a regular basis?

It shouldn't do anything to a hard drive.

It would eat into read-write count on SSDs, but nothing that really should shorten the drives life significantly even then.