Using VMware on suspect software (possible virus/trojan/rootkit)

damunzy (recovering former mod, Retired Moderator)
Joined: Oct 29, 2000 | Messages: 4,981 | Location: NJ, USA
I have a piece of software that I am almost 100% sure is infected (AVG Free 8.5 shows that it is, but AVG has quite a few false positives with the software that I deal with). I decided to load up VMware Workstation 6.5.2, installed XP SP2, made a snapshot, and installed the suspected software. I installed UnHackMe 5.00 and it finds some suspect pieces of software; 3 of the 4 are VMware software. The 4th I upload to Kaspry and they verify that it is a virus/trojan (and in Windows\system32\).

All that is good, but what worries me is that VMware won't let me install it in itself. Why does that worry me? Well, what is to keep a virus/trojan from doing a check like this also and refusing to install on my VM test system? I test it out and think it is clean when it actually isn't: it installs on a non-VM system.

I guess my final question is, is there any way that I can hide that I am installing the software on a VM? I don't think that going with a less well-known VM is a good idea; even though security by obscurity can work, that is still no guarantee.

Thanks in advance!
 
The easiest solution is to install and run the software out of a sandbox.
If you really want to play virus hunter, get a dedicated test system, and install the software there. Monitor network traffic and file I/O for questionable activities.
 
Yes AVG is terrible. I know it's free but it has so many obvious false positives that any real warning can easily get drowned out. I usually go with NOD32. The detection rate is good and the resource allocation works better on VMs.

If you are concerned about your VM software being well known, you aren't limited to VMware. VirtualBox by Sun is very well known and works very well; it's also free. You could get VirtualBox up and running very quickly and see if it will install there.

There is the possibility that your host can be infected. You really shouldn't be testing a virus etc. on systems that are not dedicated to that task and expendable, so you should create a sandbox on a dedicated machine.
 
Another alternative is to run it through http://www.virustotal.com. This is what I do with nearly everything AVG detects. (I had about 3, two were false positives and the third was a real virus, I downloaded it from a trustworthy site that somehow got hijacked. Or something like that.)
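One way to do the file monitoring suggested earlier in the thread and to get a hash for a VirusTotal lookup, as an added example that is not from any poster here: snapshot a directory tree before and after the suspect installer runs, report what appeared or changed, and emit SHA-256 digests that can be submitted to virustotal.com. The Windows\system32 layout and file contents below are constructed stand-ins built in a temporary directory so the script runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (the hash VirusTotal can be queried by)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files that appeared, changed or vanished between the two snapshots."""
    return {
        "added": {k: after[k] for k in after.keys() - before.keys()},
        "modified": {k: after[k] for k in after.keys() & before.keys()
                     if after[k] != before[k]},
        "removed": sorted(before.keys() - after.keys()),
    }


def demo() -> dict:
    """Constructed run: baseline, simulated installer side effects, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "system32"          # stand-in for the guest's system32
        sys32.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"legit dll contents (constructed)")
        (sys32 / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        before = snapshot(root)
        # Simulated installer: drops one new file and edits the hosts file.
        (sys32 / "svchost32.dll").write_bytes(b"constructed suspicious payload")
        (sys32 / "hosts").write_bytes(b"127.0.0.1 localhost\n0.0.0.0 update.example\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)           # hashes under "added" are what you submit for a lookup
```

Run the baseline snapshot from the clean VM checkpoint and the second one after the install; anything under "added" or "modified" in system32 is what to hash and look up.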
 
I haven't had AVG Free detect a virus in a very, very long time, but I try to be smart and careful with my browsing habits and use Opera and FF.

I'm not going to pay for anti-virus nor can I afford it (I need to save my money for college and moving out).
 