
Can a virus in a Virtual machine get into the host OS?

I want to play around with a pcap file that probably contains malicious objects that can be saved to the PC. I don't want to save it in my OS for obvious reasons, but I would like to know: if I save it in a virtual machine, use it for a few hours and delete the VM files, will it somehow manage to get into my host OS from the VM?


This is actually a really good question... I searched it up and came up with this from SuperUser.com

Quote

What every answer has missed so far is that there are more attack vectors than just network connections and file sharing, but with all the other parts of a virtual machine - especially in regards to virtualizing hardware. A good example of this is shown below (ref. 2) where a guest OS can break out of the VMware container using the emulated virtual COM port.

Another attack vector, commonly included and sometimes enabled by default, on almost all modern processors, is x86 virtualization. While you can argue that having networking enabled on a VM is the biggest security risk (and indeed, it is a risk that must be considered), this only stops viruses from being transmitted how they are transmitted on every other computer - over a network. This is what your anti-virus and firewall software is used for. That being said...

There have been outbreaks of viruses which can actually "break out" of virtual machines, which has been documented in the past (see references 1 and 2 below for details/examples). While an arguable solution is to disable x86 virtualization (and take the performance hit running the virtual machine), any modern (decent) anti-virus software should be able to protect you from these viruses within limited reason. Even DEP will provide protection to a certain extent, but nothing more than when the virus would be executed on your actual OS (and not in a VM). Again, noting the references below, there are many other ways malware can break out of a virtual machine aside from network adapters or instruction virtualization/translation (e.g. virtual COM ports, or other emulated hardware drivers).

Even more recently is the addition of I/O MMU Virtualization to most new processors, which allows DMA. It does not take a computer scientist to see the risk of allowing a virtual machine with a virus direct memory and hardware access, in addition to being able to run code directly on the CPU.

I present this answer simply because all of the other ones lead you to believe that you just need to protect yourself from files, but allowing virus code to directly run on your processor is a much bigger risk in my opinion. Some motherboards disable these features by default, but some don't. The best way to mitigate these risks is to disable virtualization unless you actually need it. If you aren't sure if you need it or not, disable it.

While it is true that some viruses can target vulnerabilities in your virtual machine software, the severity of these threats is drastically increased when you take into account processor or hardware virtualization, especially those that require additional host-side emulation.

Unless you're dealing with some hardcore viruses that haven't been discovered yet, you should be good. Just don't go starting the next WannaCry :D


My recommendation would be to disconnect the VM from the internet (remove the virtual network adapter) or put it in a host-only network (VMware Workstation/Player should support this). It can't suddenly attack the host OS if there is nothing connecting the two.
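As an added example (not code from the thread), the check below reads a VMware Workstation/Player .vmx file and lists every configured channel from the guest to the host or the network: network adapters that are not host-only, shared folders, clipboard/drag-and-drop integration and USB passthrough. The .vmx keys are the real VMware settings; both sample configurations are constructed, and treating a missing connectionType as bridged is an assumption.

```python
# Added example: audit a VMware .vmx guest configuration for guest-to-host
# channels before opening untrusted files in the guest. Sample configs are constructed.

RISKY_VMX = """\
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\analyst\\Downloads"
isolation.tools.dnd.disable = "FALSE"
usb.present = "TRUE"
"""

HARDENED_VMX = """\
ethernet0.present = "FALSE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
usb.present = "FALSE"
"""


def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict, ignoring blank or malformed lines."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip().strip('"')
    return cfg


def audit_isolation(cfg):
    """Return one message per configured path from the guest to the host or network."""
    findings = []
    for i in range(8):  # VMware numbers devices ethernet0.., sharedFolder0..
        if cfg.get(f"ethernet{i}.present", "FALSE").upper() == "TRUE":
            # Assumption: an adapter with no connectionType behaves as bridged.
            ctype = cfg.get(f"ethernet{i}.connectionType", "bridged").lower()
            if ctype == "hostonly":
                findings.append(f"ethernet{i}: hostonly still reaches the host's virtual adapter")
            else:
                findings.append(f"ethernet{i}: '{ctype}' network reaches the LAN/internet")
        if cfg.get(f"sharedFolder{i}.present", "FALSE").upper() == "TRUE":
            path = cfg.get(f"sharedFolder{i}.hostPath", "?")
            findings.append(f"sharedFolder{i}: host path {path} is exposed to the guest")
    for channel in ("copy", "paste", "dnd"):  # guest tools clipboard / drag-and-drop
        if cfg.get(f"isolation.tools.{channel}.disable", "FALSE").upper() != "TRUE":
            findings.append(f"isolation.tools.{channel}.disable is not TRUE")
    if cfg.get("usb.present", "FALSE").upper() == "TRUE":
        findings.append("usb.present: guest can drive real USB devices on the host")
    return findings
```

Running `audit_isolation(parse_vmx(open("guest.vmx").read()))` against a real guest should come back empty before the pcap goes in; an empty result does not rule out hypervisor bugs, only the configured channels.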


Nothing is better than a sandboxed physical machine. Grab an old laptop, or throw together a desktop out of scrap parts, play with all your malicious code, then format the drives from a Linux Live USB when you're done. This won't stop BadUSB though, so be sure to quarantine any suspected USB devices afterwards.

 

If you don't have any scrap hardware laying around, then VM is your safest bet, but just like condoms and birth control, nothing is 100% effective when dealing with viruses.


There are sandbox escapes, but to my knowledge those are only really done at hacker conferences as a proof of concept. I have yet to see one in the wild.
