
Detections

Created: 05 Sep 2012 | 2 comments
Fabiano.Pessoa

Dear, good day.

Performing some tests a few days ago on the operation of virtual machines, I tested the transfer of files from a virtual machine to the real machine and vice versa.

Aware that, when it comes to attacks on companies, 80% of them occur from within the same company, I was able to observe that XP Mode (a virtual machine with the Windows XP OS) can seamlessly receive data transfers, etc., and copy them to the real machine.

Most of the competitor antivirus products tested did not detect an intrusion via this type of transfer (copy) to the real machine as an infection. They may or may not have this new code in their database, but the transfer was done and, in fact, left in place, treated the same as a normal network process.

The test was conducted using a backdoor that opens a specific port (15) and creates a "reverse shell".

Some, just because this code had only been identified in their database 2 days earlier, did not detect it and started to treat this code as normal on the PC.

XP Mode can act as a sandbox, but XP Mode enables integration with the host OS: it shares the primary disk, the clipboard and some other things between the 2 systems, in which case the virus can install itself on the primary OS partition. The detail is that this comes as the initial configuration.

A good solution for this type of case would be for the antivirus solution to perform a scan of this type of installation and make a correction, or suggest a correction, so that the user does not allow this type of integration to remain in their system; or to create a mechanism that detects, on demand, any type of real possible threat from installations that were not performed well, and also asks the user, with explanations, whether they even want to keep this type of configuration.

The point about information and unauthorized entries by these types of applications and settings is that many solutions are not 99.9%, because we know it is at most 99%.

SUMMARY: Creating a detection system that looks for settings outside the security standard, to define the best application based on testing by the end customer, would be safer.

I appreciate everyone's attention.
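The post proposes a mechanism that detects guest/host integration settings sitting outside a security baseline (shared host disk, shared clipboard, integration enabled by default) and reports them to the user. The following is an added example of such a baseline check, not code from the original post or from any vendor; the setting names (share_host_drives, share_clipboard, guest_av_enabled, integration_features) and both sample configurations are constructed for illustration and are not real XP Mode or Virtual PC configuration keys.

```python
"""Baseline audit of VM integration settings (added example, not from the original post).

All setting names and sample values below are hypothetical; they mirror the
integration features the post describes rather than any real product's keys.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Security baseline: setting name -> (expected value, severity, reason).
# Hypothetical names chosen to mirror the post: shared primary disk, shared
# clipboard, integration enabled out of the box, and on-access AV in the guest.
BASELINE: Dict[str, Tuple[bool, str, str]] = {
    "share_host_drives": (False, "high", "guest can write to the host's primary disk"),
    "share_clipboard": (False, "medium", "data can move from guest to host via the clipboard"),
    "integration_features": (False, "medium", "integration with the host OS is enabled"),
    "guest_av_enabled": (True, "high", "guest has no on-access scanning"),
}

SEVERITY_RANK = {"none": 0, "info": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    setting: str
    severity: str
    expected: Optional[bool]
    actual: Optional[bool]
    reason: str


def audit_settings(settings: Dict[str, bool],
                   baseline: Dict[str, Tuple[bool, str, str]] = BASELINE) -> List[Finding]:
    """Compare observed settings with the baseline.

    A setting that deviates from its expected value is a finding with the
    baseline's severity. A setting that is absent is reported as 'info', because
    the post's concern is precisely defaults the user never saw: an unknown
    value must be verified rather than silently assumed safe.
    """
    findings: List[Finding] = []
    for name, (expected, severity, reason) in baseline.items():
        actual = settings.get(name)
        if actual is None:
            findings.append(Finding(name, "info", expected, None,
                                    "setting not present; verify manually"))
        elif actual != expected:
            findings.append(Finding(name, severity, expected, actual, reason))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity among the findings, or 'none' when the config is compliant."""
    worst = "none"
    for f in findings:
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[worst]:
            worst = f.severity
    return worst


def format_report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, suitable for prompting the user."""
    lines = []
    for f in sorted(findings, key=lambda x: -SEVERITY_RANK[x.severity]):
        lines.append(f"[{f.severity.upper()}] {f.setting}: expected={f.expected} "
                     f"actual={f.actual} ({f.reason})")
    return lines


# Constructed sample: an out-of-the-box integration setup as the post describes
# (disk and clipboard shared, integration on, guest AV state unknown).
SAMPLE_DEFAULT_CONFIG: Dict[str, bool] = {
    "share_host_drives": True,
    "share_clipboard": True,
    "integration_features": True,
}

# Constructed sample: the same VM after the user has applied the baseline.
SAMPLE_HARDENED_CONFIG: Dict[str, bool] = {
    "share_host_drives": False,
    "share_clipboard": False,
    "integration_features": False,
    "guest_av_enabled": True,
}


if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_DEFAULT_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        found = audit_settings(cfg)
        print(f"{label}: worst severity = {worst_severity(found)}")
        for line in format_report(found):
            print("  " + line)
```

The audit is deliberately data-driven: the baseline is a table, so the list of settings a vendor considers risky can be extended without touching the checking logic, and a missing setting is surfaced rather than ignored, which is the failure mode the post is worried about (an insecure default the user was never asked about).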

Comments (2)

.Brian

You should post this as an article or blog.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Fabiano.Pessoa

Hi,

Will do... hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert