
 

Welcome to the Virus.Org Mailing List Archive




Re: (pacsec bonus) Re: VMWare Detection?

  • To: Lance Spitzner <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
  • Subject: Re: (pacsec bonus) Re: VMWare Detection?
  • From: MrDemeanour <[EMAIL PROTECTED]>
  • Date: Fri, 19 Nov 2004 08:59:53 +0000
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
 
Lance Spitzner wrote:
> Lots of great discussions and tools demonstrated on detecting the use of VMware. Some pondering, if I may.
>
> - In reference to honeypots, is the detection of VMware a bad thing? Okay, the attacker gains access and identifies the system is using VMware. Lots of legitimate organizations use VMware, the economics of virtualization can be a big motivator. In fact, this will potentially grow. So, I would contend that the detection of VMware does not automatically mean honeypot.

Indeed. My employer is a software manufacturer; our sales teams use
VMWare extensively.

* Snapshot facility allows them instantly to restore a demo system to a
  known state.

* Demos of pre-release product can be configured once and distributed to
  the field as a working system that will work on any VMWare-equipped
  notebook.

* Notebooks used for demos can also be used for production work
  (business email, document preparation etc.) without risking
  de-stabilising the demo system, by switching to a production
  partition.

* Our software is server software. If it is necessary to demonstrate the
  software as distinct client and server systems, this can be done on a
  single notebook computer.

I'm also informed that VMWare does a *much* better job of memory
management than Windows does. If you are running a large Java VM,
consuming (say) half a gig of memory, as well as a RDBMS and other
special services, it is apparently advantageous to use VMWare to divide
the system in two. I haven't tried this, so I don't know what
partitioning scheme works best.

VMWare wasn't invented for honeypot operators. On the contrary, I'd
expect honeypot operators to be very much in the minority of VMWare users.

> - If an attacker does detect VMware, and assumes it's a honeypot and leaves the system, does this mean that VMware is potentially more secure for production systems?

I'd say that *potentially* VMWare is more secure anyway, if for no
other reason than the fact that it can be instantly restored to a known
configuration.

--
Jack.

 
 
Copyright (c) Virus.Org 1997-2006.