
I'm by no means a cybersecurity expert but I'm very interested in security and privacy protection for my own good.

I use Windows 10 Pro and there's this cool feature called Hyper-V, which is a Windows native VM so that you can run a Windows 10 machine within Windows 10.

I use this Hyper-V VM a lot when I have to access some dubious sites or some sites that demand me to install bloatware in order to proceed. I'm basically expecting to keep them all in a single isolated sandbox so that something malicious in the VM can never affect my host PC that I really care about.

However, I noticed that I can easily download a file to my host PC's C:, which is weird because I thought they were supposed to be separated and unreachable.

So I think there are a few possible reasons for this:

  1. Hyper-V never actually isolates your environment and virus/malware can still penetrate through Hyper-V VM to your host PC.
  2. My Hyper-V setting is wrong.
  3. It's a bug.

I'm guessing that 1 is the most plausible scenario because 2. my settings are mostly default and 3. Microsoft has maintained Hyper-V for like a decade.

Cybersecurity-wise, is it a bad idea to rely on a Hyper-V VM as a sandbox? I even bought an extra Windows 10 license for this.

user8491363
  • Are you actually running a **guest** VM within Hyper-V or are you assuming that Hyper-V "enables" your system to run **as** a VM? – Mokubai May 12 '21 at 14:17
  • Hyper-V is really no different to Virtualbox or VMWare Player for "normal" use. You still have to set up and install a guest VM within the platform, be it Hyper-V, VMWare or Virtualbox. There is a [Windows Sandbox](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) Windows feature that kind-of does what you are describing.. but that is again a VM *within* your main system. Anything you do outside of the sandbox is ipso-facto within your "host" system. Just enabling Hyper-V doesn't suddenly confer any kind of protection. – Mokubai May 12 '21 at 14:22
  • Hyper-V VMs are not considered a sandbox; virtual machines in general are not considered to be sandboxes. Windows Sandbox (a feature that uses Hyper-V) has additional protections and isolations. However, what does not make sense is your ability to download a file to your host machine from within the VM itself. While malicious software theoretically can escape the hypervisor, software that has that capability (or even the capability to detect it's running within a VM) is extremely rare. How exactly did you determine you are writing a file to the host OS? Are you actually asking about WS? – Ramhound May 12 '21 at 14:23
  • @Ramhound No, I'm talking about Hyper-V, default settings since I created it with the "quick create" feature. I thought Windows 10 running in Hyper-V is not able to communicate with the host PC's Windows 10, but as I described, I could just casually download a file to a destination in the host PC. I just downloaded a document from Chrome and I could see all of the host PC's file system. Clicked download, and boom - it was downloaded to the host PC destination. – user8491363 May 12 '21 at 14:36
  • @user8491363 To me that still sounds as if you ran Chrome on the host itself and not in the VM. Did you actually install Chrome inside the VM ? It doesn't appear in the VM by magic. – Tonny May 12 '21 at 14:40
  • @Mokubai I just assumed that since Hyper-V is a virtual machine, it would somehow create a safe sandbox for me. I never even knew something like guest VM existed. (I thought all virtual machines were sandboxes) So what you're saying is that Hyper-V running Windows 10 is not enough and I have to use something that's called Windows Sandbox for my purpose? – user8491363 May 12 '21 at 14:41
  • @Tonny Of course I installed Chrome in Hyper-V VM Windows 10. That's what I thought was weird. I was printing a document as PDF and was prompted to select the download location and the prompt was actually showing the file system of my host PC, not the VM I was working on. – user8491363 May 12 '21 at 14:45
  • If all you have done is "created" a machine without running it or actually connecting to it then you are not actually *using* the virtual machine. I've just spun up a VM in Hyper-V and it is effectively isolated from the host. I think you've downloaded a premade VM, but not actually run or connected to it in Hyper-V. – Mokubai May 12 '21 at 14:45
  • @user8491363 - Hyper-V is a hypervisor. When you downloaded this file, you were downloading it within the guest OS only if you had booted into a guest OS installed on the VM; if you are not booting into a guest OS installed on the VM, then it makes complete sense that you are downloading a file to the host OS. – Ramhound May 12 '21 at 15:06

1 Answer

It sounds like you are misunderstanding what exactly Hyper-V is and does.

Enabling Hyper-V does not convert your currently running system into a core "host" and safe "guest" system.

Hyper-V is a virtual machine platform, in the same way that Virtualbox and VMWare Player are VM platforms. These programs and services provide the virtual "computer" that surrounds a virtualised CPU, including things like the network hardware, display, and other emulated I/O devices.

If all you did was "enable" Hyper-V then you have not done anything that would confer any kind of virtual machine protections on your system. You would have to configure a VM within the Hyper-V Manager, download a Windows ISO image, attach it to your VM and then install as you would on any other computer. You would also need to purchase a Windows licence for that virtualised operating system; Windows licences do not grant unlimited VM use.

When you right click the running machine and select "connect" you should expect to have a Window within your Windows system, something like this:

[image: screenshot]

If you did not do that then you do not have any kind of "sandboxed" system. Any actions you perform in your computer outside of a specifically created VM are on your actual computer.

If you are wanting a throw-away sandbox style system without needing to buy additional Windows licences then you might want to look into the Windows Sandbox feature, which creates an incredibly streamlined copy of your existing Windows system inside a virtual machine that is completely discarded the moment you close the sandbox. It acts very much like any normal VM, but is much lower profile. It is not really "secure" though, as it has the same access to your network (and any shared devices) as your main machine, and malware could potentially scramble or encrypt devices on your network, though your local disk is not directly visible. I do not know what other security implications it may have. It requires Windows 10 Pro as a minimum.

When enabled (see the page I linked above) you will end up with a "Windows Sandbox" application that you run whenever you want a lightweight "computer" to mess about with things. Bear in mind that it is 100% volatile and the moment you close the Sandbox then everything you did within it is lost.

Mokubai
  • While Windows Sandbox is contained within a virtual machine, and Windows Sandbox does have security features, and it was designed to run software that would exist temporarily, it's not a perfectly isolated solution. I personally would not run known malicious software within it, especially if you automatically mount network locations within it, due to malware that uses exploits like EternalBlue. WannaCry, one of the best-known pieces of malware that used that particular exploit, would encrypt ALL files located on any volume or attached network drive the user had access to. – Ramhound May 12 '21 at 15:11
  • @Ramhound thank you, that was kind of what I guessed but had not looked into in enough detail. Indeed from a quick test I found that Windows Sandbox can see any network devices your host system can see and that is indeed a very big security concern. I would only see it as useful for "mostly trustworthy" software and testing in that case. If I *knew* something was malware then I wouldn't let it anywhere near any machine I valued, and definitely not with any kind of network connection that wasn't physically isolated from the rest of my network. – Mokubai May 12 '21 at 15:17
  • 1
    I kind of get the feeling that Windows Sandbox is primarily of use to software QA testers. People who want to install in a clean environment and prove things work, but not end up with all the garbage cluttering up the main system and potentially conflicting with other things such as older or newer installs. – Mokubai May 12 '21 at 15:20
  • I will be honest, I am not entirely sure what Windows Sandbox is supposed to be used for; I suspect Microsoft saw an opportunity to compete with Sandboxie, but that project ended up just going open source. Sandboxie was great: you could use it within a virtual machine and feel relatively safe. – Ramhound May 12 '21 at 15:29
  • @Mokubai if you are worried about networked devices, you can disable networking in Windows Sandbox as well as enabling "protected client" mode. Windows Sandbox gives you all the options you need to test malware in it without compromising your host. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file . Sandboxie fails to properly contain program files, especially those that need admin rights; I tested it myself a few days ago with Photoshop and some of its files installed outside the sandbox. –  Aug 13 '22 at 21:49
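The network and device sharing concerns raised in the answer and the .wsb settings mentioned in the last comment can be combined in one configuration file. The following is an added example, not from any of the posters or from Microsoft's documentation; the host folder path is a constructed placeholder.

```xml
<Configuration>
  <!-- No virtual NIC at all: the sandbox cannot reach the LAN or the internet,
       so a sample cannot touch shares or other devices on the home network -->
  <Networking>Disable</Networking>
  <!-- Protected client mode: the RDP session into the sandbox runs with the
       stricter isolation settings -->
  <ProtectedClient>Enable</ProtectedClient>
  <!-- No host/sandbox sharing of clipboard, printers, microphone or camera -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <!-- No GPU sharing with the host; the sandbox falls back to software rendering -->
  <VGpu>Disable</VGpu>
  <MemoryInMB>4096</MemoryInMB>
  <!-- Only one host folder is exposed, read-only, to carry the file under test in.
       C:\SandboxDrop is a constructed placeholder; nothing on the host is writable -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\SandboxDrop</HostFolder>
      <SandboxFolder>C:\Drop</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
```

Save it with a `.wsb` extension and double-click it to start the sandbox with these settings; everything inside is still discarded when the sandbox window is closed, as the answer describes.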