Honeypots mailing list archives
Re: (pacsec bonus) Re: VMWare Detection?
From: MrDemeanour <mrdemeanour () jackpot uk net>
Date: Fri, 19 Nov 2004 08:59:53 +0000
Lance Spitzner wrote:
> Lots of great discussions and tools demonstrated on detecting the use of VMware. Some pondering, if I may.
>
> - In reference to honeypots, is the detection of VMware a bad thing? Okay, the attacker gains access and identifies the system is using VMware. Lots of legitimate organizations use VMware, the economics of virtualization can be a big motivator. In fact, this will potentially grow. So, I would contend that the detection of VMware does not automatically mean honeypot.

Indeed. My employer is a software manufacturer; our sales teams use VMWare extensively.

* Snapshot facility allows them instantly to restore a demo system to a known state.
* Demos of pre-release product can be configured once and distributed to the field as a working system that will work on any VMWare-equipped notebook.
* Notebooks used for demos can also be used for production work (business email, document preparation etc.) without risking de-stabilising the demo system, by switching to a production partition.
* Our software is server software. If it is necessary to demonstrate the software as distinct client and server systems, this can be done on a single notebook computer.

I'm also informed that VMWare does a *much* better job of memory management than Windows does. If you are running a large Java VM, consuming (say) half a gig of memory, as well as a RDBMS and other special services, it is apparently advantageous to use VMWare to divide the system in two. I haven't tried this, so I don't know what partitioning scheme works best.

VMWare wasn't invented for honeypot operators. On the contrary, I'd expect honeypot operators to be very much in the minority of VMWare users.

> - If an attacker does detect VMware, and assumes it's a honeypot and leaves the system, does this mean that VMware is potentially more secure for production systems?

I'd say that *potentially* VMWare is more secure anyway, if for no other reason than the fact that it can be instantly restored to a known configuration.

--
Jack.