How VMware helps combat Viruses

I am not talking about a new Anti-virus solution or a new product, even though VMware does offer VMsafe for this exact purpose.

Today I was hit with a very clever phishing attack.

Details can be found here. In short, a customized email was sent to a large number of employees, specifically addressed and personalized. The link was to a site that looked like an Outlook Web Access page, with a message claiming that IT support required you to click on the file to update your settings. Of course the file is a Trojan which does all kinds of nasty things, as you can see on this report.

Now how is this connected to VMware? Well, I knew this was a virus. But we needed to assess what it was doing, and the only way to do that is to run the file. But knowingly infecting your computer with something like this is not the brightest idea, to put it mildly, and who can predict what it will do?

But what if you had a machine that you could run the virus on, disconnected from the network, record the actions, export log files etc. and then return it back to the original state?

Do I hear anyone say a VM? Anyone?????

So this is how it went:

  1. Workstation VM.
  2. Host-Only Network
  3. Snapshot VM
  4. Disconnect VM network card
  5. Import exe file (virus) with USB key
  6. Start up Wireshark
  7. Start up Procmon
  8. Run exe file
  9. Record all actions
  10. Stop Procmon and Wireshark capture
  11. Save captures for further analysis
  12. Export all to USB key.
  13. Revert VM snapshot to previous state.
  14. Repeat process twice more

Now if I wanted to I could have reverted the snapshot back to the previous state before the virus had touched it, and continued to use it, but since this is a test VM that I use for this kind of incident, I trashed it. Better safe than sorry.

Logs were analyzed, virus activity was identified and measures were taken to protect the network. Report sent to AV Software provider to provide updated signature files that will identify and remove the virus.
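Step 11 above saves the Procmon and Wireshark captures for analysis. The script below is an added example, not part of the original post or of any VMware or Sysinternals tool: it is the first-pass triage I would run over a Procmon CSV export before reading the capture by hand. It follows the sample's process tree (the sample plus every process it creates), then lists what those processes wrote to disk, which registry values they set (flagging autostart locations), which endpoints they connected to, and which child processes they launched. The column names are the ones Procmon writes when you use File > Save in CSV format; the process name sample.exe, the PIDs, the paths and the 203.0.113.7 address are all constructed for the example and are not taken from the report the post links to.

```python
"""Triage a Procmon CSV export from an isolated analysis VM.

Added example (not from the original post). Assumes the capture was saved via
Procmon's File > Save... in CSV format, which writes the columns
"Time of Day","Process Name","PID","Operation","Path","Result","Detail".
The process name "sample.exe" and every log line below are constructed.
"""
import csv
import io
import re

# Constructed Procmon CSV export (not a real capture). Quotes inside a field
# are doubled, as Procmon's CSV writer does.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1204","Process Create","C:\\Users\\lab\\Desktop\\sample.exe","SUCCESS","PID: 3320, Command line: ""C:\\Users\\lab\\Desktop\\sample.exe"""
"10:01:02.3","sample.exe","3320","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.4","sample.exe","3320","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe","SUCCESS","Offset: 0, Length: 98,304"
"10:01:02.5","sample.exe","3320","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 96, Data: C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe"
"10:01:02.6","sample.exe","3320","Process Create","C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe","SUCCESS","PID: 3388, Command line: ""C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe"""
"10:01:03.0","svchost32.exe","3388","TCP Connect","lab-vm:49712 -> 203.0.113.7:8080","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65535, rcvwinscale: 8, sndwinscale: 8"
"10:01:03.1","sample.exe","3320","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:01:03.2","svchost.exe","880","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain","SUCCESS","Type: REG_SZ, Length: 2, Data: "
'''

# Registry locations that give a program a foothold across reboots.
PERSISTENCE_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\SYSTEM\CurrentControlSet\Services",
)


def sample_process_tree(rows, root_name):
    """Return the PIDs of every process named root_name plus all descendants.

    Procmon records a child's PID in the Detail column of the parent's
    "Process Create" event, so we walk those events until no new PID appears.
    """
    pids = {r["PID"] for r in rows if r["Process Name"].lower() == root_name.lower()}
    changed = True
    while changed:
        changed = False
        for r in rows:
            if r["Operation"] == "Process Create" and r["PID"] in pids:
                m = re.search(r"PID:\s*(\d+)", r["Detail"])
                if m and m.group(1) not in pids:
                    pids.add(m.group(1))
                    changed = True
    return pids


def triage(csv_text, root_name="sample.exe"):
    """Summarise the sample's host and network activity from a Procmon CSV."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pids = sample_process_tree(rows, root_name)
    report = {"children": set(), "files_written": set(), "registry_set": {},
              "persistence": set(), "network": set()}
    for r in rows:
        if r["PID"] not in pids:          # ignore unrelated system noise
            continue
        op, path, detail = r["Operation"], r["Path"], r["Detail"]
        if op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail):
            report["files_written"].add(path)
        elif op == "RegSetValue":
            data = detail.split("Data: ", 1)[1] if "Data: " in detail else ""
            report["registry_set"][path] = data
            if any(k.lower() in path.lower() for k in PERSISTENCE_KEYS):
                report["persistence"].add(path)
        elif op in ("TCP Connect", "UDP Send"):
            # Path looks like "source:port -> destination:port"; keep the remote side.
            report["network"].add(path.split("->")[-1].strip())
        elif op == "Process Create":
            report["children"].add(path)
    return report


def format_report(report):
    """Render the triage summary as plain text for the incident write-up."""
    lines = []
    for key in ("children", "files_written", "persistence", "network"):
        lines.append(f"{key}:")
        lines.extend(f"  {v}" for v in sorted(report[key]))
    for path, data in sorted(report["registry_set"].items()):
        lines.append(f"registry_set: {path} = {data}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_CSV)))
```

Point the script at a real export by reading the CSV file into `triage()` instead of `SAMPLE_CSV`; the dropped-file paths, the autostart value and the remote endpoint it reports are exactly the items to hand to the AV vendor and to check against the production network.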

You just gotta love the wonders of Virtualization, don't ya?

Hope you enjoyed the ride!


How to create an exe package in Windows

A colleague of mine (thanks Natan) reminded me of a simple but not very well known feature that exists in Windows.

We all download software from the Internet or install applications off a CD or some other media. This is also true if you need to install/transport information into a VM that is not connected to your network.

Some people package them as Zip files, some as ISOs and some as exe files. Did you ever wonder how these exe files are created??

Expensive Software packagers? Compression utilities? Well, most of us do not know that there is a utility built into the Windows operating system.

The utility is called IEXPRESS, and this is one of the easiest ways to make an executable archive.

There is no shortcut available for the utility, but all you need to do is type its name into the search box in Vista/Windows 7 or run %systemroot%\system32\iexpress.exe


So here we go


Choose your desired option


Name your Package


Fill in your desired text


Add a License if you would like


Choose your files that you would like in the package


Choose some more options



Give the location for the package and some more options


And it does the work


And I now have a package


And of course in reverse - double click on the exe




And as they say, "A picture is worth more than a thousand words!!"

Oh yeah, did I mention that this is available in all Microsoft Operating systems??


VCP 410 Second Shot

Hot off the Twitterverse - thanks to Vlad Nagornyi

VMware will allow for those who have failed their first attempt at the VCP 410 exam to go for a second shot - FREE OF CHARGE!

It is a two part process.

1. Enroll in the 2nd Shot Upgrade Program

2. You will then receive a voucher number from VMware that you enter when purchasing your exam, and that entitles you to the free second shot - in case you fail.

Below are the details.

Upgrade to VCP4!
VMware is allowing participating candidates who fail a VMware Certified Professional on vSphere 4 exam (exam code – VCP410) to have a free re-take.
Visit www.PearsonVUE.com/VMware/Upgrade for more details.
Click Here to enroll in the 2nd Shot/Upgrade Program.


Of course this has to be completed before December 31, 2009.

Good Luck!


Veeam Monitor 4.5

Veeam have released a new version of their free monitoring product.


The following is a list of new features in the Veeam Monitor 4.5:

  • Full Veeam Business View integration for business‐centric performance monitoring, reporting and alerting. Please refer to this video for more information on this feature.
  • Configurable custom views which represent the “intersection” of groups from different Business View categories, for instance: only show VMs with department “Marketing” and purpose “Desktop”.
  • New view showing the most heavily loaded ESX hosts below the selected infrastructure node.
  • Uptime and socket count are now shown in the ESX host’s summary.
  • The datastore free space alarm can now be set as a relative amount (percent) in addition to an absolute amount.
  • Support for Microsoft Windows 2008 R2 and Microsoft Windows 7.
  • Support for Microsoft SQL Server 2008.

The following is a list of new features in the Veeam Monitor 4.0.1:

  • Backend Microsoft SQL Server load is reduced dramatically compared with previous Veeam Monitor releases.
  • Multiple enhancements improving product scalability and allowing support of very large environments (hundreds of ESX hosts).
  • New “Disk Commands Issued” alarm counter representing the sum of read and write requests to a datastore has been added.
  • “Check Database” command in Veeam Monitor Server Settings program now also checks DB integrity and attempts to correct any issues encountered.

Release notes

And of course - there is more for the full version of the product, and for a free product it does a very good job!!