[vbox-dev] How malicious or corrupted snapshots are recovered.

Klaus Espenlaub klaus.espenlaub at oracle.com
Tue Oct 16 04:58:06 PDT 2012

On 16.10.2012 07:43, prabhjeet kaur wrote:
> Dear members,
> thanks for reply
> My actual question is:
> 1. Suppose the disk image whose snapshot is taken is affected by some
> malicious content. So, the snapshot we taken is also corrupted.
> Now if this snapshot is used to recover any disk image in future or can
> be used as virtual appliance then it can be dangerous as it effects
> other images.

The general idea is correct - snapshots with malicious content are 
dangerous. But I fail to see an easy solution to fix this problem by any 
kind of patching. The only 100% safe approach is going back to a 
snapshot which is not affected and delete all snapshots which have been 
taken during the period where the malware was around. It is somewhat 
less safe to fix the problem in current state and delete all snapshots 
taken during the period the malware was around.

> How this problem can be overcome. How can we find that snapshot we taken
> 1-2 months before is not malicious.
> This problem can be solved by patching snapshot or we can try some other
> thing to overcome this problem.

How do you intend to patch a snapshot? You seem to assume that this is 
possible without having an idea how it could be achieved. And I have no 
idea either.

For example VDI images simply represent the disk content in 1MB blocks, 
and differencing images similarly represent a single sector change by 
copying the rest of the 1MB block over.

This representation has absolutely no knowledge or direct relationship 
to files as supported by the guest OS, and thus it is not directly 
feasible to patch the images without potentially destroying the 
integrity of all snapshots depending on the patched image. Furthermore, 
patching an old snapshot might not have the desired effect of changing 
all dependent snapshots, as they can have copies of the original content.

So far I see no convincing solution, just a desire to solve a real problem.


> Regards,
> Prabhjeet Kaur

More information about the vbox-dev mailing list