[vbox-dev] How malicious or corrupted snapshots are recovered.
Klaus Espenlaub
klaus.espenlaub at oracle.com
Tue Oct 16 04:58:06 PDT 2012
On 16.10.2012 07:43, prabhjeet kaur wrote:
> Dear members,
> thanks for the reply
>
>
> My actual question is:
> 1. Suppose the disk image whose snapshot is taken is affected by some
> malicious content. So, the snapshot we have taken is also corrupted.
> Now if this snapshot is used to recover any disk image in future or can
> be used as a virtual appliance then it can be dangerous as it affects
> other images.
The general idea is correct - snapshots with malicious content are
dangerous. But I fail to see an easy solution to fix this problem by any
kind of patching. The only 100% safe approach is going back to a
snapshot which is not affected and deleting all snapshots which have been
taken during the period where the malware was around. It is somewhat
less safe to fix the problem in the current state and delete all snapshots
taken during the period the malware was around.
> How can this problem be overcome? How can we find that the snapshot we
> have taken 1-2 months before is not malicious?
> This problem can be solved by patching the snapshot or we can try some
> other thing to overcome this problem.
How do you intend to patch a snapshot? You seem to assume that this is
possible without having an idea how it could be achieved. And I have no
idea either.
For example, VDI images simply represent the disk content in 1MB blocks,
and differencing images similarly represent a single sector change by
copying the rest of the 1MB block over.
This representation has absolutely no knowledge or direct relationship
to files as supported by the guest OS, and thus it is not directly
feasible to patch the images without potentially destroying the
integrity of all snapshots depending on the patched image. Furthermore,
patching an old snapshot might not have the desired effect of changing
all dependent snapshots, as they can have copies of the original content.
So far I see no convincing solution, just a desire to solve a real problem.
Klaus
>
> Regards,
> Prabhjeet Kaur
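
The block-copy behaviour described in the reply above, as an added example that is not part of the original message and is not VirtualBox code: a toy Python model of a base image and one differencing image, showing that overwriting data in the parent leaves the copy held by the child intact while changing the blocks the child has not copied. The class, function and marker names are hypothetical, and the real VDI on-disk format is not reproduced.

```python
# Toy model (constructed for illustration; not the real VDI on-disk format).
BLOCK = 1024 * 1024   # 1 MB allocation unit, as described in the message
SECTOR = 512

class Image:
    """Block-granular image; a differencing image has a parent."""
    def __init__(self, parent=None):
        self.parent = parent
        self.blocks = {}              # block index -> bytearray(BLOCK)

    def read_block(self, idx):
        img = self
        while img is not None:        # nearest image in the chain holding the block wins
            if idx in img.blocks:
                return bytes(img.blocks[idx])
            img = img.parent
        return bytes(BLOCK)           # unallocated blocks read as zeros

    def write(self, offset, data):
        """Write inside one block; the first write copies the whole block up."""
        idx, off = divmod(offset, BLOCK)
        assert off + len(data) <= BLOCK
        if idx not in self.blocks:
            self.blocks[idx] = bytearray(self.read_block(idx))
        self.blocks[idx][off:off + len(data)] = data

    def read(self, offset, length):
        idx, off = divmod(offset, BLOCK)
        return self.read_block(idx)[off:off + length]

def demo():
    marker = b"UNWANTED-CONTENT"            # constructed stand-in for bad data
    base = Image()
    base.write(0, marker)                    # block 0, sector 0
    base.write(BLOCK, marker)                # block 1, sector 0
    snap = Image(parent=base)                # differencing image on top of base
    snap.write(5 * SECTOR, b"x" * SECTOR)    # unrelated one-sector change in block 0
    # "Patch" the base image in place by overwriting the marker in both blocks.
    base.write(0, bytes(len(marker)))
    base.write(BLOCK, bytes(len(marker)))
    return {
        "block0_still_in_snapshot": snap.read(0, len(marker)) == marker,
        "block1_changed_under_snapshot": snap.read(BLOCK, len(marker)) != marker,
        "snapshot_allocated_bytes": sum(len(b) for b in snap.blocks.values()),
    }

if __name__ == "__main__":
    print(demo())
```

Block 0 shows the "copies of the original content" case: the one-sector write pulled the whole block, marker included, into the differencing image before the base was patched. Block 1 shows the integrity concern: its content changed underneath a dependent image that never wrote to it.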