I’m currently sitting in the Sophos monthly update webcast.
One of the new attacks they’ve seen was a bad actor gaining remote access to a PC, but instead of installing the malware, they installed VMware Player Qemu and from there they created a new VM with Kali Linux and ran the malware from within the VM, evading the local antivirus software.
Sophos say they managed to pick up the attack based on the activity of the VM, but running the malware in a VM means that normal AV software that doesn’t look for unusual network behaviour wouldn’t be able to deal with the attack, as it cannot scan the VM, and installing a VM player and a VM is something many people do, so that isn’t suspicious.
The curse of the default! I don’t understand why mainboard manufacturers ship desktop equipment with virtualization functionality enabled by default. 99% of users won’t ever utilize the feature, and the 1% who do are savvy enough to know where in the firmware to enable it. Another case where the industry is shooting itself in the foot.
Hmmm… all mine default it to off, including every time I update the BIOS. Granted, all I have are ASUS and Gigabyte (and one now-defunct ASRock). Maybe server MOBOs are different…?
I’m not sure if all VM software even requires the mainboard virtualization functions to be turned on in order to run, so it really doesn’t matter. There was a time when mobos didn’t have virtualization features, but we still had VMs.
All of the laptops and desktops I’ve bought over the years have had virtualization deactivated by default and I’ve had to explicitly turn them on in order to use the features (Siemens, Lenovo, Asus, HP).
Interestingly, on the Dells we use at work, it is turned on by default.
Thinking on it, I wonder if machines made for Windows 11 have it turned on by default? It would not surprise me if virtualization was also required by Win 11, but TPM 2.0 was just too big an issue for anyone to notice that virtualization was required as well.