Can I isolate Windows XP in a virtual machine to stay safe?

Dear Leo, all of my legal forms are made with a program called Perform. Unfortunately, the company closed a long time ago so there are no updates and it works only in Windows XP. I’m now on Windows 8.1 so I use VMware to run XP, SP3 in a virtual machine. And Perform is the only program that I run in it. There is no network connection between the virtual machine and the host system. My question: Since I do not need to connect to the internet in the virtual machine, if I uninstall IE from it, will I be immune to any malware for the virtual machine, of course? Also, is uninstalling IE the only thing needed to isolate XP from the internet?

Unfortunately, there are a number of issues with what you are proposing. I don’t think you are doing anything wrong, per se, but I don’t think you’ll end up as secure as you think you might be. For example, there’s no way I’d ever say you’d be able to make that XP virtual machine immune from malware.

Running XP in a virtual machine is indeed one of my recommendations for those who are required to use XP for otherwise unsupported legacy software – exactly like you are. So far, so good. But as I said, there remain issues.

Uninstalling IE

First, Internet Explorer can’t really be uninstalled. You might make the icon disappear but the guts of IE are actually shared components within Windows itself.

So, so-called “uninstalling IE” actually does very, very little. Importantly, it really doesn’t improve your security all that much. Those shared components are used by other applications within Windows.

However, let’s say you somehow manage to uninstall IE. Your machine would likely still connect to the internet. The virtual machine has some kind of virtual network adapter that’s probably acting like a real connection to your local network. And from there on, it can connect out to the internet.

For example, utilities like Windows Update that have nothing to do with Internet Explorer will probably still reach out to the internet even if IE isn’t there. Internet connectivity is really kind of built into the operating system and the applications that run on it.

Disable the network?

Now, there is one possibility. As I said, the virtual machine has a virtual network adapter. You can disable that, which would remove the virtual machine from your network completely.

However, I’m guessing you probably have to transfer data between the virtual machine and its host. Or perhaps you print things. Both data transfer and printing are typically implemented using … you guessed it … networking. So turning off the network adapter within the virtual machine might break your ability to easily copy data to and from the virtual machine or to print from it.

Other forms of data transfer

You might think that using USB drives is the way to go: Copy the data to a USB drive on the host machine, then switch the virtual machine connection so that the USB drive is connected to it, and then copy the data off.

Unfortunately, you’ve still broken your protection. Malware can indeed travel via USB drives.

So unless you expect to never, ever transfer data to and from that virtual machine, and never, ever plan to print from within that virtual machine, most of what you’ve described won’t help. And the things that would help will prevent your virtual machine from actually being useful.

My recommendation

My recommendation? Do as little with that virtual machine as possible, of course. And it sounds like you are already doing that by using only your Perform application.

However, do make sure that your virtual machine is running anti-malware tools and that they’re up to date, and that the Windows XP firewall is also turned on.

Uninstall IE if you like and anything else for that matter, but please don’t think that’s buying any significant additional security.
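
The channels discussed above (the virtual network adapter, USB, host/guest sharing) are all recorded in the VM's .vmx configuration file on the host. As an added example, not part of the original article, this Python sketch audits a .vmx and lists which of those channels are still open, and whether the disk uses the non-persistent mode a commenter describes below. The sample file is constructed and the function names are hypothetical; the keys checked are standard VMware .vmx settings.

```python
import re

# Constructed sample .vmx (not from the article): NAT adapter, USB controller,
# one shared folder, and a normal persistent disk.
SAMPLE_VMX = '''
displayName = "XP-Perform"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
usb.present = "TRUE"
sharedFolder0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "xp.vmdk"
'''

# A .vmx line is: key = "value" (straight double quotes only).
LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    return {m.group(1).lower(): m.group(2)
            for m in map(LINE.match, text.splitlines()) if m}

def audit(vmx):
    """List the ways data can still move in or out of the guest."""
    on = lambda key: vmx.get(key, "").upper() == "TRUE"
    findings = []
    for key in sorted(vmx):
        dev, _, attr = key.rpartition(".")
        if attr == "present" and on(key):
            if re.fullmatch(r"ethernet\d+", dev):
                kind = vmx.get(dev + ".connectiontype", "type not specified")
                findings.append(f"{dev}: network adapter present ({kind})")
            elif dev == "usb":
                findings.append("usb: controller present, USB drives can be attached")
            elif re.fullmatch(r"sharedfolder\d+", dev):
                findings.append(f"{dev}: host folder shared with the guest")
        elif attr == "filename" and vmx[key].lower().endswith(".vmdk"):
            # Persistent disk: anything written during a session stays.
            if vmx.get(dev + ".mode", "").lower() != "independent-nonpersistent":
                findings.append(f"{dev}: disk is persistent, changes survive power-off")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_vmx(SAMPLE_VMX)):
        print("-", finding)
```

An empty result means none of these channels is configured; it says nothing about files copied in by other means.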

11 comments on “Can I isolate Windows XP in a virtual machine to stay safe?”

  1. “However, do make sure that your virtual machine is running anti-malware tools and that they’re up to date, and that the Windows XP firewall is also turned on.” – That would normally require being connected to the internet or at least plugging in a USB stick. That’s not a criticism. It just shows how difficult it will be to properly secure a Windows XP machine when support stops.

    Personally I’d go with the USB options. True, USB is a potential Malware breach, but if autoexec is turned off and you check the USB drive for Malware, I think that might give a reasonable level of protection. Add regular backups of your virtual machine and you’ll have an extra layer of protection. A complete backup of your system will include the virtual machine, but an additional separate backup of the VM XP system would be useful, so that you don’t have to restore your whole machine if XP is infected as a full restore might cause you to lose any changes to your main system.

    The article mentions that Windows will be trying to connect to the internet to get updates. This being XP, there will be no updates available, so Windows automatic updates should also be turned off.

    • Do you have to backup the virtual machine? In Oracle’s Virtual Box, the virtual hard drive (which of course includes the XP installation) resides in a single file on the host machine. Couldn’t you just restore that individual file from your backup of the host machine?

      • When you backup the disk image file in the host you are backing up your virtual machine. Occasionally it might be handy to have a backup within the virtual machine, but one way or another – inside the VM or outside – you want it backed up.

  2. If he is so dependent on that XP-based software, why not dedicate a standalone computer/printer solely to that?

    • That might be a bit safer, but unless he has an older machine available for that, it might be an expensive way to run one program.

  3. Making your XP machine really secure is tough.

    One point has already been made, limit what is running on it. The general term is called “Hardening” (google it). That means uninstalling anything you do not absolutely need (ie games, printers, ms paint, notepad etc), as well as turning off “Windows Services” you don’t need.

    Another thing you can do is make your “virtual XP machine” read only. Either burn your XP virtual Machine and application to a CD/DVD or put it on a USB drive with a “Write block / lock”. That way, even if your current session is infected by something the infection dies when you shut it down (ie shut down FREQUENTLY). Each time you start the virtual machine/application it is from a known good copy that cannot be written to / updated with malware.

  4. I never tried it, but CAN an XP machine run without a net connection? Considering how much the original poster needed XP (his whole business was on it), and considering how much hassle and exposure a VM would be, wouldn’t the best solution be a dedicated computer running XP and having no net interface? The cost of a computer/KB/mouse/monitor just for XP is not bad at all. Data moved by USB sneakernet could use locked memory, so moving data from the dedicated XP to the net-connected Win8 should be safe. If we assume all data files flow from the XP to the Win8 machine, then that solves it. The only exposure I would see would be if a file was moved from the Win8 to the XP machine. I do like Ron’s suggestion of booting the XP machine from a CD

  5. What about the shared files Virtual Machine features? (guest additions, VMware Tools, VPC integration components, etc.) A lot safer and easier than USB. I’m (truly!) surprised you didn’t bring that up.

    One more thing that I want to throw out there, although it might be too complicated to be appropriate for a site like this:

    Virtual Machines need some sort of virtual hard drive. That hard drive is typically a file on the host. Of course, different programs use different formats. (VPC uses VHD, Virtualbox uses .vdi, etc. [Virtualbox can use .vhd if necessary. It will get the job done, but some special Virtualbox tricks won’t work with them]) Windows (confirmed on 7) natively supports VHDs, so disk management can be used to natively mount VHDs on a host OS, assuming the VHD is either FAT, FAT32 or NTFS of course.

  6. I have a XP Pro laptop that I use remote desktop to connect to my main work computer (Win7 Ultimate) on my LAN. I set my router (Cisco M10) to disable internet access to this laptop’s IP/MAC addy. I am still able to connect to anything on my LAN, but *think* I am safe(r) with this method.

    I can copy/paste files/clipboard contents to/from these computers, and access shares on the LAN.

    I don’t know if this is a better alternative to using VM or not (that’s what I was searching for when finding this thread).

  7. I don’t see any problem with isolating the virtual machine. While (like I think everyone else who has contributed) I haven’t done this in real life, I have just run some quick tests with VMware Player. I am only speaking of threats over the network (mainly the Internet); this will not protect you against running malware you copy onto the machine.

    I simply went into the TCP/IP properties and set the machine’s IP address to 192.168.200.1 (on a 192.168.1.x network!). Also set gateways, DNS addresses to this range. A quick check found (1) I could access a host shared directory as usual (with VMware Tools, of course); (2) no Internet access. The VMware Player Network adapter settings also have some which look as if they should restrict network access.

    An alternative if it is acceptable to “freeze” the VM (any changeable data would have to be transferred before switching off, eg. stored on a shared directory) is to either use a non-persistent VM (it reverts to its initial state on switchoff), or to use Workstation snapshots. To make a VM non-persistent, add to the .VMX:
    scsi0:0.mode = "independent-nonpersistent"
    snapshot.action = "autoRevert"
    snapshot.disabled = "TRUE"
    (I don’t know if these are all required, but the combination works for me). EVERYTHING done in a session (programs installed, data saved on the VM’s drive, etc.; also virus infections, file corruption) is lost on switchoff.

  8. If you need Windows XP (and perhaps older Windows versions), then installing it in a virtual machine is a good option.

    I still run several Windows XP virtual machines in VMware Workstation / VMware Player (I am using VMware Workstation 10.0.5, which supports Windows all the way up to Windows 7 and Windows 8.1 as guest. The latest version is 11.1.0 at this time.) running under Windows 7 to use old software like Dreamweaver MX and WordPerfect 2000 / 2002 which work fine in Windows XP but will not work or have problems with newer Windows versions. I bought these softwares more than 10 years ago and they still work fine. I use them often and I have no need to upgrade to newer versions. Surely the software companies must hate me, haha.

    If you want to you can disable the virtual machine network adapter to isolate the virtual machine, and Windows XP will continue to run. But personally I find that unnecessary as I normally do not use the virtual machine to surf the internet. Besides as mentioned in the article you may need it if you want to transfer files to and from the virtual machine.

    It is also easy to backup the virtual machine system as it is just a folder containing some files, so you can just copy the folder to another location.

    I also have Windows 95 / Windows 98 / Windows 2000 virtual machines. They are used for testing purposes or running old games that will not work properly in even Windows XP.
