Is running Windows XP in a virtual machine as risky as running XP natively?


I’m replacing all of my computers that operate with Windows XP; I have one laptop that runs Windows 7 Pro; I run one program, a specialty program for Dentistry with the Windows Virtual PC, XP mode, on that Windows 7 Pro laptop. Is running this in Windows XP mode as risky as running Windows XP after support for XP ends?

This is a really good question. I’m glad you asked, because I’m afraid that a number of people might be making some dangerous assumptions about virtual machines and XP mode.

It is, in fact, one of the common recommendations for folks who have software such as yours that can’t be run on anything after Windows XP: use a virtual machine to run Windows XP and that special software. (XP mode is really just a virtual machine.)

Is it as risky as running XP natively? Well, yes and no, but mostly yes.


Virtual machines

A virtual machine is best thought of as a completely separate machine. So, what that means is that running XP in a virtual machine isn’t technically any less risky.

XP, or any operating system you might run in a virtual machine, doesn’t really benefit from being in a virtual machine in any significant way when it comes to security. It’s still connected to your network and to the internet.

Perhaps most importantly, you cannot count on it benefiting from the security software that you might be running on the containing or host machine – your Windows 7 machine in this case. The fact that you’re running anti-malware tools in your Windows 7 machine actually means nothing to the Windows XP virtual machine. The anti-malware tools have no way to peek inside or secure the virtual machine. So you really do have to treat the virtual machine as if it were a completely separate physical machine.

With XP, that means the usual litany: anti-malware tools, turning on the XP firewall, and, of course, using common sense to keep it as safe and secure as possible.

Protecting the host

What the virtual machine does do, however, is protect the host machine. If the XP machine gets infected, the host is not immediately impacted. It’s just as if a Windows XP machine somewhere on your network is getting infected. Whether it can spread to other machines on the network then depends on the specific malware, the vulnerabilities that it’s exploiting (which are hopefully fixed on your post-Windows XP machines) and, of course, your own security measures.

Another advantage to running Windows XP in a virtual machine is that it makes it somewhat easier to back up. Rather than running backup software in the virtual machine – which you can certainly do if you like – it’s actually much simpler to shut down the virtual machine, and back up or make copies of the files that contain the virtual hard disk and the virtual machine definition.

So far, mostly all I’ve said is no. No, your XP machine in a virtual machine isn’t really any more secure than XP on a real machine. But I did start by saying yes and no.

The additional security is you

The “yes” part really comes from what I’ll call the change in your usage pattern. By having your Windows 7 operating system as your primary operating system, which is supported, up to date, and secure, you can do one very important thing: use the XP virtual machine only for those things that you can do only in Windows XP. No email, no web surfing. All that should happen in the host operating system; the one that’s supported, secure and up to date.

By restricting what you do inside of that virtual machine to the bare minimum required, you’re actually reducing what security people like to call the “attack surface”. The number of ways that your computer can be compromised is reduced simply because you’re doing your potentially riskier endeavors in a different and supported environment.

5 comments on “Is running Windows XP in a virtual machine as risky as running XP natively?”

  1. Basically, as there will be no more changes to XP, its native vulnerability should remain as at the cut-off date, no better and no worse, after several years of reduction of that vulnerability from the original level when XP was released.

    Depending upon the absolute level of vulnerability of Windows 7 when it was released, is it provably better than XP, both at today’s date?

    Could the virtual XP System be penetrated through the W7 weaknesses – after all they are sharing the same actual physical resources; and presumably, the W7 System is being connected to the Great Outside World, either via the likely Networking facilities; or indirectly via USB Sticks, SD Cards etc?

    As far as I can judge, if anyone has critical applications which will run only on XP, then that person has to retain at least two, stand-alone XP PCs, never connecting them to the outside world directly or indirectly, if XP’s remaining vulnerabilities are of such concern.

    If there is an absolute need for such external connections, absolutely critical to, say, business progression, then the transfer medium needs to be thoroughly checked before presenting it to the XP machines.

    AND as XP machines will “die off” etc, suitable replacement S/W etc must be sought, with urgency.

  2. Answer me this: both my Windows XP virtual machine and my host machine, Win 7 Ultimate x64, are running the newest edition of AVG and Malwarebytes (2015). How safe is that?

  3. This article gives little attention to the most important issue.

    I think it is safe to assume that any intelligent person who has a virtual XP system on a 7, 8, 10, or Linux host will never connect the virtual XP to the internet, and for obvious reasons.

    So the real question to address is whether the virtual XP can become infected under that circumstance.

    Can you answer that question?

    • I don’t believe it’s safe to assume a virtual XP won’t be connected to the internet. There are simply too many applications and usage scenarios that require it.

      When not connected to the internet, however, then it boils down to this: ANY method by which data can be transferred into the virtual machine has the potential to be a vector for malware. So … how do you get your data into the VM? A network share? A flash drive? Something else? Those can absolutely be vectors for malware.

      • Suppose you transfer data using a shared drive. Then for the malware to make it to that shared drive, the host system is NOT scanning for said malware.

        This is an interesting topic: Do modern malware protection schemes stop looking for Windows XP specific viruses? Do Linux or Mac OS anti-malware programs look for Windows XP exploits or only for their native OS?

        Thanks for the interesting article.
