VMware vSphere

My friend has a really good IT job.  He was given a laptop by his company and was told up front that they do randomly collect the laptops for auditing of activity and usage.  He is a really smart guy... so I was shocked when he told me that he just uses a virtual machine on the laptop when he wants to do or view anything that's considered "questionable".

I told him that was very stupid, and that he should just use his home PC for that stuff.  They will see all that activity when they eventually audit it.  He claims they won't be able to see anything becuase it's on the virtual machine.  I swear, he is truly an intelligent person, so I thought he was trying to be funny.  He's dead serious.  When they look at reports of applications/software used, VMware is obviously going to show up.  And when software/applications access the internet, don't these monitoring systems log what ip addresses/sites they are accessing?

He has it set to use a custom network.  So the virtual machine is using a virtual gateway on the host to get to the outside world.  How would websites and traffic not show up on a report of the host?   And again, wouldn't traffic generated by software and apps show up on the log as well?

Does VMware just totally go under the radar?  Or is he just being unknowingly careless?

Depends. Consider a VMware guest like any other machine. Network activity can be assigned to that VM or the host, depending on the configuration. What might be kept private is the content of the virtual machine, as long as somebody tries to see it by logging on to that virtual machine. But if they take the plain virtual disk and attach it to another guest or a VMware host...they can see everything.

AWo

Understood.  But my point to my friend is that they may  not be able to see specifically what he is doing, but the log will still pick up on the traffic.  For example, lets say he's on the virtual machine, and he opens up the calculator, or an online game like World of Warcraft.  The log from the employee monitoring system on the host will not show calculator.exe, or World of Warcraft was ever run.  Calculator and World of Warcraft was all run inside the virtual machine.  So the host log will only reflect that the software "VMware" was running instead.  However, since World of Warcraft is accessing the internet, creating traffic to and from... won't the monitoring log on the host reflect that the software (VMware) is generating traffic along with the ip addresses/websites it's contacting?    Just like if I ran updates on a media player from the host, say VLC playef.  Won't the log show that VLC is accessing the internet?  And won't it how the address/site?  So I understand they won't literally "see" what he's doing inside the virtual machine.  But shouldn't the logs still show that the VMware software is accessing questionable sites?

Exactly. Programs running in the guest can't be detected. Traffic leaving/entering the guest can be. Wherever and however they will do that. Depending on the monitoring software they will see the MAC of the VM, showing them it is a VMware virtual machine or the host MAC which also may lead to a closer look at that host. And of course they can see where it has connected to.

And you are right, doing that is not a good idea. If the company polices do not allow certain activities and if they can proof that he has installed a virtualization plattform to circumvent the company's policy he might be faced with some uncomfortable questions.

AWo

Correct me if I am wrong, but only traffic passing through the corporate system can be monitored. If he used a wireless adapter to hop onto a public wifi, or used a mobile hot spot and configured his VM to use only that bridged adapter then the corporate systems would not be able to monitor that traffic?

That is an issue we seem to be experiencing here. Some users are even running portable versions or virtualization platforms so that they do not need administrator privileges at all for software.

TdotPDS schrieb:

Correct me if I am wrong, but only traffic passing through the corporate system can be monitored. If he used a wireless adapter to hop onto a public wifi, or used a mobile hot spot and configured his VM to use only that bridged adapter then the corporate systems would not be able to monitor that traffic?

Yes. No difference to physical machines.

AWo

That is assuming they are only monitoring at the network layer.  If they have monitoring software installed on the machine, they can see anything going to or coming from that machine, regardless of connectivity or if it is inside a VM.  On top of that, some monitoring softwares take periodic screenshots of everything running on the desktop, so regardless of VM presence, your activity will be logged.

The original poster's friend needs to reevaluate his methods before he finds himself reevaluating his employment status.

I would expect that the corporate network has a preferred way to assign IP addresses to network nodes.  If you bridge your network device with vmware virtual machine, or if you choose to not use the host systems IP address, DHCP should automatically assign an IP address to the virtual machine when it connects to the network. 

Essentially, when the user access websites or webservices from the virtual machine, all communication will be between the network controller and the virtual machine IP address.  However, since both the virtual machine and the host are using the same network device to access the network, the MAC address for the communication will be identical, because network device on the host only has one MAC address, regardless of how many vm's are running on the host.  They will all be using that MAC addressed device.

If he is on his home network, then the corporate team will not be able to see/audit any network activity related to the VM.  They will only be able to do that inside the corporate network.

There are various employee monitoring software’s available in market such as keylogger, RHUB remote support appliances etc. which your friends company can use in case they want to remotely monitor his computer; and of course, logs are generated through VMware, which his company can definitely check.

Hi,

In my opinion Employee activity monitoring software is best for your friend,I  totally disagree with virtual machine it's not belivable.

I know about a good Employee activity monitoring software which can help to monitor all employee desktop of a network,This software well know as Kernel for Employee  Desktop Live Viewer software ,Which is designed to keep track of both online  and offline records of employee activities on their computers.

You can try to use this software.

I thought monitoring software can monitor virtual machine.

don't be so stupid, all the computer monitoring software on the market have the screen recorder function, any thing done on the virtual machine can be logs. I have been using Any Keylogger for long time and any thing done on my virtual machine can be recorded.