Is a Windows VM open to viruses affecting the array?



I was planning on using a Windows VM on a regular basis. I'm new to ALL of this and JUST got an Unraid trial going so please excuse the ignorance.

 

Do I need to install a good antivirus into a Windows VM just like any other Windows machine? My teen son will be using it for gaming and such. He uses a chat app called Discord for gaming talk and I've read it's pretty easy to get viruses through that.  We will be downloading things here and there.

 

I'm trying to gauge how much risk a Windows VM brings to Unraid and the data array. If it contracts a virus can it spread into the Unraid or is it trapped in that VM where I can just kill the VM and start another?

Link to comment
6 minutes ago, Energen said:

provided that you don't have any SMB access to the array within the VM.

Just wanted to emphasize that portion.

 

Think of a VM as the same as any other machine connected to your internet. If you access Unraid's GUI or storage from inside the VM, chances are a virus can access it as well. If you never have Unraid credentials used inside the VM, and Unraid has good passwords for all access methods, you are fairly safe. If any Unraid shares are set as public, then any machine on the network can get to those shares and wreak havoc, regardless of being a VM or physical box. If any shares are set to secure, then they can be read but not modified. Only private shares require passwords to read.

  • Like 1
Link to comment
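The public / secure / private distinction described above can be checked from the server's Samba share definitions. This is an added example, not code from the thread or from Unraid; it assumes the shares are defined in smb.conf syntax and that the three modes correspond to the standard Samba parameters `guest ok`, `read only`/`writeable` and `write list`, and the sample config is constructed.

```python
import configparser

# Constructed sample in Samba smb.conf syntax; share and user names are made up.
SAMPLE_CONF = """
[global]
    security = user
[Downloads]
    path = /mnt/user/Downloads
    guest ok = yes
    writeable = yes
[Media]
    path = /mnt/user/Media
    guest ok = yes
    read only = yes
    write list = dad
[Documents]
    path = /mnt/user/Documents
    guest ok = no
    valid users = dad mom
    write list = dad
"""

TRUE = {"yes", "true", "1"}

def audit_shares(conf_text):
    """Map each share to the thread's public/secure/private label and guest reach."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    # smb.conf indents parameters; configparser would read that as continuation lines.
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    report = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        s = cp[name]
        guest = s.get("guest ok", s.get("public", "no")).lower() in TRUE
        if "read only" in s:
            read_only = s["read only"].lower() in TRUE
        else:  # writeable / writable are Samba's inverted synonyms; default is read-only
            read_only = s.get("writeable", s.get("writable", "no")).lower() not in TRUE
        mode = "private" if not guest else ("secure" if read_only else "public")
        report[name] = {
            "mode": mode,
            "guest_can_read": guest,
            "guest_can_write": guest and not read_only,
            "writers": s.get("write list", "").split(),
        }
    return report

if __name__ == "__main__":
    for share, info in audit_shares(SAMPLE_CONF).items():
        print(f"{share:10} {info['mode']:8} guest write: {info['guest_can_write']}")
```

Any share reported with `guest_can_write` set is one that a compromised machine on the network could modify without holding Unraid credentials.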
3 hours ago, jonathanm said:

Just wanted to emphasize that portion.

 

Think of a VM as the same as any other machine connected to your internet. If you access Unraid's GUI or storage from inside the VM, chances are a virus can access it as well. If you never have Unraid credentials used inside the VM, and Unraid has good passwords for all access methods, you are fairly safe. If any Unraid shares are set as public, then any machine on the network can get to those shares and wreak havoc, regardless of being a VM or physical box. If any shares are set to secure, then they can be read but not modified. Only private shares require passwords to read.

 

 

What about if apps/documents/media in the VM are saved to the array or a section of the array?  So for instance if a game is installed in the VM can it be saved on the drives that make up the array (or a section).

 

I'm sorry, I'm sure I'm using poor terminology so I'm just trying to explain it. I'm no IT guy, I've never done anything like this.

Edited by SPOautos
Link to comment
2 hours ago, SPOautos said:

What about if apps/documents/media in the VM are saved to the array or a section of the array?  So for instance if a game is installed in the VM can it be saved on the drives that make up the array (or a section).

If they are saved to the array, then any virus that is on that computer can also modify or read files on the array. Unraid doesn't magically protect files; if the VM or any other computer on the network can see the files, they are vulnerable.

 

For files that should only ever be read and never modified, you can take precautions that eliminate much of the risk; search for "unraid immutable attribute".

  • Like 1
Link to comment
4 hours ago, SPOautos said:

What about if apps/documents/media in the VM are saved to the array or a section of the array?  So for instance if a game is installed in the VM can it be saved on the drives that make up the array (or a section).

If you mean apps/documents/media that are created/used/stored/saved/accessed/whatever inside of the VM, meaning you have them on your C:\ drive in Windows, those aren't technically "saved to the array".. they are stored as part of the VM disk image on the array --- still completely separated from Unraid.

 

If you mean that you map SMB shares to your VM, like you map D:\ drive to \\unraid\ShareName\, then there is access to your Unraid files and potential for malware.

  • Like 1
Link to comment
2 hours ago, Energen said:

If you mean apps/documents/media that are created/used/stored/saved/accessed/whatever inside of the VM, meaning you have them on your C:\ drive in Windows, those aren't technically "saved to the array".. they are stored as part of the VM disk image on the array --- still completely separated from Unraid.

 

If you mean that you map SMB shares to your VM, like you map D:\ drive to \\unraid\ShareName\, then there is access to your Unraid files and potential for malware.

 

Okay, this is shining some much-needed light on VMs for me. This is what I wasn't sure about. So I was planning on running my VM and dockers on a 500GB NVME. However, if my son uses the VM for gaming (which is the plan) then 500GB isn't near enough space.

 

So do I understand that what I would do for extra storage is map a drive in Windows to the array and store his games there (called an SMB)? However, this makes the array more vulnerable so with an SMB it's very important to keep a good virus protection running in Windows.

 

With an SMB, does it point to the array in general or would I carve a section out? For instance if I have 3 drives in my array but really only need 2, should I keep one of my drives separated from the array for SMB storage (really would hate to dedicate an entire 6TB HDD though, 2TB is plenty)?  But would this create distance that would protect the array from viruses even though it's still mapped to Windows?

 

I want to map a storage for the VM but I don't really want it to be looked at by the parity drive. There's no need, so it doesn't need to actually be part of the array.

Edited by SPOautos
Link to comment

Some games don't function over mapped NAS drives, they insist on local storage. For local storage, you have a couple options. You can put another "hard drive" vdisk file on a different disk, and it will show up in the VM just like a local disk. Or you can pass through an entire drive to the VM, which will make the whole disk not appear in Unraid at all. It's easier to manage vdisk files, since you can copy the file to another drive as a backup when the VM isn't running. Either of those options dedicates the space to the VM alone, no other computer can access it through unraid.

 

Mapped share space can be shared with multiple client computers, everybody with valid credentials can read or write there.

 

With regards to the parity array, the latest beta allows multiple cache pools to be defined, so you can easily set up your 500GB SSD as one pool, and add a spinner 4TB as another pool, and use space there for the VM's "D: drive". The current main release 6.8.3 only allows 1 cache pool, so any extra drives you wanted to use outside of the parity array would need to be managed by the Unassigned Devices plugin.

Link to comment
17 minutes ago, SPOautos said:

So do I understand that what I would do for extra storage is map a drive in Windows to the array and store his games there (called an SMB)? However, this makes the array more vulnerable so with an SMB it's very important to keep a good virus protection running in Windows.

 

With an SMB, does it point to the array in general or would I carve a section out? For instance if I have 3 drives in my array but really only need 2, should I keep one of my drives separated from the array for SMB storage (really would hate to dedicate an entire 6TB HDD though, 2TB is plenty)?  But would this create distance that would protect the array from viruses even though it's still mapped to Windows?

Now you're understanding it better.

 

Yes to your first question, that is SMB.  Anything connected by SMB could technically be vulnerable.  Even if you ONLY mapped one specific share, depending on the sophistication of the malware it could travel through all your SMB shares.  If one is open, they are all open, essentially.

 

So that should answer your second question too.. theoretically any mapped SMB share could open your entire array to infection.

  • Like 1
Link to comment
52 minutes ago, Energen said:

Now you're understanding it better.

 

Yes to your first question, that is SMB.  Anything connected by SMB could technically be vulnerable.  Even if you ONLY mapped one specific share, depending on the sophistication of the malware it could travel through all your SMB shares.  If one is open, they are all open, essentially.

 

So that should answer your second question too.. theoretically any mapped SMB share could open your entire array to infection.

 

Okay, so the most secure is if the VM is on the NVME and everything is saved only to the NVME. However, since I was also going to use that same NVME for cache then that really ties it back over to the array since the cache has data that's written to the array... wouldn't that be correct?

 

I guess what I need is a 2TB SSD dedicated to VM and VM storage. BUT I just can't spend any money right now.

 

Wouldn't leaving an HDD unassigned where it's not in the array and using it only for VM storage be more secure than actually mapping the VM to the array? Or does it really not make any difference? And is it even possible to have an HDD storage that's not tied to the array?

 

When you said "even if you only mapped one specific share".....by "share" is that a piece of the array or does that count for storage not assigned to the array?

Edited by SPOautos
Link to comment
15 hours ago, SPOautos said:

Okay, so the most secure is if the VM is on the NVME and everything is saved only to the NVME. However, since I was also going to use that same NVME for cache then that really ties it back over to the array since the cache has data that's written to the array... wouldn't that be correct?

No.  You're mixing things up a little bit again.  The VM itself is contained in one large file. That file can reside on the cache drive, on the array, wherever you want it.  Think of it like a massive archive file (zip, rar, etc).. everything for the VM is inside that file and doesn't leave it, doesn't write to the array directly or anything.  If you create a file inside the VM that file is saved within the VM file also, and doesn't touch the array outside of that VM "archive" file.

 

So you can have the NVME acting as cache for the array, and have the VM "archive" on it, and the two don't mix.  Nothing is directly written to the NVME from the VM except for the VM file itself.

 

15 hours ago, SPOautos said:

Wouldn't leaving an HDD unassigned where it's not in the array and using it only for VM storage be more secure than actually mapping the VM to the array?

I think the above explanation addresses this, unless you mean something else.

15 hours ago, SPOautos said:

And is it even possible to have an HDD storage that's not tied to the array?

Sort of yes, sort of no.  You can have a drive on its own passed through to the VM and that's not tied directly to the array.  I think that was mentioned already.  You can have a drive mounted with Unassigned Devices that's not part of the array storage, but that is "connected" to the array as far as access is concerned.  Malware that was able to "run" through the Unassigned Devices mount point would be able to access your entire array.

15 hours ago, SPOautos said:

When you said "even if you only mapped one specific share".....by "share" is that a piece of the array or does that count for storage not assigned to the array?

The shares that you create in Unraid on the Shares tab.  Each one of those shares can be directly accessed through SMB like \\unraid\Share1, \\unraid\Share2, \\unraid\MediaShare, etc... so let's say you had a downloads share, \\unraid\Downloads, and mapped that inside your VM to D:\Downloads, every other share (Share1, Share2, MediaShare, etc) would still be accessible and vulnerable to attack, even if it's not a mapped drive in the VM like the D:\Downloads (\\unraid\Downloads) is.  Does that make sense?

  • Thanks 1
Link to comment
On 8/27/2020 at 1:06 PM, Energen said:

No.  You're mixing things up a little bit again.  The VM itself is contained in one large file. That file can reside on the cache drive, on the array, wherever you want it.  Think of it like a massive archive file (zip, rar, etc).. everything for the VM is inside that file and doesn't leave it, doesn't write to the array directly or anything.  If you create a file inside the VM that file is saved within the VM file also, and doesn't touch the array outside of that VM "archive" file.

 

So you can have the NVME acting as cache for the array, and have the VM "archive" on it, and the two don't mix.  Nothing is directly written to the NVME from the VM except for the VM file itself.

 

I think the above explanation addresses this, unless you mean something else.

Sort of yes, sort of no.  You can have a drive on its own passed through to the VM and that's not tied directly to the array.  I think that was mentioned already.  You can have a drive mounted with Unassigned Devices that's not part of the array storage, but that is "connected" to the array as far as access is concerned.  Malware that was able to "run" through the Unassigned Devices mount point would be able to access your entire array.

The shares that you create in Unraid on the Shares tab.  Each one of those shares can be directly accessed through SMB like \\unraid\Share1, \\unraid\Share2, \\unraid\MediaShare, etc... so let's say you had a downloads share, \\unraid\Downloads, and mapped that inside your VM to D:\Downloads, every other share (Share1, Share2, MediaShare, etc) would still be accessible and vulnerable to attack, even if it's not a mapped drive in the VM like the D:\Downloads (\\unraid\Downloads) is.  Does that make sense?

 

Thinking about the entire project, I'm not going to have any way around SMBs because I'm also creating shares for specific users to use. Those shares will be mapped to their PC. I will also be using Nextcloud to save data on their phones to their share.

 

That being the case... what is the best way to protect?  Is there good virus protection that everyone runs on their Unraid machine that doesn't slow it down? Or do I need to do all the protecting on the client devices?

Edited by SPOautos
Link to comment
1 minute ago, SPOautos said:

Or do I need to do all the protecting on the client devices?

This.

 

A virus needs to be executed to have any effect, and that execution is going to happen on the client, and that is where the virus check should happen.

 

That being said, there is ClamAV available within Apps which will scan your server for viruses, but you shouldn't rely upon it exclusively.

  • Like 1
Link to comment
6 minutes ago, Squid said:

This.

 

A virus needs to be executed to have any effect, and that execution is going to happen on the client, and that is where the virus check should happen.

 

That being said, there is ClamAV available within Apps which will scan your server for viruses, but you shouldn't rely upon it exclusively.

 

If I use the ClamAV as backup protection, does it tend to slow the server down? I know with PCs some AV programs take a lot of resources and slow things down enough to notice it. For instance if I'm moving a large data file to the server and it's scanning it, will it make the transfer slower?

Edited by SPOautos
Link to comment
