{"id":68026,"date":"2017-01-19T11:51:00","date_gmt":"2017-01-19T19:51:00","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=68026"},"modified":"2025-06-05T19:13:14","modified_gmt":"2025-06-06T02:13:14","slug":"stopping-malware-fake-virtual-machine","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/","title":{"rendered":"Stopping Malware With a Fake Virtual Machine"},"content":{"rendered":"<p>As we explained in a <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/overview-malware-self-defense-protection\/\">previous post<\/a>, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Such malware will often refuse to execute, or will change its behavior to appear harmless. Because some malware uses these tactics, planting fake virtual machine artefacts or fake analysis tools on a system could stop its malicious behavior. We have created a quick proof of concept (POC) to demonstrate this defensive tactic.<\/p>\n<p>Some malware uses a mutex or registry key to avoid re-infecting a machine. For example, a previous version of Locky used a registry key with the string \u201clocky\u201d to check if the machine was already infected. This variant also used a basic check to verify if the <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/locky-ransomware-rampage-javascript-downloader\/\">local language was Russian<\/a>; if it was, the ransomware did not infect the machine. 
With this kind of information, security analysts can proactively configure these artefacts to boost protection against some malicious software.<\/p>\n<p>The following diagram illustrates this concept:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=68037\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-68037\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg\" alt=\"20170118 Roccia fake vm 1\" width=\"1321\" height=\"1378\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg 1321w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-1-288x300.jpg 288w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-1-768x801.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-1-982x1024.jpg 982w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-1-479x500.jpg 479w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-1-32x32.jpg 32w\" sizes=\"auto, (max-width: 1321px) 100vw, 1321px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Proof of concept functions<\/strong><\/h2>\n<p>Sandboxes and virtual environments are full of artefacts that betray their analysis environment. Malware can protect itself against these by running some checks to detect such environments before performing any malicious actions. Our POC will reproduce a virtual environment on a normal user machine. It is available at <a href=\"https:\/\/github.com\/fr0gger\/RocProtect-V1\">https:\/\/github.com\/fr0gger\/RocProtect-V1<\/a>.<\/p>\n<h2><strong>Creating fake registry keys <\/strong><\/h2>\n<p>A lot of registry keys are created by specific tools or by sandbox emulation. 
Using the Windows API RegCreateKeyEx we can create all the (fake) keys normally created by a hypervisor.<\/p>\n<p>The following list shows a few of the potential registry keys that malware can detect:<\/p>\n<ul>\n<li>HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\ \u201cIdentifier\u201d;\u201cVMWARE\u201d<\/li>\n<li>HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools<\/li>\n<li>HKLM\\HARDWARE\\Description\\System\\ \u201cSystemBiosVersion\u201d;\u201cVMWARE\u201d<\/li>\n<li>HKLM\\HARDWARE\\Description\\System\\ \u201cSystemBiosVersion\u201d;\u201cVBOX\u201d<\/li>\n<li>HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions<\/li>\n<li>HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__<\/li>\n<\/ul>\n<p>The following call shows the registry key creation process in more detail:<\/p>\n<pre>RegCreateKeyEx(\n    HKEY_LOCAL_MACHINE,       \/\/ root key\n    RegValuePath[i],          \/\/ subkey to create\n    0,                        \/\/ reserved, must be 0\n    NULL,                     \/\/ class type of the key\n    REG_OPTION_NON_VOLATILE,  \/\/ keep the key after reboot\n    KEY_WRITE,                \/\/ access rights requested on the key\n    NULL,                     \/\/ default security attributes\n    &amp;hKey,                    \/\/ receives a handle to the opened key\n    NULL);                    \/\/ disposition: whether the key was created or already existed<\/pre>\n<p>Other API functions are used to set a value on a previously created key 
(RegOpenKeyEx, RegSetValueEx).<\/p>\n<h2><strong>Creating fake processes<\/strong><\/h2>\n<p>The hypervisor runs several processes inside the virtual machine to perform actions and ensure compatibility with the host machine. For example, VirtualBox runs several guest processes that malware can spot.<\/p>\n<p>The following list shows processes created by VirtualBox:<\/p>\n<ul>\n<li>exe<\/li>\n<li>exe<\/li>\n<li>exe<\/li>\n<\/ul>\n<p>The function CreateProcess can be used to load a fake process into memory:<\/p>\n<pre>CreateProcess(\n    ProcessName[i],    \/\/ name of the fake process (module to execute)\n    NULL,              \/\/ additional command line\n    NULL,              \/\/ process security attributes\n    NULL,              \/\/ thread security attributes\n    FALSE,             \/\/ handles are not inherited\n    CREATE_SUSPENDED,  \/\/ create the process suspended to avoid resource consumption\n    NULL,              \/\/ pointer to the environment block (inherit ours)\n    NULL,              \/\/ current directory (inherit ours)\n    &amp;si,               \/\/ startup info\n    &amp;pi);              \/\/ receives the process and thread handles<\/pre>\n<h2><strong>Creating fake files<\/strong><\/h2>\n<p>Malware can also try to detect the presence of any files related to virtual environments. 
Many driver and DLL files are created by the hypervisor.<\/p>\n<p>The following list shows a short extract of potential virtual machine files:<\/p>\n<ul>\n<li>C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys<\/li>\n<li>C:\\WINDOWS\\system32\\vboxhook.dll<\/li>\n<li>C:\\WINDOWS\\system32\\vboxdisp.dll<\/li>\n<li>C:\\Windows\\system32\\drivers\\vmmouse.sys<\/li>\n<li>C:\\system32\\drivers\\vmhgfs.sys<\/li>\n<\/ul>\n<p>The function CreateFile can be used to create fake files on the system:<\/p>\n<pre>CreateFile(\n    fname[i],               \/\/ path of the file to create\n    GENERIC_WRITE,          \/\/ open for writing\n    0,                      \/\/ do not share\n    NULL,                   \/\/ default security\n    OPEN_ALWAYS,            \/\/ open the file if it exists, create it otherwise\n    FILE_ATTRIBUTE_NORMAL,  \/\/ normal file\n    NULL);                  \/\/ no attribute template<\/pre>\n<h2><strong>Creating a fake MAC address<\/strong><\/h2>\n<p>VirtualBox and VMware use default MAC addresses on virtual machines. The VirtualBox default address uses the first three bytes 08:00:27. The VMware default address uses the first three bytes 00:0C:29, 00:1C:14, 00:50:56, or 00:05:69. Malware can detect these MAC addresses by requesting the following registry key:<\/p>\n<p style=\"padding-left: 
30px;\">HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\0000\\NetworkAddress<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Proof of Concept<\/strong><\/h2>\n<p>We have tested some samples with \u201cVM aware\u201d capabilities with our tool. In each case the malware did not run and the machine was not infected.<\/p>\n<p>The tool <a href=\"https:\/\/github.com\/a0rtega\/pafish\">Pafish, an open-source project,<\/a> uses similar tricks as malware to identify virtual environments. We used Pafish to observe the difference between a normal machine and a machine set up with our tool emulating a virtual machine.<\/p>\n<p>The following screenshot shows the output of Pafish with few detections of a virtual environment:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=68039\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-68039\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-2.png\" alt=\"20170118 Roccia fake vm 2\" width=\"1482\" height=\"1444\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-2.png 1482w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-2-300x292.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-2-768x748.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-2-1024x998.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-2-513x500.png 513w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-2-32x32.png 32w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-2-50x50.png 50w\" sizes=\"auto, (max-width: 1482px) 100vw, 1482px\" \/><\/a><\/p>\n<p>After running our tool, we can clearly see the differences in detection.<\/p>\n<p><a 
href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=68040\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-68040\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-3.png\" alt=\"20170118 Roccia fake vm 3\" width=\"2560\" height=\"1442\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-3.png 2560w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-3-300x169.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-3-768x433.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-3-1024x577.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-3-888x500.png 888w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><\/a><\/p>\n<p>On the left we see the output of RocProtect, our proof of concept, which created fake artefacts on the machine. On the right we see the output of Pafish, which shows the number of detections.<\/p>\n<p>Malware is constantly becoming more advanced. Analysis and detection are becoming harder and more time consuming. This proof of concept introduces a different way to protect against malware infections by emulating a virtual environment. Of course, this tool cannot replace a real security application, but it can complement your defenses. 
Sometimes we need to try different tactics to fight malware.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to&#8230;<\/p>\n","protected":false},"author":839,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,4452,338,180],"coauthors":[4688],"class_list":["post-68026","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybersecurity","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Stopping Malware With a Fake Virtual Machine | McAfee Blog<\/title>\n<meta name=\"description\" content=\"As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Stopping Malware With a Fake Virtual Machine | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. 
Some threats\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2017-01-19T19:51:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-06T02:13:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1321\" \/>\n\t<meta property=\"og:image:height\" content=\"1378\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Thomas Roccia\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@fr0gger_\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Thomas Roccia\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/\"},\"author\":{\"name\":\"Thomas Roccia\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7\"},\"headline\":\"Stopping Malware With a Fake Virtual Machine\",\"datePublished\":\"2017-01-19T19:51:00+00:00\",\"dateModified\":\"2025-06-06T02:13:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/\"},\"wordCount\":900,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg\",\"keywords\":[\"computer security\",\"cybersecurity\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/\",\"name\":\"Stopping Malware With a Fake Virtual Machine | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg\",\"datePublished\":\"2017-01-19T19:51:00+00:00\",\"dateModified\":\"2025-06-06T02:13:14+00:00\",\"description\":\"As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee 
Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Stopping Malware With a Fake Virtual Machine\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7\",\"name\":\"Thomas 
Roccia\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/219099eb1ee40018f72bf1e381c6bd75\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png\",\"caption\":\"Thomas Roccia\"},\"description\":\"Thomas Roccia is senior security researcher on the Advanced Threat Research team. He works on threat intelligence, tracking cybercrime campaigns and collaborating with law enforcement agencies. In a previous role, Thomas worked on the McAfee Foundstone team, performing worldwide incident response, malware hunting, and penetration testing. He has helped customers during major outbreaks and managed highly critical situations. Thomas has developed workshops, training courses, presentations, he leads the Unprotect Project, an open-source database dedicated to malware evasion techniques. His work in security research includes threat intelligence, malware, reverse engineering, vulnerabilities as well as innovation and patenting. He speaks regularly at security conferences.\",\"sameAs\":[\"http:\/\/troccia.tdgt.org\",\"https:\/\/www.linkedin.com\/in\/thomas-roccia\/\",\"https:\/\/x.com\/fr0gger_\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/thomas-roccia\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Stopping Malware With a Fake Virtual Machine | McAfee Blog","description":"As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. 
Some threats","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Stopping Malware With a Fake Virtual Machine | McAfee Blog","og_description":"As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2017-01-19T19:51:00+00:00","article_modified_time":"2025-06-06T02:13:14+00:00","og_image":[{"width":1321,"height":1378,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg","type":"image\/jpeg"}],"author":"Thomas Roccia","twitter_card":"summary_large_image","twitter_creator":"@fr0gger_","twitter_site":"@McAfee","twitter_misc":{"Written by":"Thomas Roccia","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/"},"author":{"name":"Thomas Roccia","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7"},"headline":"Stopping Malware With a Fake Virtual Machine","datePublished":"2017-01-19T19:51:00+00:00","dateModified":"2025-06-06T02:13:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/"},"wordCount":900,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg","keywords":["computer security","cybersecurity","endpoint protection","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/","name":"Stopping Malware With a Fake Virtual Machine | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg","datePublished":"2017-01-19T19:51:00+00:00","dateModified":"2025-06-06T02:13:14+00:00","description":"As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20170118-Roccia-fake-vm-1.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Stopping Malware With a Fake Virtual 
Machine"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7","name":"Thomas Roccia","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/219099eb1ee40018f72bf1e381c6bd75","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png","caption":"Thomas Roccia"},"description":"Thomas Roccia is senior security researcher on the Advanced Threat Research team. He works on threat intelligence, tracking cybercrime campaigns and collaborating with law enforcement agencies. 
In a previous role, Thomas worked on the McAfee Foundstone team, performing worldwide incident response, malware hunting, and penetration testing. He has helped customers during major outbreaks and managed highly critical situations. Thomas has developed workshops, training courses, presentations, he leads the Unprotect Project, an open-source database dedicated to malware evasion techniques. His work in security research includes threat intelligence, malware, reverse engineering, vulnerabilities as well as innovation and patenting. He speaks regularly at security conferences.","sameAs":["http:\/\/troccia.tdgt.org","https:\/\/www.linkedin.com\/in\/thomas-roccia\/","https:\/\/x.com\/fr0gger_"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/thomas-roccia\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/68026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/839"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=68026"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/68026\/revisions"}],"predecessor-version":[{"id":215157,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/68026\/revisions\/215157"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=68026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=68026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=68026"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=68026"}],"curies":[{"n
ame":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}