With your VMware host fully built, it’s time to create some virtual machines / VMs / guests, or whatever you want to call them. This guide will run through creating a single VM.
- File > New Virtual Machine
- Select Custom (advanced)
- Choose compatibility with Workstation 11.0, which allows for ESXi compatibility (if you require backwards compatibility with older VMware versions, choose an older version here). Next >
- Install from iso (select a Windows operating system iso image). Next >
- Specify which Operating System version you are installing. Next >
- Name the VM and check that the location it will install the machine’s virtual disk files into is correct. Next >
- Firmware Type – BIOS. Next >
- Processor Configuration – Processors/Cores as required. If you’re unsure, leave as default and you can change later. Next >
- Memory – Increase this to 4096MB, or a specific number as required. Next >
- Network Type – Use NAT. This is a pretty safe default, but we’ll change this later anyway. Next >
- I/O Controller Types – Choose the recommended option. Next >
- Virtual Disk Type – Choose the recommended option. Next >
- Disk > Create a new virtual disk. Next >
- Disk Capacity – Leave as the recommended size, and select “Split virtual disk into multiple files”. Next >
- Specify Disk File – Leave as default. Next >
- Select Customize Hardware
- Select Network Adapter – On the right, change the network connection setting to Custom, and then select the correct virtual network you configured previously. If in doubt, select the custom NAT network and then reconfigure this later. Close >
- Review that the settings look correct. Finish.
- The Virtual Machine is now initially configured but needs a bit more fine tuning before we power it on.
VM Fine Tuning
- Select the Virtual Machine tab
- VM > Settings > Options
  - Shared Folders – Disabled
  - Guest Isolation
    - Disable Drag and Drop
    - Disable Copy and Paste
  - VMware Tools – Synchronize guest time with host
  - VNC Connections – Disabled
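A check worth running after working through that list (an added example script, not part of the original guide): Workstation stores each of those Options as a key in the VM’s .vmx file, so the script parses a .vmx and reports any guest-isolation setting that is missing or still permissive. The key names are VMware’s own; which key corresponds to which checklist item is my reading of the list, and the sample .vmx is constructed.

```python
import re

# .vmx keys behind the VM > Settings > Options items listed above. The key names
# are VMware's own; matching each to a checklist item is my reading (assumption).
CHECKLIST = [
    ("isolation.tools.hgfs.disable", "TRUE", "Shared Folders - Disabled"),
    ("isolation.tools.dnd.disable", "TRUE", "Guest Isolation - Disable Drag and Drop"),
    ("isolation.tools.copy.disable", "TRUE", "Guest Isolation - Disable Copy"),
    ("isolation.tools.paste.disable", "TRUE", "Guest Isolation - Disable Paste"),
    ("tools.syncTime", "TRUE", "VMware Tools - Synchronize guest time with host"),
    ("RemoteDisplay.vnc.enabled", "FALSE", "VNC Connections - Disabled"),
]

# A .vmx file holds one key = "value" pair per line; keys are case-insensitive.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text: str) -> dict:
    """Parse .vmx text into a dict keyed by lowercase key; comment lines are skipped."""
    settings = {}
    for line in text.splitlines():
        match = VMX_LINE.match(line)
        if match and not line.lstrip().startswith("#"):
            settings[match.group(1).lower()] = match.group(2)
    return settings

def audit_vmx(text: str) -> list:
    """Return (checklist item, problem) for each item the file does not satisfy.
    Absent keys are reported too: set each isolation option explicitly."""
    settings = parse_vmx(text)
    findings = []
    for key, wanted, label in CHECKLIST:
        actual = settings.get(key.lower())
        if actual is None:
            findings.append((label, f'{key} not set; add {key} = "{wanted}"'))
        elif actual.upper() != wanted:
            findings.append((label, f'{key} = "{actual}", expected "{wanted}"'))
    return findings

# Constructed sample: a .vmx as the wizard might leave it before fine tuning.
SAMPLE_VMX = """\
virtualHW.version = "11"
displayName = "Win-Malware-Lab"
isolation.tools.copy.disable = "FALSE"
RemoteDisplay.vnc.enabled = "TRUE"
tools.syncTime = "TRUE"
"""

if __name__ == "__main__":
    for label, problem in audit_vmx(SAMPLE_VMX):
        print(f"[!] {label}: {problem}")
```

Run it against the .vmx in the VM’s folder while the VM is powered off; an empty report means every item on the list above is set the way the guide asks.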
Snapshots are a way to back up a virtual machine at a frozen point in time (virtual machines can be powered on or off when you take a snapshot). Every time you make a significant change to software, configuration or files, or perform a test, take a snapshot. This allows you to revert to that point in time later should you need to, and to make a clone of the snapshot image to do something different. Take snapshots often. They take up disk space, but you can delete individual snapshots later on if you don’t need them anymore.
The most granular way to take snapshots is via VM > Snapshot > Snapshot Manager. From there you can view existing snapshots along with their names and descriptions, which allows you to be consistent in your detailing of any new snapshots. Create a snapshot by selecting “Take Snapshot…”, give it a name and description and press “Take Snapshot”. You can also see the tree of snapshots in the Snapshot Manager and delete or clone them as required. N.B. To clone a snapshot, the snapshot must be of a powered-off system, e.g. Windows has been shut down and then the snapshot taken.
Inside the VM
Power on the virtual machine to start the operating system installation. Once it’s complete, go back to VM > Settings, select the CD/DVD drive containing the iso image and remove it. You won’t need that anymore.
Now that the virtual machine’s operating system is built, it’s time to get it ready for introducing malware and to make it match the “real” PCs in your organisation.
- Take a snapshot. Maybe name it “Clean O/S Installation”.
- Install software and configurations as per the real world PC you’re replicating, e.g. install the same versions of Microsoft Office and custom applications your organisation uses.
- Update the software and operating system patches to match your real world machines.
- Enable/disable/configure automatic updates accordingly. (You don’t want the virtual machine updating itself to versions you don’t use in the real world.)
- Take a Snapshot. Maybe name this “Real World Gold Image 1” or something that’s relevant for the machine you’re replicating.
- Add configuration items for antivirus testing
  - Create directory – C:\malware_included – used for testing malware
  - Create directory – C:\malware_excluded – used for hosting malware before testing (AV policy set to exclude this folder from all scanning/detection)
  - Install Antivirus of choice
  - Set the Antivirus policy to quarantine, and enable all AV client and management alerting/logging
  - Update the Antivirus engine/signatures to the latest version
- Take a Snapshot, maybe named “Pre-malware Clean Test 1”