How a Whonix Live can be compromised ?

If I download a malicious document in my Whonix Live Live Mode for Kicksecure β„’ - Kicksecure and run it and my Whonix Live gets infected. After I reboot Whonix Live it will be safe as it was before I run the malicious document ? Could malicious document compromise my host machine as well ?
Is there a way to open malicious files in Whonix Live VM and to not be afraid that VM or host will be compromised ?

Whonix Live could be disabled by determined malware that wants to leave traces on your disk. VM snapshots are the way to go to rollback to a non-compromised state (as long as the hypervisor itself is not vulnerable).

Hi Puff

To start, there is no such thing as 100% safety when using security related software. This includes using Whonix.

When using Whonix in β€œlive mode,” all changes are written to RAM i.e. not Virtual HDD. The goal is to prevent malware from gaining a persistent foothold. Whonix live should be unchanged after reboot. It is possible for this design to be bypassed if swap files, core dumps and other relevant configurations are in effect. However, most of these can be disabled.

Whonix uses a model called Security by isolation. This keeps Whonix Workstation completely isolated from the host. For malware to infect your host OS, there would have to be an exploit in the hypervisor itself. This would be very difficult but not impossible. If a skilled (and determined) adversary with the right tools – had a specific target, then the answer is YES – the host could be compromised.

Whonix (live mode) is designed to prevent malware from gaining a persistent foothold and it is very unlikely the host would be compromised. That is unless there was an exploit in the hyperviser.

Keep in mind Whonix is not a silver bullet that will protect you from everything. No security related software will.

Off topic:

There are some things you can do to better protect your system that you may be interested in.

1 Like