isolation accident

I read one of the questions where a man asked: “do I need to use some VPN on the host (before Whonix)?” Ego said that this is not necessary. So it means that all anonymity lies on the gateway's shoulders. But even whonixcheck writes that you should not rely on Whonix, that this is a test development. I do not quite understand what the chance is that the isolation is broken and traffic will go directly from the host. Did this happen, in your memory?

Do you remember reports like this, when isolation crashes?

This is just a general disclaimer required by law. It does not mean that Whonix is faulty and that we are knowingly distributing it that way!

All versions have been heavily leak tested and shown safe. Relax and use it :slight_smile:


What needs to be done to break the isolation? I just wanted to know how to be careful. Am I right that even if something is done wrong, the worst that can happen is that the workstation's internet will go down?

Good day,

Well first of all, an attacker would need to find out that he is inside of a hypervisor/virtual machine and not running on “true hardware”. That is quite a complex process in and of itself, though not impossible. A lot of more advanced malware scans for processes and installed files which could hint at this, like running “VirtualBox specific processes” or having the VMware Tools installed. Hypervisors like Qubes or KVM however don’t really necessitate such specific files or processes, which is why detecting one of them is far more complex for an attacker than on VBox or VMware.

Most current malware uses the knowledge that it is inside a virtual instance however NOT to execute a specific attack but rather to shut down. Why? Because many malware creators have understood that once they are inside a virtual machine they have lost. They actually will likely not find any interesting information (banking data, etc) since people who use virtual machines on average keep their “real” systems protected anyway. That’s why you can actually use the processes from VBox and VMWare as protection against certain malware even on your “host system”: fake_sandbox.ps1 · GitHub

Now, the malware we are interested in in your case however is the one which, when it (somehow) finds out it runs inside a VM, doesn’t shut down but then tries to break out of it to gain access to your “real/host IP”. This kind of sophisticated malware hasn’t been spotted in the wild for now. Adding to that, the complexity and skill needed to “break out” of a hypervisor, especially one which is hard to detect in the first place like Xen (used by Qubes) or KVM, makes such a virus rather precious and likely not one you’ll ever have to worry about.

If however you want to be fully paranoid, you could perhaps use a VPN and bundle all host traffic through it (not just your virtual machine and programs). Perhaps by putting the VPN directly on your internet router. At that point any attacker is probably going to not bother anymore.

Have a nice day,

Ego

I do not mean so much hacking, but rather user negligence: accidentally deleting something or pushing something, for example.
Is that provided for?

Or is it nonsense?

Good day,

Oh, that. That’s really hardly possible. The design of Whonix, with its separate gateway and workstation, makes it near impossible to break the isolation yourself. You can pretty much delete anything without jeopardizing it. Of course, if you get confused and use the wrong window, that’s another story: Tips on Remaining Anonymous.

Have a nice day,

Ego


@Ego:

Unfortunately, it is trivial for any compromised, even non-root, process to figure out in which hypervisor it is running. It could just use systemd-detect-virt.

Also without that, virtualizers will probably never defeat detection. There are just too many subtle differences that can be spotted.

Yes, whatever file you delete in Whonix-Workstation does not lead to browsing the internet in the clear.

Even if you mess up Whonix-Gateway, it will be hard to make it enable Whonix-Workstation connections to clearnet. Whonix-Gateway fortunately does not enable IP forwarding, and you cannot enable it accidentally.

However, there are loads of subtle ways to shoot yourself in the foot.

That is why we have pages such as:

Generally, there is no shortcut to reading documentation.

The more you know, the safer you can be.
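The point above about the gateway not enabling IP forwarding is something a user can verify rather than take on trust. The script below is an added example, not Whonix project code: it reads the kernel forwarding switches under /proc/sys and reports whether any of them is on, which is the condition under which a gateway kernel could pass workstation packets straight to clearnet. The optional root-directory parameter and the `make_fake_proc` helper are assumptions made here so the check can also be run offline against a constructed snapshot; on a live Whonix-Gateway you would call `forwarding_audit` with no argument.

```shell
#!/bin/sh
# Added example (not Whonix code): audit the kernel forwarding switches
# that would let a gateway route workstation traffic directly to clearnet.
# The first argument is the root under which /proc is found; it defaults
# to "/" and exists only so the check can run against a copied or
# constructed tree.

# Usage: forwarding_audit [ROOT]
# Prints one line per sysctl. Returns 0 if every forwarding switch is off,
# 1 if at least one is on, 2 if a switch could not be read at all.
forwarding_audit() {
    root="${1:-/}"
    status=0
    for key in net/ipv4/ip_forward \
               net/ipv6/conf/all/forwarding \
               net/ipv6/conf/default/forwarding; do
        path="$root/proc/sys/$key"
        if [ ! -r "$path" ]; then
            echo "UNREADABLE $key"
            status=2
            continue
        fi
        value=$(tr -d '[:space:]' < "$path")
        case "$value" in
            0) echo "OK       $key = 0" ;;
            *) echo "FORWARDS $key = $value"
               if [ "$status" -eq 0 ]; then status=1; fi ;;
        esac
    done
    return "$status"
}

# Helper (assumed, for offline demonstration only): build a constructed
# /proc snapshot with the given IPv4 and IPv6 forwarding values.
# Usage: make_fake_proc DIR IPV4_VALUE IPV6_VALUE
make_fake_proc() {
    dir="$1"; v4="$2"; v6="$3"
    mkdir -p "$dir/proc/sys/net/ipv4" \
             "$dir/proc/sys/net/ipv6/conf/all" \
             "$dir/proc/sys/net/ipv6/conf/default"
    echo "$v4" > "$dir/proc/sys/net/ipv4/ip_forward"
    echo "$v6" > "$dir/proc/sys/net/ipv6/conf/all/forwarding"
    echo "$v6" > "$dir/proc/sys/net/ipv6/conf/default/forwarding"
}

# Stand-alone run: audit a constructed "safe" tree, then the live system.
if [ "${FORWARDING_AUDIT_DEMO:-1}" = 1 ]; then
    demo=$(mktemp -d)
    make_fake_proc "$demo/gateway" 0 0
    forwarding_audit "$demo/gateway"
    rm -rf "$demo"
fi
```

A non-zero exit status from `forwarding_audit` on a gateway is a reason to stop and investigate, not something to "fix" by hand; the sysctl values only tell you what the kernel will do, and the firewall rules still have to be checked separately.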