Threat alert while using whonix . Is whonix safe ?

I got a threat alert in my orginal pc while using whonix . There is a security vulnerability in whonix.

You probably mean the host operating system.

That doesn’t follow.

Created a few new wiki chapters to elaborate.
(Whonix is based on Kicksecure.)

Detecting Malware Infections in Kicksecure wiki

could be a false-positive:
False-Positive Antivirus Reports in Kicksecure wiki

To prove that there’s an actual security vulnerability, one would need to provide something listed here:
Proofing an Actual Security Vulnerability in Kicksecure wiki

Just because it shows VirtualBoxVM.exe doesn’t mean you can attribute it to some specific project due to file infecting viruses which can infect other files:
Attribution of Security Vulnerabilities to Software in Kicksecure wiki

I don’t know what antivirus software you’re using (and not sure it would help to know but then performing a web search might be possible). Therefore cannot know how that antivirus software gets such conclusions. There are many possibilities:

  • a false-positive
  • the antivirus software thinks it’s that hostname because a connection was made to an IP address which is or previously was related to that alleged phishing website
  • it’s a shared IP address in some data center which is shared with a Tor entry guard
  • the IP / hostname database of the antivirus software is outdated upstream (meaning, you local database might be up to date but it’s outdated in the vendor’s database so you’ll have the outdated version too)
  • your host computer has an actual virus infection with a file-infecting virus that injects itself into other (executable) files

Since it’s difficult / impossible to talk to someone from the antivirus software company that could shed light on this, we likely won’t find out. (I don’t mean level 1 IT support that neither has access to the antivirus database nor even basic malware analyst skills and just tries to close the ticket by providing some canned reply.)


I use bitdefender antivirus

I suggest not using Windows as your main OS for whonix. If you don’t want to dual boot an OS like Debian or some other linux distro, I found installing it on a usb drive works very well, might take some configuration in your bios. Are you running any other VMs? That is just Bitdefender’s network scanner picking up domains it sees. Were you going to a clearnet site? If so, it could have been a malicious ad or some kind of cross site scripting attack that embedded malicious javascript in a page. Just a guess. Regardless, if you’re on the tor network then Bitdefender won’t be able to see the traffic but regardless, it is sending a lot of data back to the company. I used to use Bitdefender on Windows, still do for my main gaming OS but if you’re going to use Whonix I would stick to open source software as Patrick has pointed out many times. Windows also sends back an insane amount of telemetry data. Fortunately they at least let you edit the host file and block domains.
If you insist on staying on Windows I suggest taking a look at this page:
at the bottom there is a link to their host file that blocks literally every Microsoft domain. But take caution because this can make a lot of things on Windows stop working completely (Microsoft store, xbox app, even online outlook for email). I used an http debugger to figure out which ones were necessary for what I used and just commented them out. Though even then they are probably still sending back some sort of metadata about your pc. Seems like all proprietary software is spyware these days. It’s a shame Microsoft still holds a monopoly on gaming (DirectX rather), that’s really the only reason I still use it.

Sophisticated malware with the capability to exploit an operating system or even included in the operating system by vendor default would likely not just only connect to some obscure phishing website which can be found in an antivirus database. That database is probably just there to defend users from clickjacking, from visiting phishing websites. A phishing website does by definition only that, phishing. It’s not being implied that the website performs vulnerability exploitation.

The point of a phishing website is that a user visits that website with a web browser and enters private information such as for example bank account numbers.

If a torjan horse (malware or “virus”) was reported and confirmed that would be concerning.