Anti-virus and VM?


  1. Posts : 7,128
    Windows 10 Pro Insider
       #1

    Anti-virus and VM?


    This is not a problem I need solved; it's just a question out of curiosity.
    Using Windows 10 as the host I was running Linux in a VM and was surfing the web with Firefox. I clicked on a link and my anti-virus popped up a warning about the site being blocked. My question is how did it know what link I clicked on? The AV was running in Windows.


  2. Posts : 822
    Microsoft Windows 10 Pro 64-bit
       #2

    Most antivirus products use HTTPS interception to overcome this issue. This involves installing a local proxy server that creates fake SSL certificates. When you visit an HTTPS website, your connection is routed through your antivirus’ proxy server, which creates a new SSL certificate and checks the safety of the site you’re trying to access. If your antivirus software judges the website to be safe, the site loads as normal. If the website is unsafe, the proxy will display a warning in your browser.

    There are a few ramifications here:
    Is Your Antivirus Software Spying On You? | Restore Privacy

    - Because your antivirus is faking SSL certificates, there’s no way to be 100 percent certain that the website displayed in your browser is the real deal. In late 2017, Google Project Zero researcher Tavis Ormandy discovered a major bug in Kaspersky’s software. In order to decrypt traffic for inspection, Kaspersky was presenting its own security certificates as a trusted authority, despite the fact that the certificates were only protected with a 32-bit key and could be brute forced within seconds. This meant that all 400 million Kaspersky users were critically vulnerable to attack until the company patched the flaw.
    - Most antivirus products query the safety of a URL server side, which means the company could potentially track your browsing habits if they wanted to.
    - It increases the risk of phishing attacks and man-in-the-middle exploits.

    A team of researchers even published a paper on the troubling security implications of HTTPS interception by popular antivirus companies, where they noted:

    As a class, interception products [antivirus solutions that intercept HTTPS] drastically reduce connection security. Most concerningly, 62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities. We investigated popular antivirus and corporate proxies, finding that nearly all reduce connection security and that many introduce vulnerabilities (e.g., fail to validate certificates). While the security community has long known that security products intercept connections, we have largely ignored the issue, believing that only a small fraction of connections are affected. However, we find that interception has become startlingly widespread and with worrying consequences.
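Added example, not part of the posts above: one way to check whether a local product is re-signing HTTPS traffic as post #2 describes is to compare the issuer of the certificate this machine receives with the issuer recorded for the same site from an independent vantage point. The host name, CA names and product name below are constructed sample values, and `fetch_cert` is a helper written for this example.

```python
import socket
import ssl

def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl.getpeercert() dict into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def fetch_cert(host, port=443, timeout=5):
    """Return the validated certificate as presented to this machine (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def compare_issuers(local_cert, reference_cert):
    """Report issuer fields that differ between the local and the reference view."""
    local, ref = issuer_fields(local_cert), issuer_fields(reference_cert)
    changed = {
        key: (ref.get(key), local.get(key))          # (reference, local)
        for key in sorted(set(local) | set(ref))
        if local.get(key) != ref.get(key)
    }
    return {"resigned": bool(changed), "changed": changed}

# Constructed sample: the certificate as seen from a machine with no interception.
REFERENCE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
# Constructed sample: the same site as seen behind a local inspecting proxy.
LOCAL_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("organizationName", "Example AV Vendor"),),
               (("commonName", "Example AV Web Shield Root"),)),
}

if __name__ == "__main__":
    # Offline demonstration; use fetch_cert("your.site") for the live local view.
    print(compare_issuers(LOCAL_CERT, REFERENCE_CERT))
```

A differing issuer is a prompt to inspect the local trust store rather than proof of interception, since a site can legitimately change certificate authorities or serve different certificates from different edges.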


  3. Posts : 7,128
    Windows 10 Pro Insider
    Thread Starter
       #3

    What I don't understand is how does a security program running in Windows see what is happening in a program running in VMware. Shouldn't programs running in a VM be isolated from Windows? If not, what is stopping a virus launched in a VM from infecting the host Windows 10 OS?