Building a Bulletproof Malware Lab on Proxmox: Isolation and Snapshot Guide

HomeLab tutorial - IT technology blog

The Danger of ‘Leaky’ Lab Environments

Many researchers start by running malware in a standard Virtual Machine (VM) using NAT or Bridged networking. This is a gamble. While it separates the guest from the host OS, it does nothing to stop a sample from scanning your local 192.168.1.x subnet, targeting your NAS, or joining a botnet via your home router. If you’re detonating a sample of LockBit or Emotet, a basic VM setup isn’t a shield—it’s a liability.

You need a ‘Black Hole’ network. This is a space where malware can execute, hunt for an internet connection, and fail miserably without ever seeing your real gateway. Proxmox is perfect for this. It gives you granular control over Linux Bridges and Open vSwitch, allowing you to create a digital cage that keeps the ‘beast’ contained. I’ve used this setup to analyze hundreds of samples without a single packet escaping to the local LAN.

Core Pillars: Isolation and State Preservation

Before you start clicking through the Proxmox UI, you must master two concepts: Network Isolation and State Preservation.

1. The Isolated Bridge (Host-Only)

A standard Proxmox bridge (vmbr0) usually maps to a physical port like eth0. For a sandbox, we create a new bridge, such as vmbr1, with no physical port attached. VMs on this bridge can talk to each other, but they have no path to the internet or, as long as the bridge itself carries no IP address, to the host. To simulate traffic, we route them through a controlled environment like INetSim rather than a real router.

2. The ‘Golden Image’ Strategy

Malware analysis is inherently destructive. Once a sample runs, the OS is ‘burned.’ You can’t just hit undo. This is where snapshots shine. In a real-world workflow, you build a ‘Golden Image’—a clean Windows 10 instance with 8GB of RAM, 4 vCPUs, and your full toolset—then take a snapshot. Reverting an 80GB disk image takes less than 15 seconds, ensuring every test starts from a pristine state.

Hands-on Practice: Building the Lab

Here is the step-by-step configuration for your network and analysis machines.

Step 1: Creating the Air-Gapped Network

Open your Proxmox web interface and head to System > Network. We are going to build a virtual switch that leads nowhere.

  1. Click Create > Linux Bridge.
  2. Name it vmbr1.
  3. Leave the Bridge ports field completely empty. This is the ‘air-gap.’ Without a physical port, the bridge is an island.
  4. Skip the IP settings: giving the bridge an address would put the Proxmox host itself on the sandbox network. Let your Lab Gateway handle the internal addressing.

Prefer the command line? Edit /etc/network/interfaces via SSH:

auto vmbr1
iface vmbr1 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#MALWARE-LAB-ISOLATED

Apply the changes with ifup vmbr1.

Step 2: Configuring the Flare-VM

Mandiant’s Flare-VM is the gold standard for Windows analysis. When creating your VM, use these settings to make the guest harder for a sample to fingerprint as a sandbox:

  • BIOS: OVMF (UEFI).
  • Machine: q35 (supports modern drivers and PCIe passthrough).
  • Network: Set the Bridge to vmbr1.
  • Guest Agent: Disable the QEMU Guest Agent. Advanced malware often checks for the qemu-ga process; if it finds it, the malware will play dead to avoid being analyzed.
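Before the first detonation it is worth verifying that Step 1 and Step 2 actually produced what they promise: that the vmbr1 stanza has no ports and no address, and that every NIC of the analysis VM is attached to vmbr1 rather than vmbr0. The script below is an added example (not from the original post or from Proxmox); it reads the interfaces file and the qm config output as text, and the sample inputs at the bottom are constructed, with a made-up MAC address and VM name.

```bash
#!/usr/bin/env bash
# Pre-flight check for the isolated bridge: (1) the bridge stanza in
# /etc/network/interfaces has "bridge-ports none" and no address/gateway,
# so the host is not reachable through it; (2) every NIC of the analysis
# VM (qm config output) is on that bridge. Inputs are passed as text so the
# functions run offline; on a real host pass "$(cat /etc/network/interfaces)"
# and "$(qm config <vmid>)" (hypothetical usage, adjust to your VMID).

bridge_is_isolated() {                 # usage: bridge_is_isolated vmbr1 "$interfaces_text"
    local stanza
    stanza=$(printf '%s\n' "$2" | awk -v b="$1" '
        $1=="iface" && $2==b {s=1; print; next}
        ($1=="iface" || $1=="auto") {s=0}
        s {print}')
    [ -n "$stanza" ] || return 1                                            # bridge not defined
    printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*bridge-ports[[:space:]]+none[[:space:]]*$' || return 1
    printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*(address|gateway)[[:space:]]' && return 1
    return 0
}

vm_nics_on_bridge() {                  # usage: vm_nics_on_bridge vmbr1 "$qm_config_text"
    local nics
    nics=$(printf '%s\n' "$2" | grep -E '^net[0-9]+:')
    [ -n "$nics" ] || return 1                                              # VM has no NIC at all
    # Append a comma to each line so "bridge=vmbr1," matches whether or not it is the last option.
    printf '%s\n' "$nics" | sed 's/$/,/' | grep -Evq "bridge=$1," && return 1
    return 0
}

lab_preflight() { bridge_is_isolated "$1" "$2" && vm_nics_on_bridge "$1" "$3"; }

# Constructed sample inputs (not captured from a real host).
SAMPLE_IFACES='auto vmbr0
iface vmbr0 inet static
        address 192.168.1.10/24
        bridge-ports eth0
auto vmbr1
iface vmbr1 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#MALWARE-LAB-ISOLATED'
LEAKY_IFACES='auto vmbr1
iface vmbr1 inet static
        address 10.0.0.1/24
        bridge-ports none'
SAMPLE_VMCFG='name: flare-vm
net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr1,firewall=1'
LEAKY_VMCFG='net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr1
net1: e1000=DE:AD:BE:EF:00:02,bridge=vmbr0'

lab_preflight vmbr1 "$SAMPLE_IFACES" "$SAMPLE_VMCFG" && echo "preflight OK: VM is confined to vmbr1"
```

A second NIC on vmbr0, or an address accidentally assigned to vmbr1, is exactly the kind of quiet misconfiguration that turns the black hole into a leaky lab, and both make the check fail.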

Step 3: Simulating the Internet with REMnux

Malware often stays dormant if it can’t ‘phone home.’ We use REMnux on the same vmbr1 bridge to trick the malware. By running INetSim, REMnux spoofs DNS, HTTP, and SMTP services. When the malware tries to reach a C2 server at evil-domain.com, REMnux steps in, says ‘I am that server,’ and provides a fake 200 OK response. This keeps the malware active so you can observe its behavior.

Step 4: The Snapshot Workflow

Once your Windows VM is loaded with tools, shut it down. This is your baseline.

  1. Go to the Snapshots tab.
  2. Click Take Snapshot and name it CLEAN_BASELINE.
  3. Include RAM to allow for instant resumes without a full boot sequence.

Ready to detonate? Boot from the snapshot, drag your malware in, and let it run. Once you have your logs and memory dumps, simply click Rollback. The infection vanishes instantly.

For those automating their labs, use the CLI:

# List existing snapshots
qm listsnapshot 101

# Roll back to the clean state
qm rollback 101 CLEAN_BASELINE

The Bottom Line

A great malware lab is defined by its architecture, not just its tools. By using a disconnected Proxmox bridge, you build a barrier that no setting inside the guest can cross. This, combined with a disciplined snapshot routine, keeps your home network safe while you tear apart the web’s most dangerous code. Start with one Windows VM and one REMnux instance. Watch the traffic. Once you master the isolation, you can scale to complex Active Directory sandboxes or automated processing pipelines.
