Chapter 4g. Malware Mitigation.
One of the most common risks to a secure system that you will encounter is malware.
Despite what some may say about Linux, it is not immune to the threat of malware. The standard
approach most users take to prevent malware is a virus scanner. However, such a method is flawed:
by the time a scanner detects malware on your computer, the computer has already been
compromised, and all the scanner can do is attempt to clean up the mess. Additionally, a virus
scanner only detects known malware. Anything it has no signature for will get past it and
compromise your system.
The method described in this chapter provides a means of limiting the risk of a lasting
compromise of your Whonix Gateway and Whonix Workstation by malware. Rather than relying
on a virus scanner, it involves creating an additional virtual hard drive for persistent
storage of the files you want to keep, and then restoring the Whonix Gateway and the Whonix
Workstation from a known-clean snapshot after each use. The benefit of this method is that, if
either the Whonix Gateway or the Whonix Workstation is compromised by malware during your
session, the compromise is discarded along with the rest of that session's changes the next time
you restore the snapshot. Only what is stored on the separate persistent drive carries over, so
treat files kept there, whether you saved them or malware wrote them, with the same care as any
other download.
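The following script is an added example of the workflow just described, not part of this guide or of Whonix itself. It assumes VirtualBox as the hypervisor, VMs named "Whonix-Gateway" and "Whonix-Workstation", a baseline snapshot named "clean" and a disk controller named "SATA"; adjust these to your setup. It creates the persistent drive as a writethrough medium (which VirtualBox leaves out of snapshots, so it survives the restore while the system disk is rolled back), takes the baseline exactly once, and after each session does a hard power-off followed by a snapshot restore. The baseline step refuses to overwrite an existing snapshot, so a VM that has already been used online cannot quietly become the restore point. VBoxManage is called through an injectable runner, and the FakeVBox class is a constructed stand-in that lets the sequence be exercised offline.

```python
"""Baseline/restore workflow for Whonix VMs under VirtualBox (added example, not
from the guide). Assumed: VirtualBox hypervisor, VMs "Whonix-Gateway" and
"Whonix-Workstation", baseline snapshot "clean", disk controller "SATA"."""
import subprocess
from typing import Callable, List

# A runner takes VBoxManage arguments and returns stdout; injecting it lets the
# workflow be exercised offline with FakeVBox below.
Runner = Callable[[List[str]], str]


def run_vboxmanage(args: List[str]) -> str:
    """Real runner: invoke VBoxManage and raise on a non-zero exit."""
    return subprocess.run(["VBoxManage", *args], check=True,
                          capture_output=True, text=True).stdout


def vm_state(vm: str, run: Runner) -> str:
    """VMState from 'showvminfo --machinereadable', e.g. "running" or "poweroff"."""
    for line in run(["showvminfo", vm, "--machinereadable"]).splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "VMState":
            return value.strip().strip('"')
    raise RuntimeError(f"could not determine the state of {vm}")


def has_snapshot(vm: str, name: str, run: Runner) -> bool:
    """True if a snapshot called `name` exists (keys SnapshotName, SnapshotName-1, ...)."""
    try:
        out = run(["snapshot", vm, "list", "--machinereadable"])
    except subprocess.CalledProcessError:
        return False  # VBoxManage exits non-zero when a VM has no snapshots
    return any(l.startswith("SnapshotName") and l.endswith(f'="{name}"')
               for l in out.splitlines())


def attach_persistent_disk(vm: str, path: str, size_mb: int, run: Runner,
                           controller: str = "SATA", port: int = 1) -> None:
    """Create and attach the extra drive whose files must survive the restore.
    It is marked writethrough: VirtualBox leaves writethrough media out of
    snapshots, so the restore rolls back the system disk but not this one."""
    run(["createmedium", "disk", "--filename", path, "--size", str(size_mb),
         "--format", "VDI"])
    run(["modifymedium", "disk", path, "--type", "writethrough"])
    run(["storageattach", vm, "--storagectl", controller, "--port", str(port),
         "--device", "0", "--type", "hdd", "--medium", path])


def take_baseline(vm: str, name: str, run: Runner) -> None:
    """One-time step on a freshly installed, powered-off VM that has never been
    online. Refuses to replace an existing baseline, so a VM that has already
    been used cannot become the restore point by accident."""
    if vm_state(vm, run) != "poweroff":
        raise RuntimeError(f"{vm} must be powered off before taking the baseline")
    if has_snapshot(vm, name, run):
        raise RuntimeError(f"{vm} already has snapshot {name!r}; reinstall rather "
                           "than re-snapshotting a used VM")
    run(["snapshot", vm, "take", name])


def restore_after_session(vm: str, name: str, run: Runner) -> str:
    """Discard the session: hard power-off (not an ACPI shutdown the guest could
    intercept), drop any saved state, roll back to the baseline. Returns the
    VM state afterwards ("poweroff" on success)."""
    state = vm_state(vm, run)
    if state == "saved":
        run(["discardstate", vm])
    elif state not in ("poweroff", "aborted"):
        run(["controlvm", vm, "poweroff"])
    run(["snapshot", vm, "restore", name])
    return vm_state(vm, run)


class FakeVBox:
    """Constructed stand-in for VBoxManage: records calls, fakes state and snapshots."""

    def __init__(self, state: str, snapshots: List[str]) -> None:
        self.state, self.snapshots, self.calls = state, list(snapshots), []

    def __call__(self, args: List[str]) -> str:
        self.calls.append(args)
        if args[0] == "showvminfo":
            return f'name="{args[1]}"\nVMState="{self.state}"\n'
        if args[0] == "snapshot" and args[2] == "list":
            return "\n".join(f'SnapshotName{"-%d" % i if i else ""}="{s}"'
                             for i, s in enumerate(self.snapshots))
        if args[0] == "snapshot" and args[2] == "take":
            self.snapshots.append(args[3])
        if args[0] in ("controlvm", "discardstate"):
            self.state = "poweroff"
        return ""
```

In real use, call `attach_persistent_disk` and `take_baseline` once per VM straight after a fresh install, before the VM has ever been online, and `restore_after_session(vm, "clean", run_vboxmanage)` for both the Gateway and the Workstation at the end of every session. The power-off is deliberately the hard `controlvm poweroff` rather than an ACPI button press, because a compromised guest could otherwise delay or intercept its own shutdown.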
While this method provides a fairly good way to mitigate the risks associated with malware,
do not become overconfident in it and get reckless with your networking habits. This method
only works against malware that stays confined to the Whonix virtual machines. If the malware is
advanced enough to break out of the virtual machine and compromise your host, this method will
no longer do you any good, and your entire system will no longer be secure. Additionally, ordinary
malware that infects the VM can still compromise communications you believed to be encrypted for
as long as that session lasts, which weakens a significant aspect of the security methods
discussed earlier in this guide. Therefore, while this method mitigates a persistent install of
malware in your Whonix Gateway or Whonix Workstation, remember that it is still best to avoid
malware compromise entirely.
Also be aware that if you create a snapshot of either the Whonix Gateway or the Whonix
Workstation after it has been compromised, and you then use that snapshot for this method, the
mitigation techniques described in this chapter will be essentially worthless: every restore will
simply reinstate the compromise. Thus, if you've already used the Whonix Gateway or Whonix
Workstation to visit risky internet sites, consider doing a fresh install of Whonix as described
in this guide before implementing the method in this