Processes inside the Docker VM

[Sam Hobbs]

Does Kaspersky look inside the Docker VM? See Hiding malware in Docker Desktop's virtual machine - Atlassian Community. That article says enough to know there is reason to be concerned but not enough for me to know much more. The important thing is that if Kaspersky does not look inside the Docker VM then it is entirely useless protection from that vulnerability.

[Demiad]

Hello

https://www.kaspersky.com/blog/linux-security-hybrid-cloud/41259/

Цитата

<...> We are also aware that a significant share of Linux machines are cloud servers, not physical machines running in clients’ offices. Moreover, thanks to the development of containerization technologies, it is now possible to run applications in containers, enabling admins to solve scalability issues, increasing application stability, and improving computing resource efficiency. Therefore, we focused on scenarios for deploying the solution in public clouds and protecting containerization platforms (Docker, Podman, Cri-O, and Runc). Those apply to both threat detection mode for launched containers, enabling techs to identify particular containers containing threats and specifying paths to malicious files (in a runtime environment), and as a service for checking container images on demand (both local and located in repositories). In the latter scenario, it is possible to launch Kaspersky Endpoint Security for Linux inside a Docker container and use it to scan other containers for threats using the RESTful API, which serves to automate the tasks of scanning container images, for example, in the CI/CD pipeline. <...>

 

[Sam Hobbs]

There are at least three situations here. One is that Linux itself might be infected. Another is that a Linux container might include an infection. I think a third is that something can execute within the VM in Docker independent of containers.

I don't know enough to be sure of any of that. So that article is useless for me. It is too technical to answer my question. If I understand it then it is covering the first two possibilities I describe above but not the third and it is the third that I am concerned about. In other words, I am concerned that systems with Docker installed are vulnerable without the Docker VM (or any portion of Docker) being modified and independent of the containers, including no containers.

Is it possible for something to execute in the Docker VM that does not require Linux itself to be modified and that is not part of any container and that Kaspersky is not monitoring?