by cookiengineer 1735 days ago
> But since WSL 2 it does use a VM.

As a related sidenote: Try doing an apt install metasploit inside a "VM" while an antivirus is running on the host.

You'll soon realize that the "VM" will be bricked by quarantine actions on the NTFS-based filesystem, which kind of defeats the reason of the V in VM.

I fear once more people realize this, there'll be NTFS stream-based "hidden" malware and other filesystem-rights-abusing tools everywhere all over again.

2 comments

That’s because the VM has hooks into the host filesystem though, isn’t it? Does it still happen if the VM is fully isolated from host resources (files, ports, devices)?

Wouldn't simply activating file-level encryption in the Linux subsystem be enough to throw off Windows-based AV scanners?

I didn't test whether or not LUKS or similar filesystem-level encryption is transparently mapped to the Windows kernel.

Might be a good way to avoid this behavior. The default (from the Windows Store) Ubuntu-based VM, however, doesn't use filesystem-level encryption, and every folder or file inside the "VM" is available somewhere buried in the Roaming folders.

Yeah, you'd have to install LUKS or eCryptfs or something, but I think it would be worth a try. I expect Windows would only see the encrypted files then.