Windows 10 Security and VirtualBox

Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Windows 10 Security and VirtualBox

Post by Oracleiscool »

I submitted a general question to MS Community Forum Windows 10, Security and Privacy about the Hyper-V and Windows Security System in the venue of a standard "Home" Windows OS. The question was to determine if it would be best to allow Windows 10 Security to see VirtualBox and Python (and other open source programs, etc.) or to exclude it from the system scanner(s).

So far, no one has touched the inquiry. Even HP admitted they have very few people on staff that understand the hardware/OS relationships as they are changing.

1. Early on in the ownership of our new HP laptop, I encountered problems with setting up dual-boot with W10, and some reading from MS explained that the "new" recovery partition W10 uses can be dynamically changed by the disk tools to hold larger system updates, and there were rules as to "where" and "what" the partition had to be loaded for W10 to use it for a "load point" (Had to start after the C: drive, or had to be located at the physical end of the drive, can't remember which, or both conditions applied). Also, there are hidden (no drive letters assigned) partitions to maintain a Windows Recovery Environment (RE) for the OS in case of a system failure. Outside of Windows (postings and blogs) there are some writings that discuss using the UNIX dd utility to delete, or pre-format a drive before you install Windows, but I have never seen that work properly since Windows 98 SE. Lots of BSOD with weird coding errors.

2. Once I got the dual boot (Ubuntu) setup properly, about 3 reboots/restarts later, the W10 partition would "stop" allowing the Ubuntu kernel (or Grub) to load Ubuntu, but W10 kept up the Windows bootloader. It just ignored Linux. W10 disk manager showed the ext4 partition as "unknown" (at the end of the drive) and kept wanting to format it. So they were not playing nice. And they still don't.

So fTPM+SecureBoot+W10+HP= very few people really understand all the bits moving to secure the device, and I guess that having Linux outside of the WSL bash shell in W10 is not something MS wants in their environment. HP was honest in saying that this was all outside of their expertise, and each thing had its own vendors/engineers.

3. Yes, there are TPM tools for Linux. Yes, there are Secure Boot Tools for Linux (mok-utils). But, in very few circumstances (unless you really know what you are doing), can you get these tools to stick to the boot devices, and only for that running kernel. If the kernel updates from the vendor on the update channel, then all bets are off. You might brick your OS. (Windows AND Linux)

Update: Since I got no answer from the MS Community, I moved the question to the official support system. As would be expected, Tier 1 had no clue, so on to Tier 2, still way above their head, so now on to Tier 3 (Pro Support). (Heads up, the "new" system is now called "Windows Security" since 21H1 and will be the same for Windows 11. Windows Defender is gone...).

The system now has "enhanced security" since re-load. Is it the Windows Feature Experience Pack? Is it user profile tightening? (Lots of people posting lost password control). Controlled Folders Access is off by default, but can be turned on. I did and the Feature Pack and other Security routines keep popping up in Notifier as a possible security violation when they are just running and checking things (turned that off real quick). Guess they are still working on the exceptions list.

Checked Pro Support and their support division has not yet stood up a support element for Windows 10 Ver 21H1, as it is still in optional status. And they still have not put a team in place to support "Windows Security" under 21H1. And it is a pay by incident service, payment is required before support is offered, and if the incident has multiple issues, each incident is a billable issue.

The only other way to reach out to them is via the MS feedback hub. I have never seen a response in that system, ever. So I am at an impasse with this. As I said to them (MS) at tier 2, I have other machines without MS Windows I can use to run VB, and will probably stick to that until they can get a better support system worked out. Or 2025 rolls around and this will not matter.

As a matter of suggestions for the future, I think (if all things as they are stay as they are in Windows Pro) that Pro may be the way to go around these issues. At least with Pro you are supposed to have positive authoritative control of Hyper-V, Boot Devices, Windows Security, etc. But that may change with Windows 11 (and Pro 11?)

I think they (MS) are really locking Windows down (because of business requirements for security), and they now own the device if they are on the device. (Remember the old C: drive loading from older Windows installs (DOS) that you MUST have a C: drive for booting to happen? We are going back to absolutes with no wiggle room)
Last edited by Oracleiscool on 25. Sep 2021, 15:27, edited 4 times in total.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Windows 10 Security and VirtualBox

Post by scottgus1 »

Interesting questions.

Forum gurus and myself tend to let Microsoft Windows Defender (the built-in AV in 10) run free-rein on the computer, and we never have trouble with Virtualbox. (Personally, I'm glad that Microsoft noticed that being the number 1 vector for malware was not such a hot marketing point and decided to do something about it. :lol: )

When folks disable Defender and install 3rd-party AV, then Virtualbox might begin to have trouble. 3rd-party AV does not often fully understand Windows like Microsoft does, so it has to use some of the same tricks malware uses to get into Windows processes and scan things. Virtualbox tries to keep a lookout for the malware tricks, and sometimes cannot tell a tricky malware from a tricky AV. In such situations, hardening errors may begin. Under such circumstances, using 3rd-party AV, it may be necessary to set exceptions to prevent 3rd-party AV from scanning Virtualbox processes. This kind of exception is not necessary with Defender.

One situation where setting exceptions whether for 3rd-party or Defender could be good is where the exceptions are on the VM folders and disk files. These files are being used by active OS's in the running VMs. A host virus scanner can read the disk files and memory of the running VM and could reach in and grab a file or process that apparently matches a virus signature. Only thing is, the host AV does not tell the VM's OS it is taking the item, so the VM's OS suddenly is missing an item it for certain knew was there and may have trouble or crash.

So it may be wise to:
  • Whether using Defender or 3rd-party AV, set exceptions for the VM folders and files in the host AV, but also run AV inside each VM. Then the in-VM AV can properly scan the VM OS and report properly when a catch is made.
  • If Windows Defender is used, no need to set exceptions on Virtualbox files.
  • If 3rd-party AV is used, it may be necessary to set exceptions on Virtualbox files.
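
The exclusion advice in the post above, sketched for Microsoft Defender as an added example that is not part of the original thread: it reports which VirtualBox VM data folders are not yet covered by a Defender path exclusion and adds them only when asked. It assumes VirtualBox is installed in its default location and that the session is elevated; the function names are hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Assumptions: VirtualBox sits in its default install path and Microsoft
# Defender is the active antivirus on the host.
$VBoxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'

function Get-VBoxDataFolder {
    # Default machine folder plus the folder of every registered disk image.
    if (-not (Test-Path $VBoxManage)) { throw "VBoxManage not found at $VBoxManage" }
    $found = @()
    foreach ($line in (& $VBoxManage list systemproperties)) {
        if ($line -match '^Default machine folder:\s+(.+)$') { $found += $Matches[1].Trim() }
    }
    foreach ($line in (& $VBoxManage list hdds)) {
        if ($line -match '^Location:\s+(.+)$') { $found += Split-Path -Parent $Matches[1].Trim() }
    }
    $found | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique
}

function Test-ExclusionCovers {
    param([string[]]$Exclusions, [string]$Folder)
    # A folder is covered when it equals an excluded path or sits below one.
    $target = $Folder.TrimEnd('\') + '\'
    foreach ($ex in $Exclusions) {
        if (-not $ex) { continue }
        $prefix = $ex.TrimEnd('\') + '\'
        if ($target.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Sync-VBoxDefenderExclusion {
    param([switch]$Apply)
    $current = @((Get-MpPreference).ExclusionPath)
    foreach ($folder in (Get-VBoxDataFolder)) {
        $covered = Test-ExclusionCovers -Exclusions $current -Folder $folder
        if (-not $covered -and $Apply) {
            # Only VM data folders are excluded; the VirtualBox program
            # files stay scanned, as the post says Defender needs no exception there.
            Add-MpPreference -ExclusionPath $folder
            $covered = $true
        }
        [pscustomobject]@{ Folder = $folder; Excluded = $covered }
    }
}

# Report only; rerun as "Sync-VBoxDefenderExclusion -Apply" to add what is missing.
Sync-VBoxDefenderExclusion
```

An excluded VM folder is no longer inspected by the host scanner, which is why the post pairs the exclusion with running AV inside each guest.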

Post by Oracleiscool »

Removed by user and added to first post
Last edited by Oracleiscool on 25. Sep 2021, 15:29, edited 1 time in total.

Re: Windows 10 Security and VirtualBox

Post by scottgus1 »

RE HP, personally I'd wipe the drive (after a disk image) or put in a new drive and keep the original one aside if the warranty allowed it, and fresh-install the OS. HP et al installs plenty of bloatware on their PCs that ultimately slow down the PC. And HP's ProtectTools suite interferes with Virtualbox.

Also, the core isolation enables Hyper-V, which can interfere with Virtualbox. So might the enhanced security and protected folder access. See "I have a 64bit host, but can't install 64bit guests", posts 2 & 3. Also see "VERR_NEM_VM_CREATE_FAILED: What do I do?" and "HMR3Init: Attempting fall back to NEM (Hyper-V is active)" for indications that Hyper-V is interfering with Virtualbox.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Windows 10 Security and VirtualBox

Post by mpack »

I was helping our IT guy set up my new HP computer at our office this week (nice i9 desktop box). Despite deploying a standard company Win10 site-licensed image, the HP ProtectTools crap still surfaced. I get the feeling that on a new PC these tools get downloaded and installed along with hardware drivers, and then have to be explicitly uninstalled/disabled.

I'm not entirely sure of the mechanism. BillG would know this stuff.

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

Hi Team,

Yes to all the above. Here is the real deal, and I do not know it as a fact, just an uneducated guess. (Scott, thank you for the advice on the drive, the machine is just out of warranty and has the A9-9425 R5 AMD chipset/Realtek Audio/Modem stuff, so no Win 11 for me (Linux in 2025!));

Because of the new UEFI/GPT firmware and the newer AMD-V (fTPM and embedded processor cores), there are all kinds of places for OEMs and OS engineers to put tools for Diagnostics. They are in the BIOS by default, and I (think) they will communicate with the OS-level OEM tools to provide a recovery system outside of the normal (the way we would fix it sort of thing, I've been around since the Motorola CPM 1.0 from Microsoft) world.

I guess it all comes down to control and access. And who really owns your machine (do you really own it, or do you just get to borrow time on it if you follow the ten most important rules in the customer agreement!). It is a real problem.

I know that when Win 10 loads, it takes a look at update servers from its OEM and OS files, and if it sees updates, they will download (or offer an optional "software component" from the OEM.... (good luck trying use the revision codes to determine what is actually updating from the OEMs)).

And sometimes, these things will upset the core OS, then we get weird system operations, then the AV kicks in, and no messages about what happened, as it was all "approved for release" and "official". Wow. :o

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

So now we can add this new twist: (It just gets deeper...)

I just turned on the HP machine this morning to see what the "Windows Feature Experience aka SAM" (WinSAM.ex*) was doing in my controlled folders yesterday (That set off the CDROM alert) and I now have the "new" Administrator account icon in the sign-in group. It has no password system, just a box to Sign In. It is set up as only a local account, but I could change it to a MS account if I wanted to, I guess?

This is, I think, part of that new password-less accounts that MS announced this week, brought to you by way of the new Windows Feature Experience Pack. It set up like a newly added account. It must be using the new "enhanced" security system to verify the hardware is official. Now, will this Admin account run be locked down so that no external systems (VirtualBox and Python) can operate? (And it turned on One Drive, their cloud system also).

As of today (25 Sept): The new admin account now auto-signs-in, no radial button to Sign In. No password. Just Administrator (Local Account).

The weirdness continues.... :roll:

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

Dear Forum,

Just an update. Still no answer from MS Community. I think the updates for their new OS (Win 11) have got their attention. And the obvious is why would they want to support open source when you can buy their system parts and turn on their virtualization system (Hyper-V) in the OS and keep it all under their security system.

I have just re-installed VirtualBox on Windows 10, Ver 21H1. Just a few notes about the install, as they pertain to Windows 10;

1). If you have a computer built by an OEM, then you need to get all the features of the hardware "aware" in Win 10.

As I learned the hard way, the OEM load from the factory, recent BIOS/TPM and Secure Boot (UEFI) updates from both the OEM and MS were installed, but not "aware". A fresh re-install (Or a drive backup, and complete wipe) of Win 10 was required to make all the hardware see all the software (and turn on all the enhanced security in Win 10). This is necessary if you want to have complete control over the OS (as a host) and be able to control the system.

In my case, my TPM was not properly setup (So my passwords and security were weak), BIOS was not properly enabled for Virtualization, Secure Boot was also weak (but passing the defaults to the windows bootloader), the Windows Security Suite (Defender) was at standard when it should have been displaying enhanced as default (And for 21H1 Windows Security by name was known as Defender previously). You need all this first, then check the OEM and MS for all updates BEFORE you even think about VirtualBox!

I have read in these forums over the years that a proper update, a reboot, a power-off, etc. was the reason VirtualBox failed to run properly. You may think your system (like me) was up to date, but think again. I knew my system should (by specification) be able to run enhanced security, but was only using standard. When I answered the why and fixed it, now I have COMPLETE control over the device (including when and what it scans, which is super important for VirtualBox to run properly).

2. Make a friendly environment for VirtualBox and Python (correct version) when you download the executables. I took the extra precautions of excluding the files before I installed into the Windows Security Exclusion system under Virus and Threat Protection. Then, before any other setups after install, I excluded the folders and files for those installs (VirtualBox, its Host Extension Pack and Python) from Security. Windows tried to stop the VirtualBox console by throwing an error (full stop), but all that was required was a power-off for 2 minutes, then back on, and ta dah! Back in business. Never saw a warning from windows, but we all know they were watching, just could not control the file since it was excluded. :D

3. Give Windows some time to gather all of its bits for a week or so before you load VirtualBox! There were some anomalies that were encountered after the proper Windows Setup was done, and you want to know if all the stuff you worked on is working properly! Better to fix Windows as Windows before you add VirtualBox and a whole different OS! (I hope you already backed up all your personal files!)

Some setup items I noticed during VirtualBox Guest Setup (I used latest Ubuntu as MS knows their OS and it is like Debian);

Do not touch the OS system settings after you enter the type of guest in the New Guest System! Let VirtualBox probe the guest OS and setup the proper environment. It is really smart software, and can see a lot of things and knows what to do, so let it do its thing!

Format the drive using a fixed drive in VHD (MS can see this as a friendly drive space) and you will avoid any possibility of security glitches from the MS Security System. It will also allow the guest OS to have a fixed point to load from every time.

Ubuntu has a glitch in it during install (default VirtualBox System Settings) that affected the VDI/dynamic drive partitioning for the boot partition. I set the partition manually, to look like a Windows partition set with Ubuntu as the main OS (1st part 250MB, Fat32,/Windows then 2nd part 500MB /boot, ext4, then 3rd part ext4 large partition, set as /, then a swap partition) (some space). I know swap is now a file, but old habits die hard, and swap is such a mystery so better safe than sorry.....

You can do what you want here, but I just know that you need to define your own partitions, their automatic feature (boot.efi) is having trouble in a VHD partition setting the boot file (or is hiding it from the user, not sure which). Yes, I tried the auto format, and the OS (Ubuntu) ran, but it was slow to no go (drive errors, like it was in the old Windows 98 MS-DOS compatibility drive mode, remember those days?). The drive format update solved that issue. I hope this helps those who care to read. If I see any glitches form I will advise, as well as if I ever get an answer from MS Community.

Re: Windows 10 Security and VirtualBox

Post by scottgus1 »

Sounds like you got Virtualbox going on your computer, that's great!

I only want to point out one thing regarding security and Virtualbox:
Oracleiscool wrote: Format the drive using a fixed drive in VHD
This is not necessary. If for some reason the enhanced security balks at a VDI or a VMDK, block the folder containing the drive file in AV, same as when Virtualbox itself was blocked:
scottgus1 wrote: Whether using Defender or 3rd-party AV, set exceptions for the VM folders and files in the host AV
One other forum note:
Oracleiscool wrote: Removed by user and added to first post
Please avoid editing posts after a response has been made. Though this time the path of the conversation may not suffer, it can suffer due to edits, so we frown on editing after the conversation has continued on. Thanks!

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

Dear Team, (And scottgus1),

Thanks for the quick reply, and will comply with the rules on the edits in the future (as in don't) :oops:

Yes, I think that would be preferred (VDI vs VHD) and the type (dynamic or fixed).
As I said, I think it was more of an Ubuntu setup issue than VirtualBox (they have all that new UEFI stuff).
If I get any hard errors, I'll let Ubuntu know and send the report, and link it here if it is related to VirtualBox.

I had the VM folder (Main) excluded from Security, but will go back and specifically block the actual OS folder
(i.e. Ubuntu) and see what happens. Over a period of time (I'll watch and see). So far, so good!

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

OK, been a few hours/days, here come the issues:

First boot today, when start VB program, OK, then start Ubuntu VM. Crash. Here we go....

Failed to open a session for the virtual machine UBUNTU
Details:
Failed to load R0 module C:\Program Files\Oracle\VirtualBox/VMMR0.r0: SUP_IOCTL_LDR_OPEN failed (VERR_LDR_GENERAL_FAILURE).
Failed to load VMMR0.r0 (VERR_LDR_GENERAL_FAILURE).
Result Code:
E_FAIL (0x80004005)
Component:
ConsoleWrap
Interface:
IConsole (Console ID removed for security)

I tried last night to repair. Ran repair on VB program, ran OK. Still crashed VM. Powered off machine, VB program ran fine. VM started. Ubuntu ran fine. Closed. Started VM OK. Shut down Windows powered off. Restarted machine. Hung Boot (Secure Boot) stopped windows bootloader. Ran diagnostics in BIOS. No errors found. Re-ran boot (OK) Windows up, ran VB program, came up, but slow to run. Then loaded VM.... crash. Right now it is 50-50 on working.

Re: Windows 10 Security and VirtualBox

Post by scottgus1 »

That error web-searches to results meaning that Virtualbox is getting blocked by too much or too strong AV. Your computer's security is just too strongly set, I think.

See "Diagnosing VirtualBox Hardening Issues" and "I have a 64bit host, but can't install 64bit guests", post #2 & 3.

Also, try uninstalling Virtualbox, then restart the PC. Then run the Virtualbox installer again by right-clicking and choose Run As Administrator.

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

OK here are some new things;

Checked the system tonight and lo and behold, there were .net and 21H1 updates, and another 21H1 optional update. I allowed these to update the OS (one and a half hours) and reboot to compile in the OS, then more security scanning to verify the loads, and then, I cautiously started VB Program. CRASH. Same error as I posted earlier from the program error box (when starting Ubuntu).

So more work required. OK here are the things I tried that seem to help, but may or may not provide a resolution (permanent) as MS is updating lots of patches to fix long known problems in the OS before Win 11 rollout, and anything they don't want in their system is being affected, even though we told the OS to "exclude" or "ignore".

On last successful load out, I took out the restriction in settings for software from the MS Store as any available source. I noticed after I did that the UAC control kept biting on the VB .msi installer as a foreign program, and kept asking (multiple times) for administrative override. I did that as VB loaded, but after reboot, would still not load UBUNTU guest (same console error as above). Power off Win 10, then to UAC slider control, turned off all UAC function (no security warnings in greyed-out desktop), then installed VB Program again, then install and run was flawless. (Everything was good). I think we can all agree that UAC should not affect software loads, but IT DOES!

Shut (Powered down) Ubuntu Guest, VB Program, Win 10 Host. Turned on Win 10, VB, Ubuntu Guest (Crash) same error. Uninstalled VB, reboot.

Went to downloads folder. All software for VB and Python was missing from folder (do not ask me the obvious!) only had Ubuntu .iso file! :?

Weird. Signed out of account, signed into official administrator account. Security scan (several hours) no errors. sfc scan (another hour) no errors. Checked downloads folder, VB programs re-appeared (not sure where they went). Do not adjust your set, we are in control..... so says the Master Controller...... :twisted:

Re: Windows 10 Security and VirtualBox

Post by Oracleiscool »

Here is what I have found that works;

On Win 10 Home, Hyper-V is not supposed to be enabled as a service. It is not supposed to be an available feature. It shows on my PC in the Windows Features as not enabled, and if you do enable it, it sends back a message that it is not available in Home Edition.

Just from my own experience, if you turn on your BIOS Virtualization (AMD-V), and reboot, Win 10 Home sees it, and loads some code to turn on Hyper-V, but you never get the memo, and it never turns on the Windows Feature in the List :roll:

So I did the forum search for the specific VB Console failure, and that is here: viewtopic.php?t=90336#p453996
(After I did this, the console and guest operate normally, so I may not do the MS thing below, may not be needed, but still testing) :D

And it led me to this from MS in March 2021: https://docs.microsoft.com/en-us/troubl ... th-hyper-v

Now I feel like an idiot for not searching the MS Docs area better, but in my defense, this document did not appear in search until I searched with the specific console failure code.

Find it SAD that MS list VB as a third-party app. Time to put VB in the Microsoft Store! I do not like Hyper-V, now even less after this experience, as it messed with BOTH Windows and VirtualBox. Time for a GOT Moment..... Shame Shame Shame :evil:

Re: Windows 10 Security and VirtualBox

Post by mpack »

Oracleiscool wrote: On Win 10 Home, Hyper-V is not supposed to be enabled as a service.
Actually not true. You don't get an obvious way to create VMs, but the Hyper-v "engine" is still there and used for other purposes, mostly security overkill.

The NEM related "WHvCapabilityCodeHypervisorPresent is TRUE" line in the VM log is the easiest way I know of to be sure that the Hyper-v engine is running.
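
The log check described in the post above, as an added example that is not part of the original thread: it scans VBox.log lines for the markers quoted on this page and reports whether Windows itself sees a hypervisor underneath it. The sample log lines are constructed, the log path in the last comment is a placeholder, and the function names are hypothetical.

```powershell
# Added example (not from the thread): look for the Hyper-V markers quoted
# in this thread inside a VirtualBox VM log.
$Markers = [ordered]@{
    'WHvCapabilityCodeHypervisorPresent is TRUE' = 'Hyper-V engine is running on the host'
    'Attempting fall back to NEM'                = 'VirtualBox fell back to the NEM (Hyper-V) backend'
    'VERR_NEM_VM_CREATE_FAILED'                  = 'VM creation through NEM failed'
    'VERR_LDR_GENERAL_FAILURE'                   = 'VMMR0.r0 failed to load (error quoted earlier in the thread)'
}

function Find-VBoxHyperVMarker {
    param([string[]]$Line)
    # Emit one record per marker hit, with the 1-based line number.
    $n = 0
    foreach ($text in $Line) {
        $n++
        foreach ($m in $Markers.Keys) {
            if ($text -and $text.Contains($m)) {
                [pscustomobject]@{
                    LineNo  = $n
                    Marker  = $m
                    Meaning = $Markers[$m]
                    Text    = $text.Trim()
                }
            }
        }
    }
}

function Get-HostHypervisorState {
    # Win32_ComputerSystem.HypervisorPresent is TRUE when Windows is running
    # on top of a hypervisor, whether or not the Hyper-V feature shows as
    # enabled in the Windows Features list.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Edition           = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        HypervisorPresent = [bool]$cs.HypervisorPresent
    }
}

# Constructed sample lines (timestamps and prefixes are illustrative only).
$sample = @(
    '00:00:01.812345 HM: HMR3Init: Attempting fall back to NEM (Hyper-V is active)',
    '00:00:01.934567 NEM: WHvCapabilityCodeHypervisorPresent is TRUE',
    '00:00:02.100000 constructed filler line with no marker'
)

Find-VBoxHyperVMarker -Line $sample | Format-Table LineNo, Marker, Meaning -AutoSize
Get-HostHypervisorState

# Against a real log (placeholder path):
#   Find-VBoxHyperVMarker -Line (Get-Content '<VM folder>\Logs\VBox.log')
```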