Recently, we've had three clients report that the VM is not working. All three client VMs have been working without issue for at least several months now. All three have SentinelOne Endpoint Security installed on the host system.
The VMs are failing when run using Headless Start, but work fine (as far as I can tell) on Normal Start. The error we're getting in each case is:
The VMs only produce Hardening Logs when run on Normal Start, but not Headless. I gather this means some other software (I suspect SentinelOne) is interfering with the Headless EXE before it has a chance to write to the log. I have attached a version of the logs folder for both Headless and Normal. In a couple of the cases, IT has confirmed that SentinelOne did not report blocking anything to do with VirtualBox. But I think some people on this forum have suggested that - due to the way VBox Hardening works - that doesn't necessarily mean SentinelOne isn't the culprit.Failed to open a session for the virtual machine <name>.
The virtual machine '<name>' has terminated unexpectedly during startup with exit code -1073741819
E_FAIL (0x80004005)
I'm thinking there must have been an update, either to Windows or SentinelOne, that might explain why these clients started failing at the same time. There were no updates to their VirtualBox versions or our VM around the time of the reported issues.
We have tried VBox 6.1.26 and 6.1.34. We also tried VBox 5, but in every case the Manager for version 5 wouldn't even start and gave us an error in the event viewer (apologies I don't have a screenshot of that).
I don't think this gives much more detail, but here's the event viewer error we get for Headless start in VBox 6:
Interestingly, in one case the client IT was willing to temporarily uninstall SentinelOne and restart the host computer. When we tried running the VM in Headless, it gave us a different error. I'm at the attachment limit on this post but I'll copy the description here:Faulting application name: VBoxHeadless.exe, version: 6.1.34.636, time stamp: 0x623a5dfe
Faulting module name: VBoxHeadless.exe, version: 6.1.34.636, time stamp: 0x623a5dfe
Exception code: 0xc0000005
Fault offset: 0x0000000000014e0b
Faulting process id: 0xc28
Faulting application start time: 0x01d881c8945baeb8
Faulting application path: C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
Faulting module path: C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe
Report Id: 5ffd9d54-b636-45e1-916b-319dc1b60a85
Faulting package full name:
Faulting package-relative application ID:
After getting that new error, we re-imported the VM in VBox and then it worked! The IT even re-installed SentinelOne, rebooted the computer - and we were still able to start from Headless. I don't know if there were other factors at play, but it seems like the temporary uninstall of SentinelOne might have had something to do with it.Failed to open a session for the virtual machine
The VM session was closed before any attempt to power it on
E_FAIL (0x80004005)
In both the other cases, I've requested a temporary uninstall of SentinelOne, but IT has all but refused to do so. Someone on this post (viewtopic.php?f=6&t=104692) suggested some possible exceptions to try, so I can run that by IT, but I'm not sure how likely that is to work or for them to even try it.
I'm wondering if anyone else has had recent issues with SentinelOne that match my issue? Also wondering if there's any new insight on how to get VBox and Sentinel to co-exist. I've been through every post I can find on this forum but so far the only reliable solution seems to be to uninstall SentinelOne completely, which I don't think will pan out in our case unfortunately.
Is this something that Oracle might be looking into resolving in a future patch?
Any info or help would be greatly appreciated!