4.3.14 conflicts with anti-virus packages.

Discussions related to using VirtualBox on Windows hosts.
kutkloon7
Posts: 3
Joined: 4. Apr 2014, 03:05

Re: 4.3.14 conflicts with anti-virus packages.

Post by kutkloon7 »

Anunes wrote:
kutkloon7 wrote:The test build (VirtualBox-4.3.15-95226-Win.exe) works here as well. When I tried it immediately after the installation I got some of the same errors, but now it seems to work fine, with the exception of: hardware acceleration does not seem to work in the linux mint guest, and I can't mount any shared folders, "No such file or directory" (the path of the shared folder does show up in the log though, 'C:\Users\Ruben\Desktop\OS\kernel'). I know, it's a test-build, but I figured any moderators might want to know.

using windows 64-bit 8.1, avast! free antivirus version 2014.9.0.2021
I installed guest additions
How can it be? I also have 8.1 - 64bit and same Avast version, but Avast prevents VB from startup.
What is your GPU configuration? I have a Dual system , Intel HD4600 and NVidia 740
Hm, after trying some more the behaviour does not seem to be consistent. I have to try about five times before I can get a virtual machine to start. After that the virtual machine seems to boot up fine, until I wait for a long time and try again...

According to http://www.systemrequirementslab.com/my ... er-details, I have an Intel(R) HD Graphics 4600 and a NVIDIA GeForce 825M. I didn't read the first one in the specs, but it might be correct.
jefke
Posts: 21
Joined: 15. Aug 2012, 16:17

Re: 4.3.14 conflicts with anti-virus packages.

Post by jefke »

I'm doing a test install now with the latest test build of VB and running Norton Internet Security plus an NVIDIA GPU on Windows 8.1 pro 64 bit.

Seems to work, the VM is coming up and installing. However, 2 remarks:
1) same remark as some others before: starting the VM takes around 10 seconds, way slower than usual.
2) I refer to my previous remark: I would like to know how they solved this. If they basically removed the ability of my Antivirus solution to monitor the virtualbox processes, then I am done using VB. It just opens up a whole new attack vector on my system if that is the case.
Anunes
Posts: 71
Joined: 17. Jul 2014, 18:49

Re: 4.3.14 conflicts with anti-virus packages.

Post by Anunes »

kutkloon7 wrote:
Anunes wrote:
kutkloon7 wrote:The test build (VirtualBox-4.3.15-95226-Win.exe) works here as well. When I tried it immediately after the installation I got some of the same errors, but now it seems to work fine, with the exception of: hardware acceleration does not seem to work in the linux mint guest, and I can't mount any shared folders, "No such file or directory" (the path of the shared folder does show up in the log though, 'C:\Users\Ruben\Desktop\OS\kernel'). I know, it's a test-build, but I figured any moderators might want to know.

using windows 64-bit 8.1, avast! free antivirus version 2014.9.0.2021
I installed guest additions
How can it be? I also have 8.1 - 64bit and same Avast version, but Avast prevents VB from startup.
What is your GPU configuration? I have a Dual system , Intel HD4600 and NVidia 740
Hm, after trying some more the behaviour does not seem to be consistent. I have to try about five times before I can get a virtual machine to start. After that the virtual machine seems to boot up fine, until I wait for a long time and try again...

According to http://www.systemrequirementslab.com/my ... er-details, I have an Intel(R) HD Graphics 4600 and a NVIDIA GeForce 825M. I didn't read the first one in the specs, but it might be correct.
I can not even Start Virtual Box itself, avast blocks it at once.
To make sure, please open your "Device Manager" and have a look at which GPUs are installed there. That could be important to the developers.
Drivers I am using:
HD4600 version 10.18.10.3621
Nvidia 340.43 Beta
kutkloon7
Posts: 3
Joined: 4. Apr 2014, 03:05

Re: 4.3.14 conflicts with anti-virus packages.

Post by kutkloon7 »

Anunes wrote:
kutkloon7 wrote:
Anunes wrote:[...]

How can it be? I also have 8.1 - 64bit and same Avast version, but Avast prevents VB from startup.
What is your GPU configuration? I have a Dual system , Intel HD4600 and NVidia 740
Hm, after trying some more the behaviour does not seem to be consistent. I have to try about five times before I can get a virtual machine to start. After that the virtual machine seems to boot up fine, until I wait for a long time and try again...

According to http://www.systemrequirementslab.com/my ... er-details, I have an Intel(R) HD Graphics 4600 and a NVIDIA GeForce 825M. I didn't read the first one in the specs, but it might be correct.
I can not even Start Virtual Box itself, avast blocks it at once.
To make sure, please open your "Device Manager" and have a look at which GPUs are installed there. That could be important to the developers.
Drivers I am using:
HD4600 version 10.18.10.3621
Nvidia 340.43 Beta
That's weird. I disabled avast for a while, but I don't think I had any issue starting up VirtualBox itself before that (or after I enabled it again, for that matter).
HD Graphics 4600 and a NVIDIA GeForce 825M is correct. I switched to VMware for now, I'm having too many issues and I can't cope with that now.
djk
Posts: 11
Joined: 22. Nov 2008, 18:43

Re: 4.3.14 conflicts with anti-virus packages.

Post by djk »

Upgraded from 4.3.12 to 4.3.15 (VirtualBox-4.3.15-95226-Win.exe) and all guest VMs start up as expected no problems at this point. Great work developers.
Last edited by djk on 25. Jul 2014, 21:48, edited 1 time in total.
jefke
Posts: 21
Joined: 15. Aug 2012, 16:17

Re: 4.3.14 conflicts with anti-virus packages.

Post by jefke »

djk wrote:Upgraded from 4.3.12 to 4.3.15 and all guest VM start up as expected no problems at this point. Great work developers.
You suffering any reduced performance djk?
For me and some others, it takes around 10 seconds to start up a VM.
djk
Posts: 11
Joined: 22. Nov 2008, 18:43

Re: 4.3.14 conflicts with anti-virus packages.

Post by djk »

jefke wrote:You suffering any reduced performance djk? For me and some others, it takes around 10 seconds to start up a VM.
I hadn't noticed the delayed start up comments. I just checked and yes there does seem to be a delay before the VM window opens and starts to load the OS. Could that be because it is a test build with debugging turned on?
jefke
Posts: 21
Joined: 15. Aug 2012, 16:17

Re: 4.3.14 conflicts with anti-virus packages.

Post by jefke »

djk wrote:
jefke wrote:You suffering any reduced performance djk? For me and some others, it takes around 10 seconds to start up a VM.
I hadn't noticed the delayed start up comments. I just checked and yes there does seem to be a delay before the VM window opens and starts to load the OS. Could that be because it is a test build with debugging turned on?
No idea, I'll leave it to the admins/devs to answer that.
One thing is for sure: I'm using an i5 with 8 gigs of ram, running nothing else, so it isn't a resource problem, and since you and me aren't the only ones...
I do still wonder how they implemented this though. From the earlier post where they put the link to this test version, I seem to understand that they basically remove all the code injected by AV packages in the VB processes... If this is the case, according to me, your AV product isn't able to check the VB processes for malware, which creates a new attack vector on your system... Inject malware in the vb processes and your antivirus product on windows will never see it.
astrashe
Posts: 2
Joined: 20. Jul 2014, 17:14

Re: 4.3.14 conflicts with anti-virus packages.

Post by astrashe »

I posted earlier about a problem with 4.3.14, Windows 7 Professional 64, and Trend Micro Worry Free Business Security Services AV.

4.3.15 fixes the problem for me. Everything looks good.

Thanks,
Anunes
Posts: 71
Joined: 17. Jul 2014, 18:49

Re: 4.3.14 conflicts with anti-virus packages.

Post by Anunes »

jefke wrote:
djk wrote:
jefke wrote:
...they basically remove all the code injected by AV packages in the VB processes...
Can you please point me where you read that about "remove" the AV function? I am very interested in that
jefke
Posts: 21
Joined: 15. Aug 2012, 16:17

Re: 4.3.14 conflicts with anti-virus packages.

Post by jefke »

Anunes wrote:
jefke wrote: ...they basically remove all the code injected by AV packages in the VB processes...
Can you please point me where you read that about "remove" the AV function? I am very interested in that

That would be this post, from page 18 of this thread:


Hi!

Here's a new test build: https://www.virtualbox.org/download/tes ... 26-Win.exe

This build should fix a number of the "terminated unexpectedly during startup with exit code X" issues, though not all of them. (This was a regression in the previous test build that mostly happened on Windows 7. Unfortunately the build was only briefly screened on Windows 8.0 before it was uploaded, and that box didn't show the problem. Sorry about that.)

This build was tested on 64-bit windows 8.0 with symantec endpoint protection installed, as well as windows 7 with AVG internet security 2014.

Avast users (and probably others too) may see a message like "The virtual machine 'insert-vm-name' has terminated unexpectedly during startup with exit code -1073741819 (0xc0000005). More details may be available in '...\VBoxStartup.log'." when starting a VM. This is being worked on and I hope there will be a new test build tomorrow that addresses this. (The problem is that avast is modifying ntdll in memory, from a kernel driver I believe, making a number of functions jump to some new code segment they injected into the process. The above build removes the injected code segment but doesn't restore the ntdll to its original state, thus NtMapViewOfSection jumps into the void and crashes. Thus the STATUS_ACCESS_VIOLATION exit code value.)

Now, if you see a _different_ error that nobody else has reported yet, it would be cool to get the VBoxStartup.log mentioned in the error message with the report as well as OS version + bit count and the list of protective software installed.

Hope this new build brings more enjoyment than the last one,
bird


Pay attention to the part I put in bold, this is apparently specifically for Avast, but I'm wondering if this is their general approach.
"build removes injected code segment" and apparently this code segment is injected in the VB process, jumped to by Avast, they remove it and then try to restore ntdll to its original state...

So to me this seems they block the functioning of an antivirus package, but that's why I'm asking for them to shed some more light on this, I would like to know what they are doing and what the impact is.

I've been looking at the source code myself, but honestly, my coding skills aren't good enough and the codebase is too large to quickly figure it out.

REMARK: I do hope the admins don't delete this post as off-topic moaning or something similar, because honestly, being a security professional myself, I am really interested in how this is done and what the impact is (especially the second part about the impact).
After all, VB is a tool that is often used by security professionals for pentesting, malware analysis etcetera. If they would interfere with AV-packages to get the thing going, so be it, but then I would like to know about it.
If this is indeed considered off-topic for this thread, I would kindly ask that one of the admins contacts me through private message on this forum to discuss further?
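
Added example, not part of any post in this thread and not VirtualBox or Avast code: a small C model of the failure described in the quoted developer post above, where a patched function prologue still jumps to a code segment that is no longer mapped. The addresses, prologue bytes and syscall number are constructed sample values, and the x64 stub layout is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t base, size; } region_t;   /* one mapped region */
typedef enum { CLEAN, HOOK_MAPPED, HOOK_DANGLING, MODIFIED } hook_state_t;

/* Constructed sample data: addresses and syscall number are illustrative. */
#define FUNC_ADDR 0x7FFA10001000ULL                 /* modelled NtMapViewOfSection */
static const uint8_t PRISTINE[8] = {0x4C,0x8B,0xD1, 0xB8,0x28,0x00,0x00,0x00}; /* mov r10,rcx; mov eax,imm32 */
static const uint8_t HOOKED[8]   = {0xE9,0xFB,0xF0,0xFE,0xFF, 0x00,0x00,0x00}; /* jmp rel32 -> 0x7FFA0FFF0100 */
static const region_t WITH_INJECTED[]    = {{0x7FFA10000000ULL, 0x200000}, {0x7FFA0FFF0000ULL, 0x1000}};
static const region_t INJECTED_REMOVED[] = {{0x7FFA10000000ULL, 0x200000}};

static int is_mapped(const region_t *r, size_t n, uint64_t a) {
    for (size_t i = 0; i < n; i++)
        if (a >= r[i].base && a - r[i].base < r[i].size) return 1;
    return 0;
}

/* Compare live prologue bytes with the pristine copy; if they differ and start
   with E9 (jmp rel32), resolve the target and check that it is still mapped. */
hook_state_t classify(const uint8_t *live, const uint8_t *pristine, size_t len,
                      uint64_t addr, const region_t *r, size_t n, uint64_t *target) {
    *target = 0;
    if (memcmp(live, pristine, len) == 0) return CLEAN;
    if (len < 5 || live[0] != 0xE9) return MODIFIED;
    uint32_t u = live[1] | (uint32_t)live[2] << 8 | (uint32_t)live[3] << 16 | (uint32_t)live[4] << 24;
    *target = addr + 5 + (uint64_t)(int64_t)(int32_t)u;  /* relative to next instruction */
    return is_mapped(r, n, *target) ? HOOK_MAPPED : HOOK_DANGLING;
}

/* A negative process exit code is an NTSTATUS shown as a signed 32-bit value. */
uint32_t exit_code_to_ntstatus(int32_t code) { return (uint32_t)code; }

int main(void) {
    uint64_t t;
    printf("pristine: %d\n", classify(PRISTINE, PRISTINE, 8, FUNC_ADDR, INJECTED_REMOVED, 1, &t));
    printf("hooked, segment present: %d\n", classify(HOOKED, PRISTINE, 8, FUNC_ADDR, WITH_INJECTED, 2, &t));
    printf("hooked, segment removed: %d (target 0x%llx)\n",
           classify(HOOKED, PRISTINE, 8, FUNC_ADDR, INJECTED_REMOVED, 1, &t), (unsigned long long)t);
    printf("exit code -1073741819 = 0x%08X\n", (unsigned)exit_code_to_ntstatus(-1073741819));
    return 0;
}
```

The HOOK_DANGLING case corresponds to the state the quoted post describes: the segment is gone but the prologue still jumps to it, so the first call faults and the process exits with 0xC0000005.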
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: 4.3.14 conflicts with anti-virus packages.

Post by Jacob Klein »

Anunes wrote:
jefke wrote: ...they basically remove all the code injected by AV packages in the VB processes...
Can you please point me where you read that about "remove" the AV function? I am very interested in that
viewtopic.php?f=6&t=62615&start=255#p294202
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: 4.3.14 conflicts with anti-virus packages.

Post by mpack »

@jefke: I'm content to leave your post as-is, it's obviously constructive. However I don't want it to form the root of an off-topic discussion, so be warned guys - any continuation of that discussion here will be ruthlessly pruned. We seem to be making progress, the last thing we need are distractions (flame wars).
unixken
Posts: 1
Joined: 26. Jul 2014, 04:22

Re: 4.3.14 conflicts with anti-virus packages.

Post by unixken »

The latest test build is now working for me, as well.

My system:
Lenovo E531 i5 2.6GHz w/ 16GB RAM
Windows 7 Professional, Service Pack 1, 64-bit with all MS updates current as of today (25 July 2014)

My Anti-Virus products (all running concurrently):
Norton Internet Security version 21.4.0.13
MalwareBytes 2.0.2.1012
SUPERAntiSpyware 5.7.1026
and Microsoft Security Essentials

I do not notice any slow load times that some have observed, as compared to 4.3.12, but with 16GB of RAM and a 1TB SSD, this particular laptop is generally quite snappy with most things it runs. All my guest OS's appear to boot and run without issue. This is my personal system. I can try updating my company system when I get back to the office on Monday.
Yikes2000
Posts: 4
Joined: 21. Jun 2014, 00:37

Re: 4.3.14 conflicts with anti-virus packages.

Post by Yikes2000 »

Latest 4.3.15 didn't work for me. Still same error, couldn't start VMs.

Windows 7 Home, Service Pack 1, 64-bit with current MS updates.
Anti-virus: BitDefender Internet Security 2013.