Discussion of Problems due to Hardened Security

Discussions related to using VirtualBox on Windows hosts.
ShaneB
Posts: 6
Joined: 31. May 2011, 21:50
Primary OS: MS Windows 7
VBox Version: OSE other
Guest OSses: winxp

Re: Discussion of Problems due to Hardened Security

Post by ShaneB »

Hasn't worked since hardening started. Rolled back to 4.3.12 with no issues.
Windows 7 32-bit (7601) all patched

McAfee VirusScan Enterprise + AntiSpyware Enterprise
Version number: 8.8.0 (8.8.0.1445)
Build date: 08/21/2015

Appears to all be cert issues.
Attachments
VBoxHardening.zip
(27.89 KiB) Downloaded 63 times
hqngl
Posts: 6
Joined: 6. Jul 2013, 00:18

Re: Discussion of Problems due to Hardened Security

Post by hqngl »

Hi,

since I upgraded from 5.0.4 to 5.0.6, about 50% of the time the state of my virtual machines switches to "aborted" when stopping. I could live with that if it only occurred after shutting down a VM. However, this also happens when saving the state of a running VM, causing the state not to be saved.

Some things that I noticed:
- Normally, stopping takes about 1 second. However, when the "aborted" bug occurs, the VM stops and aborts immediately.
- When the "aborted" bug occurred and I close all VirtualBox windows, VBoxSVC.exe stays in the process list
- VBox.log seems normal to me, while VBoxHardening.log does not: If a VM stopped successfully, the last line of VBoxHardening.log contains 'supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x0'. When it crashed, the last line contains 'supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000005'

Host info:
- OS: Windows 7 x64
- Anti-virus: Microsoft Security Essentials
- AppInit_DLLs: Nvidia Optimus Driver (nvinit.dll/nvinitx.dll)
- Windows is running in test-signing mode

I used VirtualBox 5.0.7 r 103382 to create log files of a successfully stopped and an unsuccessfully stopped (i.e. aborted) VM. The VM is a Windows XP 32 Bit VM with default settings. I started it, pressed F12 to show "VirtualBox temporary boot device selection" and stopped it via File -> Close -> Power off the machine.
Attachments
Logs.zip
VBox.log and VBoxHardening.log of successfully and unsuccessfully stopped VM
(76.85 KiB) Downloaded 29 times
Kaliatech
Posts: 4
Joined: 20. Oct 2015, 20:53

Re: Discussion of Problems due to Hardened Security

Post by Kaliatech »

1) Windows 8.1 Pro x64
2) <log file attached>
3) Microsoft Forefront End Point Protection

VirtualBox 5.0.4 was working without issue until a few days ago. The only recent update seen in Windows update history is a routine "Definition Update for Microsoft Endpoint Protection". Not sure if it is related. Receiving "kernel32.dll [lacks WinVerifyTrust]" type messages in log and VMs will not start. Tried upgrading to test build 5.0.7r103382, and many other things, such as "sfc /scannow". No results.

Rolled back to Virtualbox 4.3.12 and VMs start again.

UPDATE:[2015-20-27] - Seems the issue was "Cylance PROTECT". After trying all sorts of arcane things to try and get working again, it seems uninstalling "Cylance PROTECT" was the answer. (I didn't realize I was running it.) This is likely not a long term fix as I expect corporate will install it again at some point.
Attachments
VBoxHardening-20151020-5.0.7r103382.zip
(4.56 KiB) Downloaded 57 times
Last edited by Kaliatech on 27. Oct 2015, 19:48, edited 1 time in total.
Nurple
Posts: 3
Joined: 19. Jul 2014, 18:40
Primary OS: MS Windows 8
VBox Version: PUEL
Guest OSses: Ubuntu Trusty x64, Windows 7 / 10 x64

Re: Discussion of Problems due to Hardened Security

Post by Nurple »

I seem to be having the same problem as hqngl, rather than repost I'll link to my post viewtopic.php?f=6&t=73937#p342297

----

Added updated logs from 5.0.8.
Attachments
VBox Logs.zip
(39.44 KiB) Downloaded 23 times
ArtOfDysphoria
Posts: 1
Joined: 27. Oct 2015, 03:46

Re: Discussion of Problems due to Hardened Security

Post by ArtOfDysphoria »

Host OS: Microsoft Windows 7 Professional K(32bit) fully updated without KB30004394(removed)
VirtualBox Version: 5.0.8 r103449 with Extension Pack
Security Software: Hauri ViRobot Internet Security 2011
using default firewall

The state is really ambiguous and unstable. This problem first appeared when I enabled VT-x in the BIOS for long mode support (and it didn't work when I disabled it).

Code:

1a60.1c2c: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
1a88.75c: Error (rc=258):
1a88.75c: Timed out after 60001 ms waiting for child request #1 (CloseEvents).
1a88.75c: Error 258 in supR3HardNtChildWaitFor! (enmWhat=5)
1a88.75c: Timed out after 60001 ms waiting for child request #1 (CloseEvents).

This problem means the VirtualBox.exe process won't terminate. As a result, Windows won't power off unless I forcibly turn it off.

Strangely, it works again when I install Windows Virtual PC as a plan B. Until I apply Windows update.
I checked the security software, turned off Windows Defender and ViRobot (I can't disable this due to internal security policy), and it once worked until I rebooted the system.

It's not working again. I want to find out more information about ViRobot, but there's not enough info about this.
Attachments
VBoxHardening.zip
(2.64 KiB) Downloaded 27 times
rnewman
Posts: 37
Joined: 11. Sep 2014, 19:58

Re: Discussion of Problems due to Hardened Security

Post by rnewman »

Hello,
No go with the latest builds...

OS - Win7 Professional 64bit - SP1 (patched)
Trendmicro Office Scan - 11.0.4150 sp1

Virtualbox - 4.3.33-103670
Virtualbox - 5.0.9 -103713

Screen shot and startup log attached.

I am happy to assist with debugging. Are there any switches or process that would provide additional diagnostic information?

Thanks,
Richard
Attachments
VirtualBox-4.3.33-103670.zip
(198.99 KiB) Downloaded 31 times
VirtualBox-5.0.9-103713.zip
(223.18 KiB) Downloaded 34 times
MIP1983
Posts: 2
Joined: 5. Nov 2015, 18:56

Re: Discussion of Problems due to Hardened Security

Post by MIP1983 »

OS - Win7 Professional 64bit - SP1 (patched)

McAfee Enterprise

Version 5.0.9 r103922

I've had the issue for 'lacks WinVerifyTrust' with IMachineWrap error message for some time, and have tried version after version with no improvement.

However, I've just discovered after trying various permutations of running as administrator and suchlike, that randomly, maybe 1 time in 30, the VM will actually start.
So whatever this ongoing issue is, it isn't consistent.

I've attached a log file from just after my VM has successfully started on a machine where the vast majority of the time, I get the error. It still mentions 'lacks WinVerifyTrust' at certain points in the log.
VBoxHardening.zip
Log from just after vm has started
(34.5 KiB) Downloaded 38 times
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Discussion of Problems due to Hardened Security

Post by mpack »

@MIP1983: You have many instances of the following in the (truncated) log you provided :-
VBoxhardening.log wrote: 2f3c.31b4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=000007fedcfc0000 'C:\WINDOWS\system32\OPENGL32.dll'
So, it looks like you may have the OpenGL problem, not the AV problem. That is where graphics drivers inject themselves into OpenGL-aware software, translating OpenGL calls into hardware calls. You should look for updated drivers which are signed. You could also try turning off 3D acceleration in the VM settings if you don't really need it.

Unless you have already verified that your problem goes away if you disable the AV?
mikemoate
Posts: 1
Joined: 6. Nov 2015, 01:57

Re: Discussion of Problems due to Hardened Security

Post by mikemoate »

Hi

OS: Windows 7 Enterprise with Service Pack 1
Virtualbox 5.0.2r102096 for the attached logs. The same problem (very similar logs) initially occurred with 5.0.8r103449 and I then tried downgrading.

Zipped log file from 5.0.2 attached.

Antivirus is McAfee VirusScan Enterprise + AntiSpyware Enterprise Version number: 8.8.0 (8.8.0.975) (has never been a problem before).

Recent changes (since this last worked) include the following Windows Updates KB3093503, KB3093513, KB3088195, KB3080446 and KB3093983.
Attachments
VBoxStartup.zip
Log of failed start under 5.0.2
(7.53 KiB) Downloaded 28 times
MIP1983
Posts: 2
Joined: 5. Nov 2015, 18:56

Re: Discussion of Problems due to Hardened Security

Post by MIP1983 »

mpack wrote:@MIP1983: You have many instances of following in the (truncated) log you provided :-
VBoxhardening.log wrote: 2f3c.31b4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=000007fedcfc0000 'C:\WINDOWS\system32\OPENGL32.dll'
So, it looks like you may have the OpenGL problem, not the AV problem. That is where graphics drivers inject themselves into OpenGL-aware software, translating OpenGL calls into hardware calls. You should look for updated drivers which are signed. You could also try turning off 3D acceleration in the VM settings if you don't really need it.

Unless you have already verified that your problem goes away if you disable the AV?

Thanks for the suggestion. I've just tried updating to the latest Intel HD graphics drivers and disabling 2D/3D acceleration on the VM and it's not had an impact on the problem.
Unfortunately I can't disable the enterprise AV as it's locked down.

I've updated to 5.0.10 r104061, and I still get the IMachineWrap error. If I just keep clicking 'Run' on the VM, about 1 time in 30 it will start without the error. I'm happy to provide any additional info I can.
rgrr
Posts: 1
Joined: 13. Nov 2015, 10:21

Re: Discussion of Problems due to Hardened Security

Post by rgrr »

Gloix wrote: ...
where: supR3HardenedWinReSpawn what: 3 VERR_OPEN_FAILED (-101) -
File/Device open failed. Driver is probably stuck stopping/starting. Try 'sc.exe query vboxdrv' to get more information about its state. Rebooting may actually help.

Executing sc.exe yields:

Code:

SERVICE_NAME: vboxdrv
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 31  (0x1f)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Same for me on VB 5.0.10 after updating Win10/64 today (precisely: Windows 10 Pro 64bit, Version 1511,10586)

Some googling pointed me to reinstall vboxdrv.inf found in c:/program files/oracle/virtualbox/drivers/vboxdrv (standard installation path) which solves the issue for me.

:evil: SH][T: this has been a one time only solution :( The evil message appeared again (Error in supR3HardenedWinReSpawn) after a reboot. I thought "ok, no prob... reinstall vboxdrv.inf" will solve this. Not this time :evil:

Code:

$ sc query vboxdrv

SERVICE_NAME: vboxdrv
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 31  (0x1f)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

$ sc start vboxdrv
[SC] StartService FAILED with error 3917938463.

So I'm stuck again...

Hardy
jonathandart
Posts: 2
Joined: 16. Dec 2014, 19:06

Re: Discussion of Problems due to Hardened Security

Post by jonathandart »

Hi There,

Vbox since 4.3.12 won't boot a guest:

Host: Windows 7 Enterprise 64bit (SP1)
AV: McAfee VirusScan Enterprise + AntiSpyware Enterprise Version number: 8.8.0 (8.8.0.1247)
Guest: Redhat 6

Error:

Code:

Failed to open a session for the virtual machine ....

The virtual machine '...' has terminated unexpectedly during startup with exit code 1 (0x1).  More details may be available in 'C:\Users\..\VirtualBox VMs\...\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {f30138d4-e5ea-4b3a-8858-a059de4c93fd}

Log and screenshots of errors attached.

Let me know if any further info needed.
Attachments
info.zip
(245.12 KiB) Downloaded 31 times
chaosphinx
Posts: 1
Joined: 15. Nov 2015, 16:23

Re: Discussion of Problems due to Hardened Security

Post by chaosphinx »

Hi everyone, I got a problem with Virtualbox 5.0.*. At first, it worked fine, but after some win 10 defender updates (I don't remember which one exactly), I can't run any VMs. It says "The virtual machine 'Google Nexus S - 4.1.1 - API 16 - 480x800' has terminated unexpectedly during startup with exit code -1073741819 (0xc0000005). More details may be available in '...\Genymobile\Genymotion\deployed\Google Nexus S - 4.1.1 - API 16 - 480x800\Logs\VBoxHardening.log'."

Below is the VBoxHardening.log.

Thanks in advance for your reply.
Attachments
VBoxHardening.zip
(2.75 KiB) Downloaded 25 times
Shumron
Posts: 5
Joined: 15. Nov 2014, 17:57

Hardening incompatibility with ViPNet CSP (c) InfoTeCS (VB c

Post by Shumron »

VirtualBox 5.0.10 r104061
Host: Windows 2012 R2 x64 with all updates installed
Guest: Windows XP x86

Short description of this post:

Found incompatibility with ViPNet CSP (c) InfoTeCS (v4.2.4.33325, http://www.infotecs.ru) -- crypto-provider, popular in Russia, used in government, enterprise and... for common people to sign requests for government services. More details here:
http://infotecs.ru/products/catalog.php ... NT_ID=2096

Detailed description:

Hardened protection again does not allow any VM to boot. Moreover, in this case it was really hard to understand the reason from the VBoxHardening.log.
What I see at the end of the log is only these strings, which say nothing to me, because I do not see the REASON for quitting. What failed?

When I start the VM, I get an error message box:

Code:

---------------------------
VirtualBox.exe - Application Error
---------------------------
The instruction at 0x6d001d80 referenced memory at 0x6d001d80. The memory could not be written.

Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK   Cancel   
---------------------------

Probably, this is the main answer.

After pressing OK:

Code:

The virtual machine 'Windows XP SP3 (...)' has terminated unexpectedly during startup with exit code 0 (0x0). More details may be available in 'X:\(skipped)\Logs\VBoxHardening.log'.

Result Code: 
E_FAIL (0x80004005)
Component: 
MachineWrap
Interface: 
IMachine {f30138d4-e5ea-4b3a-8858-a059de4c93fd}

Code:

...
11dc.11e0: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume22\Windows\System32\msvcrt.dll [lacks WinVerifyTrust]
11dc.11e0: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\Wintrust.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
11dc.11e0: supR3HardenedScreenImage/NtCreateSection: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume22\Windows\System32\wintrust.dll [lacks WinVerifyTrust]
11cc.11d0: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4976 ms, the end);
11c4.11c8: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 5348 ms, the end);

Full log is attached. Probably hardening is just waiting for a process that... already crashed (see message box).

Now I re-checked the hardening logs in more detail, and found the following -- the real reason for the problem:

Code:

1354.b78:  *000000006d000000-000000006d000fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume22\Windows\System32\itcspea64.dll.000
1354.b78: supHardNtVpScanVirtualMemory: Unmapping image mem at 000000006d000000 (000000006d000000 LB 0x1000) - 'itcspea64.dll.000'

It seems that hardening protection has unmapped the image of itcspea64.dll, so... it crashed, of course.
1. Could I ask you to mark the following strings with something like "WARNING:" or some other marker, to make them easier to search for in the logs?
2. Why did it try to unmap this image module?! There are no messages/information about the reason for that. I checked: the module is digitally signed, and the signature is correct (but probably not cached locally).

Code:

...
CN = VeriSign Class 3 Code Signing 2010 CA
OU = Terms of use at https://www.verisign.com/rpa (c)10
OU = VeriSign Trust Network
O = VeriSign, Inc.
C = US
...
[1]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ocsp.verisign.com
[2]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://csc3-2010-aia.verisign.com/CSC3-2010.cer
...
Revocation Status : OK. Effective Date <15 November 2015 22:39:34> Next Update <22 November 2015 22:39:34>

Details from unmapped image at 0x6d001d80:

Code:

 .00000000`6D001D7E: CC                             int         3
 .00000000`6D001D7F: CC                             int         3
 OnImageLoaded:      4885C9                         test        rcx,rcx
 .00000000`6D001D83: 0F848B000000                   jz         .06D001E14
 .00000000`6D001D89: 48895C2408                     mov         [rsp][8],rbx
 .00000000`6D001D8E: 4889742410                     mov         [rsp][010],rsi
 .00000000`6D001D93: 57                             push        rdi

Normally, it must execute code from OnImageLoaded, but... it fails, because this code has already been unmapped by VB Hardening protection. So, it calls into an unmapped region of memory (without code). So... the process crashes.

It is incompatibility with ViPNet CSP (c) InfoTeCS (v4.2.4.33325, http://www.infotecs.ru) -- crypto-provider, popular in Russia, used in government, enterprise and... for common people to sign requests for government services. More details here:
http://infotecs.ru/products/catalog.php ... NT_ID=2096

Very "funny" code from Hardening:

Code:

    if (!pImage->pszName)
    {
        /*
         * Unknown image.
         *
         * If we're cleaning up a child process, we can unmap the offending
         * DLL...  Might have interesting side effects, or at least interesting
         * as in "may you live in interesting times".
         */
#ifdef IN_RING3
        if (   pMemInfo->AllocationBase == pMemInfo->BaseAddress
            && pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION)
        {
            SUP_DPRINTF(("supHardNtVpScanVirtualMemory: Unmapping image mem at %p (%p LB %#zx) - '%ls'\n",
                         pMemInfo->AllocationBase, pMemInfo->BaseAddress, pMemInfo->RegionSize, pwszFilename));
            NTSTATUS rcNt = NtUnmapViewOfSection(pThis->hProcess, pMemInfo->AllocationBase);
            if (NT_SUCCESS(rcNt))
                return VINF_OBJECT_DESTROYED;
            pThis->cFixes++;
            SUP_DPRINTF(("supHardNtVpScanVirtualMemory: NtUnmapViewOfSection(,%p) failed: %#x\n", pMemInfo->AllocationBase, rcNt));
        }
#endif

How to fix this hardening problem? I can't use VirtualBox at all, and this is really annoying :(

Please provide a quick solution. (The best solution, of course, is to change the policy of not allowing the hardening feature to be disabled)
Attachments
VBoxHardening.zip
(4.23 KiB) Downloaded 33 times
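
Added example, not part of any post in this thread and not VirtualBox code: a small triage script for VBoxHardening.log that pulls out the lines hqngl and Shumron found by reading the log manually (child exit codes, "Unmapping image mem" records, "lacks WinVerifyTrust" hits, child-wait timeouts). The regular expressions are written against the log excerpts quoted in this thread only; the function names and the ordering in `first_lead` are assumptions of this example.

```python
import re
from collections import Counter

# Excerpts copied from the posts in this thread; every line starts "<pid>.<tid>: ".
SAMPLE = r"""
1354.b78: supHardNtVpScanVirtualMemory: Unmapping image mem at 000000006d000000 (000000006d000000 LB 0x1000) - 'itcspea64.dll.000'
11dc.11e0: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume22\Windows\System32\msvcrt.dll [lacks WinVerifyTrust]
11dc.11e0: supR3HardenedScreenImage/NtCreateSection: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume22\Windows\System32\wintrust.dll [lacks WinVerifyTrust]
11cc.11d0: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4976 ms, the end);
11c4.11c8: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 5348 ms, the end);
""".strip().splitlines()

PREFIX = re.compile(r"^[0-9a-f]+\.[0-9a-f]+:\s+(.*)$")
EXIT = re.compile(r"supR3HardNtChildWaitFor\[(\d+)\]: Quitting: ExitCode=(0x[0-9a-fA-F]+)")
UNMAP = re.compile(r"supHardNtVpScanVirtualMemory: Unmapping image mem at ([0-9a-fA-F]+) .* - '([^']+)'")
NO_WVT = re.compile(r"supR3HardenedScreenImage/\S+: .* on (\S.*?) \[lacks WinVerifyTrust\]")
TIMEOUT = re.compile(r"Timed out after \d+ ms waiting for child request")
ACCESS_VIOLATION = 0xC0000005  # NTSTATUS STATUS_ACCESS_VIOLATION


def triage(lines):
    """Collect the events the posters searched for by hand."""
    rep = {"exit_codes": [], "unmapped": [], "lacks_wvt": Counter(), "timeouts": 0}
    for raw in lines:
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # not a hardening log line
        msg = m.group(1)
        if e := EXIT.search(msg):
            rep["exit_codes"].append((int(e.group(1)), int(e.group(2), 16)))
        elif u := UNMAP.search(msg):
            rep["unmapped"].append((int(u.group(1), 16), u.group(2)))
        elif v := NO_WVT.search(msg):
            # Key by file name only; volume numbers differ between hosts.
            rep["lacks_wvt"][v.group(1).rsplit("\\", 1)[-1].lower()] += 1
        elif TIMEOUT.search(msg):
            rep["timeouts"] += 1
    return rep


def first_lead(rep):
    """Heuristic ordering (an assumption of this example): strongest signal first."""
    crashed = any(code == ACCESS_VIOLATION for _, code in rep["exit_codes"])
    if crashed and rep["unmapped"]:
        names = ", ".join(name for _, name in rep["unmapped"])
        return f"child access violation after image unmapped: {names}"
    if crashed:
        return "child access violation, no unmapped image logged"
    if rep["timeouts"]:
        return "parent timed out waiting for child"
    if rep["exit_codes"] and all(code == 0 for _, code in rep["exit_codes"]):
        return "clean exit"
    return "no exit record found"


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(first_lead(report))
    print(dict(report["lacks_wvt"]))
```

The "lacks WinVerifyTrust" counts are reported but not used as a lead, since MIP1983's log from a successful start contains them too.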
Giangi
Posts: 43
Joined: 13. Aug 2013, 09:15
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: XP, Seven, Win10

Re: Discussion of Problems due to Hardened Security

Post by Giangi »

jonathandart wrote:Vbox since 4.3.12 won't boot a guest:
Host: Windows 7 Enterprise 64bit (SP1)
AV: McAfee VirusScan Enterprise + AntiSpyware Enterprise Version number: 8.8.0 (8.8.0.1247)

That VSE version should be with Patch4 applied (release date January 2014!)

I'm running VSE with the latest Patch6 applied (release date August 2015) and VB 5.0.10 is running fine on Seven 32bit, upgrade your VSE and give it a try!
VSE release build is 8.8.0.1445