Discussion of Problems due to Hardened Security

Discussions related to using VirtualBox on Windows hosts.
wreckwriter
Posts: 29
Joined: 22. Jul 2013, 22:42

Re: Discussion of Problems due to Hardened Security

Post by wreckwriter »

Ran sfc /scannow. It said it fixed some errors. Still the same problem with vbox. Attaching final log, will now wait on devs.
Last edited by wreckwriter on 27. Feb 2016, 20:31, edited 1 time in total.
wreckwriter
Posts: 29
Joined: 22. Jul 2013, 22:42

Re: Discussion of Problems due to Hardened Security

Post by wreckwriter »

OK, did some more testing and research. The only thing installed within the last week was a thing called Ashampoo Music Studio (yes, I should have known better). Tried ripping it with Iobit, no help. Restored Windows from a backup before it was installed. Vbox works again. Appreciate the time spent trying to help me! Volunteer support guys rarely get credit or thanks; you get both!

Edit- I take it back, NOT Music Studio. Instead a free utility called Process Hacker. Too bad, nice little utility, sorta super task manager.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Discussion of Problems due to Hardened Security

Post by mpack »

"Process Hacker" sounds like exactly the sort of tool the hardening feature's bum's rush was invented for.
wreckwriter
Posts: 29
Joined: 22. Jul 2013, 22:42

Re: Discussion of Problems due to Hardened Security

Post by wreckwriter »

mpack wrote:"Process Hacker" sounds like exactly the sort of tool the hardening feature's bum's rush was invented for.
It might be poorly named but it's really a decent tool; expands task manager functionality. I had it a while back and liked it, will be living without going forward.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Discussion of Problems due to Hardened Security

Post by mpack »

I accept that the tool might be useful, but I do wonder why it needs to invade other processes when not being used. Or why it would invade all processes and not just the one you want to analyse. However, this is not the place to discuss the whyfors of a third party tool.
stefan.becker
Volunteer
Posts: 7639
Joined: 7. Jun 2007, 21:53

Re: Discussion of Problems due to Hardened Security

Post by stefan.becker »

dba_chicken wrote:Sorry, cannot verify - my VB-Client still doesn't start.
Furthermore: Avira AV has not patched to 15.0.16 respectively 16.0.16,
my installation (after latest patch) version of Avira is 15.0.15.141

Cheers,
Martin
stefan.becker wrote:The Problem with Avira as AV seems to be solved. With the latest Update it's working again.
In our company it's working. Avira is installed as 14.0.15.97.
Craig Carboni
Posts: 6
Joined: 28. Feb 2016, 16:30

Re: Discussion of Problems due to Hardened Security

Post by Craig Carboni »

OS: Microsoft Windows [Version 10.0.14271] (FAST RING)
VBOX: 5.0.14r105127

Code:

Failed to open a session for the virtual machine serverldap.

The virtual machine 'serverldap' has terminated unexpectedly during startup with exit code 1 (0x1).  More details may be available in 'V:\serverldap\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {f30138d4-e5ea-4b3a-8858-a059de4c93fd}


92c.ee0: Log file opened: 5.0.14r105127 g_hStartupLog=0000000000000060 g_uNtVerCombined=0xa037bf00
92c.ee0: \SystemRoot\System32\ntdll.dll:
92c.ee0:     CreationTime:    2016-02-19T13:40:44.373609400Z
92c.ee0:     LastWriteTime:   2016-02-19T13:40:44.373609400Z
92c.ee0:     ChangeTime:      2016-02-25T16:25:42.953818200Z
92c.ee0:     FileAttributes:  0x20
92c.ee0:     Size:            0x1c5138
92c.ee0:     NT Headers:      0xd8
92c.ee0:     Timestamp:       0x56c6e04c
92c.ee0:     Machine:         0x8664 - amd64
92c.ee0:     Timestamp:       0x56c6e04c
92c.ee0:     Image Version:   10.0
92c.ee0:     SizeOfImage:     0x1ca000 (1875968)
92c.ee0:     Resource Dir:    0x162000 LB 0x66370
92c.ee0:     ProductName:     Microsoft® Windows® Operating System
92c.ee0:     ProductVersion:  10.0.14271.1000
92c.ee0:     FileVersion:     10.0.14271.1000 (rs1_release.160218-2310)
92c.ee0:     FileDescription: NT Layer DLL
92c.ee0: \SystemRoot\System32\kernel32.dll:
92c.ee0:     CreationTime:    2016-02-19T13:40:25.420520800Z
92c.ee0:     LastWriteTime:   2016-02-19T13:40:25.420520800Z
92c.ee0:     ChangeTime:      2016-02-25T16:25:42.235012100Z
92c.ee0:     FileAttributes:  0x20
92c.ee0:     Size:            0xa9990
92c.ee0:     NT Headers:      0xf8
92c.ee0:     Timestamp:       0x56c6e0cf
92c.ee0:     Machine:         0x8664 - amd64
92c.ee0:     Timestamp:       0x56c6e0cf
92c.ee0:     Image Version:   10.0
92c.ee0:     SizeOfImage:     0xab000 (700416)
92c.ee0:     Resource Dir:    0xa9000 LB 0x528
92c.ee0:     ProductName:     Microsoft® Windows® Operating System
92c.ee0:     ProductVersion:  10.0.14271.1000
92c.ee0:     FileVersion:     10.0.14271.1000 (rs1_release.160218-2310)
92c.ee0:     FileDescription: Windows NT BASE API Client DLL
92c.ee0: \SystemRoot\System32\KernelBase.dll:
92c.ee0:     CreationTime:    2016-02-19T13:40:44.436109300Z
92c.ee0:     LastWriteTime:   2016-02-19T13:40:44.451733600Z
92c.ee0:     ChangeTime:      2016-02-25T16:25:42.250638100Z
92c.ee0:     FileAttributes:  0x20
92c.ee0:     Size:            0x1f1968
92c.ee0:     NT Headers:      0x100
92c.ee0:     Timestamp:       0x56c6e0cd
92c.ee0:     Machine:         0x8664 - amd64
92c.ee0:     Timestamp:       0x56c6e0cd
92c.ee0:     Image Version:   10.0
92c.ee0:     SizeOfImage:     0x1f4000 (2048000)
92c.ee0:     Resource Dir:    0x1dc000 LB 0x540
92c.ee0:     ProductName:     Microsoft® Windows® Operating System
92c.ee0:     ProductVersion:  10.0.14271.1000
92c.ee0:     FileVersion:     10.0.14271.1000 (rs1_release.160218-2310)
92c.ee0:     FileDescription: Windows NT BASE API Client DLL
92c.ee0: \SystemRoot\System32\apisetschema.dll:
92c.ee0:     CreationTime:    2016-02-19T13:40:38.498620600Z
92c.ee0:     LastWriteTime:   2016-02-19T13:40:38.498620600Z
92c.ee0:     ChangeTime:      2016-02-25T16:25:41.281811800Z
92c.ee0:     FileAttributes:  0x20
92c.ee0:     Size:            0x16b10
92c.ee0:     NT Headers:      0xc0
92c.ee0:     Timestamp:       0x56c6e29c
92c.ee0:     Machine:         0x8664 - amd64
92c.ee0:     Timestamp:       0x56c6e29c
92c.ee0:     Image Version:   10.0
92c.ee0:     SizeOfImage:     0x18000 (98304)
92c.ee0:     Resource Dir:    0x17000 LB 0x400
92c.ee0:     ProductName:     Microsoft® Windows® Operating System
92c.ee0:     ProductVersion:  10.0.14271.1000
92c.ee0:     FileVersion:     10.0.14271.1000 (rs1_release.160218-2310)
92c.ee0:     FileDescription: ApiSet Schema DLL
92c.ee0: NtOpenDirectoryObject failed on \Driver: 0xc0000022
92c.ee0: supR3HardenedWinFindAdversaries: 0x0
92c.ee0: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
92c.ee0: Calling main()
92c.ee0: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
92c.ee0: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
92c.ee0: SUPR3HardenedMain: Respawn #1
92c.ee0: System32:  \Device\HarddiskVolume4\Windows\System32
92c.ee0: WinSxS:    \Device\HarddiskVolume4\Windows\WinSxS
92c.ee0: KnownDllPath: C:\WINDOWS\system32
92c.ee0: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
92c.ee0: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe)
92c.ee0: supR3HardNtEnableThreadCreation:
92c.ee0: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ffe4b8e2ce0 pvNtTerminateThread=00007ffe4b912310
92c.ee0: supR3HardenedWinDoReSpawn(1): New child 17c.3b8 [kernel32].
92c.ee0: supR3HardNtChildGatherData: PebBaseAddress=0000000000341000 cbPeb=0x388
92c.ee0: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ffe4b870000 uNtDllChildAddr=00007ffe4b870000
92c.ee0: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ffe4b8e2ce0
92c.ee0: supR3HardenedWinSetupChildInit: Start child.
92c.ee0: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 0 ms.
92c.ee0: supR3HardNtChildPurify: Startup delay kludge #1/0: 258 ms, 31 sleeps
92c.ee0: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
92c.ee0:  *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
92c.ee0:  *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
92c.ee0:  *0000000000030000-000000000001afff 0x0002/0x0002 0x0040000
92c.ee0:   0000000000045000-0000000000039fff 0x0001/0x0000 0x0000000
92c.ee0:  *0000000000050000-fffffffffff53fff 0x0000/0x0004 0x0020000
92c.ee0:   000000000014c000-0000000000148fff 0x0104/0x0004 0x0020000
92c.ee0:   000000000014f000-000000000014dfff 0x0004/0x0004 0x0020000
92c.ee0:  *0000000000150000-000000000014bfff 0x0002/0x0002 0x0040000
92c.ee0:   0000000000154000-0000000000147fff 0x0001/0x0000 0x0000000
92c.ee0:  *0000000000160000-000000000015dfff 0x0004/0x0004 0x0020000
92c.ee0:   0000000000162000-00000000000c3fff 0x0001/0x0000 0x0000000
92c.ee0:  *0000000000200000-00000000000befff 0x0000/0x0004 0x0020000
92c.ee0:   0000000000341000-000000000033dfff 0x0004/0x0004 0x0020000
92c.ee0:   0000000000344000-0000000000287fff 0x0000/0x0004 0x0020000
92c.ee0:   0000000000400000-ffffffff8081ffff 0x0001/0x0000 0x0000000
92c.ee0:  *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
92c.ee0:   000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
92c.ee0:   000000007fff0000-ffff8009fb79ffff 0x0001/0x0000 0x0000000
92c.ee0:  *00007ff704840000-00007ff70481cfff 0x0002/0x0002 0x0040000
92c.ee0:   00007ff704863000-00007ff703f85fff 0x0001/0x0000 0x0000000
92c.ee0:  *00007ff705140000-00007ff705140fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff705141000-00007ff7051c7fff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff7051c8000-00007ff7051c8fff 0x0080/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff7051c9000-00007ff705213fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff705214000-00007ff705214fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff705215000-00007ff705215fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff705216000-00007ff70521afff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff70521b000-00007ff70521bfff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff70521c000-00007ff70521cfff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff70521d000-00007ff705220fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff705221000-00007ff70526bfff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe
92c.ee0:   00007ff70526c000-00007fefbec67fff 0x0001/0x0000 0x0000000
92c.ee0:  *00007ffe4b870000-00007ffe4b870fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume4\Windows\System32\ntdll.dll
92c.ee0:   00007ffe4b871000-00007ffe4b974fff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume4\Windows\System32\ntdll.dll
92c.ee0:   00007ffe4b975000-00007ffe4b9b6fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume4\Windows\System32\ntdll.dll
92c.ee0:   00007ffe4b9b7000-00007ffe4b9bffff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume4\Windows\System32\ntdll.dll
92c.ee0:   00007ffe4b9c0000-00007ffe4b9cdfff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume4\Windows\System32\ntdll.dll
92c.ee0:   00007ffe4b9ce000-00007ffe4b9cefff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume4\Windows\System32\ntdll.dll
92c.ee0:   00007ffe4b9cf000-00007ffe4b9d1fff 0x0008/0x0080 0x1000000  \Device\HarddiskVolume4\Windows\System32\ntdll.dll
92c.ee0:   00007ffe4b9d2000-00007ffe4ba39fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume4\Windows\System32\ntdll.dll
92c.ee0:   00007ffe4ba3a000-00007ffc97493fff 0x0001/0x0000 0x0000000
92c.ee0:  *00007ffffffe0000-00007ffffffcffff 0x0001/0x0002 0x0020000
92c.ee0: VirtualBox.exe: timestamp 0x569e6712 (rc=VINF_SUCCESS)
92c.ee0: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
92c.ee0: '\Device\HarddiskVolume4\Windows\System32\ntdll.dll' has no imports
92c.ee0: supR3HardNtChildPurify: Done after 323 ms and 0 fixes (loop #0).
17c.3b8: Log file opened: 5.0.14r105127 g_hStartupLog=0000000000000004 g_uNtVerCombined=0xa037bf00
17c.3b8: supR3HardenedVmProcessInit: uNtDllAddr=00007ffe4b870000
17c.3b8: ntdll.dll: timestamp 0x56c6e04c (rc=VINF_SUCCESS)
17c.3b8: New simple heap: #1 0000000000500000 LB 0x400000 (for 1875968 allocation)
92c.ee0: supR3HardNtEnableThreadCreation:
17c.3b8: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
17c.3b8: System32:  \Device\HarddiskVolume4\Windows\System32
17c.3b8: WinSxS:    \Device\HarddiskVolume4\Windows\WinSxS
17c.3b8: KnownDllPath: C:\WINDOWS\system32
17c.3b8: supR3HardenedVmProcessInit: Opening vboxdrv stub...
17c.3b8: supR3HardenedWinReadErrorInfoDevice: 'ntdll.dll: 4 differences between 0x14adac and 0x14adaf in #4 (.da'
17c.3b8: Error -5600 in supR3HardenedWinReSpawn! (enmWhat=3)
17c.3b8: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5600 (0xffffea20) (rcNt=0xe986ea20)
VBoxDrvStub error: ntdll.dll: 4 differences between 0x14adac and 0x14adaf in #4 (.da
92c.ee0: supR3HardenedWinCheckChild: enmRequest=2 rc=-5600 enmWhat=3 supR3HardenedWinReSpawn: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5600 (0xffffea20) (rcNt=0xe986ea20)
VBoxDrvStub error: ntdll.dll: 4 differences between 0x14adac and 0x14adaf in #4 (.da
92c.ee0: Error -5600 in supR3HardenedWinReSpawn! (enmWhat=3)
92c.ee0: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5600 (0xffffea20) (rcNt=0xe986ea20)
VBoxDrvStub error: ntdll.dll: 4 differences between 0x14adac and 0x14adaf in #4 (.da
Mod note: Please post logs as zipped attachments, don't just hose us with text, which invariably gets truncated anyway.
Last edited by mpack on 28. Feb 2016, 17:06, edited 1 time in total.
Reason: Add code brackets and mod note.
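A small triage script for a log like the one above, added here as an example and not part of the original post or of VirtualBox itself: it pulls the VirtualBox version, the adversary mask, the first error and the memory-vs-file mismatch out of VBoxHardening.log lines (the embedded excerpt is constructed from the lines quoted above) and states what the mismatch means.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the VBoxHardening.log quoted in the post above (constructed from
# those lines; only the lines that matter for triage are kept).
SAMPLE_LOG = r"""
92c.ee0: Log file opened: 5.0.14r105127 g_hStartupLog=0000000000000060 g_uNtVerCombined=0xa037bf00
92c.ee0: supR3HardenedWinFindAdversaries: 0x0
92c.ee0: supR3HardenedWinDoReSpawn(1): New child 17c.3b8 [kernel32].
17c.3b8: supR3HardenedVmProcessInit: Opening vboxdrv stub...
17c.3b8: Error -5600 in supR3HardenedWinReSpawn! (enmWhat=3)
17c.3b8: NtCreateFile(\Device\VBoxDrvStub) failed: Unknown Status -5600 (0xffffea20) (rcNt=0xe986ea20)
VBoxDrvStub error: ntdll.dll: 4 differences between 0x14adac and 0x14adaf in #4 (.da
"""

VERSION_RE = re.compile(r"Log file opened: (?P<ver>\S+)")
ADVERSARY_RE = re.compile(r"supR3HardenedWinFindAdversaries: (?P<mask>0x[0-9a-fA-F]+)")
ERROR_RE = re.compile(r"Error (?P<rc>-?\d+) in (?P<func>\w+)!")
MISMATCH_RE = re.compile(
    r"VBoxDrvStub error: (?P<module>[\w.]+): (?P<count>\d+) differences? between "
    r"(?P<lo>0x[0-9a-fA-F]+) and (?P<hi>0x[0-9a-fA-F]+) in #(?P<section>\d+)"
)

@dataclass
class HardeningFinding:
    vbox_version: Optional[str] = None
    adversary_mask: Optional[int] = None   # bit mask of known-hostile products VBox detected
    rc: Optional[int] = None               # VBox status code of the first failure
    failing_func: Optional[str] = None
    module: Optional[str] = None           # image whose memory differs from its file on disk
    diff_count: int = 0
    diff_lo: int = 0
    diff_hi: int = 0
    section: Optional[int] = None

def triage(log_text: str) -> HardeningFinding:
    """Walk the log once, keeping the first failure and the first memory-vs-file mismatch."""
    f = HardeningFinding()
    for line in log_text.splitlines():
        if m := VERSION_RE.search(line):
            f.vbox_version = f.vbox_version or m["ver"]
        elif m := ADVERSARY_RE.search(line):
            f.adversary_mask = int(m["mask"], 16)
        elif (m := ERROR_RE.search(line)) and f.rc is None:
            f.rc, f.failing_func = int(m["rc"]), m["func"]
        elif (m := MISMATCH_RE.search(line)) and f.module is None:
            f.module, f.diff_count, f.section = m["module"], int(m["count"]), int(m["section"])
            f.diff_lo, f.diff_hi = int(m["lo"], 16), int(m["hi"], 16)
    return f

def verdict(f: HardeningFinding) -> str:
    """Turn the extracted fields into the one-line conclusion a helper would post back."""
    if f.rc is None:
        return "no hardening failure recorded"
    if f.module:
        span = f.diff_hi - f.diff_lo + 1
        where = f"{f.module} section #{f.section} at 0x{f.diff_lo:x}-0x{f.diff_hi:x}"
        msg = (f"in-memory code of {where} differs from the on-disk file "
               f"({f.diff_count} of {span} bytes): another product has patched the loaded image")
        if f.adversary_mask == 0:
            msg += "; VirtualBox recognised no known adversary, so the patching product is not one it works around"
        return msg
    return f"{f.failing_func} failed with rc={f.rc} and no memory mismatch; read the lines before the error"
```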
wreckwriter
Posts: 29
Joined: 22. Jul 2013, 22:42

Re: Discussion of Problems due to Hardened Security

Post by wreckwriter »

Well, had it fixed but now it's back.

Failed to open a session for the virtual machine BackBox.

The virtual machine 'BackBox' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'W:\BackBox\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {f30138d4-e5ea-4b3a-8858-a059de4c93fd}

Again, it started as RBHook.dll showing unsigned, I disabled RBTray, then deleted it and rebooted. Now, yet again, Vbox seems to think multiple Windows files are unsigned.

Host- Windows 10 Pro 10.0.10586 All updates installed
Guest- Multiple Linux guests, file is from Backbox Linux
Vbox- 5.0.14r105127 Guest additions- latest
Vboxhardening.zip attached
Security apps- Eset Nod32, Malwarebytes, Hitman Pro

Need help please.
Attachments
VBoxHardening.zip
wreckwriter
Posts: 29
Joined: 22. Jul 2013, 22:42

Re: Discussion of Problems due to Hardened Security

Post by wreckwriter »

Is it possible to downgrade Vbox to before the "hardening" was put in?
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Discussion of Problems due to Hardened Security

Post by mpack »

And still run on a Windows 10 host? No.
wreckwriter
Posts: 29
Joined: 22. Jul 2013, 22:42

Re: Discussion of Problems due to Hardened Security

Post by wreckwriter »

mpack wrote:And still run on a Windows 10 host? No.
Thanks. Didn't think so but had to ask. This is really frustrating, been using Vbox for years with zero problems, now suddenly .....
dba_chicken
Posts: 7
Joined: 5. Jan 2016, 23:01

Re: Discussion of Problems due to Hardened Security

Post by dba_chicken »

stefan.becker wrote:The Problem with Avira as AV seems to be solved. With the latest Update it's working again.
In our company it's working. Avira is installed as 14.0.15.97.
At least I've got a different error message. It's almost like in Groundhog Day, everything different is good ...

Code:

Für die virtuelle Maschine ubuntu-server-64_1404 konnte keine neue Sitzung eröffnet werden.

Failed to load unit 'lsilogicscsi' (VERR_SSM_LOADED_TOO_MUCH).

Fehlercode:E_FAIL (0x80004005)
Komponente:ConsoleWrap
Interface:IConsole {872da645-4a9b-1727-bee2-5585105b9eed}
P.S.: Avira (Pro) on my Windows host is still version 15.0.15.141
Attachments
VBoxHardening.zip
Ubuntu-Client does not start, error message:
Failed to load unit 'lsilogicscsi'
(VERR_SSM_LOADED_TOO_MUCH)
peter.knuts
Posts: 1
Joined: 4. Mar 2016, 09:08

Re: Discussion of Problems due to Hardened Security

Post by peter.knuts »

For TrendMicro, it seems to be the Data Loss Protection (DLP) software that causes VirtualBox malfunctioning. More specifically, it is the file C:\Windows\System32\drivers\sakfile.sys.
To verify this, you can rename the sakfile.sys file and restart the computer. It should then be possible to use the latest version of VirtualBox again. The DLP software will however most likely not work properly.
Not restarting the computer after renaming the file causes a BSOD. The reason for this is that VirtualBox will no longer try to work around the buggy DLP software because it can't detect that it is installed.
After downloading the VirtualBox source code I found the following comment about the reason for TrendMicro malfunctioning:

File: SUPHardenedVerify-win.h

/** Replace unwanted executable memory allocations with a new one that's filled
* with a safe read-write copy (default is just to free it).
*
* This is one way we attempt to work around buggy protection software that
* either result in host BSOD or VBox application malfunction. Here the current
* shit list:
* - Trend Micro's data protection software includes a buggy driver called
* sakfile.sys that has been observed crashing accessing user memory that we
* probably freed. I'd love to report this to Trend Micro, but unfortunately
* they doesn't advertise (or have?) an email address for reporting security
* vulnerabilities in the their software. Having wasted time looking and not
* very sorry for having to disclosing the bug here.
* - Maybe one more.
*/

This problem is reported to TrendMicro and they will hopefully fix it in the near future.
wreckwriter
Posts: 29
Joined: 22. Jul 2013, 22:42

Re: Discussion of Problems due to Hardened Security

Post by wreckwriter »

Running out of options here, any hope or ideas?
wreckwriter
Posts: 29
Joined: 22. Jul 2013, 22:42

Re: Discussion of Problems due to Hardened Security

Post by wreckwriter »

Brand new version of Vbox; I got excited for a minute. But wait, same crap as before. Going to VMWare.