Page 15 of 33

Re: Discussion of Problems due to Hardened Security

Posted: 7. Dec 2015, 23:10
by donteatthebug
mpack wrote:@donteatthebug:

Blame the spammers and hackers for the need for hardening, not the devs. The commercial reality is that VirtualBox can't be seen as a credible vector for malware, because the competition will not.

As to your problem - a glance at your log reveals it.
1244.968: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status -5667 (0xffffe9dd)) on \Device\HarddiskVolume3\Users\Fox\AppData\Local\Temp\ammemb64.dll [lacks WinVerifyTrust]
1244.968: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status -5667 (0xffffe9dd)) on \Device\HarddiskVolume3\Users\Fox\AppData\Local\Temp\ammemb64.dll [lacks WinVerifyTrust]
1244.968: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status -5667 (0xffffe9dd)) on \Device\HarddiskVolume3\Users\Fox\AppData\Local\Temp\ammemb64.dll [lacks WinVerifyTrust]
<and many more like it>
This seems to be a generic DLL loaded by some .NET apps, so the actual faulting app is harder to identify.

I'm curious to know why a legit DLL is being loaded from a temp folder and injected into the VirtualBox execution space, and why so many attempts? Until these questions are answered I suggest that you really shouldn't want to "turn off hardening at your own risk".

Thank you for the reply, I can sympathize.

I can answer that the "ammemb64.dll" is part of software called "Actual Multiple Monitors", used to make the Windows TaskBar act in a useful manner across multiple monitors. I've tried several alternative multi-monitor TaskBar utilities, but they lack functionality.

Re: Discussion of Problems due to Hardened Security

Posted: 8. Dec 2015, 10:15
by mpack
Well, that doesn't really explain why the app is loading from a temp folder, but that's your concern. If it wants to inject itself into the VirtualBox space, it needs to be signed.

Re: Discussion of Problems due to Hardened Security

Posted: 8. Dec 2015, 16:02
by mrineffable
1) Host OS and version - Windows 7 Enterprise 64-bit SP1
2) VBoxStartup.log (zipped) [from VBox 5.0.6 this file is now called "VBoxHardening.log"] -
VBoxHardening.zip
(3.3 KiB) Downloaded 50 times
3) Mention any host anti-virus, firewalls, protection software, and debugging programs etc which might be relevant. - Cylance Protect

After installing Cylance Protect, Oracle Virtualbox will no longer launch any VMs. If I uninstall Cylance it starts working. Is there any way to get Cylance and Virtualbox to work on the same machine at the same time?

Re: Discussion of Problems due to Hardened Security

Posted: 8. Dec 2015, 16:09
by loukingjr
Right now the only way would be to roll back to VB 4.3.12 which does no hardening checks. Of course it also limits some of the newer guests you can run.

Re: Discussion of Problems due to Hardened Security

Posted: 8. Dec 2015, 19:27
by estate67
No more able to Use Virtual Box: 4.2.36.
I have no antivirus.
I tried to repair it reinstalling, but it doesn't fix it.
Please, give me some suggestions.

First message:
WinVerifyTrust failed on stup executable: WinVerifyTrust failed with hrc=Unkonw Status 0x8009200D on '\Device\HarddiskVolume4\ProgramFiles\Oracle\VirtualBox\VirtualBox.exe' (rc=-22919)

Second message:
The virtual machine 'Win XP' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'C:\Users\Lisa\VirtualBox VMs\Nuovo gruppo\Win XP\Logs\VBoxStartup.log'.

Codice 'uscita: E_FAIL (0x80004005)
Componente: Machine
Interfaccia: IMachine {480cf695-2d8d-4256-9c7c-cce4184fa048}

Re: Discussion of Problems due to Hardened Security

Posted: 8. Dec 2015, 20:06
by estate67
estate67 wrote:No more able to Use Virtual Box: 4.2.36.

First message:
WinVerifyTrust failed on stup executable: WinVerifyTrust failed with hrc=Unkonw Status 0x8009200D on '\Device\HarddiskVolume4\ProgramFiles\Oracle\VirtualBox\VirtualBox.exe' (rc=-22919)

Second message:
The virtual machine 'Win XP' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'C:\Users\Lisa\VirtualBox VMs\Nuovo gruppo\Win XP\Logs\VBoxStartup.log'.

Codice 'uscita: E_FAIL (0x80004005)
Componente: Machine
Interfaccia: IMachine {480cf695-2d8d-4256-9c7c-cce4184fa048}
SOLVED! getting rid of windows KB3081320 update

Re: Discussion of Problems due to Hardened Security

Posted: 9. Dec 2015, 18:56
by rheingold
Nope, still having this error:

27d0.27d4: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
27d0.27d4: Calling main()
27d0.27d4: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
27d0.27d4: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
27d0.27d4: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
27d0.27d4: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe)
27d0.27d4: SUPR3HardenedMain: Respawn #2
27d0.27d4: supR3HardNtEnableThreadCreation:
27d0.27d4: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\apphelp.dll)
27d0.27d4: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\apphelp.dll
27d0.27d4: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\apphelp.dll (rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000:<flags> [calling]
27d0.27d4: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
27d0.27d4: supR3HardenedDllNotificationCallback: load 000007fefd690000 LB 0x00057000 C:\Windows\system32\apphelp.dll [fFlags=0x0]
27d0.27d4: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
27d0.27d4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=000007fefd690000 'C:\Windows\system32\apphelp.dll'
27d0.27d4: supR3HardNtDisableThreadCreation: pvLdrInitThunk=0000000077aeb630 pvNtTerminateThread=0000000077b0dee0
27d0.27d4: supR3HardenedWinDoReSpawn(2): New child 2408.2120 [kernel32].
27d0.27d4: supR3HardNtChildGatherData: PebBaseAddress=000007fffffdf000 cbPeb=0x380
27d0.27d4: supR3HardNtPuChFindNtdll: uNtDllParentAddr=0000000077ac0000 uNtDllChildAddr=0000000077ac0000
27d0.27d4: supR3HardenedWinSetupChildInit: uLdrInitThunk=0000000077aeb630
27d0.27d4: supR3HardenedWinSetupChildInit: Start child.
27d0.27d4: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0x1 (rcNtWait=0x2, rcNt1=0x0, rcNt2=0x0, rcNt3=0x0, 1 ms, PurifyChildAndCloseHandles);

Win 7 64b CZE, VirtualBox of version 5.0.10 r104061

Re: Discussion of Problems due to Hardened Security

Posted: 9. Dec 2015, 18:58
by Brickstone
Hi,

I didn't try the avira driver-disable workaround of cornelis' post. Apparently it's a avira bug anyway.
But either way, I'd like to upload my logs in case they help in any way.

I had the same behaviour, as described above. If I don't confirm the error messages, the VM eventually starts to run after some waiting time. Only if I close the last message, it will be closed.
So I provided two logs. One with a confirmed error message and non starting VM and one just ignoring the messages.

Host: Win7 64bit 4GB latest win updates installed
Guest: Ubuntu 64 bit , 3D acceleration enabled, 128MB graphic memory
VB: latest Testbuild from here: https://www.virtualbox.org/wiki/Testbuilds

regards

Re: Discussion of Problems due to Hardened Security

Posted: 9. Dec 2015, 19:01
by rheingold
Other VMs however are quoting another error:

1c40.1ebc: '\Device\HarddiskVolume2\Windows\System32\ntdll.dll' has no imports
1c40.1ebc: ntdll.dll: Differences in section #1 (.text) between file and memory:
1c40.1ebc: 0000000077b0f1c0 / 0x004f1c0: 4c != e9
1c40.1ebc: 0000000077b0f1c1 / 0x004f1c1: 8b != 3b
1c40.1ebc: 0000000077b0f1c2 / 0x004f1c2: d1 != 0e
1c40.1ebc: 0000000077b0f1c3 / 0x004f1c3: b8 != 4c
1c40.1ebc: 0000000077b0f1c4 / 0x004f1c4: 7e != 07
1c40.1ebc: Restored 0x2000 bytes of original file content at 0000000077b0d63e
1c40.1ebc: supR3HardNtChildPurify: cFixes=2 g_fSupAdversaries=0x800 cPatchCount=0
1c40.1ebc: supR3HardNtChildPurify: Startup delay kludge #1/1: 515 ms, 64 sleeps
1c40.1ebc: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
1c40.1ebc: *0000000000000000-fffffffffffeffff 0x0001/0x0000 0x0000000
1c40.1ebc: *0000000000010000-fffffffffffeffff 0x0004/0x0004 0x0020000
1c40.1ebc: *0000000000030000-000000000002bfff 0x0002/0x0002 0x0040000
1c40.1ebc: 0000000000034000-0000000000027fff 0x0001/0x0000 0x0000000
1c40.1ebc: *0000000000040000-000000000003efff 0x0004/0x0004 0x0020000
1c40.1ebc: 0000000000041000-0000000000031fff 0x0001/0x0000 0x0000000
1c40.1ebc: *0000000000050000-000000000004efff 0x0004/0x0004 0x0020000
1c40.1ebc: 0000000000051000-fffffffffff91fff 0x0001/0x0000 0x0000000
1c40.1ebc: *0000000000110000-0000000000013fff 0x0000/0x0004 0x0020000
1c40.1ebc: 000000000020c000-0000000000208fff 0x0104/0x0004 0x0020000
1c40.1ebc: 000000000020f000-000000000020dfff 0x0004/0x0004 0x0020000
1c40.1ebc: 0000000000210000-ffffffff8895ffff 0x0001/0x0000 0x0000000
1c40.1ebc: *0000000077ac0000-0000000077ac0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1c40.1ebc: 0000000077ac1000-0000000077bbefff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1c40.1ebc: 0000000077bbf000-0000000077bedfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1c40.1ebc: 0000000077bee000-0000000077bf5fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1c40.1ebc: 0000000077bf6000-0000000077bf6fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1c40.1ebc: 0000000077bf7000-0000000077bf7fff 0x0008/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1c40.1ebc: 0000000077bf8000-0000000077bf9fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1c40.1ebc: 0000000077bfa000-0000000077c68fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\ntdll.dll
1c40.1ebc: 0000000077c69000-00000000708f1fff 0x0001/0x0000 0x0000000
1c40.1ebc: *000000007efe0000-000000007dfdffff 0x0000/0x0002 0x0020000
1c40.1ebc: *000000007ffe0000-000000007ffdefff 0x0002/0x0002 0x0020000
1c40.1ebc: 000000007ffe1000-000000007ffd1fff 0x0000/0x0002 0x0020000
1c40.1ebc: 000000007fff0000-ffffffffc020ffff 0x0001/0x0000 0x0000000
1c40.1ebc: *000000013fdd0000-000000013fdd0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1c40.1ebc: 000000013fdd1000-000000013fe57fff 0x0020/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1c40.1ebc: 000000013fe58000-000000013fe58fff 0x0040/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1c40.1ebc: 000000013fe59000-000000013fea3fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1c40.1ebc: 000000013fea4000-000000013feb0fff 0x0004/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1c40.1ebc: 000000013feb1000-000000013fefbfff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe
1c40.1ebc: 000000013fefc000-fffff80380017fff 0x0001/0x0000 0x0000000
1c40.1ebc: *000007feffde0000-000007feffde0fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume2\Windows\System32\apisetschema.dll
1c40.1ebc: 000007feffde1000-000007fdffc11fff 0x0001/0x0000 0x0000000
1c40.1ebc: *000007fffffb0000-000007fffff8cfff 0x0002/0x0002 0x0040000
1c40.1ebc: 000007fffffd3000-000007fffffc9fff 0x0001/0x0000 0x0000000
1c40.1ebc: *000007fffffdc000-000007fffffdafff 0x0004/0x0004 0x0020000
1c40.1ebc: 000007fffffdd000-000007fffffdbfff 0x0001/0x0000 0x0000000
1c40.1ebc: *000007fffffde000-000007fffffdbfff 0x0004/0x0004 0x0020000
1c40.1ebc: *000007fffffe0000-000007fffffcffff 0x0001/0x0002 0x0020000
1c40.1ebc: supR3HardNtChildPurify: Done after 1084 ms and 2 fixes (loop #1).
1c40.1ebc: supR3HardenedEarlyCompact: Removed heap 1 (0x000000002d0000 LB 0x400000)
1c40.1ebc: supR3HardNtEnableThreadCreation:
1c40.1ebc: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0x1 (rcNtWait=0x2, rcNt1=0x0, rcNt2=0x0, rcNt3=0x0, 1 ms, CloseEvents);

Re: Discussion of Problems due to Hardened Security

Posted: 9. Dec 2015, 19:10
by vidy
Hello,
I also have problems with not working virtual machines in VB 5.0.10 - seems that problem is apphelp.dll and kernel32.dll with both "lacks WinVerifyTrust".
-> Problem is now clear ----> Avira is the Problem... Avira knows about this and is already trying to fix the problem

Re: Discussion of Problems due to Hardened Security

Posted: 9. Dec 2015, 21:58
by rheingold
Other update: I have Avira too (avira(dot)com), but I have disabled it using cornelis post.

Re: Discussion of Problems due to Hardened Security

Posted: 12. Dec 2015, 16:20
by Synesthesia34
CornelisJ wrote:Users that are not able to run VirtualBox in combination with Avira Antivirus can use the following workaround, quoted from Avira customer support.
After following these instructions I can use VirtualBox again without uninstalling Avira Antivirus.

==========
Unfortunately, the issue that you are currently experiencing is indeed related to a new bug. We are currently working to solve this bug as soon as possible.
Meanwhile, the solution that I am proposing to you is to simply disable the avipbb driver.
In order to disable avipbb driver, the following procedure can be followed:
• Open Avira configuration and go to General -> Security.
• Disable product protection options (all three).
• Press Ok button to save configuration.
• Press Start->Settings-> Control Panel->System.
• Start "Device Manager" in the tab "Hardware".
• In "View" menu activate the option "Show hidden devices".
• Now select the node "Non-plug and play drivers".
• Right-click on the driver "avipbb" and select "Properties".
• In tab "Driver" select the option "Disabled" and click OK.
• Close all and reboot.
After these manipulations, it is possible that the Mail Protection and Web Protection services will cease to function. Just in case it`s happening, do not worry and rest assured that your computer's security is in no way being jeopardized; the Real-Time Protection will continue to protect you by scanning any files.
==========
This solution helped me too.

Thank you CornelisJ!

Re: Discussion of Problems due to Hardened Security

Posted: 13. Dec 2015, 22:01
by nattsurfaren
I'm coming from this post:
viewtopic.php?f=2&t=75155&p=348572#p348572
After being pointed out to the hardened security issue.

I'm reading Avira antivirus is the problem but I have only windows defender installed
as a protection.
In the beginning of this post it is suggested that I remove KB3004394
I can't find it in installed updates.

Any suggestions?

Re: Discussion of Problems due to Hardened Security

Posted: 13. Dec 2015, 22:47
by loukingjr
nattsurfaren wrote:I'm reading Avira antivirus is the problem but I have only windows defender installed
as a protection.
Not true. See your first post.

Re: Discussion of Problems due to Hardened Security

Posted: 13. Dec 2015, 23:17
by nattsurfaren
I assume the log prints out the host driver for avast and not the guest.
On the guest I checked both c:\program files and the x86 version. There is no avast on the guest.
I will try to uninstall on the host machine now.