Hardened error unable to start VM's

Discussions related to using VirtualBox on Windows hosts.
christopher87
Posts: 7
Joined: 27. Sep 2017, 20:22

Re: Hardened error unable to start VM's

Post by christopher87 »

socratis wrote:Then take some pointers of what else might be wrong in the FAQ: Diagnosing VirtualBox Hardening Issues. We might get a hint if you post a ZIPPED VBoxHardening.log
I apologize. Should have clearly included it. See attached. Good chance that this doesn't have everything, but it is the most recent. For what it's worth, I've gone through that FAQ many times.
Last edited by christopher87 on 3. Oct 2017, 20:12, edited 1 time in total.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Hardened error unable to start VM's

Post by socratis »

29f4.292c:     FileDescription: Symantec CMC Firewall SysPlant
29f4.292c:     FileDescription: Symantec CMC Firewall sysfer
29f4.292c:     FileDescription: Symantec Event Library
29f4.292c:     FileDescription: ZoneAlarm Firewalling Driver
29f4.292c:     FileDescription: PowerBroker for Windows
29f4.292c:     FileDescription: BeyondTrust PowerBroker for Windows DLL
The FAQ very specifically was talking about antivirus, firewalls and other 3rd party programs. Start uninstalling one by one all of them, see whose fault it is.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
christopher87
Posts: 7
Joined: 27. Sep 2017, 20:22

Re: Hardened error unable to start VM's

Post by christopher87 »

Symantec's controlled by group policy, so I can't touch that... -_-

But maybe one of the others. It's worth noting that on my Windows 7 machine, I have the same AV. So I'll continue to investigate. Thanks for the reply sir.
christopher87
Posts: 7
Joined: 27. Sep 2017, 20:22

Re: Hardened error unable to start VM's

Post by christopher87 »

One final follow-up here. Due to my corporate environment, I have no ability to disable or tamper with AV. What's so strange is how this worked before.

Are there any ways of adding application or dll exceptions to the hardening process? Symantec doesn't trust VirtualBox, but VirtualBox doesn't trust Symantec... So no VMs. There's gotta be more workarounds or alternatives than to simply move on.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Hardened error unable to start VM's

Post by mpack »

christopher87 wrote:Are there any ways of adding application or dll exceptions to the hardening process?
No, there isn't. If exceptions could be configured then malware could circumvent the checks by adding an exception. The checks would be a complete waste of time.
christopher87 wrote:Symantec doesn't trust VirtualBox, but VirtualBox doesn't trust Symantec... So no VMs.
The only workaround is to get your IT guys to select better AV. At my place of work we use Defender, which is free (with Windows) and works just fine with VirtualBox (and Windows).
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Hardened error unable to start VM's

Post by socratis »

mpack beat me to the second, I had the exact same answers ;)

Just a small note. VirtualBox doesn't trust anyone that tries to inject a DLL into VirtualBox's processes without having a properly signed certificate. That's the problem, the certificate that Symantec has, is not properly signed. If it was, there would be absolutely no problem at all. There are plenty of people that run VirtualBox alongside all sorts of programs, including Symantec. Maybe there's something wrong with your version/setup/enterprise that triggers this. Have your IT people call Symantec and report this issue.
christopher87
Posts: 7
Joined: 27. Sep 2017, 20:22

Re: Hardened error unable to start VM's

Post by christopher87 »

socratis wrote:the certificate that Symantec has, is not properly signed. If it was, there would be absolutely no problem at all.
Could be! Would you happen to know (and I understand this is outside the realm of VirtualBox) if there is a way I can check certificate statuses?
socratis wrote:Maybe there's something wrong with your version/setup/enterprise that triggers this. Have your IT people call Symantec and report this issue.
Will do what I can.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Hardened error unable to start VM's

Post by mpack »

You can right click any executable (exe or dll), open the Properties and look at the "Digital Signatures" tab. If you don't see a tab then the executable is unsigned. Otherwise you can follow the certification chain and see if it's valid.

However I must disagree with my esteemed colleague. An unsigned DLL in the AV suite itself is not the only reason for conflict. Another one I've seen is when the AV is deliberately blocking VirtualBox from examining other executables, which is how VirtualBox checks the signatures.

Step 1 in diagnosing this condition: disable the AV suite and see if VirtualBox VMs work. Yes, some people need help from IT people in order to do this test, that does not make the test less important.

Step 2: Check the executables in the AV suite folder. Make sure they all have valid signatures.

Step 3: See if VirtualBox can be added as an exception to whatever blocking the AV suite does.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Hardened error unable to start VM's

Post by socratis »

Don, you got to stop doing this man, I was about to hit the "Submit" button :D (damn, I'm a slow typist :? )

Step 4: The Windows certificate database was corrupt (or something along those lines). Check the interwebs for "corrupt windows certificate database".

Step 5: a program can update its DLLs (via an online update), but forget to update the Windows certificate database. That could trigger the problem as well.

Step 6: something else.
mpack wrote:AV is deliberately blocking VirtualBox from examining other executables
Really??? Why would they do that? Interesting to know...
erdeslawe
Volunteer
Posts: 241
Joined: 8. Jul 2015, 10:23

Re: Hardened error unable to start VM's

Post by erdeslawe »

@ christopher87

If you do identify that it is the Symantec software that is 'blocking' VirtualBox, then start from the Guidance Note here: https://support.symantec.com/en_US/arti ... 83201.html
christopher87
Posts: 7
Joined: 27. Sep 2017, 20:22

Re: Hardened error unable to start VM's

Post by christopher87 »

Quick update here. I've moved onto a different solution. Out of respect for the forum and this community I won't go into detail, but if you're curious feel free to PM me.

TLDR I have no control over my corporate AV. Above my pay grade, and after two weeks of troubleshooting I had to move on.

Cheers everybody. If anyone figures this out, I'd be happy to hear.
Oliver_999
Posts: 1
Joined: 14. Nov 2017, 14:51

Re: Hardened error unable to start VM's

Post by Oliver_999 »

In my case the issue was resolved after removing BeyondTrust PowerBroker for Windows.
vmplex
Posts: 1
Joined: 17. Nov 2017, 14:39

Re: Hardened error unable to start VM's

Post by vmplex »

Hello,

in my case the issue was resolved by starting VirtualBox with "Run as Administrator".
My HOST runs Win7SP1. VirtualBox version is 5.1.26 and was installed in July 2017. I only created 1 VM with Win7SP1 as guestOS.
Until today I had no problem with this VM. Today I tried to start it and got the famous error described in this post.
fvrshkkke
Posts: 1
Joined: 22. Mar 2018, 16:52

Re: Hardened error unable to start VM's

Post by fvrshkkke »

I had this problem and it was fixed by uninstalling Citrix.
Baski
Posts: 2
Joined: 26. Feb 2019, 04:46

Re: Hardened error unable to start VM's

Post by Baski »

Hi,

I am using a corporate laptop with 8 GB RAM and Windows 8. The system has Symantec AV. I am receiving the error below; can anyone please help?


788.1a6c: NtOpenDirectoryObject failed on \Driver: 0xc0000022
788.1a6c: supR3HardenedWinFindAdversaries: 0x1003
788.1a6c: \SystemRoot\System32\drivers\SysPlant.sys:
788.1a6c:     CreationTime:    2018-01-03T08:50:53.777535700Z
788.1a6c:     LastWriteTime:   2018-01-03T08:50:53.777535700Z
788.1a6c:     ChangeTime:      2018-01-03T08:50:53.777535700Z
788.1a6c:     FileAttributes:  0x20
788.1a6c:     Size:            0x2f798
788.1a6c:     NT Headers:      0xf8
788.1a6c:     Timestamp:       0x57e42455
788.1a6c:     Machine:         0x8664 - amd64
788.1a6c:     Timestamp:       0x57e42455
788.1a6c:     Image Version:   5.0
788.1a6c:     SizeOfImage:     0x2f000 (192512)
788.1a6c:     Resource Dir:    0x2d000 LB 0x49c
788.1a6c:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
788.1a6c:     [Raw version resource data: 0x2d0b8 LB 0x3e4, codepage 0x4e4 (reserved 0x0)]
788.1a6c:     ProductName:     Symantec CMC Firewall
788.1a6c:     ProductVersion:  14.0.1849.0000
788.1a6c:     FileVersion:     14.0.1849.0000
788.1a6c:     FileDescription: Symantec CMC Firewall SysPlant
788.1a6c: \SystemRoot\System32\sysfer.dll:
788.1a6c:     CreationTime:    2018-01-03T08:50:53.777535700Z
788.1a6c:     LastWriteTime:   2018-01-03T08:50:53.777535700Z
788.1a6c:     ChangeTime:      2018-01-03T08:50:53.777535700Z
788.1a6c:     FileAttributes:  0x20
788.1a6c:     Size:            0x7a728
788.1a6c:     NT Headers:      0x100
788.1a6c:     Timestamp:       0x57e42469
788.1a6c:     Machine:         0x8664 - amd64
788.1a6c:     Timestamp:       0x57e42469
788.1a6c:     Image Version:   0.0
788.1a6c:     SizeOfImage:     0x8e000 (581632)
788.1a6c:     Resource Dir:    0x8a000 LB 0x658
788.1a6c:     [Version info resource found at 0xc8! (ID/Name: 0x1; SubID/SubName: 0x409)]
788.1a6c:     [Raw version resource data: 0x8a100 LB 0x3d8, codepage 0x4e4 (reserved 0x0)]
788.1a6c:     ProductName:     Symantec CMC Firewall
788.1a6c:     ProductVersion:  14.0.1849.0000
788.1a6c:     FileVersion:     14.0.1849.0000
788.1a6c:     FileDescription: Symantec CMC Firewall sysfer
788.1a6c: \SystemRoot\System32\drivers\symevent64x86.sys:
788.1a6c:     CreationTime:    2018-01-03T08:51:58.496519400Z
788.1a6c:     LastWriteTime:   2018-01-03T08:51:58.480894200Z
788.1a6c:     ChangeTime:      2018-01-03T08:51:58.480894200Z
788.1a6c:     FileAttributes:  0x20
788.1a6c:     Size:            0x18af0
788.1a6c:     NT Headers:      0xe0
788.1a6c:     Timestamp:       0x576875ca
788.1a6c:     Machine:         0x8664 - amd64
788.1a6c:     Timestamp:       0x576875ca
788.1a6c:     Image Version:   6.2
788.1a6c:     SizeOfImage:     0x21000 (135168)
788.1a6c:     Resource Dir:    0x1f000 LB 0x3c8
788.1a6c:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
788.1a6c:     [Raw version resource data: 0x1f0b8 LB 0x310, codepage 0x4e4 (reserved 0x0)]
788.1a6c:     ProductName:     SYMEVENT
788.1a6c:     ProductVersion:  14.0.3.1
788.1a6c:     FileVersion:     14.0.3.1
788.1a6c:     FileDescription: Symantec Event Library
788.1a6c: \SystemRoot\System32\drivers\vsdatant.sys:
788.1a6c:     CreationTime:    2015-11-18T04:18:36.000000000Z
788.1a6c:     LastWriteTime:   2015-11-18T04:18:36.000000000Z
788.1a6c:     ChangeTime:      2018-01-03T08:56:36.164480500Z
788.1a6c:     FileAttributes:  0x20
788.1a6c:     Size:            0x72968
788.1a6c:     NT Headers:      0xe8
788.1a6c:     Timestamp:       0x55c9afa1
788.1a6c:     Machine:         0x8664 - amd64
788.1a6c:     Timestamp:       0x55c9afa1
788.1a6c:     Image Version:   6.1
788.1a6c:     SizeOfImage:     0x96000 (614400)
788.1a6c:     Resource Dir:    0x94000 LB 0x3d0
788.1a6c:     [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
788.1a6c:     [Raw version resource data: 0x94060 LB 0x36c, codepage 0x0 (reserved 0x0)]
788.1a6c:     ProductName:     End Point Security
788.1a6c:     ProductVersion:  R80
788.1a6c:     FileVersion:     926000604
788.1a6c:     FileDescription: ZoneAlarm Firewalling Driver
...
788.1a6c: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 94 ms, the end);
Last edited by socratis on 26. Feb 2019, 07:33, edited 1 time in total.
Reason: Removed partial log.
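
The signature check from mpack's Step 2, applied to the modules that VBoxHardening.log lists after supR3HardenedWinFindAdversaries (the log format shown in the posts above), as an added example that is not part of any post in this thread. The default log path and all variable names are assumptions; Get-AuthenticodeSignature is the built-in PowerShell cmdlet.

```powershell
# Added example (not from the thread). $LogPath is an assumed location.
param([string]$LogPath = '.\VBoxHardening.log')

# Fallback input: lines abridged from the log excerpt posted in this thread.
$sample = @'
788.1a6c: supR3HardenedWinFindAdversaries: 0x1003
788.1a6c: \SystemRoot\System32\drivers\SysPlant.sys:
788.1a6c:     ProductName:     Symantec CMC Firewall
788.1a6c:     FileVersion:     14.0.1849.0000
788.1a6c:     FileDescription: Symantec CMC Firewall SysPlant
788.1a6c: \SystemRoot\System32\sysfer.dll:
788.1a6c:     ProductName:     Symantec CMC Firewall
788.1a6c:     FileVersion:     14.0.1849.0000
788.1a6c:     FileDescription: Symantec CMC Firewall sysfer
'@
$lines = if (Test-Path -LiteralPath $LogPath) {
    Get-Content -LiteralPath $LogPath
} else {
    $sample -split '\r?\n'
}

# "<pid>.<tid>: \SystemRoot\...:" opens a module; indented "Key: value" lines follow.
$headerRx = '^[0-9a-f]+\.[0-9a-f]+:\s+(?<path>\\SystemRoot\\.+):\s*$'
$fieldRx  = '^[0-9a-f]+\.[0-9a-f]+:\s+(?<key>ProductName|FileVersion|FileDescription):\s+(?<val>.+?)\s*$'
$modules  = [ordered]@{}      # keyed by NT path, so repeated dumps collapse
$armed = $false; $cur = $null
foreach ($line in $lines) {
    # Earlier path blocks describe system DLLs; only collect after the marker.
    if ($line -match 'supR3HardenedWinFindAdversaries') { $armed = $true; continue }
    if (-not $armed) { continue }
    if ($line -match $headerRx) {
        $cur = [pscustomobject]@{ NtPath = $Matches['path']; ProductName = $null
            FileVersion = $null; FileDescription = $null; Signature = $null; Signer = $null }
        $modules[$cur.NtPath] = $cur
    } elseif ($cur -and $line -match $fieldRx) {
        $key = $Matches['key']; $cur.$key = $Matches['val']
    }
}

# Run from 64-bit PowerShell: a 32-bit host is redirected away from System32.
foreach ($m in $modules.Values) {
    $win32 = $env:SystemRoot + $m.NtPath.Substring('\SystemRoot'.Length)
    if (Test-Path -LiteralPath $win32) {
        $sig = Get-AuthenticodeSignature -LiteralPath $win32
        $m.Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        $m.Signer    = $sig.SignerCertificate.Subject   # $null when unsigned
    } else {
        $m.Signature = 'FileNotFound'                   # module not present on this machine
    }
}
$modules.Values | Format-List FileDescription, FileVersion, NtPath, Signature, Signer
```

Any status other than Valid marks a file to raise with its vendor. VirtualBox performs its own verification, so Valid here is a triage result, not proof that hardening will accept the module.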