Hardening issue started today, no obvious changes in environment

Max393
Posts: 5
Joined: 16. Jan 2018, 22:20

Post by Max393 »

Host: Windows 10 Enterprise, VirtualBox 5.2.4, Host-Only Network; Guests: RHEL 6.9 + Guest Additions

I used the existing guests yesterday with no issues and closed the sessions (saving the state). This morning, upon trying to restart a session, I received the following error:
(rc=-5460)

Please try reinstalling VirtualBox.

where: supR3HardenedWinReSpawn what: 1
VERR_SUP_VP_THREAD_NOT_ALONE (-5640) - Process Verification Failure: The process has more than one thread.
And then when closing that dialog (slightly redacted):
Failed to open a session for the virtual machine [MY VM NAME].

The virtual machine '[MY VM NAME]' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in '[LOG DIRECTORY]\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {85cd948e-a71f-4289-281e-0ca7ad48cd89}
I've tried uninstalling VirtualBox and then re-installing VirtualBox (using Run as Administrator) as well as most of the other suggestions in the "Diagnosing VirtualBox Hardening Issues" topic:
  • I temporarily disabled the real-time antivirus (Symantec Endpoint Protection).
  • I did NOT uninstall the antivirus, as I don't think my employer's IT team would be OK with that.
  • I made sure Hyper-V was disabled.
  • I discarded the saved state for one of the guests and tried to restart it from there.
  • I fully powered down the host and then restarted it.
I seem to get the same results no matter what. As suggested there, I'm posting a question in this forum with the information I have.

As an aside, I was using VirtualBox 5.1.30 when this started this morning and then installed 5.2.4 to see if that would help (it hasn't). The error message above is what I'm currently getting with 5.2.4, but it was largely the same for 5.1.30. (The UUID on the "Interface" line was different.)

According to the hardening log (attached), it's exiting with Exit Code 1, and the last DLL mentioned is ntdll.dll, but I don't know how to interpret the log beyond that. This occurs with all existing guests and a new one I tried to create.

Thanks for any help! I'm happy to try more stuff out, do some debugging, etc. Just not sure where else to look.
Attachments
VBoxHardening.zip
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Post by socratis »

Max393 wrote: I temporarily disabled the real-time antivirus (Symantec Endpoint Protection).
As you can see from the linked article, this is not enough sometimes. As evidenced from your log:
2204.3670:     FileDescription: Symantec CMC Firewall SysPlant
2204.3670:     FileDescription: Symantec CMC Firewall sysfer
2204.3670:     FileDescription: Symantec Event Library
2204.3670:     FileDescription: PowerBroker for Windows
2204.3670:     FileDescription: BeyondTrust PowerBroker for Windows DLL
And you should definitely let them know that they shouldn't be injecting themselves into other processes unless they're properly signed and they've updated the Windows certificate database.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
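
An added example, not part of the thread and not VirtualBox code: a small Python script that pulls the `FileDescription:` entries out of a VBoxHardening.log and counts how often each third-party product appears, which is the kind of summary that can be handed to an IT department. The watchlist keywords, product labels and the sample log are assumptions built from the lines quoted above; the result is a tally of mentions, not a diagnosis of which module triggers the error.

```python
import re
from collections import Counter

# Line shape taken from the excerpt quoted in the thread:
#   "<pid>.<tid>:     FileDescription: <text>"
FILE_DESC = re.compile(
    r"^\s*([0-9a-fA-F]+)\.([0-9a-fA-F]+):\s+FileDescription:\s*(.*\S)\s*$")

# Assumption: keyword -> product label, built from the names seen in this thread.
WATCHLIST = {
    "symantec": "Symantec Endpoint Protection",
    "powerbroker": "BeyondTrust PowerBroker",
    "beyondtrust": "BeyondTrust PowerBroker",
}

# Constructed sample: the five lines quoted in the thread plus two constructed
# lines (a Microsoft module and a non-FileDescription field) that must be ignored.
SAMPLE_LOG = """\
2204.3670:     FileDescription: NT Layer DLL
2204.3670:     FileVersion:     0.0.0.0 (constructed)
2204.3670:     FileDescription: Symantec CMC Firewall SysPlant
2204.3670:     FileDescription: Symantec CMC Firewall sysfer
2204.3670:     FileDescription: Symantec Event Library
2204.3670:     FileDescription: PowerBroker for Windows
2204.3670:     FileDescription: BeyondTrust PowerBroker for Windows DLL
"""

def file_descriptions(log_text):
    """Yield (pid, tid, description) for every FileDescription line."""
    for line in log_text.splitlines():
        m = FILE_DESC.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def third_party_hits(log_text, watchlist=WATCHLIST):
    """Return [(product, hit_count, sorted descriptions)], most hits first."""
    hits, modules = Counter(), {}
    for _pid, _tid, desc in file_descriptions(log_text):
        lowered = desc.lower()
        for keyword, product in watchlist.items():
            if keyword in lowered:
                hits[product] += 1
                modules.setdefault(product, set()).add(desc)
                break  # count each log line once, even if two keywords match
    return [(p, n, sorted(modules[p])) for p, n in hits.most_common()]

if __name__ == "__main__":
    for product, count, descs in third_party_hits(SAMPLE_LOG):
        print(f"{product}: {count} hit(s)")
        for d in descs:
            print(f"    {d}")
```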

Post by Max393 »

OK, thanks for the quick response! Based on what you see in the log, do you think the antivirus is almost definitely the issue, or just a likely culprit that needs to at least be ruled out? I'd like to be able to explain that to the IT folks.

And you may not have enough information here, but do you have any sense of whether this is more likely a vendor (Symantec or BeyondTrust) issue, or could it be caused by misconfiguration by the IT department (for example in updates they're pushing out)?

Post by socratis »

I just realized that in my previous answer I mentioned a "linked article", however there was no linked article. Oops... :shock:

Well, here it is, read it to better understand what's going on: "Diagnosing VirtualBox Hardening Issues". Give it to your IT folks as well, they'll understand the problem. You could have them add an exception to VirtualBox if possible.

Post by Max393 »

Yep, I read that, thanks! I couldn't link to it in my initial post since I have a new account but I mentioned it by name. :D

To confirm, given what you see, you're pretty sure that it's the antivirus (or possibly PowerBroker)? I suspect the IT department isn't going to want to do a lot of investigating, so the more specifics I can give them, the better.

Thanks again!

Post by socratis »

I don't have a clue. Start with the Symantec one, it's had more hits.

Post by Max393 »

Thanks again; I'm working with my IT department to try to figure out what's going on.

To clarify, the hardening log shows which DLL files have been loaded into the process but not which file is triggering the error?

Post by socratis »

There are about 1 1/2 people that can interpret the VBoxHardening.log in full detail, and they're kind of busy.

The rest of us are simply reading the tea leaves with varying success rates, but we're getting better at it; reading the tea leaves, not the VBoxHardening.log that is... ;)

Post by Max393 »

Got it, thanks!