VirtualBox v5.2 and hardening issues - cannot launch VMs

Discussions related to using VirtualBox on Windows hosts.
Jedis
Posts: 6
Joined: 8. Nov 2013, 16:22

Post by Jedis »

Hello,

After updating to VirtualBox v5.2, I can no longer start my VMs. They refuse to load, with errors about Start8 from Stardock, and Dexpot, a virtual desktop management software.

I've looked at the FAQ about Hardening, and it did not offer any solutions. How do I go about using my VMs and disable this "hardening?" The software I am using is legitimate and VirtualBox needs the ability to turn off this forceful refusing to load the VMs.

3294.319c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status -23021 (0xffffa613)) on \Device\HarddiskVolume3\Program Files (x86)\Stardock\Start8\Start8_64.dll [lacks WinVerifyTrust]
3294.319c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status -23021 (0xffffa613)) on \Device\HarddiskVolume3\Program Files (x86)\Dexpot\hooxpot64.dll [lacks WinVerifyTrust]
Attachment: VBoxHardening.zip (15.02 KiB)
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: VirtualBox v5.2 and hardening issues - cannot launch VMs

Post by socratis »

Jedis wrote: How do I go about using my VMs and disable this "hardening?"
You don't. It's not an option.
Jedis wrote: The software I am using is legitimate and VirtualBox needs the ability to turn off this forceful refusing to load the VMs.
If you read the Hardening FAQ, you'll realize that it's not about legitimacy or not. It's about software wanting to interfere with the VirtualBox process without being properly signed, or the certificate DB not updated correctly. You might want to point the FAQ to the developers of the software that's interfering.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.

Post by Jedis »

socratis wrote: You don't. It's not an option.
Thanks. That seems to be a huge blunder on the part of the VBox team. There should be a way to whitelist processes for advanced users, knowing that if any potential issues result, they must disable the whitelisted programs. Add a captcha or something on every launch to prevent a process from maliciously adding itself to the list. _Some_ means to allow a VM to load... We are using VBox in a workflow. What version can I revert to, to get around the hardening?

Post by socratis »

Jedis wrote: That seems to be a huge blunder on the part of the VBox team.
If by "blunder" you mean "closing security holes", you're 100% right.
Jedis wrote: There should be a way to whitelist processes for advanced users
No. That would defeat the whole purpose because a trojan could do that as well. Well-known tactic that has been successfully applied to antivirus.
Jedis wrote: Add a captcha or something on every launch to prevent a process from maliciously adding itself to the list.
Or, have those programs behave correctly. You can't expect a program that plays by the rules to cut some slack to programs that don't. It's the 3rd party's responsibility to fix their stuff.
Jedis wrote: What version can I revert to, to get around the hardening?
When I give you a link to read, I expect you to read said link. First line of the Hardening FAQ.

Post by Jedis »

This 'hardening' is flagging known Microsoft components, with a digital signature, as lacking WinVerifyTrust:

2940.2a34: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'user32.dll'...
2940.2a34: supR3HardenedWinVerifyCacheProcessImportTodos: 'user32.dll' -> '\Device\HarddiskVolume3\Windows\System32\user32.dll' [rcNtRedir=0xc0150008]
2940.2a34: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume3\Windows\System32\user32.dll [lacks WinVerifyTrust]

Post by socratis »

The "lacks WinVerifyTrust" is not what this flag is all about. These are not rejected. This, for example, might be:
3118.2e04: supR3HardenedWinFindAdversaries: 0x10003
3118.2e04: \SystemRoot\System32\drivers\SysPlant.sys:
That's your Symantec. You also have PowerBroker installed. That's a known troublemaker.

And this is certainly one:
3294.319c: More than one thread in process
That can be your PowerBroker or another 3rd party application, usually web content filtering and/or antivirus.
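
Added example, not part of the original thread or of VirtualBox: a small Python triage script that sorts hardening-log lines into the categories the post above distinguishes (image-screening results, the supR3HardenedWinFindAdversaries driver list, and the "More than one thread in process" message). The function name triage and the result keys are hypothetical, and treating any status other than VINF_SUCCESS as worth reporting is an assumption.

```python
import re
from collections import Counter

# Lines copied from the posts in this thread; not a complete VBoxHardening.log.
SAMPLE_LOG = r"""
3294.319c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status -23021 (0xffffa613)) on \Device\HarddiskVolume3\Program Files (x86)\Stardock\Start8\Start8_64.dll [lacks WinVerifyTrust]
3294.319c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status -23021 (0xffffa613)) on \Device\HarddiskVolume3\Program Files (x86)\Dexpot\hooxpot64.dll [lacks WinVerifyTrust]
2940.2a34: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume3\Windows\System32\user32.dll [lacks WinVerifyTrust]
3118.2e04: supR3HardenedWinFindAdversaries: 0x10003
3118.2e04: \SystemRoot\System32\drivers\SysPlant.sys:
3294.319c: More than one thread in process
"""

PREFIX = re.compile(r"^[0-9a-f]+\.[0-9a-f]+: (.*)$")  # "<pid>.<tid>: <message>"
SCREEN = re.compile(r"^supR3HardenedScreenImage/\w+: cache hit \((.+)\) on (.+?)(?: \[.*\])?$")
ADVERSARIES = re.compile(r"^supR3HardenedWinFindAdversaries: (0x[0-9a-fA-F]+)$")
DRIVER = re.compile(r"^(\\SystemRoot\\.+\.sys):")


def triage(log_text):
    """Group hardening-log lines into the categories discussed in the thread."""
    result = {"screen_failed": Counter(), "screen_ok": set(),
              "adversary_masks": [], "adversary_drivers": [], "multi_thread": False}
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if (s := SCREEN.match(msg)):
            status, path = s.groups()
            # The "[lacks WinVerifyTrust]" tag is ignored on purpose: per the
            # thread it is not the rejection flag. Only the status is kept.
            if status == "VINF_SUCCESS":
                result["screen_ok"].add(path)
            else:  # assumption: any other status deserves a closer look
                result["screen_failed"][(path, status)] += 1
        elif (a := ADVERSARIES.match(msg)):
            result["adversary_masks"].append(a.group(1))
        elif (d := DRIVER.match(msg)):
            # Assumption: "\SystemRoot\...sys:" lines name the flagged drivers.
            result["adversary_drivers"].append(d.group(1))
        elif msg.startswith("More than one thread in process"):
            result["multi_thread"] = True
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```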

Post by Jedis »

Thank you.

Unfortunately, this is a corporate machine that does have Symantec and PowerBroker. VirtualBox was working fine with it, until I tried to update. Now, I don't remember the version to roll back to that was working with my Windows 10 VM. I downgraded to VirtualBox-4.3.12-93733-Win.exe - which was the version before hardening, but it doesn't support loading the Windows 10 VM.

I'm kind of at a loss here of what to try...

Post by Jedis »

This is spammed over and over in the log, but Stardock support says it is not trying to inject anything:

1a20.36f4: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status -23021 (0xffffa613)) on \Device\HarddiskVolume3\Program Files (x86)\Stardock\Start8\Start8_64.dll [lacks WinVerifyTrust]
1a20.36f4: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status -23021 (0xffffa613)) on \Device\HarddiskVolume3\Program Files (x86)\Stardock\Start8\Start8_64.dll [lacks WinVerifyTrust]
'Hi. This did not work. Start8 is trying to inject itself into VirtualBox.'
That is just not likely at all as VB is on a different layer altogether.

In the install directory for Start8, and for the properties for start8_32.dll, it should show that it is signed - example (I have Start10 but it's the same deal):