VirtualBox VM won't start because of Anti-Virus .dll injection

Discussions related to using VirtualBox on Windows hosts.

VirtualBox VM won't start because of Anti-Virus .dll injection

Postby kbeeson007 » 8. Jul 2018, 04:33

First off, I can't remove BeyondTrust PowerBroker / Symantec Anti-virus. A recent update has added an injection into VirtualBox in which VirtualBox see's it as an intrusion so the VM won't start. Now, VirtualBox itself starts fine, but starting a VM gives me this message:
(rc = -5640) Please try reinstalling VirtualBox.

where: supR3HardenedWinReSpawn what: 1 VERR_SUP_VP_THREAD_NOT_ALONE (-5640) - Process Verification Failure: The process has more than one thread.

Here is the Hardening.log:
Code: Select all   Expand viewCollapse view
2e84.1340: Log file opened: 5.2.14r123301 g_hStartupLog=0000000000000170 g_uNtVerCombined=0xa0383900
2e84.1340: \SystemRoot\System32\ntdll.dll:
2e84.1340:     CreationTime:    2017-10-16T14:10:15.589015400Z
2e84.1340:     LastWriteTime:   2017-09-07T06:03:35.589628500Z
2e84.1340:     ChangeTime:      2018-03-22T16:54:40.122678600Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x1cccb0
2e84.1340:     NT Headers:      0xd8
2e84.1340:     Timestamp:       0x59b0d03e
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x59b0d03e
2e84.1340:     Image Version:   10.0
2e84.1340:     SizeOfImage:     0x1d2000 (1908736)
2e84.1340:     Resource Dir:    0x169000 LB 0x67a50
2e84.1340:     [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     [Raw version resource data: 0x1690f0 LB 0x398, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     Microsoft® Windows® Operating System
2e84.1340:     ProductVersion:  10.0.14393.1715
2e84.1340:     FileVersion:     10.0.14393.1715 (rs1_release_inmarket.170906-1810)
2e84.1340:     FileDescription: NT Layer DLL
2e84.1340: \SystemRoot\System32\kernel32.dll:
2e84.1340:     CreationTime:    2017-08-05T12:04:26.342899300Z
2e84.1340:     LastWriteTime:   2017-04-28T00:49:43.332433600Z
2e84.1340:     ChangeTime:      2018-03-22T16:54:38.891444600Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0xab208
2e84.1340:     NT Headers:      0xf0
2e84.1340:     Timestamp:       0x59028368
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x59028368
2e84.1340:     Image Version:   10.0
2e84.1340:     SizeOfImage:     0xac000 (704512)
2e84.1340:     Resource Dir:    0xaa000 LB 0x530
2e84.1340:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     [Raw version resource data: 0xaa0b0 LB 0x3b4, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     Microsoft® Windows® Operating System
2e84.1340:     ProductVersion:  10.0.14393.1198
2e84.1340:     FileVersion:     10.0.14393.1198 (rs1_release_sec.170427-1353)
2e84.1340:     FileDescription: Windows NT BASE API Client DLL
2e84.1340: \SystemRoot\System32\KernelBase.dll:
2e84.1340:     CreationTime:    2018-03-22T16:27:49.530367800Z
2e84.1340:     LastWriteTime:   2018-03-02T09:07:30.254111800Z
2e84.1340:     ChangeTime:      2018-03-23T12:02:59.582556100Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x21c780
2e84.1340:     NT Headers:      0xf8
2e84.1340:     Timestamp:       0x5a9906f8
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x5a9906f8
2e84.1340:     Image Version:   10.0
2e84.1340:     SizeOfImage:     0x21d000 (2215936)
2e84.1340:     Resource Dir:    0x201000 LB 0x550
2e84.1340:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     [Raw version resource data: 0x2010b0 LB 0x3c4, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     Microsoft® Windows® Operating System
2e84.1340:     ProductVersion:  10.0.14393.2125
2e84.1340:     FileVersion:     10.0.14393.2125 (rs1_release.180301-2139)
2e84.1340:     FileDescription: Windows NT BASE API Client DLL
2e84.1340: \SystemRoot\System32\apisetschema.dll:
2e84.1340:     CreationTime:    2018-03-22T16:21:43.172673700Z
2e84.1340:     LastWriteTime:   2018-03-02T09:07:28.044323200Z
2e84.1340:     ChangeTime:      2018-03-23T12:02:57.396184500Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x18960
2e84.1340:     NT Headers:      0xc8
2e84.1340:     Timestamp:       0x5a990a54
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x5a990a54
2e84.1340:     Image Version:   10.0
2e84.1340:     SizeOfImage:     0x19000 (102400)
2e84.1340:     Resource Dir:    0x18000 LB 0x400
2e84.1340:     [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     [Raw version resource data: 0x18060 LB 0x3a0, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     Microsoft® Windows® Operating System
2e84.1340:     ProductVersion:  10.0.14393.2125
2e84.1340:     FileVersion:     10.0.14393.2125 (rs1_release.180301-2139)
2e84.1340:     FileDescription: ApiSet Schema DLL
2e84.1340: NtOpenDirectoryObject failed on \Driver: 0xc0000022
2e84.1340: supR3HardenedWinFindAdversaries: 0x12000
2e84.1340: \SystemRoot\System32\drivers\dgmaster.sys:
2e84.1340:     CreationTime:    2018-05-23T15:36:37.521261200Z
2e84.1340:     LastWriteTime:   2018-05-02T22:14:14.000000000Z
2e84.1340:     ChangeTime:      2018-05-23T15:36:37.646276400Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x2643c8
2e84.1340:     NT Headers:      0x108
2e84.1340:     Timestamp:       0x5aea3ef6
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x5aea3ef6
2e84.1340:     Image Version:   6.3
2e84.1340:     SizeOfImage:     0x33f000 (3403776)
2e84.1340:     Resource Dir:    0x2ff000 LB 0x35f68
2e84.1340:     [Version info resource found at 0x270! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     [Raw version resource data: 0x334c30 LB 0x338, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     Digital Guardian
2e84.1340:     ProductVersion:  7.4
2e84.1340:     FileVersion:     7.4.1.0186
2e84.1340:     FileDescription: Digital Guardian Agent Master
2e84.1340: supR3HardenedWinFindAdversaries: Found newer version: 0x12000 -> 0x14000
2e84.1340: \SystemRoot\System32\drivers\privman.sys:
2e84.1340:     CreationTime:    2018-07-06T11:53:05.369267500Z
2e84.1340:     LastWriteTime:   2018-05-16T17:23:54.000000000Z
2e84.1340:     ChangeTime:      2018-07-07T02:57:42.758964100Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x115e8
2e84.1340:     NT Headers:      0xf8
2e84.1340:     Timestamp:       0x5afc5ee2
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x5afc5ee2
2e84.1340:     Image Version:   6.1
2e84.1340:     SizeOfImage:     0x11000 (69632)
2e84.1340:     Resource Dir:    0xc000 LB 0x32a8
2e84.1340:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x0)]
2e84.1340:     [Raw version resource data: 0xc0a0 LB 0x33c, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     PowerBroker for Windows
2e84.1340:     ProductVersion:  7.5.0.0
2e84.1340:     FileVersion:     7.5.0.0
2e84.1340:     FileDescription: PowerBroker for Windows
2e84.1340: \SystemRoot\System32\privman64.dll:
2e84.1340:     CreationTime:    2018-05-16T17:59:28.000000000Z
2e84.1340:     LastWriteTime:   2018-05-16T17:59:28.000000000Z
2e84.1340:     ChangeTime:      2018-07-07T02:57:42.788041900Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x3a178
2e84.1340:     NT Headers:      0xf8
2e84.1340:     Timestamp:       0x5afc5e64
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x5afc5e64
2e84.1340:     Image Version:   0.0
2e84.1340:     SizeOfImage:     0x3c000 (245760)
2e84.1340:     Resource Dir:    0x3a000 LB 0x578
2e84.1340:     [Version info resource found at 0x80! (ID/Name: 0x1; SubID/SubName: 0x0)]
2e84.1340:     [Raw version resource data: 0x3a0a0 LB 0x37c, codepage 0x4e4 (reserved 0x0)]
2e84.1340:     ProductName:     PowerBroker for Windows
2e84.1340:     ProductVersion:  7.5.0.0
2e84.1340:     FileVersion:     7.5.0.0
2e84.1340:     FileDescription: BeyondTrust PowerBroker for Windows DLL
2e84.1340: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
2e84.1340: Calling main()
2e84.1340: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
2e84.1340: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
2e84.1340: SUPR3HardenedMain: Respawn #1
2e84.1340: System32:  \Device\HarddiskVolume4\Windows\System32
2e84.1340: WinSxS:    \Device\HarddiskVolume4\Windows\WinSxS
2e84.1340: KnownDllPath: C:\WINDOWS\System32
2e84.1340: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2e84.1340: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe)
3338.3344: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\SHCore.dll [lacks WinVerifyTrust]
3338.3344: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\system32\SHCore.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000001:<flags> [calling]
3338.3344: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffdad240000 'C:\WINDOWS\system32\SHCore.dll'
3338.3344: supR3HardenedMonitor_LdrLoadDll: error opening 'C:\WINDOWS\system32\wintab32.dll': 0 (NtPath=\??\C:\WINDOWS\system32\wintab32.dll; Input=C:\WINDOWS\system32\wintab32.dll; rcNtGetDll=0x0
hMod=00007ffdb0790000 'C:\WINDOWS\System32\ntdll.dll'
3338.3344: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\ntdll.dll [lacks WinVerifyTrust]
3338.3344: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
3338.3344: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffdb0790000 'C:\WINDOWS\System32\ntdll.dll'
2e84.1340: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 79688 ms, the end);

Now I've tried many things.

Reinstalling VirtualBox
This work around:

Completely uninstall any VirtualBox currently installed
Restart the computer
Install the latest version of VirtualBox
After install completes do not restart the computer
Open the registry editor. Start > Run > regedit
Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxDrv
Edit the key called Start. Change it's value from 1 to 3
Close the registry editor and restart your computer. After your computer restarts you should be able to use VirtualBox without any issues.

Tried older versions.
Basically I need a way tostart VB VM without the Antivirus knowing ( and without adding an exception to the Antivirus program as it is unreachable ). Anyone have any suggestions?
Last edited by socratis on 8. Jul 2018, 10:44, edited 1 time in total.
Reason: Enclosed the information in [quote] tag for better readability
kbeeson007
 
Posts: 3
Joined: 8. Jul 2018, 04:31

Re: VirtualBox VM won't start because of Anti-Virus .dll injection

Postby andyp73 » 8. Jul 2018, 09:46

Firstly, it isn't great to post log files as plain text in the body of a message. The forum guidelines are clear about zipping them and attaching them to the message.

kbeeson007 wrote:First off, I can't remove BeyondTrust PowerBroker / Symantec Anti-virus.
Basically I need a way tostart VB VM without the Antivirus knowing ( and without adding an exception to the Antivirus program as it is unreachable )

AFAIK you can't. Your options are either to get the BeyondTrust / Symantec software sorted so it plays nicely with VirtualBox or you go back to one of the 4.whatever pre-hardening versions.

-Andy.
My crystal ball is currently broken. If you want assistance you are going to have to give me all of the necessary information.
Please don't ask me to do your homework for you, I have more than enough of my own things to do.
andyp73
Volunteer
 
Posts: 1642
Joined: 25. May 2010, 23:48
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Assorted Linux, Windows Server 2012, DOS, Windows 10, BIOS/UEFI emulation

Re: VirtualBox VM won't start because of Anti-Virus .dll injection

Postby socratis » 8. Jul 2018, 10:49

As Andy said, no, bypassing the VirtualBox checks is not an option. Tell your antivirus/filter/any program to NOT go into VirtualBox's memory, and if it does, it better be signed. That's your only option.

And I would try to get this sorted from the AV point, because going back to a really old version of VirtualBox is both unsupported, and a security risk. And you *do* care about security, right? Otherwise you wouldn't need/want all those extra antivirus programs that do nothing more than add weight and create problems.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
socratis
Site Moderator
 
Posts: 26128
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: VirtualBox VM won't start because of Anti-Virus .dll injection

Postby startergo » 14. Aug 2019, 19:28

I found a workaround to this issue. It was actually described in the BeyoundTrust manual

"Troubleshooting Settings
The following table providesTroubleshooting Settings. You can access these settings at
Computer Configurations>Policies>AdministrativeTemplates>BeyondTrust>PowerBrokerforWindows>System>Troubleshooting

Prevent Privman from being loaded into specified processes
Used for troubleshooting purposes. Set the value to the path of the executable you wish to exclude.
To exclude multiple applications, separate the paths with a semicolon. Environment variables (e.g.
%SystemRoot% or %ProgramFiles%) are allowed. Wildcards are supported. For more
information see the PowerBroker for Windows documentation. Values are written to registry key:
ExcludedApps. Privman will still remain loaded in excluded processes but will not have any effect."

So I enabled that rule and "set to the path of executables is":
Code: Select all   Expand viewCollapse view
%ProgramFiles%\*\VirtualBoxVm.exe
startergo
 
Posts: 1
Joined: 13. Aug 2019, 20:33

Re: VirtualBox VM won't start because of Anti-Virus .dll injection

Postby socratis » 14. Aug 2019, 20:09

Thank you @startergo for the instructions.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
socratis
Site Moderator
 
Posts: 26128
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5


Return to VirtualBox on Windows Hosts

Who is online

Users browsing this forum: No registered users and 30 guests