Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Discussions related to using VirtualBox on Windows hosts.

Post by socratis »

TonkleChicken wrote: Teenagers don't tend to follow rules like yours.
My daughter does!!! 8)
But I've been brainwashing her since she started walking! And if she doesn't like my computer access security policy, there's always the abacus for her! :lol:

I hear you, but at the same time several users here believe that Win10 has a perfectly working AV built in. That has caused no problems at all so far.

BTW, I just remembered to suggest a couple of Microsoft tools for checking the signatures: signtool and sigcheck. The first comes with the Windows SDK. The latter is from the former SysInternals (now Microsoft) and I haven't tried it, but looking at its documentation, I think it does the job.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.

Post by wsblackfo »

Thanks @socratis for the detailed explanations above about how this thing works - clearly understandable and comprehensible.

What I'm still wondering is, why can I start any VM in "Headless Start"-Mode (and then "Show") without any problems about hardening and valid certificate of the TrendMicro-Files?

After the VMs are started this way, they run perfectly (as they did before with VirtualBox 5.x).

Why doesn't VirtualBox care about certified files as strongly as it does when starting the VM normally? (replaced by more precise question)
Then what is the difference between "Normal Start" (VM doesn't start) and "Headless Start" (VM does start) with regard to VirtualBox checking signature against Windows certified database?
Attachments
VBoxHardening.log
VBoxHardening.log during normal start of VM

Post by socratis »

wsblackfo wrote: Why doesn't VirtualBox care about certified files as strongly as it does when starting the VM normally?
VirtualBox couldn't care less what's on your system, and if it's signed or not, that's not what it checks for...
VirtualBox checks for a valid signature against the Windows Certificate Database, for any process that wants access to the VirtualBox memory space.
That's the whole thing in summary.

So, why the headless/detachable difference? A hint can be found in the User Manual:
"Starts a VM with a detachable UI. Technically, it is a headless VM with user interface in a separate process. This is an experimental feature as it lacks certain functionality, such as 3D acceleration."
So, the 3D acceleration DLLs are not loaded. If you have a problem there (invalid verifiable signatures), then the headless/detachable procedure will have no problems at all; nobody wants to get into VirtualBox's memory...

Post by Saurbaum »

As this thread got a little rambling into the parenting skills of various people I just wanted to check something more specific to the issue.

Is there anything else that can cause the hardening error other than antivirus?

If you have a centrally administered antivirus solution and can't change it are you better off sticking with 5.2.2?

Post by andyp73 »

Saurbaum wrote: Is there anything else that can cause the hardening error other than antivirus?
There is a lot of guidance in Diagnosing VirtualBox Hardening Issues. We see lots of problems with host video drivers not being properly signed with NVidia being a common culprit, custom / hacked themes, accessibility tools.
Saurbaum wrote: If you have a centrally administered antivirus solution and can't change it are you better off sticking with 5.2.2?
It depends, 5.2.22 might throw the same hardening error. If you have a good anti-virus solution then you may be able to set up an exception to get it to leave the VirtualBox executables alone.

-Andy.
My crystal ball is currently broken. If you want assistance you are going to have to give me all of the necessary information.
Please don't ask me to do your homework for you, I have more than enough of my own things to do.

Post by wsblackfo »

andyp73 wrote: It depends, 5.2.22 might throw the same hardening error. If you have a good anti-virus solution then you may be able to set up an exception to get it to leave the VirtualBox executables alone.
If I'm understanding the contributions above correctly, it's not a matter of setting an exception for the anti-virus solution:
socratis wrote: VirtualBox doesn't have a problem with a specific (your specific) antivirus. It *does* have a problem with applications (like your antivirus) that want to get into VirtualBox's memory, without being properly signed!
So, either you get your antivirus properly signed and registered with the Windows Certificate Database, or live with the consequences.
socratis wrote: A virus update which omits updating the Windows Certificate Database, can definitely cause this.
TonkleChicken wrote: OK, a deeper view into the signing of the 5 TrendMicro DLLs shows that signature signed on 27-Sep-18 (From Microsoft Windows Third Party Component CA 2012) is reporting as OK, but the certificate validity is expired. (2-Nov-18). - This may be the issue!
I suspect that in 5.x the hardening just checks the signing certificate status (is indicating as OK), but possibly in 6.x VirtualBox is drilling down in the certificate path to check additional details (Expired CA Validity, Revocation etc). If 6.x indeed also checks CRLs that may present other issues where the CA cannot be contacted.

Post by Hanzaplast »

If all else fails you can try the old workaround:
1. Completely uninstall any VirtualBox currently installed
2. Restart the computer
3. Install the latest version of VirtualBox
4. After install completes do not restart the computer
5. Open the registry editor. Start > Run > regedit
6. Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxDrv
7. Edit the key called Start. Change its value from 1 to 3
8. Close the registry editor and restart your computer.
My euro cent...
"If we were to employ violent means, we would have nothing left to defend."
(Dalaï Lama)

Post by wsblackfo »

@Hanzaplast:

I did exactly the steps you proposed, but then there was an error message (see attachment) and VirtualBox couldn't start any VM.
Attachments
2019-01-17 10_32_37-VM Oracle VirtualBox-Screenshot.png

Post by TonkleChicken »

UPDATE. - TrendMicro verifies problem - correction should be available soon

A couple of weeks back I raised a Support call with TrendMicro and highlighted that although Windows reports the Trend Micro (TM*.sys) System files in ../system32/.. as signed with valid certificates, a look at the certificate chain showed that the Signing CA Certificate was only valid to Nov-2018.

It seems that the Hardening checks in 6.x are more anal retentive 8) about the full validity of the certificates at all points in the certificate chain. (This issue does not exist in VirtualBox 5.x)

Through a number of engagements eventually I was contacted by Trend Micro L3 Support, and we ran a number of tests as well as using Microsoft signtool to verify the TM sys files. (8 files failed the aggressive Cert test)

TrendMicro were able to verify the problem in their Testlab.

The outcome of that investigation has now been passed on to the Development team, and a correction will be made in a future build soon. (I have not had confirmation of exactly when).
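
The situation reported in this thread (files that show as signed while a certificate higher in the chain has passed its validity date) can be inspected with built-in PowerShell as well as with signtool. This is an added example, not part of the original posts and not VirtualBox or Trend Micro code; the function name Get-SignerChainReport and the -Directory parameter are assumptions, and the directory must be supplied by the reader because the thread elides the path.

```powershell
# Added example: list every certificate in the signing chain of each matching file
# and flag chain members whose validity period has ended.
param(
    [Parameter(Mandatory)] [string] $Directory,   # folder to inspect (supplied by you)
    [string] $Filter = 'TM*.sys'                  # file pattern mentioned in the thread
)

function Get-SignerChainReport {
    param([string] $File)

    $sig = Get-AuthenticodeSignature -FilePath $File
    if (-not $sig.SignerCertificate) {
        # Unsigned, or the signature could not be read: emit a single marker row.
        return [pscustomobject]@{
            File = $File; Status = $sig.Status; Depth = -1
            Subject = '(no signer certificate)'; NotAfter = $null
            Expired = $null; Timestamped = $false
        }
    }

    # Build the chain without revocation checks so the result does not depend
    # on reaching a CRL or OCSP server from this host.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void] $chain.Build($sig.SignerCertificate)   # elements are filled even if Build fails

    $now   = Get-Date
    $depth = 0                                    # 0 = signer, higher = closer to the root
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        [pscustomobject]@{
            File        = $File
            Status      = $sig.Status             # overall Authenticode verdict from Windows
            Depth       = $depth
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            Expired     = ($cert.NotAfter -lt $now)
            Timestamped = [bool] $sig.TimeStamperCertificate
        }
        $depth++
    }
}

Get-ChildItem -Path $Directory -Filter $Filter -File |
    ForEach-Object { Get-SignerChainReport -File $_.FullName } |
    Sort-Object File, Depth |
    Format-Table -AutoSize
```

A row with Expired set to True for a file whose Status is Valid matches the pattern described above: Windows accepts the signature while a stricter check of every certificate's validity period does not.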