Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

TonkleChicken
Posts: 8
Joined: 8. Jan 2019, 05:39

Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by TonkleChicken »

Team.

After upgrading from 5.2.22 to 6.0.0 on my Windows 10 (October 1809 updated) host, I can't start any VMs and get the attached Hardening log.

I have tried everything suggested in the hardening issue FAQ, as well as complete de-install and re-installs, and still no progress.

EDIT: I also uninstalled/removed \SystemRoot\System32\drivers\MBAMSwissArmy.sys (Very old MalwareBytes driver) after the attached log was created, and still get same Hardening errors.

For the moment I have reverted back to 5.2.22.

Any other suggestions or pointers?
Attachments
VBoxHardening.zip
(3.55 KiB) Downloaded 26 times
Last edited by TonkleChicken on 9. Jan 2019, 02:29, edited 1 time in total.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (Win Oct 1809)

Post by socratis »

You noticed MBAMSwissArmy.sys, but you didn't see all the entries about TrendMicro? Please uninstall that too.

BTW, you don't "uninstall a sys driver", you got to do the whole thing, right?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
aquarius1
Posts: 1
Joined: 8. Jan 2019, 13:32

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (Win Oct 1809)

Post by aquarius1 »

I have the same issue.

I do have Symantec Endpoint Protection, but cannot uninstall that (IT requirements mandate certain things!)

Any settings to make Virtualbox 6.0 run with SEP?
wsblackfo
Posts: 4
Joined: 8. Jan 2019, 14:19

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (Win Oct 1809)

Post by wsblackfo »

I have the same issue under Windows 7 pro Host (version 6.1 Build 7601: Service Pack 1) after 6.0.0 Upgrade

After upgrading to VirtualBox 6.0.0 I could not start any VM.
(after downgrading to VirtualBox 5.2.22 I could start any VM)

Changes in the hardening procedure from 5.2.22 to 6.0.0 ?

Uninstalling TrendMicro is not possible because of enterprise policy.

My current workaround is to start each VM in Headless Mode and then click Show.

Any other suggestions are appreciated.
Attachments
VBoxHardening_v6.log
VBoxHardening.log (VirtualBox 6.0.0)
(22 KiB) Downloaded 12 times

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (Win Oct 1809)

Post by TonkleChicken »

socratis wrote:You noticed MBAMSwissArmy.sys, but you didn't see all the entries about TrendMicro? Please uninstall that too.

BTW, you don't "uninstall a sys driver", you got to do the whole thing, right?
Thanks @socratis but TrendMicro is my AntiVirus solution. It is up to date and is the latest version. This is absolutely not something that I should need to uninstall here!

TrendMicro is a widely used Premium End Consumer and Enterprise Grade AV Solution.

Other posts indicate other users with "False Positive" hardening detection on TrendMicro with the new 6.0.0. build.

As long as Virtualbox hardening is detecting a False Positive on TrendMicro, I will need to remain on 5.2.22 until a solution is available in 6.x.x that resolves this problem.

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by socratis »

TonkleChicken wrote:It is up to date and is the latest version. This is absolutely not something that I should need to uninstall here!
You got to understand how this thing works before jumping to conclusions. VirtualBox doesn't have a problem with a specific (your specific) antivirus. It *does* have a problem with applications (like your antivirus) that want to get into VirtualBox's memory, without being properly signed!

So, either you get your antivirus properly signed and registered with the Windows Certificate Database, or live with the consequences. A virus update which omits updating the Windows Certificate Database, can definitely cause this. And we've seen it time and time again; vendors updating their engines, but somehow the updated signatures don't make it in the Certificate Database. For more info, read Diagnosing VirtualBox Hardening Issues for some generic guidelines/ideas.

And BTW, there has been no "false positive" so far. VirtualBox checks the signatures of the files/apps that want to get into its memory space against the Windows Certificate Database. If it's in there? You're rejected. Simple. Works.

Another workaround would be to add an exception to the VirtualBox installation directory and its executables and tell TrendMicro to not mess with VirtualBox. Not until/unless it's properly signed and registered.

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by TonkleChicken »

Socratis. The TrendMicro files appear to be signed.

Is the problem here?

481c.4770: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\kernel32.dll [lacks WinVerifyTrust]

Why would 6.0.0 think there is a problem, but all other previous 5.x versions are fine (on the same machine)?

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by socratis »

TonkleChicken wrote:The TrendMicro files appear to be signed.
You got to read my previous message again; being signed is one part of the equation. You (actually the app) has to make sure that the signatures match in the Windows Certificate Database. A corrupt database could do that to you.
TonkleChicken wrote:kernel32.dll [lacks WinVerifyTrust]
No, that's a red herring.
TonkleChicken wrote:Why would 6.0.0 think there is a problem, but all other previous 5.x versions are fine (on the same machine)?
Because they may have added additional checks.

Just try to uninstall TrendMicro or give VirtualBox an exception. You could have tried that 10 times already in the time that we've been going back and forth...

I'm not saying it might not be an issue necessarily, I'm just trying to run some tests to get to the bottom of this.

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by TonkleChicken »

socratis wrote:Just try to uninstall TrendMicro or give VirtualBox an exception.
OK, a deeper view into the signing of the 5 TrendMicro DLLs shows that the signature signed on 27-Sep-18 (from Microsoft Windows Third Party Component CA 2012) is reporting as OK, but the certificate validity is expired (2-Nov-18). This may be the issue!

I have reported this up to TrendMicro (see brief attached) and have yet to hear back from them, but I would expect them to correct this in an update soon, as there will be a few other solutions where this may present a problem.

I suspect that in 5.x the hardening just checks the signing certificate status (is indicating as OK), but possibly in 6.x VirtualBox is drilling down in the certificate path to check additional details (Expired CA Validity, Revocation etc). If 6.x indeed also checks CRLs, that may present other issues where the CA can not be contacted.

I did uninstall TrendMicro to check if this resolved the issue and it did, however I have reinstalled as I will not operate without it. Others above with the same problem will probably also not wish to run without TrendMicro installed (In an enterprise environment, most users would not have the capacity to uninstall or disable AV anyway)

You mention creating an exemption in VirtualBox, how is this done? (I can't find any mention of how this is done)
Attachments
TrendMicro System DLL Signature Expired.zip
(89.53 KiB) Downloaded 15 times
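
The distinction raised in the post above (signature status reported as OK while the signing certificate's validity period has ended) can be inspected for every DLL and driver in a folder. This PowerShell is an added example, not part of the original thread and not VirtualBox's own check; the directory path is a placeholder and the function name `Get-SignatureReport` is hypothetical.

```powershell
# Added example. $Path is a placeholder, not a path taken from the thread.
param(
    [string]$Path = 'C:\Path\To\AV\Install',   # hypothetical placeholder
    [switch]$CheckRevocation                    # also contact CRL/OCSP endpoints
)

function Get-SignatureReport {                  # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Directory,
        [switch]$Online
    )
    $now = Get-Date
    Get-ChildItem -Path $Directory -Recurse -File -Include *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate
            $chainResult = $null
            if ($signer) {
                # Build the chain as of *now*, ignoring any countersigned timestamp.
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = if ($Online) { 'Online' } else { 'NoCheck' }
                if ($chain.Build($signer)) { $chainResult = 'OK' }
                else { $chainResult = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
            }
            [pscustomobject]@{
                File           = $_.Name
                Status         = $sig.Status     # Authenticode verdict; takes the timestamp into account
                Issuer         = if ($signer) { $signer.GetNameInfo('SimpleName', $true) }
                NotAfter       = if ($signer) { $signer.NotAfter }
                ExpiredNow     = if ($signer) { $signer.NotAfter -lt $now }
                HasTimestamp   = [bool]$sig.TimeStamperCertificate
                ChainAsOfToday = $chainResult
            }
        }
}

# Show only files that are not 'Valid', or whose signer certificate has lapsed.
Get-SignatureReport -Directory $Path -Online:$CheckRevocation |
    Where-Object { $_.Status -ne 'Valid' -or $_.ExpiredNow } |
    Format-Table -AutoSize
```

Rows with `Status` Valid, `ExpiredNow` True and `HasTimestamp` True are the situation the post describes: a timestamped signature stays valid after the signer certificate lapses, while a chain evaluated at the current time reports `NotTimeValid`. Running with `-CheckRevocation` on a host that cannot reach the CA shows the offline-revocation outcome the post also mentions.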
andyp73
Volunteer
Posts: 1631
Joined: 25. May 2010, 23:48
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Assorted Linux, Windows Server 2012, DOS, Windows 10, BIOS/UEFI emulation

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by andyp73 »

TonkleChicken wrote:I did uninstall TrendMicro to check if this resolved the issue and it did, however I have reinstalled as I will not operate without it. Others above with the same problem will probably also not wish to run without TrendMicro installed (In an enterprise environment, most users would not have the capacity to uninstall or disable AV anyway)
Are you aware that in your case (Windows 10) the best protection is built in and you don't need to clog your system with an additional third party tool?
TonkleChicken wrote:You mention creating an exemption in VirtualBox, how is this done? (I can't find any mention of how this is done)
You would put the exemption into TrendMicro to tell it to leave VirtualBox alone. Not all AV tools allow you to do that and it only tells the AV not to poke its nose into VirtualBox's business. If the issue is VirtualBox giving up with the expired certificate then it probably wouldn't help.

-Andy.
My crystal ball is currently broken. If you want assistance you are going to have to give me all of the necessary information.
Please don't ask me to do your homework for you, I have more than enough of my own things to do.

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by TonkleChicken »

Andy, I love your faith in the default Microsoft AV solution delivered with Windows 10, but most Enterprise (and some consumer) grade AV solutions do provide significantly more capability and security than Windows Defender.

In this case the hardening detection in VirtualBox is throwing an exception to the TM system DLLs, so adding an exception in TM has no impact.

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by socratis »

TonkleChicken wrote:but most Enterprise (and some consumer) grade AV solutions do provide significantly more capability and security than Windows Defender.
And a lot more headaches! :D

And not just in VirtualBox... I've avoided them like the plague for many, many years. The last antivirus I ever installed had a "Scottish" name, and it was on my NT 4.0 Workstation. I think it was before the Y2K boohaha... ;)

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by TonkleChicken »

Wow socratis, you must love living on the edge.

In my 30 years of experience in enterprise IT, as well as being the Family & Friends IT support guy, I have seen many sad examples of major disruption and loss of data caused by missing or ineffective AV solutions.

I have a golden rule that I never leave a system unprotected, and at risk. I have seen many tears shed by those who did not have a robust and up to date AV solution.

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by socratis »

Same years of experience, same F&F role... ;)

I practice "sensible" practices. I never logged in as Admin, except when absolutely needed. I check for and download software updates as a normal user to a common/shared directory, and I log in as Admin to do the install/update only, never run a program. I never browse where I don't know what is on the other side, and I have several browser blockers, JavaScript on/off switch. Never give permission to anything absolutely needed for incoming connections, firewall on, double NAT.
TonkleChicken wrote:I have seen many sad examples of major disruption and loss of data caused by missing or ineffective AV solutions.
I've seen plenty of those too. For the F&F though that have followed my lead/instructions however, there was never a mishap. And when I say follow my lead, I mean that friends that I "take care" of their PCs aren't allowed to log in as admin, they have their admin password in a sealed envelope! ;)

Re: Hardening error after 5.2.22 to 6.0.0 Upgrade (TrendMicro & Win Oct 1809 Update)

Post by TonkleChicken »

Socratis. Teenagers don't tend to follow rules like yours. :)