Hardening Error 5673 "Virtual Memory Failed" with TrendMicro

[adamj537]

I recently upgraded VirtualBox from version 5.2.26 to version 6.0.4, and am experiencing a hardening error whenever I attempt to start any VM. Prior to the update my VMs worked as expected. My host is running Windows 10 x64 Pro. My VMs are powered down, not suspended.

Per the post Diagnosing VirtualBox Hardening Issues, I’ve tried the following:

• Reinstalling VirtualBox 6 as administrator (several times).
• Ensuring Hyper-v is disabled (it already was).
• Restarting the host computer.
• Disabling antivirus (TrendMicro) (IT policy prevents fully uninstalling it).
• Running “sfc /scannow” from an elevated command prompt on the host (no errors were found).
• Updating my graphics card (NVIDIA Quadro M1000M) driver to the latest version.

The error message I get says this:

supHardenedWinVerifyProcess failed with VERR_SUP_Vp_REPLACE_VIRTUAL_MEMORY_FAILED: (RC=-5673
Please try reinstalling VirtualBox.
Where: supR3HardNtChildPurify what: 5 VERR_SUP_Vp_REPLACE_VIRTUAL_MEMORY_FAILED (-5673) – Process Purification Failure: NtAllocateVIrtualMemory failed to get us suitable replacement memory for a chunk of executable memory that shouldn’t be present in our process. (You will only see this message if you got potentially fatally buggy anti-virus software installed.).

After acknowledging the error, I get the following message:

Failed to open a session for the virtual machine Windows 10 x64.

The virtual machine 'Windows 10 x64' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'C:\Users\xxxxxxxx\VirtualBox VMs\Windows 10 x64\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {5047460a-265d-4538-b23e-ddba5fb84976}

Log file is attached. Thanks for any help.

Adam J.

[socratis]

I believe that the error message couldn't have been any clearer:

You will only see this message if you got potentially fatally buggy anti-virus software installed.

So, the question is, did you look for, and uninstall (completely, not simply disable) any antivirus that you have in your system? Because the VBoxHardening.log tells me otherwise:

1120.1cf0: supR3HardenedWinFindAdversaries: 0x18
1120.1cf0: \SystemRoot\System32\drivers\tmcomm.sys:
1120.1cf0:     FileDescription: TrendMicro Common Module
1120.1cf0: \SystemRoot\System32\drivers\tmactmon.sys:
1120.1cf0:     FileDescription: TrendMicro Activity Monitor Module
1120.1cf0: \SystemRoot\System32\drivers\tmevtmgr.sys:
1120.1cf0:     FileDescription: TrendMicro Event Management Module
1120.1cf0: \SystemRoot\System32\drivers\tmeevw.sys:
1120.1cf0:     FileDescription: Trend Micro EagleEye Driver (VW) (amd64-fre)
1120.1cf0: \SystemRoot\System32\drivers\sakfile.sys:
1120.1cf0:     FileDescription: Trend Micro Data Loss Prevention Driver
1120.1cf0: \SystemRoot\System32\drivers\sakcd.sys:
1120.1cf0:     FileDescription: Trend Micro Data Loss Prevention Driver

I noticed that you said:

• Disabling antivirus (TrendMicro) (IT policy prevents fully uninstalling it).

If you can't completely uninstall TrendMicro (which is apparently the culprit), then you need to exclude all-things-VirtualBox.

And please read the Diagnosing VirtualBox Hardening Issues to better understand why this is actually happening. Point the IT people to the article, they'll have a better understanding of what they're supposed to do; either install a properly signed version, or exclude VirtualBox from the scanning.

[adamj537]

Reverting to VirtualBox 5.2.26 resolved my issue. After reinstalling the older version, my VMs work correctly.

For anyone who stumbles upon this in the future, please see also this post, where others apparently have the same issue: Hardening Error after Upgrade to 6.0 TrendMicro VirusScan

[socratis]

For anyone who stumbles upon this in the future, please see also this post, where others apparently have the same issue: Hardening Error after Upgrade to 6.0 TrendMicro VirusScan

That thread talks about adding an exception to VirtualBox related processes. Why didn't you follow your own advice?

[adamj537]

Our IT team has tried turning TrendMicro off (temporarily), and twice attempted to exclude any VirtualBox related file from real-time scanning, including C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe, and the location where my virtual machines are. The results are the same. I waited to post that here while we were still trying to find more things to exclude.

I notice that Hardening Error after Upgrade to 6.0 TrendMicro VirusScan references TrendMicro OfficeScan. I have "Trend Micro Security Agent;" perhaps that's not the same thing, and the suggestions on that page aren't complete for my situation? Maybe there's some other process than real-time scanning that needs to be excluded. I don't have authority to uninstall TrendMicro per corporate policy. We have another PC in the office which is not under IT support...perhaps I can experiment on that to find a solution.

[socratis]

exclude any VirtualBox related file from real-time scanning, including C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe, and the location where my virtual machines are.

I would suggest to exclude the whole VirtualBox directory, not specific executables. At the same time, you don't need to exclude the Virtual Machines directory, but it doesn't hurt either.

I don't have authority to uninstall TrendMicro per corporate policy.

But the IT guys do. Call them and have them pull the network cable while you're testing this.

Another thing that just came up from another user, is that uninstalling and re-installing their antivirus actually fixed their issues, maybe it will "jolt" your system back to its normal state too...

[adamj537]

Oh...so close! Here's what we tried today:

1. Uninstall Trend Micro.
2. Restart PC.
3. Install VirtualBox v6.
4. Try to boot a VM. It worked!
5. Reinstall Trend Micro (with entire VirtualBox directory excluded from real-time scanning).
6. Try to boot a VM. It worked!

But then a short time later Trend Micro gave me a notice that it needed to restart the PC. After the restart, the error returned (hardening error with error code 1), with Trend Micro all over the VBoxHardening.log file.

Trend Micro really doesn't want to give up its hold! I'll try to think of other things to try.

Adam J.

[adamj537]

For anyone who stumbles upon this post, I thought I'd give an update. Unfortunately, a pessimistic one...we were never able to get VirtualBox v6 and TrendMicro to coexist peacefully. For posterity, we excluded the VirtualBox directory and application from Realtime Scan, Scheduled Scan, Manual Scan, then used this procedure to check whether it worked. Note the multiple PC restarts, because without them things appeared to work for awhile:

1. Uninstall VirtualBox.
2. Uninstall TrendMicro.
3. Reboot PC.
4. Install VirtualBox.
5. Start VirtualBox (but not virtual machines) and check that it runs (which it did for us).
6. Reboot PC.
7. Install Trend Micro.
8. Shutdown PC.
9. Start PC.
10. Start VirtualBox and virtual machines (this step failed for us with a hardening error).

[socratis]

For anyone who stumbles upon this post, I thought I'd give an update.

Much appreciated!

Unfortunately, a pessimistic one...

You know there are two types of doctorate thesis; 1) the kind that proves a theory, 2) the kind that disproves a theory, both are equally useful.

Have you talked to TrendMicro about this? What's their take? Why do their software appears either not signed, or not properly registered with the Windows Certificate Database?


PS. I added the "with TrendMicro" in the thread/posts title to make the issue more specific.