Hardening Failure - new today

HomeyB
Posts: 4
Joined: 5. Feb 2019, 00:27
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Server 2016, UEL

Post by HomeyB »

Hi! Thanks in advance for any guidance you can offer me.

I am running VBox 6.0.14, and have been doing so for a while. Over the weekend, my Win10 host rebooted. My VMs were working on Friday and today, no dice.

Upon start of the VM, I get the following error:
Failed to open a session for the virtual machine FreePBX.

The virtual machine 'FreePBX' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'D:\Users\jlb\VirtualBox VMs\FreePBX\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {5047460a-265d-4538-b23e-ddba5fb84976}
The Hardening Log shows, close to the bottom, that I was unable to load a DLL. Here are the very last four lines in the log:
2c80.3484: Fatal error:
2c80.3484: supR3HardenedMainGetTrustedMain: LoadLibrary "C:\Program Files\Oracle\VirtualBox/VirtualBoxVM.dll" failed, rc=1790
3e14.33a4: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 1847 ms, the end);
2b7c.25f4: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 2641 ms, the end);
I checked, and the DLL is present and accounted for. I went in and "repaired" the installation, and got nothing from that. I even went so far as to turn off my AV software, in case it decided to suddenly block a DLL, and that didn't free up the gears.

Looking to the Wizards out there for guidance and a suggestion about where to look.

j
Attachments
VBoxHardening.zip
(14.54 KiB) Downloaded 66 times
Last edited by socratis on 6. Dec 2019, 07:57, edited 2 times in total.
Reason: Marked as [Resolved].
Martin
Volunteer
Posts: 2560
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: Hardening Failure - new today

Post by Martin »

Was the same version of Kaspersky Anti-Virus running before the reboot?
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Hardening Failure - new today

Post by socratis »

HomeyB wrote: Over the weekend, my Win10 host rebooted.
Can you see what got updated? As 'Martin' said, can you check on the Kaspersky's modification dates?
HomeyB wrote: I checked, and the DLL is present and accounted for.
What DLL? The "C:\Program Files\Oracle\VirtualBox/VirtualBoxVM.dll" one? Yes, it will be there, but that's not your problem.
HomeyB wrote: I even went so far as to turn off my AV software, in case it decided to suddenly block a DLL, and that didn't free up the gears.
Try to completely uninstall it. Or add an exception for all VirtualBox related processes/files.

Oh, try to uninstall/shutdown/re-install VirtualBox. That has helped me on a couple of occasions. And I don't have a 3rd party antivirus.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
HomeyB

Re: Hardening Failure - new today

Post by HomeyB »

I am unsure of the modification dates on the AV code - it just updated definitions as I was looking at it for a version number!

There were four Windows updates that hit over the weekend/this morning:
Security Intelligence Update for Windows Defender Antivirus (KB2267602)
Update for Windows Defender Antivirus antimalware platform (KB4052623)
Security Intelligence Update for Windows Defender Antivirus (KB2267602)
2019-10 Cumulative Update for .NET (KB4522741)

That's all I can see as happening overnight. Maybe this isn't Kaspersky after all, but possibly Microsoft's doing?
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Hardening Failure - new today

Post by socratis »

Could be... What did you try as a countermeasure to the updates? Please read really carefully the following FAQ: Diagnosing VirtualBox Hardening Issues for some generic guidelines/ideas. Remember, these are guidelines, not the exact solution, you have to use your judgement as to which program might be responsible.
HomeyB

Re: Hardening Failure - new today

Post by HomeyB »

What I tried was simple: I disabled Kaspersky and I have since disabled Windows Firewall and Windows Defender. No luck.

Then, I deleted all of the VBox software and re-installed. No luck.

BUT...

I re-read the log file and saw this:
LoadLibrary "C:\Program Files\Oracle\VirtualBox/VirtualBoxVM.dll" failed, rc=1790

Why is there a Unix slash in the file path for the DLL? That's possibly why that DLL is not found, eh? This is the only / in the entire log (at least when it comes down to a file path).

Is this library path someplace in a file that I can check?
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Hardening Failure - new today

Post by socratis »

HomeyB wrote: I disabled Kaspersky
I told you to read the FAQ carefully... ;)
Completely uninstall Kaspersky, don't just disable it. Antivirus that gets disabled often keeps on working under the hood.
HomeyB wrote: Is this library path someplace in a file that I can check?
That's not your problem, you can safely ignore that. Just focus on the points made on the FAQ...
HomeyB wrote: Then, I deleted all of the VBox software and re-installed.
Did you right-click on the installer and "Run As Administrator"?
HomeyB

Re: Hardening Failure - new today

Post by HomeyB »

OK. More experimentation today.

All Kaspersky software uninstalled. Gone.
Windows Defender disabled.
Windows Firewall disabled.
VirtualBox uninstalled.
Lots of reboots between everything, of course.

Reinstalled VirtualBox 6.0.14 as administrator. Reinstalled the Add-In package as Administrator.

Tried running a Linux guest, and it dies with the same hardening error. I am attaching a new log file just in case.

So, for the sake/speed of debugging... I have a couple of VMs that I have not started in a while, so the logs there are from when it last ran successfully. If I start the VM and it fails, is it worth sending in both of the logs to see, maybe, we can find where the possible problem might be? I'm getting a bit nervous - hoping that I didn't lose anything (but time, for now).
Attachments
VBoxHardening.zip
(12.61 KiB) Downloaded 26 times
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Hardening Failure - new today

Post by socratis »

32dc.32e0: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 3192 ms, the end);
Yeah, you still have a hardening error.
socratis wrote: Please read really carefully the following FAQ: Diagnosing VirtualBox Hardening Issues for some generic guidelines/ideas. Remember, these are guidelines, not the exact solution, you have to use your judgement as to which program might be responsible.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Hardening Failure - new today

Post by scottgus1 »

A few things I see that aren't happening on my 6.0.14 Win10 host:
33a4.33a8: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffa659d0000 'C:\WINDOWS\System32\rpcrt4.dll'
33a4.33a8: supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1168)
....
33a4.33a8: supR3HardNtViCallWinVerifyTrustCatFile: hFile=0000000000000394 pwszName=\Device\HarddiskVolume2\Windows\System32\cryptnet.dll
33a4.33a8: supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1168)33a4.33a8: Error (rc=0):
......
33a4.33a8: supR3HardNtViCallWinVerifyTrustCatFile: hFile=00000000000004a8 pwszName=\Device\HarddiskVolume2\Windows\System32\opengl32.dll
33a4.33a8: supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1168)
.....
33a4.33a8: supR3HardenedScreenImage/Imports: cached rc=Unknown Status -22900 (0xffffa68c) fImage=1 fProtect=0x0 fAccess=0x0 cHits=2 \Device\HarddiskVolume2\Windows\System32\opengl32.dll
Don't know if these are real problems, but maybe an 'sfc /scannow' as discussed in the tutorial mightn't be amiss.

Also the opengl32.dll thing makes me think video might be an issue. Check if you can start your guest headless or detachable. If you can without a hardening error, then your video drivers aren't signed and need to be by their authors.
hirak
Posts: 6
Joined: 4. Dec 2019, 15:29

Re: Hardening Failure - new today

Post by hirak »

Subscribing.

I have exactly the same issue.
  • Installed Kaspersky a few days ago (and also Windows Subsystem for Linux + Ubuntu 18.04)
  • Found that it fails, with the hardening error

    LoadLibrary "C:\Program Files\Oracle\VirtualBox/VirtualBoxVM.dll" failed
  • Uninstalled Kaspersky, WSL. Checked I have Hyper-V, Windows Virtualization Platform disabled.
The problem persists.

Since both of us had Kaspersky, it makes me think it probably made a permanent change to the system. But I don't know what exactly it might have done.
Attachments
VBoxHardening.zip
(15.13 KiB) Downloaded 15 times
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Hardening Failure - new today

Post by scottgus1 »

I had Kaspersky on a PC and decided to uninstall it. Uninstall failed. They have a complete Kaspersky cleaner program on their website. The cleaner program cleared Kaspersky completely.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Hardening Failure - new today

Post by socratis »

hirak wrote: Uninstalled Kaspersky
Yet it's still there, you got to admire their persistence! :evil:
1ff8.3db8: \SystemRoot\System32\drivers\klflt.sys:
1ff8.3db8:     ProductName:     Coretech Delivery
1ff8.3db8:     FileDescription: Filter Core [fre_win7_amd64]
1ff8.3db8: \SystemRoot\System32\drivers\klif.sys:
1ff8.3db8:     ProductName:     Coretech Delivery
1ff8.3db8:     FileDescription: Core System Interceptors [fre_win7_amd64]
1ff8.3db8: \SystemRoot\System32\drivers\klim6.sys:
1ff8.3db8:     ProductName:     Coretech Delivery
1ff8.3db8:     FileDescription: Packet Network Filter [fre_win7_amd64]
1ff8.3db8: \SystemRoot\System32\drivers\klkbdflt.sys:
1ff8.3db8:     ProductName:     Coretech Delivery
1ff8.3db8:     FileDescription: Keyboard Device Filter [fre_win7_amd64]
1ff8.3db8: \SystemRoot\System32\drivers\klmouflt.sys:
1ff8.3db8:     ProductName:     Coretech Delivery
1ff8.3db8:     FileDescription: Mouse Device Filter [fre_win7_amd64]
1ff8.3db8: \SystemRoot\System32\drivers\kneps.sys:
1ff8.3db8:     ProductName:     Coretech Delivery
1ff8.3db8:     FileDescription: Network Processor [fre_win7_amd64]
1ff8.3db8: \SystemRoot\System32\klfphc.dll:
1ff8.3db8:     ProductName:     Kaspersky™ Anti-Virus ®
1ff8.3db8:     FileDescription: Filtering Platform Helper Class
1ff8.3db8: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 1796 ms, the end);
Do you happen to have Fast Boot enabled? Make sure that Fast Boot is disabled and do a cold boot (i.e. shut down the host for a minute or two).
hirak wrote: Found that it fails, with the hardening error

LoadLibrary "C:\Program Files\Oracle\VirtualBox/VirtualBoxVM.dll" failed
I'm afraid that it's just a red herring.
hirak

Re: Hardening Failure - new today

Post by hirak »

Ahh sorry, I had the VBoxHardening.log posted after I reinstalled Kaspersky since uninstalling it didn't cure the problem.

I uninstalled again, and attached the log without it.

There's one instance of

fWinVerifyTrust=0
in the log, could it be indicative of the problem? It's for msvcr100.dll.

4a68.4a6c: Detected loader lock ownership: rc=Unknown Status 24202 (0x5e8a) '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\msvcr100.dll'.
4a68.4a6c: supR3HardenedWinVerifyCacheProcessWvtTodos: 24202 (was 24202) fWinVerifyTrust=0 for '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\msvcr100.dll' [rescheduled]
Attachments
VBoxHardening.zip
(13.2 KiB) Downloaded 25 times
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Hardening Failure - new today

Post by scottgus1 »

There's two errors on 'opengl32.dll'. Try a video driver update and that 'sfc /scannow' recommended earlier and in the tutorial.
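
An added example, not part of any post in this thread and not VirtualBox project code: a Python triage pass over a VBoxHardening.log that pulls out the line patterns quoted above (the LoadLibrary failure and its rc, the child exit code, CryptCATAdminEnumCatalogFromHash failures with the file they refer to, and the module listing with its ProductName/FileDescription fields). The regexes assume only the line shapes visible in the thread; `summarize` and `kernel_drivers` are hypothetical names, and the sample log is constructed from the quoted lines.

```python
import re

# Constructed sample: lines quoted in this thread, stitched together (not a full log).
SAMPLE_LOG = r"""
33a4.33a8: supR3HardNtViCallWinVerifyTrustCatFile: hFile=00000000000004a8 pwszName=\Device\HarddiskVolume2\Windows\System32\opengl32.dll
33a4.33a8: supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1168)
1ff8.3db8: \SystemRoot\System32\drivers\klif.sys:
1ff8.3db8:     ProductName:     Coretech Delivery
1ff8.3db8:     FileDescription: Core System Interceptors [fre_win7_amd64]
1ff8.3db8: \SystemRoot\System32\klfphc.dll:
1ff8.3db8:     ProductName:     Kaspersky™ Anti-Virus ®
2c80.3484: supR3HardenedMainGetTrustedMain: LoadLibrary "C:\Program Files\Oracle\VirtualBox/VirtualBoxVM.dll" failed, rc=1790
2b7c.25f4: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 2641 ms, the end);
"""

LINE = re.compile(r"^[0-9a-f]+\.[0-9a-f]+: (.*)$")   # "<pid>.<tid>: <message>"
MODULE = re.compile(r"^(\\SystemRoot\\\S+):$")        # header of a module entry
FIELD = re.compile(r"^\s+(ProductName|FileDescription):\s+(.*)$")
LOADLIB = re.compile(r'LoadLibrary "([^"]+)" failed, rc=(\d+)')
EXIT = re.compile(r"Quitting: ExitCode=(0x[0-9a-fA-F]+)")

def summarize(text):
    """Collect the log patterns the thread's participants pointed at."""
    rep = {"modules": [], "catalog_misses": [], "load_failures": [], "exit_codes": []}
    last_file = None  # file named by the most recent WinVerifyTrust call
    for raw in text.splitlines():
        if not (m := LINE.match(raw)):
            continue
        body = m.group(1)
        if mod := MODULE.match(body):
            rep["modules"].append({"path": mod.group(1)})
        elif (f := FIELD.match(body)) and rep["modules"]:
            rep["modules"][-1][f.group(1)] = f.group(2).strip()
        elif "pwszName=" in body:
            last_file = body.split("pwszName=", 1)[1].strip()
        elif "CryptCATAdminEnumCatalogFromHash failed" in body and last_file:
            rep["catalog_misses"].append(last_file)
        elif lf := LOADLIB.search(body):
            rep["load_failures"].append((lf.group(1), int(lf.group(2))))
        elif ec := EXIT.search(body):
            rep["exit_codes"].append(int(ec.group(1), 16))
    return rep

def kernel_drivers(rep):
    """Listed modules that live under System32\\drivers (kernel-mode components)."""
    return [m["path"] for m in rep["modules"] if "\\drivers\\" in m["path"].lower()]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG)["load_failures"], kernel_drivers(summarize(SAMPLE_LOG)))
```

Run against a log captured after an uninstall and reboot, the `kernel_drivers` output shows at a glance whether filter drivers like the ones listed in the thread are still being reported.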