How to reproduce:
Open Windows Security (or Windows Defender in older versions of Windows 10)
Go to Device Security
Go to Core isolation details
Try turning on Memory Isolation
You will get this in the Action Center:
So how did I isolate it to Virtualbox? I used the DGReadiness tool (despite the reference to Device Guard, Device Guard also requires HVCI/Memory Integrity): https://www.microsoft.com/en-us/downloa ... x?id=53337
I got this as a result:
Code:
Incompatible HVCI Kernel Driver Modules found
Module: vboxnetlwf.sys
Reason: execute pool type count: 2
Module: vboxdrv.sys
Reason: execute pool type count: 2
Module: vboxnetadp6.sys
Reason: execute pool type count: 2
In addition, looking at the PE headers for these drivers:
VBoxNetLwf.sys:
FileName : C:\Windows\system32\drivers\VBoxNetLwf.sys
ARCH : AMD64
DotNET : False
ASLR : False
DEP : False
Authenticode : True
StrongNaming : N/A
SafeSEH : N/A
ControlFlowGuard : False
HighentropyVA : False

vboxdrv.sys:
FileName : C:\Windows\system32\drivers\vboxdrv.sys
ARCH : AMD64
DotNET : False
ASLR : False
DEP : False
Authenticode : True
StrongNaming : N/A
SafeSEH : N/A
ControlFlowGuard : False
HighentropyVA : False

vboxnetadp6.sys:
FileName : C:\Windows\system32\drivers\vboxnetadp6.sys
ARCH : AMD64
DotNET : False
ASLR : False
DEP : False
Authenticode : True
StrongNaming : N/A
SafeSEH : N/A
ControlFlowGuard : False
HighentropyVA : False

It is disappointing that Virtualbox does not employ many of the anti-exploitation technologies, as they can reduce the chances of VM escape even when an attacker uses a vulnerability. That said, these technologies (ASLR, DEP, ControlFlowGuard and HighentropyVA) can be used piecemeal (as in, not all drivers need to use them to get the benefit from drivers that do use them). However, for HVCI, all drivers need to be compatible for it to work.
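As an added example (not code from the original post, the DGReadiness tool, or the VirtualBox project), the following Python script reads the PE optional-header fields behind the ASLR, DEP, ControlFlowGuard, HighentropyVA, DotNET and Authenticode rows shown above, so the same check can be repeated against any .sys file without a third-party tool. The DllCharacteristics bits and data-directory indexes are the documented winnt.h values; the `build_sample_pe32plus()` helper is a constructed, non-loadable header used only as offline sample input, and the driver paths in the comment are assumptions about where the files sit on a default install.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flags from winnt.h (PE optional header, offset 70)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    = 0x0040  # ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT       = 0x0100  # DEP
IMAGE_DLLCHARACTERISTICS_GUARD_CF        = 0x4000  # Control Flow Guard

IMAGE_DIRECTORY_ENTRY_SECURITY       = 4   # Authenticode certificate table
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR header, present only in .NET images

MACHINE_NAMES = {0x014C: "x86", 0x8664: "AMD64", 0xAA64: "ARM64"}


def pe_mitigations(data: bytes) -> dict:
    """Parse raw PE bytes and return the mitigation fields listed in the post."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+ (64-bit): data directories start at offset 112
        dd_base = opt + 112
    elif magic == 0x10B:      # PE32 (32-bit): data directories start at offset 96
        dd_base = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < (dd_base - opt) + 16 * 8:
        raise ValueError("optional header too short for 16 data directories")

    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]

    def directory(index):
        # Each IMAGE_DATA_DIRECTORY entry is (VirtualAddress, Size); a zero size means absent
        return struct.unpack_from("<II", data, dd_base + index * 8)

    return {
        "ARCH": MACHINE_NAMES.get(machine, f"{machine:#06x}"),
        "DotNET": directory(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)[1] != 0,
        "ASLR": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "DEP": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "Authenticode": directory(IMAGE_DIRECTORY_ENTRY_SECURITY)[1] != 0,
        "ControlFlowGuard": bool(dllchar & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "HighentropyVA": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_sample_pe32plus(dllchar: int, signed: bool) -> bytes:
    """Constructed minimal PE32+ header (no sections, not loadable) used as sample input.
    Only the fields pe_mitigations() reads are filled in."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 112 + 16 * 8                          # PE32+ fixed part + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<H", opt, 70, dllchar)         # DllCharacteristics
    if signed:
        # Non-zero security directory = an Authenticode WIN_CERTIFICATE blob is present
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x1000, 0x2000)
    return dos + b"PE\0\0" + coff + bytes(opt)


def scan_files(paths):
    # Assumed usage on a default install:
    #   python pecheck.py C:\Windows\System32\drivers\VBoxDrv.sys C:\Windows\System32\drivers\VBoxNetLwf.sys
    for p in paths:
        with open(p, "rb") as f:
            result = pe_mitigations(f.read())
        print(p)
        for k, v in result.items():
            print(f"  {k:<17}: {v}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        scan_files(sys.argv[1:])
    else:
        # Constructed sample: signed, but no mitigation flags, matching what the post reports
        for k, v in pe_mitigations(build_sample_pe32plus(0, signed=True)).items():
            print(f"{k:<17}: {v}")
```

Note that a non-zero security directory only tells you a signature blob is attached; whether that signature actually verifies (and, for HVCI, whether the driver code itself avoids executable pool allocations) is a separate check that this header parse cannot answer.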