[quote]...they basically remove all the code injected by AV packages in the VB processes...[/quote]
[quote]Can you please point me to where you read that about "remove" the AV function? I am very interested in that.[/quote]
That would be this post, from page 18 of this thread:
[quote]Hi!
Here's a new test build:
https://www.virtualbox.org/download/tes ... 26-Win.exe
This build should fix a number of the "terminated unexpectedly during startup with exit code X" issues, though not all of them. (This was a regression in the previous test build that mostly happened on Windows 7. Unfortunately the build was only briefly screened on Windows 8.0 before it was uploaded, and that box didn't show the problem. Sorry about that.)
This build was tested on 64-bit Windows 8.0 with Symantec Endpoint Protection installed, as well as Windows 7 with AVG Internet Security 2014.
Avast users (and probably others too) may see a message like "The virtual machine 'insert-vm-name' has terminated unexpectedly during startup with exit code -1073741819 (0xc0000005). More details may be available in '...\VBoxStartup.log'." when starting a VM. This is being worked on and I hope there will be a new test build tomorrow that addresses this.
(The problem is that Avast is modifying ntdll in memory, from a kernel driver I believe, making a number of functions jump to some new code segment they injected into the process. The above build removes the injected code segment but doesn't restore ntdll to its original state, thus NtMapViewOfSection jumps into the void and crashes. Thus the STATUS_ACCESS_VIOLATION exit code value.)
Now, if you see a _different_ error that nobody else has reported yet, it would be cool to get the VBoxStartup.log mentioned in the error message with the report, as well as OS version + bit count and the list of protective software installed.
Hope this new build brings more enjoyment than the last one,
bird[/quote]
Pay attention to the part I put in bold: this is apparently specifically for Avast, but I'm wondering if this is their general approach.
"build removes injected code segment": apparently this code segment is injected into the VB process and jumped to by Avast; they remove it and then try to restore ntdll to its original state...
So to me this seems like they block the functioning of an antivirus package, but that's why I'm asking them to shed some more light on this: I would like to know what they are doing and what the impact is.
I've been looking at the source code myself, but honestly, my coding skills aren't good enough and the codebase is too large to quickly figure it out.
REMARK: I do hope the admins don't delete this post as off-topic moaning or something similar, because honestly, being a security professional myself, I am really interested in how this is done and what the impact is (especially the second part, about the impact).
After all, VB is a tool that is often used by security professionals for pentesting, malware analysis, etc. If they interfere with AV packages to get the thing going, so be it, but then I would like to know about it.
If this is indeed considered off-topic for this thread, I would kindly ask that one of the admins contact me through private message on this forum to discuss further.