Hi all.
Sorry for not getting back to any of you in a while, been busy trying to figure out a couple of the difficult bugs here. I'll be uploading test build #4 after some sleep and testing.
There should be one or more test builds over the next few days as issues are considered fixed, we hope to finally push out 4.3.18 next week.
Individual responses to posts after test build #3:
- Hopefully Resolved -
@XCD91: That's the Avast problem with 4.3.16. Please try the test build the first post in this thread points to, that will solve that issue.
@SteKs: That's the comctl32.dll issue. Fixed in test build #2 already.
@Docfxit: The first complaint about detoured.dll should be fixed by test build #4. I don't know which version of UltraVNC you're using, but if it's similar to the most recent one, you shouldn't have any trouble with that either when using test build #4.
Regarding the BSOD, I've found and fixed a related issue. The problem should hopefully be gone with test build #4. Many thanks for the detailed report.
@rexcat: Test build #4 should address your issue. Please check it out.
@dukkymai: I've reproduced and fixed the issue you're seeing. Please check out test build #4. (The problem was a -104 due to ZoneAlarm system call hooks seemingly doing a DuplicateHandle call twice, we expected to see it only once. On a side note, the ZoneAlarm Extreme Security seems to include the core of Kaspersky with some of their own additions.)
@ggambira: You may be experiencing the same issue as @dukkymai, so please check out test build #4 when it's available.
@shewfig: You've got some Sophos Web Intelligence stuff installed, which isn't installed using TrustedInstaller or LocalSystem as owner. A similar issue was reported via bug tracker ticket 13292. We've relaxed the requirements starting with test build #4. Please try it out.
@remoses: 4.3.16 extension pack works with 4.3.17 test builds. VBox is generally backwards compatible with older extension packs in the same release series (e.g. 4.3.x).
@kusuriya: Your windows\system32\SHCore.dll seems to have been modified, at least the hash we calculate for it did not match the signature stored in the file. We refuse to load modified DLLs as we have to assume the worst about who modified them. I don't know which service/whatever fixed the DLL for you, but I'm glad it works again.
- Unresolved with workaround? -
@JonathanThorpe, @Martasdx: I see. We've only seen this issue twice in the test lab, without being able to analyze it any further. The cure is rebooting as the first message normally suggests. Should that not help: 1. uninstalling VirtualBox, 2. then reboot, 3. install VirtualBox again, 4. then reboot, 5. must work. Now, if even that doesn't help, your AV software is interfering, I fear.
@akujin: You have an old version of Malwarebytes Anti-Malware installed. I'm unable to find that exact version and reproduce the issue. We've tested three different versions here, including the latest one, and they all work fine. Exact version or/and upgrade?
- Need feedback -
@rnewman: We have several positive feedbacks on Trend Micro AV/FW products. So, we need to figure out why your system reboots. Does it cause any minidump, log event, or similar to be created? If there is a minidump you or we need to take a look at it and see who is the guilty party. If there are only log events or popup messages, the details usually are less helpful than a minidump, but still valuable, the details might provide clues.
@MT: Thanks for extensive and comprehensive testing. We've not been able to reproduce the issue with Trend Micro locally, I'm afraid, so could you please check the event log for crash details? Any chance of a minidump of the process (like rexcat was kind enough to supply)?
@spider38: Looks like someone is messing with the hotpatch locations in RtlFreeHeap (ntdll) and we're reaching an impasse of sorts, where I restore the original code and the other party relatively immediately reapplies one of the changes (inserting an invalid instruction for some reason). I doubt this is normal hotpatching machinery behavior, but just in case, do you have any windows hot fixes installed or pending reboot? (Windows 8.1 retires the hot-patching support in the kernel and ntdll.dll, from what I can tell, so I doubt Microsoft is issuing a lot of hot-patch capable fixes and updates.) More importantly, any other protection software in addition to avast? I cannot see my avast installations here doing anything like this...
@khagaroth: Your windows\system32\uxtheme.dll seems to have been modified locally. Do you have any StarDock software installed for modifying the themes or similar?
@mjdbb1: I need your VBoxStartup.log to tell for sure, but it looks like you have the same problem as @khagaroth, i.e. uxtheme.dll has been modified. Same question: Do you have any windows theme software installed? If not, please upload VBoxStartup.log.
@Memiself: WinVerifyTrust fails on crypt32.dll, from the VBox perspective it looks like it may have been modified or replaced, which is a non-continuable error for us. Could you use sigcheck.exe from SysInternals/Microsoft or some similar tool to verify this? The output of the following would be appreciated: sigcheck.exe -i %windir%\system32\crypt32.dll
@sl4syh3r: WinVerifyTrust fails on user32.dll, from the VBox perspective it looks like it may have been modified or replaced, which is not acceptable to us. Could you perhaps use sigcheck.exe from SysInternals/Microsoft or some similar tool to verify this? The output of the following would be appreciated: sigcheck.exe -i %windir%\system32\user32.dll
- Still Pending -
@RelakS: Still not able to reproduce... (PS. If you have a minidump or something from the logs or popups, that could be of help.)
TODO: McAfee crash
@Redbyte, @mcdickey, @Krynos: Same problem, it seems, slightly different SEP versions though. What's more you're all on windows 8.1. We've been testing SEP on w8.0 and w7, hopefully something specific to running on 8.1... Investigating.
TODO: w8.1 + SEP
@lewekleonek: This is a reasonably old release of SEP that I'm afraid we haven't tested against. Any chance you may update to a more recent version? We'll be trying to locate this version and figure out what's going wrong as time permits.
TODO: w7.1 + SEP 12.1.1101.401, RU1 MP1; (symevent64x86.sys from 2011-11-22)
Kind Regards,
bird.
Knut St. Osmundsen
Oracle Corporation
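
The replies above about SHCore.dll, uxtheme.dll, crypt32.dll and user32.dll all come down to a file hash no longer matching its signature. The following is an added example (not VirtualBox code and not part of the original post) that computes the Authenticode image digest of a PE file, showing which bytes a signature covers. It assumes sections are contiguous in file order and the certificate table sits at the end of the file; `build_sample_image` and its contents are constructed sample data.

```python
import hashlib
import struct

def authenticode_digest(image, algo="sha256"):
    """Digest of a PE image over the bytes Authenticode covers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                           # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)            # data directories
    if struct.unpack_from("<I", image, dirs - 4)[0] < 5:    # NumberOfRvaAndSizes
        raise ValueError("no certificate table directory entry")
    checksum = opt + 64                                     # CheckSum, 4 bytes
    cert_dir = dirs + 4 * 8                                 # entry 4, 8 bytes
    cert_off, cert_len = struct.unpack_from("<II", image, cert_dir)
    end = cert_off if cert_len else len(image)
    h = hashlib.new(algo)
    h.update(image[:checksum])              # headers up to CheckSum
    h.update(image[checksum + 4:cert_dir])  # skip CheckSum
    h.update(image[cert_dir + 8:end])       # skip directory entry, stop at blob
    return h.hexdigest()

def build_sample_image(body=b"\x90" * 64, sig=b"SIGBLOB!"):
    """Constructed sample: minimal PE32+ headers, a body, a fake signature blob."""
    img = bytearray(64 + 24 + 240)          # DOS hdr, PE sig + COFF, optional hdr
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)
    img[64:68] = b"PE\0\0"
    opt = 64 + 24
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 108, 16)
    img += body
    struct.pack_into("<II", img, opt + 112 + 32, len(img), len(sig))
    return img + sig

if __name__ == "__main__":
    signed = build_sample_image()
    patched = bytearray(signed)
    patched[330] ^= 0xFF                    # one byte of the body changed
    print(authenticode_digest(signed) == authenticode_digest(patched))
```

Re-signing or recomputing the checksum leaves the digest unchanged, while any edit to headers, code or data changes it, which is the condition a loader that refuses modified DLLs reacts to.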