Discussion of Problems due to Hardened Security

Discussions related to using VirtualBox on Windows hosts.
tlh1138
Posts: 2
Joined: 2. Dec 2016, 02:03

Re: Discussion of Problems due to Hardened Security

Post by tlh1138 »

Hello,

VirtualBox stopped working after upgrading to the Anniversary Edition. It was working with no issues prior to the upgrade. I have tried uninstalling and reinstalling VirtualBox.

1) Host OS and version = Windows 10 64 bit Pro Version 1607 Build 14393.0
2) VBoxHardening.log = Attached
3) Mention any host anti-virus, firewalls, protection software, and debugging programs etc which might be relevant. = Windows Defender
4) VBox version = 5.1.10 r112026 (Qt5.6.2)
Attachments: Error1.jpg (screenshot of the error), VBoxHardening.zip (VBoxHardening log)
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Discussion of Problems due to Hardened Security

Post by socratis »

tlh1138 wrote: 3) Mention any host anti-virus, firewalls, protection software, and debugging programs etc which might be relevant. = Windows Defender
Are you sure you're not using Crowd Strike? Because it sure sounds a lot like you do. See https://www.virtualbox.org/ticket/16196 as well as the topic at the forums that's mentioned.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
tlh1138
Posts: 2
Joined: 2. Dec 2016, 02:03

Re: Discussion of Problems due to Hardened Security

Post by tlh1138 »

socratis wrote:
tlh1138 wrote: 3) Mention any host anti-virus, firewalls, protection software, and debugging programs etc which might be relevant. = Windows Defender
Are you sure you're not using Crowd Strike? Because it sure sounds a lot like you do.
Not installed locally on the machine, but it is in use on the network this workstation is attached to. I will investigate both tips. Thank you.

Edit: Following your tips I found someone else who resolved the issue by simply creating a dummy umppc4702.dll file in the System32 folder with a text editor. That worked! Thanks for your help!
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Discussion of Problems due to Hardened Security

Post by mpack »

I see lots of different files across the web called UMPPCxxxx.DLL. I'm suspicious of a file with so many variants. Generally programmers embed version info in the content, they don't embed it in the filename. Could someone please manually check for signatures in this file? I see the discussion of CrowdStrike, not an AV package I'm familiar with. The behaviour reminds me of a trojan - a reputable AV provider would sign their DLLs.
Georg_
Posts: 10
Joined: 6. Dec 2016, 12:13

Re: Discussion of Problems due to Hardened Security

Post by Georg_ »

Hi!
After a long time I tried VirtualBox again, but still it has the same old hardening issues...
It simply refuses to run.
The log is attached.

What I find strange is this:
I have 4.3.12 running.
I install 5.1.10
I *can start* my VMs directly after installing VirtualBox. But if I REBOOT, it does not work anymore.
I had problems with the network in the VM before rebooting the Host, but all the rest was working. After reboot of the Host, nothing works anymore...
I install 4.3.12 again, everything is fine...

Does somebody have an idea?

Thanks in advance!

Georg
Attachments: VBoxHardening.zip (VBoxHardening log)
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Discussion of Problems due to Hardened Security

Post by mpack »

@Georg_ it seems that you have the classic signs of Win7 certificates database corruption. You will keep having problems with any app that checks certificates, such as VirtualBox post 4.3.12. I'm not an expert on Win7, so I'm afraid I can't tell you how to fix such corruption short of reinstalling the host OS (or installing a new host OS).

Of course you can also try the old standby test: see what happens if you disable your MalwareBytes AV, check for updates to graphics drivers (or disable 3D support in the guest).
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Discussion of Problems due to Hardened Security

Post by scottgus1 »

Georg, Windows 7 Microsoft Updates KB3004394, KB3045999, and KB3081320 have corrupted the certificate database so far at least. Some of these were supposed to have been revoked and replaced by MS. Have you been allowing updates?

Maybe an SFC /SCANNOW in a run-as-admin command prompt might help. Also your log shows an error from what appears to be a video driver file. Update the video drivers?
Georg_
Posts: 10
Joined: 6. Dec 2016, 12:13

Re: Discussion of Problems due to Hardened Security

Post by Georg_ »

Thanks for the quick answers!
I have no antivirus running and I did not do any updates after the initial installation. All I am running is a firewall. Virus scanning is done "on demand", I start the scanner manually before executing any unknown program.
I believe in "never change a running system" and the updates from M$ normally do more harm than they help.
The system has been running nicely for nearly 6 years! No problem at all with any software, except VirtualBox.
I am no friend of the "forced hardening", but I do not want to start a discussion. I am only looking for a way to make VirtualBox >4.3.12 run. And installing updates or re-installing the OS is not an option.
There should be something else I can do... (I hope)

Georg
Georg_
Posts: 10
Joined: 6. Dec 2016, 12:13

Re: Discussion of Problems due to Hardened Security

Post by Georg_ »

scottgus1 wrote: Maybe an SFC /SCANNOW in a run-as-admin command prompt might help. Also your log shows an error off what appears to be a video driver file. Update the video drivers?
I did an SFC /VERIFYONLY, but it yielded no error.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Discussion of Problems due to Hardened Security

Post by scottgus1 »

Hardening is here to stay, according to the developers, so you'll have to get the host OS fixed to get later than 4.3.12 to run. (Or get and change the source code and recompile a non-hardened version yourself...)

I also run on the paradigm of "If it ain't broke don't fix it". But Windows Updates aren't the demons they seem to be, if you give them some time to mature and let early adopters do the field testing. I always hold off a month or so before I allow updates to run on my MS PCs, to see if the web blows up over one, which does happen, but which usually gets resolved eventually, then I update. FWIW, Service packs are updates, so if you are on W7sp1, you're already running with updates.

Virtualbox isn't just any "normal" software. Here's the deal on why hardening was implemented: Basically, some programs can use a normal Windows function to inject themselves into other programs to allow cross functionality. This is what causes a theme crack to work in all the windows that appear, or Antivirus to read running programs, or online-meeting software to insert into the windows their extra buttons, etc. Malware can do this too, and with a super-powerful program like Virtualbox punching holes in the security levels to get more than one OS to run on a PC at the same time, bad things can happen.

So Virtualbox checks to see if the program that wants to inject into Virtualbox is signed with an authenticity certificate. If it's not, Virtualbox won't start. Malware developers don't usually like to publish their identities, so their code won't be signed and the code won't get into Virtualbox.

In addition to the possible Windows Updates issues, some legitimate program distributors haven't signed their programs. If they haven't you need to ask them to distribute a signed version. Which ones to ask? Look in the logs for "supR3HardenedError" or "error" or "reject", the end of the line is the unsigned program.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Discussion of Problems due to Hardened Security

Post by mpack »

Georg_ wrote:I have no antivirus running
Your log says otherwise. You have MalwareBytes installed.
VBoxHardening.log wrote: 568.f74: supR3HardenedWinFindAdversaries: 0x80
568.f74: \SystemRoot\System32\drivers\MBAMSwissArmy.sys:
568.f74: CreationTime: 2015-05-19T07:17:59.432409100Z
568.f74: LastWriteTime: 2015-05-19T07:35:29.181389600Z
568.f74: ChangeTime: 2015-05-19T07:35:29.181389600Z
568.f74: FileAttributes: 0x20
568.f74: Size: 0x214d8
568.f74: NT Headers: 0xf0
568.f74: Timestamp: 0x54af40d7
568.f74: Machine: 0x8664 - amd64
568.f74: Timestamp: 0x54af40d7
568.f74: Image Version: 6.1
568.f74: SizeOfImage: 0x26000 (155648)
568.f74: Resource Dir: 0x24000 LB 0x3f0
568.f74: ProductName: Malwarebytes Anti-Malware
568.f74: ProductVersion: 0.2.21.0
568.f74: FileVersion: 0.2.21.0
568.f74: FileDescription: Malwarebytes Anti-Malware
568.f74: \SystemRoot\System32\drivers\mbamchameleon.sys:
568.f74: CreationTime: 2015-05-19T07:17:35.199832600Z
568.f74: LastWriteTime: 2015-05-19T07:35:22.457777800Z
568.f74: ChangeTime: 2015-05-19T07:35:22.457777800Z
568.f74: FileAttributes: 0x20
568.f74: Size: 0x1a4d8
568.f74: NT Headers: 0xd8
568.f74: Timestamp: 0x54c00c44
568.f74: Machine: 0x8664 - amd64
568.f74: Timestamp: 0x54c00c44
568.f74: Image Version: 6.1
568.f74: SizeOfImage: 0x1e000 (122880)
568.f74: Resource Dir: 0x1c000 LB 0xbd8
568.f74: ProductName: Malwarebytes Chameleon
568.f74: ProductVersion: 1.1.13.0
568.f74: FileVersion: 1.1.13.0
568.f74: FileDescription: Malwarebytes Chameleon Protection Driver
Georg_
Posts: 10
Joined: 6. Dec 2016, 12:13

Re: Discussion of Problems due to Hardened Security

Post by Georg_ »

scottgus1 wrote:Hardening is here to stay, according to the developers, so you'll have to get the host OS fixed to get later than 4.3.12 to run. (Or get and change the source code and recompile a non-hardened version yourself...)

I also run on the paradigm of "If it ain't broke don't fix it". But Windows Updates aren't the demons they seem to be, if you give them some time to mature and let early adopters do the field testing. I always hold off a month or so before I allow updates to run on my MS PCs, to see if the web blows up over one, which does happen, but which usually gets resolved eventually, then I update. FWIW, Service packs are updates, so if you are on W7sp1, you're already running with updates.
Hi!
As I said, I do not want to start a discussion about hardening. I do not like it, I would prefer an optional hardening, I think it is *my* decision if I want to use it or not. It's just like automatically driving cars: Some people seem to like the idea, but I would never use it. I am suspicious of anything automatic I did not program myself :-)
Your mileage may vary, of course!

It's not that I have a general problem with updates, but I just do not install anything beyond the OS. If a later version of the OS itself contains fixes, that's fine for me.

That said, I would like to know how to "fix" my OS, or better, make it "VirtualBox" compatible.
I would compile it myself, but setting up the build environment is so much effort that I try other ways first...

Georg
Georg_
Posts: 10
Joined: 6. Dec 2016, 12:13

Re: Discussion of Problems due to Hardened Security

Post by Georg_ »

mpack wrote: Your log says otherwise. You have MalwareBytes installed.
Ah, thanks for the hint.
The log is lying here, as far as I know! Maybe that's the problem?

MalwareBytes is NOT running and NOT installed.
I think I can remember that some years ago there was a new virus that no antivirus software was able to detect and our whole company got infected. We had to use a special scanner from MalwareBytes to remove it. But the antivirus software was never *installed*, it was only *started*. Maybe it did install some driver, though?

But there really is no MalwareBytes process, service or application running on my computer... Does VirtualBox check ALL drivers, even the ones not used??

Georg
Georg_
Posts: 10
Joined: 6. Dec 2016, 12:13

Re: Discussion of Problems due to Hardened Security

Post by Georg_ »

scottgus1 wrote: Look in the logs for "supR3HardenedError" or "error" or "reject", the end of the line is the unsigned program.
I checked the logs for these messages:

error:
aec.6c4: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\apphelp.dll (rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000:<flags> [calling]
aec.6c4: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
aec.6c4: supR3HardenedDllNotificationCallback: load 000007fefdbc0000 LB 0x00057000 C:\Windows\system32\apphelp.dll [fFlags=0x0]
aec.6c4: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
aec.6c4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=000007fefdbc0000 'C:\Windows\system32\apphelp.dll'
aec.6c4: Error -104 in supR3HardenedWinReSpawn! (enmWhat=5)
aec.6c4: Error relaunching VirtualBox VM process: 5


aec.6c4: supR3HardenedMonitor_LdrLoadDll: error opening 'C:\Windows\system32\nvinitx.dll': 5 (NtPath=\??\C:\Windows\system32\nvinitx.dll; Input=C:\Windows\system32\nvinitx.dll; rcNtGetDll=0x0
aec.6c4: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\nvinitx.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=00000000007bc220:C:\Program Files\Oracle\VirtualBox;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64;C:\Program Files\WIDCOMM\Bluetooth Software\;C:\Program Files\WIDCOMM\Bluetooth Software\syswow64;c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\ [calling]
aec.6c4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000135 'C:\Windows\system32\nvinitx.dll'


aec.6c4: supR3HardenedMonitor_LdrLoadDll: error opening 'C:\Windows\system32\wintab32.dll': 127 (NtPath=\??\C:\Windows\system32\wintab32.dll; Input=C:\Windows\system32\wintab32.dll; rcNtGetDll=0x0
aec.6c4: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\wintab32.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=00000000007bc220:C:\Program Files\Oracle\VirtualBox;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64;C:\Program Files\WIDCOMM\Bluetooth Software\;C:\Program Files\WIDCOMM\Bluetooth Software\syswow64;c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\ [calling]
aec.6c4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000135 'C:\Windows\system32\wintab32.dll'


reject:
no entries

supR3HardenedError:
no entries

Does this mean that
wintab32.dll
nvinitx.dll
apphelp.dll
are corrupted?

Funny thing: I cannot find wintab32.dll on my computer at all!

apphelp is a normal Windows-DLL, what could be wrong?

nvinitx.dll is from NVidia, should also be ok.

My problem is, that I do not understand what exactly VirtualBox does not like...

I also cannot find any error related to the MalwareBytes drivers, so I would expect that there is no problem with these...

Georg
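The manual grep that scottgus1 describes (search the log for "error", "reject" and "supR3HardenedError", the path at the end of the line is the module in question) and the log excerpts Georg posted above can be turned into a small triage script. This is an added example, not code from the forum or from the VirtualBox project; the sample log is constructed in the shape of the lines quoted in this thread, and the category names are my own.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the VBoxHardening.log lines quoted in this thread:
# the "<pid>.<tid>: " prefix, the adversary scan, and the module-load monitor.
SAMPLE_LOG = r"""
aec.6c4: supR3HardenedWinFindAdversaries: 0x80
aec.6c4: \SystemRoot\System32\drivers\MBAMSwissArmy.sys:
aec.6c4: ProductName: Malwarebytes Anti-Malware
aec.6c4: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\apphelp.dll [lacks WinVerifyTrust]
aec.6c4: supR3HardenedDllNotificationCallback: load 000007fefdbc0000 LB 0x00057000 C:\Windows\system32\apphelp.dll [fFlags=0x0]
aec.6c4: supR3HardenedMonitor_LdrLoadDll: error opening 'C:\Windows\system32\nvinitx.dll': 5 (NtPath=\??\C:\Windows\system32\nvinitx.dll; Input=C:\Windows\system32\nvinitx.dll; rcNtGetDll=0x0
aec.6c4: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000135 'C:\Windows\system32\wintab32.dll'
aec.6c4: Error -104 in supR3HardenedWinReSpawn! (enmWhat=5)
"""

PREFIX = re.compile(r"^[0-9a-f]+\.[0-9a-f]+: ")                 # "aec.6c4: "
UNVERIFIED = re.compile(r" on (\S+) \[lacks WinVerifyTrust\]$")  # image without a trust verification
OPEN_ERR = re.compile(r"error opening '([^']+)': (\d+) ")       # Win32 error while opening a module
LOAD_RC = re.compile(r"returns rcNt=(0x[0-9a-f]+) '([^']+)'$")  # NTSTATUS of the load, 0x0 = success
DRIVER = re.compile(r"^(\\\S+\.sys):$")                          # driver listed by the adversary scan
FATAL = re.compile(r"supR3HardenedError|\bError -?\d+ in |\bError relaunching|\breject")

def base(path):
    return path.rsplit("\\", 1)[-1]   # keep only the file name at the end of the line

def triage(log_text):
    """Group hardening-log findings by category; values are file names or (name, code) pairs."""
    out = defaultdict(list)
    in_scan = False
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw.strip())
        if not line:
            continue
        if line.startswith("supR3Hardened"):   # a new hardening routine ends the driver listing
            in_scan = line.startswith("supR3HardenedWinFindAdversaries")
        if in_scan and (m := DRIVER.match(line)):
            out["adversary_driver"].append(base(m.group(1)))
        elif m := UNVERIFIED.search(line):
            out["lacks_winverifytrust"].append(base(m.group(1)))
        elif m := OPEN_ERR.search(line):
            out["open_error"].append((base(m.group(1)), int(m.group(2))))
        elif (m := LOAD_RC.search(line)) and m.group(1) != "0x0":
            out["load_failed"].append((base(m.group(2)), m.group(1)))
        elif FATAL.search(line):
            out["fatal"].append(line)
    return dict(out)
```

Run `triage(open("VBoxHardening.log", errors="replace").read())` on a real log; the `adversary_driver` list is only what the scan recognised on disk (Georg's unused Malwarebytes drivers show up there), while `lacks_winverifytrust`, `open_error` and `load_failed` are the modules to check for a valid Authenticode signature.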
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Discussion of Problems due to Hardened Security

Post by mpack »

Georg_ wrote:My problem is, that I do not understand what exactly VirtualBox does not like...
I'm pretty sure it's certs database corruption, as I mentioned in my first reply to you.

You still have MalwareBytes drivers present, but I agree that's unlikely to be the problem. That was proposed as a secondary test to try, not as a central feature of the problem.