Firewall installation on XP SP3 guest fails
Posted: 10. May 2009, 21:29
by passerby
Host: PCLinuxOS 2009.1
Guest: Windows XP Pro SP3 English
VirtualBox version: 2.2.2
Windows works fine, but I can't seem to install a firewall:
1. Outpost Security Suite Pro 2009 v6.5.4 freezes the guest during install at the point where it says it's going to install the Visual C++ runtimes -- I can only bail out by closing the guest.
2. Comodo Internet Security current version: installs OK, then needs to reboot, but the guest dies after the reboot -- Windows startup progress bar appears and freezes, as does the guest. The only recourse is forced closing.
If anybody managed to install any of these successfully, please let me know how to do it.
Thanks in advance.
Re: Firewall installation on XP SP3 guest fails
Posted: 10. May 2009, 22:07
by Perryg
Not enough information to be able to help.
Forum Posting Guideline
Please provide host and guest memory and the values that you have provided the guest.
Also, if I may ask, do you have a firewall in the host, or your router?
Re: Firewall installation on XP SP3 guest fails
Posted: 11. May 2009, 14:51
by passerby
Perryg,
Thanks for replying, and sorry for the omission.
Host behind a router/firewall. Connections work as expected. No services offered for the Internet to connect to.
Host
====
RAM: 4GB
Guest
=====
RAM: 764 MB
Video RAM: 12 MB, 3D acceleration not enabled
ACPI enabled
IO APIC enabled
VT-x/AMD-V enabled
IDE Controller: PIIX4
Hard disk: 8.05 GB, IDE Primary Master
SATA (AHCI) not enabled
Network adapter: PCnet-Fast III
Network attached to: NAT, cable disconnected
Serial ports: none
USB: none
Re: Firewall installation on XP SP3 guest fails
Posted: 11. May 2009, 15:37
by Perryg
Your settings look fine for the moment (except the cable disconnected part of your network) but if you are behind a firewall and XP has a firewall built in why are you wanting to install another firewall? You can run into problems when running multiple firewalls. Can you install other programs in the guest or is this also something that can not be done?
Re: Firewall installation on XP SP3 guest fails
Posted: 11. May 2009, 17:40
by passerby
Can you install other programs in the guest or is this also something that can not be done?
Installing various other software on the guest worked fine.
XP has a firewall built in why are you wanting to install another firewall?
XP's firewall filters inbound only, and I consider it way inferior to Outpost (or Comodo).
XP Firewall is disabled, so there would only be one firewall on the virtual system.
I have found this while googling for a resolution:
http://www.virtualbox.org/ticket/1943
Notice the opening date (NINE months ago, re-opened TWO months ago) and the priority (minor). I consider this a major problem...
Re: Firewall installation on XP SP3 guest fails
Posted: 11. May 2009, 21:03
by OldeFoxx
Sorry, I don't quite agree about it being major. I am a retired Systems Engineer, and was also a network engineer during an earlier period, and have had a lot of issues with viruses and such in the past couple of decades. So my opinion, while strictly my own, is based on experience.
As often reported, your best firewall is probably the one in your router. Unfortunately, many people never password protect the router, so it can be hacked from elsewhere. Your XP install also enables its own internal Firewall by default, but many concede that it lacks the strength and options available in other firewalls.
But what many fail to recognize yet is that any version of Linux as host is creating a whole new interface to the internet, and what VirtualBox is doing is taking what goes back and forth over the host part and making it available in altered form to the guest. So the world might think you are just using XP as your OS, but you have two additional layers that you are passing through (Linux and the VM Manager). Now the combination among these three gets to be quite incredible, and with so few adopters of this technology yet, you are reasonably safe hunkered down on the client side. In fact I've run Windows 2000 Pro on the client side for over a year with no added protection, and have not been assaulted once. I've also noted the fine performance I can now get out of Windows as client without all that layered protection software on it as well.
Another thing that might help is that while each version of Windows may be good as it gets for a few years (aside from some security patches to fix flaws that might drag down the vendor's reputation if left unchecked), any version of Linux is consistently being improved, upgraded, patched, and modified. Not only does Linux represent a moving target then, but it is simultaneously moving in hundreds of directions at once, with every distro relayered to suit someone's emerging needs or wants. AVG came out with a version of itself for Linux, but there is no big rush there, because either the threat is not as big, the number of people that might be impacted is too small, or those concerned are more interested in freebies than in paying out good money for something they don't see a need for yet.
I can't guarantee that it will always be easy going in this regard, but it certainly does not warrant booting this problem or shortcoming to a major rating in terms of trying to address it now. The whole attack scheme is constantly changing, so when something does finally show up, we have no advance idea of what it is going to look like or do. Now if something sneaks through in the meantime and involves your virtual disk image and such, just revert to your last snapshot or saved image of it, and that is the best advice thus far: Make sure you have something to fall back on. In fact, since one VDI is pretty much immune to what happens in another, you could use that as a tool to keep a ready backup in case you need it. Or have variations between VDIs to satisfy other needs and interests. Lots of possibilities here. Take time and think them through.
Re: Firewall installation on XP SP3 guest fails
Posted: 12. May 2009, 09:04
by passerby
OldeFoxx,
Thank you for your detailed response.
Yes, VMs used to be reasonably safe, but not any more. The use of, and attacks against, virtual machines are on the rise, and malware already exists that is even able to attack the VM and infect the host.
You say
I've run Windows 2000 Pro on the client side for over a year with no added protection, and have not been assaulted once.
-- If you had, how would you have noticed?
A VM needs the same care and protection as a physical system. If I have a virtual Windows system meant for serious use and not just for play, I want it fully protected, which is currently not possible.
You say you consider this a minor issue. I think it is a major one for two reasons:
1. It shows, to me at least, that there is something in the working of these firewalls that the developers failed to take into account, despite having been warned about it nine months ago. They don't care? Now it is firewalls -- what next?
2. Sun never said its virtualization software was inferior to those of other vendors' -- in fact, it states that the virtual machine can be used as a full-fledged system. So how can it go on and say in the same breath that not being able to virtualize mainstream firewalls is a minor issue? Especially if those same firewalls run flawlessly on other virtualization vendors' products?
You could say that other vendors charge for their products, but this is a question of principle: you can either fully use your virtual system, or you can't.
If Sun acknowledges that its product is unable to virtualize certain software, it should say so.
If it doesn't, it should make sure the product performs as stated.
So to say it again: I consider this a major problem, and a dangerous precedent if left unresolved.
Re: Firewall installation on XP SP3 guest fails
Posted: 13. May 2009, 04:20
by zoldefoxx
Now the question is, are you most concerned about attacks against the host or against the guest? It's not all the same thing, you know, and seeking a software firewall for one is not necessarily the same as having a firewall for each. Now how far in this direction do you want to go? You are already at the point where you are considering multiple firewalls (router and software), but there is no real limit as to the number of software walls and other protection schemes you might then consider.
Why am I reasonably confident in my protection thus far? Partly because I've detected nothing on either side that I feel puts me at risk. I can even download and run certain scan processes, such as Spyware Doctor, and get a clean bill of health, but that has been strictly on the client side. What's also neat, is that for the client, little is visible beyond the VDI and CD-ROM drive unless you take steps to change that. I've even noted in the past that many attacks are based on the assumption that the system and most applications are always situated on the C: drive, but we should know that is only one possibility. However, it is the possibility that is most widely adhered to, since that is the way that PCs come if preloaded when delivered.
Now if I were a hacker, intent on getting into other machines, would I go after the majority of machines which are basically unprotected, or would I insist on hunting about for the elusive ones that are much more difficult to find and penetrate? I would likely have to realize that if I did squirrel into such a machine, that the payback would be relatively small. One reason is that the variations from one complex machine to the next would be difficult to anticipate and somewhat difficult to write a comprehensive program to exploit all the possibilities.
Now say that someone considers that a real challenge, so sets out to try and do it? Would a small program and just a portion of time suffice? Could it evade all the protection schemes that might be implemented on such a machine? And what would the ultimate payoff be? Just the personal satisfaction of proving a point, or possibly the lure of going after machines that front for organizations or resources that once penetrated, might make me rich? Why not instead use the new gained knowledge to try to move into the security field to prove you are even better at this than others that might try the same thing?
Anyone that can achieve this level of capability is not going to be held back by some piece of software called a firewall, or internet security suite, or anything like that. Each of these is vulnerable simply because they are widely used, and if you want to show what you are capable of, pick any one and see what you can do with it. After all, it is a small investment to get a copy for yourself, and some even come in a free version. Beat them, and there are so many more machines that can now fall victim to whatever you plan to do.
It's for these reasons and others that I simply fail to see the same level of threat that you perceive. I could be wrong, of course, but I see little to indicate that this is the major problem you portray it to be. Not that this may not be true someday, but as I said before, if you don't know exactly what the threat will be, then finding a suitable defense for all the unknown threats is really pushing beyond what we know to do or how to do it. And if we prebuild a defense, then the attacker will only engineer a way to get around it as well as any other obstacles. Remember the Maginot Line that was supposed to protect France from another attack by Germany? It looked good on paper, and cost a vast amount of money, but the German forces just went around it. Yet many French people slept comfortably because they were assured that the line would serve to keep the Germans at bay.
Re: Firewall installation on XP SP3 guest fails
Posted: 13. May 2009, 07:22
by passerby
zoldefoxx,
We could go on for hours debating the pros and cons of how and why to protect or not protect a virtual machine, but that is not my point.
My point is this:
- I want to use the Windows guest like any 'normal' system, as Sun assures me I can.
- I want to use a mainstream firewall written for Windows platforms to protect it.
- I can't, because the guest can't even install it, let alone run it.
And Sun considers this a minor issue.
This is the very first sentence on the VB site: VirtualBox is a family of powerful x86 virtualization products for enterprise as well as home use. Not only is VirtualBox an extremely feature rich, high performance product for enterprise customers, it is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL). (highlights by me.)
VirtualBox's inability to run certain off-the-shelf standard Windows programs simply belies everything highlighted above, and not because it has problems running them at the moment, but because the vendor says this shortcoming isn't important. Not important enough to look into and resolve in NINE months.
If you are a serious user, let alone an enterprise customer, would you say this attitude is reassuring?
Re: Firewall installation on XP SP3 guest fails
Posted: 16. May 2009, 15:38
by virtualdon
FWIW:
I had a problem installing Kerio Personal Firewall 2.1.5 (the last free version) on Windows 2000 Professional, using VirtualBox 2.2.2 on a Ubuntu 9.04 host. The Windows 2000 boot process would hang with 100% CPU on the Ubuntu host.
I confirmed it was the firewall driver by renaming the driver in the \winnt\system32\drivers folder. When I did, Windows 2000 booted OK (but Kerio did not work ...).
By trial and error, I discovered that the hardware virtualization flag - VT-x/AMD-V - was the problem. I turned the flag off, and the problem disappeared. I re-installed Windows 2000 without the flag on, just to make sure there would be no residual effects of the flag.
This might work for you. Or, it may not.
Re: Firewall installation on XP SP3 guest fails
Posted: 16. May 2009, 15:57
by Perryg
passerby wrote:
zoldefoxx,
We could go on for hours debating the pros and cons of how and why to protect or not protect a virtual machine, but that is not my point.
My point is this:
- I want to use the Windows guest like any 'normal' system, as Sun assures me I can.
- I want to use a mainstream firewall written for Windows platforms to protect it.
- I can't, because the guest can't even install it, let alone run it.
And Sun considers this a minor issue.
This is the very first sentence on the VB site: VirtualBox is a family of powerful x86 virtualization products for enterprise as well as home use. Not only is VirtualBox an extremely feature rich, high performance product for enterprise customers, it is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL). (highlights by me.)
VirtualBox's inability to run certain off-the-shelf standard Windows programs simply belies everything highlighted above, and not because it has problems running them at the moment, but because the vendor says this shortcoming isn't important. Not important enough to look into and resolve in NINE months.
If you are a serious user, let alone an enterprise customer, would you say this attitude is reassuring?
- The original poster is the one that set it to minor not VB.
- Just raise another ticket in bugtracker if this is important to you.
- No one here is going to be able to do anything about this.
Probably the reason that this has not been addressed is because they did not attach the VB log file as stated in the instructions. Without that log they usually do not even look at the complaint.
Re: Firewall installation on XP SP3 guest fails
Posted: 17. May 2009, 20:49
by passerby
virtualdon,
Thank you for sharing your solution, I'll try that.
Perryg,
I have raised a bug ticket for this.
Thank you for your last point about the VB log file -- I'll retry and save/attach it.