Symantec Endpoint Protection Prevents VirtualBox Guest From Starting

We were running VirtualBox 4.3.16 on a Windows 7 Enterprise SP1 x64 host. A couple of days ago, our Corporate IT decided they were going to silently install a newer version of Symantec Endpoint Protection, 12.1.5337.5000. Previously we were running v12.1.4013.4013. Since then, when trying to start a VirtualBox guest (it doesn't matter which guest), nothing happens. You can see the VirtualBox.exe instance running in the Task Manager, but if you try to kill it, it refuses to go away.

I've tried every trick I know to kill the process, including: Windows Task Manager -> Processes -> right click and select Terminate; Process Explorer; pskill; taskkill /f /pid. The worst part is that you cannot even shut down the PC. When you attempt to initiate a shutdown/reboot, Windows does nothing. If you try to launch any programs after that, nothing will come up. The only option left is to do a 3-second hold on the power button.

I can uninstall Symantec and VirtualBox becomes functional again, but unfortunately, changes to Symantec are not much of an option in fixing this. We're stuck with the version Corporate IT has dished out. I've tried upgrading to VirtualBox 4.3.18, but that has not made a difference. Temporarily disabling Symantec Endpoint also has no effect.

This is what I see in VBoxStartup.log:

ac8.159c: Error (rc=258):
ac8.159c: Timed out after 60001 ms waiting for child request #1 (CloseEvents).
ac8.159c: Error 258 in supR3HardNtChildWaitFor! (enmWhat=5)
ac8.159c: Timed out after 60001 ms waiting for child request #1 (CloseEvents).

Searches online have yielded a few forums talking about the same or similar issues, but as far as I could tell, no real solutions. At this point any help, even if it's just a sure-fire way to kill the process so I don't have to cut power to the PC, would be much appreciated.

Proactive Threat Protection Settings in Symantec:

  • SONAR
    • Enable SONAR = Checked
    • High risk detection = Quarantine
    • Low risk detection = Log
    • Enable Aggressive Mode = Unchecked
    • Show alert upon detection = Checked
    • Prompt before terminating a process = Unchecked
    • Prompt before stopping a service = Unchecked
  • Suspicious Behavior Detection
    • High risk detection = Block
    • Low risk detection = Ignore
  • System Change Detection
    • DNS change detection = Ignore
    • Host file change detected = Ignore
    • Exceptions = Tried adding VirtualBox directory, makes no difference.

Drew Chapin

Posted 2014-10-23T02:18:52.880

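The VBoxStartup.log excerpt above has a regular shape (`pid.tid: message`, an `rc=` code, and a "Timed out ... waiting for child request" line naming the stalled stage). The parser below, an added example that is not part of the original post, extracts those fields and summarises whether the log shows the parent VirtualBox.exe timing out on its hardened child, which is the symptom the question describes. The sample log text is constructed from the quoted lines; the only error-code name it maps is 258, which is the Win32 WAIT_TIMEOUT value.

```python
import re
from collections import Counter

# Constructed sample, modelled on the VBoxStartup.log lines quoted in the question.
SAMPLE_LOG = """\
ac8.159c: Error (rc=258):
ac8.159c: Timed out after 60001 ms waiting for child request #1 (CloseEvents).
ac8.159c: Error 258 in supR3HardNtChildWaitFor! (enmWhat=5)
ac8.159c: Timed out after 60001 ms waiting for child request #1 (CloseEvents).
"""

# Win32 error 258 is WAIT_TIMEOUT: the parent process gave up waiting for its
# hardened child. Other codes are reported as "unknown" rather than guessed.
WIN32_NAMES = {258: "WAIT_TIMEOUT"}

LINE_RE = re.compile(r"^(?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+): (?P<msg>.*)$")
RC_RE = re.compile(r"\bError(?: \(rc=| )(?P<rc>\d+)\b")
WAIT_RE = re.compile(
    r"Timed out after (?P<ms>\d+) ms waiting for child request #(?P<req>\d+) \((?P<what>\w+)\)"
)

def parse_startup_log(text):
    """Turn raw VBoxStartup.log text into one dict per recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines instead of failing
        ev = {"pid": m["pid"], "tid": m["tid"], "msg": m["msg"], "rc": None, "wait": None}
        rc = RC_RE.search(m["msg"])
        if rc:
            ev["rc"] = int(rc["rc"])
        w = WAIT_RE.search(m["msg"])
        if w:
            ev["wait"] = {"ms": int(w["ms"]), "req": int(w["req"]), "what": w["what"]}
        events.append(ev)
    return events

def diagnose(events):
    """Summarise whether the log shows a hardened-child wait timeout and where it stalled."""
    rcs = Counter(e["rc"] for e in events if e["rc"] is not None)
    waits = [e["wait"] for e in events if e["wait"]]
    return {
        "error_codes": {rc: WIN32_NAMES.get(rc, "unknown") for rc in rcs},
        "child_wait_timeout": 258 in rcs and bool(waits),
        "max_wait_ms": max((w["ms"] for w in waits), default=0),
        "stalled_requests": sorted({w["what"] for w in waits}),
    }

if __name__ == "__main__":
    print(diagnose(parse_startup_log(SAMPLE_LOG)))
```

Run it against a real VBoxStartup.log to confirm the stall is a child-wait timeout at a named stage rather than some other startup error before blaming the endpoint product.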

Would the downvoter care to comment? – Drew Chapin – 2014-10-23T02:48:46.177

I assume you mean Symantec Endpoint Protection? What are your Proactive Threat Protection settings currently configured as? Do your SEP logs show anything relevant; anything listed as blocked? – Robin Hood – 2014-10-23T06:24:05.543

@RobinHood, details added. – Drew Chapin – 2014-10-23T11:59:02.437

What does your IT department say? – Dave M – 2014-12-19T13:33:06.380

@DaveM, yeah... They aren't much help. You may as well give up on that route. – Drew Chapin – 2014-12-19T18:57:42.637

Answers


Hope this thread helps.

https://forums.virtualbox.org/viewtopic.php?t=64111&f=6

I had a similar problem. There seems to be some regression from 4.3.12 onwards. The possible reason seems to be the "hardened" security features that do not work well with the latest SEP release.

I have reverted to 4.2.x VB release, which solved my problem.

Django


I have also encountered the same problem on my Windows 7 (64-bit) PC, but in my case it is my anti-virus, Avira, that causes the improper startup of VBox (4.3.30). VBox could be started up smoothly as before after I uninstalled Avira. It may happen to VBox version 4.0 and onward, because I had tried VBox 4.0.36, 4.2.36 and 5.0.10 besides 4.3.30 before I found this post. Thanks.

Channing Ma


You can remove it by going to Programs and Features, selecting "Change" on SEP and setting Proactive Threat Protection -> Application and Device Control to "Entire feature will be unavailable". Bear in mind that in a corporate environment this may be controlled by a password.

The effect of removing it really depends on what policy is being used, and unfortunately this is not visible to anyone apart from the SEP admins.

Alex Milford


This is a better answer. You should delete your previous answer. – fixer1234 – 2015-01-07T18:39:23.763


You can resolve this issue by uninstalling the Application and Device Control component of SEP.

Alex Milford


Can you expand your answer to include what other effects that might have and how to do that? – fixer1234 – 2014-12-19T00:42:46.003

I don't see why the author should explain what other effects this might have; considering the setting is likely controlled by corporate configuration, it's likely not even possible without the IT department. – Ramhound – 2015-01-02T17:27:13.597