DBPhd
Level 8
Message 1 of 9

VirtualBox hardening hangs on guest VM startup

VirtualBox 6.10 and 6.12
Windows 10 Enterprise Host
Windows 10 Professional Guest and CentOS 7 Guest

The hardening process hangs here:
ee8.17b0: supR3HardenedDllNotificationCallback: Unload 0000000061c20000 LB 0x0001a000 C:\Program Files\Common Files\McAfee\SystemCore\mfehida.dll [flags=0x0]

I can provide the complete VBoxHardening.log.

McAfee Endpoint Security 10.6

This started happening around September 9. No problems before then.

8 Replies
McAfee Employee AdithyanT
Message 2 of 9

Re: VirtualBox hardening hangs on guest VM startup

Hi @DBPhd 

Thank you for posting here. May I please confirm you are using the ENS firewall component as well? If not, then can you confirm if disabling the Threat Prevention component (disable On-Access Scanning) helps? The idea here is to isolate what component is causing the issue. Perhaps this KBA should help give you the idea behind my suggestion.

Any changes to McAfee products around September 9 that you can recall? Also, may I know the version of ENS you are using - 10.6.?.????. May I request you to try an upgrade to the latest version to see if that helps?

Apologies for the delay in response though, I hope this helps in determining the root cause apart from just the dll name from the logs. This dll is merely an "interceptor" meaning, it would get injected for monitoring purposes. Hence the actual component responsible should help us determine if any exclusions need to be in place. I sincerely hope this helps us!

Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
DBPhd
Level 8
Message 3 of 9

Re: VirtualBox hardening hangs on guest VM startup

Adithyan,
I temporarily disabled ON-ACCESS SCAN but it did not solve the problem. The product is configured and managed by the security group, and disabling any protections would not be a viable long-term solution.

ENDPOINT SECURITY PLATFORM
Version 10.6.1.1449
Hotfix Number 190514
Patch Version 1
McAfee Agent version 5.6.1.308
SystemCore version 19.3.0.203.

ADAPTIVE THREAT PROTECTION
Version 10.6.1.1120
Hotfix number None
Patch version 1
Real Protect engine version 1.1.0.5798

THREAT PREVENTION
Version 10.6.1.5550
Hotfix number 190514
Patch Version 1

FIREWALL
Version 10.6.1.1278
Hotfix number 190514
Patch Version 1

WEB CONTROL
Version 10.6.1.1311
Hotfix number 190514
Patch Version 1

I did find ExploitPrevention_Activity.log dated 09/11/2019. I assume this is what broke VirtualBox.

6/25/2018 8:54:12 PM mfetp(8896.7368) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20180603_08479_ENDP_AM_1000.zip).
6/25/2018 8:54:13 PM mfetp(8896.7368) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
6/25/2018 8:54:19 PM mfetp(8896.7368) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.5.0.8479
7/11/2018 11:07:06 AM mfetp(6840.9008) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20180704_08537_ENDP_AM_1000.zip).
7/11/2018 11:07:12 AM mfetp(6840.9008) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
7/11/2018 1:42:45 PM mfetp(6840.9008) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.8537
8/15/2018 4:25:13 AM mfetp(7224.4680) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20180806_08591_ENDP_AM_1000.zip).
8/15/2018 4:25:17 AM mfetp(7224.4680) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
8/15/2018 4:25:24 AM mfetp(7224.4680) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.8591
9/11/2018 8:01:25 PM mfetp(6256.9472) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20180829_08623_ENDP_AM_1000.zip).
9/11/2018 8:01:26 PM mfetp(6256.9472) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
9/11/2018 8:01:34 PM mfetp(6256.9472) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.8623
10/9/2018 8:16:09 PM mfetp(6352.9368) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20181001_08701_ENDP_AM_1000.zip).
10/9/2018 8:16:11 PM mfetp(6352.9368) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
10/9/2018 8:16:18 PM mfetp(6352.9368) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.8701
11/16/2018 4:10:51 PM mfetp(5912.15180) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20181111_08773_ENDP_AM_1000.zip).
11/16/2018 4:10:53 PM mfetp(5912.15180) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
11/16/2018 4:11:00 PM mfetp(5912.15180) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.8773
12/11/2018 8:36:10 PM mfetp(7172.10020) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20181128_08807_ENDP_AM_1000.zip).
12/11/2018 8:36:11 PM mfetp(7172.10020) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
12/11/2018 8:36:17 PM mfetp(7172.10020) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.8807
1/8/2019 5:00:12 PM mfetp(7416.8864) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190102_08841_ENDP_AM_1000.zip).
1/8/2019 5:00:14 PM mfetp(7416.8864) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
1/8/2019 5:00:16 PM mfetp(7416.8864) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.8841
2/12/2019 4:57:10 PM mfetp(7244.11180) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190131_08966_ENDP_AM_1000.zip).
2/12/2019 4:57:11 PM mfetp(7244.11180) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
2/12/2019 4:57:16 PM mfetp(7244.11180) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.8966
3/12/2019 8:12:09 PM mfetp(8124.16176) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190305_09096_ENDP_AM_1000.zip).
3/12/2019 8:12:10 PM mfetp(8124.16176) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
3/12/2019 8:12:13 PM mfetp(8124.16176) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.9096
4/9/2019 8:25:09 PM mfetp(5464.2432) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190402_09184_ENDP_AM_1000.zip).
4/9/2019 8:25:11 PM mfetp(5464.2432) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
4/9/2019 8:25:13 PM mfetp(5464.2432) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.9184
5/15/2019 10:04:21 AM mfetp(4516.6680) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190506_09246_ENDP_AM_1000.zip).
5/15/2019 10:04:24 AM mfetp(4516.6680) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
5/15/2019 10:04:27 AM mfetp(4516.6680) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.9246
6/11/2019 8:29:09 PM mfetp(5440.7232) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190605_09329_ENDP_AM_1000.zip).
6/11/2019 8:29:11 PM mfetp(5440.7232) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
6/11/2019 8:29:13 PM mfetp(5440.7232) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.9329
7/9/2019 5:46:31 PM mfetp(5256.12548) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190704_09418_ENDP_AM_1000.zip).
7/9/2019 5:46:32 PM mfetp(5256.12548) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
7/9/2019 5:46:34 PM mfetp(5256.12548) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.9418
7/10/2019 12:01:10 PM mfetp(5256.12548) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190705_09419_ENDP_AM_1000.zip).
7/10/2019 12:01:11 PM mfetp(5256.12548) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
7/10/2019 12:01:14 PM mfetp(5256.12548) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.9419
9/11/2019 8:05:53 AM mfetp(7540.9508) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190828_09528_ENDP_AM_1000.zip).
9/11/2019 8:05:54 AM mfetp(7540.9508) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
9/11/2019 8:05:56 AM mfetp(7540.9508) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.9528
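
Added example, not part of the thread and not McAfee code: a short Python parser for the ExploitPrevention_Activity.log format shown in the post above. It pairs each content update request with its "succeeded" line and lists the updates applied within a few days of the date a problem first appeared. The line format is assumed to be exactly the one in the posted log, the onset date is passed in by the caller, and the last sample line is constructed to show an update that never completed.

```python
import re
from datetime import datetime, timedelta

# Two transactions copied from the log posted above, then one constructed
# request with no matching "succeeded" line (placeholder package name).
SAMPLE = r"""
7/10/2019 12:01:10 PM mfetp(5256.12548) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190705_09419_ENDP_AM_1000.zip).
7/10/2019 12:01:11 PM mfetp(5256.12548) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
7/10/2019 12:01:14 PM mfetp(5256.12548) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.9419
9/11/2019 8:05:53 AM mfetp(7540.9508) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190828_09528_ENDP_AM_1000.zip).
9/11/2019 8:05:54 AM mfetp(7540.9508) <SYSTEM> TmpLogger.BoBl.Activity: Content package verified, applying update...
9/11/2019 8:05:56 AM mfetp(7540.9508) <SYSTEM> TmpLogger.BoBl.Activity: Content update succeeded. Exploit Prevention content version: 10.6.0.9528
9/12/2019 8:00:00 AM mfetp(1111.2222) <SYSTEM> TmpLogger.BoBl.Activity: Content update request received. Verifying the content package (C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_00000000_00000_PLACEHOLDER.zip).
"""

LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"mfetp\((?P<pid>\d+)\.(?P<tid>\d+)\) <\w+> \S+: (?P<msg>.*)$")
PKG = re.compile(r"\\(EXP_\d{8}_\d+_\w+\.zip)\)")
VER = re.compile(r"content version: ([\d.]+)")

def parse_updates(text):
    """Return (completed updates, requests still pending), paired by pid.tid."""
    pending, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        key, msg = (m["pid"], m["tid"]), m["msg"]
        if msg.startswith("Content update request received"):
            pkg = PKG.search(msg)
            pending[key] = (ts, pkg.group(1) if pkg else None)
        elif msg.startswith("Content update succeeded") and key in pending:
            start, pkg = pending.pop(key)
            ver = VER.search(msg)
            done.append({"start": start, "applied": ts, "package": pkg,
                         "version": ver.group(1) if ver else None})
    return done, pending

def updates_near(updates, onset, days=3):
    """Completed updates applied within +/- `days` of the onset date."""
    window = timedelta(days=days)
    return [u for u in updates if abs(u["applied"] - onset) <= window]
```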

McAfee Employee AdithyanT
Message 4 of 9

Re: VirtualBox hardening hangs on guest VM startup

Hi @DBPhd 

Thank you for your detailed response here. Here are my observations on this case:

The ATP version seems to be out of place and it is running an older version than other ENS components in place. Correct version of ATP is: 10.6.1.1311.

Exploit prevention content update may be responsible for the issue, however to identify that we would need to dig into the exploit prevention activity logs that can be found under C:\ProgramData\McAfee\Endpoint Security\Logs.

Also, my apologies for the miscommunication. I would never want to propose a "solution" by asking you to disable on access scanning. This step is very important to understand which component is responsible for the issue. This helps us avoid guesses and narrows down to the point where we can troubleshoot exactly on the root cause to fix it. Please let me know how this goes!


Thanks and regards,
Adithyan T
DBPhd
Level 8
Message 5 of 9

Re: VirtualBox hardening hangs on guest VM startup

Adithyan,
I alerted our security group of the older ATP version. I am waiting for a response from them.

The information I provided was the entire contents of ExploitPrevention_Activity.log dated 09/11/2019 08:05. Do you need information from other log files?

McAfee Employee AdithyanT
Message 6 of 9

Re: VirtualBox hardening hangs on guest VM startup

Hi @DBPhd 

Thank you for your prompt response. I am afraid this information would not be enough to find the root cause. I would guess that Exploit prevention Debug logging is not enabled by default to dig a little further.

However, presuming that the new content update is the cause, I looked into its release notes and I was not able to find anything that could have possibly caused this.

Is there any possibility to disable components one by one on a sample machine to see if hardening succeeds? Also, it would be interesting to see if Access Protection and Self Protection had something to do with this. Please send me the log files (from the same location) for them as well if you are okay with the same and maybe we can find some events of interest there.


Thanks and regards,
Adithyan T
DBPhd
Level 8
Message 7 of 9

Re: VirtualBox hardening hangs on guest VM startup

Adithyan,
The security group pushed the latest ENS updates.

Endpoint Security Platform
Version 10.6.1.1449
Hotfix number 190514
Patch version 1

Adaptive Threat Protection
Version 10.6.1.1421
Hotfix number None
Patch version 1

Threat Prevention
Version 10.6.1.1550
Hotfix number 190514
Patch version 1

Firewall
Version 10.6.1.11278
Hotfix number 190514
Patch version 1

Web Control
Version 10.6.1.1311
Hotfix number 190514
Patch version 1

Unfortunately, the VirtualBox hang is still there. I will see what I can do to turn on debug logging.

 

DBPhd
Level 8
Message 8 of 9

Re: VirtualBox hardening hangs on guest VM startup

Adithyan,
I have several debug log files. I can send them to you for analysis. Please tell me which debug logs you want to look at and please provide instructions for sending them to you.

McAfee Employee AdithyanT
Message 9 of 9

Re: VirtualBox hardening hangs on guest VM startup

Hi @DBPhd 

Thank you for your response. I would prefer finding the component first. So we need to disable the components one by one to understand what is the root cause. Its corresponding log will be required to investigate.

For example, by disabling Exploit Prevention, if we are able to work around the issue, it would mean that Exploit Prevention is the issue here. Then I would look into the Exploit Prevention debug log to understand why it is failing. Please feel free to send me the logs and I shall look into it for you.


Thanks and regards,
Adithyan T