Endpoint Standard: Launching a Virtual Machine on Hyper-V is Failing

Environment

  • Endpoint Standard Sensor: All Versions below 3.2.x.x
  • Carbon Black Cloud Console: All Versions
  • Microsoft Windows: Windows 10 x64
  • Hyper-V Manager 10.0

Symptoms

Launching a Virtual Machine (VM) on Hyper-V fails with the following error:
"An error occurred while attempting to start the selected virtual machine(s). '{VM name}' failed to start. {VM name} failed to start worker process: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."

Cause

The sensor injects a user-mode "API hook" into processes in order to analyze their behavior. When that hook is injected into the Hyper-V host compute service (vmcompute.exe), which starts the VM worker process (vmwp.exe), the digital-signature check Windows performs on the worker process fails and the VM does not start.

Resolution

Sensors 2.0.x.x and lower

  1. Click on ENFORCE and select Policies.
  2. Click on the Policy that the affected (host) machine belongs to.
  3. Under Prevention, expand Permissions and create a bypass permission rule for the path:
    C:\Windows\System32\vmcompute.exe
  4. This bypasses all activity performed by the process vmcompute.exe.
  5. Certain versions of Hyper-V may also require the same bypass rule for these additional paths:
    C:\Windows\System32\vmwp.exe
    C:\WINDOWS\System32\virtmgmt.msc

Sensors 2.1.0.x - 3.1.x.x

  1. Click on ENFORCE and select Policies.
  2. Click on the Policy that the affected (host) machine belongs to.
  3. Under Prevention, expand the Permissions section.
  4. Enter the Application Path below with the Bypass box checked for "Performs any API Operation":
    C:\Windows\System32\vmcompute.exe
  5. Certain versions of Hyper-V may also require Policy Permissions with Bypass set for "Performs any API Operation" on these additional paths:
    C:\Windows\System32\vmwp.exe
    C:\WINDOWS\System32\virtmgmt.msc
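The console steps above have no host-side verification, so the following PowerShell script is added here as a companion check; it is example code written for this page, not code from the original article or from the Carbon Black product. Run it elevated on the Windows 10 Hyper-V host. It confirms that the three files named in the rules exist and carry a valid signature, reads the installed sensor version to decide whether the workaround still applies (below 3.2 per this article), and attempts to start a VM while classifying the "cannot verify the digital signature" failure from the Symptoms section. The sensor install path C:\Program Files\Confer\RepMgr.exe is an assumption, not something the article states; adjust it if your sensor lives elsewhere.

```powershell
# Added example for this article (not Carbon Black's own code).
# Assumption: the Endpoint Standard sensor installs to C:\Program Files\Confer
# and its service binary RepMgr.exe carries the sensor version in VersionInfo.
# Requires an elevated PowerShell with the Hyper-V module on the host.

$HyperVFiles = @(
    "$env:SystemRoot\System32\vmcompute.exe",   # Host Compute Service
    "$env:SystemRoot\System32\vmwp.exe",        # VM worker process
    "$env:SystemRoot\System32\virtmgmt.msc"     # Hyper-V Manager snap-in
)

function Test-HyperVFileSignatures {
    # Reports, for each path the bypass rules reference, whether the file is
    # present and whether Windows considers its Authenticode/catalog signature valid.
    param([string[]]$Paths = $HyperVFiles)

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status          # expect 'Valid' on a healthy host
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Get-SensorBypassRequirement {
    # Reads the installed sensor version and states whether the article's
    # bypass rules are still needed (sensor versions below 3.2.x.x).
    param([string]$SensorExe = 'C:\Program Files\Confer\RepMgr.exe')  # assumed path

    if (-not (Test-Path -LiteralPath $SensorExe)) {
        return [pscustomobject]@{ Version = $null; BypassNeeded = $null;
                                  Note = "Sensor binary not found at $SensorExe" }
    }
    $raw = (Get-Item -LiteralPath $SensorExe).VersionInfo.ProductVersion
    if ($raw -notmatch '^\d+(\.\d+){1,3}') {
        return [pscustomobject]@{ Version = $raw; BypassNeeded = $null;
                                  Note = 'Could not parse sensor version' }
    }
    $ver = [version]$Matches[0]
    $needed = $ver -lt [version]'3.2'
    [pscustomobject]@{
        Version      = $ver
        BypassNeeded = $needed
        Note         = if ($needed) { 'Create the bypass rules in the console' }
                       else         { 'Not required on 3.2.x.x and higher' }
    }
}

function Test-VMStart {
    # Attempts to start a VM. Started=$true on success; on failure,
    # SignatureError flags the exact symptom this article covers so it is not
    # confused with unrelated start failures (missing disk, bad config, ...).
    param([Parameter(Mandatory)][string]$VMName)

    try {
        Start-VM -Name $VMName -ErrorAction Stop
        [pscustomobject]@{ VMName = $VMName; Started = $true; SignatureError = $false; Message = $null }
    } catch {
        $msg = $_.Exception.Message
        [pscustomobject]@{
            VMName         = $VMName
            Started        = $false
            SignatureError = ($msg -match 'cannot verify the digital signature')
            Message        = $msg
        }
    }
}

# Usage (constructed VM name; replace with one from Get-VM):
Test-HyperVFileSignatures | Format-Table -AutoSize
Get-SensorBypassRequirement
# Test-VMStart -VMName 'TestVM'
```

If Test-HyperVFileSignatures reports anything other than Valid for vmcompute.exe or vmwp.exe, the host has a genuine file-integrity problem that a sensor bypass will not fix; only when the files verify cleanly and Test-VMStart still flags SignatureError is this article's workaround the right next step.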

Additional Notes

  • The bypass only disables the "API hook" the sensor uses to analyze the process; the sensor continues to monitor the files themselves like any other files.
  • File events within the specified paths remain visible in the console.
  • Scope the rules to the exact paths listed above rather than a wildcard under System32, since a bypass removes enforcement for whatever it matches.
  • This workaround is no longer required with Cb Defense Sensor 3.2.x.x and higher.

Article Information
Creation Date: 06-28-2017