Microsoft Windows Sandbox VM shows a blue screen and crashes (when hosted by vATD or vIS running on Hyper-V)
Last Modified: 2022-10-10 12:37:21 Etc/GMT
Technical Articles ID:
KB91593
Environment
Virtual Advanced Threat Defense (vATD)
Virtual Intelligent Sandbox (vIS)
Microsoft Windows Server 2016 Hyper-V
Problem 1
You set up and configure virtual vATD or vIS to run on a Windows Server 2016 Hyper-V host. You then configure a Microsoft Windows Sandbox VM in vATD or vIS. But, when you reach the activation stage, the VM shows a blue screen and crashes.
Problem 2
Sandbox analysis doesn't report severity on vATD or vIS running on a Windows Server 2016 Hyper-V host.
System Change
You enabled processor compatibility for the vATD or vIS instance in Hyper-V.
Cause
A guest operating system on the hypervisor receives the available features and capabilities of the virtual CPU from the hypervisor.
Configuring the hypervisor to restrict CPU capabilities for the guest operating system with limited instruction sets means that your guest operating system only uses the sets that the hardware CPU provides. Microsoft Hyper-V offers the processor compatibility mode for live migration. When the processor compatibility mode is enabled, the Hyper-V hypervisor restricts many advanced CPU capabilities for vATD/vIS use. Because vATD transparently passes through the available CPU capabilities from the hypervisor to the Sandbox VM, the Sandbox VM on vATD/vIS only receives the restricted instruction sets. If binary code in the Sandbox VM happens to call an instruction that the virtual CPU doesn't support, the software crashes.
Solution
Disable the compatibility mode in Hyper-V.
To check if the compatibility mode is enabled, run the following command in PowerShell and look for the
To disable the compatibility mode, run the following command in PowerShell (replace '<VMNAME>' with the actual running vATD/vIS VM name in your setup):
IMPORTANT: Trellix doesn't support using the
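One way to perform the check and the change described above, shown as an added example that is not the article's or Trellix's own command listing. It uses the Hyper-V PowerShell module's `Get-VMProcessor` and `Set-VMProcessor` cmdlets and their `CompatibilityForMigrationEnabled` setting; the function name `Disable-VmCpuCompatibility` is hypothetical, and `<VMNAME>` is the article's placeholder for your vATD/vIS VM name.

```powershell
#Requires -Modules Hyper-V
# Added example: report and, on request, disable Hyper-V processor compatibility
# mode for the VM that hosts vATD/vIS. Run in an elevated session on the Hyper-V host.
function Disable-VmCpuCompatibility {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VMName,   # name of the vATD/vIS VM
        [switch] $Apply                            # without -Apply the function only reports
    )

    $vm  = Get-VM -Name $VMName -ErrorAction Stop
    $cpu = Get-VMProcessor -VMName $VMName

    # Current state: True means the hypervisor hides newer CPU features from the guest.
    $report = [pscustomobject]@{
        VMName                           = $vm.Name
        State                            = $vm.State
        CompatibilityForMigrationEnabled = $cpu.CompatibilityForMigrationEnabled
    }

    if (-not $cpu.CompatibilityForMigrationEnabled -or -not $Apply) {
        return $report
    }

    # Hyper-V only accepts a change to this setting while the VM is powered off,
    # so stop here instead of letting Set-VMProcessor fail halfway through a window.
    if ($vm.State -ne 'Off') {
        Write-Warning "$VMName is $($vm.State); shut it down before changing processor compatibility."
        return $report
    }

    if ($PSCmdlet.ShouldProcess($VMName, 'Disable processor compatibility mode')) {
        Set-VMProcessor -VMName $VMName -CompatibilityForMigrationEnabled $false
    }

    # Re-read the setting so the caller sees what is actually configured now.
    $report.CompatibilityForMigrationEnabled =
        (Get-VMProcessor -VMName $VMName).CompatibilityForMigrationEnabled
    return $report
}

# Check only:
Disable-VmCpuCompatibility -VMName '<VMNAME>'
# Check and change (add -WhatIf to preview):
# Disable-VmCpuCompatibility -VMName '<VMNAME>' -Apply
```

With compatibility mode disabled, live migration of this VM works only between hosts whose processors expose the same feature set.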