Incompatible drivers from Windows Update might prevent iVM Profiles from being built on the Malware Analysis Appliance

Products

Malware Analysis Software - MA

Issue/Introduction

Symantec Malware Analysis Appliance's (MAA) iVM might fail to build after Windows Updates are installed. Updated drivers from Windows Update might not be compatible with the existing drivers that came with the Symantec MAA.

The /opt/mag2/log/ivmcontrold.log file should show similar but not necessarily identical messages.

Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_WriteProcess" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_ReadProcess" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[W] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_CreateEvent" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[W] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_CreateSemaphore" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[I] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_TerminateProcess" - PASSED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_Sleep for Sleep()" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_Sleep for WaitForSingleObject()" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_QueryInformation(SystemPerformanceInformation)" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_QueryInformation(SystemProcessorPerformanceInformation)" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_QueryInformation(SystemInterruptInformation)" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify OBJ_QueryInformation(SystemExceptionInformation)" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify REG_CreateKey" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify REG_OpenKey" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify REG_SetCreateValue(REG_DWORD)" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify REG_SetCreateValue(REG_SZ)" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify REG_QueryValue" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify REG_ValueChanged" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify REG_DeleteValue" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify REG_DeleteValue" - FAILED'
Nov 5 18:07:22 MAA ivmcontrold[5981]: '[E] CMD_BUILD_PROFILE - Pattern test "Verify REG_DeleteKey" - FAILED'
Nov 5 18:07:23 MAA ivmcontrold[5981]: '---------------------------------------- START OF EXCEPTION ----------------------------------------'
Nov 5 18:07:23 MAA ivmcontrold[5981]: ''
Nov 5 18:07:23 MAA ivmcontrold[5981]: ' LOG MSG         : \'CMD_BUILD_PROFILE - Build step "verify_snapshot_with_basic-events" failed\''
Nov 5 18:07:23 MAA ivmcontrold[5981]: ' EXCEPTION CLASS : norman.vmcontrol.ivm_builder.IvmBuildValidationError'
Nov 5 18:07:23 MAA ivmcontrold[5981]: ' EXCEPTION MSG   : \'Test failed with errors: Pattern test "Verify OBJ_WriteProcess" - FAILED\''
Nov 5 18:07:23 MAA ivmcontrold[5981]: ' TIME            : 2018-11-05T18:07:23.771759'
Nov 5 18:07:23 MAA ivmcontrold[5981]: ' TIME (UTC)      : 2018-11-05T09:07:23.771853'
Nov 5 18:07:23 MAA ivmcontrold[5981]: ' PID             : 5981'
Nov 5 18:07:23 MAA ivmcontrold[5981]: ''
Nov 5 18:07:23 MAA ivmcontrold[5981]: ' CALL STACK:'
Nov 5 18:07:23 MAA ivmcontrold[5981]: ''
Nov 5 18:07:23 MAA ivmcontrold[5981]: '    ./opt/mag2/usr/share/mag2/pyscripts/ivmcontrold-kvm.py                 : 2887 -                  <module> : <code not available>'
Nov 5 18:07:23 MAA ivmcontrold[5981]: '    ./opt/mag2/usr/share/mag2/pyscripts/ivmcontrold-kvm.py                 : 2875 -                      main : <code not available>'
Nov 5 18:07:23 MAA ivmcontrold[5981]: '    ./opt/mag2/usr/share/mag2/pyscripts/ivmcontrold-kvm.py                 : 2761 -                       run : <code not available>'
Nov 5 18:07:23 MAA ivmcontrold[5981]: '    ./opt/mag2/usr/share/mag2/pyscripts/ivmcontrold-kvm.py                 : 935 - handle_cmd_build_profile : <code not available>'
Nov 5 18:07:23 MAA ivmcontrold[5981]: '    ./opt/mag2/usr/share/mag2/pyscripts/ivmcontrold-kvm.py                 : 841 -           _run_ivmbuilder : <code not available>'
Nov 5 18:07:23 MAA ivmcontrold[5981]: '    /usr/local/lib/python2.7/site-packages/norman/vmcontrol/ivm_builder.py : 1149 -                     build : <code not available>'
Nov 5 18:07:23 MAA ivmcontrold[5981]: '    /usr/local/lib/python2.7/site-packages/norman/vmcontrol/ivm_builder.py : 834 -             log_exception : <code not available>'
Nov 5 18:07:23 MAA ivmcontrold[5981]: ''
Nov 5 18:07:23 MAA ivmcontrold[5981]: ' EXCEPTION STACK:'
Nov 5 18:07:23 MAA ivmcontrold[5981]: ''
Nov 5 18:07:23 MAA ivmcontrold[5981]: '    /usr/local/lib/python2.7/site-packages/norman/vmcontrol/ivm_builder.py : 1143 - build : <code not available>'
Nov 5 18:07:23 MAA ivmcontrold[5981]: '    /usr/local/lib/python2.7/site-packages/norman/vmcontrol/ivm_builder.py : 614 -    run : <code not available>'
Nov 5 18:07:23 MAA ivmcontrold[5981]: ''
Nov 5 18:07:23 MAA ivmcontrold[5981]: '---------------------------------------- END OF EXCEPTION ----------------------------------------'
Nov 5 18:07:23 MAA ivmcontrold[5981]: u'[E] CMD_BUILD_PROFILE - build failed 1 times. Aborting.'

Cause

Incompatibility between drivers that came with Symantec MAA and drivers that came with Windows Update.

Resolution

Disable Windows Update from each iVM.
Symantec plans to have iVM drivers released as pattern updates in the future.