SEB detects computer as Virtual machine
Discussed in https://github.com/SafeExamBrowser/seb-win-refactoring/discussions/787
Originally posted by ThomasL-AP January 17, 2024
Hi, I'm IT support at a school and we have multiple students unable to start their exam with SEB. They all get the error (translated): "This computer appears to be a virtual machine. The selected configuration does not allow SEB to be executed in a virtual machine." I have 6 cases. All got their laptop from the same source: they bought the laptop from their former school (all students come from the same school) and kept it after graduation. The laptops should have got a factory reset, as one student told me. I currently can only work on one of them but they should be all the same: HP ProBook 445 G8. The one I have runs Windows 11 22H2.
I tried many solutions including:
- disabling all I can find related to virtualisation or Hyper V in Windows components
- reinstalling SEB (version 3.6.0.633)
- disabling virtualisation in BIOS
- installing all Windows updates
- removing components in Device Manager related to virtualisation
I'll attach relevant logs and screenshots. Most relevant/similar discussion I've found online is: https://github.com/SafeExamBrowser/seb-win-refactoring/issues/604
Could you help me find out why these computers appear to be virtual machines? And also finding a solution.
Thanks in advance.
Excuse me for the Dutch screenshots...
Error notification:
Windows components:
2024-01-17_11h09m24s_Browser.log
2024-01-17_11h09m24s_Client.log
2024-01-17_11h09m24s_Runtime.log
cmd.txt
I had this problem and traced it back to being Impero (software to monitor and control PCs remotely). Also had to enable 'ignore errors when validating display configuration' in the security tab.
Thanks for the input @mlohnen! This might be another lead for you @Notselwyn?
I looked into the initial report and I can't find a lead. systemInfo.Model, systemInfo.Manufacturer, PNP devices, and the devicecache shouldn't raise any flags (those are the only variables I could extract from the logs).
It seems that the false positive happened due to either a weird MAC address (i.e. incorrect detection of MAC address), a falsely flagged CPU, a historic hardware configuration, or a weird BIOS name.
@ThomasL-AP could you please provide us the output of the following cmd.exe commands? This allows us to investigate what is causing the false flag.
- List all MAC addresses:

    wmic nicconfig get DNSHostName,MACAddress,Description

- List all CPUs:

    wmic cpu get Caption,DeviceID,Manufacturer,MaxClockSpeed,Name

- List all hardware configurations to file hwconf.reg (please attach hwconf.reg to your message):

    reg export HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig hwconf.reg

- List the BIOS name:

    wmic bios get BIOSVersion,Caption,Description,Manufacturer,Name

Thanks
> I had this problem and traced it back to being Impero (software to monitor and control PCs remotely). Also had to enable 'ignore errors when validating display configuration' in the security tab.

Thanks for the feedback. Is this VM detection bug caused by Impero already resolved?
> I had this problem and traced it back to being Impero (software to monitor and control PCs remotely). Also had to enable 'ignore errors when validating display configuration' in the security tab.

This might indeed be a lead (or just coincidence). I recently solved another unrelated issue (replied with my other account: jixopp). But it could've been that the student had a similar setup (hardware/software)...
I'll look into that and provide more info as soon as possible.
Any fixes for the virtual machine issue? I am having the issue on a fresh installation of Windows.
SafeBrowser version: 3.6
Windows Version (Win32NT 10.0.22631.0 Microsoft Windows NT 10.0.22631.0)
It works with SafeBrowser version 3.5 though.
Thanks and regards
nicconfig.txt cpu.txt hwconf.reg.txt 2024-02-08_02h39m29s_Runtime.log
@ask4jm Thanks for your input. I think your issue relates to a bug we accidentally introduced with version 3.6.0. Could you please try the latest beta build for version 3.7.0 to verify whether it fixes your issue?
@ThomasL-AP Were you able to look into the issue and also could you please provide the output of the commands listed by @Notselwyn above (see https://github.com/SafeExamBrowser/seb-win-refactoring/issues/789#issuecomment-1912077908)?
As a general remark to all involved: We're on the finishing line for the development of SEB 3.7.0, the feature freeze is planned for Friday, 1st of March. Thus, if the issue is not solved until then (and we cannot solve it without the input from the OP and contributors), it'll have to wait for the next release version (3.8.0).
I'm trying my best to reach out to the students with the issues. I'll reply as soon as I have more info.
I'd like to inform all involved contributors that on this Friday, March 1st, we have the feature freeze for version 3.7.0. After that, functional changes are not possible anymore and we'd need to postpone this issue to version 3.8.0.
I understand. On Monday I sent a reminder to the students having this issue. So far only one has responded and will be available on Thursday. Hopefully I can update the issue with more info. If this cannot be added to the features of 3.7.0, so be it. I'll be happy to have a solution or workaround by the next exams, which start around half May or beginning of June. That way we don't have to make an exception for those students.
Thanks for your understanding. Version 3.8.0 is currently scheduled for end of Q2 of this year.
I finally got in contact with one of our students again.
Below you can find the requested info: hwconf.reg-2.txt (File renamed to txt to bypass upload restrictions)
    C:\Windows\System32>wmic nicconfig get DNSHostName,MACAddress,Description
    Description                                 DNSHostName      MACAddress
    Microsoft Kernel Debug Network Adapter
    Intel(R) 82574L Gigabit Network Connection
    WAN Miniport (SSTP)
    WAN Miniport (IKEv2)
    WAN Miniport (L2TP)
    WAN Miniport (PPTP)
    WAN Miniport (PPPOE)
    WAN Miniport (IP)                                            A4:90:20:52:41:53
    WAN Miniport (IPv6)                                          A6:F3:20:52:41:53
    WAN Miniport (Network Monitor)                               A6:F3:20:52:41:53
    Realtek PCIe GbE Family Controller                           48:9E:BD:4C:E9:29
    Realtek RTL8822CE 802.11ac PCIe Adapter     DESKTOP-M4E2IMT  48:E7:DA:6E:C4:F3
    Bluetooth Device (Personal Area Network)                     48:E7:DA:6E:C4:F2
    Microsoft Wi-Fi Direct Virtual Adapter                       4A:E7:DA:6E:C4:F3
    Microsoft Wi-Fi Direct Virtual Adapter                       CA:E7:DA:6E:C4:F3

    C:\Windows\System32>wmic cpu get Caption,DeviceID,Manufacturer,MaxClockSpeed,Name
    Caption                              DeviceID  Manufacturer  MaxClockSpeed  Name
    AMD64 Family 25 Model 80 Stepping 0  CPU0      AuthenticAMD  2600           AMD Ryzen 3 5400U with Radeon Graphics

    C:\Windows\System32>wmic bios get BIOSVersion,Caption,Description,Manufacturer,Name
    BIOSVersion                                           Caption            Description        Manufacturer  Name
    {"HPQOEM - 1", "T78 Ver. 01.15.00", "HP - 10F0000"}   T78 Ver. 01.15.00  T78 Ver. 01.15.00  HP            T78 Ver. 01.15.00

Thank you for providing the information. I will try to look into it this week.
Apparently the false Virtual Machine detection persists in 3.7 as well. We have at the University of Helsinki a small number of students with laptops usually bought from companies that sell second-hand laptops, so not the original OEM Windows on those. Here are logfiles from a case from the day when SEB 3.7 was released.
Apparently, one student replaced a newer version with an older version (3.3.2) where the virtual detection didn't trigger.
2024-04-03_16h23m49s_Runtime.log 2024-04-03_16h23m49s_Client.log
Thanks a lot for the input, that would then also indicate that a false positive detection has indeed been introduced in any of the VM detection improvements we have made since version 3.3.2.
@Notselwyn You might find some hints in the source control history, e.g. https://github.com/SafeExamBrowser/seb-win-refactoring/commits/master/SafeExamBrowser.SystemComponents/VirtualMachineDetector.cs?since=2022-01-31&until=2024-04-11
> I finally got in contact with one of our students again.
> Below you can find the requested info: hwconf.reg-2.txt (File renamed to txt to bypass upload restrictions)

I believe to have cracked the case. I believe that the student used this Microsoft account to log into a Windows VM, which caused VMware to be logged in the historic hardware configurations.
@dbuechel Do you think we should remove these checks? It was originally intended as an extra way to retrieve hardware descriptions from registry, but I didn't know it logs historic device hardware info.
Great work! Yes, then I think it's better to remove the checks or at least filter out the historic device hardware info (if that's even possible).
Created PR containing the fix @dbuechel
I ended up deleting the entire check to prevent any false positives from arising in the future. The original purpose of the check was checking local hardware changes, but (assuming the logfiles are indeed from a physical machine) it syncs across devices based on Microsoft accounts.
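
For support staff triaging a similar report, the sketch below scans an exported hwconf.reg for VM vendor strings and says whether each hit sits in the current or a historic hardware configuration. It is an added example, not code from this thread or from SEB; the marker list, the value names in the sample, and the reading of `LastConfig` as "configuration in use" are assumptions.

```python
import re

# Assumed marker list for illustration only; it is not SEB's detection list.
VM_MARKERS = ("vmware", "virtualbox", "qemu", "parallels", "virtual machine")
ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\HardwareConfig"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # string (REG_SZ) values only

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    # Files written by `reg export` are UTF-16: open(path, encoding="utf-16").read()
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_vm_entries(keys):
    """List (config, value_name, data, 'current' or 'historic') for VM-looking strings."""
    # Assumption: the root value LastConfig names the configuration in use.
    last = keys.get(ROOT, {}).get("LastConfig", "").lower()
    findings = []
    for key, values in keys.items():
        if not key.startswith(ROOT + "\\"):
            continue
        config = key[len(ROOT) + 1:].split("\\")[0]
        status = "current" if config.lower() in (last, "current") else "historic"
        for name, data in values.items():
            if any(marker in data.lower() for marker in VM_MARKERS):
                findings.append((config, name, data, status))
    return findings

# Constructed sample, not taken from the files attached to this thread.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig]
"LastConfig"="{11111111-1111-1111-1111-111111111111}"
[HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{11111111-1111-1111-1111-111111111111}]
"SystemManufacturer"="HP"
[HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{22222222-2222-2222-2222-222222222222}]
"SystemManufacturer"="VMware, Inc."
"SystemProductName"="VMware Virtual Platform"
'''

if __name__ == "__main__":
    for finding in find_vm_entries(parse_reg_export(SAMPLE)):
        print(finding)
```

Hits marked historic while the current configuration is clean match the pattern described in this thread.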
Will you let me know when there is a (beta) release to test?
Yes certainly, the changes can now be tested with the latest beta build: http://sebdev-let.ethz.ch/api/buildjobs/08axvsavj5yqx3oo/artifacts/SEB_3.8.0.685_SetupBundle.exe.
Unfortunately, our build server currently has an issue with HTTPS access, so please do make sure that the setup is correctly signed after downloading it over HTTP.
Where can I find the latest beta? I missed the previous comment and couldn't download it. The above link is broken now. Exams start next week at our institution. Any idea when 3.8 will be officially released?
Terribly sorry, we renamed our build server from sebdev-let.ethz.ch to sebdev.ethz.ch. You can find the latest beta build of version 3.8.0 here: https://sebdev.ethz.ch/api/buildjobs/uhu49u589dsh8hy9/artifacts/SEB_3.8.0.690_SetupBundle.exe.