SafeExamBrowser / seb-mac

Safe Exam Browser for macOS and iOS
https://www.safeexambrowser.org/macosx

Red Screen: Unauthorized SEB version was detected #376

Open ChrisAndrewsSBK opened 8 months ago

ChrisAndrewsSBK commented 8 months ago

We have been doing mock exams made by TrelsonAssessment; however, seemingly at random, the program will throw an error that “Unauthorised SEB version was detected” with seemingly no rhyme or reason why. We had downloaded SEB straight from your website 'https://safeexambrowser.org'.

This issue happens on a variety of different devices and users with different macOS operating system versions; however, some students manage to not have the issue, yet other students have this issue. However, no matter what we try, we can’t reliably find a way to reproduce this issue consistently.

We do have AAC enabled on all of the exams.

We can't see any pattern as to why some students have the issue, or why for some it happens quickly, and for others it can take 10-20 minutes before popping up. I include the log files below, but I can't see the reason why this message pops up.

Can you let me know the criteria that would need to be met for the message to pop up?

org.safeexambrowser.SafeExamBrowser 2024-02-05--12-55-16-253.log

danschlet commented 8 months ago

This error message is displayed when the code signature of the used SEB version doesn't match our original version. You can use SEB Verificator to check if the used SEB version is compromised. Also delete additional SEB versions displayed by SEB Verificator and allow students to only have one installed in the /Applications folder to avoid confusion about which one is started.

A wrong code signature could indicate that students are using a hacked SEB version (they would then claim they downloaded it from the original website) or a hack which patches the original version. Also it's possible that those students are using some unusual tool which changes app signatures or their Macs are infected with some malware doing so.

If you find such hacked/manipulated versions, please compress it to a zip file and send it to us, so we can analyze it further.

If you want to prevent students from starting an exam with a manipulated SEB version, you would need to use an assessment system supporting the BrowserExamKey (BEK) or SEB Server with the AppSignatureKey (ASK), which both check the SEB application integrity (and display deviations immediately).

The red lock screen with this error message is intentionally shown in a random interval after the application was started (but actually never immediately, maybe they had SEB running already).

ChrisAndrewsSBK commented 8 months ago

Hi Dan,

The version was downloaded by us 5 minutes before the exam and at least 40% of our students are having the issue. I really don't think there are that many in our school who would be trying to cheat or have a malware virus. Does the log file I included show anything useful?

danschlet commented 8 months ago

No, the log won't give more information in the current SEB version. That's why it's important to also verify the affected Macs with SEB Verificator and send us an affected version for further investigation.

Are you sure that those students aren't running another SEB version in parallel in a virtual machine? Those can be configured in ways that you won't realize that they switched to the VM. At least unless you know which key shortcut they configured to switch between physical and virtual machine (but the next release will improve VM detection further).

aurelienb1 commented 8 months ago

Hi Dan, I've had a few similar cases, and the students took the version from the official website. Recently seen on a Mac 13 Ventura. I had to ask them to go back to 3.2.5.

Regards

danschlet commented 8 months ago

I really need someone to double check with SEB Verificator (download link).

And if you have a SEB version which reports this error, compress it into a zip file and send it to us.

Until I get this information, I have to assume that it's not a SEB issue, but as mentioned before (cheating, malware, some stupid tool manipulating code signatures).

aurelienb1 commented 8 months ago

Hello, I understand, I'm doing my best to reach students (it's not easy), 15 new cases today.

danschlet commented 8 months ago

Are your students taking exams remotely? With on-site exams it should be easy to let exam supervisors do these checks with SEB Verificator I assume.

We have only these two reports from you and @ChrisAndrewsSBK as of now. We had exams with more than 1K students and only one single similar issue of a student who used a tool which removed the unused architecture (Intel or Apple Silicon ARM) from the SEB app, which caused an AppSignatureKey mismatch (but even the code signature was unmodified, so the error you encounter wasn't displayed).

So I really suspect some particular issue with specific user groups like yours.

Please note that there are SEB hacks circulating for Windows (all known ones would cause similar errors and can be detected with BEK/ASK and SEB Verificator). So it's NOT an unlikely theory that students might be using some SEB hack.

aurelienb1 commented 8 months ago

Ok I have some news:

What I do know is that it only affects macs but not all versions.

Regards

danschlet commented 8 months ago

No, this doesn't have anything to do with Moodle SEB templates or any other settings in SEB configuration files. This error is invoked in a very low level code when verifying the code signature of the SEB application. The code signature must be valid and SEB must be signed with our original Apple Developer ID code signing identity. You can do the same check in the Terminal app, see this discussion: https://github.com/SafeExamBrowser/seb-mac/discussions/372#discussioncomment-8531350

The issue in that case seems to have been that the MDM solution they are using didn't remove all resources of the previously installed SEB version (3.2.5) and probably just added the resource files of SEB 3.3.2, overwriting the old resource files with the same name, but keeping some no longer existing resources of SEB 3.2.5 in the app bundle (I don't understand how this is possible with a professional solution like Jamf Pro, maybe it had to do with the fact that you have to create a .pkg file for Jamf MDM deployment and that pkg installer did a kind of incremental update instead of replacing the whole app bundle (which basically is a folder, but macOS interprets it as an app)).

So I'm really still convinced that something on those student Macs messes up the code signature of the SEB version used.

Are you 100% (I mean 100.000000%, not 99.99999% !) sure that you checked the same SEB version with SEB Verificator which the student started for the exam? Use the "Start SEB" button in SEB Verificator and don't let the student do it, do it yourself on their computer! I assure you, it is possible to trick someone with a perfectly installed virtual machine or a hacking tool which manipulates the started SEB version on-the-fly.
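
The Terminal check described in the comments above (seal validity, signer identity, and a single installed copy), as an added example that is not part of the thread or of the SEB project's code. `EXPECTED_TEAM_ID` is a placeholder to be filled from a known-good copy, and the bundle identifier is assumed from the log file name quoted in the first post.

```shell
#!/bin/sh
# Added example, not SEB project code.
# EXPECTED_TEAM_ID is a placeholder: read the real value off a copy you
# downloaded and verified yourself. SEB_BUNDLE_ID is assumed from the log
# file name quoted in this thread.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-REPLACE_WITH_KNOWN_GOOD_TEAM_ID}"
SEB_BUNDLE_ID="org.safeexambrowser.SafeExamBrowser"

# Classify `codesign -dvv` output (stdin) against the expected team ID ($1).
classify_signature() {
    tid=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    case "$tid" in
        "" | "not set") echo "unsigned-or-adhoc" ;;
        "$1")           echo "ok" ;;
        *)              echo "team-mismatch:$tid" ;;
    esac
}

# Every SEB copy Spotlight knows about; more than one line is already a finding.
find_seb_copies() {
    mdfind "kMDItemCFBundleIdentifier == '$SEB_BUNDLE_ID'"
}

# Seal check first, then signer identity. Returns 0 only if both pass.
check_app() {
    app="$1"
    if ! codesign --verify --deep --strict --verbose=2 "$app"; then
        echo "FAIL seal (file added, modified or missing): $app"
        return 1
    fi
    # codesign writes signing details to stderr, hence 2>&1.
    verdict=$(codesign -dvv "$app" 2>&1 | classify_signature "$EXPECTED_TEAM_ID")
    echo "$verdict: $app"
    [ "$verdict" = "ok" ]
}

# Only runs on macOS, where codesign and mdfind exist.
if command -v codesign >/dev/null 2>&1 && command -v mdfind >/dev/null 2>&1; then
    find_seb_copies | while IFS= read -r app; do
        check_app "$app" || true
    done
fi
```

Spotlight only lists copies in indexed locations, so a copy on an excluded volume or inside a disk image will not appear in the `mdfind` results.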

danschlet commented 8 months ago

AND TRY TO BOOT THEIR MAC IN SAFE MODE when trying it out. See here how to boot in Safe Mode: https://support.apple.com/en-us/HT201262

R2D2byBest commented 7 months ago

Hi,

So strangely enough, I was able to chat with a student.

So here's the process (I can't be 100% sure that the version it was installed on was clean)

The problem here is that she launched SEB Verificator even though we hadn't started Teams...

I asked her to do the practice exam and not to close SEB (as she did on her last exam) and to close her computer as she had done before. Then to reopen the computer later in the week to be able to do the practice test again. I told her to contact me if she had the problem again.

It's very difficult to reach students and reproduce the problem.

Thank you