SafeExamBrowser / seb-win-refactoring

Safe Exam Browser for Windows.
https://www.safeexambrowser.org/news_en.html
Mozilla Public License 2.0

SEB on Windows false positive on VM detection #8

Closed Enrico204 closed 4 years ago

Enrico204 commented 4 years ago

The Virtual Machine detector (https://github.com/SafeExamBrowser/seb-win-refactoring/blob/3.0.0/SafeExamBrowser.SystemComponents/VirtualMachineDetector.cs) has a false positive in case SEB is running on a host PC with VMware products (as it matches VMware NICs used to talk with VMs).

A current workaround is to disable VMware NICs during SEB execution

dbuechel commented 4 years ago

Thanks for your report. Could you elaborate a bit further, I am not quite sure I understand how the false positive happens: Is the manufacturer of your PC VMware, and thus the check linked below is causing the false positive?

https://github.com/SafeExamBrowser/seb-win-refactoring/blob/master/SafeExamBrowser.SystemComponents/VirtualMachineDetector.cs#L38

Enrico204 commented 4 years ago

No, the issue is actually in line 43 or 48 (can't check right now) because it matches on the NIC part. In fact, disabling or removing VMware NICs is a workaround because disabled NICs are counted neither in the MAC address list nor among the plug and play devices.

To reproduce this issue it's sufficient to install VMware player or workstation in a Windows host, and run SEB check.

(Sorry for closing/opening, the page shifted when I was tapping on the textbox)

dbuechel commented 4 years ago

Aha, I see. I do have both the player and the workstation installed, but I didn't get the false positive yet. Do I have to start a VM before using SEB?

dbuechel commented 4 years ago

@diegoara96: This is what I meant when I asked whether you are certain that your checks do not produce false positives. Could you also have a look at this?

diegoara96 commented 4 years ago

I'm testing it with VMware Workstation 15 player and I don't have the false positive. Do you need anything else besides having it open, maybe start a virtual machine first?

dbuechel commented 4 years ago

I am also not able to reproduce it, even when I have VMs running.

diegoara96 commented 4 years ago

I suppose your problem could come from this area https://github.com/SafeExamBrowser/seb-win-refactoring/blob/master/SafeExamBrowser.SystemComponents/SystemInfo.cs#L139

What we do is filter only those adapters that have DNS; this means that even if you have 20 different adapters, only the main one we care about is what in the end tells us whether you can be a virtual machine or not.

Is it possible that you have configured some DNS in the VMware adapter?

Enrico204 commented 4 years ago

Uhm, doing further testing we're not sure that VMware is the "trigger". It seems that another software named "Emby Server" is interfering somehow with the detection. By our tests, when "Emby Server" is open SEB thinks that the current host is a VM, regardless of the state of the VMware adapters.

However, sometimes disabling VMware adapters could lead to skipping the detection (with "Emby" running), but only on the very first run of SEB after that.

We also checked the DNS settings and there are none in the VMware NICs.

diegoara96 commented 4 years ago

If you don't have DNS it's not a problem of MAC detection. It should be from the plug and play devices. The strange thing about this is that we only capture devices from VirtualBox and QEMU that have assigned vendors, and this program that you mention does not create any device.

The only thing I see now, and it will be a future improvement, is that in the case of having a Radeon Pro Duo it could be a false positive because this vendor coincides with QEMU.

Could this be your case?

edoardo10x commented 4 years ago

I'm the one having this issue. Initially disabling the VMware network adapters worked to launch SEB, but then it wouldn't work on the next launch.

After further testing I found out that I only get the error when Emby Server (a media server similar to Plex) is running.

Oddly, sometimes disabling the VMware network adapters allows me to run SEB even with Emby Server running, but only for a short period of time (like I said, it wouldn't work on the next launch), and this doesn't always work. My GPU is an Asus 2080 Super.

dbuechel commented 4 years ago

Okay, I guess this isn't a very urgent bug then, as you guys appear to have a workaround.

@diegoara96: It would be great if you could fix the issue for version 3.1. Otherwise, I might need to remove the detection via MAC address etc., especially if we get more similar reports from other users.

diegoara96 commented 4 years ago

I'm trying to replicate the case with Emby Server for Windows up and running and VMware running a Windows VM, and SEB doesn't give any false positives.

Can you tell me if you have any special configuration on Emby Server?

edoardo10x commented 4 years ago

Not sure what configuration on Emby we are looking for. But I found out that it creates a device, and it matches "1af4" here https://github.com/SafeExamBrowser/seb-win-refactoring/blob/master/SafeExamBrowser.SystemComponents/VirtualMachineDetector.cs#L18

This is the device https://i.imgur.com/hq4LzOt.png

DeviceID is SWD\DAFUPnPProvider\uuid:4d1af44b3fdc4fd4948bf79cbff72fd8

EDIT: maybe this is the settings in Emby that you were looking for? https://i.imgur.com/N9li1iC.png
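To illustrate the matching problem this comment points at (a vendor ID such as QEMU's virtio "1af4" found as a bare substring inside an unrelated UPnP UUID), here is an added Python example; it is not the project's code, the shape of the naive check is an assumption about how the 3.0.0 detector behaved, and every device ID except the Emby one quoted above is constructed:

```python
import re

# Vendor ID 1AF4 is the virtio (QEMU/KVM) PCI vendor, one of the values the
# thread says VirtualMachineDetector.cs looks for. Only that one is needed here.
SUSPECT_VENDOR_IDS = ("1af4",)

# Constructed sample device IDs. Only the last one is taken from the issue;
# the other two follow the Windows PCI instance-ID layout and are made up.
SAMPLE_DEVICE_IDS = [
    r"PCI\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\3&11583659&0&18",    # virtio NIC in a QEMU guest
    r"PCI\VEN_10DE&DEV_1E81&SUBSYS_866D1043&REV_A1\4&2F5F6E5C&0&0008",  # host GPU
    r"SWD\DAFUPnPProvider\uuid:4d1af44b3fdc4fd4948bf79cbff72fd8",       # Emby's UPnP device (from the issue)
]


def naive_hits(device_ids):
    """Assumed shape of the buggy check: case-insensitive substring match
    anywhere in the ID. Returns every ID that would be flagged."""
    return [d for d in device_ids
            if any(vid in d.lower() for vid in SUSPECT_VENDOR_IDS)]


# Anchored form: the vendor must sit in the VEN_/VID_ field of a PCI or USB
# hardware ID, so hex that merely occurs inside a UUID cannot match.
VENDOR_FIELD = re.compile(r"^(?:PCI\\VEN_|USB\\VID_)([0-9A-F]{4})(?=&|$)",
                          re.IGNORECASE)


def vendor_of(device_id):
    """Return the 4-hex-digit vendor ID of a PCI/USB instance ID, else None."""
    m = VENDOR_FIELD.match(device_id)
    return m.group(1).lower() if m else None


def anchored_hits(device_ids):
    """Flag only IDs whose vendor field is a suspect vendor."""
    return [d for d in device_ids if vendor_of(d) in SUSPECT_VENDOR_IDS]


if __name__ == "__main__":
    print("naive   :", naive_hits(SAMPLE_DEVICE_IDS))     # flags the Emby UUID too
    print("anchored:", anchored_hits(SAMPLE_DEVICE_IDS))  # flags only the virtio NIC
```

The naive check flags the Emby UPnP ID because "1af4" happens to occur inside its UUID; the anchored check does not, while still catching the virtio NIC.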

diegoara96 commented 4 years ago

Okay, that's the problem with the device ID and how I'm checking. Perfect, I can start to fix it, thanks.

dbuechel commented 4 years ago

I merged the pull request. @edoardo10x / @Enrico204 : Can you verify whether this fixes your issue? The build with the changes can be found here (Platform x86 -> Artifacts -> SetupBundle.exe): https://sebdev-let.ethz.ch/project/AppVeyor/seb-win-refactoring/builds/165

edoardo10x commented 4 years ago

Yeah, the issue is fixed with the new build. Thanks!

dbuechel commented 4 years ago

Perfect. @diegoara96: Thanks for the quick fix!