
Comments (24)

dbuechel commented on September 25, 2024

Thanks for the input @mlohnen! This might be another lead for you @Notselwyn?

from seb-win-refactoring.

ThomasL-AP commented on September 25, 2024

I'm trying my best to reach out to the students with the issues. I'll reply as soon as I have more info.

ThomasL-AP commented on September 25, 2024

I understand. On Monday I sent a reminder to the students having this issue. So far only one has responded and will be available on Thursday. Hopefully I can update the issue with more info.
If this cannot be added to the features of 3.7.0, so be it. I'll be happy to have a solution or workaround by the next exams, which start around mid-May or the beginning of June. That way we don't have to make an exception for those students.

Notselwyn commented on September 25, 2024

> I finally got in contact with one of our students again.
>
> Below you can find the requested info: hwconf.reg-2.txt (File renamed to txt to bypass upload restrictions)

I believe I have cracked the case. I believe that the student used this Microsoft account to log into a Windows VM, which caused VMware to be logged in the historic hardware configurations.

@dbuechel Do you think we should remove these checks? It was originally intended as an extra way to retrieve hardware descriptions from registry, but I didn't know it logs historic device hardware info.

Notselwyn commented on September 25, 2024

Created PR containing the fix @dbuechel

I ended up deleting the entire check to prevent any false positives from arising in the future. The original purpose of the check was checking local hardware changes, but (assuming the logfiles are indeed from a physical machine) it syncs across devices based on Microsoft accounts.

mlohnen commented on September 25, 2024

I had this problem and traced it back to being Impero (software to monitor and control PCs remotely).
Also had to enable 'ignore errors when validating display configuration' in the security tab.

Notselwyn commented on September 25, 2024

I looked into the initial report and I can't find a lead. systemInfo.Model, systemInfo.Manufacturer, PNP devices, and the devicecache shouldn't raise any flags (those are the only variables I could extract from the logs).

It seems that the false positive happened due to either a weird MAC address (i.e. incorrect detection of the MAC address), a falsely flagged CPU, a historic hardware configuration, or a weird BIOS name.

@ThomasL-AP could you please provide us the output of the following cmd.exe commands? This allows us to investigate what is causing the false flag.

  1. List all MAC addresses: wmic nicconfig get DNSHostName,MACAddress,Description
  2. List all CPUs: wmic cpu get Caption,DeviceID,Manufacturer,MaxClockSpeed,Name
  3. List all hardware configurations to file hwconf.reg: reg export HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig hwconf.reg (please attach hwconf.reg to your message)
  4. List the BIOS name: wmic bios get BIOSVersion,Caption,Description,Manufacturer,Name

Thanks

Notselwyn commented on September 25, 2024

> I had this problem and traced it back to being Impero (software to monitor and control PCs remotely). Also had to enable 'ignore errors when validating display configuration' in the security tab.

Thanks for the feedback. Is this VM detection bug caused by Impero already resolved?

ThomasL-AP commented on September 25, 2024

> I had this problem and traced it back to being Impero (software to monitor and control PCs remotely). Also had to enable 'ignore errors when validating display configuration' in the security tab.

This might indeed be a lead (or just coincidence). I recently solved another unrelated issue (replied with my other account: jixopp). But it could've been that the student had a similar setup (hardware/software)...

I'll look into that and provide more info as soon as possible.

ask4jm commented on September 25, 2024

Any fixes for the virtual machine issue? I am having the issue on a fresh installation of Windows.
SafeBrowser version: 3.6
Windows Version (Win32NT 10.0.22631.0 Microsoft Windows NT 10.0.22631.0)

It works with version SafeBrowser 3.5 though.

Thanks and regards

nicconfig.txt
cpu.txt
hwconf.reg.txt
2024-02-08_02h39m29s_Runtime.log

dbuechel commented on September 25, 2024

@ask4jm Thanks for your input. I think your issue relates to a bug we accidentally introduced with version 3.6.0. Could you please try the latest beta build for version 3.7.0 to verify whether it fixes your issue?

dbuechel commented on September 25, 2024

@ThomasL-AP Were you able to look into the issue and also could you please provide the output of the commands listed by @Notselwyn above (see #789 (comment))?

dbuechel commented on September 25, 2024

As a general remark to all involved: We're on the finishing line for the development of SEB 3.7.0, the feature freeze is planned for Friday, 1st of March. Thus, if the issue is not solved until then (and we cannot solve it without the input from the OP and contributors), it'll have to wait for the next release version (3.8.0).

dbuechel commented on September 25, 2024

I'd like to inform all involved contributors that on this Friday, March 1st, we have the feature freeze for version 3.7.0. After that, functional changes are not possible anymore and we'd need to postpone this issue to version 3.8.0.

dbuechel commented on September 25, 2024

Thanks for your understanding. Version 3.8.0 is currently scheduled for end of Q2 of this year.

ThomasL-AP commented on September 25, 2024

I finally got in contact with one of our students again.

Below you can find the requested info:
hwconf.reg-2.txt
(File renamed to txt to bypass upload restrictions)

C:\Windows\System32>wmic nicconfig get DNSHostName,MACAddress,Description
Description DNSHostName MACAddress
Microsoft Kernel Debug Network Adapter
Intel(R) 82574L Gigabit Network Connection
WAN Miniport (SSTP)
WAN Miniport (IKEv2)
WAN Miniport (L2TP)
WAN Miniport (PPTP)
WAN Miniport (PPPOE)
WAN Miniport (IP) A4:90:20:52:41:53
WAN Miniport (IPv6) A6:F3:20:52:41:53
WAN Miniport (Network Monitor) A6:F3:20:52:41:53
Realtek PCIe GbE Family Controller 48:9E:BD:4C:E9:29
Realtek RTL8822CE 802.11ac PCIe Adapter DESKTOP-M4E2IMT 48:E7:DA:6E:C4:F3
Bluetooth Device (Personal Area Network) 48:E7:DA:6E:C4:F2
Microsoft Wi-Fi Direct Virtual Adapter 4A:E7:DA:6E:C4:F3
Microsoft Wi-Fi Direct Virtual Adapter CA:E7:DA:6E:C4:F3

C:\Windows\System32>wmic cpu get Caption,DeviceID,Manufacturer,MaxClockSpeed,Name
Caption DeviceID Manufacturer MaxClockSpeed Name
AMD64 Family 25 Model 80 Stepping 0 CPU0 AuthenticAMD 2600 AMD Ryzen 3 5400U with Radeon Graphics

C:\Windows\System32>wmic bios get BIOSVersion,Caption,Description,Manufacturer,Name
BIOSVersion Caption Description Manufacturer Name
{"HPQOEM - 1", "T78 Ver. 01.15.00", "HP - 10F0000"} T78 Ver. 01.15.00 T78 Ver. 01.15.00 HP T78 Ver. 01.15.00

Notselwyn commented on September 25, 2024

Thank you for providing the information. I will try to look into it this week.

JoeOfCups commented on September 25, 2024

Apparently the false Virtual Machine detection persists in 3.7 as well. We have at the University of Helsinki a small number of students with laptops usually bought from companies that sell second-hand laptops, so not the original OEM Windows on those. Here are logfiles from a case from the day when SEB 3.7 was released.

Apparently, one student replaced a newer version with an older version (3.3.2) where the virtual detection didn't trigger.

2024-04-03_16h23m49s_Runtime.log
2024-04-03_16h23m49s_Client.log

dbuechel commented on September 25, 2024

Thanks a lot for the input, that would then also indicate that a false positive detection has indeed been introduced in any of the VM detection improvements we have made since version 3.3.2.

@Notselwyn You might find some hints in the source control history, e.g. https://github.com/SafeExamBrowser/seb-win-refactoring/commits/master/SafeExamBrowser.SystemComponents/VirtualMachineDetector.cs?since=2022-01-31&until=2024-04-11

dbuechel commented on September 25, 2024

Great work! Yes, then I think it's better to remove the checks or at least filter out the historic device hardware info (if that's even possible).

from seb-win-refactoring.
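
The current-versus-historic distinction discussed in this thread, sketched for an exported hwconf.reg. This is an added example, not SEB's code and not part of any comment here. The `LastConfig` value, the GUID-named subkeys, the value names and the marker list are assumptions, and the sample export is constructed.

```python
import re

# Assumed layout of HKLM\SYSTEM\HardwareConfig (not stated in the thread): one
# GUID-named subkey per recorded configuration, plus a "LastConfig" value on
# the root key that names the configuration currently in use.
ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig"
VM_MARKERS = ("vmware", "virtualbox", "qemu")  # illustrative, not SEB's list

# Constructed sample. A real "reg export" file is UTF-16 and needs decoding.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig]
"LastConfig"="{11111111-1111-1111-1111-111111111111}"

[HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{11111111-1111-1111-1111-111111111111}]
"SystemManufacturer"="HP"

[HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{22222222-2222-2222-2222-222222222222}]
"SystemManufacturer"="VMware, Inc."
"SystemProductName"="VMware Virtual Platform"
'''

def parse_reg(text):
    """Parse the string values of a .reg export into {key_path: {name: value}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg string values escape backslashes and quotes with a backslash
            current[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def classify(text):
    """Return (current_hits, historic_hits) as lists of (config, name, value)."""
    keys = parse_reg(text)
    last = keys.get(ROOT, {}).get("LastConfig", "").lower()
    current_hits, historic_hits = [], []
    for path, values in keys.items():
        if not path.startswith(ROOT + "\\"):
            continue  # root key itself or an unrelated key
        config = path[len(ROOT) + 1:].split("\\")[0]
        # Without LastConfig the active entry is unknown: count every hit as current.
        is_current = not last or config.lower() == last
        for name, value in values.items():
            if any(marker in value.lower() for marker in VM_MARKERS):
                (current_hits if is_current else historic_hits).append((config, name, value))
    return current_hits, historic_hits
```

On the constructed sample, both VMware strings land in the historic list and the current configuration is clean, which is the false-positive pattern described in this thread.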

ThomasL-AP commented on September 25, 2024

Will you let me know when there is a (beta) release to test?

dbuechel commented on September 25, 2024

Yes certainly, the changes can now be tested with the latest beta build: http://sebdev-let.ethz.ch/api/buildjobs/08axvsavj5yqx3oo/artifacts/SEB_3.8.0.685_SetupBundle.exe.

Unfortunately, our build server currently has an issue with HTTPS access, so please do make sure that the setup is correctly signed after downloading it over HTTP.

ThomasL-AP commented on September 25, 2024

Where can I find the latest beta? I missed the previous comment and couldn't download it. The above link is broken now.
Exams start next week at our institution. Any idea when 3.8 will be officially released?

dbuechel commented on September 25, 2024

Terribly sorry, we renamed our build server from sebdev-let.ethz.ch to sebdev.ethz.ch. You can find the latest beta build of version 3.8.0 here: https://sebdev.ethz.ch/api/buildjobs/uhu49u589dsh8hy9/artifacts/SEB_3.8.0.690_SetupBundle.exe.
