seb-win-refactoring

Blacklisting non-vm computer as vm

Open 0xnecromancer opened this issue 1 year ago • 7 comments

Enabling the following options on your Windows computer will create the disk 'PROD_VIRTUAL_DISK' which is blacklisted by SEB:

  • Windows Subsystem for Linux
  • Windows Sandbox

This caused me to get flagged each and every exam for 8+ months and I had to attach a debugger to SEB to understand where it is flagging me. Filtering for "PROD_VIRTUAL_DISK" is the most stupid thing I've seen to detect virtual environments.

It is embarrassing that having a virtual disk is a detection vector. Step up your game. EMBARRASSING!

0xnecromancer avatar May 22 '24 09:05 0xnecromancer

@pinkestflamingo Please mind your language. We don't tolerate verbal abuse (this is not Twitter -> X).

danschlet avatar May 22 '24 10:05 danschlet

@pinkestflamingo Try to retain some basic manners, otherwise it is unlikely that you'll make your wishes heard.

@Notselwyn Could you please have a look at the issue and specifically investigate whether there is a way to distinguish between a physical system having a virtual disk installed and a virtual system running on a virtual disk.

dbuechel avatar May 27 '24 10:05 dbuechel

@dbuechel Is there any chance this is a logic bug? "PROD_VIRTUAL_DISK" is stored in DeviceWhitelist, leading me to believe it should not be flagged. Unless of course it is not "PROD_VIRTUAL_DISK" triggering VM-detection.

DeviceBlacklist.Any(d => device.ToLower().Contains(d.ToLower()))
	&& DeviceWhitelist.All(d => !device.ToLower().Contains(d.ToLower()))

https://github.com/SafeExamBrowser/seb-win-refactoring/blame/b3228aedef5c2896a103f990f8bd56170fe2c493/SafeExamBrowser.SystemComponents/VirtualMachineDetector.cs#L74

Notselwyn avatar May 28 '24 10:05 Notselwyn

You are very correct indeed! I doubt that we have a logic error there, I vaguely remember introducing the whitelist which then has been verified by our internal testing.

@Notselwyn Do you happen to have the capacity and time to debug the issue and verify that it can't be PROD_VIRTUAL_DISK triggering the detection?

dbuechel avatar May 29 '24 15:05 dbuechel

I did some fiddling (https://dotnetfiddle.net/eG3JXN) and it seems it should indeed not trigger. Unfortunately I do not have access to devices with Hyper-V or WSL support lying around, so I cannot test for any cases where the literal string is not PROD_VIRTUAL_DISK; however, the reporter is claiming that it is.

Notselwyn avatar May 29 '24 19:05 Notselwyn
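
The predicate quoted earlier in the thread, evaluated over constructed device strings with a per-device report of which list entries matched. This is an added example, not the project's code or the linked fiddle; the blacklist entries and device identifiers are constructed, and only the whitelist entry PROD_VIRTUAL_DISK comes from the thread.

```csharp
using System;
using System.Linq;

static class VmCheckDemo
{
    // Constructed sample lists. Only the whitelist entry "PROD_VIRTUAL_DISK"
    // is taken from the thread; the blacklist entries are placeholders.
    static readonly string[] DeviceBlacklist = { "virtual", "examplevm" };
    static readonly string[] DeviceWhitelist = { "PROD_VIRTUAL_DISK" };

    // Case-insensitive substring test, written the same way as in the thread.
    static bool Matches(string device, string entry) =>
        device.ToLower().Contains(entry.ToLower());

    // Same expression as quoted in the thread: flagged only when some blacklist
    // entry matches AND no whitelist entry matches.
    static bool IsFlagged(string device) =>
        DeviceBlacklist.Any(d => device.ToLower().Contains(d.ToLower()))
        && DeviceWhitelist.All(d => !device.ToLower().Contains(d.ToLower()));

    // Diagnostic: list the entries that matched so a false positive can be
    // traced to the exact string responsible.
    static string Explain(string device)
    {
        string black = string.Join(", ", DeviceBlacklist.Where(d => Matches(device, d)));
        string white = string.Join(", ", DeviceWhitelist.Where(d => Matches(device, d)));
        return device
            + "\n  blacklist hits: [" + black + "]"
            + "\n  whitelist hits: [" + white + "]"
            + "\n  flagged: " + IsFlagged(device);
    }

    static void Main()
    {
        // Constructed device identifiers, not captured from a real machine.
        string[] devices =
        {
            @"SCSI\DISK&VEN_MSFT&PROD_VIRTUAL_DISK\000000",   // whitelisted literal present
            @"SCSI\DISK&VEN_EXAMPLEVM&PROD_HARDDISK\000001",  // blacklist hit, no whitelist hit
            @"PCI\VEN_0000&DEV_0000\EXAMPLE_VIRTUAL_ADAPTER", // "virtual" without the whitelisted literal
            @"USB\VID_0000&PID_0000\KEYBOARD",                // no hit on either list
        };

        foreach (var device in devices)
            Console.WriteLine(Explain(device));
    }
}
```

With these lists, a device string containing the whitelisted literal is not flagged, while any other string that contains a blacklisted substring still is, which is the case the comment above says could not be tested.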

Thanks, this already should prove that the VM detection was not actually triggered because there is a virtual disk installed on a physical machine.

dbuechel avatar May 30 '24 11:05 dbuechel

This issue is stale because it has been open for 28 days with no activity. It will soon be closed automatically if there are no updates.

github-actions[bot] avatar Jun 28 '24 01:06 github-actions[bot]

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot] avatar Jul 12 '24 01:07 github-actions[bot]