seb-mac
Prohibited Process Locked SEB!
Hi, I'm currently having the following problem: when I open SEB this window appears. I already saw this problem in the forum #88, but nothing seems to work. My Mac runs macOS Monterey, I also tried installing the 2.3.2 version, but nothing seems to work.

That's the error, but I don't know what that task is! Please, I have an exam in a few days and I must have it working.
Please try if this still happens with the release candidate version of SEB 3.1, for the download see the Releases section of the seb-mac repository.
I have the same issue, using version 2.3.2 and the latest release on macOS Monterey (12.3.1) on a MacBook Pro 2016. No matter which exam is opened, it will freeze with "Prohibited processes detected". Sometimes it shows a random empty process as in the screenshot above, and sometimes it says it can't close Safari (which is required to open the exam!).

SEB 2.3.2 is way outdated, it had another issue regarding prohibited processes. You or your exam provider should use/require the latest SEB version.
I have now tested with SEB 3.2 release candidate. Still the same issue.

My school requires the use of 2.3.2, and there is no way for me to change that.
You're probably using some third party software which isn't compatible with SEB. Unfortunately also the 3.2/3.1 release candidates have an issue not displaying some process names properly, but it will be fixed in the final version of SEB 3.1.
Note that also software which manipulates macOS system files (also viruses) can cause this error message.
No such software that I know of that would modify the system, macOS sandboxes installed applications. There are certainly no viruses either. The only software installed on my device are developer tools such as IDEs and xcode.
Are there any log files which contain more info on what is happening so I can try to find what exactly is causing it? After I close SEB the process it flagged is gone as well.
I encountered users which had viruses on their Macs which caused this error. Also tools which require to disable System Integrity Protection to be installed might cause this issue.
The case where Safari was flagged is strange. Were you using another macOS user account on your Mac at the same time? If so, log out there before running SEB. If Safari is prohibited by your exam provider settings, SEB should be able to terminate it.
Unfortunately the log also doesn't have proper process details because of that bug which will only be fixed in the final 3.1 release. Wait 1-2 days, then it will be released.
SIP is not disabled, and no other users are added.
Actually there might be information in the log files why SEB wants to terminate those processes, please attach some recent log files (when the issue happened) from ~/Library/Logs/Safe Exam Browser/
Here is the full log file org.safeexambrowser.SafeExamBrowser_2022-05-24--10-26-20-564.log
Looking at the log, it says the id it couldn't terminate is Safari, which it said terminated. Here's the relevant part extracted:
2022/05/24 12:26:29:201 Successfully terminated application/process: {
PID = 1178;
URL = "file:///Applications/Safari.app/";
bundleID = "com.apple.Safari";
name = Safari;
}
2022/05/24 12:26:29:206 Couldn't terminate application/process: {
PID = 1178;
URL = "= -- file:///";
name = "";
}, error code: -1
As you can see it's the same PID for both. The message is repeated multiple times in the log file, all with the same PID of Safari. So the issue seems to be related to Safari in some way.
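The check made by eye in the comment above can be automated over a whole SEB log. This is an added example, not part of the original thread or of SEB; the function names are hypothetical and the sample is constructed from the posted excerpt plus one invented entry (PID 2040).

```python
import re

# Constructed sample modelled on the excerpt above; the PID 2040 entry is invented.
SAMPLE_LOG = """\
2022/05/24 12:26:29:201 Successfully terminated application/process: {
PID = 1178;
bundleID = "com.apple.Safari";
name = Safari;
}
2022/05/24 12:26:29:206 Couldn't terminate application/process: {
PID = 1178;
name = "";
}, error code: -1
2022/05/24 12:26:30:010 Couldn't terminate application/process: {
PID = 2040;
name = ExampleHelper;
}, error code: -1
"""

EVENT = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d:\d{3}) "
    r"(?P<kind>Successfully terminated|Couldn't terminate) "
    r"application/process: \{\n(?P<body>.*?)^\}",
    re.M | re.S,
)
FIELD = re.compile(r'^[ \t]*(\w+) = "?(.*?)"?;$', re.M)

def parse_events(text):
    """Turn each terminate / couldn't-terminate record into a dict."""
    events = []
    for m in EVENT.finditer(text):
        f = dict(FIELD.findall(m.group("body")))
        events.append({"ts": m.group("ts"), "pid": int(f["PID"]),
                       "ok": m.group("kind").startswith("Successfully"),
                       "name": f.get("name", ""), "bundle_id": f.get("bundleID", "")})
    return events

def contradictory_pids(events):
    """PIDs logged as terminated and afterwards as impossible to terminate.
    PIDs get recycled, so a production check should also bound the time gap."""
    terminated, hits = {}, []
    for e in events:
        if e["ok"]:
            terminated[e["pid"]] = e
        elif e["pid"] in terminated:
            first = terminated[e["pid"]]
            hits.append((e["pid"], first["name"] or first["bundle_id"], first["ts"], e["ts"]))
    return hits
```

A failure for a PID that was never reported as terminated (2040 in the sample) is a different situation and is deliberately not flagged.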
Ok, that looks like a bug. Thanks for the helpful input!
Is there any way I can start my exam without having Safari open, to try to prevent this bug?
Just use another web browser. Although this might happen with other browsers as well.
You said your school requires SEB 2.3.2, can you still test if the issue also happens with SEB 3.1rc? You probably will not be allowed to enter the exam, but it would be helpful to know if this bug still exists in SEB 3.1.
Hmm, from some initial testing, it looks like the issue doesn't occur using Firefox. Here is the log file using Firefox org.safeexambrowser.SafeExamBrowser_2022-05-24--10-49-50-239.log
I am testing with SEB 3.2 RC, the Safari bug appears to be present in all versions between 2.3.2 and 3.2 RC. Do you still need me to test with 3.1 RC? It looks like the 3.2 is based on 3.1.
I can confirm that SEB 2.3.2 also works correctly when using Firefox to start it.
The bug I anyways need to fix, but I guess your school's SEB settings include Safari as a prohibited process, which isn't necessary and also not really good. SEB includes "Safari Networking" as a default preset prohibited process, which is sufficient to prevent that Safari could interfere during exams. On my main machine I realized that when Safari is completely terminated, this may lead to an issue with iCloud Safari tabs/history/bookmarks sync, so that Safari takes many minutes to be responsive after starting it. Maybe that only happens on some machines, but anyways, they should remove Safari as a prohibited process.
I attempted to fix this issue, although I cannot really test if it doesn't happen anymore (as in my case I observed it only randomly and very rarely). At least I added one fundamental improvement in monitoring those prohibited processes plus more logging. So in case it still happens, the according SEB log files should give me more hints.
So please test the release version of SEB 3.1, see direct link (the website will be updated soon). This new fix is not yet contained in SEB 3.2rc.
I have now tested the release version of SEB 3.1 which you linked, and the issue still occurs. Here is the log file org.safeexambrowser.SafeExamBrowser_2022-06-05--13-36-46-336.log
From a quick look in the logs, it looks like it's behaving identically to what it was doing before:
2022/06/05 15:36:52:568 Successfully terminated application/process: {
PID = 8453;
URL = "file:///Applications/Safari.app/";
bundleID = "com.apple.Safari";
name = Safari;
}
2022/06/05 15:36:52:608 Couldn't terminate application/process: {
PID = 8453;
URL = "file:///Applications/Safari.app/";
bundleID = "com.apple.Safari";
name = "";
}, error code: -1
Perhaps some kind of notice should be added to avoid using Safari to launch SEB until the bug is fixed. I should also note that my school uses Inspera to handle the exam. I can see that they are a gold contributor of this project, and they are the ones distributing the outdated version of SEB as well. Perhaps the sponsors should be notified to update their versions when this bug has been resolved as well.
Is the school using Inspera SEB or the regular SEB?
Inspera of course knows that there is a new SEB version, but they decided to continue using the older version of SEB.
Actually in such a case it would always be better to first contact your exam system provider (as we indicate on our support page). They need to know that there is an issue with SEB and their exam system/used SEB config and then they can try to solve the issue together with us (we're in regular contact).
I'll investigate it further. Obviously there is some special combination (your system, Inspera config etc.) causing this issue, because neither we could ever reproduce such an issue nor did we get many reports (maybe 2-3 besides yours).
According to the log SEB cannot access the code signing certificate of your installed version of Safari:
Couldn't obtain certificate info from executable
So I still think something is wrong with your copy of Safari or your system, either some tool manipulated Safari or you have some malware on your system. Try it on another Mac, it won't happen is my prediction.
PS: It could theoretically also be some security/anti-malware software blocking SEB from reading the Safari.app bundle. I don't know if that's a feature of some security software (and it wouldn't make sense to prevent read-only access), but who knows. On Windows we had similar issues, because there security software does all kinds of stupid pseudo-security checks.
There is no malware on my mac. I did have one extension installed previously, called AdGuard for Safari, could it be possible that is what is causing it?
I'll test it on another mac shortly and let you know if it has the same issue.
I was not able to reproduce it on a different mac, however, I did see several other people during my last exam have the same issue.
It's theoretically possible that AdGuard manipulates something inside Safari to be able to decrypt https Internet traffic. Usually such security tools install their own root certificate into the system certificate store, but maybe this requires/required disabling SIP (which is mentioned in some troubleshooting procedures on the AdGuard site as well) during installation so they might have tried another way.
There's a discussion about a similar problem in this issue: https://github.com/SafeExamBrowser/seb-mac/issues/212
If you can post the output of the following command executed in Terminal, we might be able to see if your instance of Safari was manipulated:
codesign -dv --verbose=4 /Applications/Safari.app
The command prints details about the code signature of an application.
The output given from the command is
Executable=/Applications/Safari.app/Contents/MacOS/Safari
Identifier=com.apple.Safari
Format=app bundle with Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=745 flags=0x2000(library-validation) hashes=13+7 location=embedded
Platform identifier=13
VersionPlatform=1
VersionMin=787200
VersionSDK=787200
Hash type=sha256 size=32
CandidateCDHash sha256=c0f9c27d0cffc2f68b696c76739c646e9d2bd34c
CandidateCDHashFull sha256=c0f9c27d0cffc2f68b696c76739c646e9d2bd34c0071fa42fd5447b2ea16eab3
Hash choices=sha256
CMSDigest=c0f9c27d0cffc2f68b696c76739c646e9d2bd34c0071fa42fd5447b2ea16eab3
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=16384
Executable Segment flags=0x1
Page size=4096
CDHash=c0f9c27d0cffc2f68b696c76739c646e9d2bd34c
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=26 Mar 2022 at 10:37:34
Info.plist entries=45
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=1420
Internal requirements count=1 size=64
I also ran csrutil status and the output is
System Integrity Protection status: enabled.
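One way to read the `codesign` output above mechanically, as an added example that is not part of the original thread or of SEB: it parses the displayed fields and compares the identifier and authority chain with expected values. The function names are hypothetical, and the reference chain is assumed to be the one that appears in the posted output.

```python
import re

# Subset of the `codesign -dv --verbose=4` output posted above.
SAMPLE = """\
Executable=/Applications/Safari.app/Contents/MacOS/Safari
Identifier=com.apple.Safari
CodeDirectory v=20400 size=745 flags=0x2000(library-validation) hashes=13+7 location=embedded
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set
"""

# Assumption: the reference chain is the one that appears in that output.
EXPECTED_CHAIN = ["Software Signing",
                  "Apple Code Signing Certification Authority",
                  "Apple Root CA"]

def parse_codesign(text):
    """Collect key=value lines; Authority repeats, so it becomes a list (leaf first)."""
    info = {"Authority": [], "flags": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        elif key.startswith("CodeDirectory "):
            m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", line)
            info["flags"] = m.group(1).split(",") if m else []
        else:
            info[key] = value
    return info

def signing_findings(info, expected_id="com.apple.Safari"):
    """Compare displayed metadata with expectations. This reads what -d prints;
    it does not validate the signature (codesign --verify does that)."""
    findings = []
    if info.get("Identifier") != expected_id:
        findings.append("unexpected identifier: %r" % info.get("Identifier"))
    if info["Authority"] != EXPECTED_CHAIN:
        findings.append("unexpected authority chain: %r" % info["Authority"])
    return findings
```

`codesign -d` writes this information to standard error, so redirect with `2>&1` when capturing it for parsing.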
Closed for lack of feedback.