Microsoft Windows sandbox VM shows blue screen and crashes (when hosted by virtual Advanced Threat Defense running on Hyper-V)

Technical Articles ID: KB91593
Last Modified: 6/6/2019

Environment

McAfee virtual Advanced Threat Defense (vATD) 4.x
Microsoft Windows Server 2016 Hyper-V

Problem

You set up and configure virtual Advanced Threat Defense to run on a Windows Server 2016 Hyper-V host. You then configure a Microsoft Windows sandbox VM in vATD. But when you reach the activation stage, the VM shows a blue screen and crashes.

Problem

Sandbox analysis does not report severity on virtual Advanced Threat Defense running on a Windows Server 2016 Hyper-V host.

System Change

You enabled processor compatibility for the vATD instance in Hyper-V.

Cause

Guest operating system on hypervisor receives the available features and capabilities of the virtual CPU from the hypervisor.

Configuring the hypervisor to restrict CPU capabilities for guest operating system with limited instruction sets means that your guest operating system only uses the sets that the hardware CPU provided.

Microsoft Hyper-V offers processor compatibility mode for live migration. When the processor compatibility mode is enabled, the Hyper-V hypervisor restricts many advanced CPU capabilities for vATD use. Since vATD transparently passes through the available CPU capabilities from hypervisor to sandbox VM, the sandbox VM on vATD only receives the restricted instruction sets.

If binary code in the sandbox VM happens to call an instruction that virtual CPU does not support, the software crashes.

Solution

Disable compatibility mode in Hyper-V.

To check if compatibility mode is enabled, run the following command in PowerShell and look for the CompatbilityForMigrationEnabled column of your vATD row:

Get-VMProcessor

To disable compatibility mode, run the following command in PowerShell (replace '<VMNAME>' with the actual running vATD VM name in your setup):

Set-VMProcessor '<VMNAME>' -CompatibilityForMigrationEnabled 0

IMPORTANT: McAfee does not support using the CompatibilityForMigrationEnabled option in Hyper-V for virtual ATD.

Related Information

Windows 10 and Windows Server 2016 PowerShell: Get-VMProcessor
https://docs.microsoft.com/en-us/powershell/module/hyper-v/get-vmprocessor?view=win10-ps
Windows 10 and Windows Server 2016 PowerShell: Set-VMProcessor
https://docs.microsoft.com/en-us/powershell/module/hyper-v/set-vmprocessor?view=win10-ps

Affected Products

Advanced Threat Defense 4.6.x
Advanced Threat Defense 4.4.x
Advanced Threat Defense 4.2.x
Advanced Threat Defense 4.0.x
Best Practices
Configuration
Install/Uninstall

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Microsoft Windows sandbox VM shows blue screen and crashes (when hosted by virtual Advanced Threat Defense running on Hyper-V)

Environment

Problem

Problem

System Change

Cause

Solution

Related Information

Affected Products

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Microsoft Windows sandbox VM shows blue screen and crashes (when hosted by virtual Advanced Threat Defense running on Hyper-V)

Environment

Problem

Problem

System Change

Cause

Solution

Related Information

Affected Products

Glossary of Technical Terms

Choose your region

Title

Title