Microsoft Windows sandbox VM shows blue screen and crashes (when hosted by virtual Advanced Threat Defense running on Hyper-V)

Technical Articles ID: KB91593
Last Modified: 7/9/2020

Environment

McAfee virtual Advanced Threat Defense (vATD) 4.x
Microsoft Windows Server 2016 Hyper-V

Problem 1

You set up and configure virtual Advanced Threat Defense to run on a Windows Server 2016 Hyper-V host. You then configure a Microsoft Windows sandbox VM in vATD. But when you reach the activation stage, the VM shows a blue screen and crashes.

Problem 2

Sandbox analysis does not report severity on virtual Advanced Threat Defense running on a Windows Server 2016 Hyper-V host.

System Change

You enabled processor compatibility for the vATD instance in Hyper-V.

Cause

Guest operating system on hypervisor receives the available features and capabilities of the virtual CPU from the hypervisor.

Configuring the hypervisor to restrict CPU capabilities for guest operating system with limited instruction sets means that your guest operating system only uses the sets that the hardware CPU provided.

Microsoft Hyper-V offers processor compatibility mode for live migration. When the processor compatibility mode is enabled, the Hyper-V hypervisor restricts many advanced CPU capabilities for vATD use. Because vATD transparently passes through the available CPU capabilities from hypervisor to sandbox VM, the sandbox VM on vATD only receives the restricted instruction sets.

If binary code in the sandbox VM happens to call an instruction that virtual CPU does not support, the software crashes.

Solution

Disable compatibility mode in Hyper-V.

To check if compatibility mode is enabled, run the following command in PowerShell and look for the CompatbilityForMigrationEnabled column of your vATD row:

Get-VMProcessor

To disable compatibility mode, run the following command in PowerShell (replace '<VMNAME>' with the actual running vATD VM name in your setup):

Set-VMProcessor '<VMNAME>' -CompatibilityForMigrationEnabled 0

IMPORTANT: McAfee does not support using the CompatibilityForMigrationEnabled option in Hyper-V for virtual ATD.

Related Information

Windows 10 and Windows Server 2016 PowerShell: Get-VMProcessor
https://docs.microsoft.com/en-us/powershell/module/hyper-v/get-vmprocessor?view=win10-ps
Windows 10 and Windows Server 2016 PowerShell: Set-VMProcessor
https://docs.microsoft.com/en-us/powershell/module/hyper-v/set-vmprocessor?view=win10-ps

Affected Products

Advanced Threat Defense 4.6.x (EOL)
Advanced Threat Defense 4.4.x (EOL)
Advanced Threat Defense 4.2.x
Advanced Threat Defense 4.0.x (EOL)
Best Practices
Configuration
Install/Uninstall

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Knowledge Center

Microsoft Windows sandbox VM shows blue screen and crashes (when hosted by virtual Advanced Threat Defense running on Hyper-V)

Environment

Problem 1

Problem 2

System Change

Cause

Solution

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Microsoft Windows sandbox VM shows blue screen and crashes (when hosted by virtual Advanced Threat Defense running on Hyper-V)

Environment

Problem 1

Problem 2

System Change

Cause

Solution

Related Information

Affected Products

Languages:

Choose your region

Title

Title