Any way to prevent Hyper-V on Windows 10 from working or being installed when using CE?

  • Problem
  • Updated 9 months ago
I am running Windows 10 (Creator's edition) on my MS Surface Pro 3 and I am also using the latest 7.3.8 beta version of Covenant Eyes.  I have come across a serious issue with being able to install Hyper-V that is a Windows 10 feature, creating a virtual switch for it, and then installing an Operating System onto the Hyper-V VM, like Windows 7 Pro with Service Pack 1.  Inside the Windows 7 Hyper-V virtual machine, I am able to completely bypass Covenant Eyes running on my host machine.  Now, I know that one can just install Covenant Eyes onto the virtual machine OS, but someone who is looking to circumvent the protection that CE provides, will not do that.  I am not connected in a network (my home network) that is running a domain controller.

So, my question, is there any way to prevent Hyper-V from being installed in the first place, like completely removing it from my operating system, or at least, if it is installed, make sure that one can't create a virtual switch that will have access to the internet, and bypass CE running on the host machine?

Any help on this would be greatly appreciated.
Ronald Kanagy

Posted 9 months ago
drew

I have run into this with VirtualBox and VMware as well. Not sure what CE has to say about this. I suppose they would have to start giving tools to completely block unwanted applications. I would really be interested in a solution to just that. However you may be able to find solutions to this elsewhere online.

I have in the past added a registry key to block certain programs from running by blocking the .exe file. However, it isn't foolproof. To my knowledge you would need to give up your local admin rights, so that you could not change the registry key later on, allowing access. I think there may be some other workarounds too. But I would be extremely careful editing the registry if you haven't before and you decide to try that out. It has potential to cause some bad stuff. You can find the key that I am referencing with a quick Google search.

I have also heard Group Policy Editor is a decent option on Pro versions of Windows, but I have never tried that.

Hope that is helpful in some way...
Matt Thompson

I am fairly certain that all network traffic goes through CE, as long as CE is installed on the host machine. This was discussed in another thread.
Ronald Kanagy

When I installed Hyper-V and its virtual switch, CE had already been installed on my host machine.  After I installed Windows 7 Pro into a Hyper-V virtual machine, I was able to completely bypass CE in the virtual machine by accessing sites that CE would normally have blocked if I had accessed those sites on the host machine.  CE was still working on the host machine, since any sites that I have blocked, or CE blocks automatically, were still being blocked after I installed Hyper-V.

So, I can say with certainty that the network traffic coming from my Hyper-V virtual machine is not going through CE.  If it were, then I would think the websites would have been blocked.

I had a similar issue with VirtualBox, that I use for work, but I was able to get around the issue with the Bridged networking driver by completely removing it from my computer, so that VirtualBox no longer has that option available, and using NAT instead.
(Edited)
Matt Thompson

I'm wondering if the reporting still works though, even though the filter may not, which I believe is a proxy server function.
Ronald Kanagy

No, there was nothing in the reporting, either.  A Hyper-V VM using an external virtual switch completely bypasses the CE filtering and reporting altogether.
Ronald Kanagy

The reason this is such a major issue is that anybody who is using Windows 10, and maybe even Windows 7/8/8.1 can bypass CE if they install Hyper-V and have access to an ISO file for any operating system (Windows, Mac OS, Linux).  They can completely bypass the protection and accountability provided by CE, rendering it useless.

At least with Windows 10, Hyper-V is an operating system feature that can be installed from the Add/Remove programs screen in the control panel, unlike VirtualBox where you need to go to their website to download it, which CE has blocked automatically.  There is nothing that I know of that CE itself can do to prevent one from installing Hyper-V, unless there is a way to remove some part of it from the OS altogether, so that even if it can be installed, it won't be able to access the internet.

I was able to accomplish this with VirtualBox by completely removing the Bridged networking driver from my operating system and disk drive, so that VirtualBox can't use it nor can it be reinstalled.

I am looking for something similar with Hyper-V so I can prevent access to the internet from the VM.

Any ideas anyone?
(Edited)
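For the question above about keeping Hyper-V off the host, here is an added example (not posted by anyone in this thread and not from Covenant Eyes) of a PowerShell audit that reports whether the Hyper-V feature is enabled, which external virtual switches exist, and which local accounts could turn it back on. It assumes an elevated PowerShell prompt on Windows 10 Pro; the `-Disable` switch is this script's own parameter.

```powershell
# Added example: audit a Windows 10 host for the Hyper-V conditions discussed in this thread.
# Assumption: run from an elevated PowerShell prompt. Read-only unless -Disable is passed.
param([switch]$Disable)

$featureName = 'Microsoft-Hyper-V-All'   # umbrella optional feature for Hyper-V on Windows 10

# 1. Is the Hyper-V optional feature present and enabled?
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue
$state = if ($feature) { "$($feature.State)" } else { 'NotPresent' }

# 2. External virtual switches bind a VM directly to a physical adapter.
#    Get-VMSwitch only exists when the Hyper-V PowerShell module is installed.
$external = @()
if (Get-Command Get-VMSwitch -ErrorAction SilentlyContinue) {
    $external = @(Get-VMSwitch -SwitchType External -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.Name) -> $($_.NetAdapterInterfaceDescription)" })
}

# 3. Accounts that can re-enable the feature or manage VMs (well-known SIDs, locale independent).
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)          # BUILTIN\Administrators
$hvAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-578' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)          # BUILTIN\Hyper-V Administrators

[pscustomobject]@{
    HyperVFeatureState   = $state
    ExternalSwitches     = $external -join '; '
    LocalAdministrators  = $admins -join '; '
    HyperVAdministrators = $hvAdmins -join '; '
} | Format-List

# 4. Optional remediation: turn the feature off (takes effect after a reboot).
if ($Disable -and $feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart | Out-Null
    Write-Warning 'Hyper-V disabled; reboot to complete. Any local administrator can re-enable it.'
}
```

Disabling the feature only holds while the everyday account is a standard user; anyone listed under LocalAdministrators can enable it again.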
Steel

Would an on-router monitor with deep packet inspection fill the gap? This is the only solution I've been able to come up with to fill these out of work-arounds (which also includes Linux and other "nonstandard" OSes and OS installations). I don't believe CE offers something like that...
(Mods, comments?)
Ronald Kanagy

How would I implement an on-router monitor?  The router I have came from my internet provider (Comcast/Xfinity).
Steel

Tap into or utilize built-in hooks for analysis. Ubiquiti makes routers that have that capability, and run a version of Linux. I believe some "roll your own" alternative firmwares like Tomato or DD-WRT also have filtering options. Your router might have it built in; I wouldn't know without researching your specific model. I'd look for parental filtering on a router if I were to go this route...
Matt Thompson

Most newer Netgear routers have built-in filtering through OpenDNS. Very useful.
Ronald Kanagy

Assuming I have one of these routers that provide some type of filtering on the packet level, what would I use as my filtering criteria?
Steel

Also interested in the reply - there's an open question about routing all traffic to a CE VPN/proxy around here somewhere...

Although I'd have to guess that proper encryption of a VM's network traffic would by its very nature be a "problem"...