VirtualBox 4 and physical NICs

I use Oracle VirtualBox for much of my testing and demos. Yesterday I wanted to connect two machines so that the VMs on one could talk to the VMs on the other, while keeping that traffic isolated. The easiest way I could think of was to add a second NIC to each machine (host) and connect them with a crossover cable. One of the hosts already had a RealTek Gbps adapter, and the adapter I added used the same chip and thus the same driver. Windows handled this fine, even though both NICs had the same device name (not connection name). Unfortunately, VirtualBox did not: I couldn’t tell the two cards apart. Looking in the config files for VMs configured for bridged networking, I discovered that VirtualBox references physical NICs on the host by name, not GUID etc. So the only fix I could think of was to rename the second NIC.

Like I said, the connection name was different and easily changed, but the device name required some tweaking. Here’s how I did it:

  1. Look up the Device Instance Path for the NIC in Device Manager.
    This is most easily done by opening properties for the NIC from the Network Connections window, since you will not be able to tell the NICs apart if you use Device Manager (since they have the same device name).
    The Device Instance Path will look something like this:
    PCI\VEN_10EC&DEV_8168&SUBSYS_816810EC&REV_01\4&98ECCA6&0&00E3
  2. Now open regedit as LOCAL SYSTEM
    This is most easily achieved by using PsExec.exe from Sysinternals. The command is:
    psexec.exe -i -s regedit.exe
  3. Navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum.
  4. Under the Enum key you will find the “path” from the Device Instance Path.
  5. Under the last part of the path, 4&98ECCA6&0&00E3 in this case, you will find a value called DeviceDesc. It will probably have a value something like this:
    @oem49.inf,%rtl8168.devicedesc%;Realtek PCIe GBE Family Controller
    The value first makes a reference to the driver INF file and a variable within it. I do not know how this works in detail, but you can just change it to any string value you want. The INF file will not contain the data you choose anyway. I changed mine to the name of the device with “#2” appended.
  6. Before the data in DeviceDesc can be changed, you need to give the local Administrators group (or another security principal of your choice) access to the key. While the last part of the Device Instance Path is selected, hit Edit and select Permissions. Add the security principal you want.
  7. Change the value of DeviceDesc.
  8. Exit regedit.
  9. Open or refresh the Network Connections window and check that your device has the new name.
    I did not have to reboot for the change to take effect, but that may be necessary.

After this procedure my “new” NIC instantly showed up in VirtualBox and was available for Bridged Networking. I filed a bug at the VirtualBox site, so maybe they will fix it. I have no idea of the consequences of making this change yet. It may break Windows networking in some subtle way, but I doubt it. You may also have trouble if you need to upgrade the device driver for the NIC, but again, I doubt it. To make sure you do not run into trouble, save the previous data of the DeviceDesc value so you can change it back later. You could also change the permissions back to what they were before. Consider this my disclaimer.
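The backup recommended in the paragraph above can be scripted. This is an added PowerShell example, not part of the original post: it saves the current DeviceDesc data and the key's permissions before step 6, and puts both back later. The function names and the backup file location are hypothetical, and the instance path is the sample from step 1.

```powershell
# Added example: save and restore DeviceDesc and the key permissions for one NIC.
# Backup only reads the key. Restore writes to it, so run it from a session that
# has write access (for instance one started as LOCAL SYSTEM, as in step 2).

$InstancePath = 'PCI\VEN_10EC&DEV_8168&SUBSYS_816810EC&REV_01\4&98ECCA6&0&00E3'  # sample from the post
$BackupFile   = Join-Path $env:TEMP 'nic-devicedesc-backup.xml'                  # hypothetical location

function Get-EnumKeyPath {
    param([string]$InstancePath)
    # The Device Instance Path is the sub-path below the Enum key (steps 3 to 5).
    "HKLM:\SYSTEM\CurrentControlSet\Enum\$InstancePath"
}

function Backup-DeviceDesc {
    param([string]$InstancePath, [string]$File)
    $key = Get-EnumKeyPath $InstancePath
    if (-not (Test-Path -LiteralPath $key)) { throw "No such device key: $key" }
    [pscustomobject]@{
        InstancePath = $InstancePath
        # Original data, e.g. '@oem49.inf,%rtl8168.devicedesc%;Realtek PCIe GBE Family Controller'
        DeviceDesc   = (Get-ItemProperty -LiteralPath $key -Name DeviceDesc).DeviceDesc
        # Permissions on the key before step 6 adds a security principal
        Sddl         = (Get-Acl -LiteralPath $key).Sddl
        SavedAt      = (Get-Date).ToString('s')
    } | Export-Clixml -LiteralPath $File
}

function Restore-DeviceDesc {
    param([string]$File)
    $saved = Import-Clixml -LiteralPath $File
    $key   = Get-EnumKeyPath $saved.InstancePath
    # Put the value back first, while the current permissions still allow writing.
    Set-ItemProperty -LiteralPath $key -Name DeviceDesc -Value $saved.DeviceDesc
    # Then restore only the access rules (DACL); owner and auditing are left alone.
    $acl = Get-Acl -LiteralPath $key
    $acl.SetSecurityDescriptorSddlForm($saved.Sddl, 'Access')
    Set-Acl -LiteralPath $key -AclObject $acl
}

# Before step 6:
#   Backup-DeviceDesc -InstancePath $InstancePath -File $BackupFile
# To undo the rename and the permission change:
#   Restore-DeviceDesc -File $BackupFile
```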

Troubleshooting Forefront Endpoint Protection 2010 Installations

I had a hand in rolling out Forefront Endpoint Protection (FEP) for a customer recently. Some of our clients did not get FEP installed even though the SCCM client was installed and working correctly, and they had all prerequisites present and had successfully received the advertisement and downloaded the files from the distribution point (DP). It turned out that these clients were already running Microsoft Security Essentials (MSE), which FEP does not detect or uninstall. The solution was to manually uninstall MSE first and then wait for the next installation attempt from the SCCM client.

For future reference, these are the anti-malware products that FEP can detect and uninstall before it installs itself:

  • Symantec Endpoint Protection version 11
  • Symantec Corporate Edition version 10
  • McAfee VirusScan Enterprise version 8.5 and version 8.7
  • Trend Micro OfficeScan version 8.0 and version 10.0
  • Forefront Client Security version 1 including the Operations Manager agent

If you want to troubleshoot FEP deployments, here are some interesting log files:

  • %WINDIR%\%TEMP%\FEP-ApplyPolicy-%COMPUTERNAME%.log
  • C:\Documents and Settings\All Users\Programdata\Microsoft\Microsoft Security Client\Support\EppSetup.log
    (This folder also contains other interesting files regarding the FEP install.)

An overview of all SCCM 2007 log files is available here: http://technet.microsoft.com/en-us/library/bb892800.aspx