Faking VM CPU Fan Detection

Malware checks the Win32_Fan WMI class to detect virtual machines and avoid analysis.

Windows retrieves CPU fan information from SMBIOS type 27 (Cooling Device) entries.

Xen’s smbios_firmware option only overrides certain SMBIOS types, so a patch is needed to add type 27 and 28 support.

Both SMBIOS type 27 (fan) and type 28 (temperature probe) structures must be included with proper size prefixes for Windows to report a CPU fan.

QEMU/KVM users can inject SMBIOS data with the -smbios option without adding size prefixes or patching the hypervisor.

Get notified when new stories are published for "General AI News"

No Sign-In needed. One-Click Subscribe.

•

General AI News•June 29, 2025 at 04:57 PM

Malware checks the Win32_Fan WMI class to detect virtual machines and avoid analysis.

Windows retrieves CPU fan information from SMBIOS type 27 (Cooling Device) entries.

Xen’s smbios_firmware option only overrides certain SMBIOS types, so a patch is needed to add type 27 and 28 support.

Both SMBIOS type 27 (fan) and type 28 (temperature probe) structures must be included with proper size prefixes for Windows to report a CPU fan.

QEMU/KVM users can inject SMBIOS data with the -smbios option without adding size prefixes or patching the hypervisor.

Get notified when new stories are published for "General AI News"

No Sign-In needed. One-Click Subscribe.