Unexpected Inventory Computers

Introduction

This topic describes frequently asked questions about why unexpected computers sometimes appear in the Admin By Request inventory and how to detect and identify them.

Frequently Asked Questions (FAQ)

Why do unexpected computers sometimes appear in the ABR inventory?

Unexpected computers can appear in the portal inventory for the following reasons:

  • Cause – security tool sandboxing: Endpoint protection products such as EDR/AV, VPN clients and next‑generation firewalls often download and detonate (install) the ABR MSI in a virtual sandbox to analyze its behavior. Because the ABR installer embeds its license, the install completes inside the sandbox and the sandbox registers itself in the portal without anyone entering a key manually.

  • Prevalence: This behavior is widespread among major security vendors, and new sandboxes keep appearing despite our ongoing efforts to detect and filter them.

  • Typical indicators: These phantom entries frequently report old operating systems (e.g., Windows 7 or early Windows 10 builds), generic hostnames and little or no system activity.

  • Past vs present: In the past, the device’s IP address could be traced back to the security tool vendor, but many modern sandboxes route their traffic through Tor or other anonymizing networks, making the source IP less useful.

  • Remediation: If you see an unknown device with these traits, it is usually safe to delete it from your inventory; removing these entries does not affect your real endpoints. Before deleting, confirm the device is not one of your own virtual desktops or lab machines, which share some of the same traits.

How can I detect and identify a machine that was spun up in a sandbox?

There are a number of ways to check if an unknown computer in the inventory is a sandboxed machine:

  • Check operating‑system details: Sandboxes often run outdated OS images such as Windows 7 or early builds of Windows 10, and they lack your organization’s naming standard and endpoint‑management agents.

  • Look for virtual‑machine artefacts: Virtualization platforms leave tell‑tale signs. Examples include:

    • MAC address prefixes – The first three octets (the OUI) identify the NIC vendor. VMware adapters typically start with 00:1C:14, 00:50:56, 00:05:69 or 00:0C:29; VirtualBox uses 08:00:27; Hyper‑V uses 00:15:5D (the older Microsoft Virtual PC/Virtual Server range is 00:03:FF). Physical NICs from vendors like HP, Dell, Broadcom and Nvidia start with different prefixes.

      Refer to MAC Address Vendors - Data Feed to look up detailed information on the physical NICs used in your environment.

    • Virtualization registry keys/processes – Windows VMs often contain registry keys, services or processes named after VMware or VirtualBox (e.g. the VMTools service and HKLM\SOFTWARE\VMware, Inc.\VMware Tools, or VBoxService, VBoxTray.exe and HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions). Their presence strongly suggests the machine is running in a virtual environment.

    • Unusual CPU/memory profiles – Sandboxes may have very few CPU cores, little memory or a tiny disk. MITRE ATT&CK (Virtualization/Sandbox Evasion: System Checks, T1497.001) notes that adversaries use system‑information checks (via WMI/PowerShell) to look for VM artefacts such as network adapter addresses, CPU core count and available memory/drive size; you can use the same checks to identify sandboxes.

  • Hostnames and file locations: Temporary machines may have generic hostnames (e.g. WIN7X64, VMware) or save the installer in paths containing names like sample or malware, or long hexadecimal hash strings.

  • Assess user activity: Real endpoints show file changes, backups and user logins; a sandbox usually shows none, and automated analysis rarely produces the interaction a real user does (mouse movement, scrolling, window focus changes).

  • Observe network behavior: Sandboxes frequently communicate from data center IP ranges or Tor exit nodes. They may contact the portal once during installation and never check in again.

  • Hardware/BIOS identifiers: Virtual CPUs identify their hypervisor through the CPUID instruction. Executing CPUID with EAX=1 sets bit 31 of ECX (the “hypervisor present” bit) when running under a hypervisor, and leaf 0x40000000 returns the hypervisor vendor string (e.g. “VMwareVMware”, “Microsoft Hv”, “VBoxVBoxVBox”, “KVMKVMKVM”). Treat the bit as supporting evidence rather than proof: a physical Windows host with Hyper‑V or virtualization‑based security (Credential Guard, HVCI) enabled also runs under Hyper‑V and reports it.

    Refer to Malware Evasion Techniques Part 2: Anti-VM for detailed information on certain malware evasion techniques.

  • Automated heuristics: Pull the inventory via the ABR API and score each device against several sandbox characteristics (e.g. old OS, VM MAC prefix, generic hostname, no backups or logins, a single check‑in). Flag devices that match more than one indicator rather than acting on any single one, since your own virtual desktops will match some of them.
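The scoring described above, as an added example written for this page rather than code from Admin By Request. It combines the indicators from this FAQ (hypervisor OUIs, outdated OS, generic hostname, suspicious installer path, a single check‑in, no user activity) into one verdict per device. The InventoryEntry field names, the corporate hostname pattern, the verdict thresholds and the sample rows are all assumptions for the example, not the ABR API's schema; map the real API fields onto them when you fetch your inventory.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypervisor OUIs (first three octets of the guest NIC's MAC address).
# 00:15:5D is the Hyper-V dynamic range; 00:03:FF is the older Microsoft Virtual PC range.
VM_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5D": "Hyper-V", "00:03:FF": "Microsoft Virtual PC",
}
OLD_OS_RE = re.compile(r"windows\s+(xp|vista|7|8(\.1)?)\b", re.I)
EARLY_WIN10_RE = re.compile(r"windows\s+10\b.*\b1[5-7]\d\d\b", re.I)   # releases 1507-1709
GENERIC_HOST_RE = re.compile(r"^(win\d|win7x64|win10|vmware|sandbox|analysis|pc)", re.I)
SUSPICIOUS_PATH_RE = re.compile(r"(sample|malware|virus|analy[sz]|[0-9a-f]{32,})", re.I)


@dataclass(frozen=True)
class InventoryEntry:
    """One portal inventory row. Field names are assumptions for this example,
    not the ABR API's schema."""
    hostname: str
    os_name: str
    mac: str
    install_path: str
    first_seen: datetime
    last_seen: datetime
    checkins: int
    user_logins: int


def oui(mac: str) -> str:
    """Normalise 'aa-bb-cc-dd-ee-ff' or 'AA:BB:CC:DD:EE:FF' to the 'AA:BB:CC' prefix."""
    octets = re.split(r"[:\-]", mac.strip().upper())
    return ":".join(octets[:3])


def sandbox_indicators(e: InventoryEntry, corp_host_re: re.Pattern) -> list[str]:
    """Return the list of sandbox indicators a device matches (empty for a clean host)."""
    hits = []
    vendor = VM_OUIS.get(oui(e.mac))
    if vendor:
        hits.append(f"vm-oui:{vendor}")
    if OLD_OS_RE.search(e.os_name) or EARLY_WIN10_RE.search(e.os_name):
        hits.append("old-os")
    if GENERIC_HOST_RE.match(e.hostname) or not corp_host_re.match(e.hostname):
        hits.append("generic-host")
    if SUSPICIOUS_PATH_RE.search(e.install_path):
        hits.append("suspicious-path")
    if e.checkins <= 1 and e.last_seen - e.first_seen < timedelta(days=1):
        hits.append("single-checkin")
    if e.user_logins == 0:
        hits.append("no-user-activity")
    return hits


def verdict(hits: list[str]) -> str:
    # Thresholds are an assumption; tune them against your own inventory.
    if len(hits) >= 3:
        return "likely-sandbox"
    return "review" if len(hits) == 2 else "ok"


def triage(entries, corp_host_re: re.Pattern) -> dict:
    """Map hostname -> (verdict, indicators) for every inventory entry."""
    out = {}
    for e in entries:
        hits = sandbox_indicators(e, corp_host_re)
        out[e.hostname] = (verdict(hits), hits)
    return out


CORP_HOST_RE = re.compile(r"^CORP-", re.I)   # assumption: your own naming standard
_T0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [  # constructed rows for the example, not real inventory data
    InventoryEntry("WIN7X64", "Windows 7 Professional SP1", "00:0c:29:4a:1b:77",
                   r"C:\Users\user\Desktop\sample\abr.msi", _T0, _T0, 1, 0),
    InventoryEntry("CORP-LT-0412", "Windows 11 Pro 23H2", "F8:75:A4:12:34:56",
                   r"C:\Windows\ccmcache\abr\AdminByRequest.msi",
                   _T0, _T0 + timedelta(days=30), 120, 35),
    # A legitimate corporate VDI desktop: a VM OUI on its own is not enough to flag it.
    InventoryEntry("CORP-VDI-0911", "Windows 11 Enterprise 23H2", "00:15:5D:02:AB:CD",
                   r"C:\Windows\ccmcache\abr\AdminByRequest.msi",
                   _T0, _T0 + timedelta(days=30), 118, 28),
]

if __name__ == "__main__":
    for host, (v, hits) in triage(SAMPLE_ENTRIES, CORP_HOST_RE).items():
        print(f"{host:<14} {v:<15} {', '.join(hits) or '-'}")
```

The Hyper‑V VDI row is the reason to score rather than match on a single indicator: it trips the OUI check but nothing else, so it stays "ok", while the WIN7X64 row matches all six indicators.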

Don't hesitate to contact us if you observe behavior different from that described here, or if you have any questions about unknown portal entries.