Hi Christian,
> Now, we suspect that some providers could bypass the protection scheme by simply install many VMs on their servers.
Whether an application runs in a virtual machine should be easy to figure out since many of the drivers are referring to either the manufacturer like VMWare or the selection of available simulated hardware is small. If you can't go the USB dongle route (which should only be visible to one virtual machine at a time), you could prevent your application from running on virtual machines, at all. However, this might cost you some customer, since many IT departments move to virtual platforms even if they only have one instance with your application running.
Inside a VMWare you can still access the network. If all virtual machines can access a single resource, you could use that resource for licensing management. If your application is available from the internet, you could authenticate across the internet periodically, and so on.
If you haven't tested your application in a virtual machine environment that would be the first thing to do, because only this way you find out what is possible to work around your protection scheme.
--
Christof