Bit9 trust propagation interoperability with the Microsoft Enhanced Write Filter
Files written by a trusted installer are not approved.
Trust propagation is not working as expected. Files written by trusted installers are expected to be approved by trust propagation, but write I/O on the endpoint is not reaching the Bit9 agent.
Various vendors, Bit9 included, make use of file system filter drivers. Each filter driver has an altitude associated with it: the higher the altitude, the closer the filter driver sits to the application, and the earlier it receives and processes I/O. In cases like the Microsoft Enhanced Write Filter (FBWF), write activity is processed by that filter driver and the write is not passed along to filters at lower altitudes. Filter drivers running at a lower altitude, such as the Bit9 driver, therefore never see the write. This causes Bit9 trust propagation to fail, because the files written are never approved.
In order to view a list of filter drivers you can run 'fltmc' (without the quotes) from the command prompt.
There are two choices: remove the third-party filter driver, or raise the altitude of the Bit9 filter driver above that of the offending filter driver.
To change the altitude of the Bit9 paritydriver, modify the Bit9 registry hive. A distribution mechanism such as GPO can be used to push the change across the enterprise. The steps below make the change manually in the registry.
Retrieve the CLI password on the Bit9 console by going to Assets > Computers > <computer> > Parity agent tab
On the endpoint in question, open an elevated (administrator) command prompt and change to the Parity agent installation directory. Typically: cd c:\program files (x86)\bit9\parity agent
dascli password <cli password>
dascli tamperprotect off
In regedit, navigate to HKLM\SYSTEM\CurrentControlSet\services\paritydriver\Instances\Parity Instance
Set the Altitude value to 329050
sc stop parity
fltmc unload paritydriver
fltmc load paritydriver
sc start parity
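The following PowerShell script is an added example, not part of the original article or of Bit9's own tooling. It parses the table printed by fltmc to show which loaded filters sit above the Bit9 driver (and so receive writes first), reads the Altitude value at the registry path given above, and writes the new value only when run with -Apply. The filter name paritydriver, the altitude 329050 and the registry path come from the article; the script assumes it is run from an elevated prompt after tamper protection has been turned off.

```powershell
# Added example (not from the original article): compare the Bit9 Parity filter
# altitude with the other loaded filters and optionally set the registry value.
param(
    [string]$Bit9Filter = 'paritydriver',   # filter name as shown by fltmc
    [string]$TargetAltitude = '329050',     # altitude given in the article
    [switch]$Apply                          # write the registry only when set
)

# Parse the 'fltmc filters' table (Name, Num Instances, Altitude, Frame) into objects.
function Get-LoadedFilter {
    fltmc filters | ForEach-Object {
        if ($_ -match '^(?<Name>\S+)\s+(?<Instances>\d+)\s+(?<Altitude>\d+)(?:\s+(?<Frame>\d+))?') {
            [pscustomobject]@{
                Name      = $Matches.Name
                Instances = [int]$Matches.Instances
                Altitude  = [int]$Matches.Altitude
                Frame     = [int]$Matches.Frame
            }
        }
    }
}

$filters = Get-LoadedFilter
$bit9 = $filters | Where-Object Name -eq $Bit9Filter
if (-not $bit9) { Write-Warning "$Bit9Filter is not loaded; nothing to compare"; return }

# Any filter with a higher altitude sees write I/O before Bit9 and may not pass it down.
$above = $filters | Where-Object { $_.Altitude -gt $bit9.Altitude } | Sort-Object Altitude -Descending
"$Bit9Filter altitude (loaded): $($bit9.Altitude)"
if ($above) {
    "Filters loaded above ${Bit9Filter} (highest first):"
    $above | Format-Table Name, Altitude, Instances -AutoSize | Out-String
} else {
    "No filter is loaded above $Bit9Filter."
}

# Registry location from the article; the Altitude value is stored as a string (REG_SZ).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\paritydriver\Instances\Parity Instance'
$current = (Get-ItemProperty -Path $key -Name Altitude -ErrorAction SilentlyContinue).Altitude
"Registry Altitude: $current"
if ($Apply -and $current -ne $TargetAltitude) {
    # Assumes 'dascli tamperprotect off' has already been run on this endpoint.
    Set-ItemProperty -Path $key -Name Altitude -Value $TargetAltitude
    "Altitude set to $TargetAltitude; stop and reload the driver as described above."
}
```

Run it once without -Apply to confirm which filter sits above paritydriver before changing anything; the new altitude only takes effect after the unload/load steps above.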
This solution does not apply to version 7.2 as the paritydriver already runs at the higher altitude.