Bit9 trust propagation interoperability with the Microsoft Enhanced Write Filter

Version:

6.0.x, 7.0.1.x

Issue:

Files written by a trusted installer are not approved.

Symptoms:

Trust propagation is not working as expected. Files written by trusted installers are expected to be approved by trust propagation, but the I/O writes within the environment are not being received by the Bit9 agent.

Cause:

Various vendors, Bit9 included, make use of file system filter drivers. Each filter driver has an altitude associated with it: the higher the altitude, the closer the filter driver is to the application, so it receives and processes I/O activity first. In cases like the Microsoft Enhanced Write Filter (FBWF), write activity is processed by this filter driver and the write action is not passed along to filters at lower altitudes. Other filter drivers running at a lower altitude, such as Bit9's, therefore never receive the write actions, and Bit9 trust propagation fails because the written files are never approved.

Solution:

To view the list of loaded filter drivers and their altitudes, run 'fltmc' (without the quotes) from the command prompt.

There are two choices: remove the third-party filter driver, or increase the altitude of the Bit9 filter driver beyond that of the offending filter driver.

To change the altitude of the Bit9 paritydriver, modify the Bit9 registry hive. A distribution mechanism such as GPO can be used to make the update across the enterprise. Here are the steps for making the change manually in the registry.


  1. Retrieve the CLI password from the Bit9 console by going to Assets > Computers > <computer> > Parity agent tab.
  2. On the endpoint in question, open an elevated (administrator) command prompt and change to the Parity agent installation directory. Typically: cd "c:\program files (x86)\bit9\parity agent"
  3. dascli password <cli password>
  4. dascli tamperprotect off
  5. regedit
  6. In regedit, navigate to HKLM\SYSTEM\CurrentControlSet\services\paritydriver\Instances\Parity Instance
  7. Modify the Altitude value to 329050
  8. sc stop parity
  9. fltmc unload paritydriver
  10. fltmc load paritydriver
  11. sc start parity
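The following PowerShell script is an added example and is not part of this article or of the Bit9 product; it shows the check behind the Cause section (which loaded filters sit above paritydriver and therefore see writes first) and then automates steps 6 through 11 above. The registry path and the 329050 altitude are taken from the article; the function names are this example's own. It assumes an elevated session on an endpoint where tamper protection has already been turned off with dascli.

```powershell
# Added example (not the article's or Bit9's own code). Run from an elevated
# PowerShell session after 'dascli tamperprotect off' (steps 1-4 of the article).

# Registry location and target altitude as given in the article.
$ParityInstanceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\paritydriver\Instances\Parity Instance'
$TargetAltitude    = '329050'

function Get-FilterAltitudes {
    # Parse the table printed by 'fltmc filters'. Data rows look like:
    #   paritydriver    3    325000    0      (name, instances, altitude, frame)
    # Header and separator lines do not match the pattern and are skipped.
    fltmc filters | ForEach-Object {
        if ($_ -match '^(?<name>\S+)\s+(?<inst>\d+)\s+(?<alt>\d+(?:\.\d+)?)\s+(?<frame>\d+)\s*$') {
            [pscustomobject]@{
                Name     = $Matches.name
                Altitude = [double]$Matches.alt
            }
        }
    }
}

function Test-ParityAltitude {
    # List every loaded filter with a higher altitude than paritydriver. Those
    # filters process writes first; if one of them does not pass writes down
    # (as the article describes for the write filter), paritydriver never
    # sees them and trust propagation cannot approve the written files.
    $filters = Get-FilterAltitudes
    $parity  = $filters | Where-Object { $_.Name -eq 'paritydriver' }
    if (-not $parity) {
        Write-Warning 'paritydriver is not loaded'
        return
    }
    $above = $filters | Where-Object { $_.Altitude -gt $parity.Altitude } | Sort-Object Altitude
    Write-Host ("paritydriver altitude: {0}" -f $parity.Altitude)
    if ($above) {
        Write-Host 'Filters above paritydriver (these process writes first):'
        $above | ForEach-Object { Write-Host ("  {0,-30} {1}" -f $_.Name, $_.Altitude) }
    } else {
        Write-Host 'No loaded filter sits above paritydriver.'
    }
}

function Set-ParityAltitude {
    param([string]$Altitude = $TargetAltitude)
    # Steps 6-11 of the article: change the Altitude value under the Parity
    # Instance key, then reload the driver so the new altitude takes effect.
    $current = (Get-ItemProperty -Path $ParityInstanceKey -Name Altitude).Altitude
    Write-Host "Current registry altitude: $current, setting $Altitude"
    Set-ItemProperty -Path $ParityInstanceKey -Name Altitude -Value $Altitude
    # 'sc' is a PowerShell alias for Set-Content, so call the service tool as sc.exe.
    sc.exe stop parity  | Out-Null
    fltmc unload paritydriver
    fltmc load paritydriver
    sc.exe start parity | Out-Null
    # Confirm the loaded altitude after the reload.
    Test-ParityAltitude
}

# Usage: run the check first and only change the altitude when a filter is
# reported above paritydriver, e.g.:  Test-ParityAltitude ; Set-ParityAltitude
Test-ParityAltitude
```

The check reads the live filter stack from fltmc rather than the registry, so it also confirms after the reload that the driver actually came back at the new altitude; the registry value alone does not tell you whether the reload succeeded.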


Important Note(s):

This solution does not apply to version 7.2 as the paritydriver already runs at the higher altitude.

Additional resources for Write Filter Drivers:

  1. http://msdn.microsoft.com/en-us/library/aa940926(v=WinEmbedded.5).aspx
  2. http://msdn.microsoft.com/en-us/library/ms838511(v=winembedded.5).aspx#ewf_winxp_topi

Creation Date: 01-08-2015