Version:
6.0.x, 7.0.1.x
Issue:
Files written by a trusted installer are not approved.
Symptoms:
Trust propagation is not working as expected. Files written by a trusted installer should be approved by trust propagation, but they are not. File write I/O on the endpoint is not reaching the Bit9 agent's filter driver.
Cause:
Various vendors, Bit9 included, install file system filter drivers. Each filter driver has an altitude; the higher the altitude, the closer the filter sits to the application layer in the I/O stack, so it receives and processes I/O requests before filters at lower altitudes. Write filters such as the Microsoft Enhanced Write Filter (EWF) and File-Based Write Filter (FBWF) used on Windows Embedded handle the write themselves and do not pass it down to filters at lower altitudes. A filter driver loaded below the write filter, such as the Bit9 paritydriver, therefore never sees the write. Trust propagation depends on seeing those writes, so the files written by the trusted installer are not approved.
Solution:
To list the loaded filter drivers together with their altitudes, run fltmc (or fltmc filters) from an elevated command prompt.
There are two options: remove the third-party filter driver, or raise the altitude of the Bit9 filter driver above that of the offending filter driver.
To change the altitude of the Bit9 paritydriver, modify the Bit9 registry hive. A distribution mechanism such as GPO can push the update across the enterprise; the steps below apply the change manually on a single endpoint.
- Retrieve the CLI password from the Bit9 console: Assets > Computers > <computer> > Parity agent tab
- On the endpoint in question, open an elevated (administrator) command prompt and change to the Parity agent installation directory. Typically: cd c:\program files (x86)\bit9\parity agent
- dascli password <cli password>
- dascli tamperprotect off
- regedit
- In regedit, navigate to HKLM\SYSTEM\CurrentControlSet\services\paritydriver\Instances\Parity Instance
- Set the Altitude value (REG_SZ) to 329050. Altitudes must be unique among loaded filters, so first confirm with fltmc that no other loaded filter already uses 329050; a collision makes the reload in the next steps fail.
- sc stop parity
- fltmc unload paritydriver
- fltmc load paritydriver
- sc start parity
- Confirm with fltmc that paritydriver now reports the new altitude, then re-enable tamper protection: dascli tamperprotect on
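The following PowerShell script is an added example written for this article; it is not Bit9-supplied tooling. It covers both the diagnosis described under Cause (which loaded filters sit above paritydriver and therefore see writes first) and the registry and reload steps listed above. It assumes it is run in an elevated PowerShell session on the endpoint after 'dascli tamperprotect off' has been issued; the service name parity, the instance key path and the altitude 329050 come from the steps above. Everything else (the script's function and parameter names) is an assumption for illustration. Without -Apply it only reports.

```powershell
<#
  Added example for this article; not Bit9-supplied tooling.
  Reports which minifilters are attached above paritydriver and, with -Apply,
  performs the registry/reload steps from the article.
  Assumptions: elevated PowerShell on the endpoint, tamper protection already
  disabled with 'dascli tamperprotect off'.
#>
param(
    [string]$TargetAltitude = '329050',   # value from the article's step list
    [switch]$Apply                        # omit to run in report-only mode
)

# Instance key from the article's step list
$instanceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\paritydriver\Instances\Parity Instance'

# Parse 'fltmc filters'. Column layout: Filter Name / Num Instances / Altitude / Frame.
# Legacy (non-minifilter) drivers report "<Legacy>" instead of a numeric altitude.
function Get-LoadedFilter {
    foreach ($line in (& fltmc.exe filters)) {
        if ($line -match '^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$' -and $Matches[1] -notmatch '^-') {
            $alt = $null
            if ($Matches[3] -match '^\d+(\.\d+)?$') { $alt = [double]$Matches[3] }
            [pscustomobject]@{
                Name     = $Matches[1]
                Altitude = $alt          # $null for legacy filters
                Frame    = $Matches[4]
            }
        }
    }
}

$filters = @(Get-LoadedFilter)
$parity  = $filters | Where-Object { $_.Name -eq 'paritydriver' }
if (-not $parity) { throw 'paritydriver is not loaded; nothing to compare against.' }

# Filters with a higher altitude sit above paritydriver and receive I/O first.
# A write filter up here can complete the write without passing it down.
$above = $filters |
    Where-Object { $_.Altitude -ne $null -and $_.Altitude -gt $parity.Altitude } |
    Sort-Object Altitude -Descending
"paritydriver altitude: $($parity.Altitude)"
"Filters attached above paritydriver:"
$above | Format-Table Name, Altitude, Frame -AutoSize | Out-Host

$legacy = $filters | Where-Object { $_.Altitude -eq $null }
if ($legacy) {
    "Legacy filters (no altitude reported, so fltmc cannot show their order): " +
    (($legacy | ForEach-Object { $_.Name }) -join ', ')
}

# Altitudes must be unique among loaded filters; a collision makes the reload fail.
$collision = $filters | Where-Object { $_.Name -ne 'paritydriver' -and $_.Altitude -eq [double]$TargetAltitude }
if ($collision) {
    throw "Altitude $TargetAltitude is already used by $(($collision | ForEach-Object { $_.Name }) -join ', ')"
}
$stillAbove = $above | Where-Object { $_.Altitude -gt [double]$TargetAltitude }
if ($stillAbove) {
    Write-Warning ("These filters would still sit above {0}: {1}" -f $TargetAltitude,
        (($stillAbove | ForEach-Object { $_.Name }) -join ', '))
}

if ($Apply) {
    $current = (Get-ItemProperty -Path $instanceKey -Name Altitude).Altitude
    "Registry Altitude: $current -> $TargetAltitude"
    # Altitude is a REG_SZ value; passing a string keeps that type.
    Set-ItemProperty -Path $instanceKey -Name Altitude -Value $TargetAltitude
    # Stop-Service/Start-Service replace 'sc stop/start parity' and wait for the
    # state change; note that 'sc' inside PowerShell is an alias for Set-Content.
    Stop-Service -Name parity
    & fltmc.exe unload paritydriver
    & fltmc.exe load paritydriver
    Start-Service -Name parity
    "paritydriver after reload:"
    Get-LoadedFilter | Where-Object { $_.Name -eq 'paritydriver' } | Format-Table -AutoSize | Out-Host
}
```

Run it once without -Apply to see which filters sit above paritydriver and whether 329050 would actually place paritydriver above the offending write filter; if the warning reports filters still above the target, raising to 329050 will not fix the symptom and the remaining option is removing the third-party filter. Run 'dascli tamperprotect on' after the change has been verified.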
Important Note(s):
This solution does not apply to version 7.2, where paritydriver already runs at the higher altitude.
Additional resources for Write Filter Drivers:
- http://msdn.microsoft.com/en-us/library/aa940926(v=WinEmbedded.5).aspx
- http://msdn.microsoft.com/en-us/library/ms838511(v=winembedded.5).aspx#ewf_winxp_topi