
Interoperability between Bit9 and Write Filter Drivers


Version
6.0.2.x

7.0.1.x

Issue
In environments such as Point of Sale (POS), the Microsoft Enhanced Write Filter driver (FBWF) is used to redirect write operations, either to protect data on disk from being modified or because no disk storage is available. Typically the redirect goes to RAM. Because these write filter drivers reside at a higher altitude (a.k.a. closer to the kernel), they intercept the write operations so that Bit9 never receives them. This means Bit9 will not get disposition of the files until execution.

Symptoms

Various symptoms occur in these instances, such as rules not working as expected, or trust propagation for a trusted installer not approving the files it places on disk.

Cause
The Microsoft Enhanced Write Filter driver resides at a higher altitude than the Bit9 agent does. You can list the filter drivers and their altitudes by running the fltmc command from an elevated (administrative) command prompt. The write filter, FBWF, has been seen at altitude 329000, while the Bit9 agent's altitude is 80800 as of 7.0.1.x. In 7.2.0.x the Bit9 agent's altitude changes to 329050.
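To make the altitude check repeatable across a fleet of POS hosts, the following script (an added example, not part of this article or the Bit9 product) parses the `fltmc filters` output and reports whether a write filter is loaded above the agent's minifilter. The filter names `fbwf` and `Parity` are assumptions; replace them with the names fltmc prints on your host.

```powershell
# Added example (not from the original article): compare minifilter altitudes
# from `fltmc filters` output to check whether a write filter sits above the
# Bit9 agent filter. Filter names below are assumptions: change them to match
# what fltmc prints on your host.
param(
    [string]$WriteFilterName = 'fbwf',    # assumed name of the write filter
    [string]$AgentFilterName = 'Parity'   # assumed name of the Bit9 agent filter
)

function ConvertFrom-FltmcFilters {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows look like: <name> <instances> <altitude> <frame>; header and
        # separator rows do not match and are skipped.
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [double]$Matches[3]
                Frame     = [int]$Matches[4]
            }
        }
    }
}

function Test-WriteFilterAboveAgent {
    param([object[]]$Filters, [string]$WriteFilter, [string]$Agent)
    $wf = $Filters | Where-Object Name -eq $WriteFilter
    $ag = $Filters | Where-Object Name -eq $Agent
    if (-not $wf) { return "Write filter '$WriteFilter' not loaded: no interop issue from it." }
    if (-not $ag) { return "Agent filter '$Agent' not found: check the filter name with fltmc." }
    if ($wf.Altitude -gt $ag.Altitude) {
        # Higher altitude sees the write first, so the agent misses the redirected writes.
        return ("'{0}' (altitude {1}) is above '{2}' (altitude {3}): writes are redirected " +
                "before the agent sees them; remove the write filter or upgrade the agent.") -f
               $wf.Name, $wf.Altitude, $ag.Name, $ag.Altitude
    }
    return "'{0}' ({1}) is above '{2}' ({3}): the agent sees writes first." -f $ag.Name, $ag.Altitude, $wf.Name, $wf.Altitude
}

# Live run needs an elevated prompt; otherwise fall back to constructed sample
# output using the altitudes quoted in the article so the script runs offline.
$raw = try { & fltmc.exe filters 2>$null } catch { $null }
if (-not $raw) {
    $raw = @(
        'Filter Name                     Num Instances    Altitude    Frame',
        '------------------------------  -------------  ------------  -----',
        'fbwf                                    1       329000         0',
        'Parity                                  1       80800          0'
    )
}
Test-WriteFilterAboveAgent -Filters (ConvertFrom-FltmcFilters $raw) -WriteFilter $WriteFilterName -Agent $AgentFilterName
```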

Solution

There are two approaches:


1. Is the other write filter still needed? If not, it can be removed.

2. Upgrade agents to 7.2.0.x.


Internal Notes

https://community.bit9.com/docs/DOC-3753

Creation Date: 12-22-2015