IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Interopability between Bit9 and Write Filter Drivers

Interopability between Bit9 and Write Filter Drivers

Version:

 

6.0.2.x, 7.0.1.x

 

Issue:

 

In environments such as Point Of Sales (POS) the Microsoft Enhanced Write Filter driver (FBWF)  is used to redirect write operations to either protect data from being modified on disk or where no disk storage is available. Typically the redirect will go to RAM. Because these write filter drivers reside at a higher altitude (a.k.a closer to the application) they will intercept the write operations before Bit9 sees them.  This will mean that Bit9 will not get disposition of the files until execution.

 

Symptoms:

 

Various symptoms occur in these instances such as, rules not working as expected or trust propagation for a trusted installer not approving the files it places down on the disk.

 

Cause:

 

The Microsoft Enhanced Write Filter driver resides at a higher altitude than what Bit9 agents reside at.  You can use the fltmc command to list out the filter drivers and their altitudes by running it within an administrative elevated command prompt.  It has been seen that the write filter, FBWF, altitude is at 329000 while Bit9 agent's altitude is at 80800 as of 7.0.1.x.  This altitude has been changed for the Bit9 agent in 7.2 to be at 329050.

 

Solution:

 

There are two approaches:

 

  1. One is to ask the customer if the use of the write filter is needed.  If not it can be removed.
  2. Upgrade agents to 7.2 or later.
Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎01-19-2015
Views:
907
Contributors