
Interoperability between Bit9 and Write Filter Drivers

Version:

6.0.2.x, 7.0.1.x

Issue:

In environments such as Point of Sale (POS) systems, the Microsoft Enhanced Write Filter driver (FBWF) is used to redirect write operations, either to protect the data on disk from being modified or because no disk storage is available. Typically the writes are redirected to RAM. Because these write filter drivers reside at a higher altitude (i.e., closer to the application) than the Bit9 agent, they intercept the write operations before Bit9 sees them. As a result, Bit9 does not get a disposition for the files until they are executed.

Symptoms:

Various symptoms occur in these environments, such as rules not working as expected, or trust propagation for a trusted installer not approving the files it writes to disk.

Cause:

The Microsoft Enhanced Write Filter driver resides at a higher altitude than the Bit9 agent. You can list the loaded filter drivers and their altitudes by running the fltmc command from an elevated (administrative) command prompt. The write filter, FBWF, has been seen at altitude 329000, while the Bit9 agent's altitude is 80800 as of 7.0.1.x. In agent version 7.2 the Bit9 agent's altitude was changed to 329050, which places it above FBWF.
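To make the altitude comparison concrete, the following is an added Python example, not Bit9 or Microsoft code. It parses the table that `fltmc filters` prints and reports whether a write filter sits above the Bit9 agent in the filter stack (higher altitude means closer to the application, so that filter sees the write first). The two `fltmc` outputs are constructed samples: `Bit9Agent` and `ExampleFilter` are placeholder filter names rather than real driver names, while the altitudes 329000, 80800 and 329050 are the ones quoted above.

```python
import re
from typing import Dict, Optional

# Constructed samples of `fltmc filters` output (the command has to be run from
# an elevated command prompt). "Bit9Agent" and "ExampleFilter" are placeholder
# names, not real driver names; the altitudes are those quoted in the article.
FLTMC_701 = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
FBWF                                    1         329000     0
Bit9Agent                               1          80800     0
ExampleFilter                           1          45000     0
"""

FLTMC_72 = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
Bit9Agent                               1         329050     0
FBWF                                    1         329000     0
ExampleFilter                           1          45000     0
"""

# One data row: filter name, instance count, altitude (may have a decimal part),
# frame number. The header and the dashed rule line do not match this pattern.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<instances>\d+)\s+(?P<altitude>\d+(?:\.\d+)?)\s+(?P<frame>\d+)\s*$"
)


def parse_fltmc(output: str) -> Dict[str, float]:
    """Map each loaded filter name to its altitude."""
    altitudes: Dict[str, float] = {}
    for line in output.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            altitudes[match.group("name")] = float(match.group("altitude"))
    return altitudes


def write_filter_above_agent(altitudes: Dict[str, float], write_filter: str, agent: str) -> Optional[bool]:
    """True if the write filter is stacked above the agent and therefore sees
    the write operations first; None if either filter is not loaded."""
    if write_filter not in altitudes or agent not in altitudes:
        return None
    return altitudes[write_filter] > altitudes[agent]


def assess(output: str, write_filter: str = "FBWF", agent: str = "Bit9Agent") -> str:
    """Summarise the stacking order of the two filters as a diagnostic string."""
    altitudes = parse_fltmc(output)
    above = write_filter_above_agent(altitudes, write_filter, agent)
    if above is None:
        missing = [name for name in (write_filter, agent) if name not in altitudes]
        return "not loaded: " + ", ".join(missing)
    if above:
        return (f"{write_filter} ({altitudes[write_filter]:.0f}) is above {agent} "
                f"({altitudes[agent]:.0f}): redirected writes bypass the agent")
    return (f"{agent} ({altitudes[agent]:.0f}) is above {write_filter} "
            f"({altitudes[write_filter]:.0f}): agent sees writes first")


if __name__ == "__main__":
    for label, sample in (("7.0.1.x", FLTMC_701), ("7.2", FLTMC_72)):
        print(f"{label}: {assess(sample)}")
```

On a real system, pipe the output of `fltmc filters` into `assess()` and substitute the actual name of the agent's filter driver for the `Bit9Agent` placeholder; a "bypass" result is the altitude ordering described in the Cause section.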

Solution:

There are two approaches:

  1. Ask the customer whether the write filter is actually needed. If it is not, it can be removed.
  2. Upgrade the agents to 7.2 or later.
Creation Date: 01-19-2015