Version:
6.0.2.x, 7.0.1.x
Issue:
In environments such as Point of Sale (POS) systems, the Microsoft File-Based Write Filter (FBWF) driver is used to redirect write operations, either to protect the data on disk from modification or because no writable disk storage is available. Typically the writes are redirected to RAM. Because these write filter drivers reside at a higher altitude (that is, closer to the application) than the Bit9 agent, they intercept the write operations before Bit9 sees them. As a result, Bit9 does not get to assign a disposition to the written files until they are executed.
Symptoms:
Symptoms vary in these cases, for example rules not working as expected, or trust propagation from a trusted installer not approving the files it writes to disk.
Cause:
The write filter driver resides at a higher altitude than the Bit9 agent, so it receives the write I/O first. You can list the loaded filter drivers and their altitudes with the fltmc command, run from an elevated (administrator) command prompt. The FBWF write filter has been seen at altitude 329000, while the Bit9 agent's altitude is 80800 as of 7.0.1.x. In 7.2 the Bit9 agent's altitude was changed to 329050, which places it above FBWF so the agent sees writes before they are redirected.
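The check described above, as an added PowerShell example rather than anything shipped by Bit9 or Carbon Black: it parses the table printed by fltmc filters, sorts the loaded minifilters by altitude, and reports whether the write filter sits above the agent. The default filter names ($AgentFilter and $WriteFilter) are assumptions; replace them with the names fltmc shows on your host.

```powershell
# Added example (not Bit9/Carbon Black code). Run from an elevated PowerShell
# prompt, because fltmc needs administrator rights to enumerate filters.
# The two filter names below are assumptions: use the names fltmc prints on
# your system for the Bit9 agent minifilter and for the write filter.
param(
    [string]$AgentFilter = 'parity',   # assumed name of the Bit9 agent minifilter
    [string]$WriteFilter = 'fbwf'      # assumed name of the write filter
)

function Get-FltmcFilters {
    # Parse the output of "fltmc filters", which looks like:
    #   Filter Name   Num Instances   Altitude   Frame
    #   ----------    -------------   --------   -----
    #   fbwf                  1       329000       0
    $raw = & fltmc.exe filters 2>&1
    if ($LASTEXITCODE -ne 0) { throw "fltmc failed (is the prompt elevated?): $raw" }

    $rows = @()
    $inTable = $false
    foreach ($line in $raw) {
        # The dashed separator marks the start of the data rows.
        if ($line -match '^-{5,}') { $inTable = $true; continue }
        if (-not $inTable -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $parts = ($line.Trim() -split '\s+')
        if ($parts.Count -lt 3) { continue }   # skip anything that is not a data row

        $rows += [pscustomobject]@{
            Name      = $parts[0]
            Instances = [int]$parts[1]
            # Altitudes may carry a fractional part; parse culture-independently.
            Altitude  = [double]::Parse($parts[2], [System.Globalization.CultureInfo]::InvariantCulture)
            Frame     = if ($parts.Count -ge 4) { $parts[3] } else { $null }
        }
    }
    return $rows
}

function Test-FilterOrder {
    param([object[]]$Filters, [string]$AgentName, [string]$WriteFilterName)

    $agent = $Filters | Where-Object { $_.Name -ieq $AgentName }
    $wf    = $Filters | Where-Object { $_.Name -ieq $WriteFilterName }

    if (-not $agent) { return "Agent filter '$AgentName' is not loaded." }
    if (-not $wf)    { return "Write filter '$WriteFilterName' is not loaded; nothing redirects writes ahead of the agent." }

    # Higher altitude = closer to the application = sees the I/O first.
    if ($wf.Altitude -gt $agent.Altitude) {
        return ("PROBLEM: {0} ({1}) sits above {2} ({3}); writes are redirected before the agent sees them." -f
            $wf.Name, $wf.Altitude, $agent.Name, $agent.Altitude)
    }
    return ("OK: {0} ({1}) sits above {2} ({3}); the agent sees writes before the write filter." -f
        $agent.Name, $agent.Altitude, $wf.Name, $wf.Altitude)
}

$filters = Get-FltmcFilters
$filters | Sort-Object Altitude -Descending | Format-Table Name, Altitude, Instances, Frame -AutoSize
Test-FilterOrder -Filters $filters -AgentName $AgentFilter -WriteFilterName $WriteFilter
```

The sorted table is the same ordering the filter manager uses when dispatching I/O, so any filter listed above the agent gets to see (and possibly redirect) a write before the agent does.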
Solution:
There are two approaches:
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.