EldoS | Feel safer!

Software components for data protection, secure storage and transfer

CBFS driver invoked for non cbfs requests?

#36574
Posted: 04/26/2016 02:56:03
by William Levra-Juillet (Priority Standard support level)
Joined: 09/05/2013
Posts: 49

Hi,

We received a complaint from a customer, stating that the cbfs driver (cbfs5.sys) is invoked for file requests on drive C: (ntfs).
We confirmed the same behaviour exists also with cbfs6.

For example, a "GetFileAttribute" on drive C: has the following callstack:
ntdll.dll!ZwQueryFullAttributesFile
ntoskrnl.exe!KiSystemServiceCopyEnd
ntoskrnl.exe!NtQueryFullAttributesFile
ntoskrnl.exe!ObOpenObjectByName
ntoskrnl.exe!ObpLookupObjectByName
ntoskrnl.exe!IopParseDevice
- cbfs5.sys!<no symbols>
- - cbfs5.sys!<no symbols>
- - - fltmgr.sys!FltpCreate
- - - - fltmgr.sys!FltpLegacyProcessingAfterPreCallbacksCompleted
- - - - - fltmgr.sys!FltpPerformPostCallbacks
- - - - - Ntfs.sys!NtfsFsdCreate
...
Note that no cbfs drives are mounted on the machine.
Is that expected behaviour?

Thx
#36575
Posted: 04/26/2016 03:28:46
by Eugene Mayevski (EldoS Corp.)

This is a filter driver. It is attached on top of all other filter drivers once a virtual disk is created. The driver is attached for a reason (to prevent deadlocks in badly written filter drivers). Once the filter is attached, it can't be removed until reboot.

There is no way to disable this driver, and no plans to do this, for the reason that there's a big chance of getting a deadlock, and CBFS will be blamed for such a deadlock (despite the fact that the deadlock comes from the non-reentrant third-party filter driver).


Sincerely yours
Eugene Mayevski
#36576
Posted: 04/26/2016 03:48:27
by William Levra-Juillet (Priority Standard support level)
Joined: 09/05/2013
Posts: 49

Thx Eugene,

Do you mean that if no cbfs drives are mounted (no virtual drives created), after a clean reboot, the filter driver should not be loaded?
Or do we need to uninstall it completely?
#36577
Posted: 04/26/2016 04:03:19
by Eugene Mayevski (EldoS Corp.)

Quote
William Levra-Juillet wrote:
Do you mean that if no cbfs drives are mounted (no virtual drives created), after a clean reboot, the filter driver should not be loaded?


Yes, the filter driver should not be active after a clean reboot if no drives have been created yet.


Sincerely yours
Eugene Mayevski


As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
