EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Preventing rule modification \ driver unload by other application

Posted: 08/20/2011 15:32:17
by Ophir Yoktan (Basic support level)
Joined: 08/20/2011
Posts: 1

I'm considering the use of CallbackFilter for a security-related application.

One of the issues I encountered is that it appears that there's no way to protect the API of the driver.

So if I define some filters, an attacker (assuming he knows I'm using this product) may just issue the relevant API calls to disable the filters or unload the driver.

Is this correct? Is there some way to protect the product from such attacks?
Posted: 08/21/2011 07:03:54
by Vladimir Cherniga (Team)

Only users with administrative rights may install or uninstall the driver. Unloading is not supported by legacy file system filter drivers.
To protect the user API we may add a process restriction mechanism to our future releases.
Posted: 08/21/2011 09:02:17
by Eugene Mayevski (Team)

Addition: currently any application can modify or delete rules set by another application; however, it needs to know what rules have been set.

We will add a function to the next version to track the process that added the rule and prevent other applications from changing this rule. The function will be optional.

Sincerely yours
Eugene Mayevski
Posted: 08/21/2011 13:44:04
by Ophir Yoktan (Basic support level)
Joined: 08/21/2011
Posts: 7


What do you mean by "it needs to know what rules have been set"?

Wouldn't a call to
clear all filters?

Is there a timeline for the new version?

Posted: 08/21/2011 15:10:41
by Vladimir Cherniga (Team)

Each CallbackFilter instance has a unique identifier. It is assigned internally during filter initialization (CallbackFilter::AttachFilter()). The CallbackFilter API applies to the rules that belong to a specific filter instance, and has no effect on rules assigned with another filter instance.
The new version will be available within a month.
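
The two checks discussed in this thread (rules scoped to a filter instance, plus the optional tracking of the process that added a rule) can be modelled as follows. This is an added example, not EldoS code and not the CallbackFilter API: the struct, the function names, the instance ids and the PIDs are all hypothetical.

```c
#include <stdio.h>

#define MAX_RULES 16

/* Hypothetical user-mode model of a rule table; not the CallbackFilter API. */
struct rule {
    int in_use;
    unsigned instance_id;  /* filter instance the rule belongs to */
    unsigned owner_pid;    /* process that added the rule */
    int owner_only;        /* optional flag: only owner_pid may change it */
};
static struct rule rules[MAX_RULES];

/* Add a rule; returns its slot index, or -1 when the table is full. */
int add_rule(unsigned instance_id, unsigned pid, int owner_only)
{
    for (int i = 0; i < MAX_RULES; i++)
        if (!rules[i].in_use) {
            rules[i] = (struct rule){1, instance_id, pid, owner_only};
            return i;
        }
    return -1;
}

/* Calls reach only rules of the caller's instance; owner_only adds a PID check. */
static int may_modify(const struct rule *r, unsigned instance_id, unsigned pid)
{
    if (!r->in_use || r->instance_id != instance_id)
        return 0;
    return !r->owner_only || r->owner_pid == pid;
}

/* Delete every rule the caller is allowed to touch; returns how many were removed. */
int delete_all_rules(unsigned instance_id, unsigned pid)
{
    int removed = 0;
    for (int i = 0; i < MAX_RULES; i++)
        if (may_modify(&rules[i], instance_id, pid)) {
            rules[i].in_use = 0;
            removed++;
        }
    return removed;
}

int main(void)
{
    /* Constructed scenario: PIDs and instance ids are sample values. */
    add_rule(1, 100, 1);   /* rule protected by the owner check */
    add_rule(1, 100, 0);   /* rule without the optional protection */
    printf("other process removed %d\n", delete_all_rules(1, 666));
    printf("owner removed %d\n", delete_all_rules(1, 100));
    return 0;
}
```

In this model a second process that addresses the same instance can still remove the unprotected rule, while the rule added with the owner flag survives until its own process deletes it.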


