Endpoint Protection

  • 1.  managing Windows embedded write filter

    Posted Jul 21, 2016 09:48 PM

    Hi,

    I have a problem with a bad Windows 7 embedded image. The FBWF, EWF and regfilter were all thought to be disabled however the regfilter service is still started and recording data from the protected zones.

    Since SEP 12.1.6 introduced embedded write filter handling, we experience issues of lost registry data that does not get committed after reboot. The missing data is for the Teefer2 driver that the SEP install creates an exception for in regfilter under hklm\system\currentcontrolset\services\regfilter\parameters\monitoredkeys\_symcsepexclusion5.

    I am looking for a way to install SEP using the secure properties to remove checks for FBWF, EWF and regfilter, or to find out what the SEP installer is looking at to determine that the filters are installed.


    In the long run we will be deploying a new SOE with the filters correctly removed, but this is not an option just yet, and having our thin clients randomly lose network and need manual remediation is becoming a pain to manage.


    regards

    Cameron



  • 2.  RE: managing Windows embedded write filter



  • 3.  RE: managing Windows embedded write filter

    Posted Jul 22, 2016 12:18 AM

    Thanks Brian,

    I am well aware of how SEP now manages the FBWF and how it supports embedded OS.

    The problem I am running into is that I have a very unsupported environment: the FBWF is installed but turned off, the EWF is installed and turned off, and the Regfilter (works with FBWF) is installed and turned on.

    So the SEP install finds the regfilter and adds exclusions for the registry locations; when the embedded OS is rebooted these protected keys should be written to the protected area of the registry and retained.

    The problem I am running into is that the regfilter is missing the ramdrive portion of the install, so it is a 1MB file that is getting loaded into RAM at each boot; these changes are not getting written to the registry at logoff, perhaps because I am missing the FBWF.

    What I would like to know:

    The SEP.msi has a properties value of securecustomproperties; one of the actions that runs is filter REGFILTERINSTALLED, which ends up with a value of 1, which means the regfilter is installed.

    I would like to know what this action is judged on so I can remove it to prevent SEP from detecting the regfilter, or I would like to run the SEP install with an mst that replaces this value. I have tried with REGFILTERINSTALLED=0 but the action that runs after alters this back to 1.

    cheers



  • 4.  RE: managing Windows embedded write filter
    Best Answer

    Posted Jul 25, 2016 12:27 AM

    In the unlikely event someone else has a similar problem, you can create a transform file with something like Orca.

    I have not fully decided how I will combat the issue, but my initial finding was under InstallExecuteSequence and/or InstallUISequence the condition EMBEDDEDSYSTEM="1" listed against a bunch of actions.

    Changing this to a 0, for instance, will mean that action is not performed on an embedded device, but would then run on non-embedded, which isn't a problem for me as I will be targeting only embedded devices.

    Simply calling the MSI install with the TRANSFORM=file.mst

    or perhaps passing it through to the setup.exe install with the /v switch to pass msiexec properties.
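    An added example, not from this thread or from the vendor: a PowerShell audit script that lists every action in InstallUISequence and InstallExecuteSequence whose condition mentions a given property (EMBEDDEDSYSTEM as in the post above), so the scope of a transform can be reviewed before it is pushed to thin clients. The MSI path and the property name are assumptions passed as parameters; the package is opened read-only.

    ```powershell
    # Added example (not the thread's or the vendor's code). Lists sequence
    # actions gated on a property such as EMBEDDEDSYSTEM, using the Windows
    # Installer COM automation object (WindowsInstaller.Installer).
    param(
        [Parameter(Mandatory)] [string] $MsiPath,         # assumed, e.g. C:\temp\sep.msi
        [string] $PropertyName = 'EMBEDDEDSYSTEM'         # property to look for
    )

    # Late-bound calls: the installer object is IDispatch-only, so PowerShell
    # needs InvokeMember rather than direct method syntax.
    function Invoke-MsiMethod($obj, [string]$method, [object[]]$argList) {
        $obj.GetType().InvokeMember($method, 'InvokeMethod', $null, $obj, $argList)
    }
    function Get-MsiProperty($obj, [string]$prop, [object[]]$argList) {
        $obj.GetType().InvokeMember($prop, 'GetProperty', $null, $obj, $argList)
    }

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # 0 = msiOpenDatabaseModeReadOnly: an audit must never alter the package.
    $db = Invoke-MsiMethod $installer 'OpenDatabase' @($MsiPath, 0)

    foreach ($table in 'InstallUISequence', 'InstallExecuteSequence') {
        # Windows Installer SQL has no LIKE operator, so fetch all rows and
        # filter the Condition column here instead.
        $sql  = 'SELECT `Action`, `Condition`, `Sequence` FROM `' + $table + '`'
        $view = Invoke-MsiMethod $db 'OpenView' @($sql)
        Invoke-MsiMethod $view 'Execute' @() | Out-Null

        while ($null -ne ($rec = Invoke-MsiMethod $view 'Fetch' @())) {
            $cond = Get-MsiProperty $rec 'StringData' @(2)
            if ($cond -match $PropertyName) {
                # Emit one object per gated action; pipe to Format-Table or Export-Csv.
                [pscustomobject]@{
                    Table     = $table
                    Action    = Get-MsiProperty $rec 'StringData' @(1)
                    Condition = $cond
                    Sequence  = [int](Get-MsiProperty $rec 'StringData' @(3))
                }
            }
        }
        Invoke-MsiMethod $view 'Close' @() | Out-Null
    }
    ```

    Running the same script against the MSI with the transform applied (for example via an Orca-saved copy) lets you diff the two listings and confirm only the intended actions changed.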