BFE dependency

  • Question

  • Does the classify function at XXX_LAYER get called if the BFE service is not running?

    If not, then how can I make sure traffic goes through the callout driver when the BFE service is not running?

    Friday, August 23, 2013 1:14 PM

All replies

  • Hi, W8Lover !

    WFP is a high-level wrapper over NDIS. Some association can be drawn:

    File System Driver (FSD) => File System Filter Manager (FltMgr) => Third party FS Filters, which are FltMgr clients

    NDIS => BFE (WFP) => Third party network filters, which are BFE clients, implemented on WFP technology

    Without BFE, any WFP actions don't make any sense.

    You can use NDIS filters for capturing traffic before BFE gets started.


    Oleg N

    Friday, August 23, 2013 4:32 PM
  • But the BFE is a user mode service which can be stopped by any program.

    So does that mean the kernel mode driver will not work if the BFE is not running?

    Monday, August 26, 2013 5:17 AM
  • BFE includes kernel mode (Ring 0) and user mode (Ring 3) interfaces.

    The header files are the same for both entities, but the libraries are different.

    A WFP callout kernel mode driver (and WFP UI applications too) will not work until BFE is running.


    Oleg N

    Tuesday, August 27, 2013 5:11 AM
  • On some machines it is seen that malware removes the registry entry for the BFE service, which makes the firewall stop.

    So how should this be handled? If we add boot-time filters, it will stall the network, as there will be no dynamic filters added since BFE is down.

    Thursday, August 29, 2013 7:02 AM
  • Periodically polling the appropriate registry entry from a UI service or driver and recovering the required data. But the better way is to install AV software (BTW, you must clean the affected machines first).

    Friday, August 30, 2013 6:21 AM
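
The periodic check suggested in the reply above, as an added example that is not part of the original thread: a PowerShell script that polls the BFE service key and service state and reports what changed. The function name `Test-BfeHealth` is hypothetical, and the expected `Start` value of 2 (automatic) is an assumption about the default configuration.

```powershell
# Added example, not from the thread. Run elevated, e.g. from a scheduled task.
$ServiceName   = 'BFE'
$KeyPath       = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$ExpectedStart = 2   # assumption: default start type is automatic (2); 4 = disabled

function Test-BfeHealth {
    # Returns a list of findings; an empty list means BFE looks healthy.
    $findings = @()

    # The thread describes malware deleting this key, which stops the firewall.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return @("Service registry key is missing: $KeyPath")
    }

    $cfg = Get-ItemProperty -LiteralPath $KeyPath
    if ($cfg.Start -ne $ExpectedStart) {
        $findings += "Start value is $($cfg.Start), expected $ExpectedStart"
    }
    if ([string]::IsNullOrWhiteSpace($cfg.ImagePath)) {
        $findings += 'ImagePath value is missing or empty'
    }

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += 'Service is not registered with the Service Control Manager'
    } elseif ($svc.Status -ne 'Running') {
        $findings += "Service status is $($svc.Status), expected Running"
    }
    return $findings
}

$findings = @(Test-BfeHealth)
if ($findings.Count -eq 0) {
    Write-Output "BFE healthy at $(Get-Date -Format o)"
    exit 0
}

$findings | ForEach-Object { Write-Warning "BFE check: $_" }

# Recovery is limited to restarting an intact but stopped service. A missing or
# altered key points to tampering and should be investigated, not silently rewritten.
if ((Test-Path -LiteralPath $KeyPath) -and (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    try   { Start-Service -Name $ServiceName -ErrorAction Stop }
    catch { Write-Warning "Could not start ${ServiceName}: $($_.Exception.Message)" }
}
exit 1
```

The non-zero exit code lets a scheduler or monitoring agent raise an alert when any finding is reported.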
  • No.  BFE must be running in order for any non-boottime filters to be evaluated and enforced.

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Thursday, October 24, 2013 5:40 PM
  • So does this mean if BFE is not running then boottime filters will be evaluated and enforced?
    Monday, October 12, 2015 6:03 AM