Problem with WFP x64 with another WFP present

  • Question

  • Hi,

    I'm trying to solve a conflict with another AV product. They are using WFP, and the problem is that on x64, after a reboot, my WFP will no longer get any events for ALE_CONNECT_REDIRECT, but if I restart my WFP it will work again.

    I've done some tests to narrow down the problem and found that it will work after reboot on x86 with the AV present, and will work after reboot on x86 and x64 without the AV present. On x64 when the AV is present there are no boot time errors while loading the driver.

    I can do a workaround to stop/start the WFP when this AV is detected, but I prefer to find the cause of the problem. Do you have ideas/clues where to look?

    Thanks,

    Barak

    Monday, November 19, 2012 5:29 PM

All replies

  • What do you mean you get no events? You mean that your callout is no longer getting invoked? Does the other AV redirect before you?

    What are the weights of the filters? Are they all in the same sublayer? If not, what are the weights of the sublayers?


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Monday, November 19, 2012 11:06 PM
    Moderator
  • The other AV redirects before me, but only after a reboot on x64, which makes everything weird; my driver callout isn't invoked at all. I checked the filter weight and it's FWP_EMPTY; there's no sublayer set.

    Tuesday, November 20, 2012 12:14 AM
  • This is by design, then. ALE_CONNECT_REDIRECT & ALE_BIND_REDIRECT perform for the 1st callout that does redirection. If you want to be the first, then you should create your own high-weighted sublayer and place your filters in it. Assuming you aren't concerned with competing with your own filters, the filter weight is irrelevant.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Tuesday, November 20, 2012 10:04 PM
    Moderator
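The ordering Dusty describes, as an added C model that is not code from the thread and does not call the WFP API: sublayers are evaluated highest weight first, filters inside a sublayer highest weight first, and the first callout that redirects wins. The weights are constructed assumptions (the AV's sublayer at 0x8000, our new sublayer at 0xFFFF, and a FWP_EMPTY filter in the default sublayer modelled as weight 0).

```c
/* Model of WFP redirect arbitration; portable illustration only, no engine calls. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: FWP_EMPTY weight and "no sublayer set" are modelled as weight 0. */
#define MODEL_FWP_EMPTY 0
#define MODEL_DEFAULT_SUBLAYER_WEIGHT 0

typedef struct {
    const char *owner;        /* who registered the filter (constructed names) */
    uint16_t sublayer_weight; /* FWPM_SUBLAYER0.weight of the filter's sublayer */
    uint64_t filter_weight;   /* FWPM_FILTER0.weight, only matters within one sublayer */
    int redirects;            /* callout issues a redirect for this connection */
} RedirectFilter;

/* Higher sublayer weight first, then higher filter weight first. */
static int by_precedence(const void *a, const void *b) {
    const RedirectFilter *x = a, *y = b;
    if (x->sublayer_weight != y->sublayer_weight)
        return x->sublayer_weight > y->sublayer_weight ? -1 : 1;
    if (x->filter_weight != y->filter_weight)
        return x->filter_weight > y->filter_weight ? -1 : 1;
    return 0;
}

/* Owner of the first redirecting filter in precedence order, or NULL if none. */
const char *winning_redirector(RedirectFilter *f, size_t n) {
    qsort(f, n, sizeof *f, by_precedence);
    for (size_t i = 0; i < n; i++)
        if (f[i].redirects) return f[i].owner;
    return NULL;
}

/* Thread's situation: our filter has FWP_EMPTY weight and no sublayer;
 * the AV owns a higher-weighted sublayer, so its callout redirects first. */
const char *before_fix(void) {
    RedirectFilter f[] = {
        { "ours", MODEL_DEFAULT_SUBLAYER_WEIGHT, MODEL_FWP_EMPTY, 1 },
        { "av",   0x8000,                        MODEL_FWP_EMPTY, 1 },
    };
    return winning_redirector(f, 2);
}

/* Dusty's advice: our own sublayer with a higher weight; filter weight unchanged. */
const char *after_fix(void) {
    RedirectFilter f[] = {
        { "ours", 0xFFFF, MODEL_FWP_EMPTY, 1 },
        { "av",   0x8000, MODEL_FWP_EMPTY, 1 },
    };
    return winning_redirector(f, 2);
}
```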
  • I don't see traffic that comes from their proxy either, and they don't redirect it. Is this by design as well?
    Wednesday, November 21, 2012 2:28 AM
  • It really depends on what they are doing with it. Is it possible that they are "black holing" the traffic? How do you know they aren't redirecting it?


    Dusty Harper [MSFT]
    Microsoft Corporation

    Wednesday, November 21, 2012 4:31 AM
    Moderator
  • You'll need to explain what's "black holing" the traffic.
    Wednesday, November 21, 2012 11:52 AM
  • Black holing: sending the traffic to some address/port that is not listening, so the stack drops it.


    Dusty Harper [MSFT]
    Microsoft Corporation

    Wednesday, November 21, 2012 5:28 PM
    Moderator
  • I doubt they are doing this; it sounds too nefarious for a popular AV to do. Are there any debug tools/techniques available to understand why my callout isn't called?
    Thursday, November 22, 2012 12:06 AM