WFP callout weight

  • Question

  • Hi,

    We have a callout driver that will occasionally decide to block a webpage and instead inject a template webpage ("This page is blocked", etc.).

    We have noticed that when running our callout on a PC on which Avira Web Protection is installed, all pages that we inject get blocked by Avira (I guess they treat any injected page as a threat).

    We also observed that Avira sets the weight of their WFP callout to be as high as possible on the TCP stream layer. In order to overcome this, I also set my filter to be as high as possible, but I'm still not able to get higher than Avira.

    1) Is there a way to control manually which callout will be called first?

    2) I assume the upper callout uses FwpsQueryPacketInjectionState to detect my injection; is there any way to block this detection?

    Thanks

    Wednesday, April 2, 2014 5:22 AM

Answers

  • Final filter weight is determined by BFE. BFE takes into account multiple properties of the filter in order to best evaluate a weight. The weight you provide is a suggestion as to the outcome of the actual effective weight.

    Again though, to make sure you are not competing with someone else's filter weighting, you should implement your own sublayer. The highest weighted sublayer will be arbitrated first etc.

    Can you send the output (WFPState.xml) from "NetSh.exe WFP Show State" to DHarper @AT@ Microsoft .Dot. Com, and I can try to assist you further.

    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Tuesday, April 8, 2014 10:01 PM
    Moderator

All replies

  • 1) You can use the arbitration model. Putting your filters in a higher weighted sublayer will allow for your filters and callouts to be invoked first. If Avira has already claimed the highest weight, then you'd have to remove their product, put yours in place, and reinstall their product.

    2) No. This is by design. It is best for you to work with Avira to discover why they are blocking your injected payload.

    Since this is the stream layer, you would actually want to sit at a lower sublayer than Avira. When you inject at stream, only filters/callouts below will see your changes (the injection doesn't return to the top).

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Friday, April 4, 2014 5:09 PM
    Moderator
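The two replies above turn on the same question: which sublayer, and which filter within it, BFE arbitrates first on the stream layer, and what effective weight BFE actually assigned versus the weight a driver asked for. The following PowerShell script is an added example, not code from the thread or from Microsoft: it runs the `netsh.exe wfp show state` command Dusty asks for, parses the resulting wfpstate.xml, and prints the arbitration order for the TCP stream layers. The element names it relies on (`item`, `subLayerKey`, `layerKey`, `weight`, `effectiveWeight`, `displayData/name`, `providerKey`, `action/type`) and the `file=` argument to netsh are assumptions drawn from inspecting such exports, not from the page; check them against your own wfpstate.xml.

```powershell
<#
  Added example (not part of the original thread). Dumps the live WFP state
  with netsh and lists, for the TCP stream layers, the order BFE will use:
  sublayers by weight (highest first), then filters inside each sublayer by
  the effective weight BFE assigned. Run from an elevated prompt.

  Assumptions, not stated on the page:
    - "netsh.exe wfp show state file=<path>" writes the XML dump to <path>.
    - Sublayer entries are <item> elements with <subLayerKey> and a plain
      numeric <weight> but no <layerKey>. Filter entries are <item> elements
      with <layerKey>, <subLayerKey>, a typed <weight> and a typed
      <effectiveWeight> (<type>FWP_UINT8</type><uint8>15</uint8>, or
      <type>FWP_EMPTY</type> when the caller let BFE choose).
    - Children are matched by local name, so container element names and
      any default namespace do not matter.
#>
param(
    [string]$StateFile = (Join-Path $PWD 'wfpstate.xml'),
    [string[]]$Layers  = @('FWPM_LAYER_STREAM_V4', 'FWPM_LAYER_STREAM_V6'),
    [switch]$Refresh   # re-run netsh even if a dump already exists
)

if ($Refresh -or -not (Test-Path -LiteralPath $StateFile)) {
    & netsh.exe wfp show state "file=$StateFile" | Out-Null
    if (-not (Test-Path -LiteralPath $StateFile)) {
        throw "netsh did not write $StateFile; run from an elevated prompt."
    }
}

[xml]$state = Get-Content -LiteralPath $StateFile -Raw

# First child with the given local name, or $null.
function Get-Child($Node, [string]$Name) {
    if ($null -eq $Node) { return $null }
    $Node.SelectSingleNode("*[local-name()='$Name']")
}

# Trimmed inner text, or '' for a missing node.
function Get-Text($Node) {
    if ($null -eq $Node) { '' } else { $Node.InnerText.Trim() }
}

# A bare number for sublayer weights; for filters the value sits in the
# typed child next to <type> (uint8, uint64, ...). FWP_EMPTY has no such
# child, so its inner text ("FWP_EMPTY") is returned as-is.
function Get-WfpValue($Node) {
    if ($null -eq $Node) { return '' }
    $typed = $Node.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' -and $_.LocalName -ne 'type' } |
        Select-Object -First 1
    if ($typed) { $typed.InnerText.Trim() } else { $Node.InnerText.Trim() }
}

$items = $state.SelectNodes('//*[local-name()="item"]')

# Sublayer key -> weight. The highest weighted sublayer is arbitrated first.
$subLayerWeight = @{}
foreach ($it in $items) {
    if ((Get-Child $it 'subLayerKey') -and -not (Get-Child $it 'layerKey')) {
        $w = Get-WfpValue (Get-Child $it 'weight')
        if ($w -match '^\d+$') {
            $subLayerWeight[(Get-Text (Get-Child $it 'subLayerKey'))] = [uint64]$w
        }
    }
}

# One row per filter on the requested layers, joined with its sublayer weight.
$rows = foreach ($it in $items) {
    $layer = Get-Child $it 'layerKey'
    $sub   = Get-Child $it 'subLayerKey'
    if (-not $layer -or -not $sub) { continue }
    if ($Layers -notcontains (Get-Text $layer)) { continue }
    $subKey = Get-Text $sub
    $eff    = Get-WfpValue (Get-Child $it 'effectiveWeight')
    [pscustomobject]@{
        Layer           = Get-Text $layer
        SubLayer        = $subKey
        SubLayerWeight  = if ($subLayerWeight.ContainsKey($subKey)) { $subLayerWeight[$subKey] } else { 0 }
        Provider        = Get-WfpValue (Get-Child $it 'providerKey')
        Filter          = Get-Text (Get-Child (Get-Child $it 'displayData') 'name')
        Action          = Get-WfpValue (Get-Child (Get-Child $it 'action') 'type')
        RequestedWeight = Get-WfpValue (Get-Child $it 'weight')
        EffectiveWeight = if ($eff -match '^\d+$') { [uint64]$eff } else { 0 }
    }
}

# Arbitration order within a layer: sublayer weight, then effective weight,
# both descending. At the stream layer, data a callout injects is only seen
# by the entries that come later in this list.
$rows |
    Sort-Object Layer,
        @{ Expression = 'SubLayerWeight';  Descending = $true },
        @{ Expression = 'EffectiveWeight'; Descending = $true } |
    Format-Table Layer, SubLayer, SubLayerWeight, Provider, Filter, Action,
        RequestedWeight, EffectiveWeight -AutoSize
```

Reading the output against the thread: if your filter and the AV product's filter share FWPM_SUBLAYER_UNIVERSAL, the RequestedWeight column shows what each driver asked for and EffectiveWeight what BFE gave it, which is where two drivers that both ask for the maximum end up ordered by something other than their request. Registering your own sublayer (FwpmSubLayerAdd0 with an explicit weight) moves the decision to the SubLayerWeight column, which is the arbitration Dusty recommends; for a stream-layer injector that wants its data seen by the AV, that sublayer should sort below the AV's, not above it.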
  • Thanks Dusty,

    I made a mistake in my previous post, and stated that Avira have the highest weight. What I meant is that they are the highest up in the TCP stack, due to them having the LOWEST weight.

    So, if I understand correctly, the actual weight of two filters that both claim the lowest weight is determined by the installation order on the PC, is this correct?

    Sunday, April 6, 2014 5:12 AM