Former Member
Message 1 of 1

WFP user authentication broken by McAfee Total Protection

Hi, does anyone know how I might be able to work around the following "issue" caused by McAfee Total Protection?

I have a Windows Filtering Platform service and driver that talk to each other.  For security reasons, our service needs to know which user any traffic is associated with (in case there are multiple users logged on the system).

Now, we have two approaches that both seem to work well normally.

  1. We use the AuthenticationId found in the FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID field of our flow-established callout function.
  2. We can use the processId member of the FWPS_INCOMING_METADATA_VALUES struct to get an access token handle, and find the user associated with that handle.

Now, as I said, both options above work fine for us normally.  However, if McAfee Total Protection (MTP) is installed, both options break.

Specifically, with McAfee Total Protection, the AuthenticationId changes from that of the current local user to the "Local System" account (i.e. with SID S-1-5-18) instead, so that breaks (1).  Then, the processId is no longer that of the originating application, but instead becomes the "McSvHost.exe" process (aka "McAfee Services" et al), which has no owner, so that breaks (2).

Isn't this a violation of Windows security / WFP?  I mean, what if my WFP driver was making policy / access decisions based on the AuthenticationId and/or processId etc (which is one of the primary purposes WFP is intended for)?  Surely this amounts to McAfee Total Protection elevating ordinary users' network traffic to "Local System" status as far as WFP is concerned?  I can imagine this causing some WFP drivers to permit (or otherwise treat differently) traffic that they normally wouldn't, which is a pretty significant security risk.

Any comments, and/or suggestions how I can work around this problem would be greatly appreciated!



PS - If there's a better place to ask these questions (some official developers' support forum somewhere?) then please let me know. Thanks.
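
The risk raised in the post, shown as an added example (not the poster's code and not WFP API usage): a service-side check, in portable C, that only lets a reported SID drive per-user policy when it is an account SID, and treats Local System and the other built-in service accounts as "unattributed" rather than as trusted. All function and type names are hypothetical, and the sample SIDs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBS 15
typedef enum { ID_USER_ACCOUNT, ID_SERVICE_ACCOUNT, ID_UNKNOWN } id_class;
typedef enum { FLOW_APPLY_USER_POLICY, FLOW_UNATTRIBUTED } flow_verdict;

/* Parse "S-1-<authority>-<sub>-<sub>..."; returns sub-authority count, -1 if malformed. */
static int parse_sid(const char *s, unsigned long long *auth,
                     unsigned long long subs[MAX_SUBS])
{
    char *end;
    int n = 0;
    if (strncmp(s, "S-1-", 4) != 0 || s[4] < '0' || s[4] > '9') return -1;
    *auth = strtoull(s + 4, &end, 10);
    while (*end == '-') {
        if (end[1] < '0' || end[1] > '9' || n == MAX_SUBS) return -1;
        subs[n++] = strtoull(end + 1, &end, 10);
    }
    return (*end == '\0' && n > 0) ? n : -1;
}

id_class classify_sid(const char *sid)
{
    unsigned long long auth, subs[MAX_SUBS];
    int n = parse_sid(sid, &auth, subs);
    if (n < 0 || auth != 5) return ID_UNKNOWN;            /* not NT Authority */
    if (n == 1 && subs[0] >= 18 && subs[0] <= 20)
        return ID_SERVICE_ACCOUNT;  /* Local System, Local Service, Network Service */
    if (n == 5 && subs[0] == 21) return ID_USER_ACCOUNT;  /* S-1-5-21-<3 ids>-<RID> */
    return ID_UNKNOWN;
}

/* A service-account SID says which service opened the flow, not which
   logged-on user it belongs to, so it must not be read as a user identity. */
flow_verdict attribute_flow(const char *reported_sid)
{
    return classify_sid(reported_sid) == ID_USER_ACCOUNT
         ? FLOW_APPLY_USER_POLICY : FLOW_UNATTRIBUTED;
}

int main(void)
{
    /* Constructed sample SIDs, not taken from a real system. */
    const char *samples[] = { "S-1-5-21-1111111111-2222222222-3333333333-1001",
                              "S-1-5-18", "S-1-5-32-544", "not-a-sid" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-48s %s\n", samples[i],
               attribute_flow(samples[i]) == FLOW_APPLY_USER_POLICY
                   ? "apply per-user policy" : "unattributed");
    return 0;
}
```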
