Hi, does anyone know how I might be able to work around the following "issue" caused by McAfee Total Protection?
I have a Windows Filtering Platform service and driver that talk to each other. For security reasons, our service needs to know which user any traffic is associated with (in case there are multiple users logged on the system).
Now, we have two approaches that both seem to work well normally.
1. We use the AuthenticationId found in the FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID field of our flow-established callout function.
2. We can use the processId member of the FWPS_INCOMING_METADATA_VALUES struct to get an access token handle, and find the user associated with that handle.
Now, as I said, both options above work fine for us normally. However, if McAfee Total Protection (MTP) is installed, both options break.
Specifically, with McAfee Total Protection, the AuthenticationId changes from that of the current local user to the "Local System" account (i.e. with SID S-1-5-18) instead, so that breaks (1). Then, the processId is no longer that of the originating application, but instead becomes the "McSvHost.exe" process (aka "McAfee Services" et al), which has no owner, so that breaks (2).
Isn't this a violation of Windows security / WFP? I mean, what if my WFP driver was making policy / access decisions based on the AuthenticationId and/or processId etc. (which is one of the primary purposes WFP is intended for)? Surely this amounts to McAfee Total Protection elevating ordinary users' network traffic to "Local System" status as far as WFP is concerned? I can imagine this causing some WFP drivers to permit (or otherwise treat differently) traffic that they normally wouldn't, which is a pretty significant security risk.
Any comments and/or suggestions on how I can work around this problem would be greatly appreciated!
Thanks!
Paul.
PS - If there's a better place to ask these questions (some official developers' support forum somewhere?) then please let me know. Thanks.
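The risk the post describes (attribution rewritten to Local System, or an ownerless proxy process) is the reason a user-identity-based callout should fail closed instead of trusting either signal on its own. The following is an added, user-mode model of that decision step, not the poster's driver code and not WFP API code: `flow_identity`, `classify_flow`, the allowed-user table and the SID values are all constructed for illustration, and a real callout would fill the two fields from the ALE user ID token and from the token of `FWPS_INCOMING_METADATA_VALUES::processId`. It covers only per-user policy; a real driver would keep a separate policy for genuine system services rather than blocking every SYSTEM flow.

```c
/* Added example (not the poster's code): user-mode model of the attribution
 * step of a WFP callout. A real callout would fill flow_identity from
 * FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID and from the access token of
 * FWPS_INCOMING_METADATA_VALUES::processId; here the values are constructed. */
#include <stddef.h>
#include <string.h>

#define LOCAL_SYSTEM_SID "S-1-5-18"

enum verdict { VERDICT_BLOCK = 0, VERDICT_PERMIT = 1 };

/* The two signals the post describes, already converted to SID strings.
 * process_owner_sid is NULL when the owning process has no resolvable owner
 * (the McSvHost.exe situation described in the question). */
struct flow_identity {
    const char *ale_user_sid;      /* from the ALE user ID token */
    const char *process_owner_sid; /* from the processId's access token */
};

/* Constructed per-user policy: only these user SIDs may open flows. */
static const char *const allowed_user_sids[] = {
    "S-1-5-21-1111111111-2222222222-3333333333-1001", /* constructed user SID */
};

static int user_is_allowed(const char *sid) {
    size_t n = sizeof allowed_user_sids / sizeof allowed_user_sids[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(allowed_user_sids[i], sid) == 0) return 1;
    return 0;
}

/* Fail-closed attribution: a flow is only evaluated against per-user policy
 * when both signals exist, agree, and name a real user rather than SYSTEM.
 * Anything else (attribution rewritten to S-1-5-18, an ownerless proxy
 * process, or signals that disagree) is treated as "unknown user" and blocked,
 * so another filter re-injecting traffic cannot make the decision more
 * permissive than it would have been for the original user. */
enum verdict classify_flow(const struct flow_identity *id) {
    if (id->ale_user_sid == NULL || id->process_owner_sid == NULL)
        return VERDICT_BLOCK;   /* missing owner: unknown user */
    if (strcmp(id->ale_user_sid, id->process_owner_sid) != 0)
        return VERDICT_BLOCK;   /* signals disagree: unknown user */
    if (strcmp(id->ale_user_sid, LOCAL_SYSTEM_SID) == 0)
        return VERDICT_BLOCK;   /* SYSTEM attribution never unlocks user policy */
    return user_is_allowed(id->ale_user_sid) ? VERDICT_PERMIT : VERDICT_BLOCK;
}
```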