To me this is a very good teachable moment for people who might come to this forum seeking help on how to do something similar. Obviously Tavis explains why attempting to use a blacklist was bad and what can happen, but I’d love to hear from a knowledgeable dev here on why they might have been trying to do this as they did and what the correct way to implement this would have been?
In order to inspect encrypted data streams using SSL/TLS, Kaspersky installs a WFP driver to intercept all outgoing HTTPS connections. They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replace all leaf certificates on-the-fly. This is why if you examine a certificate when using Kaspersky Antivirus, the issuer appears to be “Kaspersky Anti-Virus Personal Root”.
Regardless of whether they should have used a filesystem ACL, or whether it is pointless to protect the file in some scenarios (physical access to the system you use for surfing), or whether they should check a lot more things in the minifilter, regardless of whether the cure is worse than the disease… I think they did a non-negligible amount of work!
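The interception scheme described above has a visible symptom: the issuer of every HTTPS certificate becomes the locally installed root. The following is an added example (not code from the thread or from any vendor) that classifies a certificate in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the expected-issuer names and the sample certificate dicts are constructed for illustration.

```python
import socket
import ssl

# Issuer CNs of local TLS-interception roots to flag. The Kaspersky name is the
# one quoted in the thread; the set is a starting point, not an inventory.
KNOWN_INTERCEPTION_ROOTS = {"Kaspersky Anti-Virus Personal Root"}


def rdn_value(name, attribute):
    """Extract one attribute ('commonName', ...) from getpeercert()'s
    issuer/subject format: a tuple of RDNs, each a tuple of (type, value)."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == attribute:
                return value
    return None


def classify_peercert(peercert, expected_issuer_cns):
    """Return 'interception', 'unexpected-issuer' or 'ok' for a peer cert dict.
    expected_issuer_cns: issuer CNs the site normally chains through, captured
    earlier on a machine without an inspection proxy."""
    issuer_cn = rdn_value(peercert.get("issuer", ()), "commonName")
    if issuer_cn in KNOWN_INTERCEPTION_ROOTS:
        return "interception"
    if issuer_cn not in expected_issuer_cns:
        return "unexpected-issuer"
    return "ok"


def check_live_host(host, expected_issuer_cns, port=443, timeout=5.0):
    """Connect with the system trust store (so a locally installed interception
    root validates fine) and classify the certificate actually presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_peercert(tls.getpeercert(), expected_issuer_cns)


# Constructed samples in getpeercert() shape: the re-issued leaf seen behind an
# inspection proxy, and the same site signed by a (hypothetical) public CA.
INTERCEPTED = {"subject": ((("commonName", "www.example.com"),),),
               "issuer": ((("commonName", "Kaspersky Anti-Virus Personal Root"),),)}
DIRECT = {"subject": ((("commonName", "www.example.com"),),),
          "issuer": ((("countryName", "US"),),
                     (("organizationName", "Example CA Inc"),),
                     (("commonName", "Example Public CA R1"),))}
```

Run `check_live_host("www.example.com", {"Example Public CA R1"})` from a machine with the inspection product installed and the result is "interception" even though the chain validates, because the trust store, not the issuer name, is what was tampered with.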
2017-01-04 14:16 GMT+01:00 :
> This is a darn interesting post… and should probably be sent to NTFSD (where the file system devs hang out) and not NTDEV.
>
> Peter
> OSR
> @OSRDrivers