Komodia's Redirector WFP guide

From Komodia

Signature

You can find instructions on how to sign the WFP in Signing and cross signing files.

Which OS to use WFP with

WFP was introduced in Windows Vista, but in our opinion it wasn't mature enough before Windows 8. Windows 8 added a feature that allows a number of WFP drivers to co-exist and cascade their local proxies (this requires the programmer to implement it; one AV company decided not to implement this feature, which breaks WFP chains).

Komodia's current opinion is that WFP should be used only on Windows 8 (and 8.1, 2012, 2012 R2), and on Windows 7 only in certain cases where there's a known conflict between the LSP and an AV (the WFP install advisor can help make the decision).

Windows 7

  • Microsoft has confirmed a bug where two WFPs on the system may BSOD the system ([1] Microsoft KB on the issue)
  • Two WFPs will fight over the traffic even if they don't BSOD the system, since the cascading proxies feature is only available on Windows 8.

Windows 8/8.1

  • WFP is required to intercept Metro apps, and IE11 on the desktop, on Windows 8.1

Installation

Location

The WFP files should be copied to the directory of the service; the installer will copy them to the right place during installation.

Windows differences

There are two sets of WFP files, one for Vista/7 and one for Windows 8. When placing the files, make sure to use the correct set for the current OS.

Installing/Updating

To install/update, run:

WFPInstaller install

Uninstall

To uninstall run:

WFPInstaller uninstall

Return value

For install/uninstall, a return value of 0 means the operation completed successfully.

Checking if WFP is installed

You can check if the WFP is installed by calling the installer with the isinstalled parameter:

WFPInstaller isinstalled

Return values are:

  • 0 - Not installed.
  • 1 - Installed but not running.
  • 2 - Installed and running.

WFP advisor

The WFP installer can advise you on whether to install the WFP or the LSP, based on the OS and on the existence of other security products that might work better with the WFP or with the LSP.

The syntax is:

WFPInstaller getsuggestion

The result will be indicated in the return value:

  • 0 - Can only install WFP (on Win8/Win2012).
  • 1 - Can only install LSP (on Vista SP1 and below).
  • 2 - Suggest to install LSP.
  • 3 - Suggest to install WFP.
  • 4 - No suggestion.

Why do conflicts exist?

When two products try to redirect traffic to a local proxy it can cause a circular loop. With the LSP, the SDK gets the traffic first, since the AV uses drivers and so the LSP is closest to the traffic; the AV then intercepts the SDK, and everything works great.

With the WFP, the AV might get the traffic first; then, if the SDK tries to intercept the AV, the AV will again try to intercept the SDK and cause a circular loop.

We have tried to contact some of the vendors, but in general they don't want to provide any real solution.

AV that conflicts with WFP (Windows Vista/7)

  • Kaspersky
  • Avast
  • Nod32
  • ZoneAlarm

If you feel that you MUST support those AV vendors with the WFP on Windows 7, you can try to contact those companies directly; you might have more leverage than we did.

Windows 8 and conflicts

On Windows 8 there's a new method that allows a number of WFP drivers to cascade local proxy interception, so in theory, if everyone implements it by the book, there should not be any conflicts. However, there are a few loopholes that some AV vendors chose to use, which break the entire chain. Currently conflicting AV on Win8:

  • Avira email module

Differences between WFP and LSP

Saving data

With the LSP you don't have to save the data for settings to be used; with the WFP the data is sent to the WFP only when saving the data.

Using premade ini files

  • The WFP doesn't use the offline files.
  • When creating a premade .ini for the WFP, you need to make sure that no WFP was installed on the machine, otherwise it will also copy a special internal WFP table.
  • After installing the SDK you need to call save so your custom .ini settings take effect.

Common pitfalls

Not signing the WFP correctly

The 64bit WFP must be cross signed; many times this fails for various reasons and then the WFP can't be installed. You must verify that the cross signing completed successfully before deploying the WFP. The 32bit WFP must be signed regularly (not cross signed).

Not using the correct WFP version

There is one WFP version for Windows Vista/7 and another for Windows 8; make sure you deploy the right WFP on the right OS.

Service auto start

Unlike the LSP, which can auto start the service, with the WFP the service will not auto start.

Save settings

You must save settings so they take effect; with the LSP this step is optional.

Install

The proxy must be installed before the WFP is installed.

Uninstall

The WFP must be uninstalled before the proxy is uninstalled.
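The following PowerShell script is an added example, not Komodia's own code, that ties the advisor, install/uninstall and isinstalled verbs and their return values together while respecting the ordering rules above (proxy before WFP on install, WFP before proxy on uninstall). The service directory path and the two proxy install/uninstall script blocks are placeholders for the product's own steps.

```powershell
# Added example (not Komodia's code). Assumes WFPInstaller.exe lives in the
# service directory; the proxy service itself is installed/removed by a
# product-specific step represented by the two placeholder script blocks.
param(
    [ValidateSet('install', 'uninstall')] [string]$Mode = 'install',
    [string]$ServiceDir = 'C:\Program Files\ExampleProduct'   # placeholder path
)

$installer = Join-Path $ServiceDir 'WFPInstaller.exe'

function Invoke-WfpInstaller([string]$Verb) {
    # Runs one installer verb and returns its exit code (the guide's "return value").
    $p = Start-Process -FilePath $installer -ArgumentList $Verb -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

# Return-value tables from the "WFP advisor" and "Checking if WFP is installed" sections.
$suggestionText = @{ 0 = 'Can only install WFP'; 1 = 'Can only install LSP'
                     2 = 'Suggest LSP';          3 = 'Suggest WFP'; 4 = 'No suggestion' }
$stateText      = @{ 0 = 'Not installed'; 1 = 'Installed but not running'; 2 = 'Installed and running' }

# Placeholders for the product's own proxy install/uninstall steps (not part of the guide).
$installProxy   = { Write-Host 'Installing proxy service (placeholder)' }
$uninstallProxy = { Write-Host 'Uninstalling proxy service (placeholder)' }

if ($Mode -eq 'install') {
    $s = Invoke-WfpInstaller 'getsuggestion'
    Write-Host "Advisor: $s ($($suggestionText[$s]))"
    if ($s -ne 0 -and $s -ne 3) {
        Write-Error 'Advisor does not recommend the WFP here; deploy the LSP instead.'
        exit 1
    }

    & $installProxy                                  # proxy must exist before the WFP
    $rc = Invoke-WfpInstaller 'install'
    if ($rc -ne 0) {
        Write-Error "WFPInstaller install failed with $rc (check cross signing and the OS-specific file set)"
        exit $rc
    }
    # With the WFP the service does not auto start and settings reach the driver
    # only on save, so both still have to be done explicitly after this point.
} else {
    $rc = Invoke-WfpInstaller 'uninstall'            # WFP must go before the proxy
    if ($rc -ne 0) { Write-Error "WFPInstaller uninstall failed with $rc"; exit $rc }
    & $uninstallProxy
}

$state = Invoke-WfpInstaller 'isinstalled'
Write-Host "WFP state: $state ($($stateText[$state]))"
```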