Third LSP Tip

One of the most common uses of an LSP is content inspection: the LSP filters various types of content for users such as children (parental controls) or religious users (content filtering), and is sometimes used to block viruses and phishing sites. A common question I get from clients and prospects is how to protect the LSP against removal by someone other than the installing user.

In a perfect world users would simply take advantage of the Windows security model: install your software from an administrative account and let the other users of the computer work from accounts without privileges to modify the system. In reality, most households use one or two accounts, and both are administrators, which means, for example, that a child can easily remove the LSP. There are a number of applications that easily remove LSPs and reset the network stack; one of them is Microsoft's netsh utility.

There are two ways to protect your LSP:

– The first way is from user mode: run a service that constantly monitors whether the LSP is installed. When the service detects that the LSP was removed, it re-registers it. It also protects the LSP file itself: if it detects that the file was deleted, the service restores it from a backup. You must also protect the service itself; this is usually done with another service, so you end up with two services that back each other up. The advantage of user-mode protection is that it is easy to develop in a short time and it will do the job against 80% of your clients, which is also a disadvantage if you must protect against the other 20% of more experienced users.

– The second way is to write a kernel driver that oversees calls to system APIs such as file, registry and process operations and filters undesired calls, thus protecting your LSP and product. This method protects against 99.999% of your users, and the remaining 0.001% who can remove the driver are not your target audience to start with. The advantage of this method is that unless you access the OS from a different OS (a live CD, or removing the hard drive and connecting it to another computer) or reformat the drive, you can't remove the protection; the disadvantage is that you need to know how to program drivers.
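Whichever approach you take, the first thing a practitioner wants is a way to see what is actually registered. The following PowerShell script is an added example, not Komodia's code: it parses the output of the netsh utility mentioned above (`netsh winsock show catalog`) and lists every layered entry together with its DLL path. It assumes English label text in the netsh output (labels are localized on other Windows languages) and uses a constructed sample catalog so it can run offline; pass `-Live` to read the real catalog.

```powershell
# Added example, not part of the original post or the Komodia product.
# Parses 'netsh winsock show catalog' text into objects and reports layered
# entries (Layered Service Provider / Layered Chain Entry) with their DLL path.
# Assumption: English netsh labels ("Entry Type:", "Description:", "Provider Path:").

function Get-WinsockCatalogEntries {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Winsock Catalog Provider Entry') {
            if ($current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ EntryType = ''; Description = ''; ProviderPath = '' }
        }
        elseif ($current -and $line -match '^\s*(Entry Type|Description|Provider Path):\s*(.*)$') {
            $key = $Matches[1] -replace ' ', ''   # "Provider Path" -> ProviderPath
            $current[$key] = $Matches[2].Trim()
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

function Find-LayeredProviders {
    param([string[]]$Lines)
    # Base Service Provider entries belong to mswsock.dll; anything layered on
    # top of them is a third-party (or leftover) LSP worth reviewing.
    Get-WinsockCatalogEntries -Lines $Lines | Where-Object { $_.EntryType -match 'Layered' }
}

# Constructed sample output (not captured from a real machine) for offline runs.
$sample = @'
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        ExampleFilter LSP (constructed)
Provider Path:                      C:\Program Files\ExampleFilter\lsp.dll
'@ -split "`r?`n"

$catalog = if ($args -contains '-Live') { netsh winsock show catalog } else { $sample }
Find-LayeredProviders -Lines $catalog | Format-Table EntryType, Description, ProviderPath -AutoSize
```

On a clean system the list is empty; any layered entry whose path is outside the Windows directory should map to software you knowingly installed.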

If this interests you, you can check out our product – Komodia’s Watchdog.