I've asked this question over on the MSDN forums too. But hopefully someone familiar with Norton Internet Security (i.e. an employee) can shed some light here?
Hi, does anyone know how I might be able to work around the following "issue" caused by Symantec Norton Internet Security 2010?
I have a WFP service and driver that talk to each other. For security reasons, our service needs to know which user any traffic is associated with (in case there are multiple users logged on the system).
Now, we have two approaches that both seem to work well normally.
1. We use the AuthenticationId found in the FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID field of our flow-established callout function.
2. We can use the processId member of the FWPS_INCOMING_METADATA_VALUES struct to get an access token handle, and find the user associated with that handle.
Now, as I said, both options above work fine for us normally. However, if Norton Internet Security 2010 is installed, both options break.
Specifically, with NIS 2010, the AuthenticationId changes from that of the current local user to the "Local System" account (i.e. the one with SID S-1-5-18) instead, so that breaks (1). Then, the processId is no longer that of the originating application, but instead becomes the "ssSvcHst.exe" process (aka "Symantec Service Framework"), which has "no owner", so that breaks (2).
So, two broad questions really...
First off, isn't this a violation of Windows security / WFP? I mean, what if my WFP driver was making policy / access decisions based on the AuthenticationId and/or processId etc.? Surely this amounts to NIS 2010 elevating ordinary users' network traffic to "Local System" status as far as WFP is concerned? I can imagine this causing some WFP drivers to permit (or otherwise treat differently) traffic that they normally wouldn't.
Secondly, is there another (better? more reliable? more correct?) way to determine which user "owns" WFP traffic? Is it possible that I can force my driver to see traffic *before* NIS 2010 mucks with it (assuming NIS 2010 uses WFP itself, that should be possible, right?)... Perhaps because my driver is registered as "observe only" it gets plugged into WFP later, and if so, is there any way around that?
Any tips / suggestions / comments on whether Symantec is doing something right / wrong here would be really appreciated! :)
Thanks!
Paul.
PS - If there's a better place to ask this question (some official developers' support forum somewhere?) then please let me know. Thanks.
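The post describes two attribution sources (the ALE user SID and the owner of the processId's token) that normally agree but, under NIS 2010, are both rewritten to Local System / an ownerless process. The added example below (not from the post, not WFP or Symantec code) is a portable C model of the defensive decision a callout driver can make: cross-check both sources, accept a Local System attribution only for a process you already expect to run as SYSTEM, and otherwise fail closed (treat the flow as unattributed rather than as privileged). The `flow_metadata_t` struct is a constructed stand-in for the FWPS_* fields named in the post; the sample flows in `main` are constructed from the symptoms the post reports.

```c
/* Added example: portable model of an attribution cross-check for WFP flows.
 * Not WFP code: flow_metadata_t is a constructed stand-in for the fields the
 * post reads (ALE_USER_ID SID and the owner of the processId's token). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SID_LOCAL_SYSTEM "S-1-5-18"

typedef enum { ATTR_USER, ATTR_SYSTEM, ATTR_UNTRUSTED } attribution_t;

typedef struct {
    const char *ale_user_sid;       /* SID string behind the flow's AuthenticationId, NULL if absent */
    const char *process_owner_sid;  /* SID owning the processId's token, NULL if "no owner" */
    const char *process_image;      /* image basename, informational only */
    bool process_is_system_service; /* true only for services the driver expects to run as SYSTEM */
} flow_metadata_t;

static bool is_local_system(const char *sid) {
    return sid != NULL && strcmp(sid, SID_LOCAL_SYSTEM) == 0;
}

/* Decide who a flow belongs to, failing closed whenever the two sources
 * are missing, disagree, or claim SYSTEM for a process we don't vouch for. */
attribution_t attribute_flow(const flow_metadata_t *m) {
    if (m->ale_user_sid == NULL && m->process_owner_sid == NULL)
        return ATTR_UNTRUSTED;                    /* nothing to base a decision on */

    if (m->ale_user_sid != NULL && m->process_owner_sid != NULL &&
        strcmp(m->ale_user_sid, m->process_owner_sid) != 0)
        return ATTR_UNTRUSTED;                    /* attribution was rewritten somewhere */

    if (is_local_system(m->ale_user_sid) || is_local_system(m->process_owner_sid)) {
        /* SYSTEM is only believed for a process already known to run as SYSTEM;
         * an ownerless or unknown process claiming SYSTEM is not elevated. */
        return m->process_is_system_service ? ATTR_SYSTEM : ATTR_UNTRUSTED;
    }
    return ATTR_USER;
}

static const char *attribution_name(attribution_t a) {
    return a == ATTR_USER ? "user" : a == ATTR_SYSTEM ? "system" : "untrusted";
}

int main(void) {
    /* Constructed sample flows: the normal case, the NIS 2010 symptom from the
     * post (SYSTEM SID, ownerless ssSvcHst.exe), and a genuine SYSTEM service. */
    const flow_metadata_t flows[] = {
        { "S-1-5-21-1000-1000-1000-1001", "S-1-5-21-1000-1000-1000-1001", "app.exe", false },
        { SID_LOCAL_SYSTEM, NULL, "ssSvcHst.exe", false },
        { SID_LOCAL_SYSTEM, SID_LOCAL_SYSTEM, "svchost.exe", true },
    };
    for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++)
        printf("%-14s -> %s\n", flows[i].process_image,
               attribution_name(attribute_flow(&flows[i])));
    return 0;
}
```

The point of the third branch is the one the post raises: a driver that trusts the AuthenticationId alone would quietly promote rewritten user traffic to Local System, whereas requiring agreement between the token SID and the process owner, plus an explicit allow-list for SYSTEM services, turns that rewrite into an "untrusted" verdict that can be logged and denied.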