EP-4738162-A1 - MINIFILTER SQUATTING PROTECTION
Abstract
A method for protecting against minifilter squatting attacks includes installing an endpoint detection and response system on an endpoint device, wherein the endpoint detection and response system includes at least one filesystem minifilter driver, and appending the at least one filesystem minifilter driver with a randomly generated fractional to an assigned integer altitude at a time of loading the at least one filesystem minifilter driver and/or inserting a combination of randomly generated characters into a minifilter instance name at the time of loading the at least one filesystem minifilter driver.
Inventors
- BECKHERRN, Dietmar Georg
- KENNING, Emile Marcus
Assignees
- Sophos Limited
Dates
- Publication Date
- 20260506
- Application Date
- 20251031
Claims (15)
1. A method for protecting against filesystem minifilter driver squatting attacks comprising: installing at least one filesystem minifilter driver on an endpoint device; and at a time of loading the at least one filesystem minifilter driver, performing at least one of: (a) appending the at least one filesystem minifilter driver with a randomly generated fractional to an assigned integer altitude; and (b) inserting a combination of randomly generated characters into a minifilter instance name of the at least one filesystem minifilter driver.
2. The method of claim 1, wherein the endpoint detection and response system includes the at least one filesystem minifilter driver, and wherein performing at least one of (a) and (b) comprises inserting the combination of randomly generated characters into the minifilter instance name of the at least one filesystem minifilter driver at the time of loading the at least one filesystem minifilter driver.
3. The method of claim 2, further comprising: detecting, by the at least one minifilter driver, at least one of a creation of a new file, a modification of an existing file, and a usage of a named pipe.
4. The method of claim 2 or 3, further comprising: registering the at least one filesystem minifilter driver with a filter manager of the endpoint device with a minifilter instance name including the combination of randomly generated characters, wherein the filter manager is configured to intercept requests destined for the filesystem and pass intercepted requests to loaded filesystem minifilter drivers including the at least one filesystem minifilter driver.
5. The method of any of claims 2 to 4, further comprising: generating the combination of randomly generated characters using an operating system function at the start of loading the at least one filesystem minifilter driver.
6. The method of any of claims 2 to 5, further comprising: appending the at least one filesystem minifilter driver with a randomly generated fractional to an assigned integer altitude at a time of loading the at least one filesystem minifilter driver, wherein the randomly generated fractional and the combination of randomly generated characters include the same sequence of numbers generated by an operating system function.
7. The method of any of claims 2 to 6, further comprising: inserting a different combination of randomly generated characters into the minifilter instance name of the at least one filesystem minifilter driver at a second time of loading the at least one filesystem minifilter driver.
8. The method of any of claims 2 to 7, further comprising: providing the minifilter instance name of the at least one minifilter with the combination of randomly generated characters to a remote threat management system managing the endpoint detection and response system of the endpoint device; and maintaining, by the remote threat management system, a list of current minifilter instance names with the combination of randomly generated characters from a plurality of endpoint devices managed by the endpoint detection and response system.
9. The method of any preceding claim, wherein performing at least one of (a) and (b) comprises appending the at least one filesystem minifilter driver with the randomly generated fractional to the assigned integer altitude at the time of loading the at least one filesystem minifilter driver.
10. The method of claim 9, further comprising: detecting, by the at least one minifilter driver, at least one of a creation of a new file, a modification of an existing file, and a usage of a named pipe.
11. The method of claim 9 or 10, further comprising: registering the at least one filesystem minifilter driver with a filter manager of the endpoint device with the assigned integer altitude appended by the randomly generated fractional, wherein the filter manager is configured to intercept requests destined for the filesystem and pass intercepted requests to loaded filesystem minifilter drivers including the at least one filesystem minifilter driver.
12. The method of any of claims 9 to 11, further comprising: generating the randomly generated fractional using an operating system function at the start of loading the at least one filesystem minifilter driver.
13. The method of any of claims 9 to 12, further comprising: inserting a combination of randomly generated characters into a filesystem minifilter driver instance name of the at least one filesystem minifilter driver at a time of loading, wherein the randomly generated fractional and the combination of randomly generated characters include the same sequence of numbers generated by an operating system function.
14. The method of any of claims 9 to 13, further comprising: appending the at least one filesystem minifilter driver with a different randomly generated fractional to the assigned integer altitude at a second time of loading the at least one filesystem minifilter driver.
15. The method of any of claims 9 to 14, further comprising: providing the assigned integer altitude appended by the randomly generated fractional to a remote threat management system managing an endpoint detection and response system of the endpoint device; and maintaining, by the remote threat management system, a list of current assigned integer altitudes appended by randomly generated fractionals from a plurality of endpoint devices managed by the endpoint detection and response system.
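The registration scheme the claims describe, shown as an added user-mode simulation. This is example code written for this page, not the patent's, Sophos's or Microsoft's code: the `SimulatedFilterManager` class stands in for FltMgr and models only the two rules that matter here (instance names and altitudes must be unique on a volume, and pre-operation callbacks are ordered by altitude), the `ManagementConsole` class stands in for the remote threat management system of claims 8 and 15, and the base name `ExampleEdr`, the assigned altitude `320000` and the endpoint identifier are constructed values. One random digit sequence from the OS CSPRNG is used for both the fractional altitude and the instance name, as in claims 6 and 13, and a second load draws a fresh sequence, as in claims 7 and 14.

```python
"""Added simulation of the claimed randomized registration (claims 1, 6 to 8, 13 to 15).

Pure user-mode Python: no Windows API is touched, and every name, altitude and
endpoint identifier below is a constructed example value, not one from the patent.
"""
import secrets
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional

BASE_NAME = "ExampleEdr"        # constructed; stands in for the product's instance name
ASSIGNED_ALTITUDE = 320000      # constructed; stands in for the vendor's assigned altitude


@dataclass(frozen=True)
class Registration:
    instance_name: str
    altitude: str   # FltMgr altitudes are decimal strings, e.g. "320000.41720533"


def random_sequence(digits: int = 8) -> str:
    """Digit string from the OS CSPRNG, playing the 'operating system function' of the claims."""
    while True:
        seq = "".join(str(secrets.randbelow(10)) for _ in range(digits))
        if int(seq) != 0:   # "320000.00000000" would compare equal to the bare assigned altitude
            return seq


def build_registration(base_name: str, assigned_altitude: int,
                       seq: Optional[str] = None) -> Registration:
    """Apply (a) and (b) of claim 1 with one shared sequence, as in claims 6 and 13."""
    seq = random_sequence() if seq is None else seq
    altitude = f"{assigned_altitude}.{seq}"          # (a) fractional appended to the integer altitude
    instance_name = f"{base_name}-{seq} Instance"    # (b) random characters inside the instance name
    return Registration(instance_name, altitude)


class SimulatedFilterManager:
    """Stand-in for FltMgr: refuses duplicate names/altitudes and orders instances by altitude."""

    def __init__(self) -> None:
        self._instances: Dict[str, Registration] = {}

    def attach(self, reg: Registration) -> None:
        if reg.instance_name in self._instances:
            raise ValueError(f"instance name already in use: {reg.instance_name}")
        if any(Decimal(r.altitude) == Decimal(reg.altitude) for r in self._instances.values()):
            raise ValueError(f"altitude already in use: {reg.altitude}")
        self._instances[reg.instance_name] = reg

    def detach(self, instance_name: str) -> None:
        del self._instances[instance_name]

    def pre_operation_order(self) -> List[str]:
        """Pre-operation callbacks run from the highest altitude down to the lowest."""
        ordered = sorted(self._instances.values(), key=lambda r: Decimal(r.altitude), reverse=True)
        return [r.instance_name for r in ordered]


class ManagementConsole:
    """Remote side of claims 8 and 15: the current randomized registration of each endpoint."""

    def __init__(self) -> None:
        self.current: Dict[str, Registration] = {}

    def report(self, endpoint_id: str, reg: Registration) -> None:
        self.current[endpoint_id] = reg


def load_with_randomization(fltmgr: SimulatedFilterManager, console: ManagementConsole,
                            endpoint_id: str) -> Registration:
    """What the driver does at load time: generate, register, then report to the console."""
    reg = build_registration(BASE_NAME, ASSIGNED_ALTITUDE)
    fltmgr.attach(reg)
    console.report(endpoint_id, reg)
    return reg


def demo() -> dict:
    fltmgr = SimulatedFilterManager()
    # The squatting situation the background describes: the fixed altitude and the
    # well-known instance name are already occupied when the EDR driver loads.
    fltmgr.attach(Registration(f"{BASE_NAME} Instance", str(ASSIGNED_ALTITUDE)))

    # Without randomization the legitimate registration collides and is refused.
    try:
        fltmgr.attach(Registration(f"{BASE_NAME} Instance", str(ASSIGNED_ALTITUDE)))
        fixed_accepted = True
    except ValueError:
        fixed_accepted = False

    console = ManagementConsole()
    first = load_with_randomization(fltmgr, console, "endpoint-01")
    fltmgr.detach(first.instance_name)                                # driver unloaded ...
    second = load_with_randomization(fltmgr, console, "endpoint-01")  # ... and loaded again (claims 7, 14)
    return {"fixed_accepted": fixed_accepted, "first": first, "second": second,
            "console": dict(console.current), "order": fltmgr.pre_operation_order()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Altitudes are compared as `Decimal` rather than `float` because FltMgr treats the altitude as an arbitrary-precision decimal string, so `"320000.5"` and `"320000.50"` must collide while a long fractional must not be rounded. In a real driver the equivalent values are the `Altitude` string and the instance key name under the driver's `Instances` registry subkey, which FltMgr reads when the filter registers; the simulation keeps them in memory only.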
Description
CROSS-REFERENCE TO RELATED APPLICATION
This application claims priority from U.S. Provisional Patent Application Serial No. 63/715,149 filed on November 1, 2024 entitled "MINIFILTER SQUATTING PROTECTION", the entire contents of which are hereby incorporated by reference.
FIELD
The present disclosure relates generally to endpoint protection and cyber security. More particularly, the present disclosure relates to protecting against minifilter squatting attacks, and in particular altitude and name minifilter squatting.
BACKGROUND
Microsoft Windows® utilizes a Filter Manager system for managing filter drivers. In particular, the Filter Manager (FltMgr.sys) is a system-supplied kernel-mode driver that implements and exposes functionality commonly required in file system filter drivers. File system filter developers can use FltMgr's functionality to write filesystem minifilter drivers (i.e., minifilters). FltMgr is a core component of Windows and becomes active from the time of system start.
A minifilter attaches to the file system stack indirectly, by registering with FltMgr for the I/O operations that the minifilter chooses to filter. Minifilters attach in a particular order. The operating system determines the order of attachment by load order groups and altitudes. The attachment of a minifilter at a particular altitude on a particular volume is called an instance of the minifilter. In particular, a minifilter's altitude ensures that the instance of the minifilter driver is always loaded at the appropriate location relative to other minifilter instances, and further determines the order in which FltMgr calls the minifilter to handle I/O.
Using filesystem minifilters, endpoint security products can learn about the files being created, modified, written to, and deleted. For example, minifilters can observe an attacker's interactions with the filesystem. As a result of their usefulness in endpoint security products, attackers may attempt to evade minifilters.
As such, systems and methods for preventing minifilter evasion or attacks would be well received in the art.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and further advantages of this disclosure may be better understood by referring to the following description in conjunction with the accompanying drawings, in which like reference numerals indicate like elements and features in the various figures. For clarity, not every element may be labeled in every figure. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the disclosure.
- FIG. 1 depicts a block diagram of an environment for threat management, according to an example embodiment.
- FIG. 2 depicts an architectural schematic view of a legacy filter driver architecture.
- FIG. 3 depicts an architectural schematic view of a filter manager and minifilter architecture according to one embodiment.
- FIG. 4 depicts an architectural schematic view of an endpoint detection and response (EDR) system including a central threat management system monitoring a plurality of endpoint devices according to one embodiment.
- FIG. 5 depicts a flow chart for a method for protecting against filesystem minifilter driver altitude squatting attacks according to one embodiment.
- FIG. 6 depicts a flow chart for another method for protecting against filesystem minifilter driver name squatting attacks according to one embodiment.
- FIG. 7 depicts a flow chart for a method for protecting against filesystem minifilter driver name and altitude squatting attacks according to one embodiment.
- FIG. 8 depicts a flow chart for a method for protecting against filesystem minifilter driver squatting attacks with multiple monitored endpoint devices according to one embodiment.
- FIG. 9 depicts a diagram of an example computing device, according to an example embodiment.
SUMMARY
According to various embodiments disclosed herein, a method for protecting against filesystem minifilter driver squatting attacks includes installing at least one filesystem minifilter driver on an endpoint device; and appending the at least one filesystem minifilter driver with a randomly generated fractional to an assigned integer altitude at a time of loading the at least one filesystem minifilter driver.
According to other embodiments, a computer system includes a threat management computer system including a centralized endpoint detection and response (EDR) system configured to monitor a plurality of endpoints for threats; and an endpoint device monitored by the centralized threat management computer system, the endpoint device including a localized EDR system in communication with the centralized EDR system, the endpoint device including a filter manager. The localized EDR system includes at least one filesystem minifilter driver managed by the filter manager, and the at least one filesystem minifilter driver includes an appended randomly generated fractional to an assigned integer altitude.
According to other embodiments, a metho