
US-20260129058-A1 - MINIFILTER SQUATTING PROTECTION


Abstract

A method for protecting against minifilter squatting attacks includes installing an endpoint detection and response system on an endpoint device, wherein the endpoint detection and response system includes at least one filesystem minifilter driver, and appending the at least one filesystem minifilter driver with a randomly generated fractional to an assigned integer altitude at a time of loading the at least one filesystem minifilter driver and/or inserting a combination of randomly generated characters into a minifilter instance name at the time of loading the at least one filesystem minifilter driver.

Inventors

  • Dietmar Georg Beckherrn
  • Emile Marcus Kenning

Assignees

  • SOPHOS LIMITED

Dates

Publication Date
20260507
Application Date
20250331

Claims (20)

  1. A method for protecting against filesystem minifilter driver squatting attacks comprising: installing at least one filesystem minifilter driver on an endpoint device; and appending the at least one filesystem minifilter driver with a randomly generated fractional to an assigned integer altitude at a time of loading the at least one filesystem minifilter driver.
  2. The method of claim 1, further comprising: detecting, by the at least one minifilter driver, at least one of a creation of a new file, a modification of an existing file, and a usage of a named pipe.
  3. The method of claim 1, further comprising: registering the at least one filesystem minifilter driver with a filter manager of the endpoint device with the assigned integer altitude appended by the randomly generated fractional, wherein the filter manager is configured to intercept requests destined for the filesystem and pass intercepted requests to loaded filesystem minifilter drivers including the at least one filesystem minifilter driver.
  4. The method of claim 1, further comprising: generating the randomly generated fractional using an operating system function at the start of loading the at least one filesystem minifilter driver.
  5. The method of claim 1, further comprising: inserting a combination of randomly generated characters into a filesystem minifilter driver instance name of the at least one filesystem minifilter driver at a time of loading.
  6. The method of claim 5, wherein the randomly generated fractional and the combination of randomly generated characters include the same sequence of numbers generated by an operating system function.
  7. The method of claim 1, further comprising: appending the at least one filesystem minifilter driver with a different randomly generated fractional to the assigned integer altitude at a second time of loading the at least one filesystem minifilter driver.
  8. The method of claim 1, further comprising: providing the assigned integer altitude appended by the randomly generated fractional to a remote threat management system managing an endpoint detection and response system of the endpoint device.
  9. The method of claim 8, further comprising: maintaining, by the remote threat management system, a list of current assigned integer altitudes appended by randomly generated fractionals from a plurality of endpoint devices managed by the endpoint detection and response system.
  10. A computer system, comprising: a threat management computer system including a centralized endpoint detection and response (EDR) system configured to monitor a plurality of endpoints for threats; and an endpoint device monitored by the centralized threat management computer system, the endpoint device including a localized EDR system in communication with the centralized EDR system, the endpoint device including a filter manager, wherein the localized EDR system includes at least one filesystem minifilter driver managed by the filter manager, the at least one filesystem minifilter driver including an appended randomly generated fractional to an assigned integer altitude.
  11. The computer system of claim 10, wherein the appended randomly generated fractional assigned to the assigned integer altitude is randomly generated and appended at the time of loading of the at least one filesystem minifilter driver.
  12. The computer system of claim 10, wherein the at least one minifilter driver is configured to detect at least one of a creation of a new file, a modification of an existing file, and a usage of a named pipe.
  13. The computer system of claim 10, wherein the at least one filesystem minifilter driver includes an inserted combination of randomly generated characters into a filesystem minifilter driver instance name.
  14. The computer system of claim 13, wherein the randomly generated fractional and the combination of randomly generated characters include the same sequence of numbers generated by an operating system function.
  15. The computer system of claim 10, further comprising: a second endpoint device monitored by the centralized threat management computer system, the second endpoint device including a second localized EDR system in communication with the centralized EDR system, the second endpoint device including a second filter manager, wherein the second localized EDR system includes at least one second endpoint filesystem minifilter driver managed by the second filter manager, the at least one second endpoint filesystem minifilter driver including a different appended randomly generated fractional to the assigned integer altitude, wherein the different appended randomly generated fractional is a different set of numbers than the appended randomly generated fractional of the endpoint device.
  16. The computer system of claim 15, wherein the threat management computer system includes a system configured to maintain current assigned integer altitudes appended by randomly generated fractionals from a plurality of endpoint devices managed by the centralized EDR system including the endpoint device and the second endpoint device.
  17. A method for protecting against filesystem minifilter driver squatting attacks comprising: installing an endpoint detection and response system on an endpoint device, wherein the endpoint detection and response system includes at least one filesystem minifilter driver; generating a random fractional using an operating system function at the start of loading the at least one filesystem minifilter driver; appending the at least one filesystem minifilter driver with the randomly generated fractional to an assigned integer altitude at a time of loading the at least one filesystem minifilter driver; registering the at least one filesystem minifilter driver with a filter manager of the endpoint device with the assigned integer altitude appended by the randomly generated fractional; intercepting a request, by the filter manager, destined for the filesystem; passing, by the filter manager, the intercepted request to the loaded filesystem minifilter driver; and detecting, by the at least one minifilter driver, at least one of a creation of a new file, a modification of an existing file, and a usage of a named pipe.
  18. The method of claim 17, further comprising: inserting a combination of randomly generated characters into a filesystem minifilter driver instance name of the at least one filesystem minifilter driver at a time of loading.
  19. The method of claim 18, wherein the randomly generated fractional and the combination of randomly generated characters include the same sequence of numbers generated by an operating system function.
  20. The method of claim 17, further comprising: appending the at least one filesystem minifilter driver with a different randomly generated fractional to the assigned integer altitude at a second time of loading the at least one filesystem minifilter driver.

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority under 35 U.S.C. § 119 from U.S. Provisional Patent Application Ser. No. 63/715,149 filed on Nov. 1, 2024 entitled “MINIFILTER SQUATTING PROTECTION”, the entire contents of which are hereby incorporated by reference.

FIELD

The present disclosure relates generally to endpoint protection and cyber security. More particularly, the present disclosure relates to protecting against minifilter squatting attacks, and in particular altitude and name minifilter squatting.

BACKGROUND

Microsoft Windows® utilizes a Filter Manager system for managing filter drivers. In particular, the Filter Manager (FltMgr.sys) is a system-supplied kernel-mode driver that implements and exposes functionality commonly required in file system filter drivers. File system filter developers can use FltMgr's functionality to write filesystem minifilter drivers (i.e. minifilters). FltMgr is a core component of Windows and becomes active from the time of system start. A minifilter attaches to the file system stack indirectly, by registering with FltMgr for the I/O operations that the minifilter chooses to filter. Minifilters attach in a particular order. The operating system determines the order of attachment by load order groups and altitudes. The attachment of a minifilter at a particular altitude on a particular volume is called an instance of the minifilter. In particular, a minifilter's altitude ensures that the instance of the minifilter driver is always loaded at the appropriate location relative to other minifilter instances, and further determines the order in which FltMgr calls the minifilter to handle I/O. Using filesystem minifilters, endpoint security products can learn about the files being created, modified, written to, and deleted. For example, minifilters can observe an attacker's interactions with the filesystem.
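The following user-mode C program is an added example, not code from the patent or from Sophos, illustrating the altitude mechanics described above together with the load-time randomization of claims 1, 5, 6 and 17. It assumes that Filter Manager altitudes are decimal strings that may carry a fractional part and are ordered numerically, that the randomized fractional has a fixed width of six digits (FRACTION_DIGITS), and that the random value is passed in by the caller rather than obtained from the kernel random function the claims refer to. The base name "ExampleEdrFilter", the base altitude 320000 and the list of already-loaded altitudes are constructed values. The helpers show that the fractional keeps the driver inside its assigned integer slot (so ordering relative to other vendors' integer altitudes is unchanged) and let a defender check a candidate altitude for a numeric collision with instances already present before registering.

```c
/* Added example (not from the patent): building a load-time randomized
 * minifilter altitude string and instance name, and checking the result.
 * All sample values are constructed; compile with any C99 compiler. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

#define FRACTION_DIGITS 6   /* assumption: width of the random fractional part */

static unsigned int fraction_modulus(void)
{
    unsigned int mod = 1;
    for (int i = 0; i < FRACTION_DIGITS; i++) mod *= 10;
    return mod;
}

/* Build "<base>.<fraction>" from the assigned integer altitude and a random
 * value supplied by the caller (in production: the OS random function named in
 * the claims). The fraction is zero-padded so the string always carries
 * FRACTION_DIGITS digits and never collapses to the bare integer altitude.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_randomized_altitude(unsigned int base_altitude, unsigned int random_value,
                              char *out, size_t out_len)
{
    unsigned int fraction = random_value % fraction_modulus();
    int n = snprintf(out, out_len, "%u.%0*u", base_altitude, FRACTION_DIGITS, fraction);
    return (n > 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Build the instance name from a vendor base name and the same random digits,
 * as claim 6 describes (fractional and name share one generated sequence). */
int build_randomized_instance_name(const char *base_name, unsigned int random_value,
                                   char *out, size_t out_len)
{
    unsigned int digits = random_value % fraction_modulus();
    int n = snprintf(out, out_len, "%s_%0*u", base_name, FRACTION_DIGITS, digits);
    return (n > 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Accept only plain decimal altitude strings: digits with at most one '.'. */
int altitude_is_valid(const char *s)
{
    int digits = 0, points = 0;
    if (s == NULL) return 0;
    for (; *s != '\0'; s++) {
        if (isdigit((unsigned char)*s)) { digits++; continue; }
        if (*s == '.') { points++; continue; }
        return 0;
    }
    return digits > 0 && points <= 1;
}

/* Compare two altitude strings as decimal numbers of unbounded precision:
 * "320000.5" > "320000" and "320000.50" == "320000.5". Result like strcmp. */
int compare_altitudes(const char *a, const char *b)
{
    const char *da = strchr(a, '.'), *db = strchr(b, '.');
    size_t ia = da ? (size_t)(da - a) : strlen(a);   /* integer-part lengths */
    size_t ib = db ? (size_t)(db - b) : strlen(b);
    while (ia > 1 && *a == '0') { a++; ia--; }        /* drop leading zeros */
    while (ib > 1 && *b == '0') { b++; ib--; }
    if (ia != ib) return ia < ib ? -1 : 1;             /* longer integer is larger */
    int c = strncmp(a, b, ia);
    if (c != 0) return c;
    const char *fa = da ? da + 1 : "", *fb = db ? db + 1 : "";
    for (;;) {                                         /* missing digits read as 0 */
        char ca = *fa ? *fa++ : '0';
        char cb = *fb ? *fb++ : '0';
        if (ca != cb) return ca < cb ? -1 : 1;
        if (!*fa && !*fb) return 0;
    }
}

/* The randomized altitude must still satisfy base <= altitude < base + 1, so
 * the driver keeps its position relative to other integer altitudes. */
int altitude_stays_in_slot(const char *altitude, unsigned int base_altitude)
{
    char lo[32], hi[32];
    snprintf(lo, sizeof lo, "%u", base_altitude);
    snprintf(hi, sizeof hi, "%u", base_altitude + 1);
    return compare_altitudes(altitude, lo) >= 0 && compare_altitudes(altitude, hi) < 0;
}

/* Pre-registration check: index of an already-present instance whose altitude
 * equals the candidate numerically, or -1 when the candidate is free. */
int find_altitude_collision(const char *candidate, const char *const *existing, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (compare_altitudes(candidate, existing[i]) == 0) return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed: 320000 lies in the FSFilter Anti-Virus altitude range; the
     * "random" value stands in for what the OS random function would return. */
    const char *loaded[] = { "320000", "325000", "329999.5" };
    char altitude[32], name[64];
    unsigned int r = 482917u;
    build_randomized_altitude(320000u, r, altitude, sizeof altitude);
    build_randomized_instance_name("ExampleEdrFilter", r, name, sizeof name);
    printf("altitude %s  instance %s  in-slot %d  collision %d\n", altitude, name,
           altitude_stays_in_slot(altitude, 320000u),
           find_altitude_collision(altitude, loaded, 3));
    return 0;
}
```

Because the fractional is regenerated on every load (claim 7), two boots of the same endpoint produce different altitude strings and instance names; the comparison helper is what a central list such as the one in claims 9 and 16 would need to detect duplicates across endpoints.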
As a result of their usefulness in endpoint security products, attackers may attempt to evade minifilters. As such, systems and methods for preventing minifilter evasion or attacks would be well received in the art.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and further advantages of this disclosure may be better understood by referring to the following description in conjunction with the accompanying drawings, in which like reference numerals indicate like elements and features in the various figures. For clarity, not every element may be labeled in every figure. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the disclosure.

FIG. 1 depicts a block diagram of an environment for threat management, according to an example embodiment.
FIG. 2 depicts an architectural schematic view of a legacy filter driver architecture.
FIG. 3 depicts an architectural schematic view of a filter manager and minifilter architecture according to one embodiment.
FIG. 4 depicts an architectural schematic view of an endpoint detection and response (EDR) system including a central threat management system monitoring a plurality of endpoint devices according to one embodiment.
FIG. 5 depicts a flow chart for a method for protecting against filesystem minifilter driver altitude squatting attacks according to one embodiment.
FIG. 6 depicts a flow chart for another method for protecting against filesystem minifilter driver name squatting attacks according to one embodiment.
FIG. 7 depicts a flow chart for a method for protecting against filesystem minifilter driver name and altitude squatting attacks according to one embodiment.
FIG. 8 depicts a flow chart for a method for protecting against filesystem minifilter driver squatting attacks with multiple monitored endpoint devices according to one embodiment.
FIG. 9 depicts a diagram of an example computing device, according to an example embodiment.
SUMMARY

According to various embodiments disclosed herein, a method for protecting against filesystem minifilter driver squatting attacks includes installing at least one filesystem minifilter driver on an endpoint device; and appending the at least one filesystem minifilter driver with a randomly generated fractional to an assigned integer altitude at a time of loading the at least one filesystem minifilter driver.

According to other embodiments, a computer system includes a threat management computer system including a centralized endpoint detection and response (EDR) system configured to monitor a plurality of endpoints for threats; and an endpoint device monitored by the centralized threat management computer system, the endpoint device including a localized EDR system in communication with the centralized EDR system, the endpoint device including a filter manager. The localized EDR system includes at least one filesystem minifilter driver managed by the filter manager, and the at least one filesystem minifilter driver includes an appended randomly generated fractional to an assigned integer altitude.

According to oth