For the next couple (or maybe more) posts I’ll be explaining how WdFilter works. I’ve always been very interested in how AVs work (nowadays I would say EDRs though) and their development at kernel level. And since, unfortunately, I don’t have access to the source code of any, my only chance is to reverse them (or to write my own). And of course what better product to check than the one written by the company who developed the OS.
For those who don’t know, WdFilter is the main kernel component of Windows Defender. Roughly, this driver works as a Minifilter from the load order group “FSFilter Anti-Virus”; this means that it is attached to the File System stack (actually, quite high – big altitude) and handles I/O operations in some Pre/Post callbacks. Not only that, this driver also implements other techniques to get information on what’s going on in the system. The goal of this series of posts is to have a solid understanding of how this works under the hood.
Not for the fain of heart.
Two days later: 0 comments
Conclusion1: OSAlert commenters are fain of heart.
Conclusion2: Thom should improve his spell checking
Conclusion3: Sometimes it is nice to write something silly during a break
1 – Nah, it just means those of us not so faint at heart are less likely to post on a technical article. Unless we feel rather strongly about the subject, anyways. I got all kinds of material on the technical details of OSes of all sorts, and read lots more on the net. I like stuff like this, but commenting on stuff like this isn’t right for a site like this. If where the article appears has comments, the comments are better off there.
If it’s not possible to troll on a pragmatic topic, then there’s no use trying. I would have liked to have such an article on “Dissecting the Linux Defender driver” but there’s no anti-virus out there.
Are you psychic?
https://www.windowscentral.com/microsoft-defender-atp-now-public-preview-linux
Well, this would have interested me in the past, but personally I lost interest in windows kernel development after they began tightening the noose on indy kernel developers with vista. It’s been a cat and mouse game ever since, methods that we used to run our own code would stop working after updates, etc.
https://www.technipages.com/enable-disable-device-driver-signing
https://naijnaira.com/permanently-disable-driver-signature-enforcement-in-windows-10/
(read the comments)
Regardless of one’s opinion of allowing owners to write & run their own drivers, the result is that it created a brain-drain and pushed a lot of developers including myself to favor linux.
Aaaand everyone else who’s commented missed the spelling mistake.
Thom, proofread your articles. Or not, it doesn’t seem to matter to most commenters
The123king,
My post was about why I lost interest in the windows kernel. I didn’t feel avgalen’s joke about spelling required additional commentary. Same goes for “Aaaand”. Not discussing does not mean it wasn’t noticed.