Loading...

Knowledge Center


McAfee Product Management Statement - Impact of NDIS drivers during Host Intrusion Prevention installation
Technical Articles ID:   KB59945
Last Modified:  11/7/2016
Rated:


Environment

McAfee Host Intrusion Prevention 7.0, 8.0

 

Problem

Loss of network connectivity during Host Intrusion Prevention (Host IPS) installation.

Solution

A major component of Host IPS is the host-firewall. Like all modern host-based firewalls, Host IPS 7.x and Host IPS 8.x uses an NDIS intermediate driver to perform network filtering operations at packet level.

Some customers have commented on the fact that when Host IPS is installed, the insertion of the firewall’s NDIS driver causes Microsoft Windows to tear down and rebuild the IP stacks on connected interfaces. This behavior causes some applications to generate error messages or lose connection during the temporary loss of connectivity.

Previous versions of Host IPS used firewall-hook drivers, which did not cause this temporary disruption. However, Microsoft actively discourages use of the older technique in its developer guidance, as described in the following excerpt from http://msdn.microsoft.com/en-us/library/aa504964.aspx:

“It is not recommended to implement a firewall-hook driver (or firewall driver) for Microsoft Windows XP and later versions of the operating system.
… To provide firewall functionality on Windows XP and later, you should create an NDIS intermediate miniport driver to manage packets sent and received across a firewall.”

With NDIS 5.0, supported on XP and prior Windows versions, whenever an NDIS intermediate driver is installed and/or uninstalled, the bindings in the driver stack are torn down and subsequently re-built, which leads to loss of network connectivity across all the network interface cards.

NDIS 6.0, supported on Windows Vista and 2008, provides several enhancements over 5.0 including the following:

“NDIS 6.0 filter drivers can be dynamically inserted into or removed from a driver stack during run time without tearing down bindings.”

NOTE: The quoted text was obtained from: http://msdn.microsoft.com/en-us/library/ms795218.aspx.

NDIS support for Host IPS 7. x and 8.x:

  • Host IPS 7.x uses NDIS 5.0 on all supported Windows operating platforms.
  • Host IPS 8.x uses NDIS 5.0 on Windows XP and Windows Server 2003 (and older) platforms.
  • Host IPS 8.x uses NDIS 6.0 on Windows Vista and Windows Server 2008 platforms.
  • Host IPS 8.x uses Windows Filter Platform (WFP) on Windows 7 and Windows Server 2008 R2 (and later) platforms.

Rate this document

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.