Write filter

Windows write filters are tools specially developed by Microsoft Windows to protect a partition against write accesses. The write accesses are redirected to the RAM and the partition is secured in a preconfigured state as a result. Following a restart, the system is automatically reset to the originally defined state.

A write protection filter can be configured, depending on the use case. In this way the system is protected from undesirable write access. Exclusions define the folders that still allow write accesses.

Significance for IT security

From an operator point of view, it makes sense if the changes made by malware are reversed after a restart and operation can be resumed. As a result of this, however, less information can be collected about the infection or attack, which may occur again.

Also, turning the write filter on and off is not secured. If the user in whose context the attack takes place can change the write filter settings, an attacker can do this, too.

EWF

The EWF (Enhanced Write Filter) protects the entire partition from write accesses without exceptions. If the EWF is active, all write accesses are redirected to the RAM. Following a restart or a power failure, the system is returned to its original state.

The EWF is controlled by the Beckhoff EWF Manager software, which is already installed by default.

Write filter 1: — Beckhoff EWF Manager, user interface.

Key to Beckhoff EWF Manager.
No.	Description
1	Switch EWF on, switch EWF off.
2	Data can be accepted at runtime if the EWF is active.
3	Switch EWF off without a restart.
4	Reset boot command to NO COMMAND.
5	Name of the partition.
6	ID of the partition on which the EWF is executed (in hexadecimal).
7	Indicates which commands are executed after the restart. The following commands exist: NO COMMAND, no changes. ENABLE, the EWF is switched on after the restart. DISABLE, the EWF is switched off after the restart. COMMIT, data are written to the storage medium when shutting down, even though the EWF is switched on.
8	Indicates the current status, i.e. whether the EWF is switched on or switched off.
9	Indicates the EWF mode. In RAM REG mode, all accesses are redirected to the RAM and the EWF settings are stored in the Registry.

Requirements:

Windows Embedded Standard 2009 or
Windows Embedded Standard 7 P

Activate the EWF as follows:

1. Start the Industrial PC or Embedded PC and click Beckhoff EWF Manager under Start < All Programs < Beckhoff EWF Manager.

2. Under Action, click the Enable EWF button.

3. Confirm the settings so that the changes become effective.

The changes are only active after a restart. You have successfully activated the EWF.

FBWF

As opposed to the EWF, the FBWF operates at file level. This makes it possible to define possible exceptions and to allow write accesses to individual files or folders. All other write accesses are redirected to the RAM. Following a restart, the system is returned to its original state.

As soon as the FBWF is activated, some folders are released for direct write access. For example, the folder C:\Data is available for writing permanent data. Through the release of the folder C:\TwinCAT\Boot, a new TwinCAT boot project can be loaded to the computer without having to deactivate the FBWF first

EWF vs. FBWF

	Do not run EWF and FBWF at the same time If both write filters are activated, the FBWF exceptions will be intercepted by the EWF and will be lost when the computer is restarted. Do not activate the two write filters EWF and FBWF at the same time.

In most cases the FBWF is the better choice, as it is simpler to operate and allows direct write accesses. However, there are scenarios in which the EWF is indispensable, e.g. HORM (Hibernate Once/Resume Many) is not supported by the FBWF. In addition, the use of compressed NTFS volumes is not possible with the FBWF.

Control with the Beckhoff FBWF Manager

The FBWF is controlled by the Beckhoff FBWF Manager software, which is already installed by default.

Write filter 3: — Beckhoff FBWF Manager, user interface.

Key to Beckhoff FBWF Manager.
No.	Description
1	The FBWF is switched on or off by the Change State button. The current and next states are displayed. Changes are only ever accepted after a restart.
2	Compression can only be activated when the FBWF is active. Indicates whether the compression of the FBWF overlay is active.
3	PreAllocation can only be activated when the FBWF is active. Indicates whether the PreAllocation is activated.
4	Exclusions are created on the Exclusion Settings tab. When an FBWF is active, folders are added to the exclusion list by default.

Requirements:

Windows Embedded Standard 2009 or
Windows Embedded Standard 7 P

Activate the FBWF as follows:

1. Start the Industrial PC or Embedded PC and click Beckhoff FBWF Manager under Start < All Programs < Beckhoff FBWF Manager.

2. Click the Change Settings button on the General Settings tab.

3. The Next State display changes and the message FBWF ENABLED appears.

4. Restart the Industrial or Embedded PC.

The changes are only active after a restart. The display Current State changes after the restart to FBWF ENABLED. You have successfully activated the FBWF.