Block hardware access

Hi, is there a way that I can prevent a program from using a hardware device by restricting driver access using Defense+?

I have a Hauppauge TV tuner and I know the driver that is being used: C:\Windows\System32\drivers\hcw72ATV.sys. I know this because if I remove it and load Windows, I cannot access the TV tuner from any program.

Given that I know the filenames, I would like only the Windows Media Center executables to access the TV tuner and no other program.

I know that Hauppauge installed some DLLs in C:\Windows\System32 but even if I remove them, other programs can still access the TV tuner. Any help would be appreciated.

Hello,

Are you wanting nothing BUT that application to access the TV tuner, or are you wanting only certain applications not to access it? The reason I ask is that if you just want certain applications to have no access to the driver, you may go to CIS > D+ > Computer Security Policy > Defense+ Rules > Select An Application which you want to block the access to the TV Tuner > Customize > Protected Files and Folders > Modify > Blocked Files and Folders > Add the Driver > Ok > Ok > Apply > OK > Close

You may also do so with the registry or DLL hooks, etc.

Hope this helps

Hi, I want nothing BUT that application to access the TV tuner. But even before I get to that point I am not able to block the hcw72ATV.sys driver. I selected CIS > D+ > Computer Security Policy > Defense+ Rules > Add > > Customize > Protection Settings > selected all Active.

The reason why I know the TV software uses that driver is that when I remove it and then reboot Windows, I can no longer access the TV tuner from any software.

Hi rabassa,

I think the following can do what you are looking for:

In Defense+ > Computer Security Policy > Defense+ rules go to “all applications” ==> edit > customize > Protected Files & Folders > modify > blocked files/folders > add and here add manually the path to your TV drivers

Drag the rule of the application that you want to access the driver upon the “all applications” rule. Do the same as above but instead of putting the drivers in the blocked files/folders, put it in the allowed ones.

Hi, in your first paragraph you mention "add manually the path to your TV drivers". The path is C:\Windows\System32\drivers so I don’t want to block the whole folder. So I selected C:\Windows\System32\drivers\hcw72ATV.sys. I assume that the point of the first paragraph is to globally block the driver. It does not seem to have an effect because I can still access the tuner.

In your 2nd paragraph you mention “Drag the rule of the application that you want to access the driver upon the “all applications” rule”. Where and how do I define it?

You also mention “Do the same as above but instead of putting the drivers in the blocked files/folders, put it in the allowed ones”. Could you detail how and where I do this?

Thanks for your help.

So I selected C:\Windows\System32\drivers\hcw72ATV.sys.

Correct, that’s what I meant by the path to your TV driver.

It does not seem to have an effect because I can still access the tuner.

What do you mean? With an application?

In your 2nd paragraph you mention "Drag the rule of the application that you want to access the driver upon the "all applications" rule". Where and how do I define it?

If you haven’t removed it, there is, by default, a rule for “all applications” in Defense+ > Computer Security > Defense+ rules just below %windir%\explorer.exe.

You also mention "Do the same as above but instead of putting the drivers in the blocked files/folders, put it in the allowed ones". Could you detail how and where I do this?

As you want Windows Media Center executables to access the TV driver and as you have denied all applications access to it (by the 1st rule), you must make a rule for Media Center allowing access to the driver. If you already have a rule in Defense+ for the group of files of Media Center, just allow the access to the driver as I explained in my previous post. If you don’t already have that rule, do it like this:
Go to Defense+ > Computer Security Policy > Protected Files and Folders > Groups > add > a new group and name it Media Center for example. You’ll see at the end of the list a new entry “Media Center” and below it “add files here”; right click on that and then add. Scroll in the existing items till you find the Windows Media Center folder, drag the executables needed to Selected Items, then apply, apply, ok.
Now go to Defense+ > Computer Security Policy > Defense+ rules > add > select > Files group and choose the Media Center one. Drag it above the “all applications” one and edit it to allow C:\Windows\System32\drivers\hcw72ATV.sys.

Hi, I have not gotten to the stage to allow Windows Media Center. I still have the All Applications rule under Defense+ Rules. I select that, then I click on Edit, Customize, and then select Modify next to Protected Files/Folders. Under the Blocked Files/Folders tab I enter C:\Windows\System32\drivers\hcw72ATV.sys. However, I can still run my TV tuner from any application.

OK, I forgot to tell you to add C:\Windows\System32\drivers\hcw72ATV.sys to the Protected files & Folders ==>
Defense+ > Computer Security Policy > Protected Files & Folders > add > browse > C:\Windows\System32\drivers\hcw72ATV.sys > apply > ok

Your Defense + security level must be at least safe mode.

Hi Boris, I just put it under Protected Files and Folders as you last suggested but that did not work.
Then I also, in addition, added it to Protected Files/Folders by selecting the All Applications rule, then Customize, Modify. But that did not work either; the application still had access to the tuner. I am in Safe Mode. I have attached some pictures.

[attachment deleted by admin]

Just out of curiosity, could you set Defense+ security level to paranoid to see if the rule is fired?

While in Paranoid Mode, I tried with the rule but it does not seem to be fired. Both with and without the rule in paranoid mode I get the attached alert.

[attachment deleted by admin]

Well, I’m at a loss there and don’t see what else could be done to prevent the access to the driver by all applications except one. I’m afraid the only solution left is to block this access application by application. I’m sorry, maybe someone else will have a better idea.

Boris

With Boris's idea you need to make a rule for Windows Media Center that is somewhere above the “All Applications” rule. Rules get read top-down.

So, with the rule for WMC first then WMC is allowed to load that driver where all other applications are not. That is assuming the application rules are all under the “All Applications” rule. See attached image and the rule I made for Pot Player; it is above the “All Applications” rule.

[attachment deleted by admin]

I think we were at the stage where we could not block the driver altogether. We had not gotten to the point to allow or disallow certain applications to access the driver.

I am not too familiar as to how drivers get loaded. This seems to be a kernel driver. Does anything special have to be done for it?

I now see that the loading of the driver is trying to be intercepted by blocking access to it. See what happens when you block the driver under Device Driver’s Installation.

There are two ways to load a driver. You can load a driver and that’s what I assume gets intercepted with the above method.

The other method is by a service. One would need to block the particular service from running.
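
For the service-based loading route mentioned in the last post, the following PowerShell is an added example (not part of the thread) that finds which kernel driver service is backed by hcw72ATV.sys and reports its state and start type. It only reads information; the variable names and the `$startMeaning` table are this example's own.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the system.
$driverFile = 'hcw72ATV.sys'   # driver file name taken from the thread

# Meaning of the Start value stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<service name>
$startMeaning = @{
    0 = 'Boot (loaded by the boot loader)'
    1 = 'System (loaded during kernel initialisation)'
    2 = 'Auto (started at boot by the Service Control Manager)'
    3 = 'Manual (started on demand, e.g. when the device is enumerated)'
    4 = 'Disabled'
}

# Win32_SystemDriver lists kernel and file-system driver services.
# PathName can be written as \SystemRoot\..., \??\C:\... or a plain path,
# so match on the trailing file name only (-like is case-insensitive).
$found = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*\$driverFile" }

if (-not $found) {
    Write-Warning "No driver service references $driverFile on this machine."
    return
}

foreach ($drv in $found) {
    # The registry key of a driver service is named after the service.
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($drv.Name)"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        ServiceName = $drv.Name
        DisplayName = $drv.DisplayName
        State       = $drv.State        # Running = driver is loaded in the kernel
        StartMode   = $drv.StartMode
        StartValue  = $start
        StartMeans  = if ($null -ne $start) { $startMeaning[[int]$start] } else { 'unknown' }
        ImagePath   = $drv.PathName
    }
}
```

A State of Running means the driver is already loaded in the kernel before any application opens the tuner, and the reported ServiceName is the service that would have to be kept from running.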