Bitdefender Hypervisor Memory Introspection
Describes options for this guest.
#include <guests.h>
Data Fields
QWORD Original: The original options as received from GLUE_IFACE.NewGuestNotification. This is updated when GLUE_IFACE.ModifyDynamicOptions is used.
QWORD Current: The currently used options.
QWORD ForceOff: Options that are forcibly disabled.
QWORD Beta: Options that were forced to beta (log-only) mode.
QWORD Feedback: Options that will be forced to feedback only mode.
Describes options for this guest.
Every field in this structure must be a combination of the Activation and protection flags values.
QWORD _INTRO_PROT_OPTIONS::Beta
Options that were forced to beta (log-only) mode.
This can be done by the CAMI mechanism. These are the CAMI_PROT_OPTIONS.ForceBeta options. Detections triggered by the protection mechanism enabled by these flags will never block, the action taken will always be introGuestAllowed, and an alert will be generated.
Definition at line 248 of file guests.h.
Referenced by IntPolicyCoreIsOptionBeta().
QWORD _INTRO_PROT_OPTIONS::Current
The currently used options.
These are the Original flags, but introcore may decide to disable some of them. For example, if both INTRO_OPT_IN_GUEST_PT_FILTER and INTRO_OPT_VE are provided, one of them will be disabled.
Definition at line 236 of file guests.h.
Referenced by DbgLogCoreOptions(), DbgSetCoreOptions(), IntGetCurrentIntroOptions(), IntGuestInit(), IntGuestUninitOnBugcheck(), IntGuestUpdateCoreOptions(), IntGuestUpdateShemuOptions(), IntHandleTimer(), IntInjectFileAgentInGuest(), IntInjectProcessAgentInGuest(), IntLixApiHookAll(), IntLixApiUpdateHooks(), IntLixCredAdd(), IntLixCredCheckIntegrity(), IntLixCredsVerify(), IntLixDrvActivateProtection(), IntLixDrvSendEvent(), IntLixDrvUpdateProtection(), IntLixGuestActivateProtection(), IntLixKernelReadUnprotect(), IntLixKernelWriteUnprotect(), IntLixNetIterateTaskConnections(), IntLixNetSendGuestConnections(), IntLixPatchSwapgs(), IntLixTaskActivateProtection(), IntLixTaskAdjustProtections(), IntLixTaskHandleExec(), IntLixTaskSendExceptionEvent(), IntLixTaskSendTaskEvent(), IntLixTaskShouldProtect(), IntLixVmaHandlePageExecution(), IntPtiHandleGuestResumeFromSleep(), IntSwapgsStartMitigation(), IntVeCompleteLoader(), IntVeDumpStats(), IntVeHandleGuestResumeFromSleep(), IntWinApiUpdateHooks(), IntWinBcSendBsodEvent(), IntWinDpiGatherDpiInfo(), IntWinDpiHandleDpiAclEdit(), IntWinDpiHandleDpiDebug(), IntWinDpiHandleDpiHeapSpray(), IntWinDpiHandleDpiPivotedStack(), IntWinDpiHandleDpiSecDesc(), IntWinDpiHandleDpiStolenToken(), IntWinDpiHandleDpiThreadStart(), IntWinDpiHandleDpiTokenPrivs(), IntWinDrvForceDisableReadNtEat(), IntWinDrvHeadersInMemory(), IntWinDrvIsProtected(), IntWinDrvObjIsProtected(), IntWinDrvSendEvent(), IntWinGuestActivateProtection(), IntWinGuestFinishInit(), IntWinHalCreateHalData(), IntWinHalFindPerformanceCounterInternal(), IntWinHalUpdateProtection(), IntWinInfHookProtect(), IntWinNetSendProcessConnections(), IntWinPowHandleEventCommon(), IntWinProcAddProtectedProcess(), IntWinProcChangeProtectionFlags(), IntWinProcCreateProcessObject(), IntWinProcDeleteProcessObject(), IntWinProcGetProtectedInfo(), IntWinProcGetProtectedInfoEx(), IntWinProcHandleCopyMemory(), IntWinProcSendDllEvent(), IntWinProcSendProcessEvent(), IntWinProcSendProcessExceptionEvent(), IntWinProcValidateSystemCr3(), IntWinSDCheckIntegrity(), IntWinSelfMapGetAndCheckSelfMapEntry(), IntWinSelfMapProtectSelfMapIndex(), IntWinSelfMapValidateSelfMapEntries(), IntWinSudCheckIntegrity(), IntWinTokenCheckIntegrity(), IntWinTokenPrivsProtectOnProcess(), IntWinTokenProtectPrivs(), IntWinTokenUnprotectPrivs(), and IntWinVadIsExecSuspicious().
QWORD _INTRO_PROT_OPTIONS::Feedback
Options that will be forced to feedback only mode.
This can be done by the CAMI mechanism. These are the CAMI_PROT_OPTIONS.ForceFeedback options. Detections triggered by the protection mechanism enabled by these flags will never block: the action taken will always be introGuestAllowed and an alert will be generated, but the alert will carry the ALERT_FLAG_FEEDBACK_ONLY flag, so the user will not be notified and the event will only generate feedback.
Definition at line 255 of file guests.h.
Referenced by IntLixVmaHandlePageExecution(), IntPolicyCoreTakeAction(), IntPolicyIsCoreOptionFeedback(), IntPolicyProcTakeAction(), IntWinDpiForceFeedbackIfNeeded(), and IntWinVadIsExecSuspicious().
QWORD _INTRO_PROT_OPTIONS::ForceOff
Options that are forcibly disabled.
This can be done by the CAMI mechanism. These are the CAMI_PROT_OPTIONS.ForceOff options. This allows us to disable problematic options, overriding a protection policy.
Definition at line 242 of file guests.h.
Referenced by IntGuestUpdateCoreOptions(), IntGuestUpdateShemuOptions(), and IntShcIsSuspiciousCode().
QWORD _INTRO_PROT_OPTIONS::Original
The original options as received from GLUE_IFACE.NewGuestNotification. This is updated when GLUE_IFACE.ModifyDynamicOptions is used.
Definition at line 231 of file guests.h.
Referenced by IntCamiSetCoreOptions(), IntCamiSetShemuOptions(), IntGuestInit(), IntGuestUpdateCoreOptions(), and IntGuestUpdateShemuOptions().
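The following is an added illustration of how the Original, Current, ForceOff, Beta and Feedback masks interact as described above; it is model code written for this page, not introcore's implementation. It assumes Current is Original with the ForceOff bits cleared, uses constructed OPT_* bits in place of the real INTRO_OPT_* values, and assumes the PT filter is the option kept when it and #VE are both requested (the page does not say which one introcore disables).

```c
#include <stdint.h>
#include <stdbool.h>

typedef uint64_t QWORD;

/* Constructed stand-ins for INTRO_OPT_* bits; real values live in introcore headers. */
#define OPT_PT_FILTER (1ULL << 0)   /* stands in for INTRO_OPT_IN_GUEST_PT_FILTER */
#define OPT_VE        (1ULL << 1)   /* stands in for INTRO_OPT_VE */
#define OPT_X         (1ULL << 2)
#define OPT_Y         (1ULL << 3)

#define ALERT_FLAG_FEEDBACK_ONLY 0x1u   /* constructed value for this model */

/* Same fields as _INTRO_PROT_OPTIONS on this page. */
typedef struct { QWORD Original, Current, ForceOff, Beta, Feedback; } PROT_OPTIONS;

enum { ACTION_ALLOWED = 0, ACTION_BLOCKED = 1 };   /* ACTION_ALLOWED models introGuestAllowed */
typedef struct { int action; bool alert; unsigned alertFlags; } DECISION;

/* Assumption: Current = Original minus the CAMI ForceOff bits, then the
 * PT-filter/#VE exclusion from the Current description (PT filter is kept here). */
static void RecomputeCurrent(PROT_OPTIONS *o)
{
    o->Current = o->Original & ~o->ForceOff;
    if ((o->Current & OPT_PT_FILTER) && (o->Current & OPT_VE))
        o->Current &= ~OPT_VE;
}

/* Outcome when the mechanism enabled by `opt` triggers a detection. */
static DECISION TakeAction(const PROT_OPTIONS *o, QWORD opt)
{
    DECISION d = { ACTION_BLOCKED, true, 0 };
    if (!(o->Current & opt)) {                 /* mechanism is off: nothing fires */
        d.action = ACTION_ALLOWED; d.alert = false; return d;
    }
    if (o->Beta & opt)                         /* log-only: never block, still alert */
        d.action = ACTION_ALLOWED;
    if (o->Feedback & opt) {                   /* never block, alert is feedback-only */
        d.action = ACTION_ALLOWED; d.alertFlags |= ALERT_FLAG_FEEDBACK_ONLY;
    }
    return d;
}

/* Packs one scenario's decision into bits: 1 = blocked, 2 = alert, 4 = feedback-only. */
static unsigned Decide(QWORD orig, QWORD off, QWORD beta, QWORD fb, QWORD opt)
{
    PROT_OPTIONS o = { orig, 0, off, beta, fb };
    RecomputeCurrent(&o);
    DECISION d = TakeAction(&o, opt);
    return (unsigned)d.action | (d.alert ? 2u : 0u)
         | ((d.alertFlags & ALERT_FLAG_FEEDBACK_ONLY) ? 4u : 0u);
}

/* Returns the Current mask computed for a given Original/ForceOff pair. */
static QWORD CurrentFor(QWORD orig, QWORD off)
{
    PROT_OPTIONS o = { orig, 0, off, 0, 0 };
    RecomputeCurrent(&o);
    return o.Current;
}
```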