What is Windows Kerneless Mode?

Summary

Windows Forwarder 1.6.6 and above supports disabling the forwarder driver and running without any kernel presence.

This mode results in limited visibility, but may be required in certain environments. When the driver is disabled, the forwarder will continue to sight process execution and DLL loads. However, file modifications are no longer visible.

The driver status can be changed per-policy, via the Windows kernel driver setting. For auditing purposes, forwarders report their driver status (enabled or disabled), and this is visible on a forwarder's asset page.

Key Considerations

  1. Visibility is reduced in kerneless mode.
    1. When the driver is disabled, the forwarder will only see process executions and the DLLs they load.
    2. For example, if a user launches notepad.exe, the forwarder will see notepad.exe and all associated .dll files as they are loaded.
  2. File-related activity is no longer directly visible.
    1. The forwarder will no longer see file data modifications, new files, file deletes, or file renames.
    2. This will likely lead to missed sightings in your environment. For example, if a batch file is created, executed, and deleted in a short amount of time, the forwarder will no longer sight the file.
  3. Mitigation with Daily Backscan
    1. To partially mitigate missed sightings in kerneless mode, Stairwell recommends that you enable a daily backscan. This way, any new or modified persistent files will be sighted.

Changing the Driver Status from the Server

The forwarder driver status can be set from the server by modifying the Windows kernel driver policy setting. Keep in mind that a forwarder can be part of multiple policies, and the forwarder driver will be disabled if any of the policies are set to Do not use kernel driver.

There are three choices for the Windows kernel driver setting:

  1. Use local setting (default):
    1. In this case, the policy contains no information about the driver status, allowing the forwarder to decide based on its local configuration.
  2. Use kernel driver:
    1. This forces the forwarder to use the kernel driver, overriding and overwriting any local configuration.
  3. Do not use kernel driver:
    1. This forces the forwarder to disable the kernel driver, overriding and overwriting any local configuration.


Detailed Steps

To change the Windows kernel driver setting:

  1. Choose the policy to modify on the Assets --> Policies page.

  2. Select your desired setting for Windows kernel driver.

  3. Click the Save button in the top-right corner.

  4. If you selected Do not use kernel driver, acknowledge the risks associated with disabling the forwarder driver by clicking the Confirm Changes button.

Installing the Windows Forwarder with the Driver Disabled

By default, the forwarder installs with the driver enabled. To install with the driver disabled, pass the DRIVEROVERRIDES=1 command-line parameter to the installer. For example:

.\StairwellForwarderBundle.exe TOKEN="TOKENHERE" ENVIRONMENT_ID="ENVIRONMENTIDHERE" DRIVEROVERRIDES=1 /quiet /norestart /log C:\stairwell.log


Note: This setting will be overwritten if the policy received from the server specifies a conflicting value for the driver status. To prevent this, ensure that the Windows kernel driver setting is set to either:

  • Use local setting (this is the default value) or
  • Do not use kernel driver
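The precedence between the install-time DRIVEROVERRIDES=1 choice and the per-policy Windows kernel driver setting, and the visibility each resulting mode gives, modelled as an added example (not Stairwell's code; the event kinds, the Event class and the sample scenarios are constructed for illustration):

```python
from dataclasses import dataclass
from enum import Enum


class DriverSetting(Enum):
    """Values of a policy's 'Windows kernel driver' setting."""
    USE_LOCAL = "Use local setting"
    USE_DRIVER = "Use kernel driver"
    DO_NOT_USE_DRIVER = "Do not use kernel driver"


def effective_driver_enabled(local_enabled: bool, policies: list) -> bool:
    """Resolve the driver state from the local config plus every policy the forwarder is in.

    Any 'Do not use kernel driver' policy disables the driver; otherwise any
    'Use kernel driver' policy forces it on; only if every policy says 'Use local
    setting' does the install-time choice (DRIVEROVERRIDES=1 => False) decide.
    """
    if DriverSetting.DO_NOT_USE_DRIVER in policies:
        return False
    if DriverSetting.USE_DRIVER in policies:
        return True
    return local_enabled


@dataclass
class Event:
    """One host event (constructed sample, not forwarder telemetry)."""
    kind: str  # process_start | dll_load | file_create | file_modify | file_delete | file_rename
    persists_to_backscan: bool  # file is still on disk when the daily backscan runs


def is_sighted(event: Event, driver_enabled: bool, daily_backscan: bool) -> bool:
    """Whether the forwarder sights the event under the given configuration."""
    if driver_enabled:
        return True  # driver present: process, DLL and file activity are all visible
    if event.kind in ("process_start", "dll_load"):
        return True  # kerneless mode still sees executions and DLL loads
    # File activity is invisible without the driver; a daily backscan only recovers
    # new or modified files that still exist when it runs, so transient files stay missed.
    return daily_backscan and event.kind in ("file_create", "file_modify") and event.persists_to_backscan


def sighted_count(events: list, driver_enabled: bool, daily_backscan: bool) -> int:
    return sum(is_sighted(e, driver_enabled, daily_backscan) for e in events)


# Constructed scenario from the page: a batch file is created, run via cmd.exe, and deleted
# within seconds. Only the cmd.exe process start is visible in kerneless mode.
TRANSIENT_BATCH = [Event("file_create", False), Event("process_start", False), Event("file_delete", False)]
# Constructed scenario: a dropped file that persists and is never executed.
PERSISTENT_DROP = [Event("file_create", True)]
```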

Enabling Daily Backscan

When the forwarder is first installed, it crawls all local volumes, sighting and uploading files as needed. If the forwarder driver is disabled, Stairwell recommends running a daily backscan to pick up any new persistent files. This can be configured per-policy.

  1. Enable the Daily Backscan toggle and select the time you wish the backscan to run, in the forwarder's local time zone.

  2. Click the Save Changes button. If the forwarder driver is not enabled in this policy, you will also have to acknowledge the risks associated with disabling the forwarder driver by clicking the Confirm Changes button.

Known Issues

When the driver is disabled, the forwarder still attempts to sight files when they are executed. File sightings may be missed on volumes added after the forwarder starts, for example, on removable USB. In some cases, the OS provides the forwarder an unexpected path, and the forwarder skips the file. (FOR-521)