New findings show that malicious actors could leverage a sneaky malware detection evasion technique and bypass endpoint security solutions by manipulating the Windows Container Isolation Framework.
Microsoft’s container architecture uses a dynamically generated image to separate each container’s file system from the host while avoiding duplication of system files.
This is where the Windows Container Isolation FS (wcifs.sys) minifilter driver comes into play: its main purpose is to manage file system separation between Windows containers and their host.
Two such reparse tag data structures used by the Windows Container Isolation filter, according to Microsoft, are IO_REPARSE_TAG_WCI_1 and IO_REPARSE_TAG_WCI_LINK_1.
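The reparse tags named above are ordinary NTFS reparse points whose tag values tell wcifs.sys to redirect the file to a container layer. A defender triaging a host therefore wants to know which files carry WCI tags and whether they sit where container layers are expected. The script below is an added example written for this page, not code from Microsoft or from the research it reports: it decodes the REPARSE_DATA_BUFFER header that FSCTL_GET_REPARSE_POINT returns (tag, data length, reserved word, tag-specific data), breaks the tag into its winnt.h flag bits, and flags WCI-tagged paths outside a caller-supplied allowlist. The tag constants are taken from winnt.h; the inventory records and the Docker layer prefix are constructed sample input, and a real inventory would have to be collected from the host with a reparse-point query.

```python
import struct
from dataclasses import dataclass

# Reparse tag values as defined in the Windows SDK header winnt.h.
IO_REPARSE_TAG_SYMLINK = 0xA000000C
IO_REPARSE_TAG_WCI = 0x80000018
IO_REPARSE_TAG_WCI_1 = 0x90001018
IO_REPARSE_TAG_WCI_LINK = 0xA0000027
IO_REPARSE_TAG_WCI_LINK_1 = 0xA0001027

TAG_NAMES = {
    IO_REPARSE_TAG_SYMLINK: "IO_REPARSE_TAG_SYMLINK",
    IO_REPARSE_TAG_WCI: "IO_REPARSE_TAG_WCI",
    IO_REPARSE_TAG_WCI_1: "IO_REPARSE_TAG_WCI_1",
    IO_REPARSE_TAG_WCI_LINK: "IO_REPARSE_TAG_WCI_LINK",
    IO_REPARSE_TAG_WCI_LINK_1: "IO_REPARSE_TAG_WCI_LINK_1",
}
WCI_TAGS = {IO_REPARSE_TAG_WCI, IO_REPARSE_TAG_WCI_1,
            IO_REPARSE_TAG_WCI_LINK, IO_REPARSE_TAG_WCI_LINK_1}

# Flag bits in the top nibble of a reparse tag (winnt.h layout).
TAG_MICROSOFT = 0x80000000       # tag is defined by Microsoft
TAG_NAME_SURROGATE = 0x20000000  # file stands in for another name (link-like)
TAG_DIRECTORY = 0x10000000       # tag may be placed on a directory


@dataclass
class ReparseHeader:
    tag: int
    data_length: int
    data: bytes

    @property
    def name(self) -> str:
        return TAG_NAMES.get(self.tag, f"unknown(0x{self.tag:08X})")

    @property
    def is_microsoft(self) -> bool:
        return bool(self.tag & TAG_MICROSOFT)

    @property
    def is_name_surrogate(self) -> bool:
        return bool(self.tag & TAG_NAME_SURROGATE)

    @property
    def is_directory(self) -> bool:
        return bool(self.tag & TAG_DIRECTORY)

    @property
    def is_wci(self) -> bool:
        return self.tag in WCI_TAGS


def parse_reparse_buffer(buf: bytes) -> ReparseHeader:
    """Decode the 8-byte REPARSE_DATA_BUFFER header: ULONG ReparseTag,
    USHORT ReparseDataLength, USHORT Reserved, then the tag-specific data."""
    if len(buf) < 8:
        raise ValueError("buffer shorter than the REPARSE_DATA_BUFFER header")
    tag, length, _reserved = struct.unpack_from("<IHH", buf, 0)
    data = buf[8:8 + length]
    if len(data) != length:
        raise ValueError("ReparseDataLength runs past the end of the buffer")
    return ReparseHeader(tag, length, data)


def build_reparse_buffer(tag: int, data: bytes = b"") -> bytes:
    """Assemble a REPARSE_DATA_BUFFER; used here only to construct sample input."""
    return struct.pack("<IHH", tag, len(data), 0) + data


def find_wci_tags_outside(records, expected_prefixes=()):
    """Triage (path, reparse_buffer) records gathered from a host. Returns
    [(path, tag name)] for each WCI-tagged entry whose path does not start
    with one of the caller's expected container-layer prefixes. Which
    prefixes are legitimate on a host is the caller's knowledge, not ours."""
    findings = []
    for path, buf in records:
        header = parse_reparse_buffer(buf)
        if not header.is_wci:
            continue
        lowered = path.lower()
        if any(lowered.startswith(p.lower()) for p in expected_prefixes):
            continue
        findings.append((path, header.name))
    return findings


# Constructed sample inventory (not captured from a real machine). The Docker
# layer store is an assumed example of where WCI tags are expected to appear.
EXPECTED_PREFIXES = (r"C:\ProgramData\Docker\windowsfilter",)
SAMPLE_RECORDS = [
    (r"C:\ProgramData\Docker\windowsfilter\layer0\Windows\System32\ntdll.dll",
     build_reparse_buffer(IO_REPARSE_TAG_WCI_1, b"\x00" * 16)),
    (r"C:\Users\alice\AppData\Local\Temp\update.exe",
     build_reparse_buffer(IO_REPARSE_TAG_WCI_1, b"\x00" * 16)),
    (r"C:\Users\alice\Documents\notes.lnk",
     build_reparse_buffer(IO_REPARSE_TAG_WCI_LINK_1, b"\x00" * 16)),
    (r"C:\Users\alice\link",
     build_reparse_buffer(IO_REPARSE_TAG_SYMLINK, b"\x00" * 12)),
]

if __name__ == "__main__":
    for path, tag_name in find_wci_tags_outside(SAMPLE_RECORDS, EXPECTED_PREFIXES):
        print(f"{tag_name} on host path outside container layers: {path}")
```

Run on the constructed records, the two user-profile entries are reported and the symlink and the layer-store file are not. The flag decoding is worth noting: IO_REPARSE_TAG_WCI_1 has the directory bit set and IO_REPARSE_TAG_WCI_LINK_1 the name-surrogate bit, which matches their roles as a layered directory redirect and a link, so a tag value alone already tells a triager what kind of redirection the filter will apply.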