Methods of content filtering on Windows platform

Anna Tukhtarova
Sep 16, 2023


What is content filtering, how can it be implemented on the Windows platform, and why is it so important? Let’s review these aspects of content management together.

Content filtering is a process or technology that selectively screens or blocks digital content, such as websites, emails, or online materials, based on specific criteria or rules. The primary purpose of content filtering is to control and manage what users can access or view on the internet or within a computer network. Content filtering typically relies on predefined rules, blacklists, whitelists, and various algorithms to make decisions about what content to allow or block. Advanced content filtering systems may use machine learning and artificial intelligence to adapt and identify new threats or trends.

There are several reasons why content filtering is so important in the modern world:

  • Cybersecurity: Content filtering helps organizations and individuals protect themselves from malicious content, malware, and phishing attempts.
  • Privacy Concerns: Content filtering allows users to control and limit the collection of their personal data by websites and online services.
  • Child Safety: Parents and guardians use content filtering to ensure that children have a safe online experience by blocking access to age-inappropriate or harmful content.
  • Productivity: In a professional context, content filtering helps businesses boost employee productivity by restricting access to distracting or non-work-related websites during working hours.
  • Compliance and Regulations: Many industries and sectors have regulatory requirements for content filtering to ensure data protection, compliance with laws, and adherence to industry standards.
  • Data Loss Prevention: Content filtering plays a crucial role in preventing sensitive information or intellectual property from being leaked or shared inadvertently.
  • Resource Optimization: It helps optimize network resources by reducing the load on servers and networks, resulting in improved performance and reduced bandwidth consumption.
  • Online Reputation Management: Organizations use content filtering to monitor and manage their online reputation by filtering out negative or harmful content.

In summary, content filtering is vital today because it addresses various aspects of cybersecurity, privacy, safety, productivity, and compliance in our increasingly digital and interconnected world.

Recently, we conducted research on achieving high-quality content filtering while allowing the operating system to function normally. Our main requirements included:

  • HTTP/HTTPS now, protocol agnostic in the future: The primary goal of the first stage was filtering HTTP/HTTPS traffic, but the solution should be adaptable to handling other protocols as well.
  • Windows OS.
  • Application agnostic: We should be able to filter not only browser content.
  • Performant: We should avoid adding delays and latency while the user works with online content.
  • Works in the background: Users shouldn’t notice the solution running, apart from its filtering effect.
  • Filtering options: The solution should be able to filter only the traffic related to a specific process, web resource, user account, etc.
  • Secure: The solution should guarantee that filtered content stays secure.

We began with research, evaluated many options and solutions, and eventually developed a demo for the Windows platform.

1 Content Blocking Browser Extensions

A Content Blocking Browser extension is a software add-on for web browsers that filters and blocks unwanted content on web pages, such as ads, pop-ups, and tracking scripts. The main idea of the method is to inject your filtering logic in the form of an extension into a browser. The extension logic is called every time content appears in a browser, so filtering rules can be applied.

Implementation: browser-specific extension; usually written in JavaScript, HTML/CSS.

Advantages:

  • Cross-platform: Extensions execute inside a browser ecosystem.
  • Security: Traffic is analyzed and filtered inside a browser. The browser is responsible for decrypting HTTPS traffic in this case.
  • Easy to implement: There are many open-source examples of such extensions, for example, uBlock Origin.
  • Easy to release, install, and update: Major browsers have extension stores.

Disadvantages:

  • Browser-specific: Filtering is limited only to a specific browser.
  • Limited to browser functionality: Blocking has to follow the rules and limitations that browsers impose. For example, Chrome recently introduced Extension Manifest v3, which changes how content is blocked in Chrome; this forced drastic changes in extension code bases.

Examples: AdBlock Plus, AdGuard, uBlock Origin, Ad Remover

Conclusion: The method is suitable only if traffic blocking inside a browser is applicable. It doesn’t match our requirements.

2 Windows System Proxy

Windows System Proxy content filtering is a method of filtering and controlling internet access on a Windows computer by configuring the system’s proxy settings. The core concept of this approach involves setting up the system’s SOCKS or HTTP proxy to ensure that applications exclusively access the network through the proxy server. Here, the proxy manages TCP connections from clients and establishes its own connections with remote servers. All data traffic between TCP clients and the intended servers is routed through the proxy. Typically, all applications utilize the system’s proxy settings, which are stored in the Windows registry.

Implementation: a user-space application; it can be written in any language that runs on the Windows platform, e.g. C++, C#, Python, etc.

Advantages:

  • System-wide blocking: It blocks almost all traffic sent via the SOCKS or HTTP protocol, including traffic of browsers and other applications.
  • Straightforward implementation: Easier to implement than driver-based or any other system-wide approach.
  • Third parties: There are robust libraries that can be used to build the solution, for example, FiddlerCore.

Disadvantages:

  • Not comprehensive: Not all traffic gets filtered. To be filtered, traffic must pass through the system proxy, but this doesn’t always happen: applications can have their own proxy settings and disregard the system settings, so we cannot guarantee that all traffic is filtered.
  • Man-in-the-middle scheme for HTTPS data: The approach employs a man-in-the-middle scheme in which user traffic is decrypted and re-encrypted at the proxy layer. To achieve this, the application must install a trusted root certificate on the machine. As a result, all content received by the destination application is encrypted under a certificate different from the original server certificate. This introduces potential security risks and requires that users be aware of the approach.
  • Protocol dependent: Can filter only SOCKS and HTTP traffic.
  • Overwritable: System proxy settings need to be continuously monitored, as they can be changed by code or by the user.
  • Only one system proxy at a time: It’s impossible to build a chain of proxies; only one system proxy per user account is allowed.
  • Performance: Routing every connection through a user-space proxy slows down the whole system, so the code must be very well optimized to meet users’ expectations.

Example: Fiddler.

Conclusion: Not a good match if you need background content blocking with a high filtering rate.

3 Driver-based Filtering

A driver-based filter in the context of Windows is a software component or driver that is used to filter, monitor, or intercept various types of data or events at the driver level within the Windows operating system.

Driver-based solutions are low-level, but they usually provide developers with the highest degree of control. Examples of driver-based filters are NDIS filter drivers, WFP callout drivers, etc.

Advantages:

  • Protocol agnostic: NDIS drivers are not limited to specific network protocols, allowing them to filter and block traffic across various communication protocols, including TCP/IP, UDP, ICMP, etc.
  • Application agnostic: NDIS drivers are not tied to specific applications, which means they can filter traffic for all applications and services running on the system.
  • Efficiency: NDIS drivers can intercept and process network packets directly, minimizing overhead and latency associated with higher-level filtering methods. This efficiency is crucial for real-time content blocking.

Disadvantages:

  • Complexity: Driver development requires specific professional skills. Kernel debugging and development require specialized knowledge and tools.
  • Certification and compliance: All drivers should be certified and signed properly in order to be installed on a PC.
  • Compatibility: Ensuring driver compatibility with different versions of Windows (e.g., Windows 10, Windows 11) and service packs requires rigorous testing and adaptation.
  • Performance: A driver installed in the system affects its performance, stability, and security. The driver must be very well optimized in every respect.
  • System stability: A single mistake or bug in a driver can lead to a blue screen of death or invalid behavior of the whole system.
  • Man-in-the-middle scheme for HTTPS data: Filtered HTTPS traffic is re-encrypted under an intermediate certificate, not the original server certificate.

Conclusion: In summary, while drivers offer powerful content-blocking capabilities at the network level, their development and deployment require careful consideration of the complexities, security risks, and maintenance challenges associated with kernel-mode drivers. Organizations considering driver-based content filtering should assess whether the advantages outweigh these disadvantages and ensure they have the necessary expertise and resources for successful implementation.

3.1 NDIS Filter Drivers

The Network Driver Interface Specification, or NDIS, is a network driver API that allows capturing network traffic at the lowest possible level. Microsoft Windows network drivers implement the bottom four layers of the OSI model. NDIS provides the interfaces between protocol drivers (for example, TCP/IP) and the miniport drivers that control network cards. NDIS 6.0 introduced NDIS filter drivers, which can monitor and modify the interaction between protocol drivers and miniport drivers.

Implementation: Kernel mode driver, usually written in C.

Advantages:

  • Low level: Allows capturing network traffic at the lowest possible level.
  • Performance: Traffic is captured before any other OS-level processing takes place, so processing performance can be very high.

Disadvantages:

  • Complexity: Complex filtering algorithms especially for encrypted traffic.

Conclusion: A complex low-level implementation that allows high-performance background content filtering. Suitable only if you really need that level of detail or specific features of the technology, or if for some reason you need to support Windows versions prior to Windows Vista.

3.2 Windows Filtering Platform Callout Driver

A Windows filtering platform callout driver extends the capabilities of the Windows Filtering Platform by processing network data in ways that are beyond the scope of the simple filtering functionality. See details in the next section.

4 Windows Filtering Platform

The Windows Filtering Platform, or WFP, is a Microsoft technology introduced in Windows Vista and Windows Server 2008 and designed to replace outdated traffic filtering techniques. WFP has a clear architecture and allows monitoring and/or changing data at various levels of the Windows network stack. WFP consists of user-mode and kernel-mode APIs; however, many of its functions can only be accessed from the kernel. WFP works on Layer 2 and higher.

Implementation: kernel mode driver, usually written in C/C++; user mode application or service, usually written in C/C++ or C#.

Speaking of the WFP callout driver, all advantages and disadvantages from the kernel driver section apply here as well.

Advantages:

  • Recommended by Microsoft: It is Microsoft’s recommendation for traffic filtering tasks.
  • User-mode and kernel-mode support: Some simple tasks, such as firewall-style allow/block rules, can be implemented in user mode. User-mode solutions are easier to develop, support, and release, and if something goes wrong in a user-mode application, the stability of the whole system is not affected, unlike with kernel-mode implementations. A developer can choose the appropriate solution and filtering level for the project’s needs.
  • Filter-oriented: That’s the main purpose of a WFP driver, so its architecture and API are adjusted to the purpose.
  • Code simplicity: Implementation is simpler in comparison with NDIS drivers, but still as powerful.

Disadvantages:

  • Compatibility: Some features are only available on the most recent Windows versions.
  • Documentation: The documentation isn’t descriptive enough and can contain mistakes, and there are few open-source examples of complex WFP drivers. This is improving over time.

Examples: AdGuard

Conclusion: WFP is recommended by Microsoft for content filtering tasks. It offers many options for tasks of different complexity and is a good choice for content filtering and data modification on the Windows platform.

5 DNS Filtering

All DNS queries go to a DNS resolver. Specially configured DNS resolvers can also act as filters by refusing to resolve queries for certain domains that are tracked in blocklists.

Implementation: DNS-server solution.

Advantages:

  • Fast: No overhead or slowdown on end users’ PCs.
  • Can be mixed with other approaches: It can be mixed with other approaches like driver, system proxy, etc.
  • OS agnostic.
  • Application agnostic.

Disadvantages:

  • No data modification: Blocking works by IP address or domain name; no traffic modification is possible.
  • No URL path for HTTP/HTTPS traffic: Only the domain name is visible to the resolver; the full resource path is not available.
  • High-load DNS infrastructure: The DNS solution incurs ongoing costs that grow with the user base.
  • DNS settings change: DNS server settings on users’ devices must be adjusted.

Applications: AdGuard DNS, NextDNS, NordVPN.

Conclusion: DNS filtering is a good option, but traffic cannot be modified. That’s why many sophisticated filtering algorithms cannot be applied.
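To make the resolver-side decision concrete, here is an added example (not code from the original article or from any of the products named above) of the core of a filtering DNS resolver: it parses the question name from a wire-format query, matches it against a constructed blocklist including subdomains, and answers blocked names with NXDOMAIN while passing everything else through. It also illustrates the disadvantage above: only the domain is visible, never the URL path.

```python
import struct

# Constructed blocklist for this example; a real deployment would load curated lists.
BLOCKLIST = {"ads.example", "tracker.example.net"}


def parse_qname(packet: bytes, offset: int = 12):
    """Parse the first question's QNAME; returns (lower-cased name, offset after the name)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compressed label in question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """A blocklist entry covers the domain and every subdomain (ads.example covers cdn.ads.example)."""
    parts = name.rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a standard recursive A query (constructed test input, as a stub resolver would send)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def rcode(response: bytes) -> int:
    """Extract the RCODE (low 4 bits of the second flags byte) from a DNS response."""
    return response[3] & 0x0F


def filter_query(packet: bytes):
    """Return ("block", nxdomain_response) for blocked names or ("forward", None) otherwise."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("unsupported query")
    name, end = parse_qname(packet)
    if not is_blocked(name):
        return "forward", None  # a real resolver sends the query upstream here
    # Response header: QR=1, RD copied from the query, RA=1, RCODE=3 (NXDOMAIN); echo the question.
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return "block", header + packet[12:end + 4]
```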

6 Deprecated Windows Technologies for Content Filtering

There are also some technologies that were used on earlier versions of Windows but are deprecated nowadays and shouldn’t be used for new development. Microsoft has published guidance on the migration strategy for them. By providing a simpler development platform, WFP is designed to replace previous packet filtering technologies such as Transport Driver Interface (TDI) filters, Network Driver Interface Specification (NDIS) filters, and Winsock Layered Service Providers (LSP).

6.1 LSP

LSP stands for Layered Service Provider. The majority of apps use the Winsock library for socket programming on Windows; it provides a set of functions and data structures for creating and managing network sockets. The main idea behind LSP technology is injecting code between the application’s network calls and the Winsock API, thus allowing inspection, modification, or blocking of those calls. A Winsock LSP is a DLL that is loaded into the context of every process that uses the Winsock API. The main advantage of the technology over NDIS drivers is that it has access to the data stream rather than to a set of packets.

6.2 TDI

TDI stands for Transport Driver Interface. It is a low-level kernel-mode networking stack interface for accessing transport layer functionality in Windows. TDI provides standard methods for protocol addressing, sending and receiving datagrams, writing and reading streams, initiating connections, and detecting disconnects, and has been supported by Windows since its inception.

7 Conclusion

We explored the approaches described above and ultimately opted for a WFP callout driver in conjunction with a user-mode application. Specifically, for filtering HTTPS traffic, the demo application decrypts the traffic, removes blocked content from the data, and then re-encrypts it. The encryption uses a newly generated trusted root certificate installed on the target PC. The solution demonstrated promising potential and delivered strong performance results.
