Grzegorz Tworek  

By-design AV bypass with "dev drive" 😅
I really like this feature!
Update your detection rules if you want to spot this...
And what does fsutil devdrv actually do? Here you have it:
1. devdrv enable -> FsEnableDevDrive=1 in CCS\Control\FileSystem
2. disallowAv -> FltmgrDevDriveAllowAntivirusFilter=0 in CCS\Control\FilterManager
3. clearFiltersAllowed -> FsFlags + FsGuid in CCS\Control\FileSystemVolumes\{VOLUME_GUID}
4. trust -> DeviceIoControl(FSCTL_SET_PERSISTENT_VOLUME_STATE, PERSISTENT_VOLUME_STATE_TRUSTED_VOLUME)
And you can enjoy the bypass without even touching fsutil.exe 😎
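An added audit snippet (my own example, not code from the post or from Microsoft) that walks the four settings the list above maps out and reports the ones that put a volume outside antivirus minifilter coverage. It assumes the registry paths exactly as the post names them under HKLM\SYSTEM\CurrentControlSet, assumes the script is run elevated so the per-volume subkeys are readable, and assumes `D:` is the dev drive for the `fltmc` cross-check at the end (change it to your volume).

```powershell
# Added example (not from the original post): audit dev drive settings that
# keep antivirus minifilters off a volume. Run from an elevated PowerShell.
$FileSystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$FilterMgrKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FilterManager'
$VolumesKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystemVolumes'

function Get-RegValue {
    # Returns the value or $null if the key/value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. "fsutil devdrv enable" -> FsEnableDevDrive=1
$enabled = Get-RegValue $FileSystemKey 'FsEnableDevDrive'
if ($enabled -eq 1) {
    $findings.Add('FsEnableDevDrive=1: dev drive volumes are enabled on this host')
}

# 2. "disallowAv" -> FltmgrDevDriveAllowAntivirusFilter=0
$avAllowed = Get-RegValue $FilterMgrKey 'FltmgrDevDriveAllowAntivirusFilter'
if ($avAllowed -eq 0) {
    $findings.Add('FltmgrDevDriveAllowAntivirusFilter=0: AV minifilters are not attached to dev drive volumes')
}

# 3. "clearFiltersAllowed" -> FsFlags + FsGuid under FileSystemVolumes\{VOLUME_GUID}
if (Test-Path $VolumesKey) {
    Get-ChildItem -Path $VolumesKey | ForEach-Object {
        $flags = Get-RegValue $_.PSPath 'FsFlags'
        $guid  = Get-RegValue $_.PSPath 'FsGuid'
        if ($null -ne $flags -or $null -ne $guid) {
            $findings.Add(('Volume {0}: FsFlags={1} FsGuid={2}' -f $_.PSChildName, $flags, $guid))
        }
    }
}

# 4. "trust" is set with FSCTL_SET_PERSISTENT_VOLUME_STATE and lives on the
#    volume itself, not in the registry, so it is not visible from the keys
#    above; fsutil devdrv query reports the per-volume state instead.
fsutil.exe devdrv query

if ($findings.Count -eq 0) {
    'No dev drive related settings found.'
} else {
    $findings
}

# Cross-check what is actually attached: the filter list on the dev drive
# (assumed to be D:) should be shorter than on the system volume.
fltmc.exe instances -v C:
fltmc.exe instances -v D:
```

For detection, the registry values in steps 1 to 3 are the cheap signal: a Sysmon Event ID 13 (registry value set) rule on `FsEnableDevDrive`, `FltmgrDevDriveAllowAntivirusFilter` and the `FileSystemVolumes\*\FsFlags` path catches the change whether it was made by fsutil.exe or by a program writing the keys directly, which is the point of the last line of the post. The trust bit in step 4 has no registry footprint, so it needs either the `fsutil devdrv query` output above or monitoring of the FSCTL itself.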
@engarneering thank you! Enjoy and feel free to ask if you need any help understanding my work :)
Short video showing you how to play with application-based conditional ACLs on your own: https://youtu.be/4Lm0UWWa1gY
How to use conditional ACEs to get a file one app can open, while another one cannot.
@ConanChiles additional attributes in the token, and a conditional ACL verifying it. Will write more soon for sure.
Conditional ACLs, making the same file allowed for one app, denied for another one... 😮
I guess I know where I will dig during next weeks... 😎
@JohnHammond doing such things is an integral part of making the perfect ones. You learn a lot, and you get some new ideas - to mention only the obvious benefits.
In my case, the most hated thing related to the garbage pile is "I had it somewhere..." months or years later.
🤔
@kobziarz thank you, and I am at your service :)
After some "over lunch reversing" magic by @x86matthew, I have modified his code a bit, and I am ready to send a byte or two with DeviceIoControl().
If for any reason you want to see my version, it's here: https://github.com/gtworek/PSBits/blob/master/Misc/HttpCommunicationOpenHandle.c
Do you know any piece of code successfully opening \Device\Http\Communication device?
Is the "UlOpenPacket000" EA necessary? Something else? I didn't succeed so far, and a couple of IOCTLs still wait on my list ;)