Base Filtering Engine (BFE) service is missing: why did it happen and how to restore it

Written by Haim Gelfenbeyn Posted on 07 Feb 2012 Tags: dumeter, troubleshooting, bfe

What is Base Filtering Engine?

Base Filtering Engine Service (BFE) is a service that controls the operation of the Windows Filtering Platform. Windows Filtering Platform (WFP) is a network traffic processing platform that allows software to “hook” into Windows networking stack and perform such functions as firewall, traffic shaping, filtering, accounting, etc.

This service is essential for the operation of many firewall products: the Windows built-in firewall, Norton Internet Security, Trend Micro Internet Security, and many others.

DU Meter also depends on BFE for network traffic accounting, and will display a “service data is stale” error if BFE is not working properly.

Why is BFE missing or disabled on my computer?

There are viruses/trojans in active circulation that disable and remove the BFE service as a first step in the infection process.

In January 2012, I followed some link from Google, and immediately my Microsoft Security Essentials antivirus popped up and warned that real-time protection caught and disabled several viruses and trojans (Trojan:Win64/Sirefef.B, DDoS:Win32/Fareit.gen!A, Rogue:Win32/FakeRean, PWS:Win32/Karagany.A).

However, this was too late. The damage was already done. My BFE service and Windows Firewall service were disabled and deleted from the registry.

Apparently, the malware that does this is exploiting a Flash vulnerability, therefore if you have Adobe Flash in your browser and it is not updated to the latest version, you could be infected by just visiting a wrong web page. I have User Account Control (UAC) enabled on my Windows 7 computer, but it didn’t prevent the infection.

How to restore Base Filtering Engine after it went missing?

Since BFE is needed for proper firewall operation, it is important to restore it as soon as possible. The following steps are the easiest way to solve this problem:

  • If BFE disappeared recently, use System Restore and roll back to a pre-infected state. However, if you don’t know when Base Filtering Engine was deleted, or if it was deleted before your System Restore points were created, skip this step.
  • Scan and disinfect your whole system with an antivirus. There is no point restoring BFE if it is going to be deleted again by resident malware.
  • If System Restore didn’t restore BFE for you, follow these steps:
    1. Open Control Panel, search for “Services” and open “View Local Services”. Double-check that “Base Filtering Engine” is missing from the list. The steps below are pretty invasive, and should not be followed if BFE is listed in the list of services.
    2. If you don’t have a third-party firewall: check if “Windows Firewall” is available in the list of services. You’ll need to restore it too, if it is missing.
    3. If the BFE or Firewall services are missing: download the following Registry files (make sure you download the correct one for your operating system — Windows 7 or Vista):
      1. Create a System Restore Point (just in case something goes wrong).
      2. Double-click on the downloaded BFE and (optionally) firewall repair registry files, extract the .reg file from the downloaded .zip file (usually by just double-clicking it), and say “Yes” to the Registry Editor to add the data to the registry.
      3. Fix permissions in the registry:
        1. Open Registry Editor (type regedit in the Start Menu).
        2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy
        3. Right-click and select Permissions.
        4. Click Add, enter “Everyone” and click OK.
        5. Click on Everyone in the list at the top, and check the “Allow Full Control” checkbox below.
        6. Click OK to dismiss this dialog.
      4. Reboot and verify that the services were restored.
      5. Update your Adobe Flash so you won’t get infected again.
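As an added check that is not part of the original post: a PowerShell script that reports whether the BFE and Windows Firewall service registrations exist in the registry and in the service list, and lists the current permissions on the BFE Policy key, so the outcome of the steps above can be verified before step 1 and again after the reboot. It assumes MpsSvc is the service name of Windows Firewall on Vista/7 (the editor's assumption, not stated on the page).

```powershell
# Added check (not from the original post). Run from an elevated PowerShell
# prompt before step 1 and again after the reboot in step 4.
# Service names: BFE (Base Filtering Engine) and MpsSvc (Windows Firewall);
# MpsSvc as the firewall service name on Vista/7 is the editor's assumption.
$services  = @{ 'BFE' = 'Base Filtering Engine'; 'MpsSvc' = 'Windows Firewall' }
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy'
# Meaning of the Start value in a service key: 2 = Automatic, 3 = Manual, 4 = Disabled
$startTypes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceRegistration {
    param([string]$Name, [string]$DisplayName)
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\services\$Name"
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $start = $null
    if (Test-Path $regKey) {
        $startValue = (Get-ItemProperty -Path $regKey).Start
        $start = $startTypes[[int]$startValue]
    }
    $status = 'missing'
    if ($svc) { $status = [string]$svc.Status }
    # A missing key means the service registration was deleted (the symptom
    # described above); a present key with Start = 4 means it was only disabled.
    New-Object PSObject -Property @{
        Service    = $DisplayName
        KeyPresent = (Test-Path $regKey)
        Listed     = ($svc -ne $null)
        Status     = $status
        StartType  = $start
    }
}

$services.GetEnumerator() | ForEach-Object {
    Get-ServiceRegistration -Name $_.Key -DisplayName $_.Value
} | Format-Table Service, KeyPresent, Listed, Status, StartType -AutoSize

# Show who currently has rights on the Policy key, so the permission change
# made in step 3 can be reviewed (and tightened again later if desired).
if (Test-Path $policyKey) {
    (Get-Acl -Path $policyKey).Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
} else {
    Write-Output "Policy key not found: $policyKey"
}
```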

Important

  • I hope this information is helpful for you. However, proceed with the advice above at your sole risk. All information in this article is provided “as-is”, without any warranty, whether express or implied, of its accuracy, completeness, or fitness for a particular purpose.
  • This blog post contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. Always have a recent backup, so you can restore the registry if a problem occurs.