Get response from user in driver

santosh_menon Member Posts: 3

I am creating a real-time minifilter driver for an anti-virus.
These are the events I have registered:

    { IRP_MJ_CREATE,
      0,
      ScannerPreCreate,
      ScannerPostCreate },

    { IRP_MJ_WRITE,
      0,
      NULL,
      PostOperationIrpWrite },

    { IRP_MJ_SET_INFORMATION,
      0,
      PreOperationIrpInfo,
      NULL },

    { IRP_MJ_CLEANUP,
      0,
      PreOperationIrpCleanup,
      PostOperationIrpCleanup },

    { IRP_MJ_OPERATION_END }

Is it possible to find out from the driver that the user is going to delete a file?
For example, if there is a user prompt for deleting a file,
I want to ignore that file. Please help.

Comments

  • rod_widdowson Member - All Emails Posts: 1,090

    You have no visibility on what the user does or sees.

    You can find out if the file is marked for delete (FileStandardInformation) but there are many ways to delete a file which do not involve marking for delete. I believe that there is a sample which demonstrates this.

  • santosh_menon Member Posts: 3

    @rod_widdowson said:
    You have no visibility on what the user does or sees.

    You can find out if the file is marked for delete (FileStandardInformation) but there are many ways to delete a file which do not involve marking for delete. I believe that there is a sample which demonstrates this.

    Hi Rod,

    Thanks for sharing information.

    Actually, I am developing an "on-access driver" for our anti-malware application.

    What exactly we need is: when the user accesses a file, we scan it with our engine and, if malware is found, do a quarantine operation.

    Now, in the case I shared, even when I press Shift+Delete, the driver gives a file access notification and my engine quarantines that particular file.

    I want to ignore this step, as if the user is going to delete any file it is not a harmful action; this is the common behavior of all antiviruses' real-time protection.

    Can you please help me to achieve the same? Thanks.

  • Scott_Noone_(OSR) Administrator Posts: 3,220

    It's complicated... Play with the Delete sample that Rod mentioned to start understanding the problems:

    https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/delete

    -scott
    OSR
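
Added example, not part of the thread and not code from Microsoft's Delete sample: a WDK-free C model of two delete-intent signals a minifilter can see in its pre-operation callbacks, FILE_DELETE_ON_CLOSE on IRP_MJ_CREATE and the FileDisposition* classes on IRP_MJ_SET_INFORMATION. The `op` and `stream_state` structs and the function names are hypothetical; the constants are redefined from the WDK headers so the block builds without them.

```c
#include <stddef.h>
#include <stdint.h>

/* Values as defined in the WDK headers, redefined so this builds without the WDK. */
#define IRP_MJ_CREATE           0x00
#define IRP_MJ_SET_INFORMATION  0x06
#define FILE_DELETE_ON_CLOSE    0x00001000u
#define FILE_DISPOSITION_DELETE 0x00000001u
enum { FileDispositionInformation = 13, FileDispositionInformationEx = 64 };

/* Hypothetical flattened view of the parameters a pre-operation callback reads. */
struct op {
    uint8_t     major;          /* Iopb->MajorFunction */
    uint32_t    create_options; /* Parameters.Create.Options */
    int         info_class;     /* SetFileInformation.FileInformationClass */
    const void *info_buffer;    /* SetFileInformation.InfoBuffer */
};

/* Hypothetical per-stream state, the kind of data kept in a stream context. */
struct stream_state {
    int delete_on_close;  /* some handle was opened with FILE_DELETE_ON_CLOSE */
    int disposition_set;  /* result of the last FileDisposition* request seen */
};

/* Update state from one pre-operation; returns 1 if it carried delete intent. */
int track_delete_intent(struct stream_state *s, const struct op *o)
{
    if (o->major == IRP_MJ_CREATE) {
        int doc = (o->create_options & FILE_DELETE_ON_CLOSE) != 0;
        if (doc) s->delete_on_close = 1;  /* only real if the create succeeds */
        return doc;
    }
    if (o->major != IRP_MJ_SET_INFORMATION || o->info_buffer == NULL) return 0;
    if (o->info_class == FileDispositionInformation) {
        /* FILE_DISPOSITION_INFORMATION holds a single BOOLEAN DeleteFile */
        s->disposition_set = *(const uint8_t *)o->info_buffer != 0;
        return s->disposition_set;
    }
    if (o->info_class == FileDispositionInformationEx) {
        /* FILE_DISPOSITION_INFORMATION_EX holds a ULONG Flags */
        s->disposition_set = (*(const uint32_t *)o->info_buffer & FILE_DISPOSITION_DELETE) != 0;
        return s->disposition_set;
    }
    return 0;
}
/* Intent is only a candidate: a later request can clear the disposition. */
int delete_pending_candidate(const struct stream_state *s)
{
    return s->delete_on_close || s->disposition_set;
}
```

In a real minifilter the same fields come from `Data->Iopb->Parameters`, and the tracked state is only a hint until cleanup, when querying FileStandardInformation tells you whether the file is actually marked for delete.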
