AV catching FltSetSecurity ABOVE us?

Dejan_Maksimovic Member - All Emails Posts: 463
via Email in NTFSD
Hello,

I have a peculiar situation, and I sure hope I am missing something.

When we send a create request to instances below us (new file, same
volume), an AV filter above us is able to catch an FltSetSecurity on that
file object and denies it.

In this particular case it is Sophos AV, but I get the feeling this
won't be unique to it.

Our altitude is in the 8x000 range, all Sophos filters are in the 3xx000
range, so above us for sure. The instance I pass to the Flt API is ours, so
that should only send it below us.

Is there some other callback for setting object security that I
completely forgot about? Or any idea what could be up here?
Win10 x64, so SSDT patching is definitely not it.


Regards, Dejan.
FS lead, https://www.alfasp.com