AV catching FltSetSecurity ABOVE us?

Hello,

I have a peculiar situation, and I sure hope I am missing something.

When we send a create request to instances below us (new file, same
volume), an AV filter above us is able to catch an FltSetSecurity on that
file object and denies it.

In this particular case it is Sophos AV, but I get the feeling this
won’t be unique to it.

Our altitude is in the 8x000 range, all Sophos filters are in the 3xx000
range, so above us for sure. The instance I pass to the Flt API is ours, so
that should only send it below us.

Is there some other callback for setting object security that I
completely forgot about? Or any idea what could be up here?
Win10 x64, so SSDT patching is definitely not it.

Regards, Dejan.
FS lead, https://www.alfasp.com