We have a filter providing an HSM via reparse point, but we are finding increasing use of EAs by some anti-malware products. We propose to remove the EA when we 'stub' a file (remove primary data and add a reparse point) but replace the EA if the file is accessed, causing us to 'unstub' the file (restore primary data and remove the reparse point). Has anyone else tried this, or does anyone see major issues with it?
Comments
cases.
Whatever can go wrong, will go wrong at the worst time - no logging, but data loss.
I am surprised AVs/AMs use EAs. Does it remove a reparse tag?
I can see quite a few reentry issues with AVs here, if you remove their tags even momentarily.
Dejan.
Are they normal EAs or Kernel Purge EAs (cf. https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/kernel-extended-attributes)?
-scott
OSR
@Scott_Noone_(OSR) We are seeing both. Kernel ones on Azure, but regular ones set by a security product (am I allowed to name vendors here?)
Kernel Purge EAs are generally used by A/Vs to avoid scanning files that haven't changed (e.g. across reboots). IMO it doesn't make sense to restore these given that the file may have changed "in the cloud" since the last local scan.
For normal EAs there's no right answer... They're a pretty fragile mechanism for storing anything important given that they're lost when copying to file systems that don't support them (e.g. FAT32). I'd be inclined to just leave them on the local stub file/reparse point and not bother saving/restoring them.
And, FWIW, having written two HSM filters we've never saved/deleted/restored EAs. This also appears to be the policy of the Cloud Filter, which doesn't necessarily mean it's "right" but just another example.
-scott
OSR
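To make the EA mechanics discussed above concrete, here is an added example; it is not code from this thread, from OSR, or from any HSM product. It is user-mode C that builds and walks the FILE_FULL_EA_INFORMATION list that FltQueryEaFile returns (and FltSetEaFile takes back), classifies entries by the "$Kernel." and "$Kernel.Purge." prefixes from the Kernel Extended Attributes page linked earlier, and produces the list a filter would re-apply on unstub with the purge EAs dropped, which is the part of the saved set the reply above says is not worth restoring. The struct is a local mirror of the Windows definition so the file builds without the WDK; the EA names and values are constructed for the example; the prefix compare is case-insensitive on the assumption that NTFS EA names are not case-sensitive; and the bounds checks in the walker are the added check a filter should run before it re-applies a buffer it stored elsewhere.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local mirror of the Windows FILE_FULL_EA_INFORMATION layout (ntifs.h),
 * so this builds without the WDK. Field order, sizes and alignment match. */
typedef struct FileFullEaInformation {
    uint32_t NextEntryOffset; /* bytes from this entry to the next; 0 ends the list */
    uint8_t  Flags;           /* 0 or FILE_NEED_EA (0x80) */
    uint8_t  EaNameLength;    /* name length, not counting the NUL */
    uint16_t EaValueLength;   /* value length in bytes */
    char     EaName[1];       /* name, NUL, then EaValueLength value bytes */
} FileFullEaInformation;

#define EA_HEADER_SIZE offsetof(FileFullEaInformation, EaName)   /* 8 */

typedef enum { EA_NORMAL, EA_KERNEL, EA_KERNEL_PURGE } EaKind;

/* Case-insensitive prefix test (assumption: NTFS EA names are not case-sensitive). */
static int ea_has_prefix(const char *name, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (len < plen) return 0;
    for (size_t i = 0; i < plen; i++)
        if (toupper((unsigned char)name[i]) != toupper((unsigned char)prefix[i])) return 0;
    return 1;
}

/* "$Kernel." names are kernel EAs (settable only from kernel mode);
 * "$Kernel.Purge." is the subset NTFS removes itself when the file data is
 * modified, i.e. the A/V "unchanged since last scan" marker from the thread. */
EaKind ea_classify(const char *name, size_t len)
{
    if (ea_has_prefix(name, len, "$Kernel.Purge.")) return EA_KERNEL_PURGE;
    if (ea_has_prefix(name, len, "$Kernel.")) return EA_KERNEL;
    return EA_NORMAL;
}

static size_t ea_entry_size(const FileFullEaInformation *e)
{ return EA_HEADER_SIZE + e->EaNameLength + 1 + e->EaValueLength; }
static size_t ea_round4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Incremental list builder; buf must be 4-byte aligned. len is the unpadded end
 * of the last entry, last is that entry's offset (needed to link the next one). */
typedef struct { uint8_t *buf; size_t cap, len, last; } EaBuilder;

void ea_builder_init(EaBuilder *b, void *buf, size_t cap)
{ b->buf = buf; b->cap = cap; b->len = 0; b->last = 0; }

int ea_builder_append(EaBuilder *b, const char *name, uint8_t flags,
                      const void *value, uint16_t vlen)
{
    size_t nlen = strlen(name);
    if (nlen == 0 || nlen > 255) return -1;
    size_t start = ea_round4(b->len);                  /* entries start 4-byte aligned */
    size_t need  = EA_HEADER_SIZE + nlen + 1 + vlen;
    if (start + need > b->cap) return -1;
    if (b->len) {                                      /* zero the pad, link the previous entry */
        memset(b->buf + b->len, 0, start - b->len);
        ((FileFullEaInformation *)(b->buf + b->last))->NextEntryOffset = (uint32_t)(start - b->last);
    }
    FileFullEaInformation *e = (FileFullEaInformation *)(b->buf + start);
    e->NextEntryOffset = 0; e->Flags = flags;
    e->EaNameLength = (uint8_t)nlen; e->EaValueLength = vlen;
    memcpy(e->EaName, name, nlen); e->EaName[nlen] = '\0';
    if (vlen) memcpy(e->EaName + nlen + 1, value, vlen);
    b->last = start; b->len = start + need;
    return 0;
}

/* Walk a list with bounds checks; returns the entry count, or -1 if malformed
 * (entry runs past the buffer, missing NUL, link that is unaligned or goes
 * backwards). A callback returning nonzero aborts and that value is returned. */
typedef int (*EaVisitor)(const FileFullEaInformation *e, void *ctx);

int ea_list_walk(const void *list, size_t len, EaVisitor cb, void *ctx)
{
    const uint8_t *buf = list;
    size_t off = 0; int count = 0;
    if (len == 0) return 0;
    for (;;) {
        if (off + EA_HEADER_SIZE > len) return -1;
        const FileFullEaInformation *e = (const FileFullEaInformation *)(buf + off);
        size_t sz = ea_entry_size(e);
        if (sz > len - off) return -1;
        if (e->EaNameLength == 0 || e->EaName[e->EaNameLength] != '\0') return -1;
        if (cb) { int r = cb(e, ctx); if (r) return r; }
        count++;
        if (e->NextEntryOffset == 0) return count;
        if ((e->NextEntryOffset & 3) || e->NextEntryOffset < sz) return -1;
        off += e->NextEntryOffset;
    }
}

/* Visitor: copy everything except $Kernel.Purge.* into the restore list. */
static int keep_non_purge(const FileFullEaInformation *e, void *ctx)
{
    if (ea_classify(e->EaName, e->EaNameLength) == EA_KERNEL_PURGE) return 0;
    return ea_builder_append((EaBuilder *)ctx, e->EaName, e->Flags,
                             e->EaName + e->EaNameLength + 1, e->EaValueLength) ? -1 : 0;
}

/* Build the list to re-apply on unstub. Returns entries kept, or -1 on a
 * malformed input or a full output buffer; *out_len receives the bytes used. */
int ea_strip_purge(const void *in, size_t in_len, void *out, size_t out_cap, size_t *out_len)
{
    EaBuilder b;
    ea_builder_init(&b, out, out_cap);
    if (ea_list_walk(in, in_len, keep_non_purge, &b) < 0) return -1;
    *out_len = b.len;
    return ea_list_walk(out, b.len, NULL, NULL);
}

typedef struct { int built_len, entries, kept, kept_len, bad_rejected; } EaDemoResult;

/* Constructed sample (hypothetical names): one vendor EA, one kernel purge EA,
 * one other kernel EA; then a corrupted link to show the walker refusing it. */
EaDemoResult ea_demo(void)
{
    EaDemoResult r = {0};
    uint32_t raw[64], restore[64];                     /* uint32_t arrays give 4-byte alignment */
    EaBuilder b;
    ea_builder_init(&b, raw, sizeof raw);
    ea_builder_append(&b, "User.Tag", 0, "abc", 3);
    ea_builder_append(&b, "$Kernel.Purge.Scan", 0, "\x01", 1);
    ea_builder_append(&b, "$KERNEL.Foo", 0, "x", 1);
    r.built_len = (int)b.len;
    r.entries = ea_list_walk(raw, b.len, NULL, NULL);
    size_t kept_len = 0;
    r.kept = ea_strip_purge(raw, b.len, restore, sizeof restore, &kept_len);
    r.kept_len = (int)kept_len;
    ((FileFullEaInformation *)raw)->NextEntryOffset = 4096;  /* link past the buffer */
    r.bad_rejected = ea_list_walk(raw, b.len, NULL, NULL) == -1;
    return r;
}

int main(void)
{
    EaDemoResult r = ea_demo();
    printf("built %d bytes / %d entries; restore list %d entries / %d bytes; bad link rejected: %d\n",
           r.built_len, r.entries, r.kept, r.kept_len, r.bad_rejected);
    return 0;
}
```

In a real minifilter the input list would come from FltQueryEaFile on the file being stubbed, be persisted with the stub, and the output of ea_strip_purge would be handed to FltSetEaFile after the primary data is restored; the alignment and bounds rules in the walker are the same ones the file system applies, so a stored list that fails them should be discarded rather than re-applied.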