One thing to note on this type of implementation, interoperating with
certain other AV products could be problematic. There could be, say, two
products of this sort on a system, where one of them actually holds a
serialization lock on the file until it has completed its scan. Thus if
your filter were below this filter, and when you receive the open, it is the
original open that the first AV product is using to scan the file, when your
service re-enters the stack from user mode, the first AV product will block
the open since it is waiting on the original open to complete to perform
its scan.
Not that it is ever nice to hold any sort of lock across a call down the
stack, but then again when have ‘they’ ever cooperated?
Pete
Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jamey Kirby
Sent: Wednesday, October 19, 2005 10:06 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] AntiVirus Architecture - What is the best design?
It should have been scanned on the first open that has it locked.
Jamey
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Cook, Mark
Sent: Wednesday, October 19, 2005 7:48 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] AntiVirus Architecture - What is the best design?
Just a thought but if the process that originally opened the file opened
it with exclusive access (ie share none), how would the user mode
service be able to scan it?
Regards
Mark
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: 19 October 2005 15:28
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] AntiVirus Architecture - What is the best design?
I think 2) is better. Smaller logic in the kernel.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “MM”
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, October 19, 2005 3:09 PM
Subject: [ntfsd] AntiVirus Architecture - What is the best design?
> What is the best architecture for an antivirus like app? How are most
> anti-virus products designed, do the majority scan files in kernel mode
> or have a user mode app do the scanning?
>
> I have two models I’m working off, which way should I go?
>
> 1. Let the driver load a dat file with virus signatures and perform the
> scan itself;
>
> or,
>
> 2. Have the driver signal an event for files that need to be checked and
> let the user mode service open the file and perform the scan. Upon the
> re-entry, the driver could ignore Creates generated by my user service
> via ProcID. If the file is clean, the user service could signal the
> driver to continue the IRP, or deny it. I’m thinking this method would
> be easier to thread…
>
> I figure scenario 1 would have less overhead, but signature updates
> would be a little trickier if the driver managed the dat files. However,
> with scenario 2, that seems like it would be easier to code and updates
> to signatures would be easier, plus I have to verify x.509 certs (which
> would have to be done in user mode). Kinda thinking it would be best to
> put all the file reading/scanning stuff in a single service (user mode).
>
> What advice regarding architecture could you’ll offer me?
>
> Or, is there a better way I’m just not thinking of?
>
> M.
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
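As an added model of option 2 above (written for this page, not code from anyone in the thread), the following Python stands in for a minifilter's pre-create path plus the user-mode service: the service's re-entrant opens are exempted by ProcID, the verdict is taken at the first open of a file and cached (Jamey's point), and a later request that cannot be scanned because a share-none handle already exists fails closed (Mark's case). The scanner PID, the file contents, the `EICAR` byte marker used as a stand-in signature, and the one-bit share check replacing the I/O manager are all constructed for the example.

```python
from dataclasses import dataclass, field

FILE_SHARE_READ = 0x1       # constructed: mirrors the Win32 share bit, nothing else modelled
SCANNER_PID = 4242          # hypothetical PID of the user-mode scanning service

@dataclass
class Handle:
    pid: int
    share: int              # share mode this opener grants to later openers

@dataclass
class Volume:
    data: dict = field(default_factory=dict)    # path -> constructed file contents
    opens: dict = field(default_factory=dict)   # path -> [Handle] currently open

    def can_open_for_read(self, path):
        # Simplified share check: every existing handle must grant FILE_SHARE_READ
        return all(h.share & FILE_SHARE_READ for h in self.opens.get(path, []))

    def open(self, path, pid, share):
        # Stands in for the I/O manager below the filter, which does the real share check
        if not self.can_open_for_read(path):
            return "SHARING_VIOLATION"
        self.opens.setdefault(path, []).append(Handle(pid, share))
        return "ALLOW"

def user_mode_scan(vol, path):
    """The service re-enters the stack with its own open; None means that open failed."""
    if not vol.can_open_for_read(path):
        return None
    return "INFECTED" if b"EICAR" in vol.data[path] else "CLEAN"

class AvFilter:
    def __init__(self):
        self.verdicts = {}  # path -> verdict taken at the first open this filter saw

    def pre_create(self, vol, path, pid, share):
        if pid != SCANNER_PID:                   # our service's re-entrant creates pass through
            verdict = self.verdicts.get(path) or user_mode_scan(vol, path)
            if verdict is None:                  # share-none handle we never scanned: fail closed
                return "DENY"
            self.verdicts[path] = verdict
            if verdict == "INFECTED":
                return "DENY"
        return vol.open(path, pid, share)
```

The filter never scans on its own handle, so anything opened share-none before the filter saw it stays unscannable from user mode, which is exactly the gap the thread is pointing at.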