AntiVirus Architecture - What is the best design?

What is the best architecture for an antivirus-like app? How are most
anti-virus products designed: do the majority scan files in kernel mode,
or have a user mode app do the scanning?

I have two models I’m working off; which way should I go?

  1. Let the driver load a dat file with virus signatures and perform the
     scan itself;

or,

  2. Have the driver signal an event for files that need to be checked and
     let the user mode service open the file and perform the scan. Upon the
     re-entry, the driver could ignore Creates generated by my user service
     via ProcID. If the file is clean, the user service could signal the
     driver to continue the IRP, or deny it. I’m thinking this method would
     be easier to thread…

I figure scenario 1 would have less overhead, but signature updates
would be a little trickier if the driver managed the dat files. However,
scenario 2 seems like it would be easier to code, and updates to
signatures would be easier; plus I have to verify X.509 certs (which
would have to be done in user mode). Kinda thinking it would be best to
put all the file reading/scanning stuff in a single service (user mode).

What advice regarding architecture could you all offer me?

Or, is there a better way I’m just not thinking of?

M.

I think 2) is better. Smaller logic in the kernel.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “MM”
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, October 19, 2005 3:09 PM
Subject: [ntfsd] AntiVirus Architecture - What is the best design?


Just a thought, but if the process that originally opened the file opened
it with exclusive access (i.e. share none), how would the user mode
service be able to scan it?

Regards

Mark

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: 19 October 2005 15:28
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] AntiVirus Architecture - What is the best design?

I think 2) is better. Smaller logic in the kernel.



Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: mark.cook@ca.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

MM,

I am still a learner, but I *did* work on a similar project. A few months
back there was a thread by me asking a similar question; the experts
advised me to use the inverted call model and keep the virus checking
libraries in user mode instead of kernel mode.

It helps in keeping the kernel mode logic simple, and the added advantage is
that debugging in user mode is far, far simpler than in kernel mode.

Best,

amitrajit

Mark,

Good question. I’m still a beginner, but I was thinking that the
‘exclusive open’ flag wouldn’t matter until that original IRP Create was
completed. In the meantime, the create generated by my service app would
be able to do whatever it wanted. Or am I wrong in my assumption?

M.

Cook, Mark wrote:

Just a thought, but if the process that originally opened the file opened
it with exclusive access (i.e. share none), how would the user mode
service be able to scan it?

Regards

Mark


Good point - I guess if you’re filtering the IRP on the PreCreate you
should be OK (and you probably want to do this anyway so that you can
fail the open if the file has a virus in it). The downside to filtering
here of course is that the file system or a lower level filter may fail
the open anyway in which case you’ve scanned the file for no reason.

Regards

Mark

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of MM
Sent: 19 October 2005 16:09
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] AntiVirus Architecture - What is the best design?

Mark,

Good question. I’m still a beginner, but I was thinking that the
‘exclusive open’ flag wouldn’t matter until that original IRP Create was
completed. In the meantime, the create generated by my service app would
be able to do whatever it wanted. Or am I wrong in my assumption?

M.


It should have been scanned on the first open that has it locked.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Cook, Mark
Sent: Wednesday, October 19, 2005 7:48 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] AntiVirus Architecture - What is the best design?

Just a thought, but if the process that originally opened the file opened
it with exclusive access (i.e. share none), how would the user mode
service be able to scan it?

Regards

Mark

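A single-process C model of the design in MM's option 2 together with Mark's exclusive-open question and Jamey's answer: the filter's pre-create hands the path to a user-mode scanner, the scanner's own open re-enters the filter and is let through on its PID, and the verdict decides whether the original create continues or is denied. This is an added example, not code from any poster on the thread; it uses no Windows or WDK API, and every name in it (filter_pre_create, SCANNER_PID, the two sample files and the "EVIL_SIGNATURE" pattern) is hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define MAX_OPENS   16
#define SCANNER_PID 4242   /* hypothetical PID of the user-mode scanning service */

enum verdict { VERDICT_CLEAN, VERDICT_INFECTED };
enum status  { STATUS_OK, STATUS_SHARING_VIOLATION, STATUS_INFECTED, STATUS_NOT_FOUND, STATUS_NO_RESOURCES };

/* Constructed sample "disk"; dropper.exe carries the one pattern the toy signature "dat" knows. */
struct file { const char *path; const char *data; };
static const struct file g_files[] = {
    { "C:\\temp\\report.txt",  "quarterly numbers, nothing odd here" },
    { "C:\\temp\\dropper.exe", "MZ...EVIL_SIGNATURE...rest of the image" },
};

/* Opens the file system has already completed, with their share mode. A create still in a
 * filter's pre-create is not here yet, so the service can open a "share none" file (MM's point). */
struct open_rec { const char *path; int share_none; };
static struct open_rec g_opens[MAX_OPENS];
static int g_open_count;
static int g_scans;   /* how often the user-mode scanner actually ran */

static const char *read_file(const char *path) {
    for (size_t i = 0; i < sizeof g_files / sizeof g_files[0]; i++)
        if (strcmp(g_files[i].path, path) == 0) return g_files[i].data;
    return NULL;
}

/* File-system side of the create: existence and share-access checks run here, after every
 * filter's pre-create, so an open can still fail after the scan was paid for (Mark's downside). */
static enum status fs_complete_create(const char *path, int share_none) {
    if (!read_file(path)) return STATUS_NOT_FOUND;
    for (int i = 0; i < g_open_count; i++)
        if (strcmp(g_opens[i].path, path) == 0 && (g_opens[i].share_none || share_none))
            return STATUS_SHARING_VIOLATION;
    if (g_open_count == MAX_OPENS) return STATUS_NO_RESOURCES;
    g_opens[g_open_count].path = path;
    g_opens[g_open_count++].share_none = share_none;
    return STATUS_OK;
}

static void fs_close(const char *path) {
    for (int i = g_open_count - 1; i >= 0; i--)
        if (strcmp(g_opens[i].path, path) == 0) {
            g_opens[i] = g_opens[--g_open_count];   /* swap-remove the newest handle */
            return;
        }
}

static enum verdict scan_data(const char *data) {   /* the service's signature check */
    g_scans++;
    return strstr(data, "EVIL_SIGNATURE") ? VERDICT_INFECTED : VERDICT_CLEAN;
}
static enum status filter_pre_create(int pid, const char *path, int share_none);

/* What the service does once the driver signals it (inverted-call delivery reduced to a plain
 * call): open through the normal path, read, scan, close. That open re-enters the filter. */
static enum verdict service_scan(const char *path) {
    enum status st = filter_pre_create(SCANNER_PID, path, 0);
    if (st == STATUS_SHARING_VIOLATION || st == STATUS_NOT_FOUND)
        return VERDICT_CLEAN;      /* locked: scanned on the open that locked it (Jamey); missing: FS fails it */
    if (st != STATUS_OK)
        return VERDICT_INFECTED;   /* cannot scan at all: fail closed */
    enum verdict v = scan_data(read_file(path));
    fs_close(path);
    return v;
}

/* The filter's pre-create callback for MM's option 2. */
static enum status filter_pre_create(int pid, const char *path, int share_none) {
    if (pid != SCANNER_PID && service_scan(path) == VERDICT_INFECTED)   /* ProcID: skip own re-entry */
        return STATUS_INFECTED;                  /* deny: the create never reaches the FS */
    return fs_complete_create(path, share_none); /* continue the IRP down the stack */
}

void model_reset(void) { g_open_count = 0; g_scans = 0; }
int  model_scan_count(void) { return g_scans; }
int main(void) {
    model_reset();
    printf("dropper.exe, share none -> %d\n", filter_pre_create(100, "C:\\temp\\dropper.exe", 1));
    printf("report.txt, share none  -> %d\n", filter_pre_create(100, "C:\\temp\\report.txt", 1));
    printf("report.txt, second app  -> %d (scans run: %d)\n",
           filter_pre_create(200, "C:\\temp\\report.txt", 0), model_scan_count());
    return 0;
}
```

The third open shows both halves of the thread's point: the second application's create fails on the share mode only after the filter has run, and the scanner does not rescan a file whose locking open was already checked.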

Antivirus FS filter can add some notions of its own to “exclusive access”,
like “exclusive for all except the antivirus service”.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Cook, Mark”
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, October 19, 2005 6:47 PM
Subject: RE: [ntfsd] AntiVirus Architecture - What is the best design?

Just a thought, but if the process that originally opened the file opened
it with exclusive access (i.e. share none), how would the user mode
service be able to scan it?

Regards

Mark


One thing to note on this type of implementation: interoperating with
certain other AV products could be problematic. There could be, say, two
products of this sort on a system, where one of them actually holds a
serialization lock on the file until it has completed its scan. Thus, if
your filter were below this filter, and the open you receive is the
original open that the first AV product is using to scan the file, then
when your service re-enters the stack from user mode, the first AV product
will block the open, since it is waiting on the original open to complete
to perform its scan.

Not that it is ever nice to hold any sort of lock across a call down the
stack, but then again when have ‘they’ ever cooperated?

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jamey Kirby
Sent: Wednesday, October 19, 2005 10:06 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] AntiVirus Architecture - What is the best design?

It should have been scanned on the first open that has it locked.

Jamey


On Oct 19, 2005, at 10:26 PM, Peter Scott wrote:

> One thing to note on this type of implementation, interoperating with
> certain other AV products could be problematic. There could be, say, two
> products of this sort on a system

As a practical matter, the situation is so bad that the major AV
companies uninstall each other’s packages during install. We’ve run
into numerous interop problems over the years between AV products.
The real killer is when their old installers miss new versions of
competitive products (e.g. McAfee 2004 can’t remove Norton 2006).

Really makes you appreciate the minifilter model.


Steve Dispensa
MVP - Windows DDK
www.kernelmustard.com

I thank everyone for their responses. Just wanna respond to a couple here.

Thank you to *Mark Cook*:
"The downside to filtering here of course is that the file system or a lower
level filter may fail the open anyway in which case you’ve scanned the file
for no reason." - The upside is, the environment this “thing” I’m working on
will run in will definitely have FS encryption filters running, and scanning
in usermode seems like it would have the advantage of not worrying whether my
filter was above or below the FSEF. - Any problems there??? Thinking even if
my filter is below a FSEF it won’t matter if it only sees gibberish, because
once in usermode everything will be decrypted.

Thank you *Maxim Shatskih*:
"Anti virus FS filter can add some notions of its own to “exclusive access”,
like “exclusive for all except the anti virus service”." - Did not know that;
don’t recall seeing that in the IFS; waiting for Rajeev’s book to be
re-released. Thanks for sharing your experience and know-how with me.

Thank you *Steve Dispensa and Peter Scott* (for both your comments):
“The real killer is when their old installers miss new versions of
competitive products (e.g. McAfee 2004 can’t remove Norton 2006).” - I’ve
built a component this morning that will check online for what needs to be
killed before my install begins, and have created a crude way of detecting
InstallShield, Wise and Inno setups within my pre-create (with multiple
checks). Hope to implement other install package sigs soon (can only do so
much at a time). - If my install checker can’t access the web, it will go
ahead and install, hoping there won’t be a conflict (this is more than most
AV products do)…

Regards,
M.

> The upside is, in the environment this “thing” I’m working on will run
> definitely will have FS encryption filters running, scanning in usermode
> seems like it would have the advantage of not worrying whether my filter
> was above or below the FSEF. - Any problems there???

See below

> Thinking even if my filter is below a FSEF it won’t matter if it only see
> gibberish because once in usermode everything will be decrypted.

“Up to a point Lord Copper” (Google for it).

Remember *you* are sending the data to usermode and if you are below the
FSEF the data you send it will be gibberish and so it won’t spot the
viruses. AV’s have to be above Encryption (and Compression) in order to
work.

… But don’t fall into the trap of assuming that you are *guaranteed* at
the top of any stack. You aren’t.

/rod