minifilter, prevent file execution while it is sent to a web server and a response is received

I am making a program which detects new files from external sources such as web downloads and USB.

After detecting a file, I send it to a web server that has an antivirus program and get the result of whether the file is malicious or not.

And if it is malicious, I move that file to another folder.

I made the file detection using IRP_MJ_SET_INFORMATION (FileEndOfFileInformation), but I haven't made preventing file execution work perfectly.

The program that I made can prevent file execution, but some files are not prevented from executing.

And some install files don't work well.

I just implemented preventing file execution by watching the FileInformationClass, but it is not perfect.

Is there a way to distinguish a copy from an execution in IRP_MJ_CREATE?

Or how should I make that program?

To my knowledge, you cannot determine that a file is going to be executed from IRP_MJ_CREATE.

The method we are using is to hook IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and check Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection for PAGE_EXECUTE.

Execute AccessMode can save you some time as well

Thanks, Rod! I was not using that method, and I see from my logs that I could prevent most (all?) of these from even opening by checking Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess for FILE_EXECUTE.

In case it's not obvious: EXECUTE access is a necessary, but not sufficient, condition. Some applications can (and do) ask for all sorts of things that they don't need. On the other hand, this might not matter for you, but pre-create is a much nicer place to be when you want to do something.
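The two checks discussed in this thread, put together as an added example (this is not code from the thread or from any poster's filter). The WDK structures are replaced with hand-written stand-ins so the logic compiles and runs in user mode; in a real minifilter the inputs come from `Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess` in pre-create and from `Data->Iopb->Parameters.AcquireForSectionSynchronization` (`.SyncType` and `.PageProtection`) in the pre-acquire callback. The scan-state table, its contents and the file paths are constructed sample data; the design assumption is that the user-mode scanner pushes verdicts into filter-held state (for example over a filter communication port), because a pre-op callback must not wait on the network itself.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real Windows constants (winnt.h / ntifs.h). */
#define FILE_READ_DATA           0x00000001u
#define FILE_EXECUTE             0x00000020u
#define GENERIC_EXECUTE          0x20000000u
#define PAGE_READONLY            0x02u
#define PAGE_EXECUTE             0x10u
#define PAGE_EXECUTE_READ        0x20u
#define PAGE_EXECUTE_READWRITE   0x40u
#define PAGE_EXECUTE_WRITECOPY   0x80u

/* Stand-ins for the WDK types so this compiles without the WDK. */
typedef enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 } SECTION_SYNC_TYPE;
typedef enum { PREOP_SUCCESS_NO_CALLBACK, PREOP_COMPLETE } PREOP_STATUS;

/* Hypothetical verdict state reported by the user-mode scanner. The filter
   only reads this table; it never blocks on the web request itself. */
typedef enum { SCAN_PENDING, SCAN_CLEAN, SCAN_MALICIOUS } SCAN_STATE;
typedef struct { const char *path; SCAN_STATE state; } SCAN_ENTRY;

static SCAN_ENTRY g_scan_table[] = {           /* constructed sample data */
    { "C:\\Users\\u\\Downloads\\setup.exe", SCAN_PENDING   },
    { "C:\\Users\\u\\Downloads\\tool.exe",  SCAN_CLEAN     },
    { "C:\\Users\\u\\Downloads\\evil.exe",  SCAN_MALICIOUS },
};

static SCAN_STATE lookup_scan_state(const char *path) {
    for (size_t i = 0; i < sizeof g_scan_table / sizeof g_scan_table[0]; i++)
        if (strcmp(g_scan_table[i].path, path) == 0)
            return g_scan_table[i].state;
    return SCAN_CLEAN;   /* not from an external source: not tracked, allow */
}

/* Pre-create triage. FILE_EXECUTE (or a still-unmapped GENERIC_EXECUTE) in
   DesiredAccess is necessary for execution but not sufficient: copy tools
   and installers ask for it too. Use it to decide whether to watch the file,
   not to deny the open. */
bool create_requests_execute(uint32_t desired_access) {
    return (desired_access & (FILE_EXECUTE | GENERIC_EXECUTE)) != 0;
}

/* Pre-acquire-for-section-synchronization: the decisive check. PageProtection
   is only meaningful for SyncTypeCreateSection, and an executable mapping may
   carry any of the PAGE_EXECUTE* protections, so test the whole family rather
   than the single PAGE_EXECUTE bit. */
bool section_is_executable(SECTION_SYNC_TYPE sync, uint32_t page_protection) {
    const uint32_t exec_mask = PAGE_EXECUTE | PAGE_EXECUTE_READ |
                               PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
    return sync == SyncTypeCreateSection && (page_protection & exec_mask) != 0;
}

/* Models the pre-op callback for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.
   PREOP_COMPLETE stands for completing the request with STATUS_ACCESS_DENIED.
   Anything that is not CLEAN is denied, so a file whose verdict is still
   pending from the web server cannot run, while copies still go through. */
PREOP_STATUS pre_acquire_for_section_sync(const char *path,
                                          SECTION_SYNC_TYPE sync,
                                          uint32_t page_protection) {
    if (!section_is_executable(sync, page_protection))
        return PREOP_SUCCESS_NO_CALLBACK;        /* data mapping or copy */
    return lookup_scan_state(path) == SCAN_CLEAN ? PREOP_SUCCESS_NO_CALLBACK
                                                 : PREOP_COMPLETE;
}

int main(void) {
    /* Constructed events: a copy that opened evil.exe with FILE_EXECUTE but
       only maps it read-only, then real image loads of the tracked files. */
    struct { const char *path; uint32_t access; SECTION_SYNC_TYPE sync; uint32_t prot; } ev[] = {
        { "C:\\Users\\u\\Downloads\\evil.exe",  FILE_READ_DATA | FILE_EXECUTE, SyncTypeOther,         PAGE_READONLY     },
        { "C:\\Users\\u\\Downloads\\setup.exe", FILE_READ_DATA | FILE_EXECUTE, SyncTypeCreateSection, PAGE_EXECUTE_READ },
        { "C:\\Users\\u\\Downloads\\tool.exe",  FILE_READ_DATA | FILE_EXECUTE, SyncTypeCreateSection, PAGE_EXECUTE      },
        { "C:\\Users\\u\\Downloads\\evil.exe",  FILE_READ_DATA | FILE_EXECUTE, SyncTypeCreateSection, PAGE_EXECUTE      },
    };
    for (size_t i = 0; i < sizeof ev / sizeof ev[0]; i++) {
        PREOP_STATUS s = pre_acquire_for_section_sync(ev[i].path, ev[i].sync, ev[i].prot);
        printf("%-40s create-exec=%d section-exec=%d -> %s\n", ev[i].path,
               create_requests_execute(ev[i].access),
               section_is_executable(ev[i].sync, ev[i].prot),
               s == PREOP_COMPLETE ? "DENY" : "allow");
    }
    return 0;
}
```

Running it shows why the pre-create bit alone is a false-positive generator: all four constructed events carry FILE_EXECUTE, but only the three that create an executable section reach the verdict lookup, and of those only the CLEAN file is allowed to run. The pending file is denied until the scanner updates the table, which is exactly the window the original question is trying to close.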

I quickly found that to be the case, Rod. I already knew that many apps request write access when they don't need it. It seems they also request execute access when they don't intend to execute.

Thanks for the advice.

@rod_widdowson said:
EXECUTE access is a necessary, but not sufficient condition.