I am making a program that detects new files from external sources such as web downloads and USB.
After detecting a file, I send it to a web server that has an anti-virus program and get a result saying whether the file is malicious or not.
If it is malicious, I move that file to another folder.
I implemented the file detection using IRP_MJ_SET_INFORMATION with FileEndOfFileInformation, but I haven't got preventing file execution working perfectly.
The program I made can prevent file execution, but some files are not prevented from executing,
and some install files don't work well.
I implemented preventing file execution just by watching the FileInformationClass, but it is not perfect.
Is there a way to distinguish a copy from an execution in IRP_MJ_CREATE?
Or how should I make such a program?
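The following is an added example, not the poster's driver and not OSR sample code. It shows the decision logic a minifilter would call from two pre-operation callbacks: IRP_MJ_CREATE, where DesiredAccess and CreateOptions only say what the caller asked for on the handle (a copy never needs FILE_EXECUTE, but a directory opened for traversal sets the very same bit, and an installer that opens a staged file with GENERIC_EXECUTE is not running it), and IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, where the image loader creates a section with executable page protection (SyncType == SyncTypeCreateSection, PageProtection containing a PAGE_EXECUTE* flag) before any code from the file can run. That second callback is where "execute" can actually be separated from "copy" or "read". The Windows constants are redefined locally only so the file compiles outside the WDK; the scan-verdict cache (`SCAN_VERDICT`) is a hypothetical stand-in for whatever the user-mode scanner service reports back to the driver.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Documented Windows values, redefined so this compiles outside the WDK
 * (a real minifilter gets them from fltKernel.h / ntifs.h). */
#define FILE_READ_DATA          0x00000001u
#define FILE_EXECUTE            0x00000020u  /* same bit as FILE_TRAVERSE on a directory */
#define FILE_DIRECTORY_FILE     0x00000001u  /* IRP_MJ_CREATE CreateOptions flag */
#define PAGE_READONLY           0x02u
#define PAGE_EXECUTE            0x10u
#define PAGE_EXECUTE_READ       0x20u
#define PAGE_EXECUTE_READWRITE  0x40u
#define PAGE_EXECUTE_WRITECOPY  0x80u
#define PAGE_ANY_EXECUTE (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* Mirrors FS_FILTER_SECTION_SYNC_TYPE from the WDK. */
typedef enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 } SECTION_SYNC_TYPE;

/* Hypothetical per-file scan state reported by the user-mode scanner service. */
typedef enum { VerdictUnknown, VerdictClean, VerdictMalicious } SCAN_VERDICT;

typedef enum { ActionAllow, ActionDeny } FILTER_ACTION;

/* IRP_MJ_CREATE: a hint only. Directory opens are skipped because their
 * FILE_TRAVERSE right is the same bit as FILE_EXECUTE. */
bool CreateRequestsExecute(uint32_t desiredAccess, uint32_t createOptions)
{
    if (createOptions & FILE_DIRECTORY_FILE)
        return false;
    return (desiredAccess & FILE_EXECUTE) != 0;
}

/* IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION: executable section requested.
 * PageProtection is only meaningful when SyncType is SyncTypeCreateSection. */
bool SectionIsExecutable(SECTION_SYNC_TYPE syncType, uint32_t pageProtection)
{
    if (syncType != SyncTypeCreateSection)
        return false;
    return (pageProtection & PAGE_ANY_EXECUTE) != 0;
}

/* Policy for the section-sync pre-op: deny executable mappings of anything not
 * yet known clean; leave data mappings alone so copies and reads keep working. */
FILTER_ACTION DecideSectionCreate(SCAN_VERDICT verdict,
                                  SECTION_SYNC_TYPE syncType,
                                  uint32_t pageProtection)
{
    if (!SectionIsExecutable(syncType, pageProtection))
        return ActionAllow;
    return verdict == VerdictClean ? ActionAllow : ActionDeny;
}

/* In the driver the callback would then do, roughly:
 *   if (DecideSectionCreate(v, p->SyncType, p->PageProtection) == ActionDeny) {
 *       Data->IoStatus.Status = STATUS_ACCESS_DENIED;
 *       Data->IoStatus.Information = 0;
 *       return FLT_PREOP_COMPLETE;
 *   }
 *   return FLT_PREOP_SUCCESS_NO_CALLBACK;
 */

int main(void)
{
    /* Constructed sample requests against a file whose verdict is still pending. */
    struct { const char *what; uint32_t access; uint32_t options; } creates[] = {
        { "CopyFile reading the source",  FILE_READ_DATA,                0 },
        { "directory traversal",          FILE_EXECUTE,                  FILE_DIRECTORY_FILE },
        { "loader opening an .exe",       FILE_READ_DATA | FILE_EXECUTE, 0 },
    };
    struct { const char *what; SECTION_SYNC_TYPE sync; uint32_t prot; } sections[] = {
        { "memory-mapped read (e.g. hashing)", SyncTypeCreateSection, PAGE_READONLY },
        { "image section for execution",       SyncTypeCreateSection, PAGE_EXECUTE },
        { "cache-manager sync, not a section", SyncTypeOther,         PAGE_EXECUTE },
    };
    for (size_t i = 0; i < sizeof creates / sizeof creates[0]; i++)
        printf("CREATE  %-36s execute hint: %s\n", creates[i].what,
               CreateRequestsExecute(creates[i].access, creates[i].options) ? "yes" : "no");
    for (size_t i = 0; i < sizeof sections / sizeof sections[0]; i++)
        printf("SECTION %-36s verdict unknown -> %s\n", sections[i].what,
               DecideSectionCreate(VerdictUnknown, sections[i].sync, sections[i].prot) == ActionDeny
                   ? "DENY" : "allow");
    return 0;
}
```

Two caveats a practitioner would add: denying the executable section only stops native images (exe, dll, sys); a script or document is "executed" by an interpreter that maps the file as plain data, so that path needs a different control. And the verdict lookup in the callback must be a cache check, not a synchronous round trip to the scanning web server from inside the I/O path; if the verdict is not there yet, decide (deny or queue-and-wait with a timeout) without blocking the filter indefinitely.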