iam creating a real time mini filter driver for a anti-virus
these are the events i have registered
{ IRP_MJ_CREATE,
0,
ScannerPreCreate,
ScannerPostCreate},
{ IRP_MJ_WRITE,
0,
NULL,
PostOperationIrpWrite },
{ IRP_MJ_SET_INFORMATION,
0,
PreOperationIrpInfo,
NULL },
{ IRP_MJ_CLEANUP,
0,
PreOperationIrpCleanup,
PostOperationIrpCleanup },
{ IRP_MJ_OPERATION_END}
is it possible to find from driver that user is going to delete file ?.
like if there is a user prompt for delete file ,
i want to ignore that file, plz help
You have no visibility on what the user does or sees.
You can find out if the file is marked for delete (FileStandardInformation) but there are many ways to delete a file which do not involve marking for delete. I believe that there is a sample which demonstrates this.
@rod_widdowson said:
You have no visibility on what the user does or sees.
You can find out if the file is marked for delete (FileStandardInformation) but there are many ways to delete a file which do not involve marking for delete. I believe that there is a sample which demonstrates this.
Hi Rod,
Thanks for sharing information.
Actually I am developing an “on access driver” for our anti malware application.
What exactly we need is when user access file, we will scan with our engine and if found malware do quarantine operation.
Now in case I shared, even when I press Shift+Delete, driver give file access notification and my engine quarantine that particular file.
I want to ignore this step as if user is going to delete any file it is no harmful action, this is the common behavior of all antiviruses real time protection.
Can you please help me to achieve same. Thanks.
It’s complicated…Play with the Delete sample that Rod mentioned to start understanding the problems:
https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/delete