I am working on a minifilter and currently want to block some malicious downloads from opening. Whenever a user downloads a file and tries to open it, the file path is sent to user mode, and then user mode scans the file content and reverts to the kernel part.
If the file is malicious, then block opening the file.
I know that I can block the file open/create in IRP_MJ_CREATE, but the problem is that when Chrome downloads a file, it makes .tmp -> .crdownload -> .actualFileExtension -> modifies.
I need to block/allow it once the file is opened just after download.
Any help will be much appreciated.
Thanks to the great community.