How can I scan every file accessed from kernel to user mode?

I am working on a minifilter. I am making a program that checks whether a file is malicious or not on access. I know I can do it by using a minifilter, but I am not sure how to do it effectively, because files are accessed very frequently on a system. Whenever a file is being accessed, send the file path to user mode, and then the user-mode application will respond after checking the file. I want to know from your experience and understanding, as I am not very familiar with it.

Very curious to know from your experience.
Thanks & regards,
Jay

https://github.com/microsoft/windows-driver-samples/tree/main/filesys/miniFilter/avscan

@“Scott_Noone_(OSR)” How can I ignore a file open in the kernel minifilter when user mode takes too much time for the scanning part? Once the scanning part is complete, if someone accesses the file again, then allow or block based on the result.
While scanning, if someone accesses the file, then just block or ignore it silently.

I will make a hash of which paths are currently being scanned / done scanning, recorded the first time someone accesses the file.

Your design is wrong.

Have you gone through the avscan sample? If you’re trying to learn you should install that, set breakpoints, and learn what it’s doing. You’ll learn a lot more that way than feeling around in the dark.


@“Scott_Noone_(OSR)” Thank you so much. I will go through it and ask if anything I didn’t understand. Thank you very much for the help & support. :slight_smile:

@“Scott_Noone_(OSR)” I went through avscan. It basically examines the data in a file. I followed the code and executed both the user-mode part and the filter part. It basically checks for the string “message to be found” in a file; if it is found, then it blocks the opening of the file.

It works fine for text files, but when I open a PDF file with the same string, it doesn’t block. I don’t understand why.

Could you please help me out?
Will be very thankful :slight_smile:

Sorry, are you asking how to interpret the content of a PDF? Or are you blocking the open but Acrobat can read the file anyway?

@“Scott_Noone_(OSR)” The way we are checking for the message in the text file, can’t we check the same way in every file?

https://en.m.wikipedia.org/wiki/PDF A PDF file is often a combination of vector graphics, text, and bitmap graphics. The basic types of content in a PDF are Typeset text stored as content streams (i.e., not encoded in plain text);
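To make the point about content streams concrete, here is an added example (not part of the thread and not code from the avscan sample). It builds a constructed, minimal PDF-like byte string whose page text sits in a content stream, once uncompressed and once with the `/FlateDecode` (zlib) filter that real PDF writers normally apply, and shows that the raw byte search used for the text file finds the string only in the first case, while a scanner that locates `stream ... endstream` objects and inflates FlateDecode streams finds it in both. The regex-based stream extraction is a deliberately simplified, hypothetical parser written for this demonstration, not a general PDF reader.

```python
"""Why a plain substring search that works on a .txt file misses the same
text inside a PDF: page text lives in content streams, which are usually
FlateDecode (zlib) compressed. Constructed example, not the avscan sample."""
import re
import zlib

NEEDLE = b"message to be found"


def build_sample_pdf(text: bytes, compress: bool) -> bytes:
    """Build a minimal PDF-like byte string (constructed sample input; it is
    not a complete, valid PDF) with a single content stream holding `text`."""
    content = b"BT /F1 12 Tf 72 720 Td (" + text + b") Tj ET"
    if compress:
        body = zlib.compress(content)
        filt = b" /Filter /FlateDecode"
    else:
        body = content
        filt = b""
    return (
        b"%PDF-1.4\n"
        b"4 0 obj\n<< /Length " + str(len(body)).encode() + filt + b" >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


# A stream object: a dictionary `<< ... >>`, the keyword `stream`, the raw
# bytes, then `endstream`. Non-greedy so each object is matched separately.
# Simplified, hypothetical parser for this demo; real PDFs need a full parser.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def naive_contains(data: bytes, needle: bytes) -> bool:
    """What the text-file check does: a raw byte search over the whole file."""
    return needle in data


def decoded_streams(pdf: bytes):
    """Yield stream bodies with the FlateDecode filter removed. Streams with
    other filters are passed through as-is; undecodable data is skipped."""
    for dictionary, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt or truncated stream: nothing to scan
        yield body


def scan_pdf(pdf: bytes, needle: bytes) -> bool:
    """Search the raw bytes first (covers uncompressed streams and metadata),
    then each decoded content stream."""
    if naive_contains(pdf, needle):
        return True
    return any(needle in body for body in decoded_streams(pdf))


if __name__ == "__main__":
    plain = build_sample_pdf(NEEDLE, compress=False)
    packed = build_sample_pdf(NEEDLE, compress=True)
    print("plain  naive:", naive_contains(plain, NEEDLE), " decoded:", scan_pdf(plain, NEEDLE))
    print("packed naive:", naive_contains(packed, NEEDLE), " decoded:", scan_pdf(packed, NEEDLE))
```

The takeaway for the scanning design: the avscan sample's byte search is a demonstration of the filter-to-user-mode plumbing, not a content scanner. Real PDFs also use other stream filters (LZW, ASCII85, DCT for images), pack objects into object streams, and may be encrypted, so a user-mode scanner has to decode the file format before any signature match can mean anything; the kernel filter's job is only to hand the file over and enforce the verdict.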