antivirus filter

NTFSD
1

Hi to all members,
I have been some time on this list and working with a filter driver. This list has been very useful to me. I have been working on an antivirus filter driver which I started to build from Rajeev Nagar sample as my thesis project. I read Nagar’s book too.
Well, I made the entire project already. And I have used the following technique :

  • I intercept create calls before passing the driver below.
  • I get the file’s name and if it should be scanned I save the name of the file in the driver’s memory (in some list or in a variable), set event A and stay waiting on event B (they are just a couple of events which I have named here A and B).
  • I have a service which has been waiting on event A. Then it wakes up.
  • The service scans the file for viruses using a dll. This dll was given to me and takes care of all the code to decide whether there is a virus in the file or not.
  • When the result of the scan is ready the service gives it to the driver and then sets event B.
  • The driver then wakes up and according to the result given by the driver it decides whether it should allow the openning of the file or not.

I had to make it this way because the code to scan is in a dll, and I cannot call a user mode dll from kernel mode, besides this dll uses CreateFile to open the file to scan, that’s another reason why it can not be called in kernel mode.
I don’t like it this way because the whole system depends on a single process. So every process that has to open a file has to wait for my process to scan it.
I made the driver and the service so only file is scanned at a time, so this is even worse. I have made adjustments so when a file is tried to open it is scanned right away and it doesn’t have to wait the scanning process is free. Now the system is hanging when passing a create call to the lower driver, just when I call IoCallDriver. Why can that be happening?

Can anyone tell me of the best technique at desining antivirus filter drivers?
I guess a good one would be to intercept read calls, letting create and read calls passthrough, and when the read has been completed access the read buffer and scan for viruses in memory. I guess that would be very efficient.

Well thanks.