Antivirus software problem

I have recently posted a thread about my filesystem minifilter driver. In general it displays virtual files that are
stationed on a remote server and downloads them when the user tries to open them.
I have somehow managed to make a stable version, but I have problems when I test the driver with antivirus software installed. Generally it introduces huge lag when the user is operating on the drive my driver is attached to. I presume it tries to scan the buffers that I exchange with the user32 application. The lag is present no matter if I register the driver above the antivirus drivers' altitude - tried with FSFilter Activity Monitor 360000-389999
And tried to register it below antivirus:
FSFilter HSM 180000-189999
(I think my driver most probably is part of this group)
I am currently trying to figure out exactly what the anti-virus is doing, but if someone can give me advice it will be super.

Hi.

I presume it tries to scan the buffers that I exchange with the user32
application.

Unfortunately AV filters don’t work like that. They pend IRP_MJ_CREATE and
read the file (possibly in whole). That would explain the lag you noticed.

So, altitude doesn’t matter.

Do you set the FILE_ATTRIBUTE_OFFLINE flag?

wrote in message news:xxxxx@ntfsd…
> I have recently posted a thread about my filesystem minifilter driver. In
> general it displays virtual files that are
> stationed on a remote server and downloads them when the user tries to open
> them.
> I have somehow managed to make a stable version, but I have problems when I
> test the driver with antivirus software installed. Generally it introduces
> huge lag when the user is operating on the drive my driver is attached
> to. I presume it tries to scan the buffers that I exchange with the user32
> application. The lag is present no matter if I register the driver above
> the antivirus drivers' altitude - tried with FSFilter Activity Monitor
> 360000-389999
> And tried to register it below antivirus:
> FSFilter HSM 180000-189999
> (I think my driver most probably is part of this group)
> I am currently trying to figure out exactly what the anti-virus is doing,
> but if someone can give me advice it will be super.
>

Yes, I am setting the FILE_ATTRIBUTE_OFFLINE flag for all the files that are not present on the HDD. The files that are present (already downloaded) don't have this flag. Also, don't the antivirus programs scan the file only before reading? Trying to read the file on Create seems to me like overkill (and pending Create is not good). Also the driver works fine with some antivirus like Avast; I guess they have different behaviour.

I work for ALWIL Software, the makers of avast! antivirus. We also
read the file content during Create, but we use a different scanning method
for the files with the FILE_ATTRIBUTE_OFFLINE flag.

wrote in message news:xxxxx@ntfsd…
> Yes, I am setting the FILE_ATTRIBUTE_OFFLINE flag for all the files that are
> not present on the HDD. The files that are present (already downloaded)
> don't have this flag. Also, don't the antivirus programs scan the file
> only before reading? Trying to read the file on Create seems to me like
> overkill (and pending Create is not good). Also the driver works fine
> with some antivirus like Avast; I guess they have different behaviour.
>

This will explain a lot. But as far as I can see, when the anti-virus software is present
all creates are lagged even if they are not for files (trying to enter an empty directory). Also I deduced that the problem is not in the communication with the user32. Actually I am also holding Create with FltSendMessage() for a short time. I edit the directory listing in the post operation, so the anti-virus driver shouldn't be aware of the virtual files (I am currently at the highest altitude).
Also, will the anti-virus driver introduce lag if I use ZwWrite, FltCreate, and ZwSetInformation?

Perhaps if you tell us which antivirus you are talking about we can help more.

Inaki.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On behalf of xxxxx@abv.bg
Sent: Thursday, 27 September 2007 16:18
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Antivirus software problem

This will explain a lot. But as far as I can see, when the anti-virus software is present
all creates are lagged even if they are not for files (trying to enter an empty directory). Also I deduced that the problem is not in the communication with the user32. Actually I am also holding Create with FltSendMessage() for a short time. I edit the directory listing in the post operation, so the anti-virus driver shouldn't be aware of the virtual files (I am currently at the highest altitude).
Also, will the anti-virus driver introduce lag if I use ZwWrite, FltCreate, and ZwSetInformation?



  1. Since the system is trying to open a directory, there's nothing to scan
     in the FileObject; our driver ignores such open requests (maybe not all
     antivirus drivers do).
  2. Do you mean FltWrite/FltCreate/FltSetInformation? These requests come
     from kernel mode, so they may not be interesting; FltWrite/FltSetInformation
     are not usually handled (well, since they're called at higher IRQL and it's
     problematic to issue additional I/O, which would lag).

Did you try kernrate? It would find out which driver/functions lag.

wrote in message news:xxxxx@ntfsd…
> This will explain a lot. But as far as I can see, when the anti-virus
> software is present
> all creates are lagged even if they are not for files (trying to enter an
> empty directory). Also I deduced that the problem is not in the
> communication with the user32. Actually I am also holding Create with
> FltSendMessage() for a short time. I edit the directory listing in the post
> operation, so the anti-virus driver shouldn't be aware of the virtual
> files (I am currently at the highest altitude).
> Also, will the anti-virus driver introduce lag if I use ZwWrite, FltCreate,
> and ZwSetInformation?
>
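The scan-gating logic the thread converges on (skip directory opens, treat kernel-mode opens differently, use a separate path for FILE_ATTRIBUTE_OFFLINE files, full read otherwise) as an added, portable C model; it is not code from the thread or from any antivirus vendor, and the `create_ctx` struct and `decide_scan` function are stand-ins for what a post-create minifilter callback can learn from `FLT_CALLBACK_DATA` and FileBasicInformation, so it compiles without the WDK.

```c
/* Added example: portable model of post-create scan gating, with the real
 * Win32 attribute / create-option values but stand-in types (no fltmgr). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FILE_ATTRIBUTE_DIRECTORY 0x00000010u
#define FILE_ATTRIBUTE_OFFLINE   0x00001000u
#define FILE_DIRECTORY_FILE      0x00000001u   /* IRP_MJ_CREATE option bit */
enum { KERNEL_MODE = 0, USER_MODE = 1 };        /* models Data->RequestorMode */

/* Hypothetical stand-in for what a post-create callback can learn. */
typedef struct {
    uint32_t attributes;      /* FileBasicInformation.FileAttributes */
    uint32_t create_options;  /* low 24 bits of Parameters.Create.Options */
    int      requestor_mode;
    bool     open_failed;     /* IoStatus.Status was an error */
} create_ctx;

typedef enum {
    SCAN_SKIP_FAILED_OPEN,  /* nothing was opened */
    SCAN_SKIP_DIRECTORY,    /* no data stream in the FileObject to read */
    SCAN_SKIP_KERNEL,       /* kernel-originated open (FltCreate etc.) */
    SCAN_DEFER_OFFLINE,     /* FILE_ATTRIBUTE_OFFLINE: do not force a recall */
    SCAN_FULL_READ          /* pend the create and read the whole file */
} scan_decision;

scan_decision decide_scan(const create_ctx *c) {
    if (c->open_failed)
        return SCAN_SKIP_FAILED_OPEN;
    if ((c->attributes & FILE_ATTRIBUTE_DIRECTORY) ||
        (c->create_options & FILE_DIRECTORY_FILE))
        return SCAN_SKIP_DIRECTORY;          /* "trying to enter a directory" */
    if (c->requestor_mode == KERNEL_MODE)
        return SCAN_SKIP_KERNEL;
    if (c->attributes & FILE_ATTRIBUTE_OFFLINE)
        return SCAN_DEFER_OFFLINE;           /* the HSM case in this thread */
    return SCAN_FULL_READ;                   /* the expensive path behind the lag */
}

int main(void) {
    /* Constructed sample opens: a not-yet-downloaded virtual file and an
     * empty directory, both opened from user mode. */
    create_ctx offline = { FILE_ATTRIBUTE_OFFLINE, 0, USER_MODE, false };
    create_ctx dir = { FILE_ATTRIBUTE_DIRECTORY, FILE_DIRECTORY_FILE, USER_MODE, false };
    printf("offline file -> %d\n", decide_scan(&offline));  /* 3 */
    printf("directory    -> %d\n", decide_scan(&dir));      /* 1 */
    return 0;
}
```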