correct sequence to deny access

folks,

this is for an educational project where we are trying to create an
antivirus scanner.

We have a legacy FS filter for scanning and it only works for FAT32 as of
now.

Here is what we are trying to do:

the app sends an open request, which gets translated to an IRP_MJ_CREATE.

In the completion routine of Create, the AV filter we made scans for the
malware.

Upon finding the malware we deny access to that file and fail the create.

However, the FS below us (FAT) has returned us an FO. So does the Driver
need to cancel this open request? Or would it be done automatically by the
Iomanager?

My specific question is: if I deny access to this file, for which an FO has been
created, what should the driver specifically do?

thanks

B

The correct way of denying file access is to deny in PreCreate.

On Mon, Jan 18, 2010 at 6:35 PM, Bedanto wrote:

> folks,
>
> this is for an educational project where we are trying to create an
> antivirus scanner.
>
> We have a legacy FS filter for scanning and it only works for FAT32 as of
> now.
>
> Here is what we are trying to do:
>
> the app sends an open request, which gets translated to an IRP_MJ_CREATE.
>
> In the completion routine of Create, the AV filter we made scans for the
> malware.
>
> Upon finding the malware we deny access to that file and fail the create.
>
> However, the FS below us (FAT) has returned us an FO. So does the Driver
> need to cancel this open request? Or would it be done automatically by the
> Iomanager?
>
> My specific question is: if I deny access to this file, for which an FO has been
> created, what should the driver specifically do?
>
> thanks
>
> B

> The correct way of denying file access is to deny in PreCreate.

Not really. Although in MOST situations it should be done in
PreCreate, in the case of A/V filters you can actually do it in PostCreate.
Again, the correctness of the approach (precreate vs. postcreate) really
depends on the situation.

Regards,
Ayush Gupta
AI Consulting

I assume you are still running in a legacy filter. I would suggest creating a duplicate file object for doing the scan — before you forward the user's request to the lower FS.

Then you can send an IRP (create one) down for your create; you can set up your completion routine, which can return STATUS_MORE_PROCESSING_REQUIRED, and do the scan. After the scan you will have an idea whether to allow the original IRP to proceed.
Then you can free the IRP you created and dereference the file object you created.

Then you can either complete the original IRP with STATUS_ACCESS_DENIED or forward it down the stack, based on the decision.

This way the state of the original IRP and file object will be consistent. Returning a failure status for a successfully opened file object can be confusing to the upper drivers – they may even do some tricks to avoid certain bugs (like zeroing out the FsContext and FsContext2 in the file object) which can lead to a memory leak and, worse, inconsistency in the lower file system.

Also, in this way you can conceptually have more control over the parameters for the create (desired access, sharing access) from the original create.

Lijun


From: Bedanto
To: Windows File Systems Devs Interest List
Sent: Mon, January 18, 2010 8:05:39 AM
Subject: [ntfsd] correct sequence to deny access

folks,

this is for an educational project where we are trying to create an antivirus scanner.

We have a legacy FS filter for scanning and it only works for FAT32 as of now.

Here is what we are trying to do:

the app sends an open request, which gets translated to an IRP_MJ_CREATE.

In the completion routine of Create, the AV filter we made scans for the malware.

Upon finding the malware we deny access to that file and fail the create.

However, the FS below us (FAT) has returned us an FO. So does the Driver need to cancel this open request? Or would it be done automatically by the Iomanager?

My specific question is: if I deny access to this file, for which an FO has been created, what should the driver specifically do?

thanks

B

Yes, you need to do some special handling IF you are doing this from the completion routine (Legacy Filter) or the Post Operation routine (Mini Filter).

Check the following APIs relevant to your filter.

  • IoCancelFileOpen (legacy)
  • FltCancelFileOpen (mini filter)

Look at the scanner mini-filter example in Windows DDK.

> However, the FS below us (FAT) has returned us an FO. So does the Driver need to cancel this open request?

Yes.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com