Create Options Parameter

Hi, I am making a FileSystem Driver for an antivirus. I deny access to infected files. It is working OK until now but it also denies access when trying to delete infected files. I intercept the IRP_MJ_CREATE call. How can I avoid this?
Thanks.

Presumably it is your anti-virus software that is trying to delete the infected file, in which case you shouldn’t deny IRP_MJ_CREATE for that process. This seems pretty straightforward.

-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Wednesday, September 18, 2002 1:50 AM
To: File Systems Developers
Subject: [ntfsd] Create Options Parameter

Hi, I am making a FileSystem Driver for an antivirus. I deny access to infected files. It is working OK until now but it also denies access when trying to delete infected files. I intercept the IRP_MJ_CREATE call. How can I avoid this?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

You need to also capture the IRP_MJ_SET_INFORMATION/SetDisposition
request.

Pete

Peter Scott
xxxxx@KernelDrivers.com
www.KernelDrivers.com

Sorry, a little communication breakdown there.

In order for you to recognize the deletes issued from your filter
driver, there are several methods you can use. My favorite is the shadow
device method. Essentially you are attempting to recognize reentrancy
into your driver. See the OSR FAQ for more information on this subject.

Pete

Peter Scott
xxxxx@KernelDrivers.com
www.KernelDrivers.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Scott
Sent: Tuesday, September 17, 2002 10:17 AM
To: File Systems Developers
Subject: [ntfsd] RE: Create Options Parameter

You need to also capture the IRP_MJ_SET_INFORMATION/SetDisposition
request.

Pete

Peter Scott
xxxxx@KernelDrivers.com
www.KernelDrivers.com


No, I’m trying to delete the infected file from Windows Explorer. I click on the file, then I get a message from my antivirus software telling of the presence of a virus, I close the message window and press shift-del, but I get access denied. I guess the delete operation makes a CREATE call.
----- Original Message -----
From: Fuller, Rob
To: File Systems Developers
Sent: Tuesday, September 17, 2002 9:07 AM
Subject: [ntfsd] RE: Create Options Parameter

Presumably it is your anti-virus software that is trying to delete the infected file, in which case you shouldn’t deny IRP_MJ_CREATE for that process. This seems pretty straightforward.

I already solved the problem related to reentrancy by a method I learned from Tony Mason. I guess it’s that one you are talking about.
----- Original Message -----
From: Peter Scott
To: File Systems Developers
Sent: Tuesday, September 17, 2002 10:07 AM
Subject: [ntfsd] RE: Create Options Parameter

Sorry, a little communication breakdown there.

In order for you to recognize the deletes issued from your filter driver, there are several methods you can use. My favorite is the shadow device method. Essentially you are attempting to recognize reentrancy into your driver. See the OSR FAQ for more information on this subject.

Pete

Peter Scott
xxxxx@KernelDrivers.com
www.KernelDrivers.com


Delete always involves create. That IS the NT model. First open the object, then use the handle to manipulate it.

There are two basic types of delete. One method is IRP_MJ_CREATE with FILE_DELETE_ON_CLOSE create option. The other method is IRP_MJ_CREATE with DELETE access followed by IRP_MJ_SET_INFORMATION of FileDispositionInformation where DeleteFile == TRUE.

-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Wednesday, September 18, 2002 4:40 AM
To: File Systems Developers
Subject: [ntfsd] RE: Create Options Parameter

No, I’m trying to delete the infected file from Windows Explorer. I click on the file, then I get a message from my antivirus software telling of the presence of a virus, I close the message window and press shift-del, but I get access denied. I guess the delete operation makes a CREATE call.


Yep, DELETE does send IRP_MJ_CREATE before an actual
IRP_MJ_SET_INFORMATION/SetDisposition call.
You MIGHT want to check if only DELETE access is asked for, and
allow the open to proceed - then just deny read/write in IRP_MJ_READ /
IRP_MJ_WRITE handlers.


Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
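
The two delete paths and the DELETE-only check discussed in this thread, as an added example (not code from any poster). `av_check_create` and `av_check_set_information` are hypothetical helpers, written as plain C so the decision logic can be exercised outside a driver; the constants carry the values the WDK headers give them.

```c
#include <stdbool.h>
#include <stdint.h>

/* Values as in the WDK headers; a real driver takes them from ntifs.h
 * instead of redefining them. */
#define DELETE                0x00010000u
#define SYNCHRONIZE           0x00100000u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define FILE_READ_DATA        0x00000001u
#define FILE_DELETE_ON_CLOSE  0x00001000u   /* create option */
#define FILE_OPEN             1u            /* create disposition */
#define FileRenameInformation      10       /* FILE_INFORMATION_CLASS */
#define FileDispositionInformation 13

typedef enum { AV_DENY, AV_ALLOW_DELETE_ON_CLOSE, AV_ALLOW_DELETE_HANDLE } av_verdict;

/* Hypothetical helper: verdict for an IRP_MJ_CREATE on a file already
 * marked infected. desired_access is SecurityContext->DesiredAccess and
 * options is Parameters.Create.Options (disposition in the top 8 bits,
 * create options in the low 24). */
av_verdict av_check_create(uint32_t desired_access, uint32_t options)
{
    uint32_t disposition    = options >> 24;
    uint32_t create_options = options & 0x00FFFFFFu;
    /* Rights that expose no file data. Generic rights and MAXIMUM_ALLOWED
     * fall outside this mask and are therefore denied. */
    const uint32_t no_data = DELETE | SYNCHRONIZE | FILE_READ_ATTRIBUTES;

    if (disposition != FILE_OPEN)   return AV_DENY; /* no supersede/overwrite */
    if (!(desired_access & DELETE)) return AV_DENY; /* not a delete attempt */
    if (desired_access & ~no_data)  return AV_DENY; /* wants more than delete */
    return (create_options & FILE_DELETE_ON_CLOSE) ? AV_ALLOW_DELETE_ON_CLOSE
                                                   : AV_ALLOW_DELETE_HANDLE;
}

/* Hypothetical helper: on a handle admitted above, the only
 * IRP_MJ_SET_INFORMATION let through is FileDispositionInformation with
 * DeleteFile == TRUE. DELETE access also permits a rename, so
 * FileRenameInformation must be refused here. */
bool av_check_set_information(int info_class, bool delete_file)
{
    return info_class == FileDispositionInformation && delete_file;
}
```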

I suspect that Explorer is attempting to open the file if it is a known type for previewing. Delete it with a CMD box.

Surely. CREATE, then SetInformationFile/FileDispositionInformation, then close.

Max
