encrypted or decrypted several times?

Hi All,
I have made a file system filter driver based on sfilter, and want to encrypt and decrypt the files apparently, but I met a problem: the file will be encrypted or decrypted several times randomly during virus scan. Can you give me any advice? Thanks a lot!
Thanks and Regards
zhao yong

Hi,

> I have made a file system filter driver based on sfilter

Just out of curiosity. What types of requests do you change? Are they all read/write IRPs, or only paging and non-cached?

> so can you give me any advice

Do not try to encrypt/decrypt a data stream in a filter; it is impossible to do correctly if an underlying FSD communicates with the Cache Manager.


Slava Imameyev, xxxxx@hotmail.com

“zymoonstone” wrote in message news:xxxxx@ntfsd…
Hi All,
I have made a file system filter driver based on sfilter, and want to encrypt and decrypt the files apparently, but I met a problem: the file will be encrypted or decrypted several times randomly during virus scan. Can you give me any advice? Thanks a lot!
Thanks and Regards
zhao yong


Hi All,
Thanks for your reply. My filter only changes the read/write IRPs with the following flags: IRP_NOCACHE, IRP_PAGING_IO, IRP_SYNCHRONOUS_PAGING_IO.
Another problem I don’t understand is why the file will be encrypted or decrypted more than one time during virus scan. In the devicetree, the virus scan filter is on top of us, so even if it communicates with the Cache Manager, it cannot overleap me. In addition, why will all of the files be written back again? I cannot understand.

Thanks and Regards
zhaoyong

> My filter only changes the read/write IRPs with the following flags: IRP_NOCACHE, IRP_PAGING_IO, IRP_SYNCHRONOUS_PAGING_IO.

Common mistake. But this works for most cases. If you want to know why this doesn’t work in some other cases, then search the archive or try to imagine the case of an FSD which does not use the Cache Manager.

> … virus scan filter … if it communicates with the Cache Manager

It doesn’t communicate with the Cache Manager, only the FSD can do this.

> why all of the files will be written back again

What does this mean?


Slava Imameyev, xxxxx@hotmail.com

“zymoonstone” wrote in message news:xxxxx@ntfsd…
Hi All,
Thanks for your reply. My filter only changes the read/write IRPs with the following flags: IRP_NOCACHE, IRP_PAGING_IO, IRP_SYNCHRONOUS_PAGING_IO.
Another problem I don’t understand is why the file will be encrypted or decrypted more than one time during virus scan. In the devicetree, the virus scan filter is on top of us, so even if it communicates with the Cache Manager, it cannot overleap me. In addition, why will all of the files be written back again? I cannot understand.

Thanks and Regards
zhaoyong


Thank you very much, but I don’t have any idea how to resolve my problem yet. Can you give me any concrete advice? In addition, is it sure that the virus scan software writes some files directly to the disk overleaping me?

> is it sure that the virus scan software writes some files directly to the disk overleaping me

Only if the author of the virus scan software was mad.

Please make the problem concrete:
The underlying FSD?
What happened (the file was not changed or changed several times)?
How do you decide that the request must be processed or skipped?
Do you change a file size (e.g. add a header or a tail) or an offset for requests?

For example. You change requests only for file objects for which you have
observed the create requests, but FSD uses stream file objects or you do not
recognize file objects opened by the virus scan software as the objects for
which you must change requests.

And there is a flaw in your design, which I mentioned.


Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> Thank you very much, but I don’t have any idea how to resolve my problem yet.
> Can you give me any concrete advice? In addition, is it sure that the
> virus scan software writes some files directly to the disk overleaping me?
>

I record the fscontext of the file, then in the read/write routine, I decide whether to process the request or not based on fileobject->fscontext. In addition, I never change the file size.
As for the example, I think I can correctly process the read/write request based on fscontext, although I cannot get the stream file object, because I have a record of its fscontext.
I’d like to describe my phenomenon in detail again: my filter works correctly in most cases, but it will encrypt or decrypt the files several times randomly (including 0, 1, 2, 3) during virus scan, and now I have no idea about this phenomenon. On the other hand, I don’t know why all of the files (which have been encrypted, in a fixed directory) will be written again when the virus scan is going on?

Does the virus scan software work in user mode (i.e. use Win32 API) or
kernel mode (have a driver, which creates read IRPs)?


Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> I record the fscontext of the file, then in the read/write routine, I decide
> whether to process the request or not based on fileobject->fscontext. In
> addition, I never change the file size.
> As for the example, I think I can correctly process the read/write request
> based on fscontext, although I cannot get the stream file object, because
> I have a record of its fscontext.
> I’d like to describe my phenomenon in detail again: my filter works
> correctly in most cases, but it will encrypt or decrypt the files
> several times randomly (including 0, 1, 2, 3) during virus scan, and now I have
> no idea about this phenomenon. On the other hand, I don’t know why all of
> the files (which have been encrypted, in a fixed directory) will be written
> again when the virus scan is going on?
>

The virus software is Kaspersky; it has a filter driver named klif.sys, but I am not sure that it reads/writes files by creating IRPs.