Filter Driver with antivirus

Hello,

I have been working on a prototype filter driver and have recently been testing it on systems with different antivirus products installed. I haven’t seen any issues until I tested against Avast Antivirus on Windows XP.

Here is a little description of the prototype and how it has been working.

I have a control app which first communicates with the driver and tells it what file to track. The control app then opens the file and the driver recognizes that the control app is opening the file and so it sets a completion routine for the IRP_MJ_CREATE to try and flush the cache for the file:

// IRP_MJ_CREATE completion routine for the tracked file: try to drop any
// cached data so that subsequent reads have to go down to the file system.
if (pfileObject->SectionObjectPointer != NULL)
{
    // Write back any dirty cached pages for the whole file
    // (NULL offset, zero length = entire file).
    CcFlushCache(pfileObject->SectionObjectPointer, NULL, 0, NULL);

    // If the file is mapped as an executable image, flush that section too.
    if (pfileObject->SectionObjectPointer->ImageSectionObject != NULL)
    {
        MmFlushImageSection(pfileObject->SectionObjectPointer, MmFlushForWrite);
    }

    // Purge the data section for the whole file (UninitializeCacheMaps = TRUE).
    // CcPurgeCacheSection returns a BOOLEAN indicating whether the purge
    // succeeded; the result is not checked here.
    if (pfileObject->SectionObjectPointer->DataSectionObject != NULL)
    {
        CcPurgeCacheSection(pfileObject->SectionObjectPointer, NULL, 0, TRUE);
    }

    // Tear down the cache map for this file object (see Ben's reply below).
    CcUninitializeCacheMap(pfileObject, 0, NULL);
}

The controlling app then launches another process which will open up the tracked file. Under normal circumstances, including on systems with Norton, McAfee, or AVG running, the driver will then see IRP_MJ_READ with the IRP_NOCACHE and IRP_PAGING_IO flags set.

This is not the case with Avast on Windows XP. I do not see any IRP_MJ_READs nor any FastIO reads. Note that it works fine on Windows 2000 with Avast running.

On XP, if I stop Avast's “Standard Shield” provider, then it works as normal. Once the “Standard Shield” is restarted, the driver does not see the reads for the tracked file.

Can anyone help shed some light on what is going on, or give tips on how to debug this issue further?

Any help would be greatly appreciated.

Sincerely,

Steve

Steve,

For a start you should not be calling CcUninitializeCacheMap. You
didn’t create the cache map for the file object and so should not be
tearing it down.

Regards

Ben Curley
Data Encryption Systems Ltd.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Steve Sharman
Sent: 27 March 2006 19:04
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Filter Driver with antivirus

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@des.co.uk To unsubscribe
send a blank email to xxxxx@lists.osr.com

Thanks for both of your replies… I really appreciate it. Ben, thanks for the tip.

Steve

----- Original Message -----
From: Ben Curley
Date: Tuesday, March 28, 2006 0:49 am
Subject: RE: [ntfsd] Filter Driver with antivirus


I have found that if my control app first makes a copy of the file to the temp directory and then launches the other process to open the temp file, my driver sees the reads properly.

??

----- Original Message -----
From: Steve Sharman
Date: Tuesday, March 28, 2006 8:37 am
Subject: Re: RE: [ntfsd] Filter Driver with antivirus


Hi, I work as a program manager for ALWIL Software, the makers of avast!
antivirus.

If you need further assistance with this issue, it would probably make sense to move to private email - if you’re interested, I can explain to you how our filter driver works and what might be causing the issue you’re seeing…

Thanks,

Ondrej Vlcek
lead program manager
ALWIL Software

> -----Original Message-----
> From: Steve Sharman
> Sent: Thursday, March 30, 2006 6:15 PM
> To: ‘Ondrej Vlcek’
> Subject: Re: RE: Filter Driver with antivirus