fltmc unload

OSR_Community_User · November 14, 2005, 10:44pm

In FLT_REGISTRATION you can set flags to
FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP. This blocks ‘net stop
’ no problem. The problem is you can just use ‘fltmc unload
’ and it will unload. Now if this driver is a virus scanner or
providing some other type of security this becomes a major problem. Is there
anyway to make sure the driver can remain loaded and not be able to be
circumvented in such an easy fashion?

Thanks,

Jason

OSR_Community_User · November 14, 2005, 10:48pm

Man I really hate sounding like and idiot figuring out something 20 seconds
later, it appears return STATUS_FLT_DO_NOT_DETACH in the unload function
will prevent this. Is this the best method for stop such actions?

On 11/14/05, Jason T wrote:
>
> In FLT_REGISTRATION you can set flags to
> FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP. This blocks ‘net stop
> ’ no problem. The problem is you can just use ‘fltmc unload
> ’ and it will unload. Now if this driver is a virus scanner or
> providing some other type of security this becomes a major problem. Is there
> anyway to make sure the driver can remain loaded and not be able to be
> circumvented in such an easy fashion?
>
> Thanks,
>
> Jason
>