hi ratmil,
though I have developed a couple of filter drivers, I haven't developed an
anti-virus one, monitoring boot sectors, floppies and all that stuff. I may
not be the right person to advise you regarding this. So people who have
REALLY developed anti-virus drivers can help you regarding the real issues
they encountered. You can also search the archives for similar
problems/topics. As you are following this list, you might already
know that there is a nice “searchable” archive, recently put up at
http://www.ntfsd.org
But still, as for your question, AFAIK the best time to check for viruses
in floppy disks is during the mount operation. To put it in a sequence of
steps…
1) Attach to a device called “FAT”.
2) Have a handler for IRP_MJ_FILE_SYSTEM_CONTROL & IRP_MN_MOUNT_VOLUME.
3) In this, set a completion routine.
4) In the completion routine, if mount was SUCCESSful then you will have a
   device object created by the “FAT” file system which you should attach
   to, if needed, in a worker thread after returning
   STATUS_MORE_PROCESSING_REQUIRED from the completion routine. Or at this
   time, in a worker thread, simply open \device\floppy0 and through a
   series of deviceIOCTL calls to fileobject->vpb->RealDevice, you get boot
   information to check for virus.
BTW why do you need to attach to \CDFS for virus checking? Boot viruses
generally affect WRITABLE_MEDIA devices only. Hope this little outline helps
thanks & regds
GOOD LUCK !!
alex
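
An added example, not part of the original thread: a user-mode C sketch of the kind of structural check the "boot information" step above could apply to the 512-byte floppy boot sector once it has been read. The function names, flag values and sample sector are constructed for illustration, and the read from the real device is assumed to have happened already.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTOR_SIZE 512
/* Result flags; all names here are hypothetical, chosen for this example. */
enum { BS_BAD_SIGNATURE = 1, BS_BAD_JUMP = 2, BS_BAD_BPB = 4, BS_CHANGED = 8 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Sanity-check a FAT12 floppy boot sector already read into memory.
 * baseline may be NULL, or a known-good copy saved from an earlier mount. */
int check_boot_sector(const uint8_t *s, const uint8_t *baseline)
{
    int flags = 0;
    uint8_t spc = s[13], fats = s[16], media = s[21];
    if (s[510] != 0x55 || s[511] != 0xAA)      /* boot signature at offset 510 */
        flags |= BS_BAD_SIGNATURE;
    if (!((s[0] == 0xEB && s[2] == 0x90) || s[0] == 0xE9))  /* JMP short+NOP or JMP near */
        flags |= BS_BAD_JUMP;
    if (rd16(s + 11) != 512 ||                 /* bytes per sector */
        spc == 0 || (spc & (spc - 1)) != 0 ||  /* sectors per cluster: power of two */
        rd16(s + 14) == 0 ||                   /* reserved sectors */
        fats == 0 || fats > 2 ||               /* number of FATs */
        rd16(s + 19) == 0 ||                   /* 16-bit total sector count */
        !(media == 0xF0 || media >= 0xF8))     /* valid FAT media descriptor values */
        flags |= BS_BAD_BPB;
    if (baseline && memcmp(s, baseline, SECTOR_SIZE) != 0)
        flags |= BS_CHANGED;                   /* differs from the saved copy */
    return flags;
}

/* Constructed sample: minimal 1.44 MB floppy boot sector, no real boot code. */
void make_sample_sector(uint8_t *s)
{
    memset(s, 0, SECTOR_SIZE);
    s[0] = 0xEB; s[1] = 0x3C; s[2] = 0x90;
    s[11] = 0x00; s[12] = 0x02;                /* 512 bytes per sector */
    s[13] = 1; s[14] = 1; s[16] = 2;
    s[19] = 0x40; s[20] = 0x0B;                /* 2880 sectors */
    s[21] = 0xF0; s[510] = 0x55; s[511] = 0xAA;
}

int main(void)
{
    uint8_t good[SECTOR_SIZE], seen[SECTOR_SIZE];
    make_sample_sector(good); make_sample_sector(seen);
    seen[0x3E] ^= 0xFF;                        /* simulate modified boot code */
    printf("clean=%d modified=%d\n", check_boot_sector(good, NULL), check_boot_sector(seen, good));
    return 0;
}
```
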
----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Tuesday, May 30, 2000 12:08 PM
Subject: [ntfsd] Re: Get pointer to device \Device\Floppy0
>
> Thank you, Alexander. I will try now your solution. But let me tell you why
> I need that, because maybe there’s a more elegant or safer solution. I’m
> making a resident antivirus program, a File System Filter driver. The driver
> attaches to Harddisks, LanmanRedirector and File System Recognizers. Because
> I was testing it, my driver is started by an application, not automatic. So
> when somebody accesses a diskette, my driver gets called to check boot
> sector or file viruses, something like it with the CDROM. For some reasons I
> need that my driver start automatically, but when I set it to automatic
> start, it crashes after attaching to “\Cdfs” (this happens when the user
> mode application is not loaded yet).
>
> >From: “Alexander Suresh”
> >Reply-To: “File Systems Developers”
> >To: “File Systems Developers”
> >Subject: [ntfsd] Re: Get pointer to device \Device\Floppy0
> >Date: Tue, 30 May 2000 10:24:53 -0400
> >
> >ratmil,
> >After a successful IoGetObjectPointer(…) you get a fileobject.
> >if ( fileobject->vpb )
> > then fileobject->vpb->RealDevice IS what u want
> >else
> > fileobject->DeviceObject->Vpb->RealDevice COULD be what u want
> >
> >regds
> >alexander suresh
> >
> >----- Original Message -----
> >From: Ratmil Torres
> >To: File Systems Developers
> >Sent: Monday, May 29, 2000 2:39 PM
> >Subject: [ntfsd] Get pointer to device \Device\Floppy0
> >
> >
> > > Hello,
> > > I want to get a pointer to the device “\Device\Floppy0”. I’m using
> > > IoGetObjectPointer but if it has a File System device attached, I get a
> > > pointer to the File System device instead of the “\Device\Floppy0”. What
> > > do I have to do?
> > > Thanks in advance.