how to clear memory cache?

Hi All:
We are developing a file system filter driver that performs encryption/decryption. It worked very well before anti-virus software was installed. The anti-virus software scans the file system during boot, and at that time my filter driver is not effective, so the files that have been scanned cannot be opened properly after the OS boots and are shown in encrypted form.

Why does this happen? I think the files that have been scanned are still stored in memory in encrypted form, and they are read from memory instead of from the hard disk, so my filter driver cannot decrypt those files and they show ciphertext, which is not what I want.

Can anyone tell me how to clear the memory cache after the OS finishes booting?
Any suggestions are welcome, thanks a lot.

I think dismounting (and then mounting again) the volumes might flush the
cache.

On Mon, Mar 10, 2008 at 8:23 PM, <liao_jh> wrote:

> Hi All:
> We are developing a file system filter driver that performs
> encryption/decryption. It worked very well before anti-virus software was
> installed. The anti-virus software scans the file system during boot, and
> at that time my filter driver is not effective, so the files that have been
> scanned cannot be opened properly after the OS boots and are shown in
> encrypted form.
>
> Why does this happen? I think the files that have been scanned are still
> stored in memory in encrypted form, and they are read from memory instead
> of from the hard disk, so my filter driver cannot decrypt those files and
> they show ciphertext, which is not what I want.
>
> Can anyone tell me how to clear the memory cache after the OS finishes
> booting?
> Any suggestions are welcome, thanks a lot.

In that case the only way to achieve what you have asked is to reboot the machine. This has been touched on once or twice in the archives and the answer remains frustratingly the same: “dismount or reboot”.

It would appear that your architecture has a fundamental flaw. I must admit that I find myself surprised that you want to do encryption on the system volume but leave getting started so late, this feels like it indicates a pretty obvious attack vector.

“liao_jh” <liao_jh> wrote in message news:xxxxx@ntfsd…
Thanks. I think it can work if the volumes do not have the OS installed, but I can’t dismount the OS volumes.

The problem is that some users are used to placing their files (.doc, .ppt, etc.) on the Desktop.

Hehe

------------------------------------------------------------------------------

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Shriganesh Shintre
Sent: March 11, 2008 11:35
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] how to clear memory cache?

I think dismounting (and then mounting again) the volumes might flush the cache.


This sounds like a terrible design. What happens if the USB key is pulled
while the OS is running: do you cache the key, or do you just crash the
system on a surprise remove of the key? What is your plan if someone does
not install the key initially? Again, do you crash or what?


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“liao_jh” <liao_jh> wrote in message news:xxxxx@ntfsd…
Rod Widdowson:

Thank you for your suggestions. The reason the encryption/decryption
function starts so late is that the encryption key is stored on a USB key,
so the encryption function cannot start during OS boot.

If there is no other easy way to clear the memory cache, I think I should
consider changing my foundational structure.

The compromise is to require users to plug in the USB key before the OS
starts, so that the encryption function can start during OS boot.



From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Rod Widdowson
Sent: March 11, 2008 17:16
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] how to clear memory cache?

In that case the only way to achieve what you have asked is to reboot the
machine. This has been touched on once or twice in the archives and the
answer remains frustratingly the same: “dismount or reboot”.

It would appear that your architecture has a fundamental flaw. I must admit
that I find myself surprised that you want to do encryption on the system
volume but leave getting started so late, this feels like it indicates a
pretty obvious attack vector.


> anyone can tell me how to clear memory cache after OS finishs booting.

This can’t be done if the volume can’t be unmounted.
You can try the sequence CcFlushCache-MmFlushImageSection-CcPurgeCacheSection,
but you must somehow acquire the internal FSD’s lock before doing this (or
at least provide some synchronization with the requests from the IO, Memory
and Cache Managers), and there is no 100% guarantee that the cache will be
flushed and purged, but if your filter works pretty well without AV software
then you have a good chance of success.
The second option is to redesign your filter and process all requests in your
filter without passing them down - this means writing an FSD over the system
FSD.


Slava Imameyev, xxxxx@hotmail.com
