Hi,
What IOCTL or FSCTL is sent when a disk is being formatted?
Can I detect that a format is requested in a file filter?
Thank You!
cheers,
vincent
Filter and block FSCTL_LOCK_VOLUME.
vincent gambit wrote:
> Hi,
> What IOCTL or FSCTL is sent when a disk is being formatted?
> Can I detect that a format is requested in a file filter?
> Thank You!
> cheers,
> vincent
You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
No way
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of vincent gambit
> Sent: Monday, July 07, 2003 3:06 AM
> To: File Systems Developers
> Subject: [ntfsd] how to detect “format” in a file filter
>
> Hi,
> What IOCTL or FSCTL is sent when a disk is being formatted?
> Can I detect that a format is requested in a file filter?
> Thank You!
> cheers,
> vincent
Ahhhh… The empirical method!
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Nick Ryan
> Sent: Monday, July 07, 2003 10:22 AM
> To: File Systems Developers
> Subject: [ntfsd] Re: how to detect “format” in a file filter
>
> Filter and block FSCTL_LOCK_VOLUME.
All the above are true for some cases, but not complete. If I am an
administrator, you can’t stop me from formatting a drive. You might slow me
down or force me to think for a minute or two, but you can’t stop me.
Normally during a format, the volume has to be locked, but with the use of a
filter at the storage or file system level, I can get around your
“security”.

I keep seeing messages from you and it appears that as your security product
is being written and tested, someone asks about something new and do you
protect against it. Good guess? Anyone asked how you plan to protect
encrypted data from being accessed from the page file or direct memory
access, yet? Design and document first. List each user data item you want
to protect, first. Then determine if and how it can be protected. Good
design always beats hacking in each protection.
“Jamey Kirby” wrote in message news:xxxxx@ntfsd…
>
> Ahhhh… The empirical method!
Hi,
Thanks for your advice.
Well, actually during my own testing, I wanted to detect the format process.
I am still in testing phase.
But I will definitely put in proper design and document as what you have
suggested.
So you said you can get around my security?
What do you mean?
Can you give an example to enlighten me?
So you were saying I can’t block format at file system or storage level?
Even if I filter at the IRP_MJ_WRITE or IRP_MJ_CREATE?
Thank you!
cheers,
vincent
>From: “David J. Craig”
>Reply-To: “File Systems Developers”
>To: “File Systems Developers”
>Subject: [ntfsd] Re: how to detect “format” in a file filter
>Date: Mon, 7 Jul 2003 16:23:25 -0400
>
>All the above are true for some cases, but not complete. If I am an
>administrator, you can’t stop me from formatting a drive. You might slow me
>down or force me to think for a minute or two, but you can’t stop me.
>Normally during a format, the volume has to be locked, but with the use of a
>filter at the storage or file system level, I can get around your
>“security”.
>
>I keep seeing messages from you and it appears that as your security product
>is being written and tested, someone asks about something new and do you
>protect against it. Good guess? Anyone asked how you plan to protect
>encrypted data from being accessed from the page file or direct memory
>access, yet? Design and document first. List each user data item you want
>to protect, first. Then determine if and how it can be protected. Good
>design always beats hacking in each protection.

> So you were saying I can’t block format at file system or storage level?
> Even if I filter at the IRP_MJ_WRITE or IRP_MJ_CREATE?
Yes you cannot, since people will be able to switch your filter off,
reboot and do format.
Max
Hi,
okie
i understand that if that person is an administrator he can switch off the
filter and do a reboot.
other than this, are there other ways?
thank you!
cheers,
vincent
>From: “Maxim S. Shatskih”
>Reply-To: “File Systems Developers”
>To: “File Systems Developers”
>Subject: [ntfsd] Re: how to detect “format” in a file filter
>Date: Tue, 8 Jul 2003 05:51:03 +0400
>
> > So you were saying I can’t block format at file system or storage level?
> > Even if I filter at the IRP_MJ_WRITE or IRP_MJ_CREATE?
>
>Yes you cannot, since people will be able to switch your filter off,
>reboot and do format.
>
> Max
Add another filter to bypass yours. Activate the kernel debugger and just
bypass your blocks. Get a handle to the device you are filtering and send
the format requests around your driver. Some of these require more
knowledge than others, but if you get someone with the knowledge and
determination your solution is dead.
“vincent gambit” wrote in message
news:xxxxx@ntfsd…
>
> Hi,
>
> okie
> i understand that if that person is an administrator he can switch off the
> filter and do a reboot.
> other than this, are there other ways?
>
> thank you!
>
> cheers,
> vincent
hi,
thanks.
hmm…this is another way.
But in order to add another filter, does that person also need to be an
administrator?
Thank You!
cheers,
vincent
>From: “David J. Craig”
>Reply-To: “File Systems Developers”
>To: “File Systems Developers”
>Subject: [ntfsd] Re: how to detect “format” in a file filter
>Date: Mon, 7 Jul 2003 22:23:01 -0400
>
>Add another filter to bypass yours. Activate the kernel debugger and just
>bypass your blocks. Get a handle to the device you are filtering and send
>the format requests around your driver. Some of these require more
>knowledge than others, but if you get someone with the knowledge and
>determination your solution is dead.
Format utility just opens a volume for direct access and writes data into
it. chkdsk /f does exactly the same thing. You have no way to distinguish
those utilities by their behavior from the kernel.
Alexei.
“vincent gambit” wrote in message
news:xxxxx@ntfsd…
>
> Hi,
>
> What IOCTL or FSCTL is sent when a disk is being formatted?
> Can I detect that a format is requested in a file filter?
>
> Thank You!
>
> cheers,
> vincent
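An added illustration, not code from any poster in this thread: a user-mode C model of the signal discussed above, which replays constructed request records and flags FSCTL_LOCK_VOLUME followed by direct volume writes. The format-like and chkdsk-like processes receive the same verdict, so the signal identifies exclusive raw volume access rather than "format". The event record, verdict names and trace are hypothetical; only the control-code values are the Windows ones.

```c
#include <stdint.h>
#include <stdio.h>
/* Windows control-code layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | ((uint32_t)(fn) << 2) | (uint32_t)(method))
#define FILE_DEVICE_FILE_SYSTEM 0x00000009u
#define FSCTL_LOCK_VOLUME   CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 6, 0, 0) /* 0x00090018 */
#define FSCTL_UNLOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 7, 0, 0) /* 0x0009001C */

/* Hypothetical per-request record a filter might log; not a WDK structure. */
enum op { OP_OPEN_VOLUME, OP_FSCTL, OP_WRITE_VOLUME };
struct event { uint32_t pid; enum op op; uint32_t fsctl; };
enum verdict { V_NONE, V_VOLUME_LOCKED, V_WRITE_UNDER_LOCK };

/* Replay one process's requests and return the strongest signal seen. */
enum verdict classify(const struct event *ev, size_t n, uint32_t pid) {
    int opened = 0, locked = 0;
    enum verdict v = V_NONE;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].pid != pid) continue;
        if (ev[i].op == OP_OPEN_VOLUME) {
            opened = 1;
        } else if (ev[i].op == OP_FSCTL && opened) {
            if (ev[i].fsctl == FSCTL_LOCK_VOLUME) locked = 1;
            if (ev[i].fsctl == FSCTL_UNLOCK_VOLUME) locked = 0;
            if (locked && v == V_NONE) v = V_VOLUME_LOCKED;
        } else if (ev[i].op == OP_WRITE_VOLUME && locked) {
            v = V_WRITE_UNDER_LOCK;   /* direct write while holding the lock */
        }
    }
    return v;
}

/* Constructed trace: pid 100 acts like format, pid 200 like chkdsk /f,
 * pid 300 only opens the volume, pid 400 writes only after unlocking. */
const struct event trace[] = {
    {100, OP_OPEN_VOLUME, 0}, {300, OP_OPEN_VOLUME, 0}, {100, OP_FSCTL, FSCTL_LOCK_VOLUME},
    {100, OP_WRITE_VOLUME, 0}, {100, OP_FSCTL, FSCTL_UNLOCK_VOLUME},
    {200, OP_OPEN_VOLUME, 0}, {200, OP_FSCTL, FSCTL_LOCK_VOLUME},
    {200, OP_WRITE_VOLUME, 0}, {200, OP_FSCTL, FSCTL_UNLOCK_VOLUME},
    {400, OP_OPEN_VOLUME, 0}, {400, OP_FSCTL, FSCTL_LOCK_VOLUME},
    {400, OP_FSCTL, FSCTL_UNLOCK_VOLUME}, {400, OP_WRITE_VOLUME, 0},
};
const size_t trace_len = sizeof trace / sizeof trace[0];

int main(void) {
    for (uint32_t pid = 100; pid <= 400; pid += 100)
        printf("pid %u -> verdict %d\n", (unsigned)pid, (int)classify(trace, trace_len, pid));
    return 0;
}
```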