HSM Filters and Antivirus

I have an HSM minifilter (unstubber) which, upon PreCreate, overwrites a sparse reparse point (stub) with data from a network archive. As I understand it, this is a very standard design, similar to that included with MS Remote Storage Service, etc.

The filter works well. However, one problem is that antivirus software does not respect the offline bit (for good reason), and causes my filter to “unstub” files during a virus scan. Ideally, I would like the filter to recognize a virus scan and just pass the request on to the rest of the stack without doing anything. My first thought was that it would be nice if we could have a runtime configurable list of executables to ignore. However, I don’t see a very obvious way to determine the executable responsible for the Create request.

Given that there are a few similar HSM filters out there, I thought there might be a standard design for this sort of thing. Anyone have any thoughts or pointers?

Thanks in advance,

Brent

Hi Brent,

I am working on a mini filter very similar to what you are doing. Only, I try to unstub in postCreate if the status from lower driver says STATUS_REPARSE [Data->IoStatus.Status].

One of my requirements has been to avoid unstubbing on antivirus & search software too. On receiving STATUS_REPARSE, I forward the request to a user process where I gather the process name (OpenProcess, EnumProcessModules & GetModuleBaseNameW calls) & do a check against it to determine whether or not to let the create go through.

I run into similar problems…
However, it’s a bit strange to unstub files during the Create Phase… Wouldn’t it be better to do this only at IRP_MJ_READ / WRITE? But maybe your design requires this…

Nevertheless, antiviruses are an issue… The only possible way I found was to maintain a list of process names that will not trigger the unstub operation. You can check the Current Process Name in Kernel too via PsGetCurrentProcess(), which returns a PEPROCESS. However, this structure is not published in NTIFS, but you can find on the Internet how to extract the process name inside it…
This method works well, but requires that the scan process triggered by the Antivirus be initiated within its own specific process. This is usually the case… However, not all work this way, and there are certain antiviruses that trigger the scan operations from their own driver’s threads (like NOD) which run inside the “System” kernel process. But here, I found also a little trick on how to identify such requests… But, sorry, I can’t post this…
Moreover, there are some antiviruses that allow the user to disable scanning of Offline or Reparse Point files, which is a nice feature for HSM…
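An added example, not code from anyone in this thread, of the process-name ignore-list check both replies describe, written as portable C so the decision logic can be exercised in user mode; in the filter it would be called from the PreCreate callback with the image name obtained for the requesting process. It accepts both the full NT path form and the 15-character truncated name kept in EPROCESS, treats an empty name (the System process) as no match, and the ignore-list contents are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

#define MAX_IGNORED    16
#define SHORT_NAME_MAX 15   /* EPROCESS keeps only the first 15 chars of the image name */

typedef struct {
    const wchar_t *names[MAX_IGNORED];  /* base names to ignore, e.g. L"avscan.exe" */
    size_t count;
} IGNORE_LIST;

/* Case-insensitive equality of exactly n characters of a and b (no early NUL). */
static bool eq_nocase_n(const wchar_t *a, const wchar_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] == L'\0' || b[i] == L'\0') return false;
        if (towlower((wint_t)a[i]) != towlower((wint_t)b[i])) return false;
    }
    return true;
}

/* Strip the directory part of an NT path such as \Device\HarddiskVolume2\x\y.exe. */
static const wchar_t *base_name(const wchar_t *path)
{
    const wchar_t *slash = wcsrchr(path, L'\\');
    return slash ? slash + 1 : path;
}

/* True when a create from this process should be passed down without unstubbing.
 * An empty name (kernel threads running in the System process) never matches:
 * those scans need a different signal and must not be silently ignored. */
bool should_skip_unstub(const IGNORE_LIST *list, const wchar_t *image)
{
    if (list == NULL || image == NULL || image[0] == L'\0') return false;
    const wchar_t *name = base_name(image);
    size_t nlen = wcslen(name);
    /* A bare 15-char name may have been cut off by EPROCESS: match it as a prefix. */
    bool truncated = (nlen == SHORT_NAME_MAX && name == image);
    for (size_t i = 0; i < list->count; i++) {
        size_t clen = wcslen(list->names[i]);
        if (truncated && clen >= SHORT_NAME_MAX &&
            eq_nocase_n(list->names[i], name, SHORT_NAME_MAX)) return true;
        if (!truncated && clen == nlen && eq_nocase_n(list->names[i], name, nlen)) return true;
    }
    return false;
}

/* Constructed sample ignore list and a wrapper around it for demonstration. */
static const IGNORE_LIST SAMPLE_LIST = { { L"avscan.exe", L"SearchIndexer.exe" }, 2 };
bool sample_should_skip(const wchar_t *image) { return should_skip_unstub(&SAMPLE_LIST, image); }
```

In the real filter, the list would be populated from a runtime-configurable source (a registry value or a message from a user-mode service) rather than hard-coded.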