IRP_MJ_CREATE processing question

Hello,

In case of an IRP_MJ_CREATE file request issued by a driver (an AV driver, for
example), how can an FS filter driver discover which driver issued the request?

Thanks,
Alex.



This is a question which senior technical management ask me on a regular
basis. The motivation is classification (perhaps modification) of I/O
operations on the basis of which product has issued the I/O.

“Alex Korthny” wrote in message news:xxxxx@ntdev…
> Hello,
>
> In case of an IRP_MJ_CREATE file request issued by a driver (an AV driver, for
> example), how can an FS filter driver discover which driver issued the
> request?
>
> Thanks,
> Alex.
>

Mats,

If I’m a virus writer, then according to my post, I’ve already penetrated the
system and installed my FS filter driver :) After that, needing to identify the AV
driver sending the FS IRP_MJ_CREATE won’t be of much worry to me - there are
easier ways to “disable” any driver…

You can find some information about the product that I’m working on at the
following link:
http://www3.ca.com/Solutions/Product.asp?ID=154
I hope it will also answer your question of why I’m looking for
information on the topic…

Auditing file access activity and properly writing the log requires identifying
the software component that initiated the file access request…

This particular question was initiated by an issue reported to our support
team, related to a certain AV program that has a driver component which
accesses files in the context of other applications.
The customer noticed that the audit log contained a huge number of records of
unexpected file access activity and reported it.

Thanks,
Alex.
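The thread never gets a technical answer, and the honest one is that an IRP does not record which driver issued it: a filter can read the requestor’s processor mode and the process whose context the create arrived in, but not the originating driver. The following is an added example written for this page (not code from the thread, from CA, or from Microsoft); it assumes a Filter Manager minifilter and the `_KERNEL_MODE` macro that WDK kernel-mode builds define. It shows how an auditing filter can at least recognize the pattern Alex’s customer hit, a kernel-mode create arriving in an unrelated application’s process context, and label the audit record accordingly instead of attributing the access to that application. The classification is kept in plain C so the policy can be exercised in user mode, which is also how the sample run at the bottom works.

```c
/*
 * Added example (not from the thread): an auditing filter's view of who
 * issued a create. An IRP carries no record of the originating driver; what a
 * filter can observe is the requestor's processor mode and the process whose
 * context the create arrived in. The policy below is plain C so it compiles
 * and can be exercised in user mode; the minifilter callback that feeds it is
 * compiled only when the WDK defines _KERNEL_MODE (assumed here).
 */

/* Mirrors the KPROCESSOR_MODE values used by the kernel: KernelMode 0, UserMode 1. */
#define REQ_KERNEL_MODE 0
#define REQ_USER_MODE   1

/* PID of the System process on NT-based Windows. */
#define SYSTEM_PROCESS_ID 4UL

typedef enum create_origin {
    ORIGIN_USER_APP,       /* user-mode caller: attribute the access to the process image */
    ORIGIN_SYSTEM_KERNEL,  /* kernel code running in the System process: no application owner */
    ORIGIN_KERNEL_IN_APP   /* kernel code (an AV driver, say) running in an application's context */
} create_origin_t;

/* Classify a create from the two facts a filter can actually read off the request. */
create_origin_t classify_create(int requestor_mode, unsigned long requestor_pid)
{
    if (requestor_mode == REQ_USER_MODE)
        return ORIGIN_USER_APP;
    if (requestor_pid == SYSTEM_PROCESS_ID)
        return ORIGIN_SYSTEM_KERNEL;
    /* Kernel-mode create in some other process: the pattern behind the
     * "unexpected file access" records described in the thread. The process
     * image is the context the request borrowed, not the author of it. */
    return ORIGIN_KERNEL_IN_APP;
}

const char *origin_label(create_origin_t origin)
{
    switch (origin) {
    case ORIGIN_USER_APP:      return "user application";
    case ORIGIN_SYSTEM_KERNEL: return "kernel (System process)";
    case ORIGIN_KERNEL_IN_APP: return "kernel component in application context";
    }
    return "unknown";
}

#ifdef _KERNEL_MODE
#include <fltKernel.h>

/* Pre-create callback: feed the observable facts to the policy and emit the audit line. */
FLT_PREOP_CALLBACK_STATUS FLTAPI
AuditPreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    ULONG pid = FltGetRequestorProcessId(Data);   /* process whose context the create arrived in */
    int mode = (Data->RequestorMode == KernelMode) ? REQ_KERNEL_MODE : REQ_USER_MODE;
    create_origin_t origin = classify_create(mode, pid);

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    if (NT_SUCCESS(FltGetFileNameInformation(Data,
            FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo))) {
        DbgPrint("audit: pid=%lu origin=%s file=%wZ\n", pid, origin_label(origin), &nameInfo->Name);
        FltReleaseFileNameInformation(nameInfo);
    } else {
        DbgPrint("audit: pid=%lu origin=%s file=<unavailable>\n", pid, origin_label(origin));
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
#else
#include <stdio.h>

/* User-mode harness over constructed sample requests (values are made up for illustration). */
int main(void)
{
    struct { int mode; unsigned long pid; } samples[] = {
        { REQ_USER_MODE,   1234UL },  /* an editor opening a document */
        { REQ_KERNEL_MODE, 4UL    },  /* a kernel-mode open from a System-process thread */
        { REQ_KERNEL_MODE, 1234UL },  /* a driver opening files while in the editor's context */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("mode=%d pid=%lu -> %s\n", samples[i].mode, samples[i].pid,
               origin_label(classify_create(samples[i].mode, samples[i].pid)));
    return 0;
}
#endif
```

The third sample is the case from the thread: a kernel-mode requestor inside an ordinary process. Logging it as "kernel component in application context" keeps the audit trail truthful about what the filter can and cannot know; naming the specific driver would need information the I/O manager does not attach to the request.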

Alex,

Not sure what you’re after, and maybe I’m being paranoid, but why would
this make any sort of difference? Why would it make any difference to you
(or anyone else) which driver sent the request? It sounds like the answer
to this question is only really useful if you’re a virus writer…

If you can expand on why you’re asking this, maybe one of the members of
this mailing list can come up with an answer…


Mats

xxxxx@lists.osr.com wrote on 05/09/2005 02:40:04 PM:

>Hello,
>
>In case of an IRP_MJ_CREATE file request issued by a driver (an AV driver, for
>example), how can an FS filter driver discover which driver issued the
>request?
>
>Thanks,
>Alex.
>



So, I’m overly paranoid… ;) Apologies, but I’d rather ask once too many
times than once too few…

Thanks for the reply and explanation.

Unfortunately, I don’t know the answer to your question. I think there are
others who do, however.


Mats

xxxxx@lists.osr.com wrote on 05/10/2005 05:09:06 AM:

> Mats,
>
> If I’m a virus writer, then according to my post, I’ve already penetrated the
> system and installed my FS filter driver :) After that, needing to identify the AV
> driver sending the FS IRP_MJ_CREATE won’t be of much worry to me - there are
> easier ways to “disable” any driver…
>
> You can find some information about the product that I’m working on at the
> following link:
> http://www3.ca.com/Solutions/Product.asp?ID=154
> I hope it will also answer your question of why I’m looking for
> information on the topic…
>
> Auditing file access activity and properly writing the log requires identifying
> the software component that initiated the file access request…
>
> This particular question was initiated by an issue reported to our support
> team, related to a certain AV program that has a driver component which
> accesses files in the context of other applications.
> The customer noticed that the audit log contained a huge number of records of
> unexpected file access activity and reported it.
>
> Thanks,
> Alex.
>
>> Alex,
>>
>> Not sure what you’re after, and maybe I’m being paranoid, but why would
>> this make any sort of difference? Why would it make any difference to you
>> (or anyone else) which driver sent the request? It sounds like the answer
>> to this question is only really useful if you’re a virus writer…
>>
>> If you can expand on why you’re asking this, maybe one of the members of
>> this mailing list can come up with an answer…
>>
>> –
>> Mats
>>
>> xxxxx@lists.osr.com wrote on 05/09/2005 02:40:04 PM:
>>
>>> Hello,
>>>
>>> In case of an IRP_MJ_CREATE file request issued by a driver (an AV driver, for
>>> example), how can an FS filter driver discover which driver issued the
>>> request?
>>>
>>> Thanks,
>>> Alex.

