problem with file system filter driver and virus scanners

Hello everybody,

I have developed a file system filter driver which attaches to some
specified file system devices to check the user’s rights in case of an
IRP_MJ_CREATE.

The filter driver works well as long as I don’t have a virus scanner
(McAfee, NAV, …) installed.
If my filter driver starts AFTER the virus scanner, it works.
If my filter driver starts BEFORE the virus scanner, it stops working as
soon as the virus scanner’s filter driver attaches to the same device
objects.

I tried to find out why this happens and came to this: the virus scanner’s
filter driver doesn’t use the pointer returned by
IoAttachDeviceToDeviceStack() (or IoAttachDevice() respectively) but sends
all requests with IoCallDriver() directly to the file system driver
itself, i.e. skips all underlying filter drivers.

Does anybody know if my assumption is true? Is there another way to filter
the file system or to force the virus scanner to send the requests the
right way?
Alternatively: is there a way to start my filter driver right after the
virus scanner has loaded and attached to all devices?

Thanks in advance.

Lothar

