Problem with FS filter on top of another FS filter (i.e. antivirus)

I’ve developed a filesystem filter which acts (more or less) like
Russinovich’s Filemon. It just traps IRP_MJ_CREATE and IRP_MJ_CLOSE on the
it filters, and signals a user-mode app when they happen.

All works well except when an antivirus (or, I presume, any other filesystem
filter) is active. That’s why I attach myself on the last device in the chain
(the antivirus filter), and I trap IRPs coming from its device and not from
the real FS itself.

In this case, I obviously receive other IRPs too … i.e. when the
antivirus opens/closes the file to check it against AV signatures. This doesn’t
disturb me for IRP_MJ_CREATE, since I trap only file creations and not file
opens, but it does for closes :) I usually receive 4-5 more closes than the

Is there a way to discern which IRPs belong to opens/closes coming from
the AV filter device and which really come from the FS?
(I know all come from the AV device since it filters the underlying FS, but
well … hope you got the point)

I tried many ways; basically, by messing with some FileObject fields I succeeded
in fixing the problem with Norton AV 2003, but I bet what I did is not
general for all filters I could encounter.