Re[2]: HSM/antivirus interop problem

> Based on your description, it sounds like they have a rule that says, "if
> the user opens a file of a certain type and modifies it, in pre-cleanup we
> will scan the file".

I expect this behavior in more antivirus products. The reason
why they do it is simple: imagine malware being downloaded from the
internet. At the moment of IRP_MJ_CREATE, it is not malware yet,
because it’s a new, empty file. Then a series of InternetReadFile
and WriteFile calls follows, but the file is still not malware.
At the moment when all data have been fetched and written
to the local file (which can only be determined if the local
file is being closed), the AV engine scans the file to be able
to tell the user “Hey, you have downloaded a virus!!!”

L.
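The scan-on-cleanup rule described above, as an added example that is not part of the original thread and is not Symantec's or any other vendor's code: a user-mode C model of the per-handle state such a filter would keep. The event names mirror the IRP majors and FSCTL named in the thread; the two extension policies, the file paths and the event traces are constructed for the example, and the "scan" is only the decision to scan at cleanup, not an engine call. It also replays the case Eric raises later in the thread (open, set a reparse point, close), with a policy knob for whether a reparse-point change counts as a modification.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* I/O events a file system filter sees on one file object, in order.
 * Names mirror the IRP majors mentioned in the thread. */
typedef enum {
    EV_CREATE,      /* IRP_MJ_CREATE: handle opened (new empty file or existing) */
    EV_WRITE,       /* IRP_MJ_WRITE: data written, e.g. from WriteFile */
    EV_SET_REPARSE, /* FSCTL_SET_REPARSE_POINT: HSM tags the file, data untouched */
    EV_CLEANUP      /* IRP_MJ_CLEANUP: last user handle closed */
} io_event;

/* Per-handle state: a user-mode stand-in (assumed layout, not a real
 * minifilter context) for what a filter would keep per stream handle. */
typedef struct {
    char path[260];
    bool dirty;             /* something changed since IRP_MJ_CREATE */
    bool scan_on_cleanup;   /* extension is in the policy's scan set */
    bool reparse_is_modify; /* policy knob: does setting an RP count as a write? */
} handle_ctx;

/* Two hypothetical extension policies, constructed for this example. */
const char *POLICY_EXE_ONLY[] = { ".exe", NULL };
const char *POLICY_ALL_EXEC[] = { ".exe", ".dll", ".com", ".pif", ".scr", NULL };

/* Case-insensitive equality, since NTFS names are case-insensitive. */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

static bool ext_in_set(const char *path, const char *const *set)
{
    const char *dot = strrchr(path, '.');
    if (dot == NULL)
        return false;
    for (; *set != NULL; set++)
        if (ieq(dot, *set))
            return true;
    return false;
}

/* Feed one event through the filter. Returns true when the event triggers a
 * scan; a real filter would read the stream and run the engine at that point. */
static bool filter_event(handle_ctx *ctx, io_event ev, const char *const *policy)
{
    switch (ev) {
    case EV_CREATE:
        ctx->dirty = false;
        ctx->scan_on_cleanup = ext_in_set(ctx->path, policy);
        return false;
    case EV_WRITE:
        ctx->dirty = true;  /* data changed: must rescan at close */
        return false;
    case EV_SET_REPARSE:
        /* Only metadata changed. Counting it as a modification is exactly
         * what makes an HSM migration of foo.exe trigger a scan at cleanup. */
        if (ctx->reparse_is_modify)
            ctx->dirty = true;
        return false;
    case EV_CLEANUP:
        return ctx->dirty && ctx->scan_on_cleanup;
    }
    return false;
}

/* Replay an event sequence on one path and count the scans it causes. */
int scans_for(const char *path, const io_event *evs, size_t n,
              const char *const *policy, bool reparse_is_modify)
{
    handle_ctx ctx;
    int scans = 0;
    memset(&ctx, 0, sizeof ctx);
    strncpy(ctx.path, path, sizeof ctx.path - 1);
    ctx.reparse_is_modify = reparse_is_modify;
    for (size_t i = 0; i < n; i++)
        if (filter_event(&ctx, evs[i], policy))
            scans++;
    return scans;
}

/* Constructed traces: a browser download, and an HSM migration that only
 * stamps a reparse point on an existing file without touching its data. */
const io_event TRACE_DOWNLOAD[] = { EV_CREATE, EV_WRITE, EV_WRITE, EV_CLEANUP };
const io_event TRACE_HSM_MIGRATE[] = { EV_CREATE, EV_SET_REPARSE, EV_CLEANUP };

int main(void)
{
    printf("download setup.exe (exe-only policy): %d scan(s)\n",
           scans_for("C:\\dl\\setup.exe", TRACE_DOWNLOAD, 4, POLICY_EXE_ONLY, true));
    printf("download helper.dll (exe-only policy): %d scan(s)\n",
           scans_for("C:\\dl\\helper.dll", TRACE_DOWNLOAD, 4, POLICY_EXE_ONLY, true));
    printf("HSM migrate big.exe, RP counts as modify: %d scan(s)\n",
           scans_for("D:\\data\\big.exe", TRACE_HSM_MIGRATE, 3, POLICY_EXE_ONLY, true));
    printf("HSM migrate big.exe, RP ignored: %d scan(s)\n",
           scans_for("D:\\data\\big.exe", TRACE_HSM_MIGRATE, 3, POLICY_EXE_ONLY, false));
    return 0;
}
```

The last two calls are the interop problem in miniature: with the reparse-point knob on, the HSM's metadata-only migration of an .exe looks like a modified executable and gets scanned at cleanup; with it off, nothing fires. Swapping POLICY_EXE_ONLY for POLICY_ALL_EXEC shows why scanning only .exe and not .dll is a policy gap rather than a kernel limitation.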

I agree the behavior makes sense in the situation you just laid out.
I’m a little fuzzy on why opening a file, setting an RP, and closing it
would trigger a scan. Are there viruses that try to hide stuff in reparse
points? I am writing data to the file (or at least its metadata), but
I’m not sure I understand the threat. Or, for that matter, why it would
apply only to .exe files (I haven’t noticed this with other executable
extensions, but it may happen) and not to .dlls. I guess I ought to try
some of the others. Anybody know where I can get some non-virus .com
and .pif (and others too, of course) files?

~Eric

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Wednesday, July 09, 2008 2:35 AM
To: Windows File Systems Devs Interest List
Subject: Re[2]: [ntfsd] HSM/antivirus interop problem


> I agree the behavior makes sense in the situation you just laid out.
> I’m a little fuzzy on why opening a file, setting an RP, and closing it
> would trigger a scan.

I would say this is a bug, as is the fact that they don’t
care about DLLs. However, I don’t work for Symantec, so
I can only speculate.

L.