> I think AV probably returns success to satisfy the initial
> operation even though they think it's malicious and later on isolate
> that file and show their message.
No. Doing this would lead to confusing applications, resulting
in totally unexpected behavior. When an AV blocks access to a file
(due to the file being malware), it needs to inform the calling
application.
Let me do a little experiment:
I downloaded and installed the free edition of Kaspersky Antivirus
to a VMware machine. Then I turned off the resident scanner,
and uploaded a sample of malware. Then I turned the resident
scanner on, and used the FileTest tool to open the file.
As expected, CreateFile returned INVALID_HANDLE_VALUE
and GetLastError() returned ERROR_ACCESS_DENIED. Simultaneously,
Kaspersky’s control application (AVP.exe) showed an information
window saying that the file contains malware and has been blocked.
When I tried to open the file using Total Commander’s File Viewer,
Kaspersky showed the window again (because at the last attempt, I chose
to ignore the infection and just block access to the file).
Simultaneously, Total Commander showed the message “Access to the file
has been denied”.
When I double-clicked on the file in Explorer, I got the same error
message as in the subject of this topic.
When I opened the file in Notepad, I got an “Access is denied” message.
End of experiment. Feel free to check any other AV or security
product.
This should convince the OP that if you prevent access to a file,
for whatever reason, you will not prevent applications from showing
error messages.
L.