See this article:
http://service1.symantec.com/SUPPORT/ent-security.nsf/d04e6f2f2dfad5de88256c910079502c/10eaa5fc1148e6f888256bf40056e227?OpenDocument&src=bar_sch_nam
At 07:23 AM 9/13/2003 -0400, you wrote:
> Perfect filter, NAV. Come in, discuss its IRP_MJ_CREATE handling.
> I have developed my filter. It's below NAV.
> Oh, I will make my IRP_MJ_CREATE. OK, it's a recursive IRP_MJ_CREATE.
> NAV received my IRP_MJ_CREATE, but he will IGNORE it!!!
> And even if I send an IRP_MJ_CREATE for a different filename from the original IRP_MJ_CREATE, NAV also will IGNORE it.
> By IGNORE, I mean that NAV will not scan this file.
> Normally, NAV will scan the file because of the IRP_MJ_CREATE.
>
> God. I think NAV perhaps uses a tech that will detect that this is a recursive IRP_MJ_CREATE.
> So this IRP_MJ_CREATE must be from another filter. NAV will ignore it.
> Of course, my thinking is so simple.
>
> Can anybody tell me the secret about that tech, or the tech NAV used? Thank you very much. I need it. Thank you!
No, it's not stack overflow.
Oh, sorry. I'm so careless. Yes, NAV will ignore all Ring0 creates.
That's all.
So simple.
If you actually read the article, you would see that NAV has a mechanism to
prevent stack overflow by ignoring creates from kernel mode.
At 06:36 AM 9/14/2003 -0400, you wrote:
> No, it's not stack overflow.
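The trade-off this thread arrives at, as an added example that is not from the thread, the Symantec article or NAV: a user-space C model (not WDK code, all names hypothetical) of a scanning filter whose own file open re-enters the create path. It goes beyond the thread by adding a third policy, skipping only the scanner's own opens, which assumes the filter has some way to tag them.

```c
#include <stdio.h>

/* Constructed user-space model, not WDK code; all names are hypothetical. */
typedef enum { KernelMode, UserMode } MODE;     /* same order as the WDK enum */
typedef enum { GUARD_NONE, GUARD_SKIP_KERNEL, GUARD_SKIP_OWN } GUARD;

#define DEPTH_LIMIT 16   /* stand-in for the fixed-size kernel stack */

typedef struct { int scans; int max_depth; int overflow; } RESULT;

/* Scanner's create handler. To scan a file it opens the file itself; that
   open is a kernel-mode create that re-enters the top of the filter stack. */
static void scanner_create(MODE mode, int own, GUARD g, int depth, RESULT *r)
{
    if (depth > r->max_depth) r->max_depth = depth;
    if (depth >= DEPTH_LIMIT) { r->overflow = 1; return; }
    if (g == GUARD_SKIP_KERNEL && mode == KernelMode) return; /* any ring-0 create */
    if (g == GUARD_SKIP_OWN && own) return;                   /* only its own opens */
    r->scans++;
    scanner_create(KernelMode, 1, g, depth + 1, r);           /* scanner's open */
}

/* Send one create (requestor mode given) through the scanner under a policy. */
static RESULT run(MODE mode, GUARD g)
{
    RESULT r = {0, 0, 0};
    scanner_create(mode, 0, g, 0, &r);
    return r;
}

int main(void)
{
    static const char *names[] = {"none", "skip-kernel", "skip-own"};
    for (int g = GUARD_NONE; g <= GUARD_SKIP_OWN; g++)
        for (int m = KernelMode; m <= UserMode; m++) {
            RESULT r = run((MODE)m, (GUARD)g);
            printf("%-11s %-6s scans=%d depth=%d overflow=%d\n", names[g],
                   m == KernelMode ? "kernel" : "user",
                   r.scans, r.max_depth, r.overflow);
        }
    return 0;
}
```

Under `GUARD_SKIP_KERNEL` the recursion stops after one level, but a create issued by another kernel-mode component is never scanned, which matches what the original poster observed.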