The "hidden" file object which keeps on caching ...

Gentlefolk

I am seeing a functional interop problem with the filter driver of a major
antivirus product.

In a filter *above* the antivirus filter I am never seeing IRP_MJ_CLOSE with
SectionObjectPointers null despite having seen several IRP_MJ_CLOSE with
SectionObjectPointers not null. I am however seeing the FCB address reused
for a second file which (eyeballs) can not be the same file; and the first
file has been deleted. This causes errors in the traditional context
tracking algorithm.

In a filter below the antivirus filter I am seeing IRP_MJ_CREATE, CLEANUP
and CLOSE for an extra file object (with the same fcb address) which is
never seen above the antivirus filter. It so happens the IRP_MJ_CLOSE for
the “hidden” file object is the last IRP_MJ_CLOSE seen for the FCB (just a
moment before the fcb appears reused); this is the one with
SectionObjectPointers null.

If anyone from Sophos is tuned into these groups I would be really grateful if
you could pop me a line xxxxx@neverfailgroup.com

Kind regards
Lyndon

I find that the “hidden” file object at the bottom of this issue has
FO_FILE_OBJECT_HAS_EXTENSION set in FileObject->Flags so this file object
should have been created with IoCreateFileSpecifyDeviceObjectHint. I also
find that I can write a simple piece of test code which generates the
situation.

The crux of the matter is that the file object created in
IoCreateFileSpecifyDeviceObjectHint is the first file object with which
there is cached access (read) to the file.

“Lyndon J Clarke” wrote in message
news:xxxxx@ntfsd…
> Gentlefolk
>
> I am seeing a functional interop problem with the filter driver of a major
> antivirus product.
>
> In a filter above the antivirus filter I am never seeing IRP_MJ_CLOSE
> with SectionObjectPointers null despite having seen several IRP_MJ_CLOSE
> with SectionObjectPointers not null. I am however seeing the FCB address
> reused for a second file which (eyeballs) can not be the same file; and
> the first file has been deleted. This causes errors in the traditional
> context tracking algorithm.
>
> In a filter below the antivirus filter I am seeing IRP_MJ_CREATE, CLEANUP
> and CLOSE for an extra file object (with the same fcb address) which is
> never seen above the antivirus filter. It so happens the IRP_MJ_CLOSE for
> the “hidden” file object is the last IRP_MJ_CLOSE seen for the FCB (just a
> moment before the fcb appears reused); this is the one with
> SectionObjectPointers null.
>
> If anyone from Sophos is tuned into these groups I would be really grateful if
> you could pop me a line xxxxx@neverfailgroup.com
>
> Kind regards
> Lyndon
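As an added illustration (not code from the thread, and not from any filter driver or antivirus product named in it), the following user-mode C simulation replays a constructed I/O trace through a per-FCB context table twice: once as a filter below the antivirus filter sees it, and once as a filter above it sees it, where the create, cleanup and close of the hidden file object never appear. The table is keyed on the FCB address (a stand-in for FileObject->FsContext) and, as in the posts above, discards the context on the IRP_MJ_CLOSE that arrives with SectionObjectPointers NULL. The trace, the FCB value 0x1000, the file names, and the name-comparison "identity check" on IRP_MJ_CREATE are all assumptions made for this example; a real filter would compare something more robust than a name, but the point is the same: the missing close leaves a stale context that the reused FCB address then matches.

```c
/* User-mode simulation of per-FCB context tracking in a file system filter.
 * Added example, not code from the thread: kernel structures are stand-ins
 * and the I/O trace below is constructed. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

enum op { OP_CREATE, OP_CLEANUP, OP_CLOSE };

struct event {
    enum op op;
    unsigned fcb;      /* stands in for FileObject->FsContext (constructed value) */
    const char *name;  /* file name carried by the create, NULL otherwise */
    bool hidden;       /* object opened below the AV via IoCreateFileSpecifyDeviceObjectHint */
    bool sop_null;     /* IRP_MJ_CLOSE arrived with SectionObjectPointers == NULL */
};

/* Constructed trace in the order a filter *below* the antivirus filter sees it. */
static const struct event trace[] = {
    { OP_CREATE,  0x1000, "a.txt", false, false },
    { OP_CREATE,  0x1000, "a.txt", true,  false },  /* hidden AV handle on the same FCB */
    { OP_CLEANUP, 0x1000, NULL,    false, false },
    { OP_CLOSE,   0x1000, NULL,    false, false },  /* SectionObjectPointers still set */
    { OP_CLEANUP, 0x1000, NULL,    true,  false },
    { OP_CLOSE,   0x1000, NULL,    true,  true  },  /* last close for the FCB, SOP NULL */
    { OP_CREATE,  0x1000, "b.txt", false, false },  /* FCB address reused for a new file */
    { OP_CREATE,  0x1000, "b.txt", true,  false },
    { OP_CLEANUP, 0x1000, NULL,    false, false },
    { OP_CLOSE,   0x1000, NULL,    false, false },
    { OP_CLEANUP, 0x1000, NULL,    true,  false },
    { OP_CLOSE,   0x1000, NULL,    true,  true  },
};

struct ctx    { bool used; unsigned fcb; char name[32]; };
struct result { int misattributed; int stale_detected; int leaked; };

#define MAX_CTX 8

static struct ctx *find_ctx(struct ctx *t, unsigned fcb) {
    for (int i = 0; i < MAX_CTX; i++)
        if (t[i].used && t[i].fcb == fcb) return &t[i];
    return NULL;
}

static struct ctx *alloc_ctx(struct ctx *t, unsigned fcb, const char *name) {
    for (int i = 0; i < MAX_CTX; i++) {
        if (t[i].used) continue;
        t[i].used = true;
        t[i].fcb = fcb;
        strncpy(t[i].name, name, sizeof t[i].name - 1);
        t[i].name[sizeof t[i].name - 1] = '\0';
        return &t[i];
    }
    return NULL;
}

/* Replay the trace as seen from one altitude.
 * see_hidden: the filter sits below the AV and sees the hidden file object.
 * verify_identity: a CREATE that finds an existing context for the FCB checks
 * that it still describes the same file before trusting it (assumed check). */
struct result replay(bool see_hidden, bool verify_identity) {
    struct ctx table[MAX_CTX] = {0};
    struct result r = {0, 0, 0};
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        const struct event *e = &trace[i];
        if (e->hidden && !see_hidden) continue;          /* invisible above the AV */
        struct ctx *c = find_ctx(table, e->fcb);
        switch (e->op) {
        case OP_CREATE:
            if (c == NULL) { alloc_ctx(table, e->fcb, e->name); break; }
            if (strcmp(c->name, e->name) == 0) break;    /* genuine second open */
            if (verify_identity) {                        /* stale context on a reused FCB */
                r.stale_detected++;
                c->used = false;
                alloc_ctx(table, e->fcb, e->name);
            } else {
                r.misattributed++;                        /* traditional algorithm trusts the match */
            }
            break;
        case OP_CLEANUP:
            break;
        case OP_CLOSE:
            if (c != NULL && e->sop_null) c->used = false; /* treated as the FCB's final close */
            break;
        }
    }
    for (int i = 0; i < MAX_CTX; i++) if (table[i].used) r.leaked++;
    return r;
}

int main(void) {
    struct result below = replay(true, false), above = replay(false, false), checked = replay(false, true);
    printf("below AV:            misattributed=%d leaked=%d\n", below.misattributed, below.leaked);
    printf("above AV:            misattributed=%d leaked=%d\n", above.misattributed, above.leaked);
    printf("above AV + identity: stale_detected=%d misattributed=%d leaked=%d\n",
           checked.stale_detected, checked.misattributed, checked.leaked);
    return 0;
}
```

Below the AV the context is freed on the hidden object's final close and the reuse of 0x1000 is handled cleanly. Above the AV that close is never seen, so the context for a.txt survives and the create of b.txt on the same FCB address is attributed to it. The identity check stops the misattribution but cannot fix the leak, because the only event that would release the context is the one this altitude never observes.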