Hi,
I am developing a file system filter driver for Windows 2K/XP. The filter
driver blocks IRP_MJ_READ calls and communicates to our user mode application
about the file access; the user mode application then tries to validate the
file by reading it. I have observed that one of the AV software products does
the same thing to scan, but they do it in IRP_MJ_CREATE.
When my solution is installed along with the AV driver, I am seeing a deadlock,
as our driver is also blocking the requests that are part of the virus scan.
Here, if my driver is on top of the AV driver, then I can use
IoGetBaseFileSystemDeviceObject() and avoid the lower AV driver for the requests
that come from our user mode application.
But we feel that the problem here is that the virus scan will be skipped for
files that are accessed by our application. Could anyone say if this is the
right approach?
In the code of one of the OSR articles (File System Filter-to-Filter Interaction),
I have seen the function IoGetBaseFileSystemDeviceObject() being used.
And if my driver is below the AV driver, then the above approach will not
work, as our application's calls will also come through the AV driver. I
have to find a solution for this, and I feel that only the shadow device
mechanism can help here. Is my idea correct?
Any information is helpful.
Thanks,
Kedar.