ZwCreateFile being called at raised IRQL

Hi All,

I am experiencing a problem with Symantec “Norton Internet Security 2003”
when our filter is in the stack. Actually, even if our driver is not in the
stack, it bugchecks with:

a) Other active filter drivers
b) Checked build
c) Driver Verifier

The problem seems to emanate from SYMTDI.SYS. If I look through the stack
dump everything seems to stem from there. The problem is that ZwCreateFile
is being called at DISPATCH_LEVEL and I have an assert in my IRP_MJ_CREATE
handler to let me know (while debugging) if we are being called illegally.

Interestingly, it is only a problem with the firewall component; it doesn’t
seem to cause a problem with just the AV component.

According to the DDK documentation, ZwCreateFile should only be called at
PASSIVE_LEVEL, so I consider the calling of ZwCreateFile by this component
to be in violation of a pretty fundamental OS requirement.

Has anyone else experienced this problem?

Regards

Ben Curley
Data Encryption Systems Ltd.
Email: xxxxx@des.co.uk
Web: http://www.deslock.com