EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Use process restrictions to block anti-virus and MSSearch

Posted: 01/30/2014 09:09:40
by Richard Hauer (Basic support level)
Joined: 12/05/2013
Posts: 26

I have noticed a lot of activity from Windows anti-virus and MSSearch (indexing). Is it possible to use the Process Restrictions system to block these.

I can probably record a list of the anti-virus executables then programatically discover the Process IDs as required; but I wonder if Windows/Anti-Virus tools will see this as virus-like behaviour which will lead to other problems.

I would like to prevent the unnecessary reads. I think re-implementing as a Shell Namespace Extension rather than a disk would do the job but I will lose other features that way.

Anyone with any thoughts? Anyone tried it?
Posted: 01/30/2014 09:37:17
by Volodymyr Zinin (Team)

The problem with the process restriction mechanism can be if some of these utilities work on the kernel mode level in the context of the "SYSTEM" process (which PID is 4). Many other kernel components also perform I/O requests in the context of this process. So blocking of it can cause some problems.

Perhaps it's better to analyze what a process is opening a file/directory in the OnCreate/OnOpen callback (see the GetOriginatorProcessName and similar CBFS methods) and throw the access denied error. This causes the process won't obtain a handle to the file and won't be able to do any other operations.

You can take Process Monitor from syinternals.com and investigate what behavior these utilities have.
Posted: 01/30/2014 09:39:22
by Richard Hauer (Basic support level)
Joined: 12/05/2013
Posts: 26

Thanks for the advice - I will have a go.
Posted: 01/30/2014 10:18:25
by Richard Hauer (Basic support level)
Joined: 12/05/2013
Posts: 26

How do I throw an Access Denied error? What is the error code, do you know?
Posted: 01/30/2014 10:23:02
by Volodymyr Zinin (Team)




Topic viewed 2811 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!