Use process restrictions to block anti-virus and MSSearch

Posted: 01/30/2014 09:09:40
by Richard Hauer (Basic support level)
Joined: 12/05/2013
Posts: 26

I have noticed a lot of activity from Windows anti-virus and MSSearch (indexing). Is it possible to use the Process Restrictions system to block these?

I can probably record a list of the anti-virus executables and then programmatically discover the Process IDs as required; but I wonder if Windows/Anti-Virus tools will see this as virus-like behaviour, which will lead to other problems.

I would like to prevent the unnecessary reads. I think re-implementing as a Shell Namespace Extension rather than a disk would do the job but I will lose other features that way.

Anyone with any thoughts? Anyone tried it?
Posted: 01/30/2014 09:37:17
by Volodymyr Zinin (EldoS Corp.)

The problem with the process restriction mechanism can arise if some of these utilities work at the kernel-mode level in the context of the "SYSTEM" process (whose PID is 4). Many other kernel components also perform I/O requests in the context of this process, so blocking it can cause some problems.

Perhaps it's better to analyze which process is opening a file/directory in the OnCreate/OnOpen callback (see the GetOriginatorProcessName and similar CBFS methods) and throw the access denied error. This means the process won't obtain a handle to the file and won't be able to do any other operations.

You can take Process Monitor from sysinternals.com and investigate what behavior these utilities have.
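The per-process deny decision described in the reply, as an added framework-independent sketch rather than code from the thread or from CBFS: it matches the originator's executable name against a deny list, never blocks the System process (PID 4), and yields the Win32 ERROR_ACCESS_DENIED code the callback would fail the open with. The `on_open_file` wrapper, the `OriginatorPolicy` class and the image names are assumptions/constructed placeholders, not CBFS API or real product names.

```python
import os
from typing import Iterable, Optional

# Win32 ERROR_ACCESS_DENIED. How the callback reports it (exception type,
# return convention) is CBFS-specific and not shown here.
ERROR_ACCESS_DENIED = 5

# PID 4 is the Windows "System" process. Kernel-mode components (filter
# drivers, cache manager, parts of AV engines) issue I/O in its context,
# so it is never blocked: denying it breaks unrelated kernel I/O.
SYSTEM_PID = 4


def _image_key(image: str) -> str:
    """Normalize a process image path to a lowercase basename; handles
    Windows-style paths even when this runs on a non-Windows host."""
    return os.path.basename(image.replace("\\", "/")).lower()


class OriginatorPolicy:
    """Decides whether the process opening a file on the virtual disk may
    proceed. Matching is by executable basename, case-insensitively."""

    def __init__(self, denied_images: Iterable[str]) -> None:
        self._denied = {_image_key(n) for n in denied_images}

    def error_for(self, originator_pid: int, originator_image: Optional[str]) -> int:
        """Return 0 to allow the open, or a Win32 error code to fail it with."""
        if originator_pid == SYSTEM_PID:
            return 0                     # never block the System process
        if not originator_image:
            return 0                     # unknown originator: allow, and log it
        return ERROR_ACCESS_DENIED if _image_key(originator_image) in self._denied else 0


# Constructed sample deny list; the names are placeholders, not real products.
POLICY = OriginatorPolicy(["ExampleAV.exe", r"C:\Example\ExampleIndexer.exe"])


def on_open_file(originator_pid: int, originator_image: Optional[str], file_name: str) -> int:
    """Hypothetical stand-in for an OnOpenFile handler: returns the error
    code the real callback would raise (0 = allow the open)."""
    code = POLICY.error_for(originator_pid, originator_image)
    if code:
        print(f"deny {file_name!r} to {originator_image} (pid {originator_pid}) -> error {code}")
    return code
```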
Posted: 01/30/2014 09:39:22
by Richard Hauer (Basic support level)
Joined: 12/05/2013
Posts: 26

Thanks for the advice - I will have a go.
Posted: 01/30/2014 10:18:25
by Richard Hauer (Basic support level)
Joined: 12/05/2013
Posts: 26

How do I throw an Access Denied error? What is the error code, do you know?
Posted: 01/30/2014 10:23:02
by Volodymyr Zinin (EldoS Corp.)
