EldoS | Feel safer!

Software components for data protection, secure storage and transfer


Posted: 07/06/2015 22:55:12
by byeong hun choi (Basic support level)
Joined: 07/06/2015
Posts: 2

I am a newbie here.

Can I use this solution for an antivirus filter?

Detailed reply, please.
Posted: 07/07/2015 11:40:57
by Eugene Mayevski (EldoS Corp.)

In general, antivirus applications include filesystem filter drivers to intercept file operations and check the files being accessed. Filter drivers can be bypassed in several ways, but those ways are accessible via kernel mode, so if one has got to the kernel mode to bypass the filter, the system is already in big trouble anyway.

"In details" you need to
1) set up a filter on all (or chosen) disks using filtering rules.
2) set the ReadWriteFilesInPreCreatePath property to true.
3) handle the OnCreateFileC and OnFileOpenC events and, when handling them, verify the request flags -- you need to check the file unless it's opened for writing with the truncation flag set (in which case the previous contents will be discarded). In other words, you don't check the files if they are opened not for reading.
4) use the OpenFile method of CallbackFilter to read file contents for verification. Please pay attention to the fact that the OpenFile method opens files in non-buffered mode, which has its own restrictions. Please see the description in the help file for additional details.
5) allow or forbid the file opening request based on the verification results.

Sincerely yours
Eugene Mayevski
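
The decision logic of steps 3 to 5 above, as an added example that is not part of the original post and is not EldoS code. It assumes the event handler receives Win32-style desired-access and creation-disposition values; every function name here is hypothetical, and `demo_scan` is a constructed stand-in for a real scanning engine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Win32 access bits and creation dispositions, defined locally so this builds anywhere. */
#define GENERIC_READ    0x80000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define FILE_READ_DATA  0x00000001u
#define FILE_EXECUTE    0x00000020u
enum { CREATE_NEW = 1, CREATE_ALWAYS = 2, OPEN_EXISTING = 3, OPEN_ALWAYS = 4, TRUNCATE_EXISTING = 5 };
typedef enum { VERDICT_ALLOW, VERDICT_DENY } verdict_t;

/* Step 3: scan only when existing content can reach the caller. */
int needs_scan(uint32_t access, int disposition) {
    /* CREATE_ALWAYS and TRUNCATE_EXISTING discard the old contents; CREATE_NEW
       succeeds only when no file exists, so there is nothing to verify. */
    if (disposition == CREATE_ALWAYS || disposition == TRUNCATE_EXISTING ||
        disposition == CREATE_NEW)
        return 0;
    /* Assumption added in this example: execute access is treated like reading. */
    uint32_t consumes = GENERIC_READ | GENERIC_EXECUTE | GENERIC_ALL |
                        FILE_READ_DATA | FILE_EXECUTE;
    return (access & consumes) != 0;
}

/* Step 4 caveat: non-buffered reads must be a multiple of the sector size
   (sector > 0, supplied by the caller for the volume being read). */
size_t aligned_read_len(size_t wanted, size_t sector) {
    return (wanted + sector - 1) / sector * sector;
}

/* Constructed stand-in for a scanning engine: flags paths containing "eicar". */
int demo_scan(const char *path) { return strstr(path, "eicar") != NULL; }

/* Step 5: allow or forbid the open request based on the verification result. */
verdict_t on_open(const char *path, uint32_t access, int disposition, int (*scan)(const char *)) {
    if (!needs_scan(access, disposition))
        return VERDICT_ALLOW;           /* nothing readable to verify */
    return scan(path) ? VERDICT_DENY : VERDICT_ALLOW;
}

int main(void) {
    printf("read+open: %d\n", on_open("C:\\tmp\\eicar.com", GENERIC_READ, OPEN_EXISTING, demo_scan));
    printf("truncate:  %d\n", on_open("C:\\tmp\\eicar.com", GENERIC_READ, CREATE_ALWAYS, demo_scan));
    return 0;
}
```
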


