Re: On access scanning in Windows XP?
John Ogness <jogness <at> antivir.de>
2004-03-24 08:36:05 GMT
fred wu wrote:
> I found that the dazuko directory has dazukoio_xp.h, dazuko_xp.c and
> dazuko_xp.h. Are these all the necessary files for XP?
No, the dazuko_xp files stand for "Dazuko Cross Platform". This is the main
code of Dazuko, which compiles for all supported platforms (i.e. it is
written in ANSI C with no platform-specific actions).
> By the way, can the
> filter scan all file formats? I observed that some antivirus
> software can only on-access scan .dll, .sys and .com files. However, some
> antivirus software can on-access scan all files.
A filter device in WindowsXP should be able to detect all file access
events. The scanners decide if they want to scan the files or not. A filter
device in WindowsXP is similar to the new Linux Security Model in Linux 2.6
(as far as I know).
> As you said, if I write a device filter, Windows XP will support
> Dazuko, right? So, does Windows XP support on-access scanning itself? Or does
> Windows XP support device filters? As I know, Linux doesn't support on-access
> scanning. So, one needs to hack the kernel.
No operating system has direct support for on-access scanning. However, some
operating systems provide mechanisms to cleanly implement an on-access
scanner. Examples include Linux 2.6 LSM, and Windows Filter Devices.
> One more question, where can I find more correct documentation on
> device filter?
Google? Microsoft? I am not a Windows user, so I have very few resources
in this area. I have been to several conferences where I talked with people
about Windows. This is how I know that a filter device is how Dazuko would
need to be implemented. However, I have no experience with this, as I have
never really used Windows XP or done any kind of system programming on Windows.
Almost all anti-virus companies have implemented an on-access scanner for
Windows and all of them are almost certainly using filter devices. As many
of them are starting to choose Dazuko for their GNU/Linux and FreeBSD
scanners, I hope they will be willing to contribute back with some of their
Windows experience. Since every anti-virus company already has Windows
on-access scanners, I don't see the point of "hiding" their code anymore.