
Re: [Dazuko-devel] On access scanning in Windows XP?


From: John Ogness
Subject: Re: [Dazuko-devel] On access scanning in Windows XP?
Date: Wed, 24 Mar 2004 09:36:05 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113

fred wu wrote:
> I found that the dazuko directory has dazukoio_xp.h, dazuko_xp.c and
> dazuko_xp.h. Are these all the necessary files for XP?

No, the dazuko_xp files stand for "Dazuko Cross Platform". This is the main
code of Dazuko, which compiles for all supported platforms (i.e. it is
written in ANSI C with no platform-specific actions).


> By the way, can the filter scan all file formats? I observed that some
> antivirus software can only on-access scan .dll, .sys and .com files.
> However, some antivirus software can on-access scan all files.

A filter device in WindowsXP should be able to detect all file access
events. The scanners decide if they want to scan the files or not. A filter
device in WindowsXP is similar to the new Linux Security Model in Linux 2.6
(as far as I know).


> As you said, if I write a device filter, Windows XP will support
> dazuko, right? So, does Windows XP support on-access scanning itself? Or does
> Windows XP support device filters? As far as I know, Linux doesn't support
> on-access scanning. So, the kernel needs to be hacked.

No operating system has direct support for on-access scanning. However, some
operating systems provide mechanisms to cleanly implement an on-access
scanner. Examples include Linux 2.6 LSM, and Windows Filter Devices.


> One more question, where can I find more correct documentation on
> device filters?

Google? Microsoft? I am not a Windows user, so I have very few resources
in this area. I have been to several conferences where I talked with people
about Windows. This is how I know that a filter device is how Dazuko would
need to be implemented. However, I have no experience with this, as I have
never really used Windows XP or done any kind of system programming on Windows.

Almost all anti-virus companies have implemented an on-access scanner for
Windows and all of them are almost certainly using filter devices. As many
of them are starting to choose Dazuko for their GNU/Linux and FreeBSD
scanners, I hope they will be willing to contribute back with some of their
Windows experience. Since every anti-virus company already has Windows
on-access scanners, I don't see the point of "hiding" their code anymore.

John Ogness

-- 
Dazuko Maintainer
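The reply above draws a line between the filter (which sees every file access) and the scanner (which decides what to inspect), and the question before it notes that some products only scan .dll, .sys and .com files while others scan everything. The following Python sketch is an added illustration of that split; it is not Dazuko's code nor anything John Ogness posted. The `filter_device` generator, the three policy functions and the `SAMPLE_EVENTS` list (including the first bytes each event carries) are all constructed here as assumptions.

```python
"""Filter-versus-scanner split for on-access scanning (added example, not Dazuko code).

The filter passes every access event through unchanged; a scanning policy then
decides whether the file deserves a look.  Three policies are compared so the
difference between "scan by extension" and "scan all files" is visible on
concrete events.
"""
import os
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, List


@dataclass(frozen=True)
class AccessEvent:
    """One file-access event as a hypothetical filter would report it."""
    path: str
    op: str      # "open", "exec", ... (constructed labels)
    head: bytes  # first bytes of the file, as a content check would read them


def filter_device(events: Iterable[AccessEvent]) -> Iterator[AccessEvent]:
    """Stand-in for the kernel-side hook: it yields every event and drops none.

    The point of the reply is that the filter itself does not decide anything;
    the decision belongs to the scanner's policy.
    """
    for ev in events:
        yield ev


# Extensions some products limit themselves to (the question lists .dll, .sys, .com;
# .exe is added here as an obvious companion, an assumption of this example).
EXECUTABLE_EXTENSIONS = {"dll", "sys", "com", "exe"}


def extension_policy(ev: AccessEvent) -> bool:
    """Scan only when the file name carries a known executable extension."""
    ext = os.path.splitext(ev.path)[1].lstrip(".").lower()
    return ext in EXECUTABLE_EXTENSIONS


def scan_all_policy(ev: AccessEvent) -> bool:
    """Scan every file the filter reports, regardless of name."""
    return True


def content_policy(ev: AccessEvent) -> bool:
    """Scan when the content looks executable (PE 'MZ' or ELF magic), whatever the name.

    This is a middle ground: cheaper than scanning everything, but not fooled by
    a file whose extension says nothing about what it contains.
    """
    return ev.head.startswith(b"MZ") or ev.head.startswith(b"\x7fELF")


def run(events: Iterable[AccessEvent], policy: Callable[[AccessEvent], bool]) -> List[str]:
    """Return the paths the given policy would hand to the scanner."""
    return [ev.path for ev in filter_device(events) if policy(ev)]


# Constructed events: four accesses with plausible leading bytes.
SAMPLE_EVENTS = [
    AccessEvent("C:\\Windows\\system32\\kernel32.dll", "open", b"MZ\x90\x00"),
    AccessEvent("C:\\Users\\fred\\notes.txt", "open", b"Meeting notes"),
    # A PE image stored under a document extension: invisible to an extension-only policy.
    AccessEvent("C:\\Users\\fred\\report.doc", "open", b"MZ\x90\x00"),
    AccessEvent("/home/fred/bin/tool", "exec", b"\x7fELF\x02\x01"),
]


if __name__ == "__main__":
    for name, policy in [("extension", extension_policy),
                         ("content", content_policy),
                         ("scan-all", scan_all_policy)]:
        print(f"{name:>9}: {run(SAMPLE_EVENTS, policy)}")
```

Running it shows the extension policy selecting only kernel32.dll, the content policy adding the renamed PE image and the ELF binary, and the scan-all policy passing all four events through. The filter's job is the same in every case; only the policy differs, which is exactly the division of labour the reply describes.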
