Re: system monitoring
- From: "Volodymyr Shcherbyna" <v_scherbina@xxxxxxxxxxxxxxx>
- Date: Fri, 15 May 2009 17:57:04 +0200
In the past there has been no requirement, only the fact that you have
annoying popups or have to convince the user to change his settings to
load the driver. I would be curious to see a reference to this WHQL
requirement since it is contradictory to everything they have been doing.
It actually becomes indirectly a requirement in case a company makes an
installation of 200k drivers and everything has to be done silently without
bringing it to the user's attention. Changing policy settings to avoid popups seemed
to be a solution, but in the case of banks or armies it does not work, as this is
completely non-serious.
--
Volodymyr M. Shcherbyna, blog: http://www.shcherbyna.com/
(This posting is provided "AS IS" with no warranties, and confers no
rights)
"Don Burn" <burn@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OYjIgRX1JHA.3476@xxxxxxxxxxxxxxxxxxxxxxx
In the past there has been no requirement, only the fact that you have
annoying popups or have to convince the user to change his settings to
load the driver. I would be curious to see a reference to this WHQL
requirement since it is contradictory to everything they have been doing.
As for your "pain in the neck" quote, I would hate to see the OP, who is
new to this stuff, think they should be using the old filter technology
because you used the term "legacy filter", especially since, if he did want
to WHQL, in some categories a legacy filter is disallowed.
--
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
"Volodymyr Shcherbyna" <v_scherbina@xxxxxxxxxxxxxxx> wrote in message
news:eCTFEJX1JHA.1424@xxxxxxxxxxxxxxxxxxxxxxx
You do not have to WHQL for a filter on 64-bit; you have to digitally
sign it. These are separate signing programs.
Well, it depends. You have to pass WHQL for NDIS IM filters, as an unclassified
submission.
Also, the term legacy filter is incorrect, the new file system
mini-filter model and KMDF filters are not legacy filters.
Pain in the neck :)
--
Volodymyr M. Shcherbyna, blog: http://www.shcherbyna.com/
(This posting is provided "AS IS" with no warranties, and confers no
rights)
"Don Burn" <burn@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OJpFdDX1JHA.4116@xxxxxxxxxxxxxxxxxxxxxxx
You do not have to WHQL for a filter on 64-bit; you have to digitally
sign it. These are separate signing programs. Also, the term legacy
filter is incorrect; the new file system mini-filter model and KMDF
filters are not legacy filters.
--
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
"Volodymyr Shcherbyna" <v_scherbina@xxxxxxxxxxxxxxx> wrote in message
news:ORpSA%23W1JHA.1432@xxxxxxxxxxxxxxxxxxxxxxx
Is hooking not possible on 64-bit systems?
Not possible because of the PatchGuard functionality implemented by
Microsoft.
What alternative do they provide?
A set of legacy filters you can write. Also pay attention that to
release a filter you usually pass the DTM test, pay money to Microsoft, and
get a digital signature, and only after this is the driver loaded into
Windows :).
--
Volodymyr M. Shcherbyna, blog: http://www.shcherbyna.com/
(This posting is provided "AS IS" with no warranties, and confers no
rights)
"Lloyd" <lloydkl@xxxxxxxxx> wrote in message
news:13d72c2f-e178-45ad-82cb-8ff09b5064e2@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
You do not want kernel hooking since it cannot be done on 64-bit
systems, and on 32-bit your software will be flagged by malware scanners. If you
want to see file operations, you need a file system filter; go
to http://www.osronline.com and join NTFSD, that is where the file system
folks hang out. This is tough stuff and is hard to do right.
Is hooking not possible on 64-bit systems? (applicable to 64-bit Linux
as well?). What alternative do they provide? Are "filter
drivers" the plausible solution? Can I use filter drivers for
monitoring whole-system activities? (like network, filesystem, new
application installation, external devices...)
Thanks,
Lloyd
__________ Information from ESET NOD32 Antivirus, version of virus
signature database 4079 (20090515) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
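Two points from the thread come together in one practical check: the monitoring alternative to kernel hooking on 64-bit Windows is a file system (mini)filter, and such a driver is only loaded once it carries a digital signature. The PowerShell below is an added example, not code posted by anyone in this thread: it enumerates the minifilters registered on a host by walking the service registry (a minifilter records one or more Instances\<name>\Altitude entries under its service key, which is the standard layout assumed here), resolves each driver image, and reports its Authenticode signature status. The function name Get-MinifilterSignatureReport is my own; it assumes PowerShell 5.1 or later with read access to HKLM\SYSTEM. The signature check is a user-mode Authenticode verification, which is a useful inventory check but is not the same thing as the kernel's load-time signing policy.

```powershell
# Added example (not from the thread): list registered file-system
# minifilters and the signature status of each driver image.
function Get-MinifilterSignatureReport {
    [CmdletBinding()]
    param()

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $driversDir  = Join-Path $env:SystemRoot 'System32\drivers'

    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        # A minifilter registers an Instances subkey; each instance carries an
        # Altitude that fixes the filter's position in the I/O stack.
        $instancesKey = Join-Path $svc.PSPath 'Instances'
        if (-not (Test-Path -Path $instancesKey)) { continue }

        $altitudes = Get-ChildItem -Path $instancesKey -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Altitude } |
            Where-Object { $_ }

        # Resolve the image path. ImagePath may be absent (default is
        # System32\drivers\<service>.sys), relative to the Windows directory,
        # or prefixed with \SystemRoot\ or \??\.
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $image = $props.ImagePath
        if (-not $image) {
            $image = Join-Path $driversDir ("{0}.sys" -f $svc.PSChildName)
        } else {
            $image = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($image)) {
                $image = Join-Path $env:SystemRoot $image
            }
        }

        # User-mode Authenticode check of the on-disk image (embedded or
        # catalog signature); an unsigned or tampered image shows as NotSigned
        # or HashMismatch here.
        if (Test-Path -Path $image -PathType Leaf) {
            $sig    = Get-AuthenticodeSignature -FilePath $image
            $status = $sig.Status.ToString()
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        } else {
            $status = 'ImageNotFound'
            $signer = $null
        }

        [PSCustomObject]@{
            Service   = $svc.PSChildName
            Altitudes = ($altitudes -join ',')
            Start     = $props.Start
            Image     = $image
            Signature = $status
            Signer    = $signer
        }
    }
}

# Usage: show every registered minifilter whose image does not verify.
Get-MinifilterSignatureReport |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Run without the Where-Object filter to get the full inventory, altitudes included; comparing that inventory against the output of fltmc filters (which only lists filters that are currently loaded) shows which registered filters are not attached at the moment.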