After I looked into the MS example (Scanner File System Minifilter Driver), I noticed that they use only IRP_MJ_CREATE, IRP_MJ_WRITE and IRP_MJ_CLEANUP. Will that be enough for realtime protection?


Solution

All file writes will go through IRP_MJ_WRITE. So if you scan the file/data in this path, you can be fairly sure that the new file/data does not contain a virus.

But make sure you filter ALL write functions (like writing memory-mapped files etc.). Better, and really required, would be to filter paging IO too.

Once it is assured that the files on disk do not contain a virus, scanning them during read is redundant.

However, with this, if there is already a virus file present on the system, it will not be caught. But I don't think that is required for realtime protection.
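The two points the answer makes, as an added example that is not code from the question, the answer, or Microsoft's scanner sample: register IRP_MJ_WRITE so that paging writes are delivered to the filter (a modification made through a memory-mapped section never goes through WriteFile; it reaches the file system only as paging I/O issued by the memory manager), and classify each write in the pre-write callback so that cached, non-cached and paging writes are all handed to the scanner. The definitions marked as stand-ins are constructed so the logic compiles and can be checked outside the WDK; their values mirror fltKernel.h/ntifs.h, and in a real driver you delete them and include fltKernel.h. The names ScannerCallbacks, LeakyCallbacks, RegistrationSeesPagingWrites, ClassifyWrite and ShouldScanWrite are hypothetical.

```c
/* Added example; not from the question, the answer, or the MS scanner sample.
 * Stand-in definitions below are constructed so this compiles outside the
 * WDK; values mirror fltKernel.h / ntifs.h. In a driver, remove the stand-ins
 * and #include <fltKernel.h>. */
#include <stdbool.h>
#include <stddef.h>

/* ---- stand-ins (constructed; values mirror the WDK headers) ---- */
typedef unsigned long ULONG;
typedef unsigned char UCHAR;

#define IRP_MJ_CREATE        0x00
#define IRP_MJ_WRITE         0x04
#define IRP_MJ_CLEANUP       0x12
#define IRP_MJ_OPERATION_END 0x80   /* terminates the registration table */

#define IRP_NOCACHE    0x00000001   /* non-cached write (FILE_FLAG_NO_BUFFERING) */
#define IRP_PAGING_IO  0x00000002   /* write issued by Mm/Cc: mapped-file flush, lazy write */

#define FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO 0x00000001
#define FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO 0x00000002

/* The real structure also carries the pre/post callback pointers; only the
 * two fields this example reasons about are kept (stand-in). */
typedef struct _FLT_OPERATION_REGISTRATION {
    UCHAR MajorFunction;
    ULONG Flags;
} FLT_OPERATION_REGISTRATION;
/* ---- end of stand-ins ---- */

/* The same three operations the sample registers. IRP_MJ_WRITE carries no
 * SKIP_* flag, so cached, non-cached AND paging writes all reach pre-write. */
static const FLT_OPERATION_REGISTRATION ScannerCallbacks[] = {
    { IRP_MJ_CREATE,        0 },
    { IRP_MJ_WRITE,         0 },
    { IRP_MJ_CLEANUP,       0 },
    { IRP_MJ_OPERATION_END, 0 }
};

/* A table that silently misses memory-mapped writes; kept only as the
 * negative case for the self-check below. */
static const FLT_OPERATION_REGISTRATION LeakyCallbacks[] = {
    { IRP_MJ_WRITE,         FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO },
    { IRP_MJ_OPERATION_END, 0 }
};

/* Self-check worth running in DriverEntry: true iff IRP_MJ_WRITE is
 * registered and paging I/O is not excluded. Walks to IRP_MJ_OPERATION_END. */
bool RegistrationSeesPagingWrites(const FLT_OPERATION_REGISTRATION *table) {
    for (; table->MajorFunction != IRP_MJ_OPERATION_END; ++table) {
        if (table->MajorFunction == IRP_MJ_WRITE)
            return (table->Flags & FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO) == 0;
    }
    return false;   /* no IRP_MJ_WRITE entry at all */
}

typedef enum { WRITE_CACHED, WRITE_NONCACHED, WRITE_PAGING } WriteKind;

/* Classify a write from Data->Iopb->IrpFlags as seen in the pre-write callback. */
WriteKind ClassifyWrite(ULONG irpFlags) {
    if (irpFlags & IRP_PAGING_IO) return WRITE_PAGING;     /* mapped section or lazy writer */
    if (irpFlags & IRP_NOCACHE)   return WRITE_NONCACHED;  /* goes straight to disk */
    return WRITE_CACHED;                                   /* lands in the cache first */
}

/* Pre-write decision. Every write that carries bytes is scanned, whatever its
 * kind; only an empty write is skipped, since it puts nothing new on disk. */
bool ShouldScanWrite(ULONG irpFlags, ULONG length) {
    if (length == 0) return false;
    switch (ClassifyWrite(irpFlags)) {
    case WRITE_CACHED:    return true;  /* data the application handed to WriteFile */
    case WRITE_NONCACHED: return true;  /* unbuffered write, there is no later paging copy */
    case WRITE_PAGING:    return true;  /* the only path memory-mapped changes take */
    }
    return true;
}
```

The self-check is the part to keep in a real driver: a registration table that sets FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO on IRP_MJ_WRITE still looks like it "filters writes", but the bytes a process pushes through a mapped section would never reach the scanner.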

Licensed under: CC-BY-SA with attribution