Which is the area where the sample lives?
/filesys/miniFilter/avscan
Describe the issue
The application performs file memory mapping, closes the opened file handle, and conducts write operations on the mapped memory area. Since the IRP_MJ_WRITE event is triggered after IRP_MJ_CLEANUP, scanning can be bypassed and relevant content may not be detected. Why not scan upon receiving the IRP_MJ_CLOSE notification also?
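The ordering problem described in the issue can be checked with a small trace replay. This is an added example, not code from the avscan sample: the function, the scan-trigger mask and both traces are constructed for illustration, and the position of IRP_MJ_CLOSE after the late write is the assumption behind the question.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Operations a minifilter sees for one file (IRP_MJ_* names from the issue). */
typedef enum { OP_CREATE, OP_WRITE, OP_CLEANUP, OP_CLOSE } op_t;

/* Bit for "the modelled filter scans when it sees this operation". */
#define SCAN_ON(op) (1u << (op))

/* Replay a trace and return true if some write is never followed by a scan,
 * i.e. modified content ends up on disk without having been inspected. */
bool has_unscanned_write(const op_t *trace, size_t n, unsigned scan_mask)
{
    bool dirty = false;                 /* set by a write, cleared by a scan */
    for (size_t i = 0; i < n; i++) {
        if (trace[i] == OP_WRITE)
            dirty = true;
        else if (dirty && (scan_mask & SCAN_ON(trace[i])))
            dirty = false;              /* scan only if content changed */
    }
    return dirty;
}

/* Constructed trace: write issued through the handle before it is closed. */
const op_t TRACE_HANDLE_WRITE[] = { OP_CREATE, OP_WRITE, OP_CLEANUP, OP_CLOSE };
/* Constructed trace, order as in the issue: handle closed, mapped write later. */
const op_t TRACE_MAPPED_WRITE[] = { OP_CREATE, OP_CLEANUP, OP_WRITE, OP_CLOSE };
#define TRACE_LEN 4

int main(void)
{
    unsigned cleanup_only  = SCAN_ON(OP_CLEANUP);
    unsigned cleanup_close = SCAN_ON(OP_CLEANUP) | SCAN_ON(OP_CLOSE);

    printf("handle write, scan on cleanup:       missed=%d\n",
           has_unscanned_write(TRACE_HANDLE_WRITE, TRACE_LEN, cleanup_only));
    printf("mapped write, scan on cleanup:       missed=%d\n",
           has_unscanned_write(TRACE_MAPPED_WRITE, TRACE_LEN, cleanup_only));
    printf("mapped write, scan on cleanup+close: missed=%d\n",
           has_unscanned_write(TRACE_MAPPED_WRITE, TRACE_LEN, cleanup_close));
    return 0;
}
```

The model checks event ordering only; it does not address whether a filter can perform scan I/O from a close callback.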