How does a Windows antivirus hook into the file access process?

Question

The subject says it all. A normal antivirus has to intercept all file accesses, scan the files and then optionally deny access to the file (possibly even displaying a prompt to the user). How can this be done?

I'm aware of a method called API hooking, but that's a really dirty undocumented hack - and as such isn't really reliable. What's the "official" way of doing this?

Alternatively, I would be interested in intercepting the loading of executable modules (.DLL, .EXE, etc.), not just arbitrary file reads.

Answer 1

Through File System Filter Drivers. However, implementing such drivers is quite complicated and "fragile".

Answer 2

In the recent versions of windows (at least XP onwards) there is the concept 'filters' which can be viewed using MS Filter Manager, (fltmc.exe from a command prompt)

This provides a low level I/O hook that AV programs can access and automatically register to be passed all I/O requests to the file system. It is a kit you can get the drivers for an develop your own filters for.

http://www.microsoft.com/whdc/driver/filterdrv/default.mspx is a starting place to get in depth info.