File system filter drivers often come up in some interesting discussions when working on server performance issues. This post discusses how a file system filter driver works and the most common issues we see with them, especially when dealing with Anti-Virus filter drivers and their updates.
Simply put, a file system filter driver is a driver that sits on top of the file system and examines requests made to the file system to determine how (and in some cases, IF) the request should be handled. Different applications such as remote file replication services and file encryption use filter drivers, but the one with which we are all familiar is the Anti-Virus filter driver.
Let’s look at an example of how this works when real-time scanning is enabled. When an application tries to open a file, the filter driver intercepts the request and examines the file being opened to ensure that it does not have a virus. If the file is clean, then the request is sent on to the file system. However, if the file is infected, then the virus scanner notifies its associated Windows service process to quarantine or clean the file. If the file cannot be cleaned, then the filter driver fails the request (usually with an Access Denied error) so that the virus cannot become active.
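Since the position of a filter in the stack (its altitude, which places it in a load order group) determines which driver sees a request first, a quick way to check what is sitting on top of the file system is to parse the output of `fltmc filters`. The script below is an added example, not part of the original post; the filter names in the sample are constructed, and the altitude table is an abridged copy of the documented FSFilter load order groups.

```powershell
# Added example, not from the original post. Parses 'fltmc filters' output (live, or the
# constructed sample below) and shows the load-order group each altitude falls in.
# Higher altitude = higher in the stack, so that filter sees a request first.
$groups = @(   # abridged from the documented FSFilter load order groups
    @{ Name = 'FSFilter Top';               Min = 400000; Max = 409999 },
    @{ Name = 'FSFilter Activity Monitor';  Min = 360000; Max = 389999 },
    @{ Name = 'FSFilter Anti-Virus';        Min = 320000; Max = 329999 },
    @{ Name = 'FSFilter Replication';       Min = 300000; Max = 309999 },
    @{ Name = 'FSFilter Continuous Backup'; Min = 280000; Max = 289999 },
    @{ Name = 'FSFilter Encryption';        Min = 140000; Max = 149999 },
    @{ Name = 'FSFilter Bottom';            Min = 40000;  Max = 49999  }
)

function Get-FilterGroup([double]$Altitude) {
    foreach ($g in $groups) {
        if ($Altitude -ge $g.Min -and $Altitude -le $g.Max) { return $g.Name }
    }
    return 'not in abridged table'
}

function ConvertFrom-FltmcOutput([string[]]$Lines) {
    # Data rows look like "WdFilter   5   328010   0"; header and rule lines do not match.
    foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Filter    = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [double]$Matches[3]
                Frame     = [int]$Matches[4]
                Group     = Get-FilterGroup ([double]$Matches[3])
            }
        }
    }
}

# Constructed sample in the 'fltmc filters' layout; on a real host use: $sample = fltmc filters
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleAvFilter                         3       321000         0
ExampleBackup                           1       285000         0
ExampleMonitor                          3       385100         0
ExampleCrypt                            1       141000         0
'@ -split "`r?`n"

# List filters in the order they see I/O: highest altitude first.
ConvertFrom-FltmcOutput $sample | Sort-Object Altitude -Descending |
    Format-Table Filter, Altitude, Group, Instances -AutoSize
```

If two products both land in the Anti-Virus group, they both inspect every open in turn, which is the first thing to look for when a file-heavy workload slows down after an AV install or update.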
- WHDC – File System Filter Drivers
- MSDN: Load Order Groups for File System Filter Drivers
- GES Blog: The Case of the Low Hanging Filter Driver