From 2fe891abf7c6e29636bae0db2c8aadb134791b84 Mon Sep 17 00:00:00 2001 From: Juraj Vijtiuk <30860583+jvijtiuk@users.noreply.github.com> Date: Tue, 3 Aug 2021 19:03:40 +0200 Subject: [PATCH] Add FS filter hook proposal AV signature based malware detection scenario (#355) Signed-off-by: Juraj Vijtiuk --- docs/eBpfFileSystemHookProposal.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/eBpfFileSystemHookProposal.md b/docs/eBpfFileSystemHookProposal.md index de8655219..d9a68d174 100644 --- a/docs/eBpfFileSystemHookProposal.md +++ b/docs/eBpfFileSystemHookProposal.md @@ -13,7 +13,9 @@ operations on Windows without the need for writing a new mini-filter. ### Monitor file access for an executable Permit a user to monitor which files are opened/read/written by an executable. A hook would need to call out at -the start of I/O operations and provide a helper to query information about the calling process. +the start of I/O operations and provide a helper to query information about the calling process. This would for +example allow for the classic antivirus software use case where file open calls are hooked and the file is +then compared with known malicious signatures, while making use of all the benefits of eBPF. ### I/O Latency
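Review bot: The sentence added at the end of the "Monitor file access for an executable" hunk describes comparing the opened file against known malicious signatures, but the paragraph it extends only commits the hook to calling out at the start of I/O operations and to a helper that queries the calling process; neither gives the eBPF program access to the file's contents, which a signature comparison needs. Either name the additional capability the scenario depends on (a helper to read or hash the file data at open time) or narrow the sentence to what the hook as described exposes, such as matching on the path and the calling process. The scenario also implies acting on a match (blocking or quarantining the open), while this section is titled as monitoring only; state whether the hook's return value can veto the operation or whether the antivirus case is detection-only. Minor wording: "This would for example allow" reads better as "This would, for example, allow".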