site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com On May 18, 2006, at 6:49 PM, Jeremy Pereira wrote: = Mike _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... Does anybody know by any chance how NAV hooks into the OS? Does it use the recommended method as described here: http://developer.apple.com/technotes/tn2005/tn2127.html#SECANTIVIRUS The mechanism described in that technote was developed partly in response to the needs and concerns of anti-virus software developers. The reason I am asking is that I'm trying to understand what effect it might have on my VFS kext. Without knowing what your VFS kext does, specifically, it's hard to offer you much extra help. Typically you can expect an AV product to watch file operations that either affect the contents of files, or depend on their contents (open, execute, etc.). These intercepts will occur between the lookup operation and the corresponding access operation, and may result in secondary operations against the file. e.g. for an execute operation, you might expect to see a file looked up, then opened, read, closed, then executed. If you aren't keeping state dependent on VNOP call ordering, you should never know that something is snooping. This email sent to site_archiver@lists.apple.com