dokan-dev / dokany

User mode file system library for windows with FUSE Wrapper
http://dokan-dev.github.io

System slow down when start executable files from Dokan volumes with some AV software installed #953

Closed IncubusRK closed 3 years ago

IncubusRK commented 3 years ago

System slow down when start executable files from Dokan volumes with some AV software installed

Environment

Windows version: 10.0.19042.685 (also checked Windows 7)
Processor architecture: x64
Dokany version: 1.4.0.1000
Library type (Dokany/FUSE): n/a

Check List

Description

The system slows down when starting executable files from Dokan volumes with some AV software installed. I checked the following affected products: Kaspersky Total Security, Kaspersky Free, Kaspersky Security Cloud Free. I created a bug report with Kaspersky tech support.

Kaspersky technical support analyzed the report and suggested a fix for dokan1.dll: in file https://github.com/dokan-dev/dokany/blob/77aa69ceec0f4b6f67f0a170b8b8da9c555ad809/dokan/dokan.c#L410 change dwDesiredAccess from GENERIC_READ | GENERIC_WRITE to GENERIC_READ. If write access is excluded, the antivirus stops analyzing and slowing down DokanLoop threads. I built a version with this fix and checked that the main functionality of Dokan is not affected. I tested by running memfs.exe, copying some executable files to the virtual drive and running them.

Logs

memfs.exe log debug.txt

Liryna commented 3 years ago

Hi @IncubusRK ,

Thanks for the report and contacting Kaspersky by yourself!

I agree the dwDesiredAccess should be changed. It can even just be set to 0 if we use FILE_DEVICE_FILE_SYSTEM instead of FILE_DEVICE_UNKNOWN for the DeviceType of the CTL_CODE here: https://github.com/dokan-dev/dokany/blob/dcd44377c1fe571c24dbbb82982414ca43564f6a/sys/public.h#L35-L72

Do you still have the bug report open with them? It might be worth asking them, to fully know what they expect for normal usage of DeviceIoControl and to avoid future conflicts.
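Added example, not part of the thread or of Dokany's code: the I/O manager compares the rights on a device handle with the access field encoded in each control code, so that field decides the smallest dwDesiredAccess the caller has to request. This portable C sketch reproduces the CTL_CODE bit layout and reports which generic rights a handle asks for that no listed code requires; the function number 0x800 and both sample code lists are constructed, not Dokan's real values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows SDK values, redefined here so the example builds on any platform. */
#define DEV_UNKNOWN     0x22u       /* FILE_DEVICE_UNKNOWN */
#define DEV_FILE_SYSTEM 0x09u       /* FILE_DEVICE_FILE_SYSTEM */
#define ACC_ANY         0u          /* FILE_ANY_ACCESS */
#define ACC_READ        1u          /* FILE_READ_ACCESS */
#define ACC_WRITE       2u          /* FILE_WRITE_ACCESS */
#define GEN_READ        0x80000000u /* GENERIC_READ */
#define GEN_WRITE       0x40000000u /* GENERIC_WRITE */

/* Same bit layout as the SDK's CTL_CODE macro. */
#define MAKE_CTL(dev, fn, method, acc) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(acc) << 14) | ((uint32_t)(fn) << 2) | (uint32_t)(method))

typedef struct { uint32_t device, access, function, method; } ctl_fields;

ctl_fields ctl_decode(uint32_t code) {
    ctl_fields f = { code >> 16, (code >> 14) & 0x3u, (code >> 2) & 0xFFFu, code & 0x3u };
    return f;
}

/* Smallest dwDesiredAccess satisfying the access field of every code in the list. */
uint32_t min_desired_access(const uint32_t *codes, size_t n) {
    uint32_t need = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t acc = ctl_decode(codes[i]).access;
        if (acc & ACC_READ)  need |= GEN_READ;
        if (acc & ACC_WRITE) need |= GEN_WRITE;
    }
    return need;
}

/* Generic rights requested at open time that no code in the list requires. */
uint32_t excess_access(uint32_t requested, const uint32_t *codes, size_t n) {
    return requested & (GEN_READ | GEN_WRITE) & ~min_desired_access(codes, n);
}

/* Constructed samples: function number 0x800 is hypothetical, method 0 is METHOD_BUFFERED. */
const uint32_t CODES_ANY[]  = { MAKE_CTL(DEV_UNKNOWN, 0x800, 0, ACC_ANY),
                                MAKE_CTL(DEV_FILE_SYSTEM, 0x800, 0, ACC_ANY) };
const uint32_t CODES_READ[] = { MAKE_CTL(DEV_UNKNOWN, 0x800, 0, ACC_READ) };

int main(void) {
    uint32_t asked = GEN_READ | GEN_WRITE;
    printf("any-access codes: unneeded rights 0x%08x\n", (unsigned)excess_access(asked, CODES_ANY, 2));
    printf("read-access code: unneeded rights 0x%08x\n", (unsigned)excess_access(asked, CODES_READ, 1));
    return 0;
}
```

The result covers only what the control codes demand; a handle may still need rights for other operations performed on it.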

IncubusRK commented 3 years ago

Hi, I will try to ask them.

IncubusRK commented 3 years ago

Here is the answer I received: "I would answer like this. Antivirus reacts to CreateFile more than to DeviceIoControl. Therefore, the fewer suspicious openings the program makes (for example, with write access rights), the better performance will be."

Liryna commented 3 years ago

@IncubusRK Awesome! Thanks for following up on this. I think we can remove the write access for now and focus on changing the code to not request access at all later. Would you like to make a small PR for the change, as you did all the work, and sign your presence in the code base?

IncubusRK commented 3 years ago

Thanks, I will be glad

infeo commented 3 years ago

I created a PR, because on the project I'm working on we have lately received a lot of issues about Dokan devices that are not mounted or are directly unmounted, and I want to see this fixed sooner rather than later.

Liryna commented 3 years ago

Thanks @infeo for going ahead! I will try to make a release tomorrow with the fix 👍

infeo commented 3 years ago

You are welcome. I'm happy to hear that a release is planned, although I did not intend to push one. 😅

IncubusRK commented 3 years ago

I'm sorry @Liryna, I completely lost track of time. @infeo, thanks for the PR.

Liryna commented 3 years ago

I just made a release. It has been some time since the last one!

Liryna commented 3 years ago

All IOCTLs are now migrated to FSCTLs: https://github.com/dokan-dev/dokany/commit/9d7bc123e56de6a0e24058b3fa669629324f5c43

The driver code keeps the IOCTLs for backward compatibility with older libraries not using the FSCTLs.