odin1314 / yara-project

Automatically exported from code.google.com/p/yara-project
Apache License 2.0

Python - read access during match is not read only #86

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I use the python module for Windows x86.
I try to access some files, like the ones in folder 
"C:\Windows\System32\winevt\Logs" which are read-only for the user running the 
script.
I get an error "could not open file".

i.e.
Error: could not open file 
"C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile 
Service%4Operational.evtx"

I figured out that using match on the file must use other parameters than "r" 
or "rb", because variant A works fine while variant B does not. 

A:
f = open(filePath, 'rb')
matches = yara_rules.match(data=f.read())

B:
matches = yara_rules.match(filePath)

It would be great if this could be fixed or handled by a parameter.

Thanks a lot for your work. 
Your module helped me a lot. 

Original issue reported on code.google.com by Veno...@gmail.com on 7 May 2013 at 7:42

GoogleCodeExporter commented 9 years ago
The issue here is related to sharing modes as described in 
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363874(v=vs.85).aspx. 
The "match" function internally calls CreateFile using FILE_SHARE_READ but not 
FILE_SHARE_WRITE. This means that we can share the file with other processes 
trying to read from it, but not with processes trying to write. As those log 
files are already opened by Windows in write mode, and we are not specifying 
FILE_SHARE_WRITE, our call to CreateFile fails. Python's "open", on the 
other hand, calls CreateFile with FILE_SHARE_WRITE enabled.

The correct behavior for YARA is disallowing scans on files that are being written 
to by other processes, otherwise it can't guarantee a correct result.

Original comment by plus...@gmail.com on 6 Dec 2013 at 1:45
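The following is an added example, not code from this issue or from the yara-python project. It implements variant A from the report (read the bytes with Python's open() and pass them to match(data=...)) while addressing the caveat from the maintainer's reply: because open() shares the file with writers, the bytes may change underneath the scan, so the example fingerprints the file before and after the read and refuses (after a few retries) to report a result for a file that was modified mid-read. The SubstringRules class is a constructed stand-in with the same match(data=...) call shape as a compiled yara.Rules object, so the example runs without the yara module installed.

```python
import os
import tempfile


class FileChangedDuringScan(RuntimeError):
    """Raised when a concurrent writer modified the file while it was read."""


def _fingerprint(st):
    # Size plus nanosecond mtime is cheap and catches appends or truncations
    # by another writer (e.g. the Event Log service updating an .evtx file).
    return (st.st_size, st.st_mtime_ns)


def snapshot_changed(before, after, data_len):
    """True if the file changed between the two stat() fingerprints, or if the
    number of bytes read disagrees with the size reported afterwards."""
    return before != after or data_len != after[0]


def read_snapshot(path, attempts=3):
    """Read the whole file with Python's open(), which on Windows requests
    FILE_SHARE_WRITE and therefore succeeds on files held open for writing.
    Retry when the file changed mid-read; give up after `attempts` tries."""
    for _ in range(attempts):
        before = _fingerprint(os.stat(path))
        with open(path, "rb") as f:
            data = f.read()
        after = _fingerprint(os.stat(path))
        if not snapshot_changed(before, after, len(data)):
            return data
    raise FileChangedDuringScan(path)


def scan_in_memory(rules, path):
    """Variant A from the report: hand YARA the bytes instead of the path.
    `rules` is any object exposing match(data=...), such as yara.Rules."""
    return rules.match(data=read_snapshot(path))


class SubstringRules:
    """Constructed stand-in for a compiled yara.Rules object (assumption: only
    the match(data=...) call shape is mirrored). Returns the names of rules
    whose byte pattern occurs in the data."""

    def __init__(self, patterns):
        self.patterns = patterns

    def match(self, data):
        return [name for name, pat in self.patterns.items() if pat in data]


def demo():
    """Write a constructed sample file to a temporary directory, scan it in
    memory and return the matched rule names."""
    tmp_dir = tempfile.mkdtemp()
    path = os.path.join(tmp_dir, "Sample%4Operational.evtx")  # constructed name
    with open(path, "wb") as f:
        f.write(b"\x00ElfFile\x00 ... EVIL-MARKER ... ")  # constructed contents
    rules = SubstringRules({"evil_marker": b"EVIL-MARKER", "other": b"NOPE"})
    return scan_in_memory(rules, path)


if __name__ == "__main__":
    print(demo())
```

The size/mtime fingerprint is deliberately cheap; it detects the common case of a log being appended to during the read but cannot prove that an in-place overwrite of the same length did not happen, which is exactly why the maintainer's reply prefers refusing to scan a file held open for writing over silently returning a possibly inconsistent result.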