File system filter drivers are often the topic of some interesting discussions when working on server performance issues. Understanding how a file system filter driver works is the topic of today’s post. We’ll also quickly discuss one of the most common issues that we see – especially when dealing with Anti-Virus filter drivers and updates.
Simply put, a file system filter driver is a driver that sits on top of the file system and examines requests made to the file system to determine how (and in some cases, IF) the request should be handled. Different applications such are remote file replication services and file encryption use filter drivers, but the one with which we are all familiar is the Anti-Virus filter driver.
Let’s look at an example of how this works when real-time scanning is enabled. When an application tries to open a file, the filter driver intercepts the request and examines the file being opened to ensure that it does not have a virus. If the file is clean, then the request is sent on to the file system. However, if the file is infected, then the virus scanner notifies its associated Windows service process to quarantine or clean the file. If the file cannot be cleaned, then the filter driver fails the request (usually with an Access Denied error) so that the virus cannot become active.
Now, you’re probably asking yourself, “That’s great, but what does this have to do with server performance?” If a file system filter driver is not functioning properly, requests may get stuck, time out or fail – and not because the file being accessed is infected with a virus. From the user’s perspective, access to their files (usually across the LAN / WAN) appears to be incredibly slow, or the files may appear to be inaccessible. For those of you that have worked with our Support Engineers on issues like this, one of our common lines of questioning concerns how Anti-Virus, specifically On-Access or Real-Time scanning, is configured. Which brings us to the second part of our post … the most common “gotcha” that we see with respect to the Anti-Virus filter driver and updates …
When updating Anti-Virus, the primary concern is ensuring that the Anti-Virus signature file is current to guard against emerging threats and existing viruses. However, although keeping your signature file current is obviously important, it is equally important to ensure that your Anti-Virus file system filter driver is kept up to date as well. We have had more than a few issues where a customer has reported Pool memory depletion or a server soft hang, and after investigating, the culprit turned out to be an outdated file system filter driver for the Anti-Virus software. As part of your maintenance routine, when keeping an eye out for updated drivers and firmware for your servers, you should also keep an eye out to make sure that you are running the latest file system filter drivers for your Anti-Virus as well.
And with that, we’ve reached the end of our post. Hopefully this sheds some light on what is going on behind the scenes when you are opening files, or using real-time scanning. Until next time …
- WHDC – File System Filter Drivers
- MSDN: Load Order Groups for File System Filter Drivers
- GES Blog: The Case of the Low Hanging Filter Driver