Possible duplicate:
How to connect an antivirus to the process of accessing a Windows file?
Antivirus software often offers real-time protection (presumably) by intercepting calls to the file system, scanning the target file, and then ending the call. From the observed behavior, I assume that this happens whenever the application tries to open a file handle for reading (at least opening a 5 gigabyte file with Sophos = instant coffee break).
How exactly is this implemented? Do they really use drivers that abstract the file system, or is it just a case of calling an API (which method(s)?) to insert themselves into the chain?
Is there a standard way to determine which applications connect in this way?
I tagged .NET as this is my pick, but I suspect P/Invoke would be required; although a .NET example would be ideal, a direct API reference is almost as good.
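One way to approach the "which applications connect in this way" part, as an added example that is not from the question or from any answer on this page: a C# P/Invoke listing of the minifilter drivers registered with the Windows Filter Manager (fltmgr.sys), which is the supported insertion point Windows provides for on-access file scanners. It assumes the documented user-mode Filter Manager API in fltlib.dll (FilterFindFirst/FilterFindNext/FilterFindClose) and that the process runs elevated.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
// Lists the file system minifilters registered with Filter Manager (fltmgr.sys)
// through the user-mode API in fltlib.dll. Assumption: run from an elevated process.
static class MinifilterList
{
    const uint FilterFullInformation = 0;                    // FILTER_INFORMATION_CLASS value
    const int HR_NO_MORE_ITEMS = unchecked((int)0x80070103); // HRESULT_FROM_WIN32(ERROR_NO_MORE_ITEMS)
    [DllImport("fltlib.dll")]
    static extern int FilterFindFirst(uint infoClass, IntPtr buf, uint bufSize, out uint bytesReturned, out IntPtr findHandle);
    [DllImport("fltlib.dll")]
    static extern int FilterFindNext(IntPtr findHandle, uint infoClass, IntPtr buf, uint bufSize, out uint bytesReturned);
    [DllImport("fltlib.dll")]
    static extern int FilterFindClose(IntPtr findHandle);
    // A buffer may hold several FILTER_FULL_INFORMATION records chained by NextEntryOffset:
    // ULONG NextEntryOffset, ULONG FrameID, ULONG NumberOfInstances, USHORT FilterNameLength (bytes), WCHAR FilterNameBuffer[].
    static void ParseEntries(IntPtr buf, List<(string Name, uint Instances)> into)
    {
        IntPtr entry = buf;
        while (true)
        {
            uint next = (uint)Marshal.ReadInt32(entry, 0);
            uint instances = (uint)Marshal.ReadInt32(entry, 8);   // > 0 means attached to at least one volume
            int nameChars = (ushort)Marshal.ReadInt16(entry, 12) / 2;
            into.Add((Marshal.PtrToStringUni(entry + 14, nameChars), instances));
            if (next == 0) break;
            entry += (int)next;
        }
    }
    // Returns (filter name, instance count) for every registered minifilter.
    public static List<(string Name, uint Instances)> Enumerate()
    {
        var result = new List<(string Name, uint Instances)>();
        const uint size = 64 * 1024;
        IntPtr buf = Marshal.AllocHGlobal((int)size);
        IntPtr find = IntPtr.Zero;
        try
        {
            int hr = FilterFindFirst(FilterFullInformation, buf, size, out uint got, out find);
            while (hr >= 0)                                      // S_OK while records remain
            {
                ParseEntries(buf, result);
                hr = FilterFindNext(find, FilterFullInformation, buf, size, out got);
            }
            if (hr != HR_NO_MORE_ITEMS) Marshal.ThrowExceptionForHR(hr);
        }
        finally { if (find != IntPtr.Zero) FilterFindClose(find); Marshal.FreeHGlobal(buf); }
        return result;
    }
}
```

Calling `MinifilterList.Enumerate()` gives the same set of names that `fltmc filters` prints; a security product's scanner shows up here as a named minifilter rather than as a user-mode hook on the calling process.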