How do I get the unix filename for a wine handle?

[Kuba Ober]

> > just for sake of completeness: how about enhancing ClamAV so that it
> > takes a fd (instead of a filename) as its input ?
>
> It looks like as if fd are already supported somehow. Need to have a closer
> look at that ...
>
> But I found an even better alternative: ClamAV supports a STREAM command
> which allows a client to send a string to the scanner. This allows to scan
> a string even before it is written to disk.

I think that this will totally kill performance. Many programs can create 
temporary files that later get deleted. There's no point in monitoring writes 
to those.

The only way to tell is to wait until the handle gets closed by wine. Then I 
imagine you'd use fstat on a copy of the handle and see if there are any hard 
links (i.e. directory entries) pointing to that inode, and if there are (i.e. 
if the file is still acessible), only then you'd scan it. You'd also need to 
keep track of any handle copies that wine holds, if there are any -- I don't 
know offhand if wine itself duplicates "user" file handles, nor whether 
there's a windows API to do so.

Similarly, programs such as databases may reorganize huge swaths of file(s), 
writing a lot of stuff that has no relevance to a virus scanner.

I think that no-brainer approaches will result in exactly the same 
performance-robbing solution as McAffe and Symantec products evolved to.

I think there needs to be some more serious thinking done before implementing 
your project.

Cheers, Kuba