File Protector Demo was developed with the EaseFilter File Monitor, File Control, File Encryption and Process Filter Driver SDK. It demonstrates how to use the EaseFilter Filter Driver SDK to monitor or control Windows file I/O. The File Protector tool can monitor or block file changes and file access in real time and receive notifications for all registered file I/O requests. It can capture or block file open, file creation, file change, file read, file write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests. You can log the file I/O information to know who accessed which files, and when. Here is the File Protector demo tool screenshot.
File Protector Global Settings
- The maximum threads of the connection: a communication channel connects the filter driver and the user mode service. The filter driver sends the file I/O messages to the user mode service over this channel; this setting is the number of threads in the user mode service that handle those messages.
- The maximum connection timeout: the maximum time a message waits in the filter driver's communication channel queue before being processed.
- The volume attached or detached: enable this setting to get a notification when a new volume is attached or an existing attached volume is detached.
- Block the volume formatting: enable this flag to prevent your volumes from being formatted.
- Block the USB reading: enable this flag to prevent your USB drives from being read.
- Block the USB writing: enable this flag to prevent your USB drives from being written.
- Protected Process Ids: prevent these processes from being terminated. To better protect your processes, run the tool as a Windows service.
Setup Filter Rule For File Protector
The filter rule is a file name based file control policy. The filter driver watches the file I/O based on the file name, checking the conditions below in order, and only monitors or controls the files that match the filter conditions. To monitor file I/O, you need to create at least one file filter rule.
- The include file filter mask: a file filter rule is a file name with wildcard characters. Every filter rule has a unique file name filter mask; it cannot duplicate the mask of another filter rule. A file I/O request is only filtered if the file name matches the include file filter mask.
- The exclude file filter mask: if it is not empty, the file I/O is excluded if the file name matches the exclude file filter mask.
- The include process names: if it is not empty, only the file I/O initiated by a process in the include process name list is filtered.
- The include process Ids: if it is not empty, only the file I/O initiated by a process in the include process Id list is filtered.
- The exclude process names: if it is not empty, the file I/O is excluded if it was initiated by a process in the exclude process name list.
- The exclude process Ids: if it is not empty, the file I/O is excluded if it was initiated by a process in the exclude process Id list.
- The include user names: if it is not empty, only the file I/O initiated by a user in the include user name list is filtered.
- The exclude user names: if it is not empty, the file I/O is excluded if it was initiated by a user in the exclude user name list.
- The CreateFile filter option: if it is not zero, only the file I/O opened with the same DesiredAccess, Disposition and CreateOptions is filtered.
File Access Control Settings of the File Filter Rule
To control file access and protect your sensitive data, you can configure the access control flag in the filter rule, or you can register the pre-I/O events and allow or deny the file access in the pre-I/O notification event. By configuring the access flag of the filter rule, you can prevent your files from being read, written, deleted, renamed or changed by unauthorized processes or users.
Enable Transparent AES File Encryption
The EaseFilter Encryption Filter Driver (EEFD) is a transparent on-access, file level encryption file system filter driver. It encrypts or decrypts files automatically at the file system level. The EEFD is a mature commercial product. It provides a complete modular framework for developers to build on-access file encryption software. With the EEFD, you can incorporate transparent on-access, file level encryption into your application.
The EEFD can encrypt newly created files automatically. First, the EEFD encrypts the data before the application writes it to disk. After that, when the application reads the encrypted file, the EEFD decrypts the data automatically. The encryption and decryption processes are transparent to the application and generate no temporary files. The encrypted file always stays encrypted on disk. Only authorized users or processes can see the clear data of the encrypted file.
Setup File Control Access Flag
You can set up the control policies in the filter driver; the filter driver will allow or block file access based on the policies set up by the filter rules. To set up a control filter rule for the filter driver, set or clear the bits of the access flag integer in your filter rule to allow or block the specific I/O as listed below.
- ALLOW_ENCRYPT_NEW_FILE: enable this bit to turn on the encryption feature; newly created files will be encrypted.
- ALLOW_READ_ENCRYPTED_FILES: disable this bit to block the encrypted file from being decrypted; the raw encrypted data will be returned.
- DISABLE_ENCRYPT_DATA_ON_READ: disable this bit to encrypt the file on the fly if the encryption filter rule is enabled.
- ENABLE_HIDE_FILES_IN_DIRECTORY_BROWSING: enable this bit to hide the files from the folder's directory listing if a hide file mask was added.
- ENABLE_REPARSE_FILE_OPEN: enable this bit to reparse the file open to the new file name if a reparse file mask was added.
- ALLOW_FILE_ACCESS_FROM_NETWORK: disable this bit to block the file from being accessed via an SMB share.
- ALLOW_COPY_PROTECTED_FILES_OUT: disable this bit to block the file from being copied out of the protected folder.
- ALLOW_COPY_PROTECTED_FILES_TO_USB: disable this bit to block the file from being copied out to a USB drive.
- ALLOW_OPEN_WTIH_ACCESS_SYSTEM_SECURITY: disable this bit to block the file from being opened with system security access.
- ALLOW_OPEN_WITH_READ_ACCESS: disable this bit to block the file from being opened with read access.
- ALLOW_OPEN_WITH_WRITE_ACCESS: disable this bit to block the file from being opened with write access.
- ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS: disable this bit to block new file creation or opening a file with overwrite access.
- ALLOW_OPEN_WITH_DELETE_ACCESS: disable this bit to block the file from being opened with delete access.
- ALLOW_READ_ACCESS: disable this bit to block the file data from being read.
- ALLOW_WRITE_ACCESS: disable this bit to block the file from being written.
- ALLOW_QUERY_INFORMATION_ACCESS: disable this bit to prevent the file information from being queried.
- ALLOW_SET_INFORMATION: disable this bit to prevent the file information from being changed: changing file attributes, changing the file size, renaming the file, deleting the file.
- ALLOW_FILE_RENAME: disable this bit to block the file from being renamed.
- ALLOW_FILE_DELETE: disable this bit to block the file from being deleted.
- ALLOW_FILE_SIZE_CHANGE: disable this bit to block the file size from being changed.
- ALLOW_QUERY_SECURITY_ACCESS: disable this bit to block the file security information from being queried.
- ALLOW_SET_SECURITY_ACCESS: disable this bit to block the file security information from being changed.
- ALLOW_DIRECTORY_LIST_ACCESS: disable this bit to block the directory from being browsed.
- Add file access rights to the process name: you can set the file access rights in the filter rule for specific processes based on the process name, allowing or blocking specific file I/O for authorized or unauthorized processes.
- Add file access rights to the process based on sha256 hash: you can set the file access rights in the filter rule for specific processes whose executable has the given sha256 hash, allowing or blocking specific file I/O for authorized or unauthorized processes.
- Add file access rights to the process based on certificate name: you can set the file access rights in the filter rule for specific processes signed with the given certificate name, allowing or blocking specific file I/O for authorized or unauthorized processes.
- Add file access rights to the process Id: you can set the file access rights in the filter rule for specific processes based on the process Id, allowing or blocking specific file I/O for authorized or unauthorized processes.
- Add file access rights to the user name: you can set the file access rights in the filter rule for specific users based on the user name, allowing or blocking specific file I/O for authorized or unauthorized users.
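The rule matching order described under "Setup Filter Rule For File Protector" and the access-flag bits above combine into one policy decision per I/O request. The following is an added Python model of that decision, not the EaseFilter SDK's own code: the flag names are the page's, but their bit values, the rule and request types, and the sample policy (a folder that is read-only except for notepad.exe, mirroring the page's C# example) are all constructed here.

```python
import fnmatch
from dataclasses import dataclass, field

# Access-flag bit names are the page's; the bit values are constructed for this model.
ALLOW_READ_ACCESS, ALLOW_WRITE_ACCESS, ALLOW_FILE_RENAME, ALLOW_FILE_DELETE = 1, 2, 4, 8
ALLOW_MAX_RIGHT_ACCESS = 0xF  # every bit above set: full access
OP_TO_BIT = {"read": ALLOW_READ_ACCESS, "write": ALLOW_WRITE_ACCESS,
             "rename": ALLOW_FILE_RENAME, "delete": ALLOW_FILE_DELETE}

@dataclass
class IoRequest:
    file_name: str
    process_name: str
    user_name: str
    op: str  # "read", "write", "rename" or "delete"

@dataclass
class FilterRule:
    include_mask: str  # unique per rule; wildcards allowed
    exclude_mask: str = ""
    include_processes: set = field(default_factory=set)
    exclude_processes: set = field(default_factory=set)
    include_users: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    access_flag: int = ALLOW_MAX_RIGHT_ACCESS
    process_rights: dict = field(default_factory=dict)  # per-process override
    def matches(self, req):
        """Check the conditions in the page's order; Windows names compare case-insensitively."""
        name, proc, user = (s.lower() for s in (req.file_name, req.process_name, req.user_name))
        if not fnmatch.fnmatchcase(name, self.include_mask.lower()):
            return False
        if self.exclude_mask and fnmatch.fnmatchcase(name, self.exclude_mask.lower()):
            return False
        lower = lambda names: {n.lower() for n in names}
        for value, include, exclude in ((proc, self.include_processes, self.exclude_processes),
                                        (user, self.include_users, self.exclude_users)):
            if (include and value not in lower(include)) or value in lower(exclude):
                return False
        return True

def decide(rules, req):
    """Return 'allow' or 'deny'; a request that no rule matches is not filtered at all."""
    for rule in rules:
        if rule.matches(req):
            rights = rule.process_rights.get(req.process_name.lower(), rule.access_flag)
            return "allow" if rights & OP_TO_BIT[req.op] else "deny"
    return "allow"

# Constructed policy: the folder is read-only except for notepad.exe; *.tmp files are unfiltered.
PROTECT_RULE = FilterRule(
    include_mask=r"c:\test\*", exclude_mask=r"*.tmp",
    access_flag=ALLOW_MAX_RIGHT_ACCESS & ~(ALLOW_WRITE_ACCESS | ALLOW_FILE_RENAME | ALLOW_FILE_DELETE),
    process_rights={"notepad.exe": ALLOW_MAX_RIGHT_ACCESS})
```

Note that an exclude mask or exclude process removes the request from filtering entirely, so it is allowed regardless of the access flag; a deny only comes from a rule that matched.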
Control The File Access In Callback Function
You can register the pre-I/O operations to control file access in your callback functions. By registering the specific I/O events, you fully control the I/O: your callback functions are invoked for every registered I/O, and you can allow, modify or block the I/O based on the I/O information.
- OnPreFileCreate: fires before the file create I/O goes down to the file system. You can allow or block the file open or creation in this callback function.
- OnPreFileRead: fires before the file read I/O goes down to the file system. You can allow or block the file read in this callback function.
- OnPreFileWrite: fires before the file write I/O goes down to the file system. You can allow or block the file write in this callback function.
- OnPreQueryFileSize: fires before the query file size I/O goes down to the file system. You can allow or block the file size from being queried in this callback function.
- OnPreQueryFileBasicInfo: fires before the query file basic info I/O goes down to the file system. You can allow or block the file basic information from being queried in this callback function.
- OnPreQueryFileStandardInfo: fires before the query file standard info I/O goes down to the file system. You can allow or block the file standard information from being queried in this callback function.
- OnPreQueryFileNetworkInfo: fires before the query file network info I/O goes down to the file system. You can allow or block the file network information from being queried in this callback function.
- OnPreQueryFileId: fires before the query file Id I/O goes down to the file system. You can allow or block the file Id from being queried in this callback function.
- OnPreQueryFileInfo: fires before the query file info I/O goes down to the file system. You can allow or block the file information from being queried in this callback function.
- OnPreSetFileSize: fires before the set file size I/O goes down to the file system. You can allow or block the file size from being changed in this callback function.
- OnPreSetFileBasicInfo: fires before the set file basic info I/O goes down to the file system. You can allow or block the file basic information from being changed in this callback function.
- OnPreSetFileStandardInfo: fires before the set file standard info I/O goes down to the file system. You can allow or block the file standard information from being changed in this callback function.
- OnPreSetFileNetworkInfo: fires before the set file network info I/O goes down to the file system. You can allow or block the file network information from being changed in this callback function.
- OnPreMoveOrRenameFile: fires before the file move or rename I/O goes down to the file system. You can allow or block the file from being renamed in this callback function.
- OnPreDeleteFile: fires before the file delete I/O goes down to the file system. You can allow or block the file from being deleted in this callback function.
- OnPreSetFileInfo: fires before the set file info I/O goes down to the file system. You can allow or block the file information from being changed in this callback function.
- OnPreQueryDirectoryFile: fires before the query directory file info I/O goes down to the file system. You can allow or block the directory from being browsed in this callback function.
- OnPreQueryFileSecurity: fires before the query file security I/O goes down to the file system. You can allow or block the file security from being queried in this callback function.
- OnPreSetFileSecurity: fires before the set file security I/O goes down to the file system. You can allow or block the file security from being changed in this callback function.
The common information of the file I/O event:
- IoStatus: the I/O completion status, either STATUS_SUCCESS if the requested operation completed successfully, or an informational, warning, or error STATUS_XXX value. It is only meaningful in post-I/O events.
- TransactionTime: the transaction time of this I/O request, in UTC.
- FileObject: the file object is a unique Id for the file I/O from open until close.
- ProcessId: the Id of the process that initiated the I/O.
- ProcessName: the name of the process that initiated the I/O.
- ThreadId: the Id of the thread that initiated the I/O.
- UserName: the name of the user who initiated the I/O.
- FileName: the file name of the file I/O.
- FileSize: the file size of the file I/O.
- CreationTime: the creation time of the file, in UTC.
- LastWriteTime: the last write time of the file, in UTC.
- FileAttributes: the file attributes of the file I/O.
- CreateOptions: the create options with which the file was opened.
- SharedAccess: the share access of the file open; see the CreateFile Windows API.
- IsRemoteAccess: indicates whether the file open came from the SMB network.
- RemoteIp: the IP address of the remote computer that is opening the file. This feature is only enabled on Windows 7 or later.
File Protector C# Example
The following example creates a filter rule to protect the directory specified at run time. The filter rule protects the folder against files being renamed, deleted or written. The component registers the create and delete I/O callback events for the directory; when a file is opened or deleted, the event is triggered and you can allow or block the I/O in the event.
/*A File Protector C# Example
The following example creates a filter rule to protect the directory specified at run time. The filter rule prevents files in the folder from being renamed, deleted or written, while notepad.exe keeps full access. The component also registers the pre-create and pre-delete I/O callback events for the directory; when a file is opened or deleted, the callback is invoked and can allow or block the I/O.*/
using System;
using EaseFilter.FilterControl;

namespace FileProtectorConsole
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "Email us to request a trial key: [email protected]";
            FilterAPI.FilterType filterType = FilterAPI.FilterType.MONITOR_FILTER | FilterAPI.FilterType.CONTROL_FILTER
                | FilterAPI.FilterType.PROCESS_FILTER | FilterAPI.FilterType.REGISTRY_FILTER | FilterAPI.FilterType.ENCRYPTION_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                //copy the right Dlls to the current folder.
                Utils.CopyOSPlatformDependentFiles(ref lastError);

                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }

                //the watch path can use wildcards as the file path filter mask, i.e. '*.txt' only monitors text files.
                //a verbatim string keeps the backslashes from being read as escape sequences.
                string watchPath = @"c:\test\*";
                if (args.Length > 0)
                {
                    watchPath = args[0];
                }

                //create a file protector filter rule; every filter rule must have a unique watch path.
                FileFilter fileProtectorFilter = new FileFilter(watchPath);

                //configure the access rights for the protected folder
                //prevent the file from being deleted.
                fileProtectorFilter.EnableDeleteFile = false;
                //prevent the file from being renamed.
                fileProtectorFilter.EnableRenameOrMoveFile = false;
                //prevent the file from being written.
                fileProtectorFilter.EnableWriteToFile = false;
                //authorize a process with full access rights
                fileProtectorFilter.ProcessNameAccessRightList.Add("notepad.exe", FilterAPI.ALLOW_MAX_RIGHT_ACCESS);
                //you can enable/disable more access rights by setting the properties of the fileProtectorFilter.

                //Filter the callback file IO events; here the callback fires before the file is opened/created and before it is deleted.
                fileProtectorFilter.ControlFileIOEventFilter = (ulong)(ControlFileIOEvents.OnPreFileCreate | ControlFileIOEvents.OnPreDeleteFile);
                fileProtectorFilter.OnPreCreateFile += OnPreCreateFile;
                fileProtectorFilter.OnPreDeleteFile += OnPreDeleteFile;

                filterControl.AddFilter(fileProtectorFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();
            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }
        }

        /// <summary>
        /// Fires this event before the file is opened.
        /// </summary>
        static void OnPreCreateFile(object sender, FileCreateEventArgs e)
        {
            Console.WriteLine("OnPreCreateFile:" + e.FileName + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
            //you can block the file open here by returning the status below.
            e.ReturnStatus = NtStatus.Status.AccessDenied;
        }

        /// <summary>
        /// Fires this event before the file is deleted.
        /// </summary>
        static void OnPreDeleteFile(object sender, FileIOEventArgs e)
        {
            Console.WriteLine("OnPreDeleteFile:" + e.FileName + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
            //you can block the file from being deleted here by returning the status below.
            e.ReturnStatus = NtStatus.Status.AccessDenied;
        }
    }
}