File Security SDK Programming


EaseFilter File Security Filter Driver SDK

EaseFilter Comprehensive File Security SDK is a set of file system filter driver software development kits which includes the File Monitor Filter Driver, File Access Control Filter Driver, Transparent File Encryption Filter Driver, Process Filter Driver and Registry Filter Driver. The File Security Solution encompasses file security, digital rights management, encryption, file monitoring, file auditing, file tracking, data loss prevention, process monitoring and protection, and system configuration protection. The EaseFilter File System Filter Driver can log, observe, modify, or even prevent the I/O operations for one or more file systems or file system volumes.


What can you do with EaseFilter SDK

With the EaseFilter SDK, you can implement a file security solution for file audit, file access logging, continuous data protection, data loss prevention, secure file access control, secure file sharing with DRM, automatic file encryption, malicious software protection and registry protection.

  1. File monitor and file audit
    Monitor Windows file I/O activities in real time, track file access and changes, monitor file and folder permission changes, audit who is writing, deleting, moving or reading files, report the user name and process name, and get the user name and IP address when a file on a Windows file server is accessed by a network user.
  2. File access control and data protection
    Control Windows file I/O activities in real time: intercept the file system I/O request, modify the I/O data before or after the request goes down to the file system, and allow or block the file I/O request based on filter rules. With the control filter driver, you can protect sensitive files, verify the user identity, authenticate the user, authorize the file access, and prevent confidential files from being accessed, modified, renamed, deleted, or read by unauthorized users or processes. You can hide your sensitive files from unauthorized users or processes and protect your intellectual property from being copied.
  3. Transparent file level encryption for enterprise
    The encryption uses a 256-bit symmetric key to encrypt or decrypt the data with the AES encryption algorithm. Transparent file-level encryption protects against unauthorized access by users and processes and secures unstructured data for the enterprise. Share files securely across your network with digital rights. Encryption is hardware accelerated: the encryption overhead is minimized by using the AES hardware encryption capabilities available in modern CPUs.
  4. Process monitoring and protection
    Protect your system environment by monitoring and protecting the processes running in your system. Get notified of process/thread creation or termination, and prevent untrusted executable binaries (malware) from being launched.
  5. Registry monitoring and protection
    Protect Windows core registry keys and values, in addition to operating system files, and prevent potentially damaging system configuration changes. Get a notification for each registry operation when a registry key is accessed or modified by an application.

Develop the data protection application in C#/C++

EaseFilter SDK offers developers demo projects with C#/C++ source code, so users can implement a file security application in one step. The C++ programming sample demonstrates how to monitor file I/O, track file changes, control file access, encrypt files at rest, and monitor and protect processes and registry activities, all in one project.

There are multiple C# samples for the EaseFilter SDK. You can start with the simplest console projects, "FileMonitorConsole" and "FileProtectorConsole"; these two projects demonstrate the basic functionality of the File Monitor and File Control SDK. To understand the more complicated features of the SDK, you can reference the WinForm GUI demo project "FileProtector", which demonstrates file monitoring, file control and file encryption with GUI configuration settings in an intuitive way. To understand the encryption feature better, you can reference the demo project "AutoEncryptDemo". If you want to learn about the Process Filter SDK, you can reference the demo project "ProcessMon". For the Registry Filter SDK, you can reference the demo project "RegMon".

Manage the files with filter rule

To monitor or control file access, we need to know which files are to be managed. EaseFilter SDK uses filter rules to monitor or control which file is being accessed by which process or user. A filter rule has a unique file filter mask; the filter mask can include the wildcard characters '*' or '?'. For example, with the mask c:\test\*.txt the filter will only monitor or control the files with extension .txt in the folder c:\test.

Exclude the files in filter rule

If you want to exclude some files from the filter rule, you can use AddExcludeFileMaskToFilterRule to exclude their file access from the filter rule.
//Example:
//Manage the file I/Os for files in folder c:\test, but exclude all the .txt files:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
AddExcludeFileMaskToFilterRule(L"c:\\test\\*",L"*.txt");
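The following is an added example, not EaseFilter SDK code: it models how a filter mask and an exclude mask together decide whether a path is managed, using a case-insensitive matcher for the '*' and '?' wildcards. It assumes that masks compare case-insensitively (as Windows paths do) and that '*' also spans '\' separators; the driver's own matching rules may differ.

```c
#include <string.h>

/* Added example: a model of filter-mask selection, not the EaseFilter driver's
 * own matcher. Assumptions: case-insensitive comparison (Windows paths) and
 * '*' spanning '\' so "c:\test\*" also covers sub-folders. */

static char lower_ascii(char c)
{
    return (c >= 'A' && c <= 'Z') ? (char)(c + ('a' - 'A')) : c;
}

/* Glob match: '*' matches any run of characters, '?' exactly one character. */
int mask_match(const char *mask, const char *path)
{
    const char *star = NULL, *back = NULL;
    while (*path) {
        if (*mask == '*') {                 /* remember the star; first try matching nothing */
            star = mask++;
            back = path;
        } else if (*mask == '?' || lower_ascii(*mask) == lower_ascii(*path)) {
            mask++;
            path++;
        } else if (star) {                  /* mismatch: let the last '*' absorb one more char */
            mask = star + 1;
            path = ++back;
        } else {
            return 0;
        }
    }
    while (*mask == '*')                    /* trailing stars match the empty tail */
        mask++;
    return *mask == '\0';
}

#define MAX_EXCLUDES 4

typedef struct {
    const char *filter_mask;                  /* the mask passed to AddFileFilterRule */
    const char *exclude_masks[MAX_EXCLUDES];  /* masks added with AddExcludeFileMaskToFilterRule */
    int         exclude_count;
} FilterRule;

/* 1 if the rule governs this path: it matches the filter mask and none of the exclude masks. */
int rule_applies(const FilterRule *rule, const char *path)
{
    if (!mask_match(rule->filter_mask, path))
        return 0;
    for (int i = 0; i < rule->exclude_count; i++)
        if (mask_match(rule->exclude_masks[i], path))
            return 0;
    return 1;
}

/* The rule from the example above: manage c:\test\* but leave .txt files alone (constructed input). */
const FilterRule kTestRule = { "c:\\test\\*", { "*.txt" }, 1 };
```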

Manage the files for the specific processes in filter rule

If you want to set up the filter rule only for some specific processes, you can add an include process name filter mask to the filter rule. If you want to set up the filter rule excluding specific processes, you can add an exclude process name filter mask to the filter rule.
//Create file filter rule for folder c:\test
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);

//Manage the file I/Os for files in folder c:\test only for process "notepad.exe":
AddIncludeProcessNameToFilterRule(L"c:\\test\\*",L"notepad.exe");

//Manage the file I/Os for files in folder c:\test except for process "cmd.exe"
AddExcludeProcessNameToFilterRule(L"c:\\test\\*",L"cmd.exe");

Manage the files for the specific users in filter rule

If you want to set up the filter rule only for some specific users, you can add an include user name filter mask to the filter rule. If you want to set up the filter rule excluding specific users, you can add an exclude user name filter mask to the filter rule.
//Create file filter rule for folder c:\test
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);

//Manage the file I/Os for files in folder c:\test only for user "TestDoman\\TestUser"
AddIncludeUserNameToFilterRule(L"c:\\test\\*",L"TestDoman\\TestUser");

//Manage the file I/Os for files in folder c:\test excluding the user "TestDoman\\excludeUser"
AddExcludeUserNameToFilterRule(L"c:\\test\\*",L"TestDoman\\excludeUser");

How to authenticate a trusted process

Authenticating a process by its process name or process ID is not easy, since a malicious application can tamper with your binary file, or replace the executable with a malicious binary of the same file name. How can you be sure a process is trusted? You can verify the digital code signature of the process, which was signed with your company's certificate. You can also verify that the SHA-256 hash of the process binary is correct.

//Create the file filter rule for folder c:\test, by default no one can access the files.
AddFileFilterRule(LEAST_ACCESS_FLAG, L"c:\\test\\*", 1);

//Set the full access rights to the process "myapp.exe" which was signed with certificate "EaseFilter Technologies"
AddProcessRightsToFilterRule(L"c:\\test\\*",L"myapp.exe",ALLOW_MAX_RIGHT_ACCESS,L"EaseFilter Technologies",NULL);

How to track the file change in filter rule

The File Monitor example demonstrates how to monitor Windows file I/O. To track file changes, we need to enable the monitor filter driver feature, then register the file change events with a combination of the flags from the following enumeration. When the file is changed, the registered events will be raised.

  1. NotifyFileWasCreated: if this flag is enabled, a new file creation event will be sent when a new file is created in the matched filter rule.
  2. NotifyFileWasDeleted: if this flag is enabled, a file deleted event will be sent when a file is deleted in the matched filter rule.
  3. NotifyFileWasRenamed: if this flag is enabled, a file renamed event will be sent when a file is renamed in the matched filter rule.
  4. NotifyFileWasWritten: if this flag is enabled, a file written event will be sent when data is written to a file in the matched filter rule.
  5. NotifyFileSecurityWasChanged: if this flag is enabled, a file security changed event will be sent when a file's security is changed in the matched filter rule.
  6. NotifyFileInfoWasChanged: if this flag is enabled, a file information changed event will be sent when a file's information is changed in the matched filter rule.
  7. NotifyFileWasRead: if this flag is enabled, a file read event will be sent when a file's data is read in the matched filter rule.

Here is the File Monitor C++ code snippet to track the file change:
typedef enum FileEventType
{
  FILE_WAS_CREATED      = 0x00000020,
  FILE_WAS_WRITTEN      = 0x00000040,
  FILE_WAS_RENAMED      = 0x00000080,
  FILE_WAS_DELETED      = 0x00000100,
  FILE_SECURITY_CHANGED = 0x00000200,
  FILE_INFO_CHANGED     = 0x00000400,
  FILE_WAS_READ         = 0x00000800,
};

//Example:
//Track the file change events (written, renamed, deleted) for files in folder c:\test:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterFileChangedEventsToFilterRule(L"c:\\test\\*",FILE_WAS_WRITTEN|FILE_WAS_RENAMED|FILE_WAS_DELETED);

File audit example- track the file I/O activities in real time

We can register the monitor I/Os to track detailed file I/O information. With the POST_CREATE event, you will know how the file was opened: whether it was opened or created, truncated or overwritten. For read I/O, you will know the read offset and read length. For write I/O, you will know the write offset and write length. For information query or set I/O, you can get or set the file information: file size, file time, file attributes. For security query or set I/O, you can get or change the file security information. For directory I/O, you can get the file list of the directory.

typedef enum MessageType
{
  POST_CREATE            = 0x00000002,
  POST_FASTIO_READ       = 0x00000008,
  POST_CACHE_READ        = 0x00000020,
  POST_NOCACHE_READ      = 0x00000080,
  POST_PAGING_IO_READ    = 0x00000200,
  POST_FASTIO_WRITE      = 0x00000800,
  POST_CACHE_WRITE       = 0x00002000,
  POST_NOCACHE_WRITE     = 0x00008000,
  POST_PAGING_IO_WRITE   = 0x00020000,
  POST_QUERY_INFORMATION = 0x00080000,
  POST_SET_INFORMATION   = 0x00200000,
  POST_DIRECTORY         = 0x00800000,
  POST_QUERY_SECURITY    = 0x02000000,
  POST_SET_SECURITY      = 0x08000000,
  POST_CLEANUP           = 0x20000000,
  POST_CLOSE             = 0x80000000,
};

//Example:
//Get the notification when a file is opened or read for files in folder c:\test:

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterMonitorIOToFilterRule(L"c:\\test\\*",POST_CREATE|POST_FASTIO_READ|POST_CACHE_READ|POST_NOCACHE_READ|POST_PAGING_IO_READ);

How to control the file access in filter rule

The File Protector example was developed with the EaseFilter File Monitor, File Control, File Encryption and Process Filter Driver SDK; it demonstrates how to monitor or control Windows file I/O. There are two options to control file access with a file filter rule. One is to set the access flags in the filter rule: the file access will be blocked or allowed in the file system based on the filter rule policies. The other is to register pre-I/O callback events: the user mode application gets a notification in the callback function before the file I/O goes down to the file system, and in the callback function you can allow or block this file I/O based on the I/O information.

Set the file access rights in the filter rule.

To control the file I/O access rights, that is, to allow or block file I/O access, you can set the access control flags of the filter rule; the access flags can be any combination of the enumeration below. With the control flag settings, you can prevent the files from being accessed by unauthorized users or processes.

typedef enum AccessFlag
{
  EXCLUDE_FILTER_RULE                        = 0x00000000,
  EXCLUDE_FILE_ACCESS                        = 0x00000001,
  REPARSE_FILE_OPEN                          = 0x00000002,
  HIDE_FILES_IN_DIRECTORY_BROWSING           = 0x00000004,
  FILE_ENCRYPTION_RULE                       = 0x00000008,
  ALLOW_OPEN_WTIH_ACCESS_SYSTEM_SECURITY     = 0x00000010,
  ALLOW_OPEN_WITH_READ_ACCESS                = 0x00000020,
  ALLOW_OPEN_WITH_WRITE_ACCESS               = 0x00000040,
  ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS = 0x00000080,
  ALLOW_OPEN_WITH_DELETE_ACCESS              = 0x00000100,
  ALLOW_READ_ACCESS                          = 0x00000200,
  ALLOW_WRITE_ACCESS                         = 0x00000400,
  ALLOW_QUERY_INFORMATION_ACCESS             = 0x00000800,
  ALLOW_SET_INFORMATION                      = 0x00001000,
  ALLOW_FILE_RENAME                          = 0x00002000,
  ALLOW_FILE_DELETE                          = 0x00004000,
  ALLOW_FILE_SIZE_CHANGE                     = 0x00008000,
  ALLOW_QUERY_SECURITY_ACCESS                = 0x00010000,
  ALLOW_SET_SECURITY_ACCESS                  = 0x00020000,
  ALLOW_DIRECTORY_LIST_ACCESS                = 0x00040000,
  ALLOW_FILE_ACCESS_FROM_NETWORK             = 0x00080000,
  ALLOW_NEW_FILE_ENCRYPTION                  = 0x00100000,
  ALLOW_READ_ENCRYPTED_FILES                 = 0x00200000,
  ALLOW_ALL_SAVE_AS                          = 0x00400000,
  ALLOW_COPY_PROTECTED_FILES_OUT             = 0x00800000,
  ALLOW_FILE_MEMORY_MAPPED                   = 0x01000000,
  LEAST_ACCESS_FLAG                          = 0xf0000000,
  ALLOW_MAX_RIGHT_ACCESS                     = 0xfffffff0,
};

//Prototype of the function that creates a filter rule:
AddFileFilterRule(ULONG AccessFlag, WCHAR* FilterMask, ULONG FilterId)
 

1. Block the file creation example

To prevent the new file from being created or overwritten, you can disable the access flag ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS in the filter rule.
//Example:
//Block the new file creation in folder c:\test:
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS&(~ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS), L"c:\\test\\*", 1);

2. Block the file being changed example

Protect your files from being changed with the access flag setting. We need to block file writing, renaming, deleting, file information changes and security changes.
//Example:
//Prevent the file from being modified, renamed or deleted in folder c:\test:
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS
&(~(ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION|ALLOW_SET_SECURITY_ACCESS)), L"c:\\test\\*", 1);

3. Hide the files example

With the access flag setting, you can hide the files in the protected folders from specific users or processes.
//Example:
//Hide the files in folder c:\test for process "explorer.exe"

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|HIDE_FILES_IN_DIRECTORY_BROWSING, L"c:\\test\\*", 1);
AddIncludeProcessNameToFilterRule(L"c:\\test\\*",L"explorer.exe");
AddHiddenFileMaskToFilterRule(L"c:\\test\\*",L"*.*");

4. Reparse the file open example

Reparse the file open with the access flag setting. You can redirect (reparse) a file open to another file in a different folder.
//Example:
//Reparse the file open in folder c:\test to another folder c:\reparseFolder

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|REPARSE_FILE_OPEN, L"c:\\test\\*", 1);
AddReparseFileMaskToFilterRule(L"c:\\test\\*",L"c:\\reparseFolder\\*");

5. Blacklisting and whitelisting example

A blacklist is the list of processes or users who do not have specific rights to access the files. A whitelist is the list of processes or users who do have specific rights to access the files. You can set the access rights for a process or user in the filter rule, and so grant or revoke file access rights for specific processes or users. This feature requires the control and process filter drivers to be enabled.

Zero trust example: no one can access the files by default in the filter rule; you then add the authorized processes or users who may access the files to the whitelist.

//Create the file filter rule for folder c:\test, by default no one can access the files.
AddFileFilterRule(LEAST_ACCESS_FLAG, L"c:\\test\\*", 1);

//Set the full access rights to the process "notepad.exe" 
AddProcessRightsToFilterRule(L"c:\\test\\*",L"notepad.exe",ALLOW_MAX_RIGHT_ACCESS);

//Set the readonly access rights to the process "explorer.exe",
AddProcessRightsToFilterRule(L"c:\\test\\*",L"explorer.exe"
,ALLOW_MAX_RIGHT_ACCESS&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)));
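Masks built by clearing bits from ALLOW_MAX_RIGHT_ACCESS, as in the "block the file being changed" example and the read-only explorer.exe rule above, should be audited for the rights they still grant. The following added example (not EaseFilter SDK code) does that audit: the flag values are copied from the AccessFlag enumeration, while the classification of flags as "write-class" is inferred from their names only, which is an assumption, not SDK documentation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not EaseFilter SDK code: audit which write-class rights a
 * filter rule or process-rights mask still grants. Flag values are copied from
 * the AccessFlag enumeration above; which flags count as "write-class" is
 * inferred from their names, not from SDK documentation. */
typedef unsigned int ULONG;              /* Windows ULONG is 32 bits wide */

#define ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS 0x00000080u
#define ALLOW_OPEN_WITH_DELETE_ACCESS              0x00000100u
#define ALLOW_READ_ACCESS                          0x00000200u
#define ALLOW_WRITE_ACCESS                         0x00000400u
#define ALLOW_SET_INFORMATION                      0x00001000u
#define ALLOW_FILE_RENAME                          0x00002000u
#define ALLOW_FILE_DELETE                          0x00004000u
#define ALLOW_FILE_SIZE_CHANGE                     0x00008000u
#define ALLOW_SET_SECURITY_ACCESS                  0x00020000u
#define LEAST_ACCESS_FLAG                          0xf0000000u
#define ALLOW_MAX_RIGHT_ACCESS                     0xfffffff0u

typedef struct { ULONG bit; const char *name; } RightName;
/* Rights whose names indicate that file content or metadata may be changed. */
static const RightName kWriteClassRights[] = {
    { ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS, "ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS" },
    { ALLOW_OPEN_WITH_DELETE_ACCESS,              "ALLOW_OPEN_WITH_DELETE_ACCESS" },
    { ALLOW_WRITE_ACCESS,                         "ALLOW_WRITE_ACCESS" },
    { ALLOW_SET_INFORMATION,                      "ALLOW_SET_INFORMATION" },
    { ALLOW_FILE_RENAME,                          "ALLOW_FILE_RENAME" },
    { ALLOW_FILE_DELETE,                          "ALLOW_FILE_DELETE" },
    { ALLOW_FILE_SIZE_CHANGE,                     "ALLOW_FILE_SIZE_CHANGE" },
    { ALLOW_SET_SECURITY_ACCESS,                  "ALLOW_SET_SECURITY_ACCESS" },
};
#define WRITE_CLASS_COUNT (sizeof kWriteClassRights / sizeof kWriteClassRights[0])

/* The "readonly" mask exactly as the whitelisting example above builds it for explorer.exe. */
ULONG page_readonly_mask(void)
{
    return ALLOW_MAX_RIGHT_ACCESS & ~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS | ALLOW_WRITE_ACCESS |
                                      ALLOW_FILE_RENAME | ALLOW_FILE_DELETE | ALLOW_SET_INFORMATION);
}

/* A stricter read-only mask that also clears the remaining write-class rights. */
ULONG strict_readonly_mask(void)
{
    ULONG mask = ALLOW_MAX_RIGHT_ACCESS;
    for (size_t i = 0; i < WRITE_CLASS_COUNT; i++)
        mask &= ~kWriteClassRights[i].bit;
    return mask;
}

/* Count the write-class rights still granted by mask; list their names in out (if given). */
size_t residual_write_rights(ULONG mask, char *out, size_t outlen)
{
    size_t count = 0, used = 0;
    if (out && outlen) out[0] = '\0';
    for (size_t i = 0; i < WRITE_CLASS_COUNT; i++) {
        if (!(mask & kWriteClassRights[i].bit)) continue;
        if (out && used < outlen)
            used += (size_t)snprintf(out + used, outlen - used, "%s%s", count ? " " : "", kWriteClassRights[i].name);
        count++;
    }
    return count;
}
```

Run against the explorer.exe mask, the audit reports ALLOW_OPEN_WITH_DELETE_ACCESS, ALLOW_FILE_SIZE_CHANGE and ALLOW_SET_SECURITY_ACCESS as still granted; clear them too if the rule is meant to be strictly read-only.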

Control the file I/O in user mode application

You can register the pre-I/O callback events in the filter rule. The callback function in the user mode application will get a notification for each registered I/O, and your application can then block or allow the specific I/O based on the file I/O information.

//Example:
//Register the PRE_CREATE and PRE_SET_INFORMATION I/O for folder c:\test;
//you can allow or deny the file open, creation, deletion or rename in the callback routine.

AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS, L"c:\\test\\*", 1);
RegisterControlToFilterRule(L"c:\\test\\*",PRE_CREATE|PRE_SET_INFORMATION);

How to encrypt the files at a rest

Protecting your sensitive files with data encryption at rest requires the encryption filter driver to be enabled. You can set a 128-bit, 192-bit or 256-bit encryption key in the filter rule; all the files will then be encrypted with the same encryption key and a unique IV per file. You can also encrypt each file with your own unique encryption key, IV and custom header for the encrypted file.

1. Auto file encryption example

All the files will be encrypted automatically by default, and all processes or users will get the raw encrypted data. Only authorized processes or users can get the decrypted data. Here is the example: transparently encrypt files in folder c:\test with an AES 256-bit key, where only the authorized process "notepad.exe" can read the encrypted files; when you copy an encrypted file in Windows Explorer, the raw encrypted file is copied out instead of the decrypted file.
//Create an encryption file filter rule; by default no one can read the decrypted data.
AddFileFilterRule((ALLOW_MAX_RIGHT_ACCESS|FILE_ENCRYPTION_RULE)&(~ALLOW_READ_ENCRYPTED_FILES), L"c:\\test\\*", 1);

//256-bit (32-byte) encryption key
unsigned char key[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,
0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
//Set up the encryption key of the filter rule.
AddEncryptionKeyToFilterRule(L"c:\\test\\*",sizeof(key),key);

//Authorize the process "notepad.exe" to read the encrypted files.
AddProcessRightsToFilterRule(L"c:\\test\\*",L"notepad.exe",ALLOW_MAX_RIGHT_ACCESS);

2. Secure file sharing with DRM example

Encrypt every file with a unique 256-bit key, embed the DRM data in the header of the encrypted file, store the file access policies on a central server, and share the encrypted files with full control. You can grant, revoke or expire the file access at any time, even after the file has been shared.

//Create an encryption file filter rule
AddFileFilterRule(ALLOW_MAX_RIGHT_ACCESS|FILE_ENCRYPTION_RULE, L"c:\\test\\*", 1);

//Enable encryption with the custom key, IV and DRM tag data.
AddBooleanConfigToFilterRule(L"c:\\test\\*",REQUEST_ENCRYPT_KEY_IV_AND_TAGDATA_FROM_SERVICE);

Process monitoring and protection

1. Process monitor example. Register the process operations callback service to get a notification on process or thread creation or termination.
//Example:
//Get the notification when any process or thread is created or terminated.
AddProceeFilterEntry(2, L"*"
,PROCESS_CREATION_NOTIFICATION|PROCESS_TERMINATION_NOTIFICATION|THREAD_CREATION_NOTIFICATION|THREAD_TERMINATION_NOTIFICATION);

2. Process protection example: block malware processes from running in your system. Prevent untrusted executable binaries (malware) from being launched, and protect your data from being damaged by untrusted processes.

//Example:
//Block the processes running from the folder c:\untrustFiles.

AddProceeFilterEntry(wcslen(L"c:\\untrustFiles\\*")*2, L"c:\\untrustFiles\\*", DENY_NEW_PROCESS_CREATION);

Registry monitoring and protection

1. Registry protection example

To protect the registry against unauthorized changes, you can set the registry access rights to read-only for specific processes, and prevent the registry from being accessed by unauthorized processes.
//Example:
//Set the registry readonly access rights to the process "notepad.exe".

ULONG ALLOW_READ_REGISTRY_ACCESS_FLAG = REG_ALLOW_OPEN_KEY | REG_ALLOW_QUERY_KEY | REG_ALLOW_ENUMERATE_KEY | REG_ALLOW_QUERY_VALUE_KEY
            | REG_ALLOW_QUERY_KEY_SECURITY | REG_ALLOW_QUERY_KEYNAME;
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2,L"c:\\windows\\*"
,ALLOW_MAX_RIGHT_ACCESS
&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)),0,0 );

AddRegfilterEntry (wcslen(L"notepad.exe")*2, L"notepad.exe", 0, 0, NULL, 2, L"*",ALLOW_READ_REGISTRY_ACCESS_FLAG,0,0 );

2. Registry monitoring example

You can register the registry access events to get a registry access callback notification when a registry operation is triggered.
//Example:
//Get the notification of the registry operation for the process "notepad.exe".

ULONG ALLOW_READ_REGISTRY_ACCESS_FLAG = REG_ALLOW_OPEN_KEY | REG_ALLOW_QUERY_KEY | REG_ALLOW_ENUMERATE_KEY | REG_ALLOW_QUERY_VALUE_KEY
            | REG_ALLOW_QUERY_KEY_SECURITY | REG_ALLOW_QUERY_KEYNAME;
AddFileAccessRightsToProcessName(wcslen(L"notepad.exe")*2, L"notepad.exe", wcslen(L"c:\\windows\\*")*2,L"c:\\windows\\*"
,ALLOW_MAX_RIGHT_ACCESS
&(~(ALLOW_OPEN_WITH_CREATE_OR_OVERWRITE_ACCESS|ALLOW_WRITE_ACCESS|ALLOW_FILE_RENAME|ALLOW_FILE_DELETE|ALLOW_SET_INFORMATION)),0,0 );

//Register all registry operations of "notepad.exe" for callback notification.
AddRegfilterEntry (wcslen(L"notepad.exe")*2, L"notepad.exe", 0, 0, NULL, 2, L"*",REG_MAX_ACCESS_FLAG,MAX_REG_CALLBACK_CLASS,0 );