Filter Driver Programming

EaseFilter Comprehensive File Security SDK is a set of file system filter driver software development kits that includes a file monitor filter driver, a file access control filter driver, a transparent file encryption filter driver, a process filter driver and a registry filter driver. In a single solution, EaseFilter Comprehensive File Security SDK encompasses file security, digital rights management, encryption, file monitoring, file auditing, file tracking, data loss prevention, process monitoring and protection, and system configuration protection.

EaseFilter File System Filter Driver is a kernel component module that sits in the layer between the I/O manager and the file system. When a user application invokes a Win32 API on a file, the filter driver can intercept the I/O. Based on the policies set in the filter rule, the I/O information can be sent to the user, or the access can be modified or blocked, as shown in the figure below.

File Security Filter Driver

Filter driver programming is certainly a challenge. To simplify your development and to provide you with a robust and well-tested file system filter driver that works with all versions and patch releases of the Windows operating systems supported by Microsoft, EaseFilter SDK provides a complete, modular environment for building an active file system filter driver in your application.

How To Track the File Change Events?

With the EaseFilter File Monitor Filter Driver SDK, you can track file change events by registering the event types you are interested in. If the file was changed, the notification is sent after the file handle is closed. From the file change event you will know the user name, process name, file name and the event type.

Register the event that matches the change you want to be notified about: “NotifyFileWasCreated” when a new file was created, “NotifyFileWasWritten” when data was written to a file, “NotifyFileWasRenamed” when a file was moved or renamed, “NotifyFileWasDeleted” when a file was deleted, “NotifyFileSecurityWasChanged” when a file’s security was changed, and “NotifyFileInfoWasChanged” when a file’s information (file attributes, file time, file size) was changed.

How To Track the File I/O in Real Time?

With the EaseFilter File Monitor Filter Driver SDK, you can get the file I/O information after the file I/O has completed and returned from the file system. The common file I/O information includes the user name, process name, file name, file attributes, file size and the I/O return status; you will get the error code if the I/O did not succeed. Each type of file I/O also has its own specific I/O data. For a create I/O, which comes from the CreateFile Win32 API, you will get the file create options and the create result: whether the file was opened, created, overwritten or failed to open. For a read or write I/O, you will know the read or write offset, the read or write length, the read or write data and, if it succeeded, the returned read or write length. For a query or set file information I/O, you will know the information class and the data.

How To Control the File I/O in Real Time?

With the EaseFilter File Control Filter Driver SDK, you can control the file I/O with two options. One option is to set the file access control flags in the predefined filter rule. With the access flags you can block any file I/O: file create, file open, file read, file write, file change, file rename and file delete. With this option, you can set up the control policies based on the file name, user name or process name. The advantage of this option is that it is simple and efficient; the disadvantage is that the control policies have to be predefined.

The other option to control the file I/O is to register a pre file I/O callback function. You then get the callback before the file I/O goes down to the file system, and in your callback function you can block or pass the file I/O based on the file I/O information. The advantage of this option is that you can control the file I/O dynamically; the disadvantage is slower performance.
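The block-or-pass decision such a pre file I/O callback makes can be sketched as follows. This is an added example, not EaseFilter code: IoRequest, IoKind and ProtectedFolderPolicy are hypothetical stand-ins for the SDK's real callback arguments, and the paths are constructed samples.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

enum IoKind { Read, Write, Rename, Delete }

// Hypothetical stand-in for the I/O information a pre file I/O callback receives.
sealed class IoRequest { public string FileName = "", ProcessPath = ""; public IoKind Kind; }

sealed class ProtectedFolderPolicy
{
    private readonly string root;              // normalized, always ends with '\'
    private readonly HashSet<string> writers;  // full image paths allowed to modify

    public ProtectedFolderPolicy(string folder, IEnumerable<string> allowedWriters)
    {
        root = Path.GetFullPath(folder).TrimEnd('\\') + "\\";
        writers = new HashSet<string>(allowedWriters, StringComparer.OrdinalIgnoreCase);
    }

    // true = pass the I/O down to the file system, false = block it.
    public bool Allow(IoRequest io)
    {
        string path;
        try { path = Path.GetFullPath(io.FileName).TrimEnd('\\') + "\\"; }
        catch (Exception) { return false; }    // unparsable name: fail closed

        // Match on "root\" so C:\Vault2\note.txt is not treated as inside C:\Vault.
        if (!path.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return true;
        if (io.Kind == IoKind.Read) return true;
        // Compare the full image path; a bare "backup.exe" would match any copy.
        return writers.Contains(io.ProcessPath);
    }
}

static class Demo
{
    static void Main()
    {
        var policy = new ProtectedFolderPolicy(@"C:\Vault", new[] { @"C:\Tools\backup.exe" });
        var samples = new[]                    // constructed requests
        {
            new IoRequest { FileName = @"C:\Vault\plan.docx", ProcessPath = @"C:\Tools\backup.exe", Kind = IoKind.Write },
            new IoRequest { FileName = @"C:\Vault\plan.docx", ProcessPath = @"C:\Temp\backup.exe", Kind = IoKind.Delete },
            new IoRequest { FileName = @"C:\Vault2\note.txt", ProcessPath = @"C:\Temp\edit.exe", Kind = IoKind.Write },
        };
        foreach (var io in samples)
            Console.WriteLine("{0} {1} by {2}: {3}", io.Kind, io.FileName, io.ProcessPath, policy.Allow(io) ? "pass" : "block");
    }
}
```

Because the callback runs on every intercepted I/O, the decision is kept to string comparisons and a hash lookup.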

How To Encrypt the File Automatically?

The EaseFilter File System Encryption Driver SDK provides an on-access, file-based encryption solution. The encryption filter driver integrates the encryption or decryption process into the same read or write I/O, which can improve the encryption performance dramatically because no extra I/O is needed.

To encrypt files automatically with the EaseFilter Encryption Filter Driver SDK, you have two options. You can set up the master encryption key in the filter rule, so that all the files are encrypted with the same encryption key and a unique initialization vector. Or you can set up a callback function in the filter rule and supply the encryption key and initialization vector from the callback function; with this option you can have a unique encryption key for every file, and you can set up a central key management service.

You can authorize specific users or processes to access the encrypted files with the filter rule policy settings. You can also set up the filter rule policy so that specific users or processes cannot read the decrypted data and get only the raw encrypted data; backup software and copy software, for example, need to get the raw encrypted file.

For every encrypted file, a header is appended to the file. You can put your own control metadata there for digital rights management. With digital rights management you can authorize users or processes to read the file, or block unauthorized users or processes from accessing your files.
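One way a central key service could supply the per-file key and initialization vector requested by the callback described above, shown as an added example that is not EaseFilter code. FileKeyService is hypothetical, HMAC-SHA256 is used here as the key derivation function, and storing the random file ID and IV in the file header's custom metadata is an assumption.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical central key service: nothing here is an EaseFilter API.
sealed class FileKeyService
{
    private readonly byte[] masterKey;         // 32 random bytes, held only by the service
    public FileKeyService(byte[] masterKey) { this.masterKey = masterKey; }

    // New file: pick a random file ID and IV. Both are non-secret and are
    // assumed to be kept in the file header's custom metadata.
    public static void NewFileMaterial(out byte[] fileId, out byte[] iv)
    {
        fileId = new byte[16];
        iv = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(fileId); rng.GetBytes(iv); }
    }

    // Per-file AES-256 key = HMAC-SHA256(masterKey, label || fileId).
    // Keyed to the stored ID, not the path, so a rename does not change the key.
    public byte[] DeriveKey(byte[] fileId)
    {
        byte[] label = Encoding.ASCII.GetBytes("file-key-v1:");
        byte[] input = new byte[label.Length + fileId.Length];
        Buffer.BlockCopy(label, 0, input, 0, label.Length);
        Buffer.BlockCopy(fileId, 0, input, label.Length, fileId.Length);
        using (var hmac = new HMACSHA256(masterKey))
            return hmac.ComputeHash(input);
    }
}

static class Demo
{
    static void Main()
    {
        var master = new byte[32];             // constructed master key for the demo
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(master);
        var service = new FileKeyService(master);

        FileKeyService.NewFileMaterial(out byte[] idA, out byte[] ivA);
        FileKeyService.NewFileMaterial(out byte[] idB, out byte[] ivB);
        string keyA = Convert.ToBase64String(service.DeriveKey(idA));
        // Compare a second derivation for file A, then file B's key, against keyA.
        Console.WriteLine(keyA == Convert.ToBase64String(service.DeriveKey(idA)));
        Console.WriteLine(keyA == Convert.ToBase64String(service.DeriveKey(idB)));
    }
}
```

With this design the service stores only the master key; each file's key is recomputed from the ID read back from its header.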

A C# Code Snippet to Use the Filter Driver SDK

Copy the correct version (32-bit or 64-bit) of EaseFlt.sys and FilterAPI.DLL to your binary folder, then add a reference to the “FilterControl” project in your project.

    // filterType, serviceThreads, connectionTimeOut, licenseKey, lastError, watchPath
    // and the NotifyFileChanged handler are assumed to be defined by the caller.
    FilterControl filterControl = new FilterControl();

    // Start the filter service; lastError receives the failure reason.
    if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
    {
        Console.WriteLine("Start Filter Service failed with error:" + lastError);
        return;
    }

    // Create a file monitor filter rule; every filter
    // rule must have a unique watch path.
    FileFilter fileMonitorFilter = new FileFilter(watchPath);

    // Filter the file change events: monitor all file change events.
    fileMonitorFilter.FileChangeEventFilter = (FilterAPI.FileChangedEvents)FilterAPI.NotifyAllFileEvents;

    // Register the file change callback.
    fileMonitorFilter.NotifyFileWasChanged += NotifyFileChanged;

    // Filter the monitored file I/O events.
    fileMonitorFilter.MonitorFileIOEventFilter = (ulong)(MonitorFileIOEvents.OnFileOpen | MonitorFileIOEvents.OnFileRead);
    //fileMonitorFilter.OnFileOpen += OnFileOpen;
    //fileMonitorFilter.OnFileRead += OnFileRead;

    filterControl.AddFilter(fileMonitorFilter);

    // Send the filter rule to the filter driver.
    if (!filterControl.SendConfigSettingsToFilter(ref lastError))
    {
        Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
        return;
    }
