test2101

Building Secure File Monitoring with EaseFilter File System Control Filter SDK

Written by

adm

in

EaseFilter File System Control Filter SDK: Complete Developer Guide

Overview

EaseFilter File System Control Filter SDK is a Windows filter-driver SDK that lets developers intercept, inspect, modify, allow, or deny file-system I/O operations. It provides a user-mode API (FilterAPI.dll / EaseFilter.FilterControl.dll) paired with a kernel-mode driver (EaseFlt.sys) so applications can implement file access control, protection, auditing, and related features without writing a full minifilter from scratch.

When to use it

  • Implementing enterprise file access control (DLP, enterprise DRM).
  • Blocking or allowing file operations by user, process, path, or content.
  • Auditing and journaling file events (who/when/what).
  • Transparent on-access encryption or content modification.
  • Building file-protector tools (prevent delete/rename/read for sensitive files).

Key components

  • EaseFlt.sys — kernel-mode file system filter driver (⁄64-bit).
  • FilterAPI.dll / EaseFilter.FilterControl.dll — user-mode communication and wrapper APIs.
  • Sample projects and demos (C++ and C#) demonstrating monitoring, protection, encryption, and utilities.
  • Configuration and rule APIs to define file filters and callbacks.

Architecture & flow

  1. Install and start EaseFlt.sys with admin privileges.
  2. Set a registration/license key and configure filter type (CONTROL, MONITOR, ENCRYPTION, etc.).
  3. Register message/event callbacks in your user-mode app; driver sends I/O events to your app.
  4. Define FileFilter rules (include/exclude paths, users, processes, operations).
  5. In pre-operation callbacks you may allow, deny, modify, or reparse requests; in post-operation callbacks you can audit or post-process results.
  6. On shutdown, unregister callbacks and uninstall the driver cleanly.

Common filter types

  • FILE_SYSTEM_CONTROL — full control over pre/post I/O (open/create, read/write, set/query info, rename/delete, directory listing).
  • FILE_SYSTEM_MONITOR — event logging and auditing.
  • FILE_SYSTEM_ENCRYPTION — transparent on-access encryption/decryption.
  • FILE_SYSTEMREGISTRY / PROCESS — registry and process monitoring/protection (when combined in the suite).

Getting started (practical steps — assume C# app)

  1. Download SDK and sample source.
  2. Add references: EaseFilter.FilterControl.dll and FilterAPI.dll.
  3. Run installer as Administrator or call InstallDriver()/UnInstallDriver() from your app.
  4. Set registration key: 
    csharp
    FilterControl.SetRegistrationKey(“your-key-here”);
  5. Set filter type: 
    csharp
    FilterControl.SetFilterType((uint)FilterType.FILE_SYSTEM_CONTROL);
  6. Register callbacks (example signatures shown in SDK samples):
    • RegisterMessageCallback(threadCount, MessageCallback, DisconnectCallback)
  7. Create FileFilter rules (include/exclude file patterns, processes, users) and send configuration to driver.
  8. Implement pre-operation handler to Allow/Deny/Modify:
    • Return codes or API calls in the sample control the kernel driver’s decision.
  9. Test on an isolated VM with various user/process scenarios.
  10. Unregister and uninstall on exit.

(Refer to the SDK samples for exact API signatures and thread model.)

Typical use-case examples

  • Prevent deletion: Register a pre-setinformation callback; if operation is FileDispositionDelete on protected paths and caller is unauthorized, return deny.
  • Block read for unauthorized processes: In pre-read/pre-create, check process name/identity and return STATUS_ACCESS_DENIED.
  • Transparent encryption: Replace write buffer in pre-write with encrypted bytes; decrypt in post-read before returning to user.
  • Audit-only mode: Use FILE_SYSTEM_MONITOR to log events to a database or file without blocking operations.

Best practices

  • Run development and testing on an isolated VM to avoid system-bricking bugs.
  • Keep callback handlers fast — heavy work should be deferred to worker threads in user mode to avoid blocking I/O.
  • Minimize kernel/user round-trips; batch rules and use efficient pattern matching.
  • Carefully manage contexts (volume/instance/stream) to avoid leaks; follow samples for cleanup callbacks.
  • Handle driver start/stop and disconnect events gracefully; include timeouts and retries.
  • Code-sign the driver and follow Microsoft WDK signing/testing guidelines for deployment.
  • Test across Windows versions you target (and with common third-party filters present).

Performance considerations

  • Pre-operation filtering has performance cost; measure overhead with representative workloads.
  • Use include/exclude rules to narrow the scope (don’t filter entire volumes unless necessary).
  • For high-throughput scenarios, prefer in-kernel light-touch actions and push heavy processing to user mode asynchronously.
  • Use hardware-accelerated crypto if doing encryption to reduce CPU load.

Debugging & troubleshooting

  • Use the SDK samples’ logging and the sample FilterControl utilities to view driver status and events.
  • Enable verbose logs in dev builds; reproduce and capture failing sequences in a VM snapshot.
  • Use Windows Event Viewer and kernel debugging (WinDbg) for driver-level issues.
  • Validate driver altitude conflicts if other minifilters are installed.

Security & deployment

  • Require admin privileges to install/start the driver.
  • Sign drivers and follow Microsoft’s driver signing and deployment processes.
  • Harden the user-mode service (run with least privilege, protect IPC channels).
  • Validate and sanitize inputs coming from kernel to user-mode to avoid elevation vectors.

Useful SDK features

  • Built-in file matching rules (wildcards, path patterns).
  • User/process-based allow/deny lists.
  • Pre/post callbacks for create/open, read, write, set/query info, directory enumerate, rename, delete.
  • Demo apps: FileMonitor, FileProtector, SecureSandbox, AutoEncryptDemo, etc., to use as templates.
  • Support for C++ and C# integration with sample code.

References

  • EaseFilter GitHub samples (EaseFilterSDK/File-Security-SDK and examples).
  • EaseFilter programming KB and minifilter framework docs on easefilter.com.
  • Microsoft Minifilter and Filter Manager documentation for driver model and altitudes.

Quick checklist before production

  • Sign and test driver on target OS versions.
  • Limit filter scope with precise rules.
  • Implement robust error handling and graceful shutdown.
  • Benchmark and optimize critical paths.
  • Ensure the user-mode service is secure and resilient.

If you want, I can generate a minimal C# example that installs the driver, registers a simple pre-create callback, and blocks creation of files matching a pattern.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts