I have created a minifilter driver to block the access of files in network share drive. It is working fine .
Here I face an issue, not able to block file editing in it.
I have checked with the following flag values in miniprecreate.
FILE_OVERWRITE , FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA
But not able to block file edition.
Thanks in advance. Can you please provide a solution.
You won’t be able to do this purely from IRP_MJ_CREATE’s desired access and disposition, because those are often set for things that don’t end up getting used, which would cause your filter to over block. To do this properly, you will need to allow most IRP_MJ_CREATES, except those that would modify your file during the create, and block specific actions, like IRP_MJ_WRITE, and many IRP_MJ_SET_INFORMATION’s
But specifically to what you are trying above, you’ve missed some entries. An existing file can be edited, for example, with a disposition of FILE_OPEN or FILE_OPEN_IF, or FILE_OVERWRITE_IF, etc., but you state that you are only checking for FILE_OVERWRITE.