Help on Minifilter.

I am using a mini-filter driver to block file access. The JSON rules come from the server and need to be processed, and after that it will decide whether that file should be blocked or not. So I am thinking of the following approach:

  • From MiniPreRead/Write, send the filePath from kernel mode to user mode using FltSendMessage and wait for the reply. If the reply is 1 then block the file access, else allow.
    The user-mode process processes that JSON and then gives the reply as a bool. Processing JSON in user mode might take 1-5 sec or even more sometimes.

So should I go with this approach?

Would it be inefficient in some way?

If this approach is not good, then please suggest an efficient way of doing it.

I am very thankful to the OSR community and am waiting for some valuable suggestions.

Purpose?
If this is for a single file, where performance is of no issue (literally, if the performance is of NO IMPORTANCE AT ALL), then it is … not good :) Because FltSendMessage might not be able to run in Read/Write, and you will also miss memory mapped reads/writes (depending on the purpose, the latter may not matter).

But seriously, 1-5 seconds? Even if that is only during file open, consider whether you would be OK with such a wait for a file open, then reconsider the approach.

Dejan.

@Dejan_Maksimovic The purpose is to block file access by any browser application. For example, if someone tries to access the file from Chrome, then depending on the rules, action will be taken.

If that is not a good approach, then what should I do now?
Assume that there is a set of rules in JSON format. How can I do it efficiently in kernel mode, or is there any other efficient way of doing it?

  1. Anything beyond a few milliseconds for a file OPEN is too long, unless it is a second or so per downloaded file, I guess. But per READ/WRITE, it will be too much to prolong it by even 10ms.
  2. Do any check in PostOpen only. You can prevent access then if needed, but do not take a few seconds per open, as it will annoy users a lot.

@Dejan_Maksimovic I want to block file open access for a particular process, so doing the check in Post-Create would be useless, as the content has already been lost.

I said PostOpen.
But there are several others, depending on the particular requirement.

PostCreate comes before read and write so I’m not sure about your point.

Please spend time playing with the avscan sample so you can gain some better understanding.

@“Scott_Noone_(OSR)” @Dejan_Maksimovic Thank you for the suggestion. I am trying with your suggestion. I will let you know once done.

Unless you can very narrowly define the class of files / processes that you want to protect access to / from, and let all others pass through quickly, the exact callback or I/O model to use seems irrelevant unless you can do something about the 5 second time to check. If this kind of check gets done on every file on a C drive, the user would experience 486-like performance - maybe worse.

An obvious improvement would be not to use JSON. Or maybe to use it only as the 'storage' format for your rules, but implement something better in memory. Without knowing more about what you are trying to achieve it seems hard to help much.
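To illustrate the advice in this thread (decide at create time, keep JSON only as the storage format, and pass unlisted processes through without a user-mode round trip), here is an added example that is not from any poster and is not driver code: plain C with POSIX `strcasecmp`/`strncasecmp` standing in for the kernel-mode `Rtl*`/`_wcsnicmp` routines, and a constructed rule table of process image names and NT device-path prefixes that the user-mode service would pre-compile from its JSON once.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* One pre-compiled rule: which process image, which path prefix, and whether
 * matching opens are blocked. Constructed sample data, not a real rule set. */
typedef struct {
    const char *process;   /* image file name, e.g. "chrome.exe" */
    const char *prefix;    /* case-insensitive NT path prefix the rule covers */
    bool block;
} rule_t;

static const rule_t g_rules[] = {
    { "chrome.exe", "\\Device\\HarddiskVolume2\\Users\\alice\\Documents\\", true  },
    { "chrome.exe", "\\Device\\HarddiskVolume2\\Users\\alice\\Downloads\\", false },
    { "msedge.exe", "\\Device\\HarddiskVolume2\\Users\\alice\\Documents\\", true  },
};
#define RULE_COUNT (sizeof(g_rules) / sizeof(g_rules[0]))

/* True only for processes named in some rule. Everything else is passed
 * through without even looking at the path, which keeps the common case cheap. */
static bool process_is_scoped(const char *process)
{
    for (size_t i = 0; i < RULE_COUNT; i++)
        if (strcasecmp(g_rules[i].process, process) == 0)
            return true;
    return false;
}

/* The decision a PostCreate callback would make: true means deny the open.
 * A handful of string compares over a fixed table, no message round trip. */
bool should_block_open(const char *process, const char *path)
{
    if (!process_is_scoped(process))
        return false;                   /* fast pass-through for unlisted processes */
    for (size_t i = 0; i < RULE_COUNT; i++) {
        const rule_t *r = &g_rules[i];
        if (strcasecmp(r->process, process) != 0)
            continue;
        if (strncasecmp(r->prefix, path, strlen(r->prefix)) == 0)
            return r->block;            /* first matching rule wins */
    }
    return false;                       /* scoped process, no matching prefix: allow */
}
```

In a real filter the table would be replaced atomically when the service pushes a new rule set, so the per-open path never waits on user mode.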