Hi All,
I have mini file system filter driver that intercepts and blocks access to a few protected folders.
This works fine when the folder is accessed directly.
But the folder can be shared and accessed through the network location.
The mini filter is not able to detect or block such network operations.
Does mini filter support UNC location?
If so, how this can be achieved using mini filter?
You’ll see these accesses come from the System process context. Check for the magic SRV/NFS ECPs to identify opens from remote clients:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_srv_open_ecp_context
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_nfs_open_ecp_context
For filtering and control network path you should use the Windows Filtering Platform Callout Drivers model:
https://docs.microsoft.com/en-us/windows-hardware/drivers/network/introduction-to-windows-filtering-platform-callout-drivers
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/_netvista/#windows-filtering-platform-callout-drivers