anti encryption filter

Hey, I'm working on an anti-encryption filter driver. My detection logic is run at cleanup, so as long as the handle is still open no encryption will be identified. As a result I'm trying to deal with the following scenario:

1. Process encrypts files
2. Process copies the encrypted files
3. Process closes the handle

Since taking a copy is just a few reads and writes at the end of the day, what would be an approach to prevent '2'? (Prevent the presence of those "encrypted files" upon detection.)

I thought of the following options:

1. Move some detection logic to post-write, save the potentially encrypted content, and check if it's ever written to another file; if so, mark the target file as encrypted too.
2. Somehow detect copy operations, and whenever a file marked as encrypted is copied, mark the copy as encrypted too (that would again require being able to identify a file as encrypted within the write filter).

Would appreciate it if anyone is willing to share his thoughts regarding approaching this problem.
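A user-mode C model of the bookkeeping behind option 1 in the question above, added here as an illustration and not code from the poster or any existing driver. All names, the 4 KiB chunk size and the table size are assumptions, and it presumes some other check has already decided that a written buffer is suspect; it only matches copies written at the same chunk alignment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CHUNK 4096u   /* assumed tracking granularity */
#define SLOTS 1024u   /* assumed table size, power of two */

static uint64_t suspect[SLOTS];   /* open-addressed set of chunk hashes, 0 = empty */

/* FNV-1a 64 for brevity; a driver would want a keyed or cryptographic hash. */
static uint64_t chunk_hash(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h ? h : 1;             /* never return the "empty slot" value */
}

/* Post-write on a file the detector already considers suspect:
 * remember the hash of every whole chunk that was written. */
void remember_suspect_write(const uint8_t *buf, size_t len) {
    for (size_t off = 0; off + CHUNK <= len; off += CHUNK) {
        uint64_t h = chunk_hash(buf + off, CHUNK);
        size_t i = (size_t)h & (SLOTS - 1);
        for (size_t n = 0; n < SLOTS; n++, i = (i + 1) & (SLOTS - 1))
            if (suspect[i] == 0 || suspect[i] == h) { suspect[i] = h; break; }
        /* if the table is full the chunk is simply not tracked */
    }
}

/* Post-write on any other file: how many whole chunks of this buffer
 * were previously written to a suspect file? A non-zero result is the
 * signal to mark the target file as encrypted too. */
size_t count_suspect_chunks(const uint8_t *buf, size_t len) {
    size_t hits = 0;
    for (size_t off = 0; off + CHUNK <= len; off += CHUNK) {
        uint64_t h = chunk_hash(buf + off, CHUNK);
        size_t i = (size_t)h & (SLOTS - 1);
        for (size_t n = 0; n < SLOTS && suspect[i] != 0; n++, i = (i + 1) & (SLOTS - 1))
            if (suspect[i] == h) { hits++; break; }
    }
    return hits;
}

int main(void) {
    static uint8_t src[2 * CHUNK], copy[2 * CHUNK];   /* constructed sample data */
    uint32_t x = 12345;
    for (size_t i = 0; i < sizeof src; i++) { x = x * 1664525u + 1013904223u; copy[i] = src[i] = (uint8_t)(x >> 24); }
    remember_suspect_write(src, sizeof src);
    printf("matching chunks in copy: %zu\n", count_suspect_chunks(copy, sizeof copy));
    return 0;
}
```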

What you ask for is some 99.9999% of work for such a product.
And even then it is only 50% or less effective.