Get source file obj in case of network directory copy paste

Hi All,

I have implemented a DLP mini-filter driver, but currently I am stuck at the following case:

  • Consider a user copying and pasting a file from the local system to a network shared location.
  • Then my DLP driver monitors and detects the same file as suspicious.
  • But now I want the local source of the detected file.

So is there any mechanism provided by the system to track the source file in this case?

Thanks

With any type of copy, whether it is local to local volume or local to
network share, there is no deterministic method to know the source of
the copy. For a rename, yes, you know that. But for a copy you see an
open on file1, a create on file2 at some point in time, reads from file1
and writes to file2 at some later point in time. Not necessarily all in
this order but there is no foolproof way when you see the create or
write of file2 to know that the source is file1.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: 6/7/2017 1:43:25 AM
Subject: [ntfsd] Get source file obj in case of network directory copy
paste

>Hi All,
>
>I am having DLP implemented mini-filter driver but currently I am stuck
>at following case
>- Consider user is copying and paste a file from local system to
>network shared location.
>- Then my DLP driver monitor and detect same file as suspicious.
>- But now I want local source of detected file.
>
>So is there any mechanism provided by system to track source file in
>this case.
>
>Thanks

Thanks Peter Scott for details…
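
The ambiguity described in the reply above, as an added example that is not part of the original thread and does not use any real minifilter API: a user-mode C model of a best-effort correlator. The event struct, the constructed trace and the matching rule (same process, time window, equal size) are assumptions made for illustration; the result is a guess, never a system-provided source.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model of what a filter observes; not a real minifilter API. */
typedef enum { EV_OPEN_READ, EV_CREATE_WRITE } ev_kind;
typedef struct {
    unsigned long long t_ms;  /* time the operation was seen */
    unsigned pid;             /* requesting process */
    ev_kind kind;
    const char *path;
    unsigned long long bytes; /* size of file read, or bytes written */
} io_event;

/* Constructed trace: one process with three reads and two network writes,
 * and a second process that writes without reading anything. */
static const io_event TRACE[] = {
    {1000, 4242, EV_OPEN_READ,    "C:\\docs\\report.docx",       1000},
    {1005, 4242, EV_OPEN_READ,    "C:\\backup\\report.docx",     1000},
    {1010, 4242, EV_CREATE_WRITE, "\\\\srv\\share\\report.docx", 1000},
    {1020, 4242, EV_OPEN_READ,    "C:\\docs\\notes.txt",          300},
    {1030, 4242, EV_CREATE_WRITE, "\\\\srv\\share\\notes.txt",    300},
    {9000, 5150, EV_CREATE_WRITE, "\\\\srv\\share\\new.txt",       64},
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

/* Collect reads by the same process, within window_ms on either side of the
 * write, whose size matches. Returns the count: 1 is a guess, 0 or >1 unknown. */
static size_t source_candidates(const io_event *ev, size_t n, size_t dst,
        unsigned long long window_ms, const char **out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long long a = ev[i].t_ms, b = ev[dst].t_ms, dt = a > b ? a - b : b - a;
        if (ev[i].kind != EV_OPEN_READ || ev[i].pid != ev[dst].pid) continue;
        if (dt > window_ms || ev[i].bytes != ev[dst].bytes) continue;
        if (found < max_out) out[found] = ev[i].path;
        found++;
    }
    return found;
}

int main(void)
{
    const char *c[4];
    for (size_t i = 0; i < TRACE_LEN; i++) {
        if (TRACE[i].kind != EV_CREATE_WRITE) continue;
        size_t k = source_candidates(TRACE, TRACE_LEN, i, 5000, c, 4);
        printf("%s: %zu candidate(s)\n", TRACE[i].path, k);
    }
    return 0;
}
```

Two same-sized files read by the same process leave the first write with two candidates, and a write with no preceding read leaves none, so a DLP verdict built on this should record the source as unconfirmed.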