Re: system monitoring




Well, there are a lot of challenges here, since there is no file copy
operation and what you really need is to track the data. For instance, a
copy is just a bunch of reads and writes, and a network send is reads followed
by transmits (writes) to a network stack. Worse yet, a lot of these schemes
miss obvious approaches. For instance, I was at a client who was proud of
their new security protection (same goal as what you stated), and I asked to try
it. So I opened a text file that was "secure", copied it to the clipboard
and pasted it into MS Paint, then saved the bitmap to the USB drive (OOPS!).

You do not want kernel hooking, since it cannot be done on 64-bit systems, and
on 32-bit your software will be flagged by malware scanners. If you want
to see file operations, you need a file system filter; go to
http://www.osronline.com and join NTFSD, that is where the file system folks
hang out. This is tough stuff and is hard to do right.


--
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
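To make the point above concrete (a filter only ever sees reads and writes, so "copy to USB" has to be reconstructed by tracking which process touched restricted data), here is an added user-mode illustration that is not code from this thread or from any driver. It correlates a constructed event trace; the paths, process ids, and the assumption that E: is the removable volume are all made up for the example, and the Paint case in the trace shows why this kind of tracking is not enough on its own.

```python
"""Correlate per-process read/write events into 'copy' detections.

Constructed illustration: a file system filter reports reads and writes,
not copies, so a user-mode component must remember which process read a
restricted file and flag a later write by that process to a removable
volume or a network (UNC) path.
"""
from dataclasses import dataclass

RESTRICTED = {r"C:\docs\secret.txt"}          # constructed restricted file
REMOVABLE_PREFIXES = ("E:\\",)                # assumption: E: is the USB drive
NETWORK_PREFIXES = ("\\\\",)                  # UNC paths via the redirector


@dataclass
class Event:
    pid: int
    op: str        # "read" or "write"
    path: str


def classify_sink(path: str):
    """Return the kind of destination a write targets, or None if local."""
    if path.startswith(REMOVABLE_PREFIXES):
        return "removable"
    if path.startswith(NETWORK_PREFIXES):
        return "network"
    return None


def correlate(events):
    """Return (pid, source, sink_path, sink_kind) for each suspected copy."""
    tainted = {}   # pid -> set of restricted paths that process has read
    alerts = []
    for ev in events:
        if ev.op == "read" and ev.path in RESTRICTED:
            tainted.setdefault(ev.pid, set()).add(ev.path)
        elif ev.op == "write" and ev.pid in tainted:
            kind = classify_sink(ev.path)
            if kind:
                for src in sorted(tainted[ev.pid]):
                    alerts.append((ev.pid, src, ev.path, kind))
    return alerts


# Constructed sample trace. Pid 300 (Paint saving pasted text) never read
# the restricted file itself, so read/write correlation does not catch it.
TRACE = [
    Event(100, "read", r"C:\docs\secret.txt"),    # Explorer copying the file
    Event(100, "write", r"E:\secret.txt"),        # ... to the USB drive
    Event(200, "read", r"C:\docs\secret.txt"),    # Notepad opens it
    Event(300, "write", r"E:\pic.bmp"),           # Paint saves the pasted bitmap
]
```

Running `correlate(TRACE)` yields one alert for pid 100 and nothing for the Paint save, which is exactly the gap the post describes.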




"Lloyd" <lloydkl@xxxxxxxxx> wrote in message
news:53ddbf30-ec0e-49c7-a8b6-e17b6dbac115@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
You must be interested in something special or a special area. Monitoring "everything" is kinda
absurd!

As an example, I would like to monitor whether the user is copying a
"restricted file" to an external storage media like "usb" or he is
sending through "network" etc. Anything wrong in using "hook" approach
or is there any better way?

PS: I don't know hooking, but if it is possible, I am ready to
learn :)

Thanks,
Lloyd

__________ Information from ESET NOD32 Antivirus, version of virus
signature database 4075 (20090514) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

