EaseFilter File Protector: Complete Guide to Features & Setup
Overview
EaseFilter File Protector is a Windows file-system filter solution (built on EaseFilter’s File System Filter Driver SDK) that monitors, controls and can transparently encrypt file I/O at the kernel level. It intercepts file operations (open, read, write, rename, delete, browse, etc.) to enforce access rules, log activity, block unauthorized actions, and integrate encryption/DRM or DLP workflows.
Key features
- Real-time monitoring: Capture file I/O events (create/open/read/write/close/rename/delete) with process, user and timestamp details.
- Access control rules: Allow or deny operations by file path, file mask, process name/ID, user, or session.
- Per-process and per-user rights: Grant different rights (read/write/rename/delete) to specific processes or users.
- Callback-based control: Register pre/post I/O callbacks to inspect, modify or block operations programmatically.
- Transparent on-access encryption: Encrypt/decrypt files on-the-fly with per-file IVs so only authorized principals see plaintext.
- Directory browsing hiding: Hide files/folders from directory listings while keeping them present on disk.
- Reparse/redirect: Reparse file opens to alternate locations for virtualization or sandboxing use cases.
- Auditing & logging: Detailed logs with I/O data, status codes, file times and caller information for SIEM/EDR integration.
- Sample apps & SDKs: C# and C++ sample projects demonstrating protect, monitor, encryption, DRM and process/registry filters.
- Process & registry filtering: Optional modules to block unauthorized executables and protect registry keys.
Common use cases
- Data Loss Prevention (DLP) and preventing unauthorized copy/USB exfiltration.
- Ransomware mitigation by blocking unknown processes from writing or deleting files.
- Transparent DRM/encryption for secure file sharing.
- File access auditing for compliance and forensics.
- Application-level sandboxing and secure folders.
Components you’ll use
- Filter driver service (kernel-mode filter).
- Filter control library (EaseFilter.FilterControl, available as SDK/NuGet).
- Management/console or custom control app using provided APIs.
- Sample FileProtector demo project (C#) used to create rules and callbacks.
Installation and prerequisites (Windows)
- Windows with administrative privileges.
- Obtain EaseFilter File Control SDK / FileProtector demo (download from EaseFilter website or NuGet package for the managed library).
- Visual Studio (for building samples/custom apps) if developing; otherwise use provided installers.
- Ensure drivers can be installed (driver signing policy — follow EaseFilter documentation for signing/trial keys).
Quick setup — step‑by‑step (practical, minimal working example)
- Install the FileProtector demo or copy SDK runtime DLLs and driver installer into your target machine.
- Run installer or register/start the filter service as Administrator (the demo/SDK includes scripts or an executable to StartFilter).
- Launch the management console or sample FileProtector app.
- Create a filter rule:
  - Set watch path (supports wildcards), e.g., c:\sensitive\*
  - Choose masks (include/exclude patterns), e.g., *.docx, *.xlsx
  - Configure access flags: disable delete, disable rename, block write for unknown processes.
  - Add allowed processes/users (e.g., allow notepad.exe or domain\Alice full access).
- (Optional) Register callback handlers in your control app to inspect/prevent specific I/O (PRE_CREATE, PRE_READ, PRE_WRITE, PRE_SET_INFORMATION). Example: on PRE_CREATE, return AccessDenied to block deletions.
- (Optional) Enable transparent encryption in the rule and configure key management per EaseFilter docs.
- Test: attempt operations from allowed and blocked processes; verify console logs and system behavior.
- Deploy rules to target systems and monitor logs centrally (or integrate with SIEM).
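One way to run the Test step above from a process that is not on the allow list. This is an added example, not part of the original guide or the EaseFilter SDK; it uses only standard .NET file calls, and the canary file name is an assumption.

```powershell
# Added example (not from the EaseFilter SDK). Run from a process the rule should
# block, or pass -Expect Allowed when run from an allow-listed one.
param(
    # Throwaway file created for this test (constructed name); never use real data.
    [string]$Canary = 'C:\sensitive\canary.docx',
    [ValidateSet('Denied', 'Allowed')]
    [string]$Expect = 'Denied'
)

if (-not [System.IO.File]::Exists($Canary)) {
    throw "Create $Canary from an allowed process before running the probe."
}

function Test-FileOperation {
    param([string]$Name, [scriptblock]$Action)
    $actual = 'Allowed'; $detail = ''
    try {
        & $Action
    } catch {
        $inner  = $_.Exception.GetBaseException()
        # Only an access-denied failure counts as the filter blocking the call.
        $actual = if ($inner -is [System.UnauthorizedAccessException]) { 'Denied' } else { 'Error' }
        $detail = $inner.GetType().Name
    }
    [pscustomobject]@{
        Operation = $Name; Expected = $Expect; Actual = $actual
        Pass = ($actual -eq $Expect); Detail = $detail
    }
}

$renamed = "$Canary.renamed"
$results = @(
    Test-FileOperation 'write'  { [System.IO.File]::AppendAllText($Canary, 'probe') }
    Test-FileOperation 'rename' { [System.IO.File]::Move($Canary, $renamed) }
)
# If the rename went through, the delete test must follow the file.
$current = if ([System.IO.File]::Exists($renamed)) { $renamed } else { $Canary }
$results += Test-FileOperation 'delete' { [System.IO.File]::Delete($current) }

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

A row with Actual = Error (for example FileNotFoundException) means the probe itself failed and says nothing about the rule; compare each Denied row against the filter's own log entry for the same operation.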
Example C# snippet (conceptual)
```csharp
// Pseudocode based on the EaseFilter sample
string licenseKey = "<your-license-key>";   // placeholder
string err = string.Empty;

FilterControl filter = new FilterControl();
filter.StartFilter(
    FilterAPI.FilterType.CONTROL_FILTER | FilterAPI.FilterType.ENCRYPTION_FILTER,
    5, 10, licenseKey, ref err);

// Rule for the protected folder: no delete, no rename/move
var rule = new FileFilter(@"c:\sensitive\*");
rule.EnableDeleteFile = false;
rule.EnableRenameOrMoveFile = false;

// trusted.exe keeps full rights on the protected path
rule.AddProcessRights(@"c:\sensitive\*", "trusted.exe", ALLOW_MAX_RIGHT_ACCESS);
filter.AddFileFilterRule(rule);
```
Best practices and deployment tips
- Run rule testing in a controlled environment before broad deployment.
- Use explicit allow lists for trusted processes rather than broad deny lists.
- Keep driver and SDK versions consistent across systems; apply signed drivers when possible.
- Integrate logs with SIEM/EDR for centralized alerting and retention.
- Plan key management and backup for encryption features; losing keys can render data inaccessible.
- Monitor performance: kernel-level filtering adds overhead—benchmark on representative workloads.
Troubleshooting checklist
- Driver won’t start: check administrative privileges and driver signing policy; review Windows Event Log.
- Legitimate app blocked: add the process executable or user account to the allow list or adjust file mask.
- High CPU/latency: reduce excessive callback registration or narrow filter masks; increase service threads per docs.
- Encryption errors: verify key configuration and that the encryption filter is enabled for the correct rule.
Resources
- EaseFilter official docs and KB (FileProtector demo, SDK references and sample code).
- GitHub sample repositories (FileProtector example, SDK samples).
- NuGet: EaseFilter.FilterControl package for managed-library integration.
Final notes
EaseFilter File Protector is designed for deep, flexible control of Windows file I/O at scale. For production use, follow EaseFilter’s documentation for driver signing, license keys and detailed API reference, and perform staged rollouts with logging enabled.