Overview of File Filtering with CBFS Filter

Summary

CBFilter is a component of CBFS Filter, an SDK and library designed for monitoring and controlling various system activities, including filesystem operations, registry operations, and the lifecycle of processes and threads. This component—available as a class, struct, or trait depending on your programming language—enables you to monitor and control all types of filesystem operations within your Windows applications. The article reviews the purpose, features, architecture, and applications of the CBFilter component.

Introduction

In Windows, when an application or operating system component needs to read or write a file or perform another action, the operating system sends a specially crafted request packet, known as an I/O Request Packet (IRP), to the filesystem driver. This packet typically does not go directly to the filesystem; instead, it first passes through a stack of filesystem filters. This architecture allows application developers to observe these requests and take necessary actions. The actions can range from simple monitoring and logging of operations to more proactive measures, such as handling a request packet without further processing, modifying the request, or denying it with an error.

Filter applications can include data encryption, compression, data leak prevention, user isolation, backup and recovery, and much more.

Filtering of filesystem operations plays an essential role in a plethora of scenarios:

  1. Data Integrity and Security
    • Protection Against Unauthorized Access: Monitoring helps identify unauthorized file access or modifications and block them, ensuring that sensitive data remains protected. This includes detection and control over file operations with removable drives (USB drives, flash drives, flash sticks, flash cards, etc.)
    • Detection and prevention of Malicious Activities: Continuous monitoring can detect suspicious activities such as malware trying to modify or delete critical files, allowing for immediate intervention, both manual and automated. Filtering makes it possible to block the unauthorized attempts to modify data or save previous versions of files before they are modified, helping in avoiding fatal destruction of data.
    • Change Tracking: Keeping track of all changes made to files helps in understanding the history of data and aids in forensic investigations when security breaches occur.
  2. Compliance and Auditing
    • Regulatory Compliance: Many industries are subject to regulations that require meticulous record-keeping of file access and modifications. Monitoring ensures compliance with standards such as GDPR, HIPAA, or PCI-DSS.
    • Audit Trails: Creating comprehensive logs of filesystem activities supports audit processes, helping organizations demonstrate adherence to policies and regulations.
  3. System Performance Optimization
    • Resource Management: Monitoring file operations enables administrators to identify resource bottlenecks and optimize performance by analyzing access patterns.
    • Preventing System Failures: By observing filesystem operations, potential issues such as disk space exhaustion or excessive I/O operations can be flagged before they lead to system crashes or performance degradation.
  4. Data Recovery and Backup
    • Backup Management: Monitoring ensures that backup operations are successfully completed and allows for quick recovery of lost or corrupted files, minimizing downtime. Data mirroring enables making on-the-fly copies of the data being modified in their before- and after-modification versions.
    • Version Control: Keeping track of file changes enables versioning, making it easier to restore previous versions of files in case of accidental deletion or corruption.
  5. Automation and Efficiency
    • Streamlined Operations: Automated monitoring and control can significantly reduce the manual effort required for filesystem management, allowing IT staff to focus on higher-level tasks.
    • Dynamic Response to Events: Control mechanisms can automatically respond to specific events (e.g., blocking a file deletion attempt), improving efficiency and reducing the likelihood of human error.
  6. User Accountability
    • User Behavior Tracking: Monitoring file access and modifications can help identify user behavior patterns, allowing organizations to hold individuals accountable for their actions.
    • Role-based Access Control: Ensuring that only authorized users can perform certain actions on the filesystem is critical for security and can be enforced through monitoring tools.
  7. Disaster Recovery Preparedness
    • Proactive Monitoring: Regular monitoring helps organizations prepare for potential disasters by enabling early detection of issues that could lead to data loss or corruption.
    • Incident Response Planning: Having detailed logs and monitoring in place allows organizations to develop effective incident response strategies, facilitating quicker recovery from disasters.
  8. Data protection
    • Protection at Rest: Sensitive data such as personal information, financial records, and intellectual property is safeguarded from unauthorized access when stored on the filesystem. Even if an attacker gains access to the storage medium, the data remains unintelligible without the decryption key.
    • Seamless User Experience: Users can interact with files as usual, with the encryption and decryption processes occurring transparently in the background. This minimizes disruption to workflows while maintaining high security.
    • Compliance to Regulatory Requirements: Many regulations (e.g., GDPR, HIPAA) mandate the protection of sensitive data. On-the-fly encryption helps organizations comply with these regulations by ensuring that data is encrypted before it is stored.
    • Immediate Encryption: Data is encrypted as it is created or modified, providing real-time protection. This is crucial for scenarios like logging, where sensitive information may be recorded continuously.
    • Dynamic Encryption Policies: Organizations can implement policies that trigger encryption based on specific criteria (e.g., file type, user role), allowing for adaptive security measures.

What CBFilter Offers

With CBFilter, regular application developers can enhance their applications with the aforementioned features without needing to engage in kernel-mode development. CBFilter consists of a pre-built kernel-mode driver (specifically, a filesystem filter driver) and a user-mode library (a component, class, struct, or trait). The user-mode library is what applications call to utilize the available functionality, while the driver is installed only once during the application installation, after which the application does not directly communicate with the driver.

CBFilter can be used in Windows applications developed in C#, C++, Python, Java and Java-compatible languages (Kotlin, Scala, Groovy), Go, Rust, and Delphi.

Trackable operations

With CBFilter, you can capture and intercept the following types of operations:

  • file create and file open operations
  • file reads and file writes
  • file modification
  • file renaming
  • file deletion
  • directory creation and deletion
  • directory enumeration
  • retrieval and updating of file and directory attributes
  • reading and writing of security attributes of files and directories
  • reading and writing of extended attributes of files
  • creation of hard links to files
  • operations with reparse points
  • access to a reparse point
  • locking and unlocking of file ranges
  • custom requests sent to a filesystem for a file or the whole filesystem

In addition to these operations, CBFilter can redirect file access dynamically to another file using the file reparsing mechanism.

Monitoring and control capabilities

With each request, the application can identify who initiated it (which user), what process was involved, and exactly when the request occurred. Each reported request can include all known names of the file or directory being accessed (depending on the setting).

A key feature of CBFilter is its ability to intercept requests before they reach the filesystem, allowing the application to modify or handle the request beforehand. Alternatively, the application can be notified after the filesystem processes the request, giving it the option to know the outcome of the operation and potentially alter it before the result is returned to the originating process.

If your application only needs to monitor access to specific files or directories or log operation details, CBFilter offers an asynchronous notification mechanism. This method is less intrusive than synchronous request tracking; it captures main request parameters, which are then passed to the application for logging purposes asynchronously.

CBFilter optimizes performance by allowing you to set rules that define which types of requests should be reported, when they should be reported (before or after reaching the filesystem), and which specific files to monitor. The conditions can include not only file names or paths but also file or directory attributes, file size, the existence of extended attributes, and specific processes to track.

For control events (those reported before or immediately after reaching the filesystem), the application can alter parameters or associated data, complete the request with an error, or override an error and report success. If the event is reported before reaching the filesystem, the application can complete or deny the request without passing it to other filters or the filesystem.

On-the-fly data modification

With CBFilter, an application can modify data being read from or written to a file by intercepting the related request packets. Modifications can be implemented through direct changes to the request data buffers or by handling the requests and performing a separate file operation instead. The latter approach, known as "isolation," allows applications to easily change file size and implement on-the-fly data encryption or compression. Unlike the direct modification method, the modified and original file data do not interfere in the system cache.

Such on-the-fly modifications can be performed based on various criteria determined by the application when the file is opened. For example, when a document is opened, the application may choose to decrypt it only if it is accessed by a specific process or user, while all other users receive "garbled," encrypted content.

Configurability

CBFilter offers multiple ways to customize the component's behavior, allowing you to achieve an optimal balance between your needs and system performance. Among other settings, an application can choose to capture or skip requests that have failed (i.e., when the filesystem returns an error code), process or skip read and write operations involving data movement between processes and the system cache (referred to as "cached requests"), and collect or skip the gathering of all file names associated with an opened file.

Defense Against Unauthorized Use

As a powerful tool for controlling filesystem operations, the CBFilter driver can be a target for attacks and unauthorized use. To counteract such threats, CBFilter includes several protective measures. Specifically, it can be configured to accept commands only from the application specified during driver installation or to accept commands exclusively from elevated processes (such as system services).

Performance Considerations

As the filter driver receives all request packets sent to a filesystem, improper configuration can negatively impact performance. CBFilter provides several methods to minimize this impact.

First, applications can set fine-grained filter rules to avoid excessive notifications. Additionally, access rules can be set in order to enforce file access control without requiring communication back to user mode.

Furthermore, pass-through rules can be defined to specify which requests should be ignored, even if they match existing filter rules.

Finally, many configuration options affect performance, and their default settings are optimized for maximum efficiency. You should only adjust these settings when you need to enable a specific feature.

Best Practices and Tips

The most common pitfalls are:

  • Using control events when notifications suffice: If your goal is only to monitor and log requests, it is more efficient to use notification events, which will positively impact system performance.
  • Capturing too many events for too many files: While it may be tempting to set a filter rule to capture all events across all files and disks, doing so significantly affects performance. Instead, opt for fine-tuned rules that cover a specific subset of files or trigger events only for particular types of requests.
  • Adding too many rules: Although this advice may seem contradictory to the previous point, it is important to recognize that rules also have their costs. Adding a few rules is typically not problematic, but introducing a hundred or more can consume CPU time during processing. Finding a balance between the number of rules and the frequency of callbacks to user mode requires testing your application in real-world scenarios.
  • Trying to do too much in event handlers: If your application needs to perform complex actions in response to a filesystem event, consider shifting these actions to a separate worker thread to execute them asynchronously. This approach not only enhances system stability but also helps prevent unexpected interactions with third-party software.

Getting Started with CBFilter

You can find an evaluation version of the SDK for your platform and programming language in the Download Center. After downloading and installing the SDK, you will receive a library, sample code, and comprehensive documentation on your system. The documentation includes a "Getting Started" section with programming instructions. Additionally, free technical support is available during the evaluation phase.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@callback.com.