What is a trusted process?
A trusted process is an application that was signed with a Microsoft Authenticode code signing certificate. Code signing relies on both a digital signature and a hash function. The digital signature authenticates the developer; the hash serves as a checksum to ensure the integrity of the software hasn’t been compromised. Briefly, from a technical standpoint, the code signing certificate and the code itself are hashed together, and the resulting hash value is then digitally signed with the certificate’s private key.
When a user receives the software, their system first recomputes the hash value that was created when the certificate and code were hashed together during signing. A cryptographic hash function makes it infeasible for two different inputs to produce the same output, so if the values match, you can safely assume the software’s integrity is intact.
Then the system takes the public key that was presented alongside the code signing certificate and uses it to verify the signature.
When done properly, the result is this:
Control the file access with EaseFilter Control Filter Driver
The EaseFilter Control Filter Driver lets you control file I/O activities at the file system level in real time and prevent your sensitive files from being accessed by untrusted processes. You can capture file open, create, overwrite, read, write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests.
To control file access, set up filter rules based on the file access policies you created. Each filter rule has default file access rights. If you want your files to be accessible only to trusted processes, give the filter rule the least access rights, as below:
//Create a new filter rule for files in the folder c:\protectedFolder.
//Set the least access rights on this folder so that no one can access it.
FilterAPI.AddFileFilterRule(FilterAPI.AccessFlag.LEAST_ACCESS_FLAG, "c:\\protectedFolder\\*", false, 0);
How to add the access rights to your trusted processes?
To set up access rights for trusted processes, you need to identify which processes are trusted. A trusted process was developed by a trusted publisher, and the executable binary has not been tampered with since it was published. Authenticode is a Microsoft code-signing technology that identifies the publisher of Authenticode-signed software. Authenticode also verifies that the software has not been tampered with since it was signed and published. Authenticode uses cryptographic techniques to verify publisher identity and code integrity.
With Authenticode, the signature is embedded within Portable Executable (PE) files, so you can verify that a file is signed by inspecting the signature attached to it. To grant access rights to a trusted process based on the publisher of the code signing certificate, use the API below to add access rights for processes signed with that digital code signer name to the filter rule.
//Add the maximum access rights to processes that were digitally code signed by the specific publisher.
FilterAPI.AddSignedProcessAccessRightsToFilterRule("c:\\protectedFolder\\*", certificateName, (uint)certificateName.Length*2, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);
If you don’t use Authenticode verification and you trust an executable binary that you developed yourself, you can also use the SHA-256 hash of the binary to verify that the file has not been tampered with. You can add access rights for a trusted process that has the same SHA-256 hash with the code below:
//Add the maximum access rights to the process that has the same SHA-256 hash.
FilterAPI.AddSha256ProcessAccessRightsToFilterRule("c:\\protectedFolder\\*", Sha256HashOfProcess, (uint)Sha256HashOfProcess.Length*2, FilterAPI.ALLOW_MAX_RIGHT_ACCESS);
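The two rules above are keyed on a signer name and a SHA-256 hash. The following added example (not part of the EaseFilter SDK or its FileProtector demo) shows one way to read both values from an executable with standard .NET calls and shows that a single flipped bit changes the hash. The class and method names are hypothetical, and the exact name and hash format the FilterAPI calls expect is not stated on this page.

```csharp
// Added example: not part of the EaseFilter SDK or its FileProtector demo.
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TrustedProcessIdentity   // hypothetical name
{
    // SHA-256 of a stream as lowercase hex; streaming avoids loading large binaries at once.
    static string Sha256Hex(Stream data)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "").ToLowerInvariant();
    }

    // Subject of the embedded Authenticode signing certificate, or null when none can be read.
    // This only extracts the certificate: it does not validate the signature or the chain.
    static string SignerSubject(string path)
    {
        try { return X509Certificate.CreateFromSignedFile(path).Subject; }
        catch (CryptographicException) { return null; }
    }

    static void Main(string[] args)
    {
        // Assumption: with no argument, inspect the currently running executable.
        string exe = args.Length > 0 ? args[0] : Process.GetCurrentProcess().MainModule.FileName;

        string pinned;
        using (var file = File.OpenRead(exe))
            pinned = Sha256Hex(file);
        Console.WriteLine("SHA-256 : " + pinned);
        Console.WriteLine("Signer  : " + (SignerSubject(exe) ?? "(no embedded signature)"));

        // Constructed tamper test: flip one bit in an in-memory copy and re-hash it.
        byte[] copy = File.ReadAllBytes(exe);
        copy[copy.Length - 1] ^= 0x01;
        string tampered = Sha256Hex(new MemoryStream(copy));
        Console.WriteLine("Tampered: " + tampered);
        Console.WriteLine("Tampered copy matches pinned hash: " + (tampered == pinned));
    }
}
```

Because `CreateFromSignedFile` only reads the embedded certificate, a subject name obtained this way shows who the file claims as its signer, not that the signature is valid. Confirm the signature separately before trusting a publisher name.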
Here is the C# demo project “FileProtector”, which shows how to add access rights for a trusted process: