What Is A Filter Rule

A filter rule is the policy to monitor or control the files by the filter driver. To manage the files by filter driver, you need to create at least one filter rule, you can have multiple filter rules with different policies to manage different files to meet your requirement.

A filter rule has only one unique include file mask, when a new filter rule was added to the filter driver, if a filter rule with the same include file filter mask exists, the new filter rule will replace the older one.

With the file filter mask setting in the filter rule,  the filter driver will only monitor or control the files which match the file filter mask. With the accessFlag setting, it will set the access rights for this filter rule, it will allow or block the specific file I/O. With the ExcludeFileFilterMask setting, you can exclude the files you are not interested. With the IncludedProcessNameList setting, you can only manage the file I/Os which from the included process list. With the ExcludedProcessNameList setting, you can exclude the file I/Os which from the excluded process list. With the IncludedUserNameList setting, you can only manage the file I/Os which from the included user list. With the ExcludedUserNameList setting, you can exclude the file I/Os which from the excluded user list.

Which file will be monitored or controlled in the filter rule?

The filter rule is a file name based file control policy, the filter driver will watch the file I/O based on the file name with below orders, the filter driver will only monitor or control the files which match the filter conditions.

  1. When a file was opened, the filter driver will intercept this I/O, first it will check if the file name matches the include file name mask in the filter rule, i.e. the filter rule file mask is “c:\test\*”, and the a file “c:\test\mytes.txt” was opened, it will match. If the file name doesn’t match the filterMask in the filter rule, then it will skip the following I/Os of this file.
  2. Check if the  excludeFileFilterMask is empty, if it is not, then check if the file name matches the excludeFileFilterMask, if yes, then skip this  file I/O.
  3. Check if the  IncludedProcessNameList is empty, if it is not, then check if the process was in the list, if not, then skip this file I/O.
  4. Check if the  ExcludedProcessNameList is empty, if it is not, then check if the process was in the list, if yes, then skip this file I/O.
  5. Check if the  IncludedUserNameList is empty, if it is not, then check if the user name was in the list, if not, then skip this file I/O.
  6. Check if the  ExcludedUserNameList is empty, if it is not, then check if the user name was in the list, if yes, then skip this file I/O.

How to crate a filter rule?

Here are some APIs to create the filter rule. With this filter rule setting, you can setup your own file monitor or control policies.

/// <summary>
/// Add the new filter rule to the filter driver.
/// </summary>
/// <param name="accessFlag">access control rights of the file IO to the files which match the filter mask</param>
/// <param name="filterMask">the filter rule file filter mask, it must be unique.</param>
/// <param name="isResident">if it is true, the filter rule will be added to the registry, get protection in boot time.</param>
/// <param name="filterRuleId">the id to identify the filter rule, it will show up in messageId field of messageSend structure if the callback is registered</param>
/// <returns></returns>
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddFileFilterRule(
uint accessFlag,
[MarshalAs(UnmanagedType.LPWStr)]string filterMask,
bool isResident,
uint filterRuleId );
/// <summary>
/// Exclude the files from this filter rule if the files match the excludeFileFilterMask.
/// </summary>
/// <param name="filterMask">the filter rule file filter mask</param>
/// <param name="excludeFileFilterMask">the file filter mask for the excluded files</param>
/// <returns></returns>
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddExcludeFileMaskToFilterRule(
[MarshalAs(UnmanagedType.LPWStr)]string filterMask,
[MarshalAs(UnmanagedType.LPWStr)]string excludeFileFilterMask);
/// <summary>
/// only manage the file IO for the processes in the included process list 
/// </summary>
/// <param name="filterMask">the file filter mask of the filter rule</param>
/// <param name="processName">the include process name filter mask, process name format:notepad.exe</param>
/// <returns></returns>
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddIncludeProcessNameToFilterRule(
[MarshalAs(UnmanagedType.LPWStr)]string filterMask,
[MarshalAs(UnmanagedType.LPWStr)]string processName);
/// <summary>
/// skip the IO for the processes in the excluded process list
/// </summary>
/// <param name="filterMask">the file filter mask of the filter rule</param>
/// <param name="processName">the include process name filter mask</param>
/// <returns></returns>
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddExcludeProcessNameToFilterRule(
[MarshalAs(UnmanagedType.LPWStr)]string filterMask,
[MarshalAs(UnmanagedType.LPWStr)]string processName);

How to setup the access rights in the filter rule?

There is default access rights for the filter rule when you create a new file filter rule. You can setup the default access rights to all processes or users with this setting, you can disable some access rights here, for example, you can block the file change access rights by default. Beside the default access rights setting, you can add the access rights to the specific processes or users based on the process name or process Id or user name with below APIs. With these settings, you can create the whitelist or blacklist processes or users to your files.


/// <summary>
/// Set the access rights to the specific process
/// </summary>
/// <param name="filterMask">the file filter mask of the filter rule</param>
/// <param name="processName">the process name will be added the access rights, e.g. notepad.exe or c:\windows\*.exe</param>
/// <param name="accessFlags">the access rights</param>
/// <returns>return true if it succeeds</returns>
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddProcessRightsToFilterRule(
[MarshalAs(UnmanagedType.LPWStr)]string filterMask,
[MarshalAs(UnmanagedType.LPWStr)]string processName,
uint accessFlags);
/// <summary>
/// Add the access rights of the process with the sha256 hash to the filter rule.
/// allows you to set the access rights to your trusted process.
/// </summary>
/// <param name="filterMask">The filter rule file filter mask.</param>
/// <param name="imageSha256">the sha256 hash of the executable binary file.</param>
/// <param name="hashLength">the length of the sha256 hash, by default is 32.</param>
/// <param name="accessFlags">the access flags for the setting process.</param>
/// <returns>return true if it is succeeded.</returns>
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddSha256ProcessAccessRightsToFilterRule(
[MarshalAs(UnmanagedType.LPWStr)]string filterMask,
byte[] imageSha256,
uint hashLength,
uint accessFlags);
/// <summary>
/// Add the access rights of the process which was signed with the certificate to the filter rule.
/// allows you to set the access rights to your trusted process.
/// </summary>
/// <param name="filterMask">The filter rule file filter mask.</param>
/// <param name="certificateName">the subject name of the code certificate to sign the process.</param>
/// <param name="lengthOfCertificate">the length of the certificate name</param>
/// <param name="accessFlags">the access flags for the setting process.</param>
/// <returns>return true if it is succeeded.</returns>
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddSignedProcessAccessRightsToFilterRule(
[MarshalAs(UnmanagedType.LPWStr)]string filterMask,
[MarshalAs(UnmanagedType.LPWStr)]string certificateName,
uint lengthOfCertificate,
uint accessFlags);
/// <summary>
/// Set the access control flags to process with the processId
/// </summary>
/// <param name="filterMask">the filter rule file filter mask</param>
/// <param name="processId">the process Id which will be added the access control flags</param>
/// <param name="accessFlags">the access control flags</param>
/// <returns>return true if it succeeds</returns>
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddProcessIdRightsToFilterRule(
[MarshalAs(UnmanagedType.LPWStr)]string filterMask,
uint processId,
uint accessFlags);
/// <summary>
/// Set the access control rights to specific users
/// </summary>
/// <param name="filterMask">the filter rule file filter mask</param>
/// <param name="userName">the user name you want to set the access right</param>
/// <param name="accessFlags">the access rights</param>
/// <returns></returns>
[DllImport("FilterAPI.dll", SetLastError = true)]
public static extern bool AddUserRightsToFilterRule(
[MarshalAs(UnmanagedType.LPWStr)]string filterMask,
[MarshalAs(UnmanagedType.LPWStr)]string userName,
uint accessFlags);