
Preventing file from being opened much like a virus checker


Jim Culver

Jul 1, 2009, 1:01:53 PM
Hey All,

I have an unusual requirement so I thought I'd solicit your opinions
before I start heading down the wrong path.

For the project I am working on I have a need to stop users opening
files if they have been blacklisted by the organization. I won't go
into the reason why the files can be blacklisted as this is
confidential to the organization I am working for, for now can we just
assume that I will be provided with a list of file paths which can not
be opened by the user.

The other interesting part to this is that we will not be allowed to
change the security permissions to the file or containing folders or
implement anything on the file server or to move the files from their
current location.

So in a nutshell what I have been asked to do is when a user attempts
to open a file on their machine, check it against the list of
blacklisted files and if it has been blacklisted then stop the file
from being opened.

So I was thinking along the lines that this must work slightly like a
virus checker in the respect that some virus checkers scan a file
before you open it and prevent you from opening if it contains a
virus.

So I think what I need to be able to do is

1) Detect when a user is trying to open a file bearing in mind the
file will often be on a remote machine.

2) Check the file to see if it is a blacklisted file

3) Stop the file from being opened if it is blacklisted.


So I guess where I come unstuck is on points 1 and 3.

Guess my first question is...has anyone got any idea of how I can tell
when a file is being opened? I have already disregarded using the
file system watcher as I can not predict which remote folders I'd need
to watch in advance. I have also disregarded writing add-ins for Word/
Excel etc. as the solution needs to be able to prevent all applications
from being able to open the file.

My second question is...assuming I can tell when a file is being
opened is there any way I can stall the process and then allow it to
continue once I have verified that the file is not blacklisted?

Any suggestions would be greatly appreciated.

Thanks

Jim

Peter Duniho

Jul 1, 2009, 5:06:45 PM
On Wed, 01 Jul 2009 10:01:53 -0700, Jim Culver <jculv...@gmail.com>
wrote:

> [...]


> Guess my first question is...has anyone got any idea of how I can tell
> when a file is being opened? I have already disregarded using the
> file system watcher as I can not predict which remote folders I'd need
> to watch in advance.

Even if you could, FileSystemWatcher only informs you of changes to
files. Simply opening a file wouldn't cause an event to be raised, and
even if it did, there's nothing you could do about it (i.e. it's simply
"fyi"...it wouldn't provide you the opportunity to actually _do_ anything
about it).

> I have also disregarded writing add-ins for Word/
> Excel etc. as the solution needs to be able to prevent all applications
> from being able to open the file.

The only way to do that is at a much lower level than .NET provides access
to. As you've noted already, you're essentially operating at the same
level as a virus checker program, and you need to get much closer to the
file system than is possible in .NET for something like that.

> My second question is...assuming I can tell when a file is being
> opened is there any way I can stall the process and then allow it to
> continue once I have verified that the file is not blacklisted?

At the correct level, you have complete control. Just as a virus checker
intercepts i/o between a program and a file, so too would your own
program. In the process of doing that, it could simply delay the
completion of i/o in the accessing program, until your own program has
determined whether the file is allowed or not.

But you'll basically have to write a virus checker, albeit with
specialized features, to accomplish this. It's not really a .NET thing.

Pete

ib.dan...@googlemail.com

Jul 2, 2009, 3:54:40 AM

For a requirement like this, you must develop a "filter driver" for
Windows. Not a trivial task and I don't think it's possible in .NET.
Just google for it and you may find some ideas.

cubaman

Jul 3, 2009, 3:28:18 AM
On Jul 1, 7:01 pm, Jim Culver <jculverw...@gmail.com> wrote:

Hello Jim:
What you want can be done with operating system ACL, you don't need a
program for that.

Ben Voigt [C++ MVP]

Jul 21, 2009, 3:48:53 PM

"Jim Culver" <jculv...@gmail.com> wrote in message
news:ab6464c7-0a37-4335...@o6g2000yqj.googlegroups.com...


> Hey All,
>
> I have an unusual requirement so I thought I'd solicit your opinions
> before I start heading down the wrong path.
>
> For the project I am working on I have a need to stop users opening
> files if they have been blacklisted by the organization. I won't go
> into the reason why the files can be blacklisted as this is
> confidential to the organization I am working for, for now can we just
> assume that I will be provided with a list of file paths which can not
> be opened by the user.
>
> The other interesting part to this is that we will not be allowed to
> change the security permissions to the file or containing folders or
> implement anything on the file server or to move the files from their
> current location.

May I assume that this requirement is because changing security would break
something important?

So this actually makes your problem even more difficult, you have to not
only detect access to the controlled resource, but also whether the access
was initiated by the user (block it) or by the important service (allow it).

Changing the important services to use an alternate user account and then
restricting access to that account is definitely the right way to go.
Trying to hack something using filesystem filters is just going to cause a
lot of pain. How many different names are there for the same file? I can
think of *LOTS*.

If you must treat the file server as readonly, the thing to do seems to be
to reserve the existing user accounts for the important services and create
new accounts for your users that don't have permissions to those files.
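
The "many names for the same file" problem raised in the last reply, as an added example that is not part of the original thread: it compares a path-string blacklist check with one that matches on file identity. The directory tree, file names and function names are constructed for the illustration, and it assumes the file system reports stable device and file IDs.

```python
import os
import tempfile


def file_identity(path):
    """Return (device, file id) of the object a path resolves to, or None."""
    try:
        st = os.stat(path)  # follows links, so a link resolves to its target
    except OSError:
        return None
    # On Windows, Python fills these from the volume serial number and file index.
    return (st.st_dev, st.st_ino)


def build_blocklist(listed_paths):
    """Resolve every listed path once to the identity of the file behind it."""
    ids = {file_identity(p) for p in listed_paths}
    ids.discard(None)  # listed paths that do not exist contribute nothing
    return ids


def blocked_by_string(path, listed_paths):
    """Naive check: exact comparison of path strings."""
    return path in listed_paths


def blocked_by_identity(path, blocked_ids):
    """Identity check: every name of a listed file yields the same pair."""
    return file_identity(path) in blocked_ids


def demo():
    """Build a constructed tree; return {label: (string_hit, identity_hit)}."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")
        os.makedirs(share)
        listed = os.path.join(share, "report.doc")
        unrelated = os.path.join(share, "notes.txt")
        for p in (listed, unrelated):
            with open(p, "w") as fh:
                fh.write("constructed sample content\n")
        second_name = os.path.join(root, "copy.doc")
        os.link(listed, second_name)  # second directory entry, same file
        names = {
            "listed": listed,
            "dotted": os.path.join(share, "..", "share", "report.doc"),
            "hardlink": second_name,
            "unrelated": unrelated,
        }
        ids = build_blocklist([listed])
        return {label: (blocked_by_string(p, [listed]), blocked_by_identity(p, ids))
                for label, p in names.items()}
```

Only the identity check recognises the dotted path and the second directory entry as the listed file. Identities have to be resolved again whenever a listed file is replaced, because a recreated file gets a new ID.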
