To block read/write operation moving out of winfsp


Nikhilesh Susarla

Oct 14, 2023, 4:46:12 AM
to WinFsp
I was looking for a way to detect whether a drive's data is being moved out of that drive to another drive.

So, does WinFsp provide any such capability to detect that an operation is being performed which is moving or reading data out of a WinFsp drive?

I was looking at winfsp.h and there is something: "FspFileSystemSetOperationGuardStrategy - Set file system locking strategy."

Is there more to read about what it does, and how it helps for which locking strategy?

Thank you

Bill Zissimopoulos

Oct 16, 2023, 4:42:05 AM
to Nikhilesh Susarla, WinFsp

There is no way to reliably detect if drive data is being copied out of a WinFsp drive to another drive using file systems. A file system implements simple Read and Write operations that do not carry a “reason” with them. When the file system receives a Read there is no way for it to know what the application performing the Read is going to use the data for. It might very well write the data to another file system.

 

The best you can do is apply some heuristics. For example, if an application has read more than 10 files in sequence from beginning to end it may be trying to copy the data, especially if that application is cmd.exe or explorer.exe. Of course such heuristics are brittle, they can break applications that do not copy your data and they can be easily circumvented.

 

A slightly better way would be to implement a filter driver that sits on top of two different drives and detects data moving across file systems. But that could easily be circumvented (e.g. an application could encrypt and pad (change the size of) the copied data when placing them on the destination drive and the filter driver would be unable to detect the copy). This is also outside the scope of WinFsp.

 

Bill
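
The sequential-read heuristic from the reply above, sketched as an added example that is not part of the original thread and is not WinFsp code. The handler names `on_open`, `on_read`, `on_close` and the `proc_state` struct are hypothetical; it assumes the caller supplies a nonzero process id and that each process reads one file at a time.

```c
#include <stdint.h>
#include <stdio.h>
#define COPY_THRESHOLD 10   /* "more than 10 files", from the reply above */
#define MAX_PROCS 16

/* Hypothetical per-process state; none of these names are WinFsp API. */
typedef struct {
    uint32_t pid;           /* 0 marks a free slot, so callers pass nonzero pids */
    uint64_t size, next;    /* size of the open file, next expected read offset */
    int sequential;         /* 1 while reads run front to back with no gaps */
    unsigned streak;        /* consecutive files read in full, in order */
} proc_state;
static proc_state procs[MAX_PROCS];

/* Find the slot for pid, or claim a free (zeroed) one; NULL if the table is full. */
static proc_state *lookup(uint32_t pid) {
    proc_state *slot = NULL;
    for (int i = 0; i < MAX_PROCS; i++) {
        if (procs[i].pid == pid) return &procs[i];
        if (procs[i].pid == 0 && !slot) slot = &procs[i];
    }
    if (slot) slot->pid = pid;
    return slot;
}

/* Call when a process opens a file of file_size bytes. */
void on_open(uint32_t pid, uint64_t file_size) {
    proc_state *p = lookup(pid);
    if (p) { p->size = file_size; p->next = 0; p->sequential = 1; }
}

/* Call for each read; a seek or re-read breaks the sequential pattern. */
void on_read(uint32_t pid, uint64_t offset, uint32_t length) {
    proc_state *p = lookup(pid);
    if (!p) return;
    if (offset != p->next) p->sequential = 0;
    p->next = offset + length;
}

/* Call on close; returns 1 once the process exceeds the threshold. */
int on_close(uint32_t pid) {
    proc_state *p = lookup(pid);
    if (!p) return 0;
    p->streak = (p->sequential && p->size && p->next >= p->size) ? p->streak + 1 : 0;
    return p->streak > COPY_THRESHOLD;
}

int main(void) {   /* constructed events: pid 100 reads twelve 8 KiB files in full */
    for (int i = 1; i <= 12; i++) { on_open(100, 8192); on_read(100, 0, 8192); printf("file %d flagged=%d\n", i, on_close(100)); }
    return 0;
}
```

Any out-of-order or partial read resets the streak, so a process that does not read files front to back is never flagged, which is the brittleness the reply describes.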


Nikhilesh Susarla

Oct 27, 2023, 6:36:02 AM
to WinFsp
With regard to the above conversation, I was checking whether the security descriptor provides a way to add some custom information, since for every file we can add our FileSecurity, i.e. whether we can add a custom data/value. Then I can run a watcher outside of my drive and check whether that FileSecurity custom value matches what I wrote. This can help me uniquely identify my file which came from the WinFsp drive.

But I can't find it specifically. If you know of any, can you point me to resources to read more on that? I think even extended attributes can work the same way? Have a custom attribute along with the other attributes and then watch using my file watcher.

I know a watcher itself is bad, but I want to restrict my file movements outside of my drive.

Is there a way to determine which file system type the file is coming from? I know it's not that possible or close to possible. Say, if I can determine that the file is coming from one file system to another, like FAT32 to NTFS, can we detect that? Do you think we can use something similar?

I have very limited knowledge on the depth of the above. So, any resources to read more would be great.

Thank you