Real User or System ?

#31390
Posted: 11/11/2014 00:52:03
by Emile Lugassy (Basic support level)
Joined: 11/11/2014
Posts: 3

Hi

Using CallbackFilter, I get a huge amount of callbacks. However, I'm looking for a way to distinguish between system operations and user operations.

How can I tell the difference between a system-originated operation and a user-originated operation?

As an example: when I open a txt file with Explorer:

path                                  operation  originatorProcess        ProcessId  Username  result
C:\Users\luga\Dropbox\afac\mydoc.txt  OpenFileN  C:\Windows\explorer.exe  7336       luga      SUCCESS

But I have the same signature when explorer.exe just opens each file for its own reasons...

Thanks
E
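As an added example (not EldoS code, and not a way to answer the user-vs-system question itself), the following Python parses callback records laid out like the six-column sample in the post above and summarises them per originating process. The whitespace-delimited layout, the constructed sample lines and the helper names are assumptions for this illustration; the only thing the record actually carries is the originating image, PID and user, so the most that can be done with it is to group and coarsely drop known noisy originators.

```python
"""Parse CallbackFilter-style operation records and summarise them per
originator process.  Added example, not EldoS code; the six-column record
layout is assumed from the sample in the post above."""
import ntpath
from collections import Counter
from typing import Iterable, List, NamedTuple, Set


class FileOp(NamedTuple):
    path: str
    operation: str
    originator: str   # full image path of the originating process
    pid: int
    username: str
    result: str


# Constructed sample records modelled on the post's example line (the first
# line is the header).  Real paths containing spaces would need a delimiter
# other than whitespace.
SAMPLE_LOG = """\
path operation originatorProcess ProcessId Username result
C:\\Users\\luga\\Dropbox\\afac\\mydoc.txt OpenFileN C:\\Windows\\explorer.exe 7336 luga SUCCESS
C:\\Users\\luga\\Dropbox\\afac\\notes.txt OpenFileN C:\\Windows\\explorer.exe 7336 luga SUCCESS
C:\\Users\\luga\\Dropbox\\afac\\Thumbs.db OpenFileN C:\\Windows\\explorer.exe 7336 luga SUCCESS
C:\\Users\\luga\\Dropbox\\afac\\mydoc.txt OpenFileN C:\\Windows\\System32\\notepad.exe 8120 luga SUCCESS
C:\\Windows\\Temp\\svc.log OpenFileN C:\\Windows\\System32\\svchost.exe 912 SYSTEM SUCCESS
"""


def parse_line(line: str) -> FileOp:
    """Split one whitespace-delimited record into its six fields."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    path, operation, originator, pid, username, result = fields
    return FileOp(path, operation, originator, int(pid), username, result)


def parse_log(text: str) -> List[FileOp]:
    """Parse all non-empty lines, skipping the header row if present."""
    ops = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("path "):
            continue
        ops.append(parse_line(line))
    return ops


def image_name(op: FileOp) -> str:
    """Case-folded executable name, e.g. 'explorer.exe', used for grouping."""
    return ntpath.basename(op.originator).lower()


def count_by_originator(ops: Iterable[FileOp]) -> Counter:
    """How many operations each originating image produced."""
    return Counter(image_name(op) for op in ops)


def drop_originators(ops: Iterable[FileOp], noisy: Set[str]) -> List[FileOp]:
    """Coarse volume reduction: drop every record whose originating image is
    in `noisy`.  This cannot separate a user-requested open from Explorer's
    own metadata scans (both carry the same signature); it only cuts volume."""
    return [op for op in ops if image_name(op) not in noisy]


if __name__ == "__main__":
    ops = parse_log(SAMPLE_LOG)
    for image, n in count_by_originator(ops).most_common():
        print(f"{n:4d}  {image}")
    kept = drop_originators(ops, {"explorer.exe"})
    print(f"{len(kept)} of {len(ops)} records remain after dropping explorer.exe")
```

Running it on the sample groups three records under explorer.exe and leaves two after that image is dropped; the per-image counts are what tell you which originators dominate the callback volume, which is the only distinction the record supports.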
#31391
Posted: 11/11/2014 01:06:53
by Eugene Mayevski (EldoS Corp.)

The user doesn't open a file. He tells the computer to do this. And you are looking for a way to distinguish between operations performed by Explorer on the user's request and those performed by Explorer due to Explorer's internal logic.

Explorer scans directories and opens files in the current directory to get metadata and sometimes thumbnails. This is how it was designed and you can neither detect this behavior nor prevent it.

Moreover the pattern is different for various versions of Windows, so it's not possible to use behavior patterns for detection of "automated" open operations.


Sincerely yours
Eugene Mayevski
#31392
Posted: 11/11/2014 02:30:52
by Emile Lugassy (Basic support level)
Joined: 11/11/2014
Posts: 3

True, you formulated my question more correctly than me...

I don't want to prevent anything, I'm just trying to filter, because my logic will apply to user-originated files.

Any hint or idea I can search for to reduce the number of non-user-generated operations? I don't need to be super precise...
Thanks
E.
#31393
Posted: 11/11/2014 02:32:45
by Eugene Mayevski (EldoS Corp.)

This question is asked frequently for CBFS and the answer is negative.


Sincerely yours
Eugene Mayevski
#31394
Posted: 11/11/2014 02:45:39
by Emile Lugassy (Basic support level)
Joined: 11/11/2014
Posts: 3

At least it is clear... thank you
