EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Real User or System ?

Posted: 11/11/2014 00:52:03
by Emile Lugassy (Basic support level)
Joined: 11/11/2014
Posts: 3


Using CallbackFilter, I get a huge amount of callbacks. However, I'm looking for a way to distinguish between system operations and user operations.

How can I tell the difference between a system-originated operation and a user-originated operation?

As an example, when I open a txt file with Explorer:

path                                  operation  originatorProcess        ProcessId  Username  result
C:\Users\luga\Dropbox\afac\mydoc.txt  OpenFileN  C:\Windows\explorer.exe  7336       luga      SUCCESS

But I have the same signature when explorer.exe just opens each file for its own reasons...

Posted: 11/11/2014 01:06:53
by Eugene Mayevski (Team)

The user doesn't open a file. He tells the computer to do this. And you are looking for a way to distinguish between operations performed by Explorer on user's request and performed by Explorer due to internal logic of Explorer.

Explorer scans directories and opens files in the current directory to get metadata and sometimes thumbnails. This is how it was designed and you can neither detect this behavior nor prevent it.

Moreover the pattern is different for various versions of Windows, so it's not possible to use behavior patterns for detection of "automated" open operations.

Sincerely yours
Eugene Mayevski
Posted: 11/11/2014 02:30:52
by Emile Lugassy (Basic support level)
Joined: 11/11/2014
Posts: 3

True, you formulated my question more correctly than me...

I don't want to prevent anything; I'm just trying to filter because my logic will apply to user-originated files.

Any hint or idea I can search for to reduce the number of non-user-generated operations? I don't need to be super precise...
Posted: 11/11/2014 02:32:45
by Eugene Mayevski (Team)

This question is asked frequently for CBFS and the answer is negative.

Sincerely yours
Eugene Mayevski
Posted: 11/11/2014 02:45:39
by Emile Lugassy (Basic support level)
Joined: 11/11/2014
Posts: 3

At least it is clear... thank you