EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Question on filter monitoring behaviour when files are renamed

Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.
#36749
Posted: 05/18/2016 06:20:00
by Chris Spiteri (Standard support level)
Joined: 10/06/2014
Posts: 57

Hello,

We have a question about the behaviour of the filter when monitoring write activity on a file which is renamed.

We had a case where we assigned a write-notification rule on a file for monitoring. The rule included the full filename and its extension, and write activity was detected successfully. The file was then renamed, but we noticed that even though the write notification callback was called successfully with every write, the filename that it returned was the previous/old filename.

Our concern is that we might end up in a situation where we start missing write notifications on files that are renamed.

What is the behaviour of the filter in this case, and are there any steps you recommend for us not to miss any write notifications on the renamed file?

Thanks and best regards,
Chris
#36755
Posted: 05/18/2016 12:09:51
by Vladimir Cherniga (EldoS Corp.)

Quote
Chris Spiteri wrote:
What is the behaviour of the filter in this case, and are there any steps you recommend for us not to miss any write notifications on the renamed file?

CallbackFilter performs file rename tracking and update full name information in post-process, when operation completes by file system. In that short period of processing there is possible that you observe file read/write requests with a name was used before renaming. Especially, when file is kept opened during rename operation. Tracking rename or move information through callbacks is the only way to know that file name or disposition was changed.
If the file wasn't opened during rename operation, all further requests will be visible with updated file name.
#36766
Posted: 05/19/2016 05:42:08
by Chris Spiteri (Standard support level)
Joined: 10/06/2014
Posts: 57

Thanks for your reply. We are observing different behaviour to what was described in your reply.

As an example:

1. We start monitoring file with name ABC with the CallbackFilter and write notifications start coming in with the filename "ABC" of course.

2. Some other application closes the file, renames it to XYZ (while it is closed), re-opens it and continues making changes. During this time, we do not modify or update the CallbackFilter rules etc..

3. After the rename, for the subsequent writes we still receive write notifications for the old filename "ABC"... this lasts for minutes and hours if left as is. However checking with procmon, we see the events in procmon with the new filename (XYZ), while simultaneously receiving the write notifications on the old name (ABC) from the CallbackFilter.

4. As soon as we start monitoring the new name "XYZ" in the CallbackFilter, the write notifications now start coming in with the NEW name XYZ. However in once instance this did not happen (possibly due to some filename sorting etc.?) and the write notifications kept coming on the old filename even after updating the CallbackFilter rule with the new filename.

What we want to clarify most at this stage is whether this is normal/expected behaviour of the CallbackFilter, or whether we stumbled on some unexpected behaviour.

If you want, we can write a small program that simulates this behaviour and upload it to you for review.

Thanks and best regards,
Chris
#36767
Posted: 05/19/2016 06:03:04
by Vladimir Cherniga (EldoS Corp.)

I am open a corresponding ticket to continue discussion there.

Reply

Statistics

Topic viewed 1454 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!