EaseFilter SDK FAQ

1. What license do I need to buy?
You can use in house developer license if the derived works will only be deployed to one site (physical location) within your organization.
You need to use OEM developer license if you need to distribute your product to outside of your organization with royalty free.
You need to use source code license if you want to customize or modify the SDK code, the source code license includes an OEM developer license.

2. Can I upgrade my license from In House to OEM, or to Source Code License?
Yes, you can upgrade your license within 3 months after you purchase the license, the price difference will be charged, your subscription date is the date of the first purchasing.

3. How many licenses do I need to buy?
A license must be purchased for each developer in the team, or for each location the derived works will be deployed at, whichever is the greater.For the additional developer license, the price is the 50% of the regular developer license.

4. What programming langue do I need to use for the Filter Driver SDK?
The Filter Driver SDK can be used with any programming language, as long as the language can load the Windows DLL, currently we offer C++/C# demo source code to demo how to use the filter driver SDK.

5. What I/O can I intercept with the Filter Driver SDK?
In theory the Filter Driver SDK can intercept all the file I/Os: file open, file creation, file reading, file writing, file rename, file deletion, query file informaiton, change file information, query file security, change file security, folder browsing.

6. What is the EaseFilter File System Monitor Filter Driver SDK?
The Monitor Filter Driver SDK is the development kit of file system filter driver in Windows, which can monitor the file I/O events, you can know who ( user name, process name ) has accessed the files, changed the files or delete the files.

7. What is the EaseFilter File System Control Filter Driver SDK?
The Control Filter Driver SDK is the development kit of file system filter driver in Windows, which can block the file I/O access (browse the folder, file open, read file data, write data to file, file rename or delete the file) by the unauthorized users or processes.

8. What is the EaseFilter File System Encryption Filter Driver SDK?
The Encryption Filter Driver SDK is the development kit of file system filter driver in Windows, which can transparently encrypt the the block data when you write block data to the file, decrypt the block data when you read the encrypted file in memory, your encrypted files in disk are always encrypted.

9. Can I use Monitor Filter Driver SDK, Control Filter Driver SDK and Encryption Filter Driver SDK in the same time?
Yes, you can enable these three filter driver type together in your application if your license was covered with three filter driver type.

10. Is it safe to install the EaseFilter SDK?
Yes, EaseFilter Filter Driver SDK has been deployed to hundreds of end user since 2011. The EaseFilter Filter Driver has passed the Microsoft HLK certification program, was signed by Microsoft 256 bit certificate.

11. I have a special requirement, can you customize the filter driver for me?
Yes, we can customize the filter driver or develop the user mode application as your request, the consultant fee will be charged.

12. Does the filter driver SDK support Windows service?
Yes, in our demo projects, we have C++ and C# source code to demo how to use the filter driver in Windows service.

13. Does the filter driver SDK support double bytes character set, for example Chinese and Japanese?
Yes, the file name in the filter driver was implemented with unicode string, to support the double set characters, the filter mask must be passed with unicode string.

14. How can I start the filter driver in safe mode?
To load the filter driver in safe mode, you need to change the value of the key “Start”  to 0 in registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EaseFilter

15. What is a filter rule?
A filter rule is the policy for the filter driver, if the file name matchs the "IncludeFilterMask", if it is the excluded filter rule, the filter driver will skip the files, or the filter driver will check if it needs to manage the file based on the policy of the filter rule. To manage your files, you need to create at least one filter rule, you can have multiple filter rules. A filter rule only can have one unique include file mask, A filter rule can have multiple exclude file masks, multiple include process names and exclude process names, multiple include process Ids and exclude process Ids, multiple include user names and exclude user names.

16. Can I prevent my process from being terminated?
Yes, with the control filter driver, you can add the protect process Id to the filter driver with API "AddProtectedProcessId", it will block the process being terminated by other processes.

17. Why I can't get the read IO when I open the text file with notepad?
Because the notepad open the file with memory mapping, if the file content is not mapped in the memory, it will trigger a read IO, or it will get the data from the memory directly. So if the file was opened before your service was started, you can't see the read IO. To get the better test result, you can reboot your computer, start your service first before open any files.

18. What is PRE IO and POST IO message type?
Windows file I/O operations are layered, a filter driver is sitting on the layer between the IO manager and the file system. when a user application invokes a Win32 API, the I/O request will go down to the filter driver from the IO manager, the filter driver then pass the IO to the file system, after the file system procesed the IO, it will return the IO with result to the filter driver, then back to the user. A PRE IO is the IO in the filter driver coming from IO manager before going down to the file system. A POST IO is the IO in the filter driver coming back from file system after it was processed.

19. Do I register PRE IO or POST IO for my callback function?
For Control Filter Driver SDK, if you want to block the file access ( open, read, write, rename, delete), you need to register the PRE IO.
For Monitor Filter Driver SDK, you only can register the POST IO.

20. How do I know if my file was encrypted?
If you open the encrypted file without the filter driver service running, the encrypted data will be returned.. For the encrypted file, the "Reparse Point" file attribute was added, you will see the 'P' in the attriube tab of the encrypted file.

21. If I want to monitor File IO ( creation,rename,delete,write,security change,file info change, file read) in c:\test folder, what do I need to set?
First you need to enable the monitor filter driver, then you can register the event type as below:

FilterRule monitorFilterRule = new FilterRule();
monitorFilterRule.IncludeFileFilterMask = "c:\\test\\*";
monitorFilterRule.AccessFlag = FilterAPI.ALLOW_MAX_RIGHT_ACCESS;
monitorFilterRule.EventType = (uint)(FilterAPI.EVENTTYPE.CREATED | FilterAPI.EVENTTYPE.DELETED | FilterAPI.EVENTTYPE.RENAMED | FilterAPI.EVENTTYPE.WRITTEN
| FilterAPI.EVENTTYPE.READ | FilterAPI.EVENTTYPE.INFO_CHANGED | FilterAPI.EVENTTYPE.SECURITY_CHANGED);

GlobalConfig.FilterRules.Add(monitorFilterRule.IncludeFileFilterMask, monitorFilterRule);