EaseFilter File System Monitor Filter SDK Component
3.82/5 (498 Reviews)
File system monitor filter can monitor the file system activities on the fly.
FREE DOWNLOAD (v4.0.1.3)
File Size: 3984KB | Safe & Verified
Key Features of EaseFilter File System Monitor Filter SDK
- File system monitor filter can monitor the file system activities on the fly.
- With the file system monitor filter you can monitor file activities at the file system level and capture file open, create, overwrite, read, write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests.
How to Monitor File System Activity in Real-Time
The EaseFilter File Monitor SDK allows you to capture detailed logs of every file access event. Follow these steps to start auditing your file system:
- Define a Monitoring Filter Rule: Create a FileFilterRule to specify which paths to monitor. You can use wildcards like C:\SensitiveData\* to track an entire directory or *.docx to focus only on specific file types.
- Configure Process and User Filters: To reduce log noise, you can exclude trusted processes like backup.exe or specific administrative users. Conversely, you can set the rule to only monitor activity from specific high-risk applications.
- Register Post-Event Callbacks: Subscribe to events like OnPostFileWrite or OnPostMoveOrRenameFile. These trigger after an action occurs, providing the full context: who did it, what process they used, the file path, and if the operation succeeded.
- Export to SIEM (Optional): Format the captured event data into JSON to integrate with tools like Splunk or Elastic Stack. This allows you to build real-time dashboards and alerts for suspicious file activity across your entire network.
Pro Tip: Monitoring "Read" operations on every file can create massive log files. For best performance, only monitor Write, Delete, and Rename events unless your compliance policy specifically requires a full read audit.
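The filtering and export steps above, sketched as an added example (not EaseFilter's code or API): a user-mode stage that applies path masks, a process exclusion and a write/delete/rename allowlist, then emits one JSON object per line for a SIEM forwarder. The record field names, the policy constants and the sample events are assumptions constructed for illustration; in practice the SDK's post-event callbacks would supply the records.

```python
import fnmatch
import json
from ntpath import basename  # Windows path rules on any host OS

# Hypothetical policy mirroring the steps above; not the SDK's own types.
INCLUDE_MASKS = [r"C:\SensitiveData\*", "*.docx"]
EXCLUDED_PROCESSES = {"backup.exe"}
AUDITED_EVENTS = {"write", "delete", "rename"}  # reads skipped, per the Pro Tip


def matches_policy(event):
    """Return True if a post-event record should be forwarded to the SIEM."""
    if event["event"].lower() not in AUDITED_EVENTS:
        return False
    if basename(event["process"]).lower() in EXCLUDED_PROCESSES:
        return False
    path = event["path"].lower()  # Windows paths compare case-insensitively
    return any(fnmatch.fnmatchcase(path, m.lower()) for m in INCLUDE_MASKS)


def to_siem_lines(events):
    """Serialize matching events as newline-delimited JSON strings."""
    return [json.dumps(e, sort_keys=True) for e in events if matches_policy(e)]


# Constructed sample records; every value here is made up for the example.
SAMPLE_EVENTS = [
    {"event": "write", "path": r"C:\SensitiveData\payroll.xlsx",
     "process": r"C:\Windows\explorer.exe", "user": r"CORP\alice",
     "remote_ip": None, "success": True},
    {"event": "read", "path": r"C:\SensitiveData\payroll.xlsx",
     "process": r"C:\Windows\explorer.exe", "user": r"CORP\alice",
     "remote_ip": None, "success": True},
    {"event": "write", "path": r"C:\SensitiveData\archive.bak",
     "process": r"C:\Tools\backup.exe", "user": r"CORP\svc_backup",
     "remote_ip": None, "success": True},
    {"event": "rename", "path": r"D:\Share\Report.DOCX",
     "process": "System", "user": r"CORP\bob",
     "remote_ip": "192.0.2.10", "success": True},
    {"event": "delete", "path": r"C:\Temp\scratch.txt",
     "process": r"C:\Windows\explorer.exe", "user": r"CORP\alice",
     "remote_ip": None, "success": False},
]

if __name__ == "__main__":
    for line in to_siem_lines(SAMPLE_EVENTS):
        print(line)
```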
Frequently Asked Questions
Yes. The File Monitor SDK can identify network-based access. When a file on a Windows server is accessed via the network, the driver captures the Remote IP address and the user name associated with the connection.
The SDK uses an efficient Kernel-mode Filter Manager framework. Performance impact is minimal because filtering happens at the driver level. However, impact increases if you log every single 'Read' operation or if your user-mode callback performs complex processing for every event.
The File Monitor SDK is primarily for auditing and logging (post-events). To actively block operations like deletion in real-time, you would need to use the File Control Filter Driver SDK, which handles pre-event interventions.
Ensure that: 1) You are running the application as Administrator. 2) You have added at least one valid Filter Rule with a correct path mask. 3) The filter driver service has been successfully started via the StartFiltering() method.
Technical Specifications
- Publisher: Easefilter.com
- License: Shareware
- Operating System: Windows 7, Windows 8, Windows 10, Windows 11
- Category: Development And IT / Languages And Scripts