CBFS Filter 2020 C++ Builder Edition


Default Rules

Default rules are a special type of filter rule supported by the CBFilter and CBRegistry components. Default rules work the same way that access rules do, with one notable exception: they are managed by a component's system driver rather than the component itself. As a result, they become active as soon as the component's system driver loads at boot time, and then continue to be enforced at all times, regardless of whether the application that originally added them is open.

Note that default rules have lower priority than all other filter rules. This means that when the application opens and begins to add other kinds of filter rules, any rules which "overlap" a default rule (i.e., those whose masks match one or more of the files or registry keys covered by a default rule) will take precedence, overriding the applicable default rule. When such a rule is removed (either directly, or due to the application closing), the default rule that it was overriding will become active again.

The CBFilter and CBRegistry components provide the following methods for managing default rules:

The component's system driver stores information about default rules in the registry under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services key, which has restricted accessibility. Applications must therefore be running with Administrator or System Service rights (or their equivalent) in order to successfully add or remove default rules. (Running the application from an account that belongs to the Administrators group is not sufficient.)

Please note that default rules only work when a component's system driver is loaded. This means that default rules won't be available, e.g., if the system boots in safe mode. Refer to the Loading Drivers in Safe Mode topic for more information.
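The precedence and lifetime behaviour described above, as a small conceptual model in portable C++. This is an added illustration, not Callback Technologies code or the CBFilter/CBRegistry API; the `Rule` and `FilterModel` types, the action labels, and the wildcard semantics are assumptions.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Conceptual model only. Rule, FilterModel and the action labels are constructed
// for illustration; they are not the CBFilter/CBRegistry API or driver logic.
struct Rule {
    std::string mask;    // e.g. "C:\\Data\\*.db"
    std::string action;  // constructed label such as "read-only"
};

// Assumed mask semantics: '*' matches any run of characters, '?' exactly one,
// comparison is case-insensitive.
bool maskMatches(const std::string& m, const std::string& s,
                 size_t i = 0, size_t j = 0) {
    if (i == m.size()) return j == s.size();
    if (m[i] == '*')
        return maskMatches(m, s, i + 1, j) ||
               (j < s.size() && maskMatches(m, s, i, j + 1));
    if (j == s.size()) return false;
    bool same = m[i] == '?' ||
                std::tolower((unsigned char)m[i]) == std::tolower((unsigned char)s[j]);
    return same && maskMatches(m, s, i + 1, j + 1);
}

struct FilterModel {
    std::vector<Rule> defaultRules;  // held by the driver, survive app exit
    std::vector<Rule> appRules;      // added by the running application
    bool driverLoaded = true;        // false models a boot without the driver

    // Rules added by the application go away when it closes.
    void applicationClosed() { appRules.clear(); }

    // Action in force for `path`; an empty string means no rule applies.
    std::string effective(const std::string& path) const {
        if (!driverLoaded) return "";                 // no driver, no rules
        for (const auto& r : appRules)                // any overlap wins
            if (maskMatches(r.mask, path)) return r.action;
        for (const auto& r : defaultRules)            // lowest priority
            if (maskMatches(r.mask, path)) return r.action;
        return "";
    }
};
```

In this model an overlapping application rule replaces the default rule outright for the paths it matches, so a protective default rule is in force only for paths that no application rule currently covers.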

 
 
Copyright (c) 2020 Callback Technologies, Inc. - All rights reserved.
CBFS Filter 2020 C++ Builder Edition - Version 20.0 [Build 7543]