Default Rules
Default rules are a type of special filter rule supported by the CBFilter and CBRegistry classes. Default rules work the same way that access rules do, with one notable exception: they are managed by the class's system driver rather than by the class itself. As a result, they become active as soon as the class's system driver loads at boot time, and they continue to be enforced at all times, regardless of whether the application that originally added them is running.
Note that default rules have lower priority than all other filter rules. This means that when the application opens and begins to add other kinds of filter rules, any rules that "overlap" a default rule (i.e., those whose masks match one or more of the files or registry keys covered by a default rule) take precedence, overriding the applicable default rule. When such a rule is removed (either directly, or because the application closes), the default rule that it was overriding becomes active again.
The CBFilter and CBRegistry classes provide the following methods for managing default rules:
- AddDefaultRule
- DeleteDefaultRule
- SuspendDefaultRules
- CreateDefaultRulesSnapshot
- CloseDefaultRulesSnapshot
The class's system driver stores information about default rules in the registry under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services key, which has restricted access permissions. Applications must therefore be running with Administrator or System Service rights (or their equivalent) in order to successfully add or remove default rules. (Running the application from an account that merely belongs to the Administrators group, without elevation, is not sufficient.)
Please note that default rules only work when a class's system driver is loaded. This means that default rules won't be available, e.g., if the system boots in safe mode. Please refer to the Loading Drivers in Safe Mode topic for more information.
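The following C# program is an added illustration of the rights requirement and of the priority relationship between a default rule and an overlapping access rule; it is not code from the product's documentation. The callback.CBFSFilter namespace, the Initialize/StartFilter/StopFilter calls, the parameter lists of AddDefaultRule, AddFilterRule and DeleteDefaultRule, and the Constants values are assumptions to be checked against the class reference; the product GUID and the protected path are placeholders.

```csharp
using System;
using System.Security.Principal;
using callback.CBFSFilter;   // assumed CBFS Filter .NET namespace

class DefaultRuleDemo
{
    // Placeholder: a real product GUID is issued with the CBFS Filter license.
    const string ProductGuid = "{00000000-0000-0000-0000-000000000000}";
    // Constructed path: files the default rule protects from deletion.
    const string ProtectedMask = @"C:\ProgramData\MyAgent\*";

    // Default rules are stored under HKLM\System\CurrentControlSet\Services, so the
    // caller needs an Administrator or service token. A member of the Administrators
    // group running without elevation holds a filtered token, and this returns false.
    static bool HasRequiredRights()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
    }

    static void Main(string[] args)
    {
        if (!HasRequiredRights())
        {
            Console.Error.WriteLine("Run elevated or as a service to manage default rules.");
            return;
        }

        CBFilter filter = new CBFilter();
        filter.Initialize(ProductGuid);                      // assumed signature

        string mode = args.Length > 0 ? args[0] : "--add";
        if (mode == "--remove")
        {
            // Closing the application does not end a default rule; only deleting it does.
            filter.DeleteDefaultRule(ProtectedMask, ProductGuid);   // assumed signature
            return;
        }

        // Enforced by the driver from boot onward, whether or not this process runs.
        filter.AddDefaultRule(ProtectedMask, Constants.ACCESS_DENY_DELETE, ProductGuid);

        if (mode == "--maintenance")
        {
            // An overlapping access rule from the running application has higher
            // priority: while the filter is active, deletion under the mask is allowed.
            // When StopFilter runs (or the process exits), the default rule resumes.
            filter.AddFilterRule(ProtectedMask, Constants.ACCESS_ALL, 0, 0);
            filter.StartFilter(0);
            Console.WriteLine("Maintenance window open; press Enter to close it.");
            Console.ReadLine();
            filter.StopFilter(false);
        }
    }
}
```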