How do I prevent file deletion using filter rules?
Files are deleted by opening them with the "DeleteOnClose" flag set, and then closing the file. So, you need to add a filter rule that includes the FS_CE_BEFORE_OPEN flag, and then handle the BeforeOpenFile event by removing the DeleteOnClose flag from the Options event parameter. You should also do the same thing for the BeforeCreateFile event.
If you also want to protect a file's contents from being erased/overwritten, you need to inspect the CreateDisposition parameter during the aforementioned events, and the TRUNCATE_EXISTING or CREATE_ALWAYS flag is present, deny the request.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at firstname.lastname@example.org.