The OS caches the data read from the file and decrypted by CBFS Filter. How do I prevent this?

A file data cache is always used by the OS and its file system manager. You can't disable it or prevent the data from being placed into the cache.

Before an application can read any data from a file, it must open the file to obtain a file handle; the open handle is what identifies the file in subsequent read requests. If the application has not opened the file, it cannot read it, even when another application has the file open.

So, if you prevent the application from opening the file, you also prevent it from reading the file's data. The cache itself is protected from access by applications: it can only be read by kernel-mode drivers.

Within Windows, the only way to keep the data encrypted until it reaches the intended application is to have the application itself encrypt or decrypt the data and to keep the decrypted data only in nonpaged memory.
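
The application-side approach described above, as an added sketch (not code from CBFS Filter or Callback Technologies): the file is read as ciphertext, so that is all the OS cache holds, and the plaintext exists only in a locked buffer that is wiped after use. It assumes `VirtualLock` (`mlock` in the POSIX fallback) as the user-mode way to keep the buffer's pages resident; `read_protected`, `toy_crypt`, `check_sample` and `selftest` are hypothetical names, and the XOR routine is a placeholder for a real cipher.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#define LOCK(p, n)   (VirtualLock((p), (n)) != 0)
#define UNLOCK(p, n) VirtualUnlock((p), (n))
#else /* POSIX fallback so the sketch also builds off Windows */
#include <sys/mman.h>
#define LOCK(p, n)   (mlock((p), (n)) == 0)
#define UNLOCK(p, n) munlock((p), (n))
#endif

/* Placeholder XOR cipher, NOT secure: stands in for real authenticated encryption. */
static void toy_crypt(uint8_t *b, size_t n, const uint8_t *key, size_t klen) {
    for (size_t i = 0; i < n; i++) b[i] ^= key[i % klen];
}
/* Returns use()'s result, -1 if the file cannot be opened, -2 if locking fails. */
int read_protected(const char *path, const uint8_t *key, size_t klen,
                   int (*use)(const uint8_t *, size_t)) {
    uint8_t buf[4096];
    int rc = -1;
    if (!LOCK(buf, sizeof buf)) return -2;
    FILE *f = fopen(path, "rb");
    if (f) {
        size_t n = fread(buf, 1, sizeof buf, f); /* file cache and stdio see ciphertext only */
        fclose(f);
        toy_crypt(buf, n, key, klen);            /* plaintext exists only in buf */
        rc = use(buf, n);
    }
    for (volatile uint8_t *v = buf; v < buf + sizeof buf; v++) *v = 0; /* wipe before unlock */
    UNLOCK(buf, sizeof buf);
    return rc;
}

static const uint8_t KEY[] = "constructed-key"; /* constructed sample key */
static const char MSG[] = "secret record";      /* constructed sample plaintext */
int check_sample(const uint8_t *p, size_t n) {
    return n == sizeof MSG - 1 && memcmp(p, MSG, n) == 0;
}
int selftest(void) { /* writes an encrypted sample file, then reads it back */
    uint8_t ct[] = "secret record";
    toy_crypt(ct, sizeof ct - 1, KEY, sizeof KEY - 1);
    FILE *f = fopen("sample.enc", "wb");
    if (!f) return -1;
    fwrite(ct, 1, sizeof ct - 1, f);
    fclose(f);
    return read_protected("sample.enc", KEY, sizeof KEY - 1, check_sample);
}
int main(void) { printf("plaintext matched: %d\n", selftest()); return 0; }
```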
