by Someone1234 4120 days ago
This article makes me irrationally annoyed by how lazy the author was. I was able to produce a test in under 5 minutes that disproves the article's core assumption:

> The Dropbox application uses a filesystem monitor to detect when changes are made by monitoring filesystem write events. This is, by necessity, a system-wide process. So DLP alerting that Dropbox is “accessing” a new file shouldn’t be surprising.

THAT IS NOT HOW THAT WORKS!

Sorry, I am calm now. As someone who has spent quite a lot of time using Windows' File System Watcher functionality, I know that that is nonsense. Windows monitoring/watching is conducted at the kernel; when an IO operation occurs that hits a registered monitor, it fires off an event (Windows message) to that process to let it know. The process itself never accesses that file directly.

But just test it for yourself.

1) Download Process Monitor [0]

2) Start Process Monitor, turn off Registry, Network, Profiling, and Process events.

3) Set the include (included processes to monitor) to [whatever executable you build]

4) Build this (see examples section) [1] in C#/VB.net and run it

5) Set the process name in #4 in the include in #3

6) Write to a file in C:\ (that's the default in the example program/source)

7) You should see some Console.WriteLine() output indicating the file watcher is working. If not, run as administrator.

8) There you go. As you can see, no direct file accesses to the file. The monitor events are fired as you can see, but the file remains untouched directly by your program.

The author could have done this. Why didn't they? It isn't like I had to even write one line of code or have some kind of specialist knowledge of low level kernel functionality...

PS - I don't know/care if Dropbox is stealing your stuff. I just wish the article's author had at least fact-checked before they claimed that "that is how this works!!!" when in reality that is untrue. That is how it works for Anti-Virus because AV scans within files to see contents; it isn't how it works for most processes, which just use the file watcher functionality. If Dropbox chooses to look inside files, then why? There is no need for that.

PPS - If Dropbox do have a system wide file watcher, that is just lazy. It will reduce system performance, and they could have just as easily set it up to point just to folders Dropbox is configured to watch.

[0] https://technet.microsoft.com/en-us/sysinternals/bb896645

[1] https://msdn.microsoft.com/en-us/library/system.io.filesyste...
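A watcher program of the kind steps 4 to 7 call for, as an added example that is not part of the comment above and is not the MSDN sample it links to. The class name `WatchOnly` and the optional directory argument are assumptions; the default of `C:\` follows step 6.

```csharp
// Added illustration; not the MSDN sample and not code from the comment.
using System;
using System.IO;

class WatchOnly
{
    static void Main(string[] args)
    {
        // Assumption: directory from the first argument, else C:\ as in step 6.
        string dir = args.Length > 0 ? args[0] : @"C:\";

        using (var watcher = new FileSystemWatcher(dir))
        {
            watcher.IncludeSubdirectories = false;
            watcher.NotifyFilter = NotifyFilters.FileName
                                 | NotifyFilters.LastWrite
                                 | NotifyFilters.Size;

            // Handlers read only the event arguments (change type and path).
            // Nothing here calls File.Open, File.ReadAllBytes, FileInfo, etc.
            watcher.Created += OnEvent;
            watcher.Changed += OnEvent;
            watcher.Deleted += OnEvent;
            watcher.Renamed += (s, e) =>
                Log("Renamed", e.OldFullPath + " -> " + e.FullPath);

            // The notification buffer can overflow under heavy I/O; report it
            // rather than silently missing events.
            watcher.Error += (s, e) =>
                Log("Error", e.GetException().Message);

            watcher.EnableRaisingEvents = true;
            Console.WriteLine("Watching {0}. Press Enter to quit.", dir);
            Console.ReadLine();
        }
    }

    static void OnEvent(object sender, FileSystemEventArgs e)
    {
        Log(e.ChangeType.ToString(), e.FullPath);
    }

    static void Log(string kind, string detail)
    {
        Console.WriteLine("{0:HH:mm:ss.fff} {1,-8} {2}", DateTime.Now, kind, detail);
    }
}
```

With Process Monitor's include filter set to this executable's process name (steps 3 and 5), write to a file in the watched directory and compare the console output with the file-system events recorded for the process.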