How do I prevent file deletion using filter rules?
Note that most often, files are deleted by opening them with the DeleteOnClose flag set, and then closing the file. If you follow the above instructions, the file will not be opened in the first place. You might want to allow files to be opened (even when the DeleteOnClose flag is initially set) but not be deleted. In this case, you need to add a filter rule that includes the FS_CE_BEFORE_CAN_DELETE flag, and then handle the BeforeOpenFile event by removing the DeleteOnClose flag from the Options event parameter. Do the same thing for the BeforeCreateFile event too.
If you also want to protect a file's contents from being erased/overwritten even when the file is not deleted, you need to inspect the CreateDisposition parameter of BeforeCreateFile and BeforeOpenFile event handlers, and if the TRUNCATE_EXISTING or CREATE_ALWAYS flag is present, deny the request.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at firstname.lastname@example.org.