Process Monitoring and Protection Example

Download EaseFilter Process Filter Driver SDK Setup File
Download EaseFilter Process Filter Driver SDK Zip File

EaseFilter’s ProcessMon is your low-level bouncer for Windows processes—watching every entry and exit, blocking the bad actors on the spot, and giving you the full story on who’s running what. With filters, sandboxes, rich alerts, and ready-made code samples, it’s like having real-time process intelligence at your fingertips.

Process monitoring and protection

EaseFilter Process Filter Driver is a kernel-mode driver that filters process and thread creation and termination. It gives you an easy way to develop Windows applications for process monitoring and protection. With the EaseFilter Process Filter Driver, your application can prevent untrusted executable binaries (malware) from being launched and protect your data from being damaged by untrusted processes.

Discover the Power of the EaseFilter ProcessMon Demo
Monitor every process and thread in real time with EaseFilter ProcessMon. Instantly track process creation, termination, and activity details — including user, command-line, and security context. Detect suspicious behavior, audit application usage, and gain complete visibility into your system’s runtime environment.

Whether for security, troubleshooting, or compliance, ProcessMon shows you exactly what’s happening on your system, when, and by whom.

process protection

Key Features of EaseFilter ProcessMon

  • Kernel-Mode Monitoring & Protection

    Intercepts and controls process and thread creation/termination at the kernel level, enabling real-time monitoring and blocking of untrusted executables.

  • Real-Time Event Notifications

    Emits events for process/thread create/exit and handle operations so your app can react immediately.

  • Rich Event Context

    Provides parent PID, thread ID, executable path, command line, and more for forensic-grade logging and insights.

  • Highly Configurable Filtering

    Create rules by PID, path, or wildcards (e.g., C:\test\*), and enforce policies such as DENY_NEW_PROCESS_CREATION.

  • Sandboxing & Access Control

    Deny file access by default and selectively allow read/write to approved directories to isolate risky processes.

  • Developer-Friendly Samples & APIs

    Includes sample projects (e.g., C#) that demonstrate monitoring, blocking, and sandboxing for quick integration.

1. Flexible filter rule configuration

Filter processes by process ID or by a wildcard process name. For example, the process name filter c:\test\* matches every process launched from the folder c:\test.

Process Filter Rule Setting

2. Block creation of specific processes with the control setting "DENY_NEW_PROCESS_CREATION".

3. Process monitoring: receive notifications of process or thread creation and termination.

Enable the corresponding flags in the SDK to receive process and thread event notifications:

  • PROCESS_CREATION_NOTIFICATION – Notify when a new process is created.
  • PROCESS_TERMINATION_NOTIFICATION – Notify when a process terminates.
  • PROCESS_HANDLE_OP_NOTIFICATION – Notify when a process handle is created or duplicated.
  • THREAD_CREATION_NOTIFICATION – Notify when a new thread is created.
  • THREAD_TERMINATION_NOTIFICATION – Notify when a thread terminates.
  • THREAD_HANDLE_OP_NOTIFICATION – Notify when a thread handle is created or duplicated.

process monitoring
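The following is an added example that models how a rule set like the one described in points 1 to 3 is evaluated when a process starts: a wildcard or PID rule is matched against the new process, the DENY_NEW_PROCESS_CREATION control decides allow or deny, and the notification flags decide which events are emitted. It is not EaseFilter's code or SDK API; the flag names come from this page, but their bit values, the rule fields and every function name are assumptions made for the illustration.

```python
# Added example, not EaseFilter's code or SDK API: a small model of how a
# process filter rule set might be evaluated at process-creation time.
# Flag names are the ones named on the page; their bit values, the rule
# fields and every function name here are constructed for illustration.
from dataclasses import dataclass
from enum import IntFlag
from fnmatch import fnmatchcase
from typing import Optional


class ControlFlag(IntFlag):
    NONE = 0
    DENY_NEW_PROCESS_CREATION = 1 << 0  # bit value constructed, not the SDK's


class Notify(IntFlag):
    NONE = 0
    PROCESS_CREATION_NOTIFICATION = 1 << 0
    PROCESS_TERMINATION_NOTIFICATION = 1 << 1
    PROCESS_HANDLE_OP_NOTIFICATION = 1 << 2
    THREAD_CREATION_NOTIFICATION = 1 << 3
    THREAD_TERMINATION_NOTIFICATION = 1 << 4
    THREAD_HANDLE_OP_NOTIFICATION = 1 << 5


@dataclass
class ProcessFilterRule:
    name_mask: str = ""                 # wildcard such as c:\test\* or an exact path
    process_id: Optional[int] = None    # when set, the rule matches by PID instead
    control: ControlFlag = ControlFlag.NONE
    notify: Notify = Notify.NONE


def rule_matches(rule, image_path, pid):
    """PID rules match the PID; name rules wildcard-match the image path."""
    if rule.process_id is not None:
        return rule.process_id == pid
    # Windows paths are case-insensitive, so compare in lower case. fnmatch
    # treats backslash as a literal, and '*' spans folder separators, so
    # c:\test\* also covers executables in sub-folders of c:\test.
    return fnmatchcase(image_path.lower(), rule.name_mask.lower())


def find_rule(rules, image_path, pid=None):
    """First matching rule wins; None means no rule applies."""
    for rule in rules:
        if rule_matches(rule, image_path, pid):
            return rule
    return None


def notification_for(rules, image_path, pid, event, **context):
    """Return the event record to emit, or None if no rule asked for it."""
    rule = find_rule(rules, image_path, pid)
    if rule is None or event not in rule.notify:
        return None
    return {"type": event.name, "pid": pid, "image": image_path, **context}


def on_process_create(rules, image_path, pid, parent_pid, cmdline):
    """Decide allow/deny for a new process and build its creation event."""
    rule = find_rule(rules, image_path, pid)
    denied = rule is not None and ControlFlag.DENY_NEW_PROCESS_CREATION in rule.control
    action = "deny" if denied else "allow"
    event = notification_for(rules, image_path, pid,
                             Notify.PROCESS_CREATION_NOTIFICATION,
                             parent_pid=parent_pid, cmdline=cmdline, action=action)
    return {"action": action, "events": [event] if event else []}


# Constructed rule set: block and audit anything launched from c:\test, and
# watch thread creation in one specific process by PID.
RULES = [
    ProcessFilterRule(name_mask=r"c:\test\*",
                      control=ControlFlag.DENY_NEW_PROCESS_CREATION,
                      notify=Notify.PROCESS_CREATION_NOTIFICATION
                      | Notify.PROCESS_TERMINATION_NOTIFICATION),
    ProcessFilterRule(process_id=4242, notify=Notify.THREAD_CREATION_NOTIFICATION),
]

if __name__ == "__main__":
    print(on_process_create(RULES, r"C:\Test\dropper.exe", 1001, 500, "dropper.exe /s"))
    print(on_process_create(RULES, r"C:\Windows\notepad.exe", 1002, 500, "notepad.exe"))
    print(notification_for(RULES, r"C:\tools\agent.exe", 4242,
                           Notify.THREAD_CREATION_NOTIFICATION, tid=77))
```

Two points worth noticing in the model: the path comparison is case-folded because Windows image paths are case-insensitive, and a deny decision still produces the creation event (carrying the action), so a blocked launch is logged with its parent PID and command line rather than silently disappearing.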

4. Setting Up a Sandbox for a Process.

A sandbox is an isolated environment that limits a process’s file system access to specific, predefined folders. This helps prevent unauthorized reads, writes, or modifications outside of its permitted scope.

To configure a sandbox for a process using the EaseFilter File Control And Process Filter Driver SDK:

  1. Deny all file access for the process by default (least privilege).
  2. Explicitly allow only the folders and file types required for the process to operate.
  3. Assign appropriate permissions — read-only or full access — based on security needs.

Example configuration:

  • Deny all access outside the sandbox.
  • Allow full access to C:\MySandbox for temporary data.
  • Allow read-only access to C:\Windows for system libraries.

file access rights
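As an added example, not EaseFilter's code or SDK API, the block below evaluates the sample sandbox configuration above (deny everything by default, full access to C:\MySandbox, read-only access to C:\Windows) against a set of constructed file requests. The two folder names are the page's; the policy layout, the Access flags and the function names are assumptions for this illustration. It also covers two ways a naive sandbox check goes wrong: a `..` segment that points outside the allowed folder, and a sibling folder that merely shares a string prefix.

```python
# Added example, not EaseFilter's code or SDK API: evaluating the sample
# sandbox policy (deny everything, full access to C:\MySandbox, read-only
# access to C:\Windows) for a sandboxed process's file requests.
# The folder names are the page's; the policy layout, access flags and
# function names are constructed for illustration.
import ntpath
from enum import IntFlag


class Access(IntFlag):
    NONE = 0
    READ = 1
    WRITE = 2
    FULL = READ | WRITE


def canonical(path):
    # Resolve '.' and '..' segments and fold case before comparing, so a
    # request for C:\MySandbox\..\Users\... is judged by where it really
    # points, and so comparisons are case-insensitive like NTFS names.
    return ntpath.normpath(path).lower()


def is_under(path, folder):
    # Match on whole path components: C:\MySandbox2\x must not count as
    # inside C:\MySandbox just because it shares a string prefix.
    folder = canonical(folder).rstrip("\\")
    path = canonical(path)
    return path == folder or path.startswith(folder + "\\")


# Ordered list of (folder, access granted inside it); first match wins.
# Anything that matches no entry falls through to the default deny.
SANDBOX_POLICY = [
    (r"C:\MySandbox", Access.FULL),   # temporary data for the sandboxed process
    (r"C:\Windows", Access.READ),     # system libraries it needs to load
]


def allowed_access(policy, path):
    for folder, access in policy:
        if is_under(path, folder):
            return access
    return Access.NONE  # deny by default


def check_file_access(policy, path, requested):
    """True only if every requested access bit is granted for that path."""
    return requested in allowed_access(policy, path)


if __name__ == "__main__":
    # Constructed sample requests a sandboxed process might make.
    requests = [
        (r"C:\MySandbox\work.tmp", Access.WRITE),
        (r"C:\Windows\System32\kernel32.dll", Access.READ),
        (r"C:\Windows\System32\drivers\etc\hosts", Access.WRITE),
        (r"C:\Users\alice\Documents\report.docx", Access.READ),
        (r"C:\MySandbox\..\Users\alice\Documents\report.docx", Access.READ),
        (r"C:\MySandbox2\escape.tmp", Access.WRITE),
    ]
    for path, access in requests:
        verdict = "allow" if check_file_access(SANDBOX_POLICY, path, access) else "deny"
        print(f"{verdict:5} {access.name:5} {path}")
```

In the real product these decisions are made by the kernel driver; a model like this is useful for reviewing a proposed policy before it is loaded, because it makes the deny-by-default fall-through and the component-wise folder matching explicit and testable.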

Process Filter Driver SDK Demo Video

Process Filter Driver SDK Demo
Real-Time Process and Thread Monitoring.