DrCheese (11th June 2009)
When I was browsing through the FileSystemWatcher library I never found anything that might signify OnAccess. How wrong I was, I apologise for the unintentional misdirection.
However, surely if the file is a registered game in the hashlist, one could also save the deletion until the resource becomes available to do so? With the previous release of your programme, we tested out a few logging ideas, such as recording every instance a SWF file was loaded. Builds up a nice history to show to their form tutors.
What I have done to those I have caught via a remote session, is change the SWF file permissions to deny total access for students. As soon as they load the SWF again, the SAFlashPlayer just stays white and never loads.
I can't thank you enough peterp for giving a few of us hope, the battle might soon be over! Well until the next bright spark comes along...
Yes, the onaccess is really to do with a property change (last access time changing). This is triggered when the file is opened (and thus locked) and when the file is closed (and then, yes, you can delete it or change its permission or otherwise mess with it).
Ideally I want to stop them playing it in the 1st place, else they just bring in a load, and play each of them once. Or copy them back from laptop / memory stick / mp3 players etc.
But the more I look into the problem of unlocking a file, the more it looks like it will beat me.
I can't see why it can't be done peterp.
Are you able to post a snippet of your code? One of us might come up with something ingenious!
Well, this is a bit like exposing myself, but here is a section of (badly written, badly commented) code.
There are a couple of global variables used, and much of the code is commented out as it was put in for debugging purposes.
The actual deletion routine is currently commented out too.
The code will (with the correct test harness) scan any opened file for a specific string (which in this case identifies the presence of embedded swf in .xls files.)
The one that does MD5 hashing is very similar.
Code:

    ' Needs Imports System.IO and Imports System.Text at the top of the file.
    ' Form-level variables the post mentions but does not show (names from the code, types assumed):
    Private last As String = "none"
    Private queue(50) As Byte
    Private qe As Integer = 0
    Private qs As Integer = 0

    Private Sub FileSystemWatcher2_Changed(ByVal sender As System.Object, ByVal e As System.IO.FileSystemEventArgs) Handles FileSystemWatcher2.Changed
        ListBox1.Items.Add(e.FullPath & " : " & e.Name & " : " & e.ChangeType.ToString)
        If (e.FullPath.Equals(last)) Then
            'ListBox1.Items.Add("Ignoring that one")
        Else
            'ListBox1.Items.Add("Scanning...")
            Try
                If doRead(e.FullPath) Then
                    'ListBox1.Items.Add("Deleteing " & e.FullPath)
                    'File.Delete(e.FullPath)
                    '1st time this event is caught, the file has just been opened, and is thus locked
                    'the 2nd time the file is closed and can be deleted.
                    'Given the variable e.fullpath I need to find the handle of the process that has it locked.
                End If
                If (last.Equals("error")) Then
                    last = "none"
                Else
                    last = String.Copy(e.FullPath)
                End If
            Catch ex As Exception
                'ListBox1.Items.Add(ex.Message)
            End Try
        End If
    End Sub

    Private Function doRead(ByVal fn As String) As Boolean
        Dim c As Integer 'ReadByte returns an Integer, which is -1 at end of file
        Dim ca(50) As Byte
        Dim st As String = ":"
        Dim fsReadable As Boolean = True
        Dim found As Boolean = False
        Dim oFile As System.IO.FileInfo
        oFile = New System.IO.FileInfo(fn)
        Dim fs As System.IO.FileStream = oFile.OpenRead()
        'Start each file with an empty window so bytes from the previous file cannot match
        Array.Clear(queue, 0, queue.Length)
        qe = 0
        qs = 0
        While fsReadable
            Try
                c = fs.ReadByte
            Catch ex As Exception
                c = 46
                fsReadable = False
            End Try
            If c = -1 Then
                fsReadable = False
            Else
                'Replace non-printable bytes with "." so UTF-16 text shows up as "f.l.a.s.h"
                If c < 32 Or c > 126 Then
                    c = 46
                End If
                st = enqueueChar(CByte(c))
                'ListBox1.Items.Add(st)
                'Only test the window when a byte was actually read
                If st.ToLower.Contains("\.f.l.a.s.h...o.c.x") Then
                    found = True
                End If
            End If
            st = Nothing
        End While
        fs.Close()
        fs = Nothing
        Return found
    End Function

    'Adds one byte to the circular buffer and returns the current window as a string
    Private Function enqueueChar(ByVal c As Byte) As String
        Dim st As String = ""
        Dim squeue(50) As Byte
        Dim count As Integer = 0
        queue(qe) = c
        qe = qe + 1
        qs = qs + 1
        If qe > 49 Then
            qe = 0
        End If
        If qs > 49 Then
            qs = 0
        End If
        While Not qe = qs
            squeue(count) = queue(qs)
            count = count + 1
            qs = qs + 1
            If qs > 49 Then
                qs = 0
            End If
        End While
        count = 0
        qs = qs + 1
        st = Encoding.UTF8.GetString(squeue)
        Return st
    End Function
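An added example, not the poster's code and not part of GameKiller2: one way to run the three checks this thread mentions (MD5 hash list, standalone .swf, and the `\Flash.ocx` marker in UTF-16 inside an Office file) in a single pass. It goes slightly beyond the posted scanner by also testing the SWF file signature. The module and function names and the placeholder hash entry are assumptions, and the file is assumed small enough to read into memory.

```vb
Imports System.Collections.Generic
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module BannedFileCheck
    ' UTF-16LE bytes of "\flash.ocx": the same marker the posted scanner matches.
    Private ReadOnly Marker As Byte() = Encoding.Unicode.GetBytes("\flash.ocx")
    ' Placeholder entry only (constructed); load the real MD5 hash list from your own store.
    Private ReadOnly HashList As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase) From {"00000000000000000000000000000000"}

    ' Returns the reason a file is flagged, or Nothing if no check matches.
    Public Function Classify(ByVal fileName As String) As String
        Dim data As Byte()
        ' FileShare.ReadWrite lets the read succeed while another process still
        ' has the file open, unless that process asked for exclusive access.
        Using fs As New FileStream(fileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)
            data = New Byte(CInt(fs.Length) - 1) {}
            Dim off As Integer = 0
            While off < data.Length
                Dim n As Integer = fs.Read(data, off, data.Length - off)
                If n = 0 Then Exit While
                off += n
            End While
        End Using
        Using hasher As MD5 = MD5.Create()
            Dim digest As String = BitConverter.ToString(hasher.ComputeHash(data)).Replace("-", "")
            If HashList.Contains(digest) Then Return "MD5 on hash list"
        End Using
        ' Standalone SWF files start with FWS (plain), CWS (zlib) or ZWS (LZMA).
        If data.Length >= 3 AndAlso data(1) = 87 AndAlso data(2) = 83 Then
            If data(0) = 70 OrElse data(0) = 67 OrElse data(0) = 90 Then Return "SWF signature"
        End If
        If ContainsFolded(data, Marker) Then Return "embedded Flash control reference"
        Return Nothing
    End Function

    ' Byte search that lower-cases ASCII A-Z in the haystack before comparing.
    Private Function ContainsFolded(ByVal hay As Byte(), ByVal needle As Byte()) As Boolean
        For i As Integer = 0 To hay.Length - needle.Length
            Dim j As Integer = 0
            While j < needle.Length
                Dim b As Integer = hay(i + j)
                If b >= 65 AndAlso b <= 90 Then b += 32
                If b <> needle(j) Then Exit While
                j += 1
            End While
            If j = needle.Length Then Return True
        Next
        Return False
    End Function
End Module
```

Calling `Classify(e.FullPath)` from the `Changed` handler gives a reason string that can go straight into the access log discussed earlier in the thread.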
What about if you take the application being used, as assumed.
For example, if the file type being opened has the extension .swf and/or the mimetype application/x-shockwave-flash.
Then closing SAFlashPlayer and/or any other media process as a given. This would then release the resource for you to delete?
Works to an extent with certain files. If they open a .xls spreadsheet then the only program they have that will open this is Excel, so I could close down all instances of Excel (and if they lose work they had open in another window, that's a lesson that they shouldn't be playing games).
The .swf files themselves are slightly more tricky, in that they can do 'open with' and open them in a variety of programs that understand flash. (flash, flashplayer, media player classic and Internet Explorer are the ones I've caught them using.)
I had wanted a more generic approach so that one method could deal with multiple methods of gaming, or opening otherwise banned files. (We can't restrict them all, as various courses have them developing flash.)
I think you are right though, without much more expertise than I have to delve into using ntdll.dll then I will have to settle for working out the filetype to default program. Or even be completely evil and close all processes that I identify as being able to play games without worrying which one was the process playing the game.
Well, when I see them playing games through Internet Explorer, I close the whole instance.
They should not be playing games, and as such if there was any work on the other tabs, then hard luck.
As long as the programme doesn't make any false positives, it's well within acceptable policy control to shut down the whole lot. I know of one school that shuts down the computer if they're caught.
With regards to opening up SWF in other files, surely group policy already prohibits running and installing new programmes. The only programmes that need to be closed are those already installed.
Maybe a KILL list is needed for customisation, like your last build.
Yes, they cannot install new programs, but .swf can currently run in ...
Embedded in excel worksheets (we cannot disable vba or macros as these are needed by some of our courses)
Internet Explorer (easiest to kill, that's the purpose of gamekiller2, which is doing a great job here)
Media Player Classic (installed as part of a codec pack and used by some media students)
Flash cs3 (used by computing students)
I think the approach will have to be the evil one :-
On detection of ANY game file being opened, close down ALL instances of these programs to ensure the file is deleteable.
So, if the student has some research open in IE, his large flash project open in Flash, and then decides to open a game, he's going to lose all his session's work too. Oh well. :-)
I can live with that, I think most of the teachers can too, will have to clear it with the SLT though.
I had wanted the elegant solution of being able to determine which process I should kill, but oh well :-)
OK, will start work on coding the new version in earnest in the next week or so (although I'm off on summer holiday end of the month). I aim to get it up and running in some form by the end of summer break, ready for the new intake!
Thanks for all the suggestions and help.
It's all for the common cause!
Hopefully your release, plus a few more additions I'd like to make with logging (if you release the source that is!) should hit at the heart of the problem.
However a quick note about Externally hosted games. There are obviously thousands, even tens of thousands out there, and a blacklist against them would be folly as we could see that list expand to an unmanageable size. I still recommend using a firewall such as ISA, and then block SWF and the SWF MIME type, then use a whitelist to allow tutor requested sites.
Cheers peterp!
Sorry to bring up an ongoing thread, but I have just looked at our student GPO and tested it to see if everything is still working OK, and there seems to be a problem with the software restriction policy.
We have a list of file extensions that we block and one of them is SWF. For some reason (on a test GPO) the software restriction is blocking the EXE and MDB, but I have added SWF, TXT, DOC and PPT and nothing is happening. The extensions still open as usual. There is nothing configured in the GPO apart from the software restrictions.
Can anyone help?
Tim
Try moving the policy higher in the list and then do gpupdate /force.
I've been led to believe, by RM, that SR doesn't block the .swf even if explicitly specified.
Thus using GameKiller2.