For several years I’ve been meaning to write some code to use ETW on a file server to profile calls to CreateFile, associate them to an SMB client, and ultimately blackhole connectivity for that client if an anomalous “velocity” of calls is reached.
It would take some significant baseline measurement to determine thresholds. Determining what’s “normal” for a client would be a fun exercise itself.
I’ve never done the PoC work to see if it’s feasible to even do this. It touches APIs I’m not familiar with (ETW looks like a dark and twisty maze) so it wasn’t something I could quickly knock together.
Maybe somebody else could run with this. I was going to do this as Free software but there’s probably money to be made with it, too.
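The per-client "velocity" check sketched above, written out as an added illustration (not the commenter's code). It assumes the ETW file-open events have already been attributed to an SMB client address; the events here are constructed sample data, and the baseline is a simple mean-plus-k-sigma over each client's earlier windows.

```python
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_S = 10      # bucket width in seconds
MIN_HISTORY = 3    # baseline windows needed before a client is judged
K_SIGMA = 3.0      # how far above the baseline mean counts as anomalous
FLOOR = 20         # never alert below this many opens per window (quiet clients have tiny stdevs)


def build_sample_events():
    """Constructed stand-in for ETW file-open events already tied to an SMB client.
    Each event is (timestamp_seconds, client_ip, path). Not a real capture."""
    events = []
    for w in range(7):                     # seven windows covering 0-69 s
        for i in range(5):                 # 10.0.0.5: steady 5 opens per window
            events.append((w * WINDOW_S + i * 2, "10.0.0.5", f"\\\\srv\\docs\\f{w}_{i}.docx"))
        for i in range(3):                 # 10.0.0.9: steady 3 opens per window
            events.append((w * WINDOW_S + i * 3, "10.0.0.9", f"\\\\srv\\hr\\h{w}_{i}.xlsx"))
    for i in range(60):                    # 10.0.0.5 then opens 60 more files inside window 6
        events.append((6 * WINDOW_S + i / 6, "10.0.0.5", f"\\\\srv\\docs\\x{i}.docx"))
    return events


def detect_velocity_anomalies(events, window_s=WINDOW_S, min_history=MIN_HISTORY,
                              k=K_SIGMA, floor=FLOOR):
    """Return [(client, window_index, count, threshold)] for every window whose open
    count exceeds that client's own baseline (mean + k*stdev of its earlier windows,
    never below `floor`). Anomalous windows are kept out of the baseline so a burst
    cannot raise its own bar."""
    if not events:
        return []
    counts = defaultdict(lambda: defaultdict(int))
    for ts, client, _path in events:
        counts[client][int(ts // window_s)] += 1
    first = min(int(ts // window_s) for ts, _, _ in events)
    last = max(int(ts // window_s) for ts, _, _ in events)
    alerts = []
    for client, per_window in counts.items():
        history = []
        for w in range(first, last + 1):
            n = per_window.get(w, 0)       # idle windows count toward the baseline too
            if len(history) >= min_history:
                threshold = max(floor, mean(history) + k * pstdev(history))
                if n > threshold:
                    alerts.append((client, w, n, threshold))
                    continue
            history.append(n)
    return alerts
```

The returned tuples are what a response step (the blackholing the comment mentions) would act on; the detector itself only reports.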