File Minifilter
FltRegisterFilter
File system monitoring with PE (Portable Executable) write detection.
Overview
The file minifilter monitors file system operations and specifically detects when PE files (executables, DLLs) are written to disk. This helps identify malware dropping payloads to disk.
Event Types
| Event | Description |
|---|---|
| FileCreate | New file created |
| FileWrite | File written to |
| PEWrite | PE file (EXE/DLL) written |
| FileDelete | File deleted |
| FileRename | File renamed |
PE Detection
The minifilter checks the first bytes of file writes for the PE signature:
MZ (0x4D 0x5A) — DOS header magic
Detection Scope
PE detection triggers on any file write containing the MZ header, regardless of file extension. This catches renamed executables.
Captured Information
- Process — PID and name of the writing process
- File path — Full path to the file
- Operation — Create, Write, Delete, Rename
- PE flag — Whether the write contains PE data
- Size — Bytes written
Monitored Locations
Default rules focus on suspicious locations:
- %TEMP% — Temporary folder
- %APPDATA% — User application data
- Downloads — User downloads folder
- Startup — Startup folder
UI Features
- File tab — View all file events
- PE filter — Show only PE write events
- Path filter — Focus on specific directories
- Process filter — See file activity by process
IPS Rule Examples
File: *\Temp\*.exe | Action: Alert
File: *\Startup\* | PE: true | Action: Block
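As an added example (not the project's own code), here is a user-mode Python model of the two pieces described above: the PE flag derived from the MZ magic regardless of file extension, and the evaluation of the two IPS rule examples against captured file writes. The `FileWrite`, `Rule`, `is_pe_write` and `evaluate` names, the requirement that the write start at file offset 0, and the sample paths are assumptions of this example.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

MZ_MAGIC = b"MZ"  # 0x4D 0x5A, the DOS header e_magic the minifilter looks for


@dataclass
class FileWrite:
    pid: int
    process: str
    path: str
    offset: int   # file offset at which this write lands
    data: bytes   # the bytes being written


@dataclass
class Rule:
    file_glob: str             # matched against the full path, e.g. *\Temp\*.exe
    action: str                # "Alert" or "Block"
    pe: Optional[bool] = None  # None: the rule does not care about the PE flag


def is_pe_write(write: FileWrite) -> bool:
    """Set the PE flag when the write places the MZ magic at file offset 0.
    The extension is ignored on purpose, so a renamed .exe still matches.
    Assumption: only an offset-0 write can carry the DOS header."""
    return write.offset == 0 and write.data[:2] == MZ_MAGIC


def evaluate(write: FileWrite, rules: List[Rule]) -> str:
    """First matching rule wins; a write matched by no rule is allowed."""
    pe = is_pe_write(write)
    for rule in rules:
        # Case-insensitive glob; '*' also spans backslashes, as the rule syntax expects.
        if not fnmatch.fnmatchcase(write.path.lower(), rule.file_glob.lower()):
            continue
        if rule.pe is not None and rule.pe != pe:
            continue
        return rule.action
    return "Allow"


# The two rules from the IPS Rule Examples section.
RULES = [
    Rule(r"*\Temp\*.exe", "Alert"),
    Rule(r"*\Startup\*", "Block", pe=True),
]
```

Note that a renamed executable dropped as `payload.dat` in `%TEMP%` still gets the PE flag but matches neither rule, which is why the PE filter in the UI is useful alongside path-based rules.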