Near Real-Time Filesystem Monitoring for NTFS Volumes

This topic describes the Near Real-Time Filesystem Monitoring feature of FSMon on NTFS volumes: how it uses the USN Journal, how to configure it, and its current limitations.

Overview

The Near Real-Time Filesystem Monitoring feature in FSMon enables continuous, event-driven tracking of file and directory changes on NTFS volumes using the Windows USN Journal. This allows the scanner to detect and process filesystem changes (create, delete, rename, etc.) as they happen, improving responsiveness and accuracy compared to periodic scans.

It also reduces resource usage on the endpoint: after the first complete scan, individual changes are tracked through the USN Journal, so fewer periodic scans are needed over time.

Feature Outline

  • Volume Monitoring

    Monitors specified NTFS volumes for real-time changes using the USN Journal.

  • Event Types Supported
    • File/Directory Create
    • File/Directory Delete
    • File/Directory Rename
    • File/Directory Close
  • Exclusion Support

Configured path exclusions are honoured: events for excluded paths are not processed.

  • Volume Lifecycle

Volumes added or removed at run time are picked up dynamically (subject to the DevMon partition-table refresh interval described under Notes).

Supported Platforms

  • Windows Only
    • Requires NTFS filesystem
    • Requires USN Journaling
  • Non-Windows
    • The feature is disabled.

Configuration

Main Configuration Options
  • The setting is configured via the CLI only. By default the feature is enabled on NTFS volumes that already have an active USN Journal
  • WatchDogStatus:
    • "disable": Real-time monitoring is off (periodic scans only)
    • "default": Real-time monitoring is enabled on volumes where a USN Journal already exists
    • "force": Real-time monitoring is enabled; a USN Journal is created on every detected NTFS volume that lacks one

Example

bf-scanner.exe config set FSMon.WatchDogStatus force

bf-scanner.exe config set FSMon.WatchDogStatus default

bf-scanner.exe config set FSMon.WatchDogStatus disable

Notes

  • USN Journal Dependency
    • Requires a USN Journal to be present on the volume, or creatable (force mode)
    • A USN Journal created by the scanner (force mode) is NOT deleted when the scanner service exits
    • The scanner does not resize an existing USN Journal. If the journal's maximum size is too small for the volume's change rate, the journal can wrap between reads and the changes in between are missed; size the journal appropriately before enabling the feature
  • Volume Add/Removal Depends on DevMon Partition Table
    • Volumes are maintained by the DevMon partition table. Because that table is refreshed periodically, the processing of a volume add/remove may be delayed by up to one refresh interval. The default DevMon partition refresh interval is 5 minutes (300 seconds)
  • Resource Usage
    • Real-time monitoring may spike memory and I/O usage during initialization, especially on large volumes
    • After initialization, CPU, memory and disk I/O usage are lower than with the disk-crawling mechanism of release 11.0.39.0, because only detected changes are processed and the entire cache does not have to be rebuilt
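The Configuration section and the USN Journal Dependency note above leave one step to the operator: "force" mode creates missing journals but nothing resizes an existing one, so a journal that is too small can wrap silently. The following PowerShell script is an added example, not part of FSMon or bf-scanner; it audits every local NTFS volume with fsutil, creates or enlarges journals that are missing or below a threshold, and only then sets WatchDogStatus. The 1 GiB minimum, the 64 MiB allocation delta, and the assumption that bf-scanner.exe is on PATH are all choices made for this example, not values taken from the product documentation. It must be run from an elevated prompt.

```powershell
# Added example (not FSMon's own tooling): check the USN Journal on every local NTFS
# volume and create or enlarge it before enabling real-time monitoring.
# Assumed values: a 1 GiB minimum journal and a 64 MiB allocation delta; size the
# journal for the volume's real change rate. Requires an elevated PowerShell prompt.

$MinJournalBytes = 1GB
$AllocationDelta = 64MB

# Local fixed NTFS volumes with a drive letter, which is how fsutil addresses a volume
$volumes = Get-Volume | Where-Object {
    $_.FileSystem -eq 'NTFS' -and
    $_.DriveType -eq 'Fixed' -and
    "$($_.DriveLetter)" -match '^[A-Za-z]$'
}

foreach ($v in $volumes) {
    $drive = "$($v.DriveLetter):"

    # "fsutil usn queryjournal" exits non-zero when the volume has no active journal
    $query = & fsutil usn queryjournal $drive 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Host "$drive has no USN Journal; creating one of $MinJournalBytes bytes"
        & fsutil usn createjournal "m=$MinJournalBytes" "a=$AllocationDelta" $drive
        continue
    }

    # The output contains a line such as "Maximum Size     : 0x0000000002000000" (hex)
    $maxSize = $null
    foreach ($line in $query) {
        if ("$line" -match 'Maximum Size\s*:\s*0x([0-9A-Fa-f]+)') {
            $maxSize = [Convert]::ToInt64($Matches[1], 16)
        }
    }

    if ($null -eq $maxSize) {
        Write-Warning "$drive : could not parse fsutil output; inspect it manually"
        continue
    }

    if ($maxSize -lt $MinJournalBytes) {
        # createjournal on a volume that already has a journal changes its parameters
        Write-Host ("{0} USN Journal is {1:N0} bytes, enlarging to {2:N0}" -f $drive, $maxSize, $MinJournalBytes)
        & fsutil usn createjournal "m=$MinJournalBytes" "a=$AllocationDelta" $drive
    } else {
        Write-Host ("{0} USN Journal OK ({1:N0} bytes)" -f $drive, $maxSize)
    }
}

# With journals present and sized in advance, "default" mode is sufficient. "force" would
# create missing journals itself, but the scanner does not resize existing ones.
bf-scanner.exe config set FSMon.WatchDogStatus default
```

Run the audit again after large deployments or disk additions: a new volume picked up by the DevMon partition table will only be monitored in "default" mode if it already carries a journal, and a journal created by "force" mode keeps whatever size Windows gave it.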

Limitations

  • Symlink/Reparse Point Handling
    • Directory symlinks and reparse points are NOT excluded from monitoring; a directory reparse point is treated like any other directory