Author Topic: Alert on File/Folder Access  (Read 9490 times)

Nzyme

Alert on File/Folder Access
« on: November 25, 2015, 09:42 AM »
I would like to know if there are any programs that can alert the user (who is currently logged in as Administrator) about an intruder trying to access a file/folder that has been specified in the program.

Scenario: I have set the folder to monitor as C. Hacker has somehow hacked into my PC and when trying to access any file/folder within C drive, I should get an alert informing me "who" is trying to access "what". Further, it should not allow the intruder to access the file/folder nor make any changes to them.

I basically need a second level of defense (after the Antivirus and Firewall). There are programs that display the log of files/folders accessed and the particular operation (create/modify/delete) performed but I need some kind of access control here that will prevent access. Thanks!

mouser

Re: Alert on File/Folder Access
« Reply #1 on: November 25, 2015, 09:47 AM »
This came up as an idea a while ago -- i think it's a great idea -- especially as an early warning tool.

Maybe someone could work on it as a NANY 2016 project.

A nice option would be the ability to alert on read and/or write, and the ability to exclude certain processes from triggering an alert.


x16wda

Re: Alert on File/Folder Access
« Reply #3 on: November 26, 2015, 05:11 PM »
For inspiration...  ;)
http://leelusoft.altervista.org/watch-4-folder.html
https://blogs.manageengine.com/it-security/eventloganalyzer/2012/06/20/object-access-auditing-simplified-find-the-who-what-where-when-of-file-folder-access.html
https://technet.microsoft.com/en-us/library/cc771070.aspx
http://venussoftcorporation.blogspot.com/2010/05/thefolderspy.html
https://directorymonitor.com/
http://trackfolderchanges.codeplex.com/
http://www.nirsoft.net/utils/folder_changes_view.html
http://www.isdecisions.com/products/fileaudit/file-folder-access-alert.htm

Just as info, when I looked into stuff like this a few years ago (6-10 maybe?), TheFolderSpy seemed to be the best combination of features and - more importantly - reliability. Several of the other programs for this sort of thing did not seem to implement the file system hook very well and caused instability and crashing, or at the least missed some number of test accesses. But NOTHING was really satisfactory for what I was looking for (which, in part, meant that the monitor could run as a service).
vi vi vi - editor of the beast

Nzyme

Re: Alert on File/Folder Access
« Reply #4 on: November 27, 2015, 11:43 PM »
For inspiration...  ;)
http://leelusoft.altervista.org/watch-4-folder.html
https://blogs.manageengine.com/it-security/eventloganalyzer/2012/06/20/object-access-auditing-simplified-find-the-who-what-where-when-of-file-folder-access.html
https://technet.microsoft.com/en-us/library/cc771070.aspx
http://venussoftcorporation.blogspot.com/2010/05/thefolderspy.html
https://directorymonitor.com/
http://trackfolderchanges.codeplex.com/
http://www.nirsoft.net/utils/folder_changes_view.html
http://www.isdecisions.com/products/fileaudit/file-folder-access-alert.htm

Thanks Shades! Most of what I have tested only monitors the file/folder for changes and displays a log/alert and some actions to perform post access.

If there is an intrusion, the program should alert who is trying to access what and should not allow the action to complete. The program should exclude operations from the system and the logged in user to avoid too many alerts.

Is this possible by applying any policy in Windows itself or any other programs that can do this? Thanks!

mouser

Re: Alert on File/Folder Access
« Reply #5 on: November 28, 2015, 06:25 AM »
and should not allow the action to complete.

this requirement may take this tool from easy to hard, and i'm not sure it's critical to the idea, at least from my standpoint.

my idea was that the monitored file is more like a canary in the mine -- detecting an attempt to access it is to help alert you that a rogue process may be scanning (modifying) your files, and that you should investigate the possibility of some kind of malware/ransomware.

actually preventing the test file from being modified has little value in this case.

identifying the PROCESS that tried to access the file would be important though..

MilesAhead

Re: Alert on File/Folder Access
« Reply #6 on: November 28, 2015, 07:58 AM »
This looks like it comes pretty close for the monitoring part.  Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.

NirSoft utilities are well done.  I would experiment with monitoring all of C: to find out if this will bog the system.  An alternative may be something like ToolWiz Time Freeze.  All writes to the system partition are redirected to a cache file using Shadow Copy Service of Windows.  When you reboot the changes are gone.  Of course this doesn't save you from tracking cookies as they exist until you reboot.  But it does stop them from continually accumulating.

mouser

Re: Alert on File/Folder Access
« Reply #7 on: November 28, 2015, 08:15 AM »
Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.

identifying what USER the process is running under is not so important -- but identifying the PROCESS is.

MilesAhead

Re: Alert on File/Folder Access
« Reply #8 on: November 28, 2015, 09:08 AM »
Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.

identifying what USER the process is running under is not so important -- but identifying the PROCESS is.

I'm not arguing that but I wonder if any process that gets around security is going to use high level api calls rather than some sector by sector sneaky techniques.  I would think if the monitor could log it security could stop it.  But av type things are not my forte. :)

I do know that large scale monitoring for file folder change using the apis will bog things badly.  Utilities that do it well probably roll their own techniques.

mouser

Re: Alert on File/Folder Access
« Reply #9 on: November 28, 2015, 09:28 AM »
The thing to remember is that stopping an application from accessing that one file is not going to help you much because all your other files are vulnerable.
The only thing that might help is if you somehow triggered some emergency protocol that locked down all files on the computer, but that seems especially hard to get right and avoid triggering on some harmless process.
That's why i'm thinking the best way to think of this is just as an early warning system -- unlikely to save you from much harm but perhaps able to give you a very early heads up that you've got a problem.

A possible compromise defensive mechanism might be a mode that when it sees a process trying to access the test file, immediately KILLS that process and puts it on a list of processes to be killed instantly if they restart.. The only danger there is false alarming on a legit process.

MilesAhead

Re: Alert on File/Folder Access
« Reply #10 on: November 28, 2015, 11:36 AM »
Unless you suspect the malware is going to masquerade as a system file I don't know how you would guess a filename that would lure out the malware.  If it is wholesale deleting stuff I guess both ends of the alphabet may be a good idea.  Otherwise the goat file may be at the end of the list.

I still think making use of VSS is a better approach.  The utility is free.  Where it would not work well is wholesale file creation scenarios.  In that case the system may hang.  But for generic user protection it seems as good as any.

Ath

Re: Alert on File/Folder Access
« Reply #11 on: November 28, 2015, 12:23 PM »
The only viable attack to be detected would be from network access to a file, when trying to modify/delete it, though I'm not sure if that would be identifiable as originating from a network-source. And then I'd expect any AV to detect that kind of attack. But maybe that's too optimistic :huh:

Nzyme

Re: Alert on File/Folder Access
« Reply #12 on: November 30, 2015, 08:38 AM »
Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.

identifying what USER the process is running under is not so important -- but identifying the PROCESS is.

I think identifying the user along with process, time, type of operation (read, write, open, etc.) is equally important. Think about it, you are browsing the internet or listening to music and you see an alert for file/folder access. You know that you are not the one trying to access it but would want to know who initiated it (system access which was genuine or hacker who sneaked in the system logged in under your name). If you see that an access alert under your name is trying to access, you can take action on that immediately.

I think the program SpyShelter Firewall comes very close to what I need. For any type of access, it alerts me and I can either allow, reject or terminate the action but not sure if someone sneaks in my PC, will it prompt me with an alert.

Stoic Joker

Re: Alert on File/Folder Access
« Reply #13 on: December 01, 2015, 06:41 AM »
Think about it, you are browsing the internet or listening to music and you see an alert for file/folder access.

Any halfway decently written malware isn't going to show its hand by touching the file system until after it's gotten control of the system. So the net effect of running something too obscure for it to know to kill/bypass is most likely just going to be a front row seat to a horror show.

This kind of security is for human-slow direct access attempts, which is what auditing object access is designed to handle. User and logon type (service/network/interactive) are both recorded in the audit log, so watch for failure events, see who's failing to access what, and respond accordingly. Because if something is set off in session with you - Computers being way faster than humans... - there is no way you will be able to react fast enough to anything other than be the first one on scene with a mop..
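
Added example, not part of any post in this thread: a Python triage routine for the object-access auditing approach described above, combined with the canary-file idea from earlier replies (alert on read and/or write, exclude known processes, report the process). The field names follow Windows Security events 4624, 4656 and 4663; the watched folder, the excluded process and every sample event are constructed assumptions.

```python
# Added example: triage of object-access audit events for a watched (canary) folder.
LOGON_TYPES = {2: "interactive", 3: "network", 5: "service", 10: "remote-interactive"}
ACCESS_BITS = {0x1: "read", 0x2: "write", 0x4: "append", 0x10000: "delete"}
WATCHED = ["c:\\canary\\"]                               # assumed watched folder
EXCLUDED = {"c:\\windows\\system32\\searchindexer.exe"}  # assumed process allow-list

EVENTS = [  # constructed sample records, not real log output
    {"EventID": 4624, "TargetLogonId": "0x3e7a1", "LogonType": 3, "TargetUserName": "alice"},
    {"EventID": 4624, "TargetLogonId": "0x5b210", "LogonType": 2, "TargetUserName": "alice"},
    {"EventID": 4663, "Keywords": "Audit Success", "SubjectUserName": "alice",
     "SubjectLogonId": "0x5b210", "ObjectName": "C:\\Canary\\passwords.txt",
     "ProcessName": "C:\\Windows\\System32\\SearchIndexer.exe", "AccessMask": "0x1"},
    {"EventID": 4663, "Keywords": "Audit Success", "SubjectUserName": "alice",
     "SubjectLogonId": "0x5b210", "ObjectName": "C:\\Canary\\passwords.txt",
     "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "AccessMask": "0x2"},
    {"EventID": 4656, "Keywords": "Audit Failure", "SubjectUserName": "alice",
     "SubjectLogonId": "0x3e7a1", "ObjectName": "C:\\Canary\\passwords.txt",
     "ProcessName": "C:\\Tools\\sync.exe", "AccessMask": "0x10000"},
    {"EventID": 4663, "Keywords": "Audit Success", "SubjectUserName": "alice",
     "SubjectLogonId": "0x5b210", "ObjectName": "C:\\Temp\\notes.txt",
     "ProcessName": "C:\\Windows\\notepad.exe", "AccessMask": "0x2"},
]

def decode_access(mask_hex):
    mask = int(mask_hex, 16)
    return [name for bit, name in ACCESS_BITS.items() if mask & bit] or ["other"]

def triage(events, watched=WATCHED, excluded=EXCLUDED):
    # 4624 logon events map a logon ID to the logon type of that session
    logons = {e["TargetLogonId"]: e["LogonType"] for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] not in (4656, 4663):
            continue
        path, proc = e["ObjectName"].lower(), e["ProcessName"].lower()
        if not any(path.startswith(w) for w in watched) or proc in excluded:
            continue
        alerts.append({
            "user": e["SubjectUserName"],
            "process": e["ProcessName"],
            "object": e["ObjectName"],
            "access": decode_access(e["AccessMask"]),
            "denied": e["Keywords"] == "Audit Failure",
            "logon": LOGON_TYPES.get(logons.get(e["SubjectLogonId"]), "unknown"),
        })
    return alerts

if __name__ == "__main__":
    print(*triage(EVENTS), sep="\n")
```

Both alerts carry the same user name, so the process path and the logon type are what tell the two sessions apart.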

MilesAhead

Re: Alert on File/Folder Access
« Reply #14 on: December 01, 2015, 06:55 AM »
Computers being way faster than humans... - there is no way you will be able to react fast enough to anything other than be the first one on scene with a mop..

Heh heh.  Like the "duck and cover" defense against nuclear attack.  Get in the doorway, grab your ankles etc..   :Thmbsup: