Alert on File/Folder Access

[Nzyme]

I would like to know if there are any programs that can alert the user (who is currently logged in as Administrator) about an intruder trying to access a file/folder that has been specified in the program.

Scenario: I have set the folder to monitor as C. Hacker has somehow hacked into my PC and when trying to access any file/folder within C drive, I should get an alert informing me "who" is trying to access "what". Further, it should not allow the intruder to access the file/folder nor make any changes to them.

I basically need a second level of defense (after the Antivirus and Firewall). There are programs that display the log of files/folders accessed and the particular operation (create/modify/delete) performed but I need some kind of access control here that will prevent access. Thanks!

[mouser]

This came up as an idea a while ago -- i think it's a great idea -- especially as an early warning tool.

Maybe someone could work on it as a NANY 2016 project.

A nice option would be the ability to alert on read and/or write, and the ability to exclude certain processes from triggering an alert.

[Shades]

For inspiration... 
http://leelusoft.altervista.org/watch-4-folder.html
https://blogs.manageengine.com/it-security/eventloganalyzer/2012/06/20/object-access-auditing-simplified-find-the-who-what-where-when-of-file-folder-access.html
https://technet.microsoft.com/en-us/library/cc771070.aspx
http://venussoftcorporation.blogspot.com/2010/05/thefolderspy.html
https://directorymonitor.com/
http://trackfolderchanges.codeplex.com/
http://www.nirsoft.net/utils/folder_changes_view.html
http://www.isdecisions.com/products/fileaudit/file-folder-access-alert.htm

[x16wda]

For inspiration... 
http://leelusoft.altervista.org/watch-4-folder.html
https://blogs.manageengine.com/it-security/eventloganalyzer/2012/06/20/object-access-auditing-simplified-find-the-who-what-where-when-of-file-folder-access.html
https://technet.microsoft.com/en-us/library/cc771070.aspx
http://venussoftcorporation.blogspot.com/2010/05/thefolderspy.html
https://directorymonitor.com/
http://trackfolderchanges.codeplex.com/
http://www.nirsoft.net/utils/folder_changes_view.html
http://www.isdecisions.com/products/fileaudit/file-folder-access-alert.htm

-Shades (November 26, 2015, 08:47 AM)

Just as info, when I looked into stuff like this a few years ago (6-10 maybe?), TheFolderSpy seemed to be the best combination of features and - more importantly - reliability. Several of the other programs for this sort of thing did not seem to implement the file system hook very well and caused instability and crashing, or at the least missed some number of test accesses. But NOTHING was really satisfactory for what I was looking for (which, in part, meant that the monitor could run as a service).

[Nzyme]

For inspiration... 
http://leelusoft.altervista.org/watch-4-folder.html
https://blogs.manageengine.com/it-security/eventloganalyzer/2012/06/20/object-access-auditing-simplified-find-the-who-what-where-when-of-file-folder-access.html
https://technet.microsoft.com/en-us/library/cc771070.aspx
http://venussoftcorporation.blogspot.com/2010/05/thefolderspy.html
https://directorymonitor.com/
http://trackfolderchanges.codeplex.com/
http://www.nirsoft.net/utils/folder_changes_view.html
http://www.isdecisions.com/products/fileaudit/file-folder-access-alert.htm

-Shades (November 26, 2015, 08:47 AM)

Thanks Shades! Most of what I have tested only monitors the file/folder for changes and displays a log/alert and some actions to perform post access.

If there is an intrusion, the program should alert who is trying to access what and should not allow the action to complete. The program should exclude operations from the system and the logged in user to avoid too many alerts.

Is this possible by applying any policy in Windows itself or any other programs that can do this? Thanks!

[mouser]

and should not allow the action to complete.

this requirement may take this tool from easy to hard, and i'm not sure it's critical to the idea, at least from my standpoint.

my idea was that the monitored file is more like a canary in the mine -- detecting an attempt to access it is to help alert you that a rogue process may be scanning (modifying) your files, and that you should investigate the possibility of some kind of malware/ransomeware.

actually preventing the test file from being modified has little value in this case.

identifying the PROCESS that tried to access the file would be important though..

[MilesAhead]

This looks like it comes pretty close for the monitoring part.  Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.

NirSoft utilities are well done.  I would experriment with monitoring all of C: to find out if this will bog the system.  An alternative may be something like ToolWiz Time Freeze.  All writes to the system partition are redirected to a cache file using Shadow Copy Service of Windows.  When you reboot the changes are gone.  Of course this doesn't save you from tracking cookies as they exist until you reboot.  But it does stop them from continually accumulating.

[mouser]

Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.

identifying what USER the process is running under is not so important -- but identifying the PROCESS is.

[MilesAhead]

Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.

identifying what USER the process is running under is not so important -- but identifying the PROCESS is.

-mouser (November 28, 2015, 08:15 AM)

I'm not arguing that but I wonder if any process that gets around security is going to use high level api calls rather than some sector by sector sneaky techniques.  I would think if the monitor could log it security could stop it.  But av type things are not my forte.

I do know that large scale monitoring for file folder change using the apis will bog things badly.  Utilities that do it well probably roll their own techniques.

[mouser]

The thing to remember is that stopping an application from accessing that one file is not going to help you much because all your other files are vulnerable.
The only thing that might help is if you somehow triggered some emergency protocol that locked down all files on the computer, but that seems especially hard to get right and avoid triggering on some harmless process.
That's why i'm thinking the best way to think of this is just as an early warning system -- unlikely to save you from much harm but perhaps able to give you a very early heads up that you've got a problem.

A possible compromise defensive mechanism might be a mode that when it sees a process trying to access the test file, immediately KILLS that process and puts it on a list of processes to be killed instantly if they restart.. The only danger there is false alarming on a legit process.

[MilesAhead]

Unless you suspect the malware is going to masquerade as a system file I don't know how you would guess a filename that would lure out the malware.  If it is wholesale deleting stuff I guess both ends of the alphabet may be a good idea.  Otherwise the goat file may be at the end of the list.

I still think making use of VSS is a better approach.  The utility is free.  Where it would not work well is wholesale file creation scenarios.  In that case the system may hang.  But for generic user protection it seems as good as any.

[Ath]

The only viable attack to be detected would be from network access to a file, when trying to modify/delete it, though I'm not sure if that would be identifiable as originating from a network-source. And then I'd expect any AV to detect that kind of attack. But maybe that's too optimistic

[Nzyme]

Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.

identifying what USER the process is running under is not so important -- but identifying the PROCESS is.

-mouser (November 28, 2015, 08:15 AM)

I think identifying the user along with process, time, type of operation (read, write, open, etc.) is equally important. Think about it, you are browsing the internet or listening to music and you see an alert for file/folder access. You know that you are not the one trying to access it but would want to know who initiated it (system access which was genuine or hacker who sneaked in the system logged in under your name). If you see that a access alert under your name is trying to access, you can take action on that immediately.

I think the program SpyShelter Firewall comes very close to what I need. For any type of access, it alerts me and I can either allow, reject or terminate the action but not sure if someone sneaks in my PC, will it prompt me with an alert.

[Stoic Joker]

Think about it, you are browsing the internet or listening to music and you see an alert for file/folder access.

-Nzyme (November 30, 2015, 08:38 AM)

Any halfway decently written malware isn't going to show its hand by touching the file system until after its gotten control of the system. So the net effect of running something to obscure for it to know to kill/bypass is most likely just going to be a front row seat to a horror show.

This kind of security is for human-slow direct access attempts, which is what auditing object access is designed to handle. User and logon type (service/network/interactive) are both recorded in the audit log, so watch for failure events, see who's failing to access what, and respond accordingly. Because if something is setoff in session with you - Computers being way faster than humans... - there is no way you will be able to react fast enough to anything other than be the first one on scene with a mop..

[MilesAhead]

Computers being way faster than humans... - there is no way you will be able to react fast enough to anything other than be the first one on scene with a mop..

-Stoic Joker (December 01, 2015, 06:41 AM)

Heh heh.  Like the "duck and cover" defense against nuclear attack.  Get in the doorway, grab your ankles etc..